Hancitor data for Tuesday 2018-12-18

1. Hancitor data for Tuesday 2018-12-18:
2.  
3. Some domains used in links from the emails to download the initial Excel spreadsheet:
4.  
5. - co2meter[.]in
6. - co2meters[.]co
7. - co2meters[.]us
8. - gaslab[.]kr
9. - gaslab[.]mx
10.  
11. SHA256 hash: 79b1d08d8afc60e72518db75615af3d232d86809ea75881fa10af7e5736adc4a
12. File size: 521,728 bytes
13. File name: invoice_012345.xls (random numbers in the file name)
14. File description: Excel spreadsheet with macro to drop Hancitor binary
15. Sample available at: https://cape.contextis.com/analysis/27376/
16. Sample available at: https://www.reverse.it/sample/79b1d08d8afc60e72518db75615af3d232d86809ea75881fa10af7e5736adc4a
17.  
18. SHA256 hash: 14fca96dd1d99d7e9bfcd9a830294ce0488b357cf2b4c0898f798e40c0efd248
19. File size: 94,210 bytes
20. File location: C:\Users\[username]\AppData\Local\Temp\4CB52522.com
21. File location: C:\Users\[username]\AppData\Local\Temp\6.exe
22. File location: C:\Users\[username]\AppData\Local\Temp\6.pif
23. File description: Hancitor malware binary
24. Sample available at: https://cape.contextis.com/analysis/27374/
25. Sample available at: https://www.reverse.it/sample/14fca96dd1d99d7e9bfcd9a830294ce0488b357cf2b4c0898f798e40c0efd248
26.  
27. SHA256 hash: 35c58b14a3e5526cac8bbc1cb43d56ba5947b1de0c5f3c9fd9b9bd4f25685fc3
28. File size: 225,280 bytes
29. File location: C:\Users\[username]\AppData\Local\Temp\BN52C1.tmp
30. File description: Ursnif retrieved by Hancitor-infected host
31. Sample available at: https://cape.contextis.com/analysis/27375/
32. Sample available at: https://www.reverse.it/sample/35c58b14a3e5526cac8bbc1cb43d56ba5947b1de0c5f3c9fd9b9bd4f25685fc3