2018-12-20 - Hancitor malspam file info

2018-12-20 - HANCITOR MALSPAM FILE INFO:

Initial Excel spreadsheet from: 47.90.254[.]148 using the following domains:

airxllc[.]com
idahorxcoupon[.]com
indianarxcoupon[.]com
iowarxcoupon[.]com
kansasrxcoupon[.]com
kentuckyrxcoupon[.]com
louisianarxcoupon[.]com
mainerxcoupon[.]com
marylandrxcoupon[.]com
michiganrxcoupon[.]com
montanarxcoupon[.]com
minnesotarxcoupon[.]com
mississippirxcoupon[.]com
visionsportmotors[.]com

FILE DETAILS:

SHA256 hash: f6bfb82eb8bd80cb7f45d9d67f4c2ccf68340be0008fadc8381d75643a61c8e2
File size: 257,536 bytes
File name: invoice_194086.xls (random numbers in the file name)
File description: Downloaded Excel spreadsheet with macros for Hancitor
CAPE sandbox: https://cape.contextis.com/analysis/27870/
Reverse.it: https://www.reverse.it/sample/f6bfb82eb8bd80cb7f45d9d67f4c2ccf68340be0008fadc8381d75643a61c8e2

SHA256 hash: b0a6576e930a3a7c469537e9e229086b1c3b95b24fc5b0e9e474157016be1b59
File size: 81,922 bytes
File location: C:\Users\[username]\AppData\Local\Temp\4CB52522.com
File location: C:\Users\[username]\AppData\Local\Temp\6.pif
File description: Hancitor malware binary
CAPE sandbox: https://cape.contextis.com/analysis/27871/
Reverse.it: https://www.reverse.it/sample/b0a6576e930a3a7c469537e9e229086b1c3b95b24fc5b0e9e474157016be1b59

SHA256 hash: 5061f35b959d1a36808515a9ef02fa92b54bd0448e38c5d9eeab3a89d5c5e97a
File size: 137,728 bytes
File location: C:\Users\[username]\AppData\Local\Temp\
File description: Ursnif retrieved by Hancitor-infected host
CAPE sandbox: https://cape.contextis.com/analysis/27872/
Reverse.it: https://www.reverse.it/sample/5061f35b959d1a36808515a9ef02fa92b54bd0448e38c5d9eeab3a89d5c5e97a

SHA256 hash: d797df921fa015b4b8db8d8a33f248bb62a6515bb60792802bc96ba094ee25b0
File size: 345,088 bytes
File location: C:\Users\[username]\AppData\Local\Temp\
File description: SmokeLoader retrieved by Hancitor-infected host
CAPE sandbox: https://cape.contextis.com/analysis/27873/
Reverse.it: https://www.reverse.it/sample/d797df921fa015b4b8db8d8a33f248bb62a6515bb60792802bc96ba094ee25b0
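The indicators above are defanged ("[.]" for ".") so they cannot be clicked by accident, which also means they have to be refanged before they are useful in a DNS, proxy or EDR search. The script below is an added example, not part of the original paste: it parses the paste's own IOC text (copied in as IOC_TEXT, sandbox URLs omitted), refangs the domains and the IP, collects the SHA256 hashes, and then checks a handful of constructed log lines for hits. The three filename regexes generalise the paste's notes (the lure is invoice_<random digits>.xls; the Hancitor binary landed in %Temp% as 4CB52522.com and 6.pif) and are an assumption on my part, not a rule the paste states; the log lines and the host names in them are constructed for the demo.

```python
"""Refang the Hancitor IOC list and match it against log lines.

Added example, not part of the original paste. IOC_TEXT is copied from the
paste (sandbox URLs omitted); LOG_LINES are constructed for the demo. The
filename regexes generalise the paste's observations and are assumptions.
"""
import re

IOC_TEXT = r"""
Initial Excel spreadsheet from: 47.90.254[.]148 using the following domains:
airxllc[.]com
idahorxcoupon[.]com
indianarxcoupon[.]com
iowarxcoupon[.]com
kansasrxcoupon[.]com
kentuckyrxcoupon[.]com
louisianarxcoupon[.]com
mainerxcoupon[.]com
marylandrxcoupon[.]com
michiganrxcoupon[.]com
montanarxcoupon[.]com
minnesotarxcoupon[.]com
mississippirxcoupon[.]com
visionsportmotors[.]com
SHA256 hash: f6bfb82eb8bd80cb7f45d9d67f4c2ccf68340be0008fadc8381d75643a61c8e2
SHA256 hash: b0a6576e930a3a7c469537e9e229086b1c3b95b24fc5b0e9e474157016be1b59
File location: C:\Users\[username]\AppData\Local\Temp\4CB52522.com
SHA256 hash: 5061f35b959d1a36808515a9ef02fa92b54bd0448e38c5d9eeab3a89d5c5e97a
SHA256 hash: d797df921fa015b4b8db8d8a33f248bb62a6515bb60792802bc96ba094ee25b0
"""

# A dotted token that may contain "[.]"; tokens without "[.]" (e.g. sandbox URLs) are skipped.
DEFANGED_TOKEN = re.compile(r'(?<![\w.])[A-Za-z0-9-]+(?:(?:\.|\[\.\])[A-Za-z0-9-]+)+')
SHA256 = re.compile(r'\b[0-9a-f]{64}\b')
IPV4 = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')

# Assumed filename patterns generalised from the paste's notes, not rules the paste states.
FILENAME_PATTERNS = {
    "invoice_<digits>.xls lure": re.compile(r'\binvoice_\d+\.xls\b', re.I),
    "%Temp%\\<8 hex>.com payload": re.compile(r'\\AppData\\Local\\Temp\\[0-9A-F]{8}\.com\b', re.I),
    "%Temp%\\<digits>.pif payload": re.compile(r'\\AppData\\Local\\Temp\\\d+\.pif\b', re.I),
}


def refang(token: str) -> str:
    """Undo the defanging used in the paste ("[.]" for ".", "hxxp" for "http")."""
    return token.replace("[.]", ".").replace("hxxp", "http").lower()


def parse_iocs(text: str) -> dict:
    """Pull defanged domains, IPv4 addresses and SHA256 hashes out of free text."""
    iocs = {"domains": set(), "ips": set(), "sha256": set()}
    for tok in DEFANGED_TOKEN.findall(text):
        if "[.]" not in tok:          # ordinary dotted text, e.g. cape.contextis.com
            continue
        clean = refang(tok)
        (iocs["ips"] if IPV4.fullmatch(clean) else iocs["domains"]).add(clean)
    iocs["sha256"].update(h.lower() for h in SHA256.findall(text))
    return iocs


def match_line(line: str, iocs: dict) -> list:
    """Return (kind, indicator) pairs for every IOC that appears in one log line."""
    hits = []
    low = line.lower()
    for d in sorted(iocs["domains"]):
        # allow subdomains (www.<d>) but not a longer label such as not<d>
        if re.search(r'(?<![\w-])' + re.escape(d) + r'(?![\w-])', low):
            hits.append(("domain", d))
    for ip in sorted(iocs["ips"]):
        if re.search(r'(?<![\d.])' + re.escape(ip) + r'(?![\d.])', line):
            hits.append(("ip", ip))
    for h in sorted(iocs["sha256"]):
        if h in low:
            hits.append(("sha256", h))
    for name, pat in FILENAME_PATTERNS.items():
        if pat.search(line):
            hits.append(("filename", name))
    return hits


def scan(lines, iocs) -> list:
    """Return [(line_index, kind, indicator), ...] across all lines."""
    return [(i, kind, ind) for i, line in enumerate(lines)
            for kind, ind in match_line(line, iocs)]


# Constructed DNS / proxy / EDR style lines for the demo; not real telemetry.
LOG_LINES = [
    "2018-12-20T14:02:11Z dns host=WS01 qname=idahorxcoupon.com type=A",
    "2018-12-20T14:02:12Z proxy host=WS01 GET http://47.90.254.148/invoice_588213.xls",
    "2018-12-20T14:02:40Z edr host=WS01 file_created path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\A1B2C3D4.com",
    "2018-12-20T14:02:41Z edr host=WS01 sha256=b0a6576e930a3a7c469537e9e229086b1c3b95b24fc5b0e9e474157016be1b59",
    "2018-12-20T14:05:00Z dns host=WS02 qname=example.com type=A",
]

if __name__ == "__main__":
    found = parse_iocs(IOC_TEXT)
    for idx, kind, ind in scan(LOG_LINES, found):
        print(f"line {idx}: {kind} {ind}")
```

The domain check deliberately allows a subdomain prefix (www.idahorxcoupon.com) but rejects a longer label (notidahorxcoupon.com), and the IP check is bounded so 47.90.254.148 does not fire on 147.90.254.148 or 47.90.254.1480. The hash and path patterns are the most durable of the four kinds of indicator here; the domains were registered for this campaign and will rotate, so treat a domain hit as a prompt to pull the file-level evidence rather than as the whole detection.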