2018-04-19 - HANCITOR INFECTION WITH ZEUS PANDA BANKER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-04-19-Hancitor-infection-with-Zeus-Panda-Banker.pcap.zip   4.0 MB (4,004,476 bytes)

• 2018-04-19-Hancitor-infection-with-Zeus-Panda-Banker.pcap   (5,194,979 bytes)

• Zip archive of the emails:  2018-04-19-Hancitor-malspam-54-examples.txt.zip   11 kB (11,099 bytes)

• 2018-04-19-Hancitor-malspam-54-examples.txt   (333,283 bytes)

• Zip archive of the malware:  2018-04-19-malware-from-Hancitor-infection.zip   1.9 MB (1,881,848 bytes)

• 2018-04-19-Hancitor-infection-follow-up-malware-81a.exe   (1,892,352 bytes)
• 2018-04-19-Word-doc-with-macro-for-Hancitor.doc   (265,216 bytes)
• 2018-04-19-Zeus-Panda-Banker-seen-during-Hancitor-malspam-infection.exe   (204,800 bytes)

NOTES:

• The block list contains additional info reported by @Techhelplistcom in a VirusTotal comment for the associated Word document.
• As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.
• Today, I also saw follow-up malware for the Send Safe Enterprise (SSE) spambot installer.

Shown above:  Flow chart for a typical Hancitor infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• estimatorfind[.]com
• garywhitakerfamily[.]com
• garywhitakerfamily[.]net
• headshopsmell[.]com
• ilovepatchouli[.]com
• patchouliscent[.]com
• virtualpaintexpo[.]com
• caharthenret[.]com
• naotuseor[.]ru
• pertacikin[.]ru
• hxxp[:]//flushstance[.]com/1
• hxxp[:]//flushstance[.]com/2
• hxxp[:]//flushstance[.]com/3
• hxxp[:]//saedpartnership[.]org/wp-content/plugins/envato-market/inc/1
• hxxp[:]//saedpartnership[.]org/wp-content/plugins/envato-market/inc/2
• hxxp[:]//saedpartnership[.]org/wp-content/plugins/envato-market/inc/3
• hxxp[:]//weddinggames[.]com[.]au/wp-content/themes/twentyten/1
• hxxp[:]//weddinggames[.]com[.]au/wp-content/themes/twentyten/2
• hxxp[:]//weddinggames[.]com[.]au/wp-content/themes/twentyten/3
• hxxp[:]//www.cdiqra[.]com/components/com_content/helpers/1
• hxxp[:]//www.cdiqra[.]com/components/com_content/helpers/2
• hxxp[:]//www.cdiqra[.]com/components/com_content/helpers/3
• hxxp[:]//ofczianka[.]hu/wp-content/themes/twentyfifteen/inc/1
• hxxp[:]//ofczianka[.]hu/wp-content/themes/twentyfifteen/inc/2
• hxxp[:]//ofczianka[.]hu/wp-content/themes/twentyfifteen/inc/3
• taldiparep[.]ru
• hxxp[:]//www.unsafedrugs[.]com/81a.exe

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Thursday 2018-04-19 as early as 14:59 UTC through at least 18:14 UTC

• Received: from ([12.106.90[.]2])
• Received: from ([173.8.37[.]101])
• Received: from grandjkc[.]com ([5.89.22[.]195])
• Received: from grandjkc[.]com ([24.116.113[.]74])
• Received: from grandjkc[.]com ([24.230.94[.]38])
• Received: from grandjkc[.]com ([38.106.98[.]31])
• Received: from grandjkc[.]com ([50.204.18[.]30]))
• Received: from grandjkc[.]com ([65.122.188[.]170])
• Received: from grandjkc[.]com ([67.49.49[.]239])
• Received: from grandjkc[.]com ([69.27.48[.]150])
• Received: from grandjkc[.]com ([70.90.55[.]134])
• Received: from grandjkc[.]com ([70.90.219[.]225])
• Received: from grandjkc[.]com ([71.80.60[.]221])
• Received: from grandjkc[.]com ([73.161.105[.]233])
• Received: from grandjkc[.]com ([75.148.247[.]113])
• Received: from grandjkc[.]com ([96.84.215[.]1])
• Received: from grandjkc[.]com ([96.95.225[.]170])
• Received: from grandjkc[.]com ([204.195.154[.]167])
• Received: from thecarltun[.]com ([12.186.237[.]244])
• Received: from thecarltun[.]com ([23.24.67[.]153])
• Received: from thecarltun[.]com ([23.30.54[.]177])
• Received: from thecarltun[.]com ([24.205.165[.]132])
• Received: from thecarltun[.]com ([24.249.81[.]126])
• Received: from thecarltun[.]com ([38.106.98[.]31])
• Received: from thecarltun[.]com ([45.59.254[.]20])
• Received: from thecarltun[.]com ([50.198.179[.]162])
• Received: from thecarltun[.]com ([50.225.140[.]58])
• Received: from thecarltun[.]com ([50.243.56[.]185])
• Received: from thecarltun[.]com ([50.255.203[.]185])
• Received: from thecarltun[.]com ([64.62.60[.]154])
• Received: from thecarltun[.]com ([67.186.172[.]133])
• Received: from thecarltun[.]com ([67.208.133[.]132])
• Received: from thecarltun[.]com ([72.24.104[.]186])
• Received: from thecarltun[.]com ([72.25.166[.]130])
• Received: from thecarltun[.]com ([73.34.196[.]197])
• Received: from thecarltun[.]com ([75.146.90[.]69])
• Received: from thecarltun[.]com ([75.148.254[.]54])
• Received: from thecarltun[.]com ([76.8.204[.]66])
• Received: from thecarltun[.]com ([96.33.250[.]2])
• Received: from thecarltun[.]com ([96.37.147[.]182])
• Received: from thecarltun[.]com ([96.83.60[.]30])
• Received: from thecarltun[.]com ([98.189.148[.]233])
• Received: from thecarltun[.]com ([108.46.196.93])
• Received: from thecarltun[.]com ([173.8.37[.]101])
• Received: from thecarltun[.]com ([173.8.52[.]203])
• Received: from thecarltun[.]com ([192.171.200[.]46])
• Received: from thecarltun[.]com ([197.159.123[.]130])
• Received: from thecarltun[.]com ([207.237.12[.]116])
• Received: from thecarltun[.]com ([209.23.243[.]106])
• Received: from thecarltun[.]com ([216.201.198[.]182])

• From: "HelloFax Inc." <hellofax@grandjkc[.]com>
• From: "HelloFax Inc." <hellofax@thecarltun[.]com>
• From: "HelloFax" <hellofax@grandjkc[.]com>
• From: "HelloFax" <hellofax@thecarltun[.]com>

• Subject: HelloFax, Here is Your Fax
• Subject: HelloFax, Someone Sent You a Fax
• Subject: Welcome to HelloFax, Here is Your Fax
• Subject: Welcome to HelloFax, Someone Sent You a Fax

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Traffic from the infected host for SSE spambot UDP beacon.

 

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:

• hxxp[:]//estimatorfind[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//garywhitakerfamily[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//garywhitakerfamily[.]net?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//headshopsmell[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//ilovepatchouli[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//patchouliscent[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//virtualpaintexpo[.]com?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 35.204.196[.]178 port 80 - garywhitakerfamily[.]com - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify[.]org - GET /
• 185.43.223[.]6 port 80 - caharthenret[.]com - POST /4/forum.php
• 185.43.223[.]6 port 80 - caharthenret[.]com - POST /mlu/about.php
• 185.43.223[.]6 port 80 - caharthenret[.]com - POST /d2/about.php
• 70.39.144[.]54 port 80 - flushstance[.]com - GET /1
• 70.39.144[.]54 port 80 - flushstance[.]com - GET /2
• 91.230.61[.]33 port 443 - taldiparep[.]ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
• port 80 - www.google[.]com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker
• 45.63.85[.]179 port 80 - www.unsafedrugs[.]com - GET /81a.exe   (returned SSE spambot installer)
• 31.44.184[.]81 port 50014 - UDP beacon caused by SSE spambot malware

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  6195d0f2f52397842d57759a124abf280309c0639a13ed314d319286bc4a46d7
  File size:  265,216 bytes
  File name:  fac_591073.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  47340ab357291de9bcb8cac8232b1c94ba4fdf1ddddeea5b43fab814ebff9881
  File size:  204,800 bytes
  File location:  C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

• SHA256 hash:  e74a8652a357912698551a459f1820901d4c92adef0e1826e42d3c761047bede
  File size:  1,892,352 bytes
  File location:  hxxp[:]//www.unsafedrugs[.]com/81a.exe
  File description:  Follow-up malware - Send Safe Enterprise (SSE) spambot installer

Shown above:  Zeus Panda Banker persistent on the infected Windows host.

 

Click here to return to the main page.