Malspam Leads to Hancitor, Downloads pm.dll (Pony) and inst.exe (Vawtrak)

IOCs:

  • 77.246.149.178 – ledintutat[.]com/ls5/gate.php – Hancitor C2
  • 81.169.145.93 – e-kite[.]biz/wp-admin/includes/pm.dll – GET for Pony
  • 77.246.149.178 – ledintutat[.]com/zapoy/gate.php – Pony C2
  • 104.31.87.182 – geadent[.]ro/wp-admin/inst.exe – GET for Vawtrak
  • 185.75.46.13 – SSL Blacklist Malicious SSL Certificate Detected (Vawtrak CnC)

Traffic:

[Screenshot: traffic capture]

IDS Events:

[Screenshot: IDS events]

Hashes:

SHA256: d84b585409fb4f538cde666cefc7980ba3a927dc292dfb391bdcd8765d4ce0c8
File name: contract_54262.doc

SHA256: 420b028db779bdee1355b568fd1757a579505df41a1f3f620954a34d2b49a926
File name: hancitor.dll

SHA256: 903345e2ccc6c0045de61d40c4c85dad625274b0cc7a4fc4e0c3813811e44495
File name: pm.dll

SHA256: 8aa3b69e95fdde655a29a889fcb6710b6ef23936a0762961aabc0d00e19e4e26
File name: BNC967.tmp.exe and DekJanv.exe

Infection Chain:

The user received this email from eva@gkinjurylaw.com:

[Screenshot: phishing email]

The subject of the email is “legally binding contract” and it carries a .doc attachment called “contract_54262.doc”. The email purports to come from somebody at Gullixson and Kennedy LLP. The threat actors rely on social engineering to get the user to open the attachment; they even threaten legal action if nothing is done within 48 hours.

The user would then open the attachment (contract_54262.doc) and be presented with this:

[Screenshot: attached document]

The user is then social-engineered once more: the document tells them that they must click “Enable Editing” and then “Enable Content”. Once they do, the document’s macro loads Hancitor, which checks in with its C2 at ledintutat[.]com/ls5/gate.php and is told which payloads to fetch. The host then makes GET requests for pm.dll (Pony) and inst.exe (Vawtrak, written to disk as BNC967.tmp.exe).

Here you can see the GET request for pm.dll, followed by some interesting strings in the TCP stream, including the hard-coded C2s (circled in red):

[Screenshots: GET for pm.dll; TCP stream for pm.dll]

Here is the GET for the Vawtrak payload:

[Screenshots: GET for Vawtrak payload (two views)]

Here are some pictures of the payload dropped on the system as well as a registry key created for persistence:

Here we can see Vawtrak C2 traffic to 185.75.46.13, using a TLS certificate with id-at-commonName=jmfbrtbsmth.com:

[Screenshot: malicious SSL certificate]

I would recommend blocking all the IPs listed at the top of this blog post. Also, I want to give a shout-out to @Techhelplistcom, who first uploaded these files to VT. He does great work! You can see a summary of his comments below (I’ve included all the additional IOCs he found), or you can click on the hash links above to see them for yourself:

Hancitor in .doc and injected to memory by .doc
Hancitor C2s:
verdimamuch[.]ru/ls5/gate.php
hoevenginuse[.]ru/ls5/gate.php

Pony Downloaded via Hancitor C2 Instructions:
geadent[.]ro/wp-admin/pm.dll
aydinlargergitavan[.]com/wp-content/themes/CherryFramework/pm.dll

Pony C2s:
verdimamuch[.]ru/zapoy/gate.php
hoevenginuse[.]ru/zapoy/gate.php

Vawtrak C2s:
hxxps://mesucnufd[.]com/index.php
hxxp://188.127.237.120/module/
mesucnufd[.]com resolves to 46.105.218.106

hxxps://taryaznl[.]ru/index.php
hxxp://46.105.218.106/module/
taryaznl[.]ru resolves to 185.75.46.13

Also, be sure to check out his blog at https://techhelplist.com/spam-list.
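To turn the indicators above (my IOC list plus the extra Hancitor/Pony/Vawtrak C2 domains from @Techhelplistcom’s VT comments) into something you can run against proxy logs, here is an added example. It is not from the original post or from any of the tools mentioned; the log format, the timestamps and the 10.0.0.15 client are constructed, and the IPs and URLs are the ones documented above. It flags the gate.php check-in paths even when they appear on a host not yet in the list, since the /ls5/gate.php and /zapoy/gate.php URIs are what stayed constant across the different C2 domains seen here.

```python
import re
from urllib.parse import urlparse


def refang(host):
    """Turn a defanged hostname like example[.]com back into example.com."""
    return host.replace("[.]", ".")


# Indicators from the post (IP list at the top plus the C2 domains from the
# @Techhelplistcom VT comments). Hostnames are stored defanged and refanged here.
IOC_IPS = {
    "77.246.149.178",   # ledintutat[.]com: Hancitor and Pony gate.php C2
    "81.169.145.93",    # e-kite[.]biz: Pony (pm.dll) download
    "104.31.87.182",    # geadent[.]ro: Vawtrak (inst.exe) download
    "185.75.46.13",     # Vawtrak CnC (SSL Blacklist hit, CN jmfbrtbsmth.com)
    "46.105.218.106",   # mesucnufd[.]com / Vawtrak module server
    "188.127.237.120",  # Vawtrak module server
}
IOC_HOSTS = {refang(h) for h in (
    "ledintutat[.]com", "verdimamuch[.]ru", "hoevenginuse[.]ru",   # gate.php C2s
    "e-kite[.]biz", "geadent[.]ro", "aydinlargergitavan[.]com",  # payload hosts
    "mesucnufd[.]com", "taryaznl[.]ru", "jmfbrtbsmth[.]com",      # Vawtrak C2
)}

# URI patterns that survive a change of hosting domain; first match wins.
URI_PATTERNS = (
    (re.compile(r"/ls5/gate\.php$"),   "hancitor-c2"),
    (re.compile(r"/zapoy/gate\.php$"), "pony-c2"),
    (re.compile(r"/pm\.dll$"),         "pony-download"),
    (re.compile(r"/inst\.exe$"),       "vawtrak-download"),
    (re.compile(r"^/module/"),         "vawtrak-module"),
)


def classify(url, dst_ip):
    """Return a label for a request that matches this campaign, or None.

    A known URI pattern on a known host/IP is a high-confidence hit; the same
    path on an unknown host is still reported, at medium confidence, because
    the operators rotated domains while keeping the gate.php paths.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    known = host in IOC_HOSTS or dst_ip in IOC_IPS
    for pattern, label in URI_PATTERNS:
        if pattern.search(parsed.path):
            return f"{label} ({'high' if known else 'medium'})"
    if known:
        return "ioc-host-contact (high)"
    return None


# Simplified "timestamp src dst method url" proxy-log line (constructed format).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def scan_log(lines):
    """Return (line_number, client_ip, label) for every matching log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue          # skip lines that do not parse rather than crash
        label = classify(m["url"], m["dst"])
        if label:
            hits.append((n, m["src"], label))
    return hits


# Constructed sample log: the URLs and server IPs are the ones from the post,
# the client address and timestamps are made up. Line 5 shows the gate.php path
# on a host not in the list; line 6 is benign traffic.
SAMPLE_LOG = """\
2016-03-01T12:00:01 10.0.0.15 77.246.149.178 POST http://ledintutat.com/ls5/gate.php
2016-03-01T12:00:03 10.0.0.15 81.169.145.93 GET http://e-kite.biz/wp-admin/includes/pm.dll
2016-03-01T12:00:05 10.0.0.15 77.246.149.178 POST http://ledintutat.com/zapoy/gate.php
2016-03-01T12:00:07 10.0.0.15 104.31.87.182 GET http://geadent.ro/wp-admin/inst.exe
2016-03-01T12:00:09 10.0.0.15 203.0.113.9 POST http://some-other-host.example/ls5/gate.php
2016-03-01T12:00:11 10.0.0.15 93.184.216.34 GET http://www.example.com/index.html
""".splitlines()

if __name__ == "__main__":
    for n, src, label in scan_log(SAMPLE_LOG):
        print(f"line {n}: {src} -> {label}")
```

Point `scan_log` at real proxy or Bro/Zeek http.log lines by adjusting `LOG_RE` to your own field layout; the classification logic does not depend on the log format. Treat the medium-confidence hits as hunting leads rather than block decisions, and add any new gate.php hosts they surface to `IOC_HOSTS`.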

malwarebreakdown
