2019-12-02 - Hancitor info

Posted by malware_traffic, Dec 2nd, 2019
INFO FROM 2019-12-02 HANCITOR MALSPAM CAMPAIGN

LINK FROM MALSPAM EXAMPLE AND REDIRECT:

- 160.153.193[.]84 port 80 - www.ianfelton[.]info - GET /.well-known/ron.php
- 8.208.77[.]223 port 80 - omni-groupllc[.]com - GET /437843_347843.php

IP ADDRESS CHECK FROM AN INFECTED WINDOWS HOST:

- port 80 - api.ipify[.]org - GET /

HANCITOR C2:

- 178.170.248[.]82 port 80 - laticivue[.]com - POST /4/forum.php

FOLLOW-UP URLS FOR PONY/EVIL PONY/URSNIF:

- 2.57.89[.]115 port 80 - www.laadlifashionworld[.]com - GET /1
- 2.57.89[.]115 port 80 - www.laadlifashionworld[.]com - GET /2
- 2.57.89[.]115 port 80 - www.laadlifashionworld[.]com - GET /3

PONY/EVIL PONY C2:

- 178.170.248[.]82 port 80 - laticivue[.]com - POST /mlu/forum.php
- 178.170.248[.]82 port 80 - laticivue[.]com - POST /d2/about.php

URSNIF C2:

- 8.208.24[.]139 port 80 - bat.fulldin[.]at - GET /webstore/[long string]
- 8.208.24[.]139 port 80 - foo.fulldin[.]at - GET /webstore/[long string]

FILE INFO:

- SHA256 hash: aa4492feebb9372d973786f2b5b27b7d384637b477408dfdae9702b408e7a94e
- File size: 5,480 bytes
- File description: Email example from 2019-12-02 wave of Hancitor malspam
- Example at: https://app.any.run/tasks/b7a73294-a320-4e29-b8a0-39c2d1563811

- SHA256 hash: 0a87eb9834f49de095df87ce3be314772d34c95c7da1a1846a313d58b430fb71
- File size: 180,893 bytes
- File name: G9996757243586095_5678.zip
- File location: hxxp://omni-groupllc[.]com/437843_347843.php
- File description: Zip archive downloaded from link in Hancitor malspam
- NOTE: Different SHA256 hash and file name for each successful download
- Example at: https://app.any.run/tasks/b7a73294-a320-4e29-b8a0-39c2d1563811

- SHA256 hash: 729aaa301c1b3cbf2cc8702dd6a1900578cdbcb609bed2b3438552e852ae21be
- File size: 696,209 bytes
- File name: GAM_9996757243586095.vbs
- File description: VBS file extracted from above zip archive
- NOTE: Different SHA256 hash and file name for each successful download of the above zip
- Example at: https://app.any.run/tasks/59a4c94b-c9d3-4b7c-b29b-1f42740dc7b6

- SHA256 hash: f01881dbff4546bd2d66a49cc01ee09e306c025aaa4df16022eb826426f2e004
- File size: 140,800 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\PbzVeQP.txt
- File description: Hancitor DLL dropped by above VBS file
- NOTE: Probably different file names (same SHA256 hash) for each successfully-infected host
- Example at: https://app.any.run/tasks/51e7aff6-410a-4696-a1e3-462ac653b120

- SHA256 hash: e0a71b9563386bb8b77342a9de8abe9efdc5951c5e6b206ee2d26fece1085681
- File size: 15,624 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\BNBA83.tmp
- File description: Initial Ursnif EXE retrieved by today's Hancitor-infected host
- NOTE: Different file names (same SHA256 hash) for each successfully-infected host
- Example at: https://app.any.run/tasks/841019db-079a-4eb9-b5d5-aadff6f27d27
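The notes above point out that the zip and VBS hashes change on every download, so the network indicators (host, method and URI pattern) are the durable part of this paste. The following added example, which is not part of the original paste or of malware-traffic-analysis.net, refangs the indicator lines exactly as published, parses them into structured records, and runs them over a few constructed HTTP proxy log lines. The log format (timestamp, client IP, server IP, port, method, host, URI) and the log lines themselves are constructed for the example; api.ipify[.]org is flagged as low confidence because it is a legitimate public service that the infected host merely calls.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicator lines copied from the paste above, still defanged as published.
IOC_LINES = """
- 160.153.193[.]84 port 80 - www.ianfelton[.]info - GET /.well-known/ron.php
- 8.208.77[.]223 port 80 - omni-groupllc[.]com - GET /437843_347843.php
- port 80 - api.ipify[.]org - GET /
- 178.170.248[.]82 port 80 - laticivue[.]com - POST /4/forum.php
- 2.57.89[.]115 port 80 - www.laadlifashionworld[.]com - GET /1
- 178.170.248[.]82 port 80 - laticivue[.]com - POST /mlu/forum.php
- 178.170.248[.]82 port 80 - laticivue[.]com - POST /d2/about.php
- 8.208.24[.]139 port 80 - bat.fulldin[.]at - GET /webstore/[long string]
"""

# Assumption: legitimate public services that only appear because the
# malware calls them; a hit is a weak signal on its own.
LOW_CONFIDENCE_HOSTS = {"api.ipify.org"}

# Matches one refanged indicator line; the server IP is optional because the
# ipify entry in the paste has none.
IOC_RE = re.compile(
    r"^-\s+(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+)?port\s+(?P<port>\d+)\s+-\s+"
    r"(?P<host>\S+)\s+-\s+(?P<method>[A-Z]+)\s+(?P<uri>\S.*)$"
)


@dataclass(frozen=True)
class Indicator:
    ip: Optional[str]
    port: int
    host: str
    method: str
    uri: str            # exact path, or a prefix when the paste elides the rest
    uri_is_prefix: bool


def refang(text: str) -> str:
    """Undo the paste's defanging so indicators compare against real logs."""
    return text.replace("[.]", ".").replace("hxxp://", "http://")


def parse_ioc(line: str) -> Optional[Indicator]:
    m = IOC_RE.match(refang(line.strip()))
    if not m:
        return None
    uri = m.group("uri").strip()
    is_prefix = uri.endswith("[long string]")   # paste elides the Ursnif path
    if is_prefix:
        uri = uri[: -len("[long string]")]
    return Indicator(m.group("ip"), int(m.group("port")),
                     m.group("host").lower(), m.group("method"), uri, is_prefix)


def load_iocs(text: str) -> List[Indicator]:
    return [i for i in (parse_ioc(l) for l in text.splitlines()) if i]


# Constructed proxy log lines: ts client server port method host uri
SAMPLE_LOGS = [
    "2019-12-02T14:03:11Z 10.0.0.5 8.208.77.223 80 GET omni-groupllc.com /437843_347843.php",
    "2019-12-02T14:03:40Z 10.0.0.5 203.0.113.10 80 GET api.ipify.org /",
    "2019-12-02T14:03:55Z 10.0.0.5 178.170.248.82 80 POST laticivue.com /4/forum.php",
    "2019-12-02T14:05:02Z 10.0.0.5 8.208.24.139 80 GET bat.fulldin.at /webstore/AbCdEf1234567890/xyz",
    "2019-12-02T14:06:13Z 10.0.0.5 178.170.248.82 80 POST laticivue.com /other.php",
    "2019-12-02T14:07:30Z 10.0.0.5 192.0.2.44 80 GET example.com /index.html",
]


def classify(iocs: List[Indicator], log_line: str) -> Optional[Tuple[str, Indicator]]:
    """Return ('url'|'low'|'infra', indicator) for a hit, or None.

    'url'   full host + method + port + URI pattern match (strongest)
    'low'   same, but on a low-confidence host such as api.ipify.org
    'infra' only the server IP or host matched (different URI): worth a look,
            since the paste shows one C2 host serving several URIs
    """
    fields = log_line.split()
    if len(fields) != 7:
        return None
    _, _, dst_ip, dst_port, method, host, uri = fields
    host = host.lower()
    weakest = None
    for ioc in iocs:
        host_hit = host == ioc.host
        ip_hit = ioc.ip is not None and dst_ip == ioc.ip
        if not (host_hit or ip_hit):
            continue
        uri_hit = uri.startswith(ioc.uri) if ioc.uri_is_prefix else uri == ioc.uri
        if host_hit and method == ioc.method and int(dst_port) == ioc.port and uri_hit:
            return ("low" if ioc.host in LOW_CONFIDENCE_HOSTS else "url", ioc)
        if weakest is None:
            weakest = ("infra", ioc)
    return weakest


def scan(iocs: List[Indicator], log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (log line, match level, indicator host) for every line that hits."""
    hits = []
    for line in log_lines:
        result = classify(iocs, line)
        if result:
            hits.append((line, result[0], result[1].host))
    return hits


if __name__ == "__main__":
    for line, level, host in scan(load_iocs(IOC_LINES), SAMPLE_LOGS):
        print(f"{level:5s} {host:28s} {line}")
```

Matching on host plus URI rather than on the sample hashes is the point: the ipify check and the laticivue[.]com POSTs are the same across infections even though every zip and VBS has a fresh hash, and the "infra" level catches traffic to a known C2 host whose URI is not in the paste.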