malware_traffic

2020-10-27 (Tuesday) - Hancitor with Cobalt Strike and unidentified info-stealer

EMAIL INFO:

- Received from: acuraaccelerationproblems.com ([62.232.211.230])
- Received from: acuraaccelerationproblems.com ([123.59.173.195])
- Received from: acuraaccelerationproblems.com ([166.156.27.93])
- Received from: acuraaccelerationproblems.com ([182.237.124.38])
- Received from: acuraaccelerationproblems.com ([212.5.141.134])

- From: "DocuSign Electronic Signature and Invoice Service" <fgodut@acuraaccelerationproblems.com>
- From: "DocuSign Electronic Signature and Invoice Service" <iysurlg@acuraaccelerationproblems.com>
- From: "DocuSign Signature " <cofnu@acuraaccelerationproblems.com>
- From: "DocuSign Signature and Invoice" <boru@acuraaccelerationproblems.com>
- From: "DocuSign Signature Service" <yxaizao@acuraaccelerationproblems.com>

- Subject: You got invoice from DocuSign Signature Service
- Subject: You got notification from DocuSign Service
- Subject: You got notification from DocuSign Signature Service
- Subject: You received invoice from DocuSign Electronic Signature Service

LINKS FROM THE EMAILS:

- Link: hxxps://docs.google[.]com/document/d/e/2PACX-1vQWHPnAL19--S5fhuKYwz4kBBd02AMx21__UIa1V-NtzAAD9cRnqkRYsEDKx8BgUg86bMHDk66-yys9/pub

- Link from Google Docs page: hxxps://www.google[.]com/url?q=hxxp://czyszczeniesrebra[.]pl/insure.php&sa=D&ust=1603827760891000&usg=AOvVaw05xTtuU2LfqUqVYMYFf2o8

- Link: hxxps://docs.google[.]com/document/d/e/2PACX-1vQsh8vxGwEsmF9YUXvPrmYoNrQDuW58Qk9JZJQJtgLaeFTh3Z2HJLKwlQhRCs0S1n8UA0lbmJmGn9so/pub

- Link from Google Docs page: hxxps://www.google[.]com/url?q=hxxps://www.brafa.com[.]br/draw.php&sa=D&ust=1603827618317000&usg=AOvVaw2dYS0ytGsKQYAcmFsi47vM

- Link: hxxps://docs.google[.]com/document/d/e/2PACX-1vS_KjrbqlXUcZ2KS5he0a_7_58Yf6L6ngaOm5vBMHPY7zIEwNqvbMF7r8OeOmwG6anVdqMR2Dt199sg/pub

- Link from Google Docs page: hxxps://www.google[.]com/url?q=hxxp://kgi.shakiltrade[.]com/design.php&sa=D&ust=1603827914987000&usg=AOvVaw3Cugz2dPIDcazKGjUqpalh

- Link: hxxps://docs.google[.]com/document/d/e/2PACX-1vToBIzhSVxmQLHqUK7cC7uWqMvN2qsBzVifLoYP3BytPdSvmz6VmiMxBpzji7exwqi0_HqRviBw1Fe9/pub

- Link from Google Docs page: hxxps://www.google[.]com/url?q=hxxps://novopedido.camaleaocamisas.com[.]br/go.php&sa=D&ust=1603827914352000&usg=AOvVaw2jxyjn1CgNz702y4Mms6Ab

- Link: hxxps://docs.google[.]com/document/d/e/2PACX-1vQoeG8-nJekDDIKFmTvrZ8iTfZoA2jul57ug0iaPDnORepcuAIROu_kuzfiJcNQ8uIbFYGZeCFZUuOq/pub

- Link from Google Docs page: hxxps://www.google[.]com/url?q=hxxps://numbayfoundation[.]org/put.php&sa=D&ust=1603829390319000&usg=AOvVaw1yTW0oM-3VfNn8LyRM4-_6

HANCITOR TRAFFIC CAUSED BY SPREADSHEET MACRO:

- 8.209.127[.]167 port 80 - oreillyautolawsuit[.]com - GET /x.png
- port 80 - api.ipify.org - GET /
- 95.216.151[.]81 port 80 - ziverbsel[.]com - POST /7/forum.php

FOLLOW-UP MALWARE REQUEST FOR COBALT STRIKE (DID NOT RUN ON MY LAB HOST):

- 69.30.232[.]138 port 80 - 69.30.232[.]138 - GET /download/138.exe

TRAFFIC FOR FOLLOW-UP MALWARE:

- 8.209.127[.]167 port 80 - oreillyautolawsuit[.]com - GET /f3.exe
- port 80 - api.ipify.org - GET /?format=xml
- 5.63.155[.]126 port 80 - functionalrejh[.]com - TCP traffic over port 80 (not hxxp)

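The two network patterns in this paste are easy to turn into proxy-log detections: the google.com/url?q= redirect from the Google Docs lure to a bare .php page, and the Hancitor check-in, where the infected host first asks api.ipify.org for its external IP and then POSTs to /<n>/forum.php. The script below is an added example, not part of the original paste; the log format and the sample lines are constructed, reusing hostnames and paths from this paste.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed proxy log modelled on the sequence in this paste (not a real capture).
# Fields: timestamp client method host path
SAMPLE_LOG = """\
2020-10-27T14:02:11 10.0.0.5 GET docs.google.com /document/d/e/2PACX-EXAMPLE/pub
2020-10-27T14:02:20 10.0.0.5 GET www.google.com /url?q=http://czyszczeniesrebra.pl/insure.php&sa=D
2020-10-27T14:03:05 10.0.0.5 GET oreillyautolawsuit.com /x.png
2020-10-27T14:03:07 10.0.0.5 GET api.ipify.org /
2020-10-27T14:03:09 10.0.0.5 POST ziverbsel.com /7/forum.php
2020-10-27T15:10:00 10.0.0.9 GET api.ipify.org /
2020-10-27T15:40:00 10.0.0.9 POST intranet.example /login.php
"""

# Hancitor check-in path seen in this paste: a numeric directory followed by forum.php
FORUM_PHP = re.compile(r"^/\d+/forum\.php$")

def parse_log(text):
    """Yield (timestamp, client, method, host, path) from the 5-field log format."""
    for line in text.splitlines():
        ts, client, method, host, path = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts), client, method, host, path

def find_hancitor_checkins(text, window=timedelta(seconds=120)):
    """Flag clients that query api.ipify.org and then POST to /<n>/forum.php within
    `window`. The ipify lookup alone is not enough (10.0.0.9 below is benign)."""
    last_ipify = {}
    hits = []
    for ts, client, method, host, path in parse_log(text):
        if method == "GET" and host == "api.ipify.org":
            last_ipify[client] = ts
        elif method == "POST" and FORUM_PHP.match(path):
            seen = last_ipify.get(client)
            if seen is not None and ts - seen <= window:
                hits.append((client, host, path))
    return hits

def find_google_redirect_lures(text):
    """Return (client, target) for google.com/url?q= redirects whose target is a .php
    page, the lure pattern behind the Google Docs links in this paste."""
    lures = []
    for _, client, _, host, path in parse_log(text):
        if host.endswith("google.com") and path.startswith("/url?"):
            target = parse_qs(urlparse(path).query).get("q", [""])[0]
            if urlparse(target).path.endswith(".php"):
                lures.append((client, target))
    return lures
```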
MALWARE:

- SHA256 hash: 7c9eb9658a1782702301ed2c943c9f59f45c0ac2ffb7fb3e0da8ed6036f752a2
- File size: 290,944 bytes
- File name: comp_4389.xlsb
- File description: XLSX file with macros for Hancitor

- SHA256 hash: c3e21f7b2bfc3da5e77b37f6556fb985e4402551bac45636a7488664e67d477f
- File size: 689,496 bytes
- File location: hxxp://oreillyautolawsuit[.]com/x.png
- File location: C:\Users\[username]\WinHost32.exe
- File description: EXE file for Hancitor

- SHA256 hash: 3b547e3bd5f3040c824ea497f265bf355483cce29c4e059d16e04fba20325498
- File size: 689,496 bytes
- File location: hxxp://oreillyautolawsuit[.]com/f3.exe
- File location: C:\Users\[username]\AppData\Local\Temp\BN6E83.tmp
- File description: unidentified info-stealer (comms with functionalrejh.com)

- SHA256 hash: 53c9abf3e3d86b1d9d633aff273a70f11e83858d3fdb362108395f170bcdebc4
- File location: hxxp://69.30.232[.]138/download/138.exe
- File description: EXE file for Cobalt Strike

- SHA256 hash: dc021a0ca0bb3f66d54d15d2b236422c0b90399ea762c7d7aa6d727b9bd5b46c
- File size: 274,958 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\SU7096.tmp
- File description: unidentified info-stealer (comms with functionalrejh.com) - same hash seen during last week's Hancitor infection
