malware_traffic

2020-10-27 (Tuesday) - Hancitor with Cobalt Strike and unidentified info-stealer

Oct 27th, 2020
EMAIL INFO:

- Received from: acuraaccelerationproblems.com ([62.232.211.230])
- Received from: acuraaccelerationproblems.com ([123.59.173.195])
- Received from: acuraaccelerationproblems.com ([166.156.27.93])
- Received from: acuraaccelerationproblems.com ([182.237.124.38])
- Received from: acuraaccelerationproblems.com ([212.5.141.134])

- From: "DocuSign Electronic Signature and Invoice Service" <fgodut@acuraaccelerationproblems.com>
- From: "DocuSign Electronic Signature and Invoice Service" <iysurlg@acuraaccelerationproblems.com>
- From: "DocuSign Signature " <cofnu@acuraaccelerationproblems.com>
- From: "DocuSign Signature and Invoice" <boru@acuraaccelerationproblems.com>
- From: "DocuSign Signature Service" <yxaizao@acuraaccelerationproblems.com>

- Subject: You got invoice from DocuSign Signature Service
- Subject: You got notification from DocuSign Service
- Subject: You got notification from DocuSign Signature Service
- Subject: You received invoice from DocuSign Electronic Signature Service

LINKS FROM THE EMAILS:

- Link: hxxps://docs.google[.]com/document/d/e/2PACX-1vQWHPnAL19--S5fhuKYwz4kBBd02AMx21__UIa1V-NtzAAD9cRnqkRYsEDKx8BgUg86bMHDk66-yys9/pub

- Link from Google Docs page: hxxps://www.google[.]com/url?q=hxxp://czyszczeniesrebra[.]pl/insure.php&sa=D&ust=1603827760891000&usg=AOvVaw05xTtuU2LfqUqVYMYFf2o8

- Link: hxxps://docs.google[.]com/document/d/e/2PACX-1vQsh8vxGwEsmF9YUXvPrmYoNrQDuW58Qk9JZJQJtgLaeFTh3Z2HJLKwlQhRCs0S1n8UA0lbmJmGn9so/pub

- Link from Google Docs page: hxxps://www.google[.]com/url?q=hxxps://www.brafa.com[.]br/draw.php&sa=D&ust=1603827618317000&usg=AOvVaw2dYS0ytGsKQYAcmFsi47vM

- Link: hxxps://docs.google[.]com/document/d/e/2PACX-1vS_KjrbqlXUcZ2KS5he0a_7_58Yf6L6ngaOm5vBMHPY7zIEwNqvbMF7r8OeOmwG6anVdqMR2Dt199sg/pub

- Link from Google Docs page: hxxps://www.google[.]com/url?q=hxxp://kgi.shakiltrade[.]com/design.php&sa=D&ust=1603827914987000&usg=AOvVaw3Cugz2dPIDcazKGjUqpalh

- Link: hxxps://docs.google[.]com/document/d/e/2PACX-1vToBIzhSVxmQLHqUK7cC7uWqMvN2qsBzVifLoYP3BytPdSvmz6VmiMxBpzji7exwqi0_HqRviBw1Fe9/pub

- Link from Google Docs page: hxxps://www.google[.]com/url?q=hxxps://novopedido.camaleaocamisas.com[.]br/go.php&sa=D&ust=1603827914352000&usg=AOvVaw2jxyjn1CgNz702y4Mms6Ab

- Link: hxxps://docs.google[.]com/document/d/e/2PACX-1vQoeG8-nJekDDIKFmTvrZ8iTfZoA2jul57ug0iaPDnORepcuAIROu_kuzfiJcNQ8uIbFYGZeCFZUuOq/pub

- Link from Google Docs page: hxxps://www.google[.]com/url?q=hxxps://numbayfoundation[.]org/put.php&sa=D&ust=1603829390319000&usg=AOvVaw1yTW0oM-3VfNn8LyRM4-_6

HANCITOR TRAFFIC CAUSED BY SPREADSHEET MACRO:

- 8.209.127[.]167 port 80 - oreillyautolawsuit[.]com - GET /x.png
- port 80 - api.ipify.org - GET /
- 95.216.151[.]81 port 80 - ziverbsel[.]com - POST /7/forum.php

FOLLOW-UP MALWARE REQUEST FOR COBALT STRIKE (DID NOT RUN ON MY LAB HOST):

- 69.30.232[.]138 port 80 - 69.30.232[.]138 - GET /download/138.exe

TRAFFIC FOR FOLLOW-UP MALWARE:

- 8.209.127[.]167 port 80 - oreillyautolawsuit[.]com - GET /f3.exe
- port 80 - api.ipify.org - GET /?format=xml
- 5.63.155[.]126 port 80 - functionalrejh[.]com - TCP traffic over port 80 (not HTTP)

MALWARE:

- SHA256 hash: 7c9eb9658a1782702301ed2c943c9f59f45c0ac2ffb7fb3e0da8ed6036f752a2
- File size: 290,944 bytes
- File name: comp_4389.xlsb
- File description: XLSX file with macros for Hancitor

- SHA256 hash: c3e21f7b2bfc3da5e77b37f6556fb985e4402551bac45636a7488664e67d477f
- File size: 689,496 bytes
- File location: hxxp://oreillyautolawsuit[.]com/x.png
- File location: C:\Users\[username]\WinHost32.exe
- File description: EXE file for Hancitor

- SHA256 hash: 3b547e3bd5f3040c824ea497f265bf355483cce29c4e059d16e04fba20325498
- File size: 689,496 bytes
- File location: hxxp://oreillyautolawsuit[.]com/f3.exe
- File location: C:\Users\[username]\AppData\Local\Temp\BN6E83.tmp
- File description: unidentified info-stealer (comms with functionalrejh.com)

- SHA256 hash: 53c9abf3e3d86b1d9d633aff273a70f11e83858d3fdb362108395f170bcdebc4
- File location: hxxp://69.30.232[.]138/download/138.exe
- File description: EXE file for Cobalt Strike

- SHA256 hash: dc021a0ca0bb3f66d54d15d2b236422c0b90399ea762c7d7aa6d727b9bd5b46c
- File size: 274,958 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\SU7096.tmp
- File description: unidentified info-stealer (comms with functionalrejh.com) - same hash seen during last week's Hancitor infection

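As an added defender-side example (not part of the original paste), the following Python script embeds the network indicators and SHA256 hashes listed above and correlates them over a few constructed proxy-log lines, so a host that shows the full Hancitor sequence (payload download, public-IP lookup, C2 check-in) is separated from a host that only did an api.ipify.org lookup. The log layout, the per-client scoring rule, and the generalization of the check-in URI from the observed /7/forum.php to any /<digits>/forum.php are assumptions made for this example, not statements from the paste.

```python
import re
from collections import defaultdict

# Network indicators taken from the paste above, with the defanging brackets removed so they match.
PAYLOAD_HOSTS = {"oreillyautolawsuit.com"}
PAYLOAD_PATHS = {"/x.png", "/f3.exe"}
HANCITOR_C2_HOSTS = {"ziverbsel.com"}
FOLLOWUP_HOSTS = {"69.30.232.138", "functionalrejh.com"}
IP_LOOKUP_HOST = "api.ipify.org"
# The paste shows POST /7/forum.php; accepting any /<digits>/forum.php is an assumption
# (a generalization made for this example), not something the paste states.
C2_URI = re.compile(r"^/\d+/forum\.php$")

# SHA256 hashes from the MALWARE section of the paste.
KNOWN_HASHES = {
    "7c9eb9658a1782702301ed2c943c9f59f45c0ac2ffb7fb3e0da8ed6036f752a2": "Hancitor macro spreadsheet (comp_4389.xlsb)",
    "c3e21f7b2bfc3da5e77b37f6556fb985e4402551bac45636a7488664e67d477f": "Hancitor EXE (x.png / WinHost32.exe)",
    "3b547e3bd5f3040c824ea497f265bf355483cce29c4e059d16e04fba20325498": "unidentified info-stealer (f3.exe)",
    "53c9abf3e3d86b1d9d633aff273a70f11e83858d3fdb362108395f170bcdebc4": "Cobalt Strike EXE (138.exe)",
    "dc021a0ca0bb3f66d54d15d2b236422c0b90399ea762c7d7aa6d727b9bd5b46c": "unidentified info-stealer (SU7096.tmp)",
}

# Assumed proxy-log layout for this example: "<timestamp> <client_ip> <METHOD> <host> <uri>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>GET|POST)\s+(?P<host>\S+)\s+(?P<uri>\S+)$")


def parse_line(line):
    """Parse one proxy-log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Label one request with the indicator it matches, or None if it matches nothing."""
    host, uri, method = rec["host"].lower(), rec["uri"], rec["method"]
    if host in PAYLOAD_HOSTS and uri in PAYLOAD_PATHS:
        return "hancitor_payload_download"
    if host in HANCITOR_C2_HOSTS and method == "POST" and C2_URI.match(uri):
        return "hancitor_c2_checkin"
    if host in FOLLOWUP_HOSTS:
        return "followup_malware_traffic"
    if host == IP_LOOKUP_HOST:
        # Public-IP lookups are common in benign software; only meaningful when correlated.
        return "external_ip_lookup"
    return None


def assess(lines):
    """Correlate indicator hits per client IP; return a verdict for every client that hit anything."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits[rec["src"]].add(label)
    verdicts = {}
    for src, labels in hits.items():
        if "hancitor_c2_checkin" in labels or {"hancitor_payload_download", "external_ip_lookup"} <= labels:
            verdicts[src] = "infected"
        elif labels == {"external_ip_lookup"}:
            verdicts[src] = "ip_lookup_only"
        else:
            verdicts[src] = "suspicious"
    return verdicts


def lookup_hash(sha256):
    """Return the paste's description for a known SHA256 (case-insensitive), or None."""
    return KNOWN_HASHES.get(sha256.lower())


# Constructed sample log lines (not captured traffic) mirroring the request sequence in the paste.
SAMPLE_LOG = [
    "2020-10-27T14:01:02Z 10.0.0.5 GET oreillyautolawsuit.com /x.png",
    "2020-10-27T14:01:05Z 10.0.0.5 GET api.ipify.org /",
    "2020-10-27T14:01:06Z 10.0.0.5 POST ziverbsel.com /7/forum.php",
    "2020-10-27T14:01:20Z 10.0.0.5 GET oreillyautolawsuit.com /f3.exe",
    "2020-10-27T14:02:11Z 10.0.0.9 GET api.ipify.org /?format=xml",
    "2020-10-27T14:03:40Z 10.0.0.7 GET 69.30.232.138 /download/138.exe",
    "2020-10-27T14:04:00Z 10.0.0.8 GET www.example.com /index.html",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for src, verdict in sorted(assess(SAMPLE_LOG).items()):
        print(f"{src}: {verdict}")
```

The ip-lookup verdict is kept separate on purpose: api.ipify.org alone is not evidence of Hancitor, and a rule that fires on it by itself would page on ordinary software. The "suspicious" bucket catches a client that reached the Cobalt Strike download host or the info-stealer C2 without the rest of the chain being visible in the log, which is the case worth a manual look.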