2017-09-18 - HANCITOR INFECTION WITH ZLOADER
ASSOCIATED FILES:
- 2017-09-18-Hancitor-infection-with-ZLoader.pcap.zip 9.0 MB (8,964,534 bytes)
- 2017-09-18-Hancitor-infection-with-ZLoader.pcap (9,608,961 bytes)
- 2017-09-18-Hancitor-malspam-10-examples.zip 9.5 kB (9,506 bytes)
- 2017-09-18-Hancitor-malspam-1451-UTC.eml (1,222 bytes)
- 2017-09-18-Hancitor-malspam-1452-UTC.eml (1,282 bytes)
- 2017-09-18-Hancitor-malspam-1508-UTC.eml (1,220 bytes)
- 2017-09-18-Hancitor-malspam-1511-UTC.eml (1,265 bytes)
- 2017-09-18-Hancitor-malspam-1551-UTC.eml (1,278 bytes)
- 2017-09-18-Hancitor-malspam-1552-UTC.eml (1,244 bytes)
- 2017-09-18-Hancitor-malspam-1620-UTC.eml (1,258 bytes)
- 2017-09-18-Hancitor-malspam-1642-UTC.eml (1,288 bytes)
- 2017-09-18-Hancitor-malspam-1705-UTC.eml (1,203 bytes)
- 2017-09-18-Hancitor-malspam-1730-UTC.eml (1,225 bytes)
- 2017-09-18-malware-from-Hancitor-infection.zip 263.6 kB (263,627 bytes)
- invoice_950094.doc (257,024 bytes)
- uvur.exe (173,568 bytes)
TODAY'S TWEETS COVERING THE 2017-09-18 WAVE OF #HANCITOR MALSPAM:
- @cheapbyte: #malspam #Hancitor Fake invoice Sep 18, 2017 IOC URLs at [Pastebin link] (link)
- @James_inthe_box: Incoming variant 4 #hancitor run "RE: RE: sept invoice <digits>" [Pastebin link] (link)
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date: Monday 2017-09-18 as early as 14:51 UTC through at least 17:30 UTC
- From: "Quinton Acre" <sales@mariderlaw[.]com>
- From: "Clifford Fettig" <sales@mariderlaw[.]com>
- From: "Rubin Stein" <sales@mariderlaw[.]com>
- From: "Lindsay Spafford" <sales@mariderlaw[.]com>
- From: "Lanny Grajales" <sales@mariderlaw[.]com>
- From: "Rubin Stein" <sales@mariderlaw[.]com>
- From: "Sidney Hornung" <sales@mariderlaw[.]com>
- From: "Ezekiel Bendixen" <sales@mariderlaw[.]com>
- From: "Chester Cobbins" <sales@mariderlaw[.]com>
- From: "Grover Corner" <sales@mariderlaw[.]com>
- Subject: RE: RE: sept invoice 384463
- Subject: RE: RE: sept invoice 653381
- Subject: RE: RE: sept invoice 471242
- Subject: RE: RE: sept invoice 102782
- Subject: RE: RE: sept invoice 031865
- Subject: RE: RE: sept invoice 585237
- Subject: RE: RE: sept invoice 783061
- Subject: RE: RE: sept invoice 270541
- Subject: RE: RE: sept invoice 575073
- Subject: RE: RE: sept invoice 312248
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
LINKS IN THE EMAILS FOR THE WORD DOCUMENT:
- 1234CARE[.]com - GET /i.php?n=[base64 string]
- 1234medical[.]org - GET /i.php?n=[base64 string]
- 123care[.]nyc - GET /i.php?n=[base64 string]
- JAVAJAZZERS[.]com - GET /i.php?n=[base64 string]
- 123care[.]info - GET /i.php?n=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENT:
- invoice_[six random digits].doc
POST-INFECTION TRAFFIC FROM MY INFECTED HOST:
- 212.116.113[.]94 port 80 - hatgutifi[.]com - POST /ls5/forum.php
- 212.116.113[.]94 port 80 - hatgutifi[.]com - POST /mlu/forum.php
- 212.116.113[.]94 port 80 - hatgutifi[.]com - POST /d2/about.php
- 79.96.37[.]7 port 80 - cepd[.]info - GET /wp-content/plugins/perth-portfolio/1
- 79.96.37[.]7 port 80 - cepd[.]info - GET /wp-content/plugins/perth-portfolio/2
- 79.96.37[.]7 port 80 - cepd[.]info - GET /wp-content/plugins/perth-portfolio/3
- 91.230.60[.]13 port 80 - deandveri[.]com - POST /bdl/gate.php
- api.ipify[.]org - GET /
- checkip.dyndns[.]org - GET /
- Various IP addresses on various TCP ports - Tor traffic
- 10.0.2.2 port 443 - TCP SYN segment approximately once every 5 minutes
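The indicator lists above (the email links for the Word document and the post-infection traffic), as an added example that is not part of the original write-up: a small Python matcher that refangs the defanged host names exactly as listed on the page and checks proxy-log lines against them, then groups hits per client address so the whole chain for one host is visible at a glance. The log line format, the indicator labels and the sample log lines are constructed for this example and are not taken from the pcap; the external IP-lookup services are kept as low-confidence supporting indicators because they are legitimate on their own.

```python
import re
from urllib.parse import urlsplit


def refang(indicator):
    """Turn the write-up's defanged notation ("[.]", "hxxp://") back into a usable string."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


# Indicators transcribed from the page, kept defanged exactly as listed there.
# Each entry: (label, defanged host, HTTP method, regex that must fully match the URL path).
# Labels are this example's own naming, not the page's.
INDICATORS = [
    ("email-link:maldoc", "1234CARE[.]com", "GET", r"/i\.php"),
    ("email-link:maldoc", "1234medical[.]org", "GET", r"/i\.php"),
    ("email-link:maldoc", "123care[.]nyc", "GET", r"/i\.php"),
    ("email-link:maldoc", "JAVAJAZZERS[.]com", "GET", r"/i\.php"),
    ("email-link:maldoc", "123care[.]info", "GET", r"/i\.php"),
    ("post-infection:hatgutifi", "hatgutifi[.]com", "POST", r"/(ls5|mlu)/forum\.php|/d2/about\.php"),
    ("post-infection:cepd", "cepd[.]info", "GET", r"/wp-content/plugins/perth-portfolio/[123]"),
    ("post-infection:deandveri", "deandveri[.]com", "POST", r"/bdl/gate\.php"),
    # External IP lookups are legitimate by themselves; the page shows them right after the
    # infection, so they are kept only as supporting evidence, not as a verdict on their own.
    ("post-infection:ip-check", "api.ipify[.]org", "GET", r"/"),
    ("post-infection:ip-check", "checkip.dyndns[.]org", "GET", r"/"),
]

# Refang and lowercase the hosts once; compile the path patterns once.
COMPILED = [(label, refang(host).lower(), method, re.compile(path_re))
            for label, host, method, path_re in INDICATORS]

# Assumed proxy-log layout for this example: timestamp, client IP, method, URL, status code.
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log lines (not from the pcap) showing one client walking the chain.
SAMPLE_LOG = """\
2017-09-18T15:02:11Z 10.0.2.15 GET http://1234care.com/i.php?n=QUJDREVG 200
2017-09-18T15:02:40Z 10.0.2.15 GET http://api.ipify.org/ 200
2017-09-18T15:02:41Z 10.0.2.15 POST http://hatgutifi.com/ls5/forum.php 200
2017-09-18T15:02:45Z 10.0.2.15 GET http://cepd.info/wp-content/plugins/perth-portfolio/1 200
2017-09-18T15:02:47Z 10.0.2.15 GET http://cepd.info/wp-content/plugins/perth-portfolio/2 200
2017-09-18T15:03:10Z 10.0.2.15 POST http://deandveri.com/bdl/gate.php 200
2017-09-18T15:03:30Z 10.0.2.16 GET http://www.example.com/index.html 200
2017-09-18T15:03:55Z 10.0.2.15 GET http://cepd.info/wp-content/plugins/perth-portfolio/9 404
"""


def match_line(line):
    """Return the label of the first indicator a log line matches, or None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    _ts, _client, method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for label, ioc_host, ioc_method, path_re in COMPILED:
        # Host, method and full path must all agree; the query string is ignored on purpose
        # because the page shows the maldoc link's n= value as a varying base64 string.
        if host == ioc_host and method == ioc_method and path_re.fullmatch(parts.path):
            return label
    return None


def scan(log_text):
    """Scan a whole log; return (timestamp, client, label, url) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        label = match_line(line)
        if label:
            ts, client, _method, url, _status = LOG_LINE.match(line.strip()).groups()
            hits.append((ts, client, label, url))
    return hits


def summarize(hits):
    """Group the matched labels per client so one host's whole chain can be read together."""
    per_client = {}
    for _ts, client, label, _url in hits:
        per_client.setdefault(client, set()).add(label)
    return {client: sorted(labels) for client, labels in per_client.items()}


if __name__ == "__main__":
    for client, labels in summarize(scan(SAMPLE_LOG)).items():
        print(client, "->", ", ".join(labels))
```

A single `ip-check` hit should never page anyone; the value of the per-client summary is that the maldoc download, the hatgutifi POSTs, the cepd GETs and the deandveri POST line up on the same host within minutes, which is the pattern the write-up's traffic list describes.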
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: f2dbdb12feb70f883e567a53d38c58081289134676c5f7ec09fefb031c559230
  - File name: invoice_950094.doc
  - File size: 257,024 bytes
  - File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 7831c0162c613fbaed1220726424b4553e7c577246b281ba0abdb55763aff41c
  - File location: C:\Users\[username]\AppData\Local\Temp\BN8C28.tmp
  - File location: C:\Users\[username]\AppData\Roaming\Dozire\uvur.exe
  - File size: 173,568 bytes
  - File description: DELoader/ZLoader