2017-06-21 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

ASSOCIATED FILES:

  • 2017-06-21-Hancitor-infection-with-ZLoader.pcap   (8,341,639 bytes)
  • 2017-06-21-Hancitor-malspam-1427-UTC.eml   (5,671 bytes)
  • 2017-06-21-Hancitor-malspam-1429-UTC.eml   (5,669 bytes)
  • 2017-06-21-Hancitor-malspam-1531-UTC.eml   (5,663 bytes)
  • 2017-06-21-Hancitor-malspam-1534-UTC.eml   (5,666 bytes)
  • 2017-06-21-Hancitor-malspam-1558-UTC.eml   (5,672 bytes)
  • 2017-06-21-Hancitor-malspam-1607-UTC.eml   (5,660 bytes)
  • 2017-06-21-Hancitor-malspam-1640-UTC.eml   (5,662 bytes)
  • 2017-06-21-Hancitor-malspam-1708-UTC.eml   (5,668 bytes)
  • 2017-06-21-Hancitor-malspam-1715-UTC.eml   (5,680 bytes)
  • 2017-06-21-Hancitor-malspam-1719-UTC.eml   (5,671 bytes)
  • 2017-06-21-Hancitor-malspam-1730-UTC.eml   (5,678 bytes)
  • 2017-06-21-Hancitor-malspam-1900-UTC.eml   (5,672 bytes)
  • BNAEF3.tmp   (185,856 bytes)
  • Invoice_yahoo.doc   (232,960 bytes)

 

SOME TWEETS ABOUT TODAY'S #HANCITOR MALSPAM:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENTS:

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

Click here to return to the main page.