2017-03-08 - HANCITOR MALSPAM - FAKE EFAX EMAILS

ASSOCIATED FILES:

  • 2017-03-08-Hancitor-malspam-traffic.pcap   (13,078,617 bytes)
  • 2017-03-08-Hancitor-malspam-1547-UTC.eml   (3,338 bytes)
  • 2017-03-08-Hancitor-malspam-1715-UTC.eml   (3,357 bytes)
  • 2017-03-08-Hancitor-malspam-1744-UTC.eml   (3,384 bytes)
  • 2017-03-08-Hancitor-malspam-1949-UTC.eml   (3,310 bytes)
  • 2017-03-08-Hancitor-malspam-1954-UTC.eml   (3,308 bytes)
  • 2017-03-08-Hancitor-malspam-2016-UTC.eml   (3,333 bytes)
  • 2017-03-08-Hancitor-malspam-2031-UTC.eml   (3,336 bytes)
  • 2017-03-08-Hancitor-malspam-2057-UTC.eml   (3,332 bytes)
  • 2017-03-08-Hancitor-malspam-2101-UTC.eml   (3,354 bytes)
  • 2017-03-08-Hancitor-malspam-2125-UTC.eml   (3,311 bytes)
  • 2017-03-08-Hancitor-malspam-tracker.csv   (2,160 bytes)
  • BNE80.tmp.exe   (175,104 bytes)
  • eFax_gabe.smith.doc   (166,400 bytes)
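The helper below is an added example for triaging .eml samples like the ones listed above; it is not code from the original post. It parses a message the way the EMAIL HEADERS and FILE HASHES sections get filled in: sender, recipient, subject, date and message-id headers; every attachment with its size, SHA256 and MD5; and a flag for attachments that begin with the OLE2 signature that legacy .doc files carry. A flattened CSV row per attachment is produced in the spirit of the tracker .csv. The sample message it builds is constructed for the example (addresses on the .invalid TLD, placeholder subject and document bytes); none of those values, nor the resulting hashes, come from the real 2017-03-08 samples. Only the Python standard library is used.

```python
"""Triage helper for malspam .eml samples.

Added example, not code from the original post. Pulls the headers and
attachment hashes a malspam writeup reports and flags attachments that
start with the OLE2 (legacy .doc) magic. Standard library only.
"""
import csv
import hashlib
import io
from email import message_from_bytes, policy
from email.message import EmailMessage

# Compound File (OLE2) signature; legacy Office .doc files begin with it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed placeholder for the attachment. It is NOT the real
# eFax_gabe.smith.doc; it only starts with the OLE2 magic so the check fires.
SAMPLE_DOC_BYTES = OLE_MAGIC + b"constructed placeholder, not a real Word document\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_eml() -> bytes:
    """Build a constructed fake-eFax message.

    Addresses (.invalid TLD), subject, date and message-id are placeholders
    chosen for this example, not values taken from the real samples.
    """
    msg = EmailMessage()
    msg["From"] = "eFax <no-reply@efax.invalid>"
    msg["To"] = "gabe.smith@example.invalid"
    msg["Subject"] = 'eFax message from "unknown" - 1 page(s)'
    msg["Date"] = "Wed, 08 Mar 2017 15:47:00 +0000"
    msg["Message-ID"] = "<constructed-0001@efax.invalid>"
    msg.set_content("You have a new fax. Open the attached document to view it.")
    msg.add_attachment(SAMPLE_DOC_BYTES, maintype="application", subtype="msword",
                       filename="eFax_gabe.smith.doc")
    return msg.as_bytes()


def triage_eml(raw: bytes) -> dict:
    """Return the headers and per-attachment hashes for one .eml."""
    msg = message_from_bytes(raw, policy=policy.default)
    headers = {name.lower(): str(msg.get(name, ""))
               for name in ("From", "To", "Subject", "Date", "Message-ID")}
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # transfer-decoded bytes
        attachments.append({
            "filename": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": sha256_hex(data),
            "md5": hashlib.md5(data).hexdigest(),
            "looks_like_ole": data.startswith(OLE_MAGIC),
        })
    return {"headers": headers, "attachments": attachments}


def tracker_csv(results: list) -> str:
    """Flatten triage results to CSV, one row per attachment."""
    fields = ["date", "from", "subject", "filename", "sha256", "looks_like_ole"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for r in results:
        for a in r["attachments"]:
            writer.writerow({
                "date": r["headers"]["date"],
                "from": r["headers"]["from"],
                "subject": r["headers"]["subject"],
                "filename": a["filename"],
                "sha256": a["sha256"],
                "looks_like_ole": a["looks_like_ole"],
            })
    return out.getvalue()


if __name__ == "__main__":
    # On real samples: triage_eml(open("2017-03-08-Hancitor-malspam-1547-UTC.eml", "rb").read())
    result = triage_eml(build_sample_eml())
    for name, value in result["headers"].items():
        print(f"{name}: {value}")
    print(tracker_csv([result]))
```

To run it over the ten .eml files above, pass each file's bytes to triage_eml and feed the list of results to tracker_csv; the OLE flag is only a hint that the attachment is a legacy Office container, not a verdict on whether it carries macros.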

NOTES:

 


Shown above:  Flow chart for today's traffic.

 

EMAIL

DESCRIPTION:

 

EMAIL HEADERS:

 


Shown above:  Screenshot from one of the emails.

 


Shown above:  Malicious Word document (Hancitor).

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS AND URLS:

 

FILE HASHES

HANCITOR MALDOC:

FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
