malware_traffic

2020-07-16 - Hancitor infection with an info-stealer

Jul 16th, 2020
2020-07-16 - HANCITOR INFECTION WITH SOME SORT OF INFO-STEALER

NOTE:

- I'm not sure what the follow-up malware is in this case.

REFERENCES:

- https://twitter.com/malware_traffic/status/1283834025866661888
- https://twitter.com/nazywam/status/1283837862123896835
- https://www.malware-traffic-analysis.net/2020/07/16/index.html

6 EXAMPLES OF URLS FROM HANCITOR MALSPAM FOR THE XLS FILE:

- hxxp://ajthompsontrucking[.]com/p/rgbchr.php
- hxxp://demox2.egitek.com[.]tr/cgialfa/russell_jerry.php
- hxxp://devranga-001-site3.atempurl[.]com/n47wde/rrjensen1.php
- hxxp://dunafacility[.]partners/wp-includes/tannerbaum.php
- hxxp://thevietnamwarshow[.]com/cgi-bin/ridk42.php
- hxxp://www.tfuller[.]cn/css/sbergsgaard.php

6 EXAMPLES OF THE HANCITOR XLS FILE:

- 2a2caf9fb121bc09e56f0564f4fe5c790bd9bb9a2982acba8aebf543f954043e inv_0.xls
- c93661fefcbd97fa5d66aa7e6bb6d8274b84f29e7cdbcb95988fe2a04ce5fa0f inv_1.xls
- 2c53e8ab0d8eadb0901e3b0aa0646dc8f9d856b23c74dd2163b51e379391538e inv_3.xls
- 936b5a6fc8f31cf4b5e910388cf3612d5058b3d662a56216e3574bcc140392e3 inv_4.xls
- a4c76c4969af9211c5ae6e6d0942971b0b7b4e0fb2a4b47e45e77231ea22a5ab inv_8.xls
- 4f8696a9fa832771c2e0a561ec5b12e0bde3f0afeda049c7e53ffc1b56e7bb09 inv_9.xls

HANCITOR DLL:

- SHA256 hash: e892e7f5b3919e1c3d92ee26e7b4313e753cad797e3397138a1ccef2b1289b1d
- File size: 395,264 bytes
- File location: hxxp://ebaaacq[.]com/8778234.dll
- File location: C:\Users\[username]\Documents\CztMJfC.ocx
- File description: Hancitor DLL retrieved by XLS macros
- File run method: regsvr32.exe /s /i [filename]

FOLLOW-UP MALWARE:

- SHA256 hash: b60f00c8d27d8282118e085eb407d706388186487ff014b1dcf238efe1ed940f
- File size: 1,126,912 bytes
- File location: hxxp://partybusnetwork[.]com/wp-content/plugins/rotating-images/4
- File location: C:\Users\[username]\AppData\Local\Temp\BN1234.tmp
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Follow-up malware (don't know what this is, seems to be an info-stealer)
- File name: BN1234.tmp, where the "1234" is replaced by random hexadecimal ASCII digits
- File note: The URL ending in /4 returned encoded/encrypted data that was used to create the file on the victim host

C2 TRAFFIC FROM HANCITOR DLL:

- vootingzel[.]com - GET /4/forum.php
- theaterpunti[.]ru - GET /4/forum.php
- persuaddek[.]ru - GET /4/forum.php

- NOTE: Thanks to @nazywam for the above info!

HANCITOR INFECTION TRAFFIC:

- 185.61.153[.]123 port 80 - dunafacility[.]partners - GET /wp-includes/tannerbaum.php
- 80.249.144[.]108 port 80 - ebaaacq[.]com - GET /8778234.dll
- port 80 - api.ipify[.]org - GET /
- 31.184.249[.]180 port 80 - vootingzel[.]com - attempted TCP connections, but no response from server
- 82.148.31[.]55 port 80 - theaterpunti[.]ru - POST /4/forum.php
- 82.148.31[.]55 port 80 - theaterpunti[.]ru - POST /d2/about.php
- 192.254.228[.]42 port 80 - partybusnetwork[.]com - GET /wp-content/plugins/rotating-images/2
- 192.254.228[.]42 port 80 - partybusnetwork[.]com - GET /wp-content/plugins/rotating-images/4

TRAFFIC CAUSED BY FOLLOW-UP MALWARE:

- port 80 - ip-api[.]com - GET /xml
- port 80 - ip-api[.]com - GET /line/?fields=hosting
- 31.216.147[.]134 port 443 - g.api.mega.co[.]nz - HTTPS traffic
- port 443 - api.ipify[.]org - HTTPS traffic
- 31.216.144[.]77 port 80 - gfs270n067.userstorage.mega.co[.]nz - POST /ul/[base64-like string]/0
- 31.216.144[.]77 port 80 - gfs270n067.userstorage.mega.co[.]nz - POST /ul/[base64-like string]/1310720