{ "Event": { "analysis": "2", "date": "2016-05-16", "extends_uuid": "", "info": "OSINT - Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck", "publish_timestamp": "1463399938", "published": true, "threat_level_id": "3", "timestamp": "1463399905", "uuid": "5739b34f-01ac-4e80-a403-4a1502de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#004646", "name": "type:OSINT" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1463399298", "to_ids": false, "type": "link", "uuid": "5739b382-e464-4c58-bf66-44c302de0b81", "value": "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1463399319", "to_ids": false, "type": "comment", "uuid": "5739b397-f144-48c0-a8a7-472d02de0b81", "value": "Proofpoint researchers have recently observed the re-emergence of two malware downloaders that had largely disappeared for several months. Hancitor (also known as Tordal and Chanitor) and Ruckguv have reappeared in campaigns distributing Pony and Vawtrak with significant updates and increased functionality. We have also been tracking an actor experimenting with various loaders, providing insights into these evolving components of malware ecosystems." }, { "category": "Network activity", "comment": "Ruckguv downloading Pony", "deleted": false, "disable_correlation": false, "timestamp": "1463399382", "to_ids": true, "type": "url", "uuid": "5739b3d6-068c-42fb-83f4-4b0c02de0b81", "value": "http://logimax.net.in/ii.exe" }, { "category": "Network activity", "comment": "Ruckguv downloading Pony", "deleted": false, "disable_correlation": false, "timestamp": "1463399382", "to_ids": true, "type": "url", "uuid": "5739b3d6-0940-4787-9571-44b502de0b81", "value": "http://tourjacket.me/ii.exe" }, { "category": "Network activity", "comment": "Ruckguv downloading Pony", "deleted": false, "disable_correlation": false, "timestamp": "1463399382", "to_ids": true, "type": "url", "uuid": "5739b3d6-cd9c-4e5f-b332-473502de0b81", "value": "http://urbanrecreation.eu/ii.exe" }, { "category": "Network activity", "comment": "Ruckguv downloading Pony", "deleted": false, "disable_correlation": false, "timestamp": "1463399383", "to_ids": true, "type": "url", "uuid": "5739b3d7-b578-440d-9e5c-4db202de0b81", "value": "http://tantrix.com.tr/pm.dll" }, { "category": "Network activity", "comment": "Ruckguv downloading Pony", "deleted": false, "disable_correlation": false, "timestamp": "1463399383", "to_ids": true, "type": "url", "uuid": "5739b3d7-6b0c-47db-a983-4bb302de0b81", "value": "http://therapeutica.com.br/pm.dll" }, { "category": "Network activity", "comment": "Hancitor C2", "deleted": false, "disable_correlation": false, "timestamp": "1463399429", "to_ids": true, "type": "url", "uuid": "5739b405-8604-4bb7-b7bc-4e6b02de0b81", "value": "http://hadfanawass.com/sl/gate.php" }, { "category": "Network activity", "comment": "Hancitor C2", "deleted": false, "disable_correlation": false, "timestamp": "1463399430", "to_ids": true, "type": "url", "uuid": "5739b406-b970-4bb2-afc1-416902de0b81", "value": "http://rophenreswi.ru/sl/gate.php" }, { "category": "Network activity", "comment": "Hancitor C2", "deleted": false, "disable_correlation": false, "timestamp": "1463399430", "to_ids": true, "type": "url", "uuid": "5739b406-cbe4-490c-b81a-451502de0b81", "value": "http://mihesfitons.ru/sl/gate.php" }, { "category": "Network activity", "comment": "Hancitor C2", "deleted": false, "disable_correlation": false, "timestamp": "1463399430", "to_ids": true, "type": "url", "uuid": "5739b406-498c-44f0-94cd-481202de0b81", "value": "https://krrewiaog3u4npcg.onion.to/sl/gate.php" }, { "category": "Network activity", "comment": "Hancitor downloading Pony", "deleted": false, "disable_correlation": false, "timestamp": "1463399562", "to_ids": true, "type": "url", "uuid": "5739b48a-5510-41e1-952a-4fc402de0b81", "value": "http://quoapps.es/pm.dll" }, { "category": "Network activity", "comment": "Hancitor downloading Pony", "deleted": false, "disable_correlation": false, "timestamp": "1463399562", "to_ids": true, "type": "url", "uuid": "5739b48a-1098-4ba4-a3f6-4c0d02de0b81", "value": "http://posturepals.es/inst1.exe" }, { "category": "Payload delivery", "comment": "Document that dropped Ruckguv on May 4", "deleted": false, "disable_correlation": false, "timestamp": "1463399733", "to_ids": true, "type": "sha256", "uuid": "5739b535-745c-4fa5-b5d3-445202de0b81", "value": "b1ba251cf4f494a00ff0d64a50004d839928dac816afb81c33af51622baf2c12" }, { "category": "Payload delivery", "comment": "Ruckguv", "deleted": false, "disable_correlation": false, "timestamp": "1463399733", "to_ids": true, "type": "sha256", "uuid": "5739b535-3bb0-45bc-b8fc-4ebb02de0b81", "value": "0b6e868c196c7ad80fac72a7d02159cfa4f72ad657604cd3e5eb03c796df01ba" }, { "category": "Payload delivery", "comment": "Pony (Ruckguv module)", "deleted": false, "disable_correlation": false, "timestamp": "1463399733", "to_ids": true, "type": "sha256", "uuid": "5739b535-28d8-47c7-be75-4af502de0b81", "value": "2ccebf5fee30073e849895c6e43f6519017f226281c80177d72febcfbaf1f0d3" }, { "category": "Payload delivery", "comment": "Vawtrak (Ruckguv payload)", "deleted": false, "disable_correlation": false, "timestamp": "1463399733", "to_ids": true, "type": "sha256", "uuid": "5739b535-968c-4cd1-b88f-406402de0b81", "value": "9b11304e4362a8fbe2ee91d8e31d7ae5774019aaeef9240c6878da78bdf0bfa9" }, { "category": "Payload delivery", "comment": "Document that dropped Hancitor on April 28", "deleted": false, "disable_correlation": false, "timestamp": "1463399838", "to_ids": true, "type": "sha256", "uuid": "5739b59e-fbc4-4aca-9af5-4ee902de0b81", "value": "9b3fa5dc3b340e0df08d26dd53cd3aa83212950b2d41cf1b1e5a6dd1acd0e4df" }, { "category": "Payload delivery", "comment": "Hancitor", "deleted": false, "disable_correlation": false, "timestamp": "1463399838", "to_ids": true, "type": "sha256", "uuid": "5739b59e-0b48-44e9-a8aa-406d02de0b81", "value": "5ec4ba1a97500e664af6896f4c02846ca6777e671bb600103dc8d49224e38f48" }, { "category": "Payload delivery", "comment": "Pony (Hancitor module)", "deleted": false, "disable_correlation": false, "timestamp": "1463399839", "to_ids": true, "type": "sha256", "uuid": "5739b59f-3eec-4b2c-b62f-499702de0b81", "value": "b19ec186f59b1f72c768ed2fcd8344d75821e527870b71e8123db96f683f1b68" }, { "category": "Payload delivery", "comment": "Vawtrak (Hancitor payload)", "deleted": false, "disable_correlation": false, "timestamp": "1463399839", "to_ids": true, "type": "sha256", "uuid": "5739b59f-9be8-43b9-8654-4dd902de0b81", "value": "ec9a14f442bbb549388c7a36f8f221fab4f8d3578540ad528f9cb12d35e73fa5" }, { "category": "Payload delivery", "comment": "Vawtrak (Hancitor payload) - Xchecked via VT: ec9a14f442bbb549388c7a36f8f221fab4f8d3578540ad528f9cb12d35e73fa5", "deleted": false, "disable_correlation": false, "timestamp": "1463399905", "to_ids": true, "type": "sha1", "uuid": "5739b5e1-872c-459b-9c96-454e02de0b81", "value": "a35698fe9ef3c6215f50c06d3ef398e5bdeb8c6f" }, { "category": "Payload delivery", "comment": "Vawtrak (Hancitor payload) - Xchecked via VT: ec9a14f442bbb549388c7a36f8f221fab4f8d3578540ad528f9cb12d35e73fa5", "deleted": false, "disable_correlation": false, "timestamp": "1463399905", "to_ids": true, "type": "md5", "uuid": "5739b5e1-99c4-4e19-8650-4d0b02de0b81", "value": "68793f7cc760048ba97eb1cc97252461" }, { "category": "External analysis", "comment": "Vawtrak (Hancitor payload) - Xchecked via VT: ec9a14f442bbb549388c7a36f8f221fab4f8d3578540ad528f9cb12d35e73fa5", "deleted": false, "disable_correlation": false, "timestamp": "1463399905", "to_ids": false, "type": "link", "uuid": "5739b5e1-9d14-482a-bb1f-455f02de0b81", "value": "https://www.virustotal.com/file/ec9a14f442bbb549388c7a36f8f221fab4f8d3578540ad528f9cb12d35e73fa5/analysis/1462606723/" }, { "category": "Payload delivery", "comment": "Pony (Hancitor module) - Xchecked via VT: b19ec186f59b1f72c768ed2fcd8344d75821e527870b71e8123db96f683f1b68", "deleted": false, "disable_correlation": false, "timestamp": "1463399905", "to_ids": true, "type": "sha1", "uuid": "5739b5e1-6710-4847-ba02-4d3a02de0b81", "value": "3a7ad22bb6f4953c7bbcaec85680c6a9be03af46" }, { "category": "Payload delivery", "comment": "Pony (Hancitor module) - Xchecked via VT: b19ec186f59b1f72c768ed2fcd8344d75821e527870b71e8123db96f683f1b68", "deleted": false, "disable_correlation": false, "timestamp": "1463399905", "to_ids": true, "type": "md5", "uuid": "5739b5e1-06e0-4766-930e-4f2802de0b81", "value": "21eb66fd849c57ce2c69e3e1ad1b064c" }, { "category": "External analysis", "comment": "Pony (Hancitor module) - Xchecked via VT: b19ec186f59b1f72c768ed2fcd8344d75821e527870b71e8123db96f683f1b68", "deleted": false, "disable_correlation": false, "timestamp": "1463399906", "to_ids": false, "type": "link", "uuid": "5739b5e2-97e8-4de1-af00-42ab02de0b81", "value": "https://www.virustotal.com/file/b19ec186f59b1f72c768ed2fcd8344d75821e527870b71e8123db96f683f1b68/analysis/1463121357/" }, { "category": "Payload delivery", "comment": "Hancitor - Xchecked via VT: 5ec4ba1a97500e664af6896f4c02846ca6777e671bb600103dc8d49224e38f48", "deleted": false, "disable_correlation": false, "timestamp": "1463399906", "to_ids": true, "type": "sha1", "uuid": "5739b5e2-b92c-4d17-adaa-456502de0b81", "value": "dbb61c1e21440dd671eeb76576aa293ae1ef117c" }, { "category": "Payload delivery", "comment": "Hancitor - Xchecked via VT: 5ec4ba1a97500e664af6896f4c02846ca6777e671bb600103dc8d49224e38f48", "deleted": false, "disable_correlation": false, "timestamp": "1463399906", "to_ids": true, "type": "md5", "uuid": "5739b5e2-53d4-4158-99c8-491002de0b81", "value": "2c1e65962b41bcd1ffef977870f083fa" }, { "category": "External analysis", "comment": "Hancitor - Xchecked via VT: 5ec4ba1a97500e664af6896f4c02846ca6777e671bb600103dc8d49224e38f48", "deleted": false, "disable_correlation": false, "timestamp": "1463399906", "to_ids": false, "type": "link", "uuid": "5739b5e2-d658-4689-9c2b-4bae02de0b81", "value": "https://www.virustotal.com/file/5ec4ba1a97500e664af6896f4c02846ca6777e671bb600103dc8d49224e38f48/analysis/1463383176/" }, { "category": "Payload delivery", "comment": "Document that dropped Hancitor on April 28 - Xchecked via VT: 9b3fa5dc3b340e0df08d26dd53cd3aa83212950b2d41cf1b1e5a6dd1acd0e4df", "deleted": false, "disable_correlation": false, "timestamp": "1463399906", "to_ids": true, "type": "sha1", "uuid": "5739b5e2-37c0-467d-bf51-49f102de0b81", "value": "64d8f9d5c127a53c124ba4aef48662cbf3919ea6" }, { "category": "Payload delivery", "comment": "Document that dropped Hancitor on April 28 - Xchecked via VT: 9b3fa5dc3b340e0df08d26dd53cd3aa83212950b2d41cf1b1e5a6dd1acd0e4df", "deleted": false, "disable_correlation": false, "timestamp": "1463399907", "to_ids": true, "type": "md5", "uuid": "5739b5e3-8d3c-433c-9a2d-46bd02de0b81", "value": "50be8add4e5a01175808893af56468bd" }, { "category": "External analysis", "comment": "Document that dropped Hancitor on April 28 - Xchecked via VT: 9b3fa5dc3b340e0df08d26dd53cd3aa83212950b2d41cf1b1e5a6dd1acd0e4df", "deleted": false, "disable_correlation": false, "timestamp": "1463399907", "to_ids": false, "type": "link", "uuid": "5739b5e3-c674-487a-acf4-4f1e02de0b81", "value": "https://www.virustotal.com/file/9b3fa5dc3b340e0df08d26dd53cd3aa83212950b2d41cf1b1e5a6dd1acd0e4df/analysis/1462606671/" }, { "category": "Payload delivery", "comment": "Vawtrak (Ruckguv payload) - Xchecked via VT: 9b11304e4362a8fbe2ee91d8e31d7ae5774019aaeef9240c6878da78bdf0bfa9", "deleted": false, "disable_correlation": false, "timestamp": "1463399907", "to_ids": true, "type": "sha1", "uuid": "5739b5e3-e9ac-441e-9069-4b2502de0b81", "value": "375133988496954a4e59083f4e8510a26ab394e3" }, { "category": "Payload delivery", "comment": "Vawtrak (Ruckguv payload) - Xchecked via VT: 9b11304e4362a8fbe2ee91d8e31d7ae5774019aaeef9240c6878da78bdf0bfa9", "deleted": false, "disable_correlation": false, "timestamp": "1463399907", "to_ids": true, "type": "md5", "uuid": "5739b5e3-b1c8-40b6-8794-485802de0b81", "value": "8dc5fd222426538698ab5b7975ada717" }, { "category": "External analysis", "comment": "Vawtrak (Ruckguv payload) - Xchecked via VT: 9b11304e4362a8fbe2ee91d8e31d7ae5774019aaeef9240c6878da78bdf0bfa9", "deleted": false, "disable_correlation": false, "timestamp": "1463399907", "to_ids": false, "type": "link", "uuid": "5739b5e3-a94c-4d1b-8d86-4f5002de0b81", "value": "https://www.virustotal.com/file/9b11304e4362a8fbe2ee91d8e31d7ae5774019aaeef9240c6878da78bdf0bfa9/analysis/1463212109/" }, { "category": "Payload delivery", "comment": "Pony (Ruckguv module) - Xchecked via VT: 2ccebf5fee30073e849895c6e43f6519017f226281c80177d72febcfbaf1f0d3", "deleted": false, "disable_correlation": false, "timestamp": "1463399908", "to_ids": true, "type": "sha1", "uuid": "5739b5e4-3590-4015-a1de-4a0e02de0b81", "value": "e5884dbd7b4504a95f7fe0c6db1b2f62b3cb96d2" }, { "category": "Payload delivery", "comment": "Pony (Ruckguv module) - Xchecked via VT: 2ccebf5fee30073e849895c6e43f6519017f226281c80177d72febcfbaf1f0d3", "deleted": false, "disable_correlation": false, "timestamp": "1463399908", "to_ids": true, "type": "md5", "uuid": "5739b5e4-b2c0-4339-a778-48bb02de0b81", "value": "e7f103eacd306f9fa7484f3783ca40f0" }, { "category": "External analysis", "comment": "Pony (Ruckguv module) - Xchecked via VT: 2ccebf5fee30073e849895c6e43f6519017f226281c80177d72febcfbaf1f0d3", "deleted": false, "disable_correlation": false, "timestamp": "1463399908", "to_ids": false, "type": "link", "uuid": "5739b5e4-5af8-4ccc-bd61-496202de0b81", "value": "https://www.virustotal.com/file/2ccebf5fee30073e849895c6e43f6519017f226281c80177d72febcfbaf1f0d3/analysis/1463383601/" }, { "category": "Payload delivery", "comment": "Ruckguv - Xchecked via VT: 0b6e868c196c7ad80fac72a7d02159cfa4f72ad657604cd3e5eb03c796df01ba", "deleted": false, "disable_correlation": false, "timestamp": "1463399908", "to_ids": true, "type": "sha1", "uuid": "5739b5e4-3c40-40e7-84f7-474b02de0b81", "value": "d7895d3b24fb1e4e4d62361fcd365ca3062acf62" }, { "category": "Payload delivery", "comment": "Ruckguv - Xchecked via VT: 0b6e868c196c7ad80fac72a7d02159cfa4f72ad657604cd3e5eb03c796df01ba", "deleted": false, "disable_correlation": false, "timestamp": "1463399908", "to_ids": true, "type": "md5", "uuid": "5739b5e4-f720-4f41-8d10-46cb02de0b81", "value": "aebefd65569920aa7ae61171ebc65af6" }, { "category": "External analysis", "comment": "Ruckguv - Xchecked via VT: 0b6e868c196c7ad80fac72a7d02159cfa4f72ad657604cd3e5eb03c796df01ba", "deleted": false, "disable_correlation": false, "timestamp": "1463399908", "to_ids": false, "type": "link", "uuid": "5739b5e4-3f5c-4b59-aa26-4f1e02de0b81", "value": "https://www.virustotal.com/file/0b6e868c196c7ad80fac72a7d02159cfa4f72ad657604cd3e5eb03c796df01ba/analysis/1463383560/" } ] } }