Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- https://isc.sans.edu/forums/diary/Campaign+evolution+Hancitor+changes+its+Word+macros/24376
- h/t @malware_traffic
- Hancitor Bin (BUILD=03gre12):
- SHA256: ad783ca9c2bd4c9905b131d170c1dce5bad9de8b8c2d4607a8cd051021284df0
- https://cape.contextis.com/analysis/25398/
- // l -> Download and execute .EXE in separate thread (arg=1)
- {l:http://todoemergencias.cl/wp-includes/1|http://adm-architecture.com/adm/wp-includes/1|http://heargear.net/templates/1|http://rosegreenstein.com/wp-includes/customize/1|http://accidentalpodcast.com/wp-content/plugins/site-is-offline-plugin/1}
- // b -> Download and inject code into svchost.exe
- {b:http://todoemergencias.cl/wp-includes/2|http://adm-architecture.com/adm/wp-includes/2|http://heargear.net/templates/2|http://rosegreenstein.com/wp-includes/customize/2|http://accidentalpodcast.com/wp-content/plugins/site-is-offline-plugin/2}
- // r -> Download and execute .DLL or .EXE
- {r:http://todoemergencias.cl/wp-includes/3|http://adm-architecture.com/adm/wp-includes/3|http://heargear.net/templates/3|http://rosegreenstein.com/wp-includes/customize/3|http://accidentalpodcast.com/wp-content/plugins/site-is-offline-plugin/3}
- MD5 (2018-12-04.isfbv217.loader.decoded.vk.exe) = 94c524462cf4d756c37f641e4c8b835b
- Bot ['2.17']
- Build ['49']
- Botnet/Group ID ['200']
- DGA TLDs ['com', 'ru', 'org']
- Server [’550’]
- Encryption key ['Gwe9HMygngWe8kPK']
- DGA CRC ['0x4eb7d2ca']
- DGA Base URL ['constitution.org/usdeclar.txt']
- Domains ['api2.doter.at/webstore', 'beetfeetlife.bit/webstore', 'in.extremas.at/webstore', 'asx.zenjom.at/webstore', 'g2.ex100p.at/webstore', 'gif.doter.at/webstore', 'extra.avareg.cn/webstore', 'foo.avaregio.at/webstore', 'op.iowbased.at/webstore', 'ws.doter.at/webstore', 'f1.cnboal.at/webstore', 'xxx.doolop.at/webstore']
- Domains2 ['51.255.48.78', '8.8.8.8', '192.71.245.208', '178.17.170.179', '193.183.98.66', '207.148.83.241', '111.67.20.8', '103.236.162.119', '142.4.205.47', '213.136.85.253', '159.89.249.249', '82.196.9.45']
- Path: ['/webstore/']'
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement