malware_traffic

2019-10-09 - Hancitor activity

Oct 9th, 2019
2019-10-09 - HANCITOR ACTIVITY

- Reference: https://www.malware-traffic-analysis.net/2019/10/09/index.html

DATA FROM 10 EXAMPLES OF MALSPAM:

- Received: from elitewellnesssystems.com ([50.76.187.41])
- Received: from elitewellnesssystems.com ([65.181.54.170])
- Received: from elitewellnesssystems.com ([67.135.230.178])
- Received: from elitewellnesssystems.com ([71.172.32.163])
- Received: from elitewellnesssystems.com ([96.94.62.89])
- Received: from elitewellnesssystems.com ([98.196.115.67])
- Received: from elitewellnesssystems.com ([173.12.239.115])
- Received: from elitewellnesssystems.com ([173.167.51.106])
- Received: from elitewellnesssystems.com ([174.207.21.30])
- Received: from elitewellnesssystems.com ([192.230.171.163])

- From: "DocuSign Electronic Signature " <docusign@elitewellnesssystems.com>
- From: "DocuSign Electronic Signature and Invoice Service" <docusign@elitewellnesssystems.com>
- From: "DocuSign Signature " <docusign@elitewellnesssystems.com>
- From: "DocuSign Signature Service" <docusign@elitewellnesssystems.com>
- From: "DocuSign Signature and Invoice" <docusign@elitewellnesssystems.com>
- From: "DocuSign Signature and Invoice Service" <docusign@elitewellnesssystems.com>

- Subject: You got invoice from DocuSign Electronic Service
- Subject: You got invoice from DocuSign Electronic Signature Service
- Subject: You got invoice from DocuSign Signature Service
- Subject: You received invoice from DocuSign Electronic Signature Service
- Subject: You received invoice from DocuSign Service
- Subject: You received notification from DocuSign Electronic Service
- Subject: You received notification from DocuSign Service
- Subject: You received notification from DocuSign Signature Service

LINKS FROM THE EMAILS:

- hxxp://dafranco[.]fr/components/rsl20.php
- hxxp://feedtamils[.]com/request_images/trks6565.php
- hxxp://guitarlessonsvideo[.]info/setupconfig/rottenhellboy12.php
- hxxp://interimsellingsolutions[.]com/cgi-bin/wddawson123.php
- hxxp://investinscs[.]com/entrepreneur-bootcamp/wilsonthebuilder.php
- hxxp://iolandagazzerro[.]it/installation_/yobobyuan.php
- hxxp://pingaaksh[.]in/wp-content/whansjoseph.php
- hxxp://ralphcarr[.]com/apps/tmeyers51.php
- hxxp://sacredbeautycollection[.]com/sexycashflow/wwhillassoc.php
- hxxp://tamilhindu[.]com/css/swalker.php

INFECTION TRAFFIC:

ZIP DOWNLOAD:

- 47.74.181[.]177 port 80 - elitefireandsafety[.]com - GET /docus_39386.zip
- 47.74.181[.]177 port 80 - elitefireandsafety[.]com - GET /download.html

IP ADDRESS CHECK:

- port 80 - api.ipify[.]org - GET /

HANCITOR/PONY/EVIL PONY CALLBACK:

- 95.169.181[.]133 port 80 - avantusthea[.]com - POST /4/forum.php
- 95.169.181[.]133 port 80 - avantusthea[.]com - POST /mlu/forum.php
- 95.169.181[.]133 port 80 - avantusthea[.]com - POST /d2/about.php

FOLLOW-UP DOWNLOADS FOR PONY/EVIL PONY/URSNIF:

- 173.201.96[.]128 port 80 - kylemarketing[.]com - GET /wp-includes/widgets/1
- 173.201.96[.]128 port 80 - kylemarketing[.]com - GET /wp-includes/widgets/2
- 173.201.96[.]128 port 80 - kylemarketing[.]com - GET /wp-includes/widgets/4

FOLLOW-UP DOWNLOAD FOR COBALT STRIKE:

- 192.254.233[.]200 port 80 - domainnamesexpert[.]info - GET /wp-content/plugins/iSEO/a

COBALT STRIKE INFECTION TRAFFIC:

- 31.44.184[.]123 port 80 - 31.44.184[.]123 - GET /CjnA
- 31.44.184[.]123 port 80 - 31.44.184[.]123 - GET /pixel.gif

URSNIF INFECTION TRAFFIC:

- 47.254.144[.]71 port 80 - has.votaritar[.]at - GET /webstore/[long string]

FILE HASHES:

- SHA256 hash: 84d53b972e9a763d34dfb5927153670d46b5563a18c605d625612adf23bba604
- File size: 117,691 bytes
- File location: hxxp://elitefireandsafety[.]com/docus_39386.zip
- File name: docus_39386.zip
- File description: Downloaded zip archive from link in Hancitor malspam

- SHA256 hash: 36448de9a48210f85e5fd61329bbce4d86173ba705fca75d0dfecdf2002d1684
- File size: 131,721 bytes
- File name: docus_39386.doc
- File description: Word doc extracted from downloaded zip archive. Word doc has macro for Hancitor

- SHA256 hash: c559274c18ff0a53580aa98806d1aeabaff35f6bfcb9732152df9360fa644563
- File size: 68,096 bytes
- File location: hxxp://elitefireandsafety[.]com/download.html (HTML file with hex code for Hancitor DLL)
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Word\Startup\55F.wll
- File description: Hancitor DLL file

- SHA256 hash: 59beed8f43d8d99406f88f11711a8b29d52cd5edd8409fc7b8b0cc4b3afa9c4e
- File size: 39,936 bytes
- File location: hxxp://domainnamesexpert[.]info/wp-content/plugins/iSEO/a (encoded/compressed or otherwise obfuscated)
- File location: C:\Users\[username]\AppData\Local\Temp\BND7D7.tmp
- File description: Cobalt Strike EXE found on Hancitor-infected host

- SHA256 hash: 1397916117996f3f12b6a57f566d37ece3ceab4a069a08ff5b8b5e73b68ed05c
- File size: 243,712 bytes
- File location: hxxp://kylemarketing[.]com/wp-includes/widgets/4 (encoded/compressed or otherwise obfuscated)
- File location: C:\Users\[username]\AppData\Local\Temp\BN142C.tmp
- File description: Ursnif EXE found on Hancitor-infected host