2020-07-16 - Hancitor infection with an info-stealer

1. 2020-07-16 - HANCITOR INFECTION WITH SOME SORT OF INFO-STEALER
2.  
3. NOTE:
4.  
5. - I'm not sure what the follow-up malware is in this case.
6.  
7. REFERENCES:
8.  
9. - https://twitter.com/malware_traffic/status/1283834025866661888
10. - https://twitter.com/nazywam/status/1283837862123896835
11. - https://www.malware-traffic-analysis.net/2020/07/16/index.html
12.  
13. 6 EXAMPLES OF URLS FROM HANCITOR MALSPAM FOR THE XLS FILE:
14.  
15. - hxxp://ajthompsontrucking[.]com/p/rgbchr.php
16. - hxxp://demox2.egitek.com[.]tr/cgialfa/russell_jerry.php
17. - hxxp://devranga-001-site3.atempurl[.]com/n47wde/rrjensen1.php
18. - hxxp://dunafacility[.]partners/wp-includes/tannerbaum.php
19. - hxxp://thevietnamwarshow[.]com/cgi-bin/ridk42.php
20. - hxxp://www.tfuller[.]cn/css/sbergsgaard.php
21.  
22. 6 EXAMPLES OF THE HANCITOR XLS FILE:
23.  
24. - 2a2caf9fb121bc09e56f0564f4fe5c790bd9bb9a2982acba8aebf543f954043e inv_0.xls
25. - c93661fefcbd97fa5d66aa7e6bb6d8274b84f29e7cdbcb95988fe2a04ce5fa0f inv_1.xls
26. - 2c53e8ab0d8eadb0901e3b0aa0646dc8f9d856b23c74dd2163b51e379391538e inv_3.xls
27. - 936b5a6fc8f31cf4b5e910388cf3612d5058b3d662a56216e3574bcc140392e3 inv_4.xls
28. - a4c76c4969af9211c5ae6e6d0942971b0b7b4e0fb2a4b47e45e77231ea22a5ab inv_8.xls
29. - 4f8696a9fa832771c2e0a561ec5b12e0bde3f0afeda049c7e53ffc1b56e7bb09 inv_9.xls
30.  
31. HANCITOR DLL:
32.  
33. - SHA256 hash: e892e7f5b3919e1c3d92ee26e7b4313e753cad797e3397138a1ccef2b1289b1d
34. - File size: 395,264 bytes
35. - File location: hxxp://ebaaacq[.]com/8778234.dll
36. - File location: C:\Users\[username]\Documents\CztMJfC.ocx
37. - File description: Hancitor DLL retrieved by XLS macros
38. - File run method: regsvr32.exe /s /i [filename]
39.  
40. FOLLOW-UP MALWARE:
41.  
42. - SHA256 hash: b60f00c8d27d8282118e085eb407d706388186487ff014b1dcf238efe1ed940f
43. - File size: 1,126,912 bytes
44. - File location: hxxp://partybusnetwork[.]com/wp-content/plugins/rotating-images/4
45. - File location: C:\Users\[username]\AppData\Local\Temp\BN1234.tmp
46. - File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
47. - File description: Follow-up malware (don't know what this is, seems to be an info-stealer)
48. - File name: BN1234.tmp but having random Hexadecimal ASCII numbers for the 1234
49. - File note: URL ending in /4 returned encoded/encrypted data used to create file on victim host
50.  
51. C2 TRAFFIC FROM HANCITOR DLL:
52.  
53. - vootingzel[.]com - GET /4/forum.php
54. - theaterpunti[.]ru - GET /4/forum.php
55. - persuaddek[.]ru - GET /4/forum.php
56.  
57. - NOTE: Thanks to @nazywam for the above info!
58.  
59. HANCITOR INFECTION TRAFFIC:
60.  
61. - 185.61.153[.]123 port 80 - dunafacility[.]partners - GET /wp-includes/tannerbaum.php
62. - 80.249.144[.]108 port 80 - ebaaacq[.]com - GET /8778234.dll
63. - port 80 - api.ipify[.]org - GET /
64. - 31.184.249[.]180 port 80 - vootingzel[.]com - attempted TCP connections, but no response from server
65. - 82.148.31[.]55 port 80 - theaterpunti[.]ru - POST /4/forum.php
66. - 82.148.31.55 port 80 - theaterpunti[.]ru - POST /d2/about.php
67. - 192.254.228[.]42 port 80 - partybusnetwork[.]com - GET /wp-content/plugins/rotating-images/2
68. - 192.254.228[.]42 port 80 - partybusnetwork[.]com - GET /wp-content/plugins/rotating-images/4
69.  
70. TRAFFIC CAUSED BY FOLLOW-UP MALWARE:
71.  
72. - port 80 - ip-api[.]com - GET /xml
73. - port 80 - ip-api[.]com - GET /line/?fields=hosting
74. - 31.216.147.134 port 443 - g.api.mega.co[.]nz - HTTPS traffic
75. - port 443 - api.ipify[.]org - HTTPS traffic
76. - 31.216.144.77 port 80 - gfs270n067.userstorage.mega.co[.]nz - POST /ul/[base64-like string]/0
77. - 31.216.144.77 port 80 - gfs270n067.userstorage.mega.co[.]nz - POST /ul/[base64-like string]/1310720