2017-11-28 - HANCITOR INFECTION WITH ZEUS PANDA BANKER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-11-28-Hancitor-malspam-20-examples.txt.zip   3.2 kB (3,216 bytes)
• 2017-11-28-Hancitor-infection-with-Zeus-Panda-Banker.pcap.zip   470.4 kB (470,375 bytes)
• 2017-11-28-malware-from-Hancitor-infection.zip   227.1 kB (227,105 bytes)

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• diti[.]tips
• dititips[.]com
• getcepsocks[.]com
• jobstcompressionstocking[.]com
• juzo[.]us
• liha[.]tips
• newtecantips[.]com
• sigvarisperformancesocks[.]com
• socksforwintersports[.]com
• tecan[.]tips
• zensahcompressionsleeves[.]com
• hxxp://bigiftprod.cloudapp[.]net/1
• hxxp://bigiftprod.cloudapp[.]net/2
• hxxp://bigiftprod.cloudapp[.]net/3
• hxxp://mail.geekenfreude[.]com/1
• hxxp://mail.geekenfreude[.]com/2
• hxxp://mail.geekenfreude[.]com/3
• inspartorswa[.]com
• rowrorofrat[.]com

 

EMAILS

HEADER INFORMATION:

• Date/Time: Tuesday 2017-11-28 as early as 16:09 UTC through at least 18:47 UTC
• From: "eFax" <efax@faxmail[.]com>

• Subject: 800-241-5331 has faxed you a document.
• Subject: 800-241-8328 has faxed you a document.
• Subject: 801-241-0241 has faxed you a document.
• Subject: 801-241-1014 has faxed you a document.
• Subject: 801-241-5068 has faxed you a document.
• Subject: 802-241-0514 has faxed you a document.
• Subject: 803-241-1160 has faxed you a document.
• Subject: 804-241-6041 has faxed you a document.
• Subject: 804-241-6600 has faxed you a document.
• Subject: 804-241-8681 has faxed you a document.
• Subject: 805-241-5668 has faxed you a document.
• Subject: 806-241-1475 has faxed you a document.
• Subject: 806-241-2183 has faxed you a document.
• Subject: 806-241-3742 has faxed you a document.
• Subject: 807-241-0001 has faxed you a document.
• Subject: 807-241-1351 has faxed you a document.
• Subject: 807-241-2240 has faxed you a document.
• Subject: 807-241-6075 has faxed you a document.
• Subject: 807-241-7725 has faxed you a document.
• Subject: 808-241-4650 has faxed you a document.

• Received: from faxmail[.]com ([24.172.42[.]90])
• Received: from faxmail[.]com ([50.78.78[.]249])
• Received: from faxmail[.]com ([68.44.48[.]36])
• Received: from faxmail[.]com ([69.167.229[.]69])
• Received: from faxmail[.]com ([70.123.237[.]77])
• Received: from faxmail[.]com ([72.240.14[.]244])
• Received: from faxmail[.]com ([75.176.84[.]83])
• Received: from faxmail[.]com ([96.70.38[.]129])
• Received: from faxmail[.]com ([97.78.8[.]202])
• Received: from faxmail[.]com ([97.94.254[.]91])
• Received: from faxmail[.]com ([98.118.52[.]41])
• Received: from faxmail[.]com ([142.176.85[.]144])
• Received: from faxmail[.]com ([173.12.239[.]115])
• Received: from faxmail[.]com ([173.219.81[.]251])
• Received: from faxmail[.]com ([173.220.58[.]194])
• Received: from faxmail[.]com ([173.240.19[.]73])
• Received: from faxmail[.]com ([174.136.51[.]207])
• Received: from faxmail[.]com ([204.195.154[.]167])
• Received: from faxmail[.]com ([216.174.138[.]18])
• Received: from faxmail[.]com ([216.255.252[.]98])

 

LINKS FROM THE EMAILS:

• hxxp://diti[.]tips?01ut718OlavyU1O=[recipient's email address]
• hxxp://diti[.]tips?0q7tB8J1et1ifoe=[recipient's email address]
• hxxp://diti[.]tips?sY5Q1uNCoXuxa=[recipient's email address]
• hxxp://dititips[.]com?584k10120886AuVY4=[recipient's email address]
• hxxp://dititips[.]com?ySWn=[recipient's email address]
• hxxp://getcepsocks[.]com?l1z1l4uIH4=[recipient's email address]
• hxxp://jobstcompressionstocking[.]com?S1POJh7E5A02=[recipient's email address]
• hxxp://jobstcompressionstocking[.]com?yOz1pa4046X=[recipient's email address]
• hxxp://juzo[.]us?76Mie4iME5=[recipient's email address]
• hxxp://liha[.]tips?442Wsl5IqoN58182iA=[recipient's email address]
• hxxp://liha[.]tips?huPTMA5UgIa4=[recipient's email address]
• hxxp://liha[.]tips?lJyyAvO161H041=[recipient's email address]
• hxxp://newtecantips[.]com?h7AKlK0l=[recipient's email address]
• hxxp://sigvarisperformancesocks[.]com?KiEvahYOc0utFUcY=[recipient's email address]
• hxxp://socksforwintersports[.]com?2pOq=[recipient's email address]
• hxxp://socksforwintersports[.]com?i8DuS4H3em=[recipient's email address]
• hxxp://tecan[.]tips?ow2JCAti50IamU287=[recipient's email address]
• hxxp://tecan[.]tips?Ve637558Gq8g030=[recipient's email address]
• hxxp://zensahcompressionsleeves[.]com?5684XUZeDe75a=[recipient's email address]
• hxxp://zensahcompressionsleeves[.]com?F31JAoW1I1yveO5=[recipient's email address]

 

TRAFFIC

TRAFFIC FROM AN INFECTED HOST:

• 169.239.128[.]117 port 80 - diti[.]tips - GET /?sY5Q1uNCoXuxa=[recipient's email address]
• 185.111.107[.]150 port 80 - inspartorswa[.]com - POST /ls5/forum.php
• 185.111.107[.]150 port 80 - inspartorswa[.]com - POST /d2/about.php
• port 80 - api.ipify[.]org - GET /
• 65.52.78[.]162 port 80 - bigiftprod.cloudapp[.]net - GET /1
• 65.52.78[.]162 port 80 - bigiftprod.cloudapp[.]net - GET /2
• 65.52.78[.]162 port 80 - bigiftprod.cloudapp[.]net - GET /3
• 66.147.244[.]133 port 80 - mail.geekenfreude[.]com - GET /1
• 66.147.244[.]133 port 80 - mail.geekenfreude[.]com - GET /2
• 66.147.244[.]133 port 80 - mail.geekenfreude[.]com - GET /3
• 185.174.173[.]6 port 443 - rowrorofrat[.]com - HTTPS traffic caused by Zeus Panda Banker

 

MALWARE

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash: 075a45a6dce497ef689c3211ebc3e84f9de6fd1027ec80c7653cc60fcc1d3275
  File description: malicious Word doc with Hancitor macro (fax_928826.doc)
  File size: 179,712 bytes

• SHA256 hash: 89a63d2bdee386ab69227938124052aee367aff1909005364538c4e89d5ebb72
  File description: Zeus Panda Banker (.exe file)
  File size: 181,760 bytes

 

Click here to return to the main page.