2018-07-19 - HANCITOR INFECTION TRAFFIC WITH AZORULT AND ZEUS PANDA BANKER

ASSOCIATED FILES:
WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:
HEADERS FROM A MALSPAM EXAMPLE

Received: from hecker.com ([72.16.245.65]) by [removed] for [removed];
        Thu, 19 Jul 2018 15:21:29 +0000 (UTC)
Message-ID: <AE24D157.45E76072@hecker.com>
Date: Thu, 19 Jul 2018 10:22:07 -0500
Reply-To: "Bank of America Corporation. All rights reserved." <bankofamerica@hecker.com>
From: "Bank of America Corporation. All rights reserved." <bankofamerica@hecker.com>
X-Mailer: iPhone Mail (13D20)
X-Accept-Language: en-us
MIME-Version: 1.0
TO:
[removed]
Subject: Alert from Bank of America
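As an added example (not from the original post), a short Python check run over the header block above, flagging the brand display name that does not match the From domain, the consumer mail client on a supposed bank alert, and the connecting IP from the first Received line. The legitimate-domain set and the consumer-mailer list are assumptions made for illustration.

```python
import re
from email.parser import Parser

# Header block quoted from the malspam example above (recipient already removed by the author).
SAMPLE_HEADERS = """\
Received: from hecker.com ([72.16.245.65]) by [removed] for [removed];
        Thu, 19 Jul 2018 15:21:29 +0000 (UTC)
Message-ID: <AE24D157.45E76072@hecker.com>
Date: Thu, 19 Jul 2018 10:22:07 -0500
Reply-To: "Bank of America Corporation. All rights reserved." <bankofamerica@hecker.com>
From: "Bank of America Corporation. All rights reserved." <bankofamerica@hecker.com>
X-Mailer: iPhone Mail (13D20)
X-Accept-Language: en-us
MIME-Version: 1.0
Subject: Alert from Bank of America
"""

# Brand names to watch in display names, mapped to domains they legitimately send from.
# Assumed for this example; not a verified list of the bank's sending domains.
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com"}}

# Mail clients an automated bank alert would not plausibly be sent from (assumed heuristic).
CONSUMER_MAILERS = ("iphone mail", "outlook express", "thunderbird")

# Bracketed IPv4 literal as it appears in a Received header.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def analyze_headers(raw):
    """Parse a raw header block; return the From domain, connecting IP and a list of findings."""
    from email.utils import parseaddr
    msg = Parser().parsestr(raw, headersonly=True)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in legit:
            findings.append(f"display name impersonates {brand!r} but From domain is {domain}")
    mailer = msg.get("X-Mailer", "").lower()
    if findings and mailer.startswith(CONSUMER_MAILERS):
        findings.append(f"brand alert sent from a consumer mail client: {mailer}")
    # The first Received header is the hop added by the receiving server, i.e. the connecting host.
    received = msg.get_all("Received") or []
    m = RECEIVED_IP.search(received[0]) if received else None
    return {"from_domain": domain, "sender_ip": m.group(1) if m else None, "findings": findings}
```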
TRAFFIC

[Image: traffic from the infection filtered in Wireshark]

Shown above:  Traffic from an infection filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST:
FILE HASHES

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:
FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.