2017-12-06 - HANCITOR INFECTION WITH ICEDID

NOTICE:

ASSOCIATED FILES:

  • 2017-12-06-Hancitor-infection-with-IcedID.pcap   (1,934,709 bytes)
  • 2017-12-06-Hancitor-malspam-30-examples.txt   (34,526 bytes)
  • 2017-12-06-Hancitor-maldoc-invoice_491457.doc   (214,528 bytes)
  • 2017-12-06-IcedID-theatctaa.exe   (903,168 bytes)
  • 2017-12-06-binary-from-nobleduty_com.exe   (825,856 bytes)

 

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro ruleset.

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

NETWORK TRAFFIC FROM MY INFECTED LAB HOST:

 

FILE HASHES

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

IMAGES


Shown above:  IceID persistent on the infected Windows host.

 

Click here to return to the main page.