2018-12-18: Hancitor "18eor12" -> EvilPony & ISFB v217

1. Hancitor "18eor12" Payload Domains (MD5: DCAF482D4E651615D310D668FACE3F88):
2.  
3. // l -> Download and execute .EXE in separate thread (arg=1)
4. {l:http://mail.mobileapprental.com/wp-content/themes/1|http://www.parkinsoncsra.org/wp-admin/1|http://digitalmarketingsheffield.co.uk/wp-includes/pomo/1|http://ledbazaar.net/wp-admin/1|http://culture-developpement.asso.fr/wp-content/plugins/wp-pagenavi/1}
5.  
6. // b -> Download and inject code into svchost.exe
7. {b:http://mail.mobileapprental.com/wp-content/themes/2|http://www.parkinsoncsra.org/wp-admin/2|http://digitalmarketingsheffield.co.uk/wp-includes/pomo/2|http://ledbazaar.net/wp-admin/2|http://culture-developpement.asso.fr/wp-content/plugins/wp-pagenavi/2}
8.  
9. // r -> Download and execute .DLL or .EXE
10. {r:http://mail.mobileapprental.com/wp-content/themes/3|http://www.parkinsoncsra.org/wp-admin/3|http://digitalmarketingsheffield.co.uk/wp-includes/pomo/3|http://ledbazaar.net/wp-admin/3|http://culture-developpement.asso.fr/wp-content/plugins/wp-pagenavi/3}
11.  
12. EvilPony C2 (MD5: 08ACB679FF979299B6AAA62CF94A900D):
13.  
14. http://perjustleftsup.com/mlu/forum.php
15. http://codirecrof.ru/mlu/forum.php
16. http://moceoftpar.ru/mlu/forum.php
17.  
18. MD5 (2018-12-18.isfbv217.loader.packed.vk.exe) = F31EF06DB9A84FFD82D62DA7953FA101
19.  
20. Bot ['2.17']
21. Build ['061']
22. Botnet/Group ID ['2000']
23. DGA TLDs ['com', 'ru', 'org']
24. Server [’550’]
25. Encryption key ['Gwe9HMygngWe8kPK']
26. DGA CRC ['0x4eb7d2ca']
27. DGA Base URL ['constitution.org/usdeclar.txt']
28. Domains: ['api2.doter.at/webstore', 'beetfeetlife.bit/webstore', 'in.extermas.at/webstore', 'sx.zaronif.at/webstore', 'g2.ex100p.at/webstore', 'gif.doter.at/webstore', 'extra.avareg.cn/webstore', 'foo.avaregio.at/webstore', 'op.iovbased.at/webstore', 'ws.doter.at/webstore', 'f1.cnboal.at/webstore', 'xxx.doolap.at/webstore', '51.255.48.78', '192.71.245.208', '178.17.170.179', '193.183.98.66', '207.148.83.241', '111.67.20.8', '103.236.162.119', '142.4.205.47', '213.136.85.253', '159.89.249.249', '82.196.9.45']
29. Path: ['/images/']