2018-08-15 - QUICK POST: HANCITOR INFECTION TRAFFIC WITH ZEUS PANDA BANKER
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-08-15-Hancitor-malspam-16-examples.zip 78.6 kB (78,609 bytes)
- 2018-08-15-Hancitor-infection-with-Zeus-Panda-Banker.pcap.zip 492.7 kB (492,705 bytes)
- 2018-08-15-malware-from-Hancitor-infection.zip 330.5 kB (330,513 bytes)
NOTES:
- Today's Hancitor malspam started with the wrong message template for HelloFax from yesterday.
- Initial emails also had bad links to download malicious Word docs, using domains from yesterday's Hancitor malspam.
- As the day progressed, I saw more Hancitor malspam with the proper message template for UPS and new URLs for the malicious Word docs.
Shown above: Today's wave started out with the wrong message text template, but it was eventually corrected.
IMAGES
Shown above: Traffic from an infection filtered in Wireshark.