2018-12-20 - HANCITOR INFECTION WITH URSNIF AND SMOKE LOADER
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-12-20-Hancitor-1st-run-retreives-Pony-EvilPony-Ursnif-and-SmokeLoader.pcap.zip 552 kB (552,107 bytes) No Ursnif or Smoke Loader post-infection traffic
- 2018-12-20-Hancitor-2nd-run-retreives-Pony-EvilPony-Ursnif-and-Ursnif.pcap.zip 1.2 MB (1,171,928 bytes)
- 2018-12-20-Hancitor-Ursnif-and-Smokeloader-malware.zip 3.4 MB (3,354,198 bytes)
Shown above: Flow chart for traffic on the first run.
Shown above: On the first run I saw a 4th URL for follow-up malware that turned out to be Smoke Loader.
Shown above: I tried a second infection less than an hour later, but no Smoke Loader.
Shown above: Here's what Smoke Loader looked like on an infected Windows host.