2021-05-13 (THURSDAY) - HANCITOR WITH FICKER STEALER AND COBALT STRIKE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2021-05-13-IOCs-from-Hancitor.txt.zip   3.7 kB   (3,727 bytes)
• 2021-05-13-Hancitor-malspam-11-examples.zip   27.8 kB   (27,848 bytes)
• 2021-05-13-Hancitor-traffic-with-Ficker-Stealer-and-Cobalt-Strike.pcap.zip   9.0 MB   (9,047,623 bytes)
• 2021-05-13-Hancitor-malware-samples.zip   11.5 MB   (11,538,232 bytes)

REFERENCES:

• Wireshark Tutorial: Examining Traffic from Hancitor Infections

NOTES:

• All zip archives on this site are password-protected.  If you don't know the password, see the "about" page of this website.

• Victim's Active Directory (AD) environment from the pcap:

• Victim's LAN segment range:  10.0.0[.]0/24 (10.0.0[.]0 through 10.0.0[.]255
• Victim's Domain:  sunbattleaxes[.]com
• Victim's Domain controller:  10.0.0[.]2 - BattleAx-DC
• LAN segment gateway:  10.0.0[.]1
• LAN segment broadcast address:  10.0.0[.]255
• IP address of the infected Windows host:  10.0.0[.]101
• Host name of the infected Windows host:  DESKTOP-UGSXCLB
• User account name on the infected Windows host:  albert.hamstein

 

IMAGES

Shown above:  Traffic from the infection filtered in Wireshark.

 

Click here to return to the main page.