2017-06-12 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-12-Hancitor-infection-with-ZLoader.pcap.zip   9.8 MB (9,754,595 bytes)

• 2017-06-12-Hancitor-infection-with-ZLoader.pcap   (10,273,532 bytes)

• 2017-06-12-malware-from-Hancitor-infection.zip   260.7 kB (260,688 bytes)

• BN1506.tmp   (181,760 bytes)
• Invoice_yahoo.doc   (217,088 bytes)

 

SOME TWEETS ABOUT TODAY'S #HANCITOR MALSPAM:

• @cheapbyte   (see this one for more indicators)
• @maciekkotowicz   (link)

 

EMAILS

Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

• Date:  Monday 2017-06-12 as early as 16:29 UTC through at least 20:01 UTC
• From:  "William Scott via DocuSign" <william_scott@flexovitportal[.]com>
• Subject:  Please review your document Invoice 1580227 for [recipient's email domain]
• Subject:  Please review your document Invoice 1758741 for [recipient's email domain]
• Subject:  Please review your document Invoice 3251851 for [recipient's email domain]
• Subject:  Please review your document Invoice 4844170 for [recipient's email domain]
• Subject:  Please review your document Invoice 6603507 for [recipient's email domain]

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• CMGPLACEMENT[.]NET - GET /file.php?document=[base64 string]
• digitalactionist[.]com - GET /file.php?document=[base64 string]
• EXPLORIST[.]CO[.]IN - GET /file.php?document=[base64 string]
• krishnadress[.]com - GET /file.php?document=[base64 string]
• MYSAFERRETIREMENT[.]COM - GET /file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Invoice_[recipient's email domain, minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 185.173.178[.]177 port 80 - gaparugret[.]com - POST /ls5/forum.php
• 185.173.178[.]177 port 80 - gaparugret[.]com - POST /mlu/forum.php
• 185.173.178[.]177 port 80 - gaparugret[.]com - POST /d1/about.php
• 66.7.198[.]115 port 80 - controlzeta[.]cl - GET /wp-content/plugins/contact-form-7/includes/1
• 66.7.198[.]115 port 80 - controlzeta[.]cl - GET /wp-content/plugins/contact-form-7/includes/2
• 66.7.198[.]115 port 80 - controlzeta[.]cl - GET /wp-content/plugins/contact-form-7/includes/3
• 176.103.48[.]219 port 80 - evengtounty[.]com - POST /bdl/gate.php
• api.ipify[.]org - GET /
• checkip.dyndns[.]org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  594ab467454aafa64fc6bbf2b4aa92f7628d5861560eee1155805bd0987dbac3
  File name:  Invoice_yahoo.doc
  File size:  217,088 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  79ae923717f27dedc7b9357f753d3973a49ac2e9dab78a9d57c3c738c08aec74
  File location:  C:\Users\[username]\AppData\Local\Temp\BN1506.tmp
  File size:  181,760 bytes
  File description:  DELoader/ZLoader

 

Click here to return to the main page.