2017-05-30 - HANCITOR MALSPAM - SUBJECT: FEDEX SHIPMENT NOTIFICATION

ASSOCIATED FILES:

  • 2017-05-30-Hancitor-malspam-traffic.pcap   (13,200,366 bytes)
  • 2017-05-30-Hancitor-malspam-1501-UTC.eml   (13,938 bytes)
  • 2017-05-30-Hancitor-malspam-1505-UTC.eml   (13,907 bytes)
  • 2017-05-30-Hancitor-malspam-1554-UTC.eml   (13,935 bytes)
  • 2017-05-30-Hancitor-malspam-1602-UTC.eml   (13,946 bytes)
  • 2017-05-30-Hancitor-malspam-1611-UTC.eml   (13,943 bytes)
  • 2017-05-30-Hancitor-malspam-1612-UTC.eml   (13,936 bytes)
  • BN315C.tmp   (176,640 bytes)
  • Fedex_invoice_yahoo.doc   (184,832 bytes)

 

NOTES:

EMAIL


Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENTS:

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.