2019-07-22 - HANCITOR SWITCHES TO AMADEY, STILL PUSHING PONY/URSNIF/COBALT STRIKE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2019-07-22-Amadey-infection-with-Pony-and-Ursnif-and-Cobalt-Strike.pcap.zip   2.2 MB (2,222,251 bytes)

• 2019-07-22-Amadey-infection-with-Pony-and-Ursnif-and-Cobalt-Strike.pcap   (6,439,886 bytes)

• 2019-07-22-Amadey-Pony-Ursnif-and-Cobalt-Strike-malware-and-artifacts.zip   3.7 MB (3,692,058 bytes)

• 10703351608909_4400271827.zip   (58,682 bytes)
• 10703351608909_7812450780530.vbs   (122,537 bytes)
• 2019-07-22-Amadey-binary-dropped-by-VBS-file-yddSomO.exe   (80,573 bytes)
• 2019-07-22-Cobalt-Strike-H7mp-from-31.44.184.33.exe   (210,944 bytes)
• 2019-07-22-Cobalt-Strike-a22.exe-from-ectcnepal.org.exe   (118,784 bytes)
• 2019-07-22-Pony-pp.exe-from-neu.x-sait.de.exe   (246,784 bytes)
• 2019-07-22-Ursnif-4.exe-from-neu.x-sait.de.exe   (258,560 bytes)
• 2019-07-22-Windows-registry-updates-caused-by-Ursnif.txt   (13,771,512 bytes)
• 2019-07-22-artifact-dropped-by-VBS-file-rFEoVZsY.txt   (8 bytes)

NOTES:

• As early as Thursday 2019-07-18, the Hancitor malspam campaign switched from Hancitor to Amadey as its initial EXE.
• More info in this Twitter thread and this tweet.
• Malspam from this campaign now uses attached zip archives containing VBS files for the initial infection vector.
• Some changes in the infection traffic, but follow-up malware is the same as Hancitor pushed earlier this month (July 1st through 3rd): Pony, Ursnif, & Cobalt Strike.

 

Shown above:  The infection traffic filtered in Wireshark.

 

Click here to return to the main page.