2018-04-04 - HANCITOR INFECTION WITH ZEUS PANDA BANKER
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-04-04-Hancitor-infection-with-Zeus-Panda-Banker.pcap.zip 2.05 MB (2,048,347 bytes)
- 2018-04-04-Hancitor-infection-with-Zeus-Panda-Banker.pcap (2,313,650 bytes)
- Zip archive of the emails: 2018-04-04-Hancitor-malspam-20-examples.txt.zip 5.9 kB (5,854 bytes)
- 2018-04-04-Hancitor-malspam-20-examples.txt (89,685 bytes)
- Zip archive of the malware: 2018-04-04-malware-from-Hancitor-infection.zip 236 kB (235,695 bytes)
- 2018-04-04-email-attachment-with-malcious-macro-for-Hancitor.doc (191,488 bytes)
- 2018-04-04-follow-up-malware-Zeus-Panda-Banker.exe (167,936 bytes)
NOTES:
- The block list contains additional post-infection URLs originally reported by @Ring0x0 reported on a Pastebin link here.
- As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- arcpercussivewelder[.]com
- arcpercussivewelding[.]com
- austinrealestateexchange[.]com
- bonitaluxe[.]com
- colloidsforlife[.]co
- dfwrealestateexchange[.]com
- durawares[.]com
- joliethearingcenter[.]net
- marnicobeauty[.]net
- marnicobeauty[.]us
- mokenahearingcenter[.]net
- silvercolloidal[.]co
- silverwater[.]co
- tilvera[.]com
- onkesandre[.]com
- ledrighlittleft[.]ru
- torscimeled[.]ru
- hxxp://risparmiato[.]com/wp-content/plugins/really-simple-captcha/2
- hxxp://risparmiato[.]com/wp-content/plugins/really-simple-captcha/3
- hxxp://siteslikecraigslist[.]com/wp-content/plugins/w3-total-cache/2
- hxxp://siteslikecraigslist[.]com/wp-content/plugins/w3-total-cache/3
- hxxp://animalhealthcenterinc[.]com/wp-content/plugins/post-expirator/3
- hxxp://animalhealthcenterinc[.]com/wp-content/plugins/post-expirator/3
- oldsinedtdin[.]com
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2018-04-04 as early as 15:04 UTC through at least 18:53 UTC
- Received: from factorco2[.]com ([208.181.214[.]155])
- Received: from texaspipeworks[.]com ([24.59.231[.]41])
- Received: from texaspipeworks[.]com ([24.98.122[.]253])
- Received: from texaspipeworks[.]com ([50.78.213[.]182])
- Received: from texaspipeworks[.]com ([63.142.59[.]182])
- Received: from texaspipeworks[.]com ([68.236.120[.]88])
- Received: from texaspipeworks[.]com ([70.62.179[.]154])
- Received: from texaspipeworks[.]com ([72.52.101[.]226])
- Received: from texaspipeworks[.]com ([75.149.57[.]254])
- Received: from texaspipeworks[.]com ([76.99.21[.]230])
- Received: from texaspipeworks[.]com ([81.255.30[.]139])
- Received: from texaspipeworks[.]com ([98.174.169[.]236])
- Received: from texaspipeworks[.]com ([207.228.78[.]4])
- Received: from timmaloneysales[.]com ([24.123.173[.]42])
- Received: from timmaloneysales[.]com ([66.37.89[.]105])
- Received: from timmaloneysales[.]com ([67.221.222[.]194])
- Received: from timmaloneysales[.]com ([73.34.196[.]197])
- Received: from timmaloneysales[.]com ([206.81.64[.]108])
- Received: from timmaloneysales[.]com ([209.33.115[.]244])
- Received: from timmaloneysales[.]com ([216.70.134[.]158])
- From: "DHL " <delivery@texaspipeworks[.]com>
- From: "DHL " <delivery@timmaloneysales[.]com>
- From: "DHL Express" <delivery@factorco2[.]com>
- From: "DHL Express" <delivery@texaspipeworks[.]com>
- From: "DHL Express" <delivery@timmaloneysales[.]com>
- From: "DHL Inc." <delivery@texaspipeworks[.]com>
- From: "DHL Inc." <delivery@timmaloneysales[.]com>
- Subject: You have a package coming
- Subject: You have a package coming from DHL
- Subject: You have a package coming to you
- Subject: You have a package on it's way to you
- Subject: You have a package on its way
- Subject: You have a shipment coming
- Subject: You have a shipment coming from DHL
- Subject: You have a shipment coming to you from DHL
- Subject: You have a shipment on it's way
- Subject: You have a shipment on it's way from DHL
- Subject: You have a shipment on it's way to you
- Subject: You have a shipment on it's way to you from DHL
- Subject: You have a shipment on its way from DHL
Shown above: Malicious Word document downloaded from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS FOR THE WORD DOCUMENT:
- hxxp://arcpercussivewelder[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://arcpercussivewelding[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://austinrealestateexchange[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://bonitaluxe[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://colloidsforlife[.]co?[string of characters]=[encoded string representing recipient's email address]
- hxxp://dfwrealestateexchange[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://durawares[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://joliethearingcenter[.]net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://marnicobeauty[.]net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://marnicobeauty[.]us?[string of characters]=[encoded string representing recipient's email address]
- hxxp://silvercolloidal[.]co?[string of characters]=[encoded string representing recipient's email address]
- hxxp://silverwater[.]co?[string of characters]=[encoded string representing recipient's email address]
- hxxp://tilvera[.]com?[string of characters]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM AN INFECTED LAB HOST:
- 104.199.36[.]43 port 80 - marnicobeauty[.]us - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify[.]org - GET /
- 91.227.68[.]36 port 80 - onkesandre[.]com - POST /ls5/forum.php
- 91.227.68[.]36 port 80 - onkesandre[.]com - POST /d2/about.php
- 92.61.152[.]31 port 80 - risparmiato[.]com - GET /wp-content/plugins/really-simple-captcha/2
- 92.61.152[.]31 port 80 - risparmiato[.]com - GET /wp-content/plugins/really-simple-captcha/32
- 45.76.114[.]241 port 443 - oldsinedtdin[.]com - HTTPS/SSL/TLS traffic from Zeus Panda Banker
FILE HASHES
MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: b2972114e6e5039b60c323d7cc74ad9f9edb78c8582878b4b2e93ae2a9b723bd
File size: 191,488 bytes
File name: invoice_447148.doc [any six random digits for the numbers]
File description: Word document with macro for Hancitor
- SHA256 hash: 114e686376515143aab1873beb5953a8a1e67917a869a165ec23ecd871e5f996
File size: 167,936 bytes
File location: C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
File description: Zeus Panda Banker
Shown above: Zeus Panda Banker persistent on the infected Windows host.
Click here to return to the main page.