2017-06-21 - HANCITOR INFECTION WITH ZLOADER
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-06-21-Hancitor-infection-with-ZLoader.pcap.zip 7.9 MB (7,851,612 bytes)
- 2017-06-21-Hancitor-infection-with-ZLoader.pcap (8,341,639 bytes)
- 2017-06-21-Hancitor-malspam-12-examples.zip 23.1 kB (23,093 bytes)
- 2017-06-21-Hancitor-malspam-1427-UTC.eml (5,671 bytes)
- 2017-06-21-Hancitor-malspam-1429-UTC.eml (5,669 bytes)
- 2017-06-21-Hancitor-malspam-1531-UTC.eml (5,663 bytes)
- 2017-06-21-Hancitor-malspam-1534-UTC.eml (5,666 bytes)
- 2017-06-21-Hancitor-malspam-1558-UTC.eml (5,672 bytes)
- 2017-06-21-Hancitor-malspam-1607-UTC.eml (5,660 bytes)
- 2017-06-21-Hancitor-malspam-1640-UTC.eml (5,662 bytes)
- 2017-06-21-Hancitor-malspam-1708-UTC.eml (5,668 bytes)
- 2017-06-21-Hancitor-malspam-1715-UTC.eml (5,680 bytes)
- 2017-06-21-Hancitor-malspam-1719-UTC.eml (5,671 bytes)
- 2017-06-21-Hancitor-malspam-1730-UTC.eml (5,678 bytes)
- 2017-06-21-Hancitor-malspam-1900-UTC.eml (5,672 bytes)
- 2017-06-21-malware-from-Hancitor-infection.zip 247.4 kB (247,388 bytes)
- BNAEF3.tmp (185,856 bytes)
- Invoice_yahoo.doc (232,960 bytes)
SOME TWEETS ABOUT TODAY'S #HANCITOR MALSPAM:
- @fletchsec: Incoming ##hancitor run, sender - quickbooks-email@deleonstransportinc.com subject-Invoice ##### for (recipient's name) (link)
- @James_inthe_box: Incoming #hancitor run "Invoice <digits> for <domain>" (link)
- @cheapbyte: #hancitor #malspam #phishing Hancitor phishing links June 21, 2017 Text links via ghostbin (link)
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date: Wednesday 2017-06-21 as early as 14:27 UTC through at least 19:00 UTC
- From: "De Leons Transport, Inc." <quickbooks-email@deleonstransportinc[.]com>
- Subject: Invoice 57723 for [recipient's email domain]
- Subject: Invoice 21671 for [recipient's email domain]
- Subject: Invoice 04105 for [recipient's email domain]
- Subject: Invoice 08132 for [recipient's email domain]
- Subject: Invoice 84061 for [recipient's email domain]
- Subject: Invoice 20011 for [recipient's email domain]
- Subject: Invoice 07380 for [recipient's email domain]
- Subject: Invoice 30672 for [recipient's email domain]
- Subject: Invoice 12831 for [recipient's email domain]
- Subject: Invoice 12457 for [recipient's email domain]
- Subject: Invoice 54556 for [recipient's email domain]
- Subject: Invoice 57714 for [recipient's email domain]
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE WORD DOCUMENT:
- CROWNLINKSCOFFEE[.]COM - GET /viewdoc/file.php?document=[base64 string]
- DFWBENEFITSBROKER[.]COM - GET /viewdoc/file.php?document=[base64 string]
- DFWHEALTHINSURANCEEXCHANGE[.]COM - GET /viewdoc/file.php?document=[base64 string]
- DIQOTE[.]COM - GET /viewdoc/file.php?document=[base64 string]
- DSGBENEFITSGROUP[.]COM - GET /viewdoc/file.php?document=[base64 string]
- DSGDISABILITY[.]COM - GET /viewdoc/file.php?document=[base64 string]
- DSGHEALTHEXCHANGE[.]COM - GET /viewdoc/file.php?document=[base64 string]
- DSGLIFE[.]COM - GET /viewdoc/file.php?document=[base64 string]
- FAAPRODUCTIONSTUDIOS[.]COM - GET /viewdoc/file.php?document=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENTS:
- Invoice_[recipient's email domain, minus the suffix].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 185.117.88[.]83 port 80 - tontorrombut[.]com - POST /ls5/forum.php
- 37.230.117[.]123 port 80 - ritterthimi[.]com - POST /mlu/forum.php
- 37.230.117[.]123 port 80 - ritterthimi[.]com - POST /d1/about.php
- 52.44.248[.]183 port 80 - musicismyfirstlanguage[.]com - GET /1
- 52.44.248[.]183 port 80 - musicismyfirstlanguage[.]com - GET /2
- 52.44.248[.]183 port 80 - musicismyfirstlanguage[.]com - GET /3
- 149.202.225[.]162 port 80 - muchrutontor[.]com - POST /bdl/gate.php
- api.ipify[.]org - GET /
- checkip.dyndns[.]org - GET /
- Various IP addresses on various TCP ports - Tor traffic
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 2b3c920dca2fd71ecadd0ae500b2be354d138841de649c89bacb9dee81e89fd4
  - File name: Invoice_yahoo.doc
  - File size: 232,960 bytes
  - File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 6520ce78ef1c1bfccf2c3144e02aeb16736b91d31464bafa07198b66ab5a4c55
  - File location: C:\Users\[username]\AppData\Local\Temp\BNAEF3.tmp
  - File size: 185,856 bytes
  - File description: DELoader/ZLoader