2018-10-09 - HANCITOR INFECTION WITH ZEUS PANDA BANKER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Email examples:  2018-10-09-Hancitor-malspam-3-email-examples.zip   18.1 kB (18,131 bytes)

• 2018-10-09-Hancitor-malspam-1459-UTC.eml   (26,787 bytes)
• 2018-10-09-Hancitor-malspam-1502-UTC.eml   (26,831 bytes)
• 2018-10-09-Hancitor-malspam-1608-UTC.eml   (26,780 bytes)

• Traffic:  2018-10-09-Hancitor-infection-with-Zeus-Panda-Banker.pcap.zip   387 kB (386,660 bytes)

• 2018-10-09-Hancitor-infection-with-Zeus-Panda-Banker.pcap   (522,205 bytes)

• Malware:  2018-10-09-malware-from-Hancitor-infection.zip   278 kB (277,549 bytes)

• 2018-10-09-downloaded-Word-doc-with-macro-for-Hancitor.doc   (205,312 bytes)
• 2018-10-09-Hancitor-malware-binary.exe   (66,560 bytes)
• 2018-10-09-Zeus-Panda-Banker-caused-by-Hancitor.exe   (143,360 bytes)

NOTES:

• Today's blog contains indicators already tweeted/posted from people like @James_inthe_box, @wwp96, @Techhelplistcom, and probably others that I'm forgetting.
• As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.

Shown above:  Flow chart for a typical Hancitor malspam infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• carvanadenver[.]com
• carvanamemphis[.]com
• carvananashville[.]com
• genesisatoxmoor[.]com
• genesiseastlouisville[.]com
• genesisofeaslouisville[.]com
• genesisofindiana[.]com
• genesisofwestlouisville[.]com
• oxmoorusedcars[.]com
• sellittooxmoor[.]com
• selltooxmoor[.]com
• hxxp[:]//keywestresortsadvice[.]com/wp-content/plugins/google-privacy-policy/1
• hxxp[:]//keywestresortsadvice[.]com/wp-content/plugins/google-privacy-policy/2
• hxxp[:]//keywestresortsadvice[.]com/wp-content/plugins/google-privacy-policy/3
• hxxp[:]//lonestarportablebuildings[.]com/wp-content/plugins/prevent-xmlrpc/1
• hxxp[:]//lonestarportablebuildings[.]com/wp-content/plugins/prevent-xmlrpc/2
• hxxp[:]//lonestarportablebuildings[.]com/wp-content/plugins/prevent-xmlrpc/3
• hxxp[:]//merisela[.]ru/wp-content/plugins/flagallery-skins/music_default/1
• hxxp[:]//merisela[.]ru/wp-content/plugins/flagallery-skins/music_default/2
• hxxp[:]//merisela[.]ru/wp-content/plugins/flagallery-skins/music_default/3
• hxxp[:]//muneersiddiqui[.]com/wp-content/plugins/bwp-minify/includes/1
• hxxp[:]//muneersiddiqui[.]com/wp-content/plugins/bwp-minify/includes/2
• hxxp[:]//muneersiddiqui[.]com/wp-content/plugins/bwp-minify/includes/3
• hxxp[:]//surfsongnorthwildwood[.]com/wp-content/plugins/wordpress-hit-counter/1
• hxxp[:]//surfsongnorthwildwood[.]com/wp-content/plugins/wordpress-hit-counter/2
• hxxp[:]//surfsongnorthwildwood[.]com/wp-content/plugins/wordpress-hit-counter/3
• hxxp[:]//www.socialmanagers[.]com/1
• hxxp[:]//www.socialmanagers[.]com/2
• hxxp[:]//www.socialmanagers[.]com/3
• fornetodu[.]com
• hehenforfi[.]ru
• hersjustretleft[.]ru
• sincirewdo[.]ru
• 275aacaa1610[.]net
• 275aacaa1698[.]net
• nobotanri[.]ru
• veintitna[.]ru
• lachistontfi[.]ru

 

HEADERS FROM A MALSPAM EXAMPLE

Shown above:  Screenshot from one of the emails.

 

Received: from vantibolli[.]com ([24.35.224[.]24]) by [removed] for [removed];
        Tue, 09 Oct 2018 16:06:40 +0000 (UTC)
Message-ID: <1BEAEE8F.56D173F7@vantibolli[.]com>
Date: Tue, 09 Oct 2018 11:08:54 -0500
From: "UPS Choice" <att@ups@vantibolli[.]com>
X-Mailer: iPad Mail (13E237)
MIME-Version: 1.0
To: [removed]
Subject: Notice from UPS

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:

• hxxp[:]//carvanadenver[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//carvanamemphis[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//carvananashville[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//genesisatoxmoor[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//genesiseastlouisville[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//genesisofeaslouisville[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//genesisofindiana[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//genesisofwestlouisville[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//oxmoorusedcars[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//sellittooxmoor[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp[:]//selltooxmoor[.]com?[string of characters]=[encoded string representing recipient's email address]

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 47.254.213[.]226 port 80 - carvananashville[.]com - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify[.]org - GET /
• 185.43.223[.]138 port 80 - fornetodu[.]com - POST /4/forum.php
• 185.43.223[.]138 port 80 - fornetodu[.]com - POST /mlu/about.php
• 185.43.223[.]138 port 80 - fornetodu[.]com - POST /d2/about.php
• 50.87.151[.]133 port 80 - keywestresortsadvice[.]com - GET /wp-content/plugins/google-privacy-policy/1
• 50.87.151[.]133 port 80 - keywestresortsadvice[.]com - GET /cgi-sys/suspendedpage.cgi
• 50.87.151[.]133 port 80 - keywestresortsadvice[.]com - GET /wp-content/plugins/google-privacy-policy/2
• 50.87.151[.]133 port 80 - keywestresortsadvice[.]com - GET /cgi-sys/suspendedpage.cgi
• 50.87.151[.]133 port 80 - keywestresortsadvice[.]com - GET /wp-content/plugins/google-privacy-policy/3
• 50.87.151[.]133 port 80 - keywestresortsadvice[.]com - GET /cgi-sys/suspendedpage.cgi
• 176.57.210[.]4 port 80 - merisela[.]ru - GET /wp-content/plugins/flagallery-skins/music_default/1   (503 service temporarily unavailable)
• 176.57.210[.]4 port 80 - merisela[.]ru - GET /wp-content/plugins/flagallery-skins/music_default/2   (503 service temporarily unavailable)
• 176.57.210[.]4 port 80 - merisela[.]ru - GET /wp-content/plugins/flagallery-skins/music_default/3   (503 service temporarily unavailable)
• 173.201.144[.]1 port 80 - www.socialmanagers[.]com - GET /1
• 173.201.144[.]1 port 80 - www.socialmanagers[.]com - GET /2
• 173.201.144[.]1 port 80 - www.socialmanagers[.]com - GET /3
• 46.36.220[.]116 port 443 - sincirewdo[.]ru - HTTPS/SSL/TLS traffic   [Zeus Panda Banker]

 

FILE HASHES

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

• SHA256 hash:  77c930bfbf405087f59a279927f32450362a47269237525318dc5d22094a331b
  File size:  205,312 bytes
  File name:  invoice_390226.doc   (random file names)
  File description:  Word doc downloaded from a link in Hancitor malspam.  Doc has macro to retreive Hancitor.

• SHA256 hash:  f5fa0a0f444d33c8485450beb01dd5b338c15996fd48670e2727bf3552e6a59d
  File size:  66,560 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\6.exe
  File location:  C:\Users\[username]\AppData\Local\Temp\6.pif
  File description:  Hancitor malware binary caused by macro in downloaded Word doc

• SHA256 hash:  b8ce490bc146c058abad4b6593d9e08adcf0b9d374616bca25df78e92ae7d753
  File size:  143,360 bytes
  File location:  C:\Users\[username]\AppData\Roaming\[existing directory path]\[random file name].exe
  File description:  Zeus Panda Banker on 2018-10-09 caused by Hancitor infection

 

Click here to return to the main page.