2018-05-03 - HANCITOR FROM FAKE VEMNO NOTIFICATIONS
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-05-03-Hancitor-infection-with-Zeus-Panda-Banker.pcap.zip 2.2 MB (2,207,186 bytes)
- 2018-05-03-Hancitor-infection-with-Zeus-Panda-Banker.pcap (2,546,485 bytes)
- Zip archive of the emails: 2018-05-03-Hancitor-malspam-60-examples.txt.zip 10.9 kB (10,859 bytes)
- 2018-05-03-Hancitor-malspam-60-examples.txt (232,606 bytes)
- Zip archive of the malware: 2018-05-03-malware-from-Hancitor-infection.zip 233 kB (232,791 bytes)
- 2018-05-03-Word-doc-with-macro-for-Hancitor.doc (188,928 bytes)
- 2018-05-03-Zeus-Panda-Banker-from-Hancitor-infection.exe (177,152 bytes)
NOTES:
- The block list contains additional info first reported in the VirusBay entry for the associated Word document.
- As always, my thanks to everyone who keeps an eye on this malspam and reports on it in near real-time on Twitter.
Shown above: Flow chart for a typical Hancitor malspam infection.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- beachesofnwflorida[.]com
- coastalrealtycsb[.]com
- coastalrealtypsj[.]com
- costaljoe[.]com
- csbbeachrentals[.]com
- floridasbestescape[.]com
- gocoastalflorida[.]com
- isdgcom[.]net
- sgiflbeachhomes[.]com
- sgirentalhomes[.]com
- stgeorgeislandbeachhomes[.]com
- visitcsb[.]com
- tanreblingtold[.]com
- hedningdolac[.]ru
- atlerando[.]ru
- hxxp[:]//yakshin[.]ru/wp-content/themes/omega/lib/1
- hxxp[:]//yakshin[.]ru/wp-content/themes/omega/lib/2
- hxxp[:]//yakshin[.]ru/wp-content/themes/omega/lib/3
- hxxp[:]//jeffreytobin[.]com/wp-content/plugins/options-framework/includes/1
- hxxp[:]//jeffreytobin[.]com/wp-content/plugins/options-framework/includes/2
- hxxp[:]//jeffreytobin[.]com/wp-content/plugins/options-framework/includes/3
- hxxp[:]//newstotalk[.]com/wp-content/themes/wp-genius/1
- hxxp[:]//newstotalk[.]com/wp-content/themes/wp-genius/2
- hxxp[:]//newstotalk[.]com/wp-content/themes/wp-genius/3
- hxxp[:]//peterjoubert[.]com/wp-content/themes/twentyeleven/inc/1
- hxxp[:]//peterjoubert[.]com/wp-content/themes/twentyeleven/inc/2
- hxxp[:]//peterjoubert[.]com/wp-content/themes/twentyeleven/inc/3
- hxxp[:]//marysherwoodlifestyles[.]com/wp-content/themes/twentythirteen/inc/1
- hxxp[:]//marysherwoodlifestyles[.]com/wp-content/themes/twentythirteen/inc/2
- hxxp[:]//marysherwoodlifestyles[.]com/wp-content/themes/twentythirteen/inc/3
- robwassotdint[.]ru
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Thursday 2018-05-03 as early as 14:59 UTC through at least 19:28 UTC
- From: "Vemno Inc " <vemnoteam@burroughscompanies[.]com>
- From: "Vemno Inc " <vemnoteam@pinoswindow[.]com>
- From: "Vemno Inc All Rights Reserved" <vemnoteam@burroughscompanies[.]com>
- From: "Vemno Inc All Rights Reserved" <vemnoteam@pinoswindow[.]com>
- From: "Vemno Services " <vemnoteam@burroughscompanies[.]com>
- From: "Vemno Services " <vemnoteam@pinoswindow[.]com>
- From: "Vemno Services All Rights Reserved" <vemnoteam@burroughscompanies[.]com>
- From: "Vemno Services All Rights Reserved" <vemnoteam@pinoswindow[.]com>
- Subject: Automated Payment Message From Vemno
- Subject: Automated Payment Notice From Vemno
- Subject: Automated Payment Notification From Vemno
- Subject: Automatic Payment Message From Vemno
- Subject: Automatic Payment Notice From Vemno
- Subject: Automatic Payment Notification From Vemno
- Subject: Electronic Payment Message From Vemno
- Subject: Electronic Payment Notice From Vemno
- Subject: Electronic Payment Notification From Vemno
Shown above: Malicious Word document downloaded from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:
- hxxp[:]//beachesofnwflorida[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp[:]//coastalrealtycsb[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp[:]//coastalrealtypsj[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp[:]//costaljoe[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp[:]//csbbeachrentals[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp[:]//floridasbestescape[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp[:]//gocoastalflorida[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp[:]//isdgcom[.]net?[string of characters]=[encoded string representing recipient's email address]
- hxxp[:]//sgiflbeachhomes[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp[:]//sgirentalhomes[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp[:]//stgeorgeislandbeachhomes[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp[:]//visitcsb[.]com?[string of characters]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM AN INFECTED LAB HOST:
- 35.187.117[.]14 port 80 - isdgcom[.]net - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify[.]org - GET /
- 185.43.223[.]6 port 80 - tanreblingtold[.]com - POST /4/forum.php
- 185.43.223[.]6 port 80 - tanreblingtold[.]com - POST /mlu/about.php
- 185.43.223[.]6 port 80 - tanreblingtold[.]com - POST /d2/about.php
- 141.8.192[.]4 port 80 - yakshin[.]ru - GET /wp-content/themes/omega/lib/1
- 141.8.192[.]4 port 80 - yakshin[.]ru - GET /wp-content/themes/omega/lib/2
- 141.8.192[.]4 port 80 - yakshin[.]ru - GET /wp-content/themes/omega/lib/3
- 185.174.175[.]14 port 443 - robwassotdint[.]ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- port 80 - www.google[.]com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker
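As an added example (not code from the original post), the Subject/From templates in the email headers above and the request pattern from the lab traffic can be turned into a small triage filter. The proxy-log line format, the sample lines and the query-string value are constructed for this example; the domains are the ones listed on this page.

```python
import re

# Templates taken from the Subject and From lines observed in this malspam run.
SUBJECT_RE = re.compile(
    r"^(Automated|Automatic|Electronic) Payment (Message|Notice|Notification) From Vemno$")
FROM_RE = re.compile(r'^"Vemno (Inc|Services)[^"]*" <vemnoteam@[^>]+>$')
# Hancitor check-in seen in the pcap: POST /<short token>/forum.php or about.php
C2_POST_RE = re.compile(r"^/[A-Za-z0-9]{1,8}/(forum|about)\.php$")
# Follow-up payloads pulled from compromised WordPress sites as .../1, /2, /3
STAGE_RE = re.compile(r"^/wp-content/.+/[123]$")

# Constructed proxy log lines: "METHOD host path" (not a real product format).
SAMPLE_HTTP = [
    "GET isdgcom.net /?abcd=ZXhhbXBsZUBleGFtcGxlLmludmFsaWQ=",  # constructed query
    "GET api.ipify.org /",
    "POST tanreblingtold.com /4/forum.php",
    "GET yakshin.ru /wp-content/themes/omega/lib/1",
    "GET yakshin.ru /wp-content/themes/omega/lib/2",
    "GET example.invalid /index.html",
]


def is_vemno_lure(subject, sender):
    """True when both Subject and From follow the fake-Venmo templates."""
    return bool(SUBJECT_RE.match(subject) and FROM_RE.match(sender))


def hancitor_hits(log_lines):
    """Return (reason, line) pairs for lines matching the infection chain.

    The external IP lookup on its own is weak evidence; the C2 POST and the
    numbered stage downloads are the strong signals from this traffic.
    """
    hits = []
    for line in log_lines:
        method, host, path = line.split(" ", 2)
        if method == "POST" and C2_POST_RE.match(path):
            hits.append(("hancitor-c2-checkin", line))
        elif method == "GET" and STAGE_RE.match(path):
            hits.append(("hancitor-stage-download", line))
        elif host == "api.ipify.org":
            hits.append(("external-ip-lookup", line))
    return hits


if __name__ == "__main__":
    for reason, line in hancitor_hits(SAMPLE_HTTP):
        print(f"{reason:26} {line}")
```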
FILE HASHES
MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: fb82fd4534d7c32a3de8523fde2d59b7c26146eae1827c0b4202630e3004c587
  File size: 188,928 bytes
  File name: invoice_921483.doc [any six random digits for the numbers]
  File description: Word document with macro for Hancitor
- SHA256 hash: 429a5b8fee9b92d638bb4e27821eedbf9844a828ca9131b18f98b38ef16d6edf
  File size: 177,152 bytes
  File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
  File description: Zeus Panda Banker
Shown above: Zeus Panda Banker persistent on the infected Windows host.