2019-10-09 - Hancitor activity

malware_traffic, Oct 9th, 2019 (edited)
2019-10-09 - HANCITOR ACTIVITY

- Reference: https://www.malware-traffic-analysis.net/2019/10/09/index.html

DATA FROM 10 EXAMPLES OF MALSPAM:

- Received: from elitewellnesssystems.com ([50.76.187.41])
- Received: from elitewellnesssystems.com ([65.181.54.170])
- Received: from elitewellnesssystems.com ([67.135.230.178])
- Received: from elitewellnesssystems.com ([71.172.32.163])
- Received: from elitewellnesssystems.com ([96.94.62.89])
- Received: from elitewellnesssystems.com ([98.196.115.67])
- Received: from elitewellnesssystems.com ([173.12.239.115])
- Received: from elitewellnesssystems.com ([173.167.51.106])
- Received: from elitewellnesssystems.com ([174.207.21.30])
- Received: from elitewellnesssystems.com ([192.230.171.163])

- From: "DocuSign Electronic Signature " <docusign@elitewellnesssystems.com>
- From: "DocuSign Electronic Signature and Invoice Service" <docusign@elitewellnesssystems.com>
- From: "DocuSign Signature " <docusign@elitewellnesssystems.com>
- From: "DocuSign Signature  Service" <docusign@elitewellnesssystems.com>
- From: "DocuSign Signature and Invoice" <docusign@elitewellnesssystems.com>
- From: "DocuSign Signature and Invoice Service" <docusign@elitewellnesssystems.com>

- Subject: You got invoice from DocuSign Electronic Service
- Subject: You got invoice from DocuSign Electronic Signature Service
- Subject: You got invoice from DocuSign Signature Service
- Subject: You received invoice from DocuSign Electronic Signature Service
- Subject: You received invoice from DocuSign Service
- Subject: You received notification from DocuSign Electronic Service
- Subject: You received notification from DocuSign Service
- Subject: You received notification from DocuSign Signature Service

LINKS FROM THE EMAILS:

- hxxp://dafranco[.]fr/components/rsl20.php
- hxxp://feedtamils[.]com/request_images/trks6565.php
- hxxp://guitarlessonsvideo[.]info/setupconfig/rottenhellboy12.php
- hxxp://interimsellingsolutions[.]com/cgi-bin/wddawson123.php
- hxxp://investinscs[.]com/entrepreneur-bootcamp/wilsonthebuilder.php
- hxxp://iolandagazzerro[.]it/installation_/yobobyuan.php
- hxxp://pingaaksh[.]in/wp-content/whansjoseph.php
- hxxp://ralphcarr[.]com/apps/tmeyers51.php
- hxxp://sacredbeautycollection[.]com/sexycashflow/wwhillassoc.php
- hxxp://tamilhindu[.]com/css/swalker.php

INFECTION TRAFFIC:

ZIP DOWNLOAD:

- 47.74.181[.]177 port 80 - elitefireandsafety[.]com - GET /docus_39386.zip
- 47.74.181[.]177 port 80 - elitefireandsafety[.]com - GET /download.html

IP ADDRESS CHECK:

- port 80 - api.ipify[.]org - GET /

HANCITOR/PONY/EVIL PONY CALLBACK:

- 95.169.181[.]133 port 80 - avantusthea[.]com - POST /4/forum.php
- 95.169.181[.]133 port 80 - avantusthea[.]com - POST /mlu/forum.php
- 95.169.181[.]133 port 80 - avantusthea[.]com - POST /d2/about.php

FOLLOW-UP DOWNLOADS FOR PONY/EVIL PONY/URSNIF:

- 173.201.96[.]128 port 80 - kylemarketing[.]com - GET /wp-includes/widgets/1
- 173.201.96[.]128 port 80 - kylemarketing[.]com - GET /wp-includes/widgets/2
- 173.201.96[.]128 port 80 - kylemarketing[.]com - GET /wp-includes/widgets/4

FOLLOW-UP DOWNLOAD FOR COBALT STRIKE:

- 192.254.233[.]200 port 80 - domainnamesexpert[.]info - GET /wp-content/plugins/iSEO/a

COBALT STRIKE INFECTION TRAFFIC:

- 31.44.184[.]123 port 80 - 31.44.184[.]123 - GET /CjnA
- 31.44.184[.]123 port 80 - 31.44.184[.]123 - GET /pixel.gif

URSNIF INFECTION TRAFFIC:

- 47.254.144[.]71 port 80 - has.votaritar[.]at - GET /webstore/[long string]

FILE HASHES:

- SHA256 hash: 84d53b972e9a763d34dfb5927153670d46b5563a18c605d625612adf23bba604
- File size: 117,691 bytes
- File location: hxxp://elitefireandsafety[.]com/docus_39386.zip
- File name: docus_39386.zip
- File description: Downloaded zip archive from link in Hancitor malspam

- SHA256 hash: 36448de9a48210f85e5fd61329bbce4d86173ba705fca75d0dfecdf2002d1684
- File size: 131,721 bytes
- File name: docus_39386.doc
- File description: Word doc extracted from downloaded zip archive. Word doc has macro for Hancitor

- SHA256 hash: c559274c18ff0a53580aa98806d1aeabaff35f6bfcb9732152df9360fa644563
- File size: 68,096 bytes
- File location: hxxp://elitefireandsafety[.]com/download.html (HTML file with hex code for Hancitor DLL)
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Word\Startup\55F.wll
- File description: Hancitor DLL file

- SHA256 hash: 59beed8f43d8d99406f88f11711a8b29d52cd5edd8409fc7b8b0cc4b3afa9c4e
- File size: 39,936 bytes
- File location: hxxp://domainnamesexpert[.]info/wp-content/plugins/iSEO/a (encoded/compressed or otherwise obfuscated)
- File location: C:\Users\[username]\AppData\Local\Temp\BND7D7.tmp
- File description: Cobalt Strike EXE found on Hancitor-infected host

- SHA256 hash: 1397916117996f3f12b6a57f566d37ece3ceab4a069a08ff5b8b5e73b68ed05c
- File size: 243,712 bytes
- File location: hxxp://kylemarketing[.]com/wp-includes/widgets/4 (encoded/compressed or otherwise obfuscated)
- File location: C:\Users\[username]\AppData\Local\Temp\BN142C.tmp
- File description: Ursnif EXE found on Hancitor-infected host