2018-04-23 - HANCITOR INFECTION WITH ZEUS PANDA BANKER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the emails:  2018-04-23-Hancitor-malspam-50-email-examples.txt.zip   19.4 kB (19,367 bytes)

• 2018-04-23-Hancitor-malspam-50-examples.txt   (419,944 bytes)

• Zip archive of the traffic:  2018-04-23-Hancitor-infection-with-Zeus-Panda-Banker.pcap.zip   2.4 MB (2,433,584 bytes)

• 2018-04-23-Hancitor-infection-with-Zeus-Panda-Banker.pcap   (3,056,973 bytes)

• Zip archive of the malware:  2018-04-23-malware-from-Hancitor-infection.zip   258 kB (258,442 bytes)

• 2018-04-23-Word-doc-with-macro-for-Hancitor.doc   (234,496 bytes)
• 2018-04-23-Zeus-Panda-Banker-from-Hancitor-infection.exe   (204,800 bytes)

NOTES:

• The block list contains additional info reported by @Techhelplistcom in the VirusTotal entry for the associated Word Document.
• As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.

Shown above:  Flow chart for a typical Hancitor malspam infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• effortlesshappiness[.]org
• emiliepare[.]com
• flemingfamilyracing[.]com
• habs911[.]com
• highgearfitnesssolutions[.]com
• kaelfleming[.]com
• motoxmom[.]com
• secondwindwithjoyce[.]com
• secondwindwithjoycebuford[.]com
• solinti[.]com
• whiteheadmotorscredit[.]com
• ofortoftrow[.]com
• tonthinfive[.]ru
• fetitherhi[.]ru
• hxxp[:]//ebizwize[.]com/wp-content/plugins/gravityforms/includes/1
• hxxp[:]//ebizwize[.]com/wp-content/plugins/gravityforms/includes/2
• hxxp[:]//ebizwize[.]com/wp-content/plugins/gravityforms/includes/3
• hxxp[:]//www.willametteplastics[.]com/wp-content/plugins/google-sitemap-generator/1
• hxxp[:]//www.willametteplastics[.]com/wp-content/plugins/google-sitemap-generator/2
• hxxp[:]//www.willametteplastics[.]com/wp-content/plugins/google-sitemap-generator/3
• hxxp[:]//wg-hamburg[.]org/wp-content/plugins/pretty-link/includes/jquery/1
• hxxp[:]//wg-hamburg[.]org/wp-content/plugins/pretty-link/includes/jquery/2
• hxxp[:]//wg-hamburg[.]org/wp-content/plugins/pretty-link/includes/jquery/3
• hxxp[:]//alhamraa[.]org/1
• hxxp[:]//alhamraa[.]org/2
• hxxp[:]//alhamraa[.]org/3
• hxxp[:]//radyosu[.]com[.]tr/wp-content/plugins/gravityforms/1
• hxxp[:]//radyosu[.]com[.]tr/wp-content/plugins/gravityforms/2
• hxxp[:]//radyosu[.]com[.]tr/wp-content/plugins/gravityforms/3
• taldiparep[.]ru

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Monday 2018-04-23 as early as 15:40 UTC through at least 19:08 UTC

• Received: from drkeyless[.]com ([12.45.168[.]162])
• Received: from drkeyless[.]com ([38.98.124[.]62])
• Received: from drkeyless[.]com ([45.50.35[.]127])
• Received: from drkeyless[.]com ([47.190.52[.]75])
• Received: from drkeyless[.]com ([50.198.180[.]182])
• Received: from drkeyless[.]com ([52.144.63[.]34])
• Received: from drkeyless[.]com ([64.19.210[.]198])
• Received: from drkeyless[.]com ([64.60.143[.]138])
• Received: from drkeyless[.]com ([66.166.194[.]58])
• Received: from drkeyless[.]com ([67.151.111[.]146])
• Received: from drkeyless[.]com ([70.51.87[.]254])
• Received: from drkeyless[.]com ([70.62.85[.]98])
• Received: from drkeyless[.]com ([70.88.80[.]100])
• Received: from drkeyless[.]com ([70.89.136[.]45])
• Received: from drkeyless[.]com ([70.167.87[.]13])
• Received: from drkeyless[.]com ([71.179.228[.]74])
• Received: from drkeyless[.]com ([72.16.245[.]65])
• Received: from drkeyless[.]com ([72.24.104[.]186])
• Received: from drkeyless[.]com ([72.84.234[.]140])
• Received: from drkeyless[.]com ([72.215.138[.]182])
• Received: from drkeyless[.]com ([72.250.217[.]109])
• Received: from drkeyless[.]com ([73.131.213[.]217])
• Received: from drkeyless[.]com ([74.81.115[.]46])
• Received: from drkeyless[.]com ([76.8.204[.]66])
• Received: from drkeyless[.]com ([96.83.60[.]30])
• Received: from drkeyless[.]com ([96.95.49[.]49])
• Received: from drkeyless[.]com ([97.65.162[.]2])
• Received: from drkeyless[.]com ([97.89.35[.]202])
• Received: from drkeyless[.]com ([107.197.89[.]242])
• Received: from drkeyless[.]com ([173.165.129[.]137])
• Received: from drkeyless[.]com ([174.114.94[.]236])
• Received: from drkeyless[.]com ([199.10.29[.]18])
• Received: from drkeyless[.]com ([209.64.58[.]226])
• Received: from drkeyless[.]com ([216.186.201[.]189])
• Received: from habitatmuskoka[.]com ([23.30.54[.]177])
• Received: from habitatmuskoka[.]com ([38.98.124[.]62])
• Received: from habitatmuskoka[.]com ([50.79.71[.]242])
• Received: from habitatmuskoka[.]com ([50.84.166[.]122])
• Received: from habitatmuskoka[.]com ([50.243.142[.]145])
• Received: from habitatmuskoka[.]com ([67.214.229[.]146])
• Received: from habitatmuskoka[.]com ([70.62.57[.]79])
• Received: from habitatmuskoka[.]com ([70.94.0[.]154])
• Received: from habitatmuskoka[.]com ([74.76.224[.]100])
• Received: from habitatmuskoka[.]com ([75.144.224[.]202])
• Received: from habitatmuskoka[.]com ([96.86.215[.]241])
• Received: from habitatmuskoka[.]com ([96.95.49[.]49])
• Received: from habitatmuskoka[.]com ([97.80.33[.]9])
• Received: from habitatmuskoka[.]com ([98.211.84[.]142])
• Received: from habitatmuskoka[.]com ([216.201.231[.]202])

• From: "Bank of America Corporation. All rights reserved." <onlinebanking@drkeyless[.]com>
• From: "Bank of America Corporation. All rights reserved." <onlinebanking@habitatmuskoka[.]com>
• From: "Bank of America Corporation." <onlinebanking@drkeyless[.]com>
• From: "Bank of America Corporation." <onlinebanking@habitatmuskoka[.]com>

• Subject: Alert from Bank of America
• Subject: Notice from Bank of America
• Subject: Notification from Bank of America

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:

• hxxp[:]//effortlesshappiness[.]org?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//emiliepare[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//flemingfamilyracing[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//habs911[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//highgearfitnesssolutions[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//kaelfleming[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//motoxmom[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//secondwindwithjoyce[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//secondwindwithjoycebuford[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//solinti[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//whiteheadmotorscredit[.]com?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 35.187.104[.]75 port 80 - solinti[.]com - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify[.]org - GET /
• 92.53.107[.]93 port 80 - ofortoftrow[.]com - POST /4/forum.php
• 92.53.107[.]93 port 80 - ofortoftrow[.]com - POST /mlu/about.php
• 92.53.107[.]93 port 80 - ofortoftrow[.]com - POST /d2/about.php
• 192.185.90[.]189 port 80 - ebizwize[.]com - GET /wp-content/plugins/gravityforms/includes/1
• 192.185.90[.]189 port 80 - ebizwize[.]com - GET /wp-content/plugins/gravityforms/includes/2
• 192.185.90[.]189 port 80 - ebizwize[.]com - GET /wp-content/plugins/gravityforms/includes/3
• 91.230.61[.]33 port 443 - taldiparep[.]ru - post-infection traffic caused by Zeus Panda Banker
• port 443 - www.google[.]com - probably connectivity check caused by Zeus Panda Banker

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  3e2a06a9e80f24ea91ac98322f8d9b2333ec97685d88864c54153cd4a3fa202c
  File size:  234,496 bytes
  File name:  invoice_624159.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  bd985e1138244b3a2f2052d916effeec5bfe79de6d5103154c529a3256ac638d
  File size:  204,800 bytes
  File location:  C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

Shown above:  Zeus Panda Banker persistent on the infected Windows host.

 

Click here to return to the main page.