2017-02-21 - HANCITOR MALSPAM

ASSOCIATED FILES:

  • 2017-02-21-Hancitor-malspam-traffic.pcap   (8,791,842 bytes)
  • 2017-02-21-Hancitor-malspam-1550-UTC.eml   (1,610 bytes)
  • BNACA3.tmp.exe   (246,784 bytes)
  • USPS_Notice_william.abedalrahman.doc   (172,032 bytes)

NOTES:

EMAIL

DESCRIPTION:


Shown above: Screenshot of the email.

EMAIL HEADERS:

TRAFFIC


Shown above: Traffic from the infection filtered in Wireshark.

INITIAL GET REQUEST FOR WORD DOCUMENT, CHECK-IN, AND FOLLOW-UP DOWNLOADS:

POST-INFECTION CHECK-IN:

IP ADDRESS CHECKS:

DOMAIN REQUESTS THAT RESOLVED, BUT NO FOLLOW-UP TRAFFIC:

DOMAIN REQUESTS THAT DIDN'T RESOLVE:

FILE HASHES

HANCITOR MALSPAM:

DELOADER (ZLOADER):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.