2017-06-21 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-21-Hancitor-infection-with-ZLoader.pcap.zip   7.9 MB (7,851,612 bytes)

• 2017-06-21-Hancitor-infection-with-ZLoader.pcap   (8,341,639 bytes)

• 2017-06-21-Hancitor-malspam-12-examples.zip   23.1 kB (23,093 bytes)

• 2017-06-21-Hancitor-malspam-1427-UTC.eml   (5,671 bytes)
• 2017-06-21-Hancitor-malspam-1429-UTC.eml   (5,669 bytes)
• 2017-06-21-Hancitor-malspam-1531-UTC.eml   (5,663 bytes)
• 2017-06-21-Hancitor-malspam-1534-UTC.eml   (5,666 bytes)
• 2017-06-21-Hancitor-malspam-1558-UTC.eml   (5,672 bytes)
• 2017-06-21-Hancitor-malspam-1607-UTC.eml   (5,660 bytes)
• 2017-06-21-Hancitor-malspam-1640-UTC.eml   (5,662 bytes)
• 2017-06-21-Hancitor-malspam-1708-UTC.eml   (5,668 bytes)
• 2017-06-21-Hancitor-malspam-1715-UTC.eml   (5,680 bytes)
• 2017-06-21-Hancitor-malspam-1719-UTC.eml   (5,671 bytes)
• 2017-06-21-Hancitor-malspam-1730-UTC.eml   (5,678 bytes)
• 2017-06-21-Hancitor-malspam-1900-UTC.eml   (5,672 bytes)

• 2017-06-21-malware-from-Hancitor-infection.zip   247.4 kB (247,388 bytes)

• BNAEF3.tmp   (185,856 bytes)
• Invoice_yahoo.doc   (232,960 bytes)

 

SOME TWEETS ABOUT TODAY'S #HANCITOR MALSPAM:

• @fletchsec:  Incoming ##hancitor run, sender - quickbooks-email@deleonstransportinc.com subject-Invoice ##### for (recipients name)   (link)
• @James_inthe_box:  Incoming #hancitor run "Invoice <digits> for <domain>"   (link)
• @cheapbyte:  #hancitor #malspam #phishing Hancitor phishing links June 21, 2017 Text links via ghostbin   (link)

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Wednesday 2017-06-21 as early as 14:27 UTC through at least 19:00 UTC
• From:  "De Leons Transport, Inc." <quickbooks-email@deleonstransportinc[.]com>
• Subject:  Invoice 57723 for [recipient's email domain]
• Subject:  Invoice 21671 for [recipient's email domain]
• Subject:  Invoice 04105 for [recipient's email domain]
• Subject:  Invoice 08132 for [recipient's email domain]
• Subject:  Invoice 84061 for [recipient's email domain]
• Subject:  Invoice 20011 for [recipient's email domain]
• Subject:  Invoice 07380 for [recipient's email domain]
• Subject:  Invoice 30672 for [recipient's email domain]
• Subject:  Invoice 12831 for [recipient's email domain]
• Subject:  Invoice 12457 for [recipient's email domain]
• Subject:  Invoice 54556 for [recipient's email domain]
• Subject:  Invoice 57714 for [recipient's email domain]

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• CROWNLINKSCOFFEE[.]COM - GET /viewdoc/file.php?document=[base64 string]
• DFWBENEFITSBROKER[.]COM - GET /viewdoc/file.php?document=[base64 string]
• DFWHEALTHINSURANCEEXCHANGE[.]COM - GET /viewdoc/file.php?document=[base64 string]
• DIQOTE[.]COM - GET /viewdoc/file.php?document=[base64 string]
• DSGBENEFITSGROUP[.]COM - GET /viewdoc/file.php?document=[base64 string]
• DSGDISABILITY[.]COM - GET /viewdoc/file.php?document=[base64 string]
• DSGHEALTHEXCHANGE[.]COM - GET /viewdoc/file.php?document=[base64 string]
• DSGLIFE[.]COM - GET /viewdoc/file.php?document=[base64 string]
• FAAPRODUCTIONSTUDIOS[.]COM - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Invoice_[recipient's email domain, minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 185.117.88[.]83 port 80 - tontorrombut[.]com - POST /ls5/forum.php
• 37.230.117[.]123 port 80 - ritterthimi[.]com - POST /mlu/forum.php
• 37.230.117[.]123 port 80 - ritterthimi[.]com - POST /d1/about.php
• 52.44.248[.]183 port 80 - musicismyfirstlanguage[.]com - GET /1
• 52.44.248[.]183 port 80 - musicismyfirstlanguage[.]com - GET /2
• 52.44.248[.]183 port 80 - musicismyfirstlanguage[.]com - GET /3
• 149.202.225[.]162 port 80 - muchrutontor[.]com - POST /bdl/gate.php
• api.ipify[.]org - GET /
• checkip.dyndns[.]org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  2b3c920dca2fd71ecadd0ae500b2be354d138841de649c89bacb9dee81e89fd4
  File name:  Invoice_yahoo.doc
  File size:  232,960 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  6520ce78ef1c1bfccf2c3144e02aeb16736b91d31464bafa07198b66ab5a4c55
  File location:  C:\Users\[username]\AppData\Local\Temp\BNAEF3.tmp
  File size:  185,856 bytes
  File description:  DELoader/ZLoader

 

Click here to return to the main page.