2018-10-22 - QUICK POST: HANCITOR MALSPAM - NO ZEUS PANDA BANKER... JUST PONY
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Emails: 2018-10-22-Hancitor-malspam-3-email-examples.zip 6.7 kB (6,749 bytes)
  - 2018-10-22-Hancitor-malspam-1638-UTC.eml (4,237 bytes)
  - 2018-10-22-Hancitor-malspam-1702-UTC.eml (4,241 bytes)
  - 2018-10-22-Hancitor-malspam-1844-UTC.eml (4,200 bytes)
- Traffic: 2018-10-22-Hancitor-malspam-infection-traffic.pcap.zip 277 kB (277,073 bytes)
  - 2018-10-22-Hancitor-malspam-infection-traffic.pcap (380,858 bytes)
- Malware: 2018-10-22-malware-from-Hancitor-infection.zip 206 kB (205,709 bytes)
  - 2018-10-22-downloaded-Word-doc-with-macro-for-Hancitor.doc (208,896 bytes)
  - 2018-10-22-Hancitor-malware-binary.exe (73,728 bytes)
  - 2018-10-22-Fareit-Pony.dll (71,680 bytes)
NOTES:
- Today, the exact same file was returned from each of the URLs ending in /1, /2, and /3 after the Hancitor binary executed.
- Looks like no Evil Pony or Zeus Panda Banker... Just Pony.
- I'm not even sure the Pony ran properly.
- I found a Fareit/Pony DLL on the infected Windows host as a .tmp file in the AppData/Local/Temp directory that failed to run (see images section).
- Reverse.it analysis of the Pony DLL can be found here.
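The Pony DLL was found sitting in AppData/Local/Temp as a .tmp file, which is a common place for a dropped PE to hide behind a harmless-looking extension. The script below is an added example (not part of the original post or the analyst's own tooling) that hunts a directory tree for .tmp files carrying a DOS/PE "MZ" header and reports their SHA-256. It builds its own constructed sample folder so it runs offline; on a real host you would point `find_pe_tmp_files` at the user's Temp directory instead.

```python
import hashlib
import tempfile
from pathlib import Path

# First two bytes of every DOS/PE executable, including DLLs.
PE_MAGIC = b"MZ"


def find_pe_tmp_files(root):
    """Return a sorted list of (path, sha256) for every *.tmp file under root
    whose first two bytes are the 'MZ' signature, i.e. a PE hiding as .tmp."""
    hits = []
    for path in Path(root).rglob("*.tmp"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            if fh.read(2) != PE_MAGIC:
                continue  # ordinary scratch file, not an executable
            fh.seek(0)
            digest = hashlib.sha256(fh.read()).hexdigest()
        hits.append((str(path), digest))
    return sorted(hits)


def build_sample_temp_dir():
    """Constructed sample data (not taken from the page): a fake Temp folder
    holding one PE-looking .tmp file, one benign text .tmp, and one .exe that
    the .tmp-only hunt should ignore."""
    root = tempfile.mkdtemp(prefix="hunt-demo-")
    (Path(root) / "abc123.tmp").write_bytes(
        b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100
    )
    (Path(root) / "notes.tmp").write_bytes(b"just a text scratch file\n")
    (Path(root) / "legit.exe").write_bytes(b"MZ" + b"\x00" * 100)
    return root


if __name__ == "__main__":
    demo_root = build_sample_temp_dir()
    for found_path, sha256 in find_pe_tmp_files(demo_root):
        print(f"PE disguised as .tmp: {found_path} sha256={sha256}")
```

The hash output is what you would compare against the SHA-256 of the 2018-10-22-Fareit-Pony.dll sample from the archive above to confirm you are looking at the same dropped file.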
IMAGES (captions only; the images themselves are not included here):
- Image: Flow chart for today's Hancitor infection (different than usual).
- Image: Screenshot from one of today's email examples.
- Image: Downloading a malicious Word doc from the email link.
- Image: Traffic from an infection filtered in Wireshark.
- Image: I saw one follow-up download for Pony.
- Image: Pony DLL found as a .tmp file on the infected Windows host.