2017-06-15 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-15-Hancitor-infection-with-ZLoader.pcap.zip   8.8 MB (8,761,896 bytes)

• 2017-06-15-Hancitor-infection-with-ZLoader.pcap   (9,577,473 bytes)

• 2017-06-15-Hancitor-malspam-9-examples.zip   13.5 kB (13,495 bytes)

• 2017-06-15-Hancitor-malspam-1614-UTC.eml   (2,982 bytes)
• 2017-06-15-Hancitor-malspam-1638-UTC.eml   (2,965 bytes)
• 2017-06-15-Hancitor-malspam-1702-UTC.eml   (2,977 bytes)
• 2017-06-15-Hancitor-malspam-1711-UTC.eml   (2,969 bytes)
• 2017-06-15-Hancitor-malspam-1714-UTC.eml   (2,969 bytes)
• 2017-06-15-Hancitor-malspam-1732-UTC.eml   (2,967 bytes)
• 2017-06-15-Hancitor-malspam-1738-UTC.eml   (2,968 bytes)
• 2017-06-15-Hancitor-malspam-1850-UTC.eml   (2,968 bytes)
• 2017-06-15-Hancitor-malspam-1920-UTC.eml   (2,964 bytes)

• 2017-06-15-malware-from-Hancitor-infection.zip   253.1 kB (253,071 bytes)

• BN8BAB.tmp   (182,784 bytes)
• Document_yahoo.doc   (221,696 bytes)

 

SOME TWEETS ABOUT TODAY'S #HANCITOR MALSPAM:

• @James_inthe_box:  Incoming #hancitor run, "<domain@domain> has sent you a document" cc @AmazonHelp as hoster   (link)
• @fletchsec:  #Hancitor Two more download links   (link)
• @cheapbyte:  #hancitor #malware #phishing Hancitor Google Doc Malware Phishing links for today, text URLS at ghostbin   (link)

OTHER NOTES:

• By the time I checked for it, the initial download sites (the ones I knew about) had been taken down, and I was unable to retrieve the Word document.
• Thanks to @cheapbyte for sharing the file hash on the Hancitor Word document.

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Thursday 2017-06-15 as early as 16:14 UTC through at least 19:20 UTC
• From:  "Google Documents" <accounting@jeco-inc[.]com>
• Subject:  accounting@[recipient's email domain] has sent you a document

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• attorneycreditcardservices[.]com - GET /viewdoc/file.php?document=[base64 string]
• BLACKBELT[.]CC - GET /viewdoc/file.php?document=[base64 string]
• ENDOLONGWOOD[.]COM - GET /viewdoc/file.php?document=[base64 string]
• ENDOVOLUSIA[.]COM - GET /viewdoc/file.php?document=[base64 string]
• MIRRORLITE[.]US - GET /viewdoc/file.php?document=[base64 string]
• MIRRORLITEINC[.]COM - GET /viewdoc/file.php?document=[base64 string]
• MIRRORLITEINC[.]NET - GET /viewdoc/file.php?document=[base64 string]
• MIRRORLITEINC[.]INFO - GET /viewdoc/file.php?document=[base64 string]
• rcarrplumbing[.]com - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Document_[recipient's email domain, minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 185.15.208[.]195 port 80 - peroptepa[.]ru - POST /ls5/forum.php
• 185.15.208[.]195 port 80 - peroptepa[.]ru - POST /mlu/forum.php
• 185.15.208[.]195 port 80 - peroptepa[.]ru - POST /d1/about.php
• 177.47.187[.]12 port 80 - insight.com[.]vc - GET /wp-content/plugins/advanced-custom-fields/2
• 177.47.187[.]12 port 80 - insight.com[.]vc - GET /wp-content/plugins/advanced-custom-fields/3
• 177.93.111[.]181 port 80 - schoolhousebrasil[.]com[.]br - GET /wp-content/plugins/wordpress-importer/2
• 177.93.111[.}181 port 80 - schoolhousebrasil[.]com[.]br - GET /wp-content/plugins/wordpress-importer/3
• 185.175.158[.]242 port 80 - foaningundthe[.]com - POST /bdl/gate.php
• 46.183.223[.]230 port 80 - hertertrighheg[.]com - POST /bdl/gate.php
• api.ipify[.]org - GET /
• checkip.dyndns[.]org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  05d504a441d74008703f92064fe1d28a091c6bef1c10b6af3b7539a6585a9c04
  File name:  Document_yahoo.doc
  File size:  221,696 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  b7df021ebcd149ce63215036e7a61623c5a022d62e708dab2595c1f7c4b53a51
  File location:  C:\Users\[username]\AppData\Local\Temp\BN8BAB.tmp
  File size:  182,784 bytes
  File description:  DELoader/ZLoader

 

Click here to return to the main page.