malware_traffic

2019-12-02 - Hancitor info

INFO FROM 2019-12-02 HANCITOR MALSPAM CAMPAIGN

LINK FROM MALSPAM EXAMPLE AND REDIRECT:

- 160.153.193[.]84 port 80 - www.ianfelton[.]info - GET /.well-known/ron.php
- 8.208.77[.]223 port 80 - omni-groupllc[.]com - GET /437843_347843.php

IP ADDRESS CHECK FROM AN INFECTED WINDOWS HOST:

- port 80 - api.ipify[.]org - GET /

HANCITOR C2:

- 178.170.248[.]82 port 80 - laticivue[.]com - POST /4/forum.php

FOLLOW-UP URLS FOR PONY/EVIL PONY/URSNIF:

- 2.57.89[.]115 port 80 - www.laadlifashionworld[.]com - GET /1
- 2.57.89[.]115 port 80 - www.laadlifashionworld[.]com - GET /2
- 2.57.89[.]115 port 80 - www.laadlifashionworld[.]com - GET /3

PONY/EVIL PONY C2:

- 178.170.248[.]82 port 80 - laticivue[.]com - POST /mlu/forum.php
- 178.170.248[.]82 port 80 - laticivue[.]com - POST /d2/about.php

URSNIF C2:

- 8.208.24[.]139 port 80 - bat.fulldin[.]at - GET /webstore/[long string]
- 8.208.24[.]139 port 80 - foo.fulldin[.]at - GET /webstore/[long string]

FILE INFO:

- SHA256 hash: aa4492feebb9372d973786f2b5b27b7d384637b477408dfdae9702b408e7a94e
- File size: 5,480 bytes
- File description: Email example from 2019-12-02 wave of Hancitor malspam
- Example at: https://app.any.run/tasks/b7a73294-a320-4e29-b8a0-39c2d1563811

- SHA256 hash: 0a87eb9834f49de095df87ce3be314772d34c95c7da1a1846a313d58b430fb71
- File size: 180,893 bytes
- File name: G9996757243586095_5678.zip
- File location: hxxp://omni-groupllc[.]com/437843_347843.php
- File description: Zip archive downloaded from link in Hancitor malspam
- NOTE: Different SHA256 hash and file name for each successful download
- Example at: https://app.any.run/tasks/b7a73294-a320-4e29-b8a0-39c2d1563811

- SHA256 hash: 729aaa301c1b3cbf2cc8702dd6a1900578cdbcb609bed2b3438552e852ae21be
- File size: 696,209 bytes
- File name: GAM_9996757243586095.vbs
- File description: VBS file extracted from above zip archive
- NOTE: Different SHA256 hash and file name for each successful download of the above zip
- Example at: https://app.any.run/tasks/59a4c94b-c9d3-4b7c-b29b-1f42740dc7b6

- SHA256 hash: f01881dbff4546bd2d66a49cc01ee09e306c025aaa4df16022eb826426f2e004
- File size: 140,800 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\PbzVeQP.txt
- File description: Hancitor DLL dropped by above VBS file
- NOTE: Probably different file names (same SHA256 hash) for each successfully-infected host
- Example at: https://app.any.run/tasks/51e7aff6-410a-4696-a1e3-462ac653b120

- SHA256 hash: e0a71b9563386bb8b77342a9de8abe9efdc5951c5e6b206ee2d26fece1085681
- File size: 15,624 bytes
- File name: C:\Users\[username]\AppData\Local\Temp\BNBA83.tmp
- File description: Initial Ursnif EXE retrieved by today's Hancitor-infected host
- NOTE: Different file names (same SHA256 hash) for each successfully-infected host
- Example at: https://app.any.run/tasks/841019db-079a-4eb9-b5d5-aadff6f27d27