2018-07-19 - HANCITOR INFECTION WITH AZORULT AND ZEUS PANDA BANKER
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-07-19-Hancitor-malspam-1522-UTC.eml.zip 3 kB (2,944 bytes)
- 2018-07-19-Hancitor-infection-with-AZORult-and-Zeus-Panda-Banker.pcap.zip 3.3 MB (3,333,572 bytes)
- 2018-07-19-malware-from-Hancitor-infection.zip 298 kB (297,838 bytes)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- driverscontroller[.]com
- lacdowronfor[.]com
- hxxp[:]//baliseconsulting[.]com/wp-content/plugins/jurig/12
- hxxp[:]//baliseconsulting[.]com/wp-content/plugins/jurig/2
- hxxp[:]//baliseconsulting[.]com/wp-content/plugins/jurig/3
- hadsparmirat[.]com
- rombutcading[.]ru
HEADERS FROM A MALSPAM EXAMPLE
Received: from hecker[.]com ([72.16.245[.]65]) by [removed] for [removed];
Thu, 19 Jul 2018 15:21:29 +0000 (UTC)
Message-ID: <AE24D157.45E76072@hecker[.]com>
Date: Thu, 19 Jul 2018 10:22:07 -0500
Reply-To: "Bank of America Corporation. All rights reserved." <bankofamerica@hecker[.]com>
From: "Bank of America Corporation. All rights reserved." <bankofamerica@hecker[.]com>
X-Mailer: iPhone Mail (13D20)
X-Accept-Language: en-us
MIME-Version: 1.0
TO: [removed]
Subject: Alert from Bank of America
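As an added example (not part of the original page), the following Python script parses the headers above, embedded as constructed sample text with the author's [removed] redactions kept, and runs three checks a mail-gateway analyst would apply to a message like this: whether the From display name claims a brand whose legitimate sending domains (an assumed allow-list in this example) do not include the sender's actual domain, whether Reply-To diverges from From, and whether the Date header postdates the timestamp our own MTA wrote into the topmost Received header.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the headers shown on this page, with the author's [removed]
# redactions kept and the folded Received line indented as RFC 5322 requires.
RAW_HEADERS = """\
Received: from hecker[.]com ([72.16.245[.]65]) by [removed] for [removed];
    Thu, 19 Jul 2018 15:21:29 +0000 (UTC)
Message-ID: <AE24D157.45E76072@hecker[.]com>
Date: Thu, 19 Jul 2018 10:22:07 -0500
Reply-To: "Bank of America Corporation. All rights reserved." <bankofamerica@hecker[.]com>
From: "Bank of America Corporation. All rights reserved." <bankofamerica@hecker[.]com>
X-Mailer: iPhone Mail (13D20)
X-Accept-Language: en-us
MIME-Version: 1.0
To: [removed]
Subject: Alert from Bank of America
"""

# Assumed allow-list for this example: brand names a display name may claim, mapped to
# domains that legitimately send for them. A real gateway would keep a much fuller table.
BRAND_DOMAINS = {"bank of america": ("bankofamerica.com",)}


def refang(s):
    """Undo the page's defanging so the headers parse as real addresses."""
    return s.replace("[.]", ".")


def _domain(address):
    return address.rpartition("@")[2].lower()


def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_headers(raw):
    """Return sender facts plus a list of flags for the headers in `raw`."""
    msg = message_from_string(refang(raw))
    flags = []

    display, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(from_addr)

    # 1. Brand impersonation: the display name names a brand, but the sender domain
    #    is not one of that brand's domains.
    brand = None
    for name, good in BRAND_DOMAINS.items():
        if name in display.lower() and not _in_domains(sender_domain, good):
            brand = name
            flags.append(f"display name claims '{name}' but mail comes from {sender_domain}")

    # 2. Reply-To pointing at a different domain than From.
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")

    # 3. Relay IP and Date consistency. msg.get() returns the topmost Received header,
    #    the one our own MTA wrote and the only one we can trust. A Date header later
    #    than that receipt time cannot come from an honest clock.
    received = msg.get("Received", "")
    ip_match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    relay_ip = ip_match.group(1) if ip_match else None
    skew = None
    try:
        received_at = parsedate_to_datetime(received.rsplit(";", 1)[1])
        sent_at = parsedate_to_datetime(msg.get("Date", ""))
        skew = int((received_at - sent_at).total_seconds())
        if skew < 0:
            flags.append(f"Date header is {-skew}s later than the Received timestamp")
    except (IndexError, TypeError, ValueError):
        pass  # malformed or missing dates: leave skew as None rather than guess

    return {
        "display_name": display,
        "sender_domain": sender_domain,
        "brand_impersonated": brand,
        "relay_ip": relay_ip,
        "date_skew_seconds": skew,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in analyze_headers(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

On the headers above, the script reports the sender domain as hecker.com with a Bank of America display name, the relay as 72.16.245.65, and a Date header 38 seconds later than the Received timestamp (10:22:07 -0500 is 15:22:07 UTC, against receipt at 15:21:29 UTC). Reply-To matches From, so that check stays quiet.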
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 35.204.172[.]181 port 80 - driverscontroller[.]com - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify[.]org - GET /
- 195.69.187[.]122 port 80 - lacdowronfor[.]com - POST /4/forum.php
- 195.69.187[.]122 port 80 - lacdowronfor[.]com - POST /d2/about.php
- 69.195.124[.]61 port 80 - baliseconsulting[.]com - GET /wp-content/plugins/jurig/12
- 69.195.124[.]61 port 80 - baliseconsulting[.]com - GET /wp-content/plugins/jurig/2
- 69.195.124[.]61 port 80 - baliseconsulting[.]com - GET /wp-content/plugins/jurig/3
- 104.223.19[.]69 port 80 - hadsparmirat[.]com - POST /index.php [AZORult post-infection traffic]
- 185.60.133[.]246 port 443 - rombutcading[.]ru - HTTPS/SSL/TLS traffic [Zeus Panda Banker]
- port 443 - www.google[.]com - connectivity check by infected Windows host [Zeus Panda Banker]
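The traffic list above and the block list earlier on this page use the same defanged notation, and the block list deliberately covers only three URLs on baliseconsulting[.]com (a compromised WordPress site, not attacker infrastructure) while blocking the other malicious hosts outright. As an added example that is not part of the original page, the following Python script parses both lists (embedded as constructed sample text copied from this page, with the redacted query string on the first traffic line shortened to "[redacted]" tokens), refangs them, checks which observed connections the block list would have stopped, and renders the block list as Suricata 5 rules using the http.host, http.uri and tls.sni sticky buffers (the rule text and sid range are this example's assumptions).

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the traffic list from this page, as printed except that the
# redacted query string on the first line is shortened to "[redacted]" tokens.
TRAFFIC = """\
- 35.204.172[.]181 port 80 - driverscontroller[.]com - GET /?[redacted]=[redacted]
- port 80 - api.ipify[.]org - GET /
- 195.69.187[.]122 port 80 - lacdowronfor[.]com - POST /4/forum.php
- 195.69.187[.]122 port 80 - lacdowronfor[.]com - POST /d2/about.php
- 69.195.124[.]61 port 80 - baliseconsulting[.]com - GET /wp-content/plugins/jurig/12
- 69.195.124[.]61 port 80 - baliseconsulting[.]com - GET /wp-content/plugins/jurig/2
- 69.195.124[.]61 port 80 - baliseconsulting[.]com - GET /wp-content/plugins/jurig/3
- 104.223.19[.]69 port 80 - hadsparmirat[.]com - POST /index.php [AZORult post-infection traffic]
- 185.60.133[.]246 port 443 - rombutcading[.]ru - HTTPS/SSL/TLS traffic [Zeus Panda Banker]
- port 443 - www.google[.]com - connectivity check by infected Windows host [Zeus Panda Banker]
"""

# Constructed sample: the block list from this page, as printed.
BLOCK_LIST = """\
- driverscontroller[.]com
- lacdowronfor[.]com
- hxxp[:]//baliseconsulting[.]com/wp-content/plugins/jurig/12
- hxxp[:]//baliseconsulting[.]com/wp-content/plugins/jurig/2
- hxxp[:]//baliseconsulting[.]com/wp-content/plugins/jurig/3
- hadsparmirat[.]com
- rombutcading[.]ru
"""

LINE_RE = re.compile(
    r"^-\s+(?:(?P<ip>\S+)\s+)?port\s+(?P<port>\d+)\s+-\s+(?P<host>\S+)\s+-\s+(?P<rest>.+)$"
)


def refang(s):
    """Turn the page's defanged notation back into real hosts and URLs."""
    return s.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_traffic(text):
    """One dict per traffic line: server IP/port, host, method, rebuilt URL, trailing note."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest, note = m["rest"], None
        nm = re.search(r"\s\[([^\]]+)\]$", rest)  # trailing "[comment]" on the line
        if nm:
            note, rest = nm.group(1), rest[: nm.start()]
        tokens = rest.split(None, 1)
        if tokens[0] in ("GET", "POST"):
            method, path = tokens[0], (tokens[1] if len(tokens) > 1 else "/")
        else:  # TLS session or unspecified connection: no request line to record
            method, path = None, "/"
        host = refang(m["host"])
        scheme = "https" if m["port"] == "443" else "http"
        records.append({
            "ip": refang(m["ip"]) if m["ip"] else None,
            "port": int(m["port"]),
            "host": host,
            "method": method,
            "url": f"{scheme}://{host}{path}",
            "note": note,
        })
    return records


def parse_block_list(text):
    """Split block-list entries into bare domains and full URLs."""
    domains, urls = set(), set()
    for line in text.splitlines():
        item = refang(line.strip().lstrip("- ").strip())
        if item:
            (urls if "://" in item else domains).add(item)
    return domains, urls


def is_blocked(url, domains, urls):
    """Domain entries cover the host and its subdomains; URL entries match the exact path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in domains):
        return True
    return f"{parts.scheme}://{host}{parts.path}" in urls


def unblocked_hosts(records, domains, urls):
    """Hosts the infected client reached that the block list would not stop."""
    return sorted({r["host"] for r in records if not is_blocked(r["url"], domains, urls)})


def suricata_rules(domains, urls, sid=9000001):
    """Render the block list as Suricata 5 rules (assumed msg text and sid range)."""
    head = 'alert {proto} $HOME_NET any -> $EXTERNAL_NET any (msg:"{msg}"; flow:established,to_server; '
    tail = "classtype:trojan-activity; sid:{sid}; rev:1;)"
    rules = []
    for d in sorted(domains):  # plain-HTTP host header and TLS SNI, one rule each
        rules.append(head.format(proto="http", msg=f"Hancitor 2018-07-19 host {d}")
                     + f'http.host; content:"{d}"; nocase; ' + tail.format(sid=sid))
        rules.append(head.format(proto="tls", msg=f"Hancitor 2018-07-19 SNI {d}")
                     + f'tls.sni; content:"{d}"; nocase; ' + tail.format(sid=sid + 1))
        sid += 2
    for u in sorted(urls):  # compromised site: match host plus the exact malicious path
        p = urlsplit(u)
        rules.append(head.format(proto="http", msg=f"Hancitor 2018-07-19 URL {u}")
                     + f'http.host; content:"{p.hostname}"; http.uri; content:"{p.path}"; '
                     + tail.format(sid=sid))
        sid += 1
    return rules


if __name__ == "__main__":
    recs = parse_traffic(TRAFFIC)
    doms, urls = parse_block_list(BLOCK_LIST)
    print("not covered by block list:", unblocked_hosts(recs, doms, urls))
    print("\n".join(suricata_rules(doms, urls)))
```

Run as a script, the coverage check reports only api.ipify.org and www.google.com as unblocked, which is the intended outcome: both are legitimate services the malware merely uses for an IP lookup and a connectivity check, and blocking them would break far more than this infection. The URL-only treatment of baliseconsulting.com has the same logic: the three plugin paths are blocked, the rest of the site is not.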
FILE HASHES
MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:
- SHA256 hash: 8d851450fbd40364c51750e18a565016d999d2cde604b597af7133fe5717f8bb
File size: 211,968 bytes
File name: invoice_526379.doc (random file names)
File description: Word doc downloaded from a link in Hancitor malspam. Doc has macro to retrieve Hancitor.
- SHA256 hash: 6f1fdca97982d547dd976bca985e117bb47ddbacf487f3ddddc61a65872cbff6
File size: 73,216 bytes
File location: C:\Users\[username]\AppData\Local\Temp\6C.exe
File location: C:\Users\[username]\AppData\Local\Temp\6C.pif
File description: Hancitor malware binary downloaded by macro in downloaded Word doc
- SHA256 hash: 5b7f1708092a1fecf4ad1dc22cccca62c1648361f805762c465f12b9501e485c
File size: 265,728 bytes
File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random file name].exe
File description: Zeus Panda Banker downloaded by my Hancitor-infected host