2017-10-05 - HANCITOR MALSPAM (2 WAVES: MAKE HACKING DIFFICULT & FW: IRS)

ASSOCIATED FILES:

  • 2017-10-05-Hancitor-malspam-traffic.pcap   (9,860,952 bytes)
  • 2017-10-05-Hancitor-malspam-1619-UTC.eml   (14,470 bytes)
  • 2017-10-05-Hancitor-malspam-1816-UTC.eml   (897 bytes)
  • 2017-10-05-Hancitor-malspam-1824-UTC.eml   (968 bytes)
  • Ymqyod-opdei.exe   (209,920 bytes)
  • ebook_338683.doc   (215,040 bytes)

 

A TWITTER THREAD COVERING 2017-10-05 WAVES OF #HANCITOR MALSPAM:

 

EMAILS


Shown above:  Screenshot from an email in the 1st wave.

 


Shown above:  Screenshot from an email in the 2nd wave.

 

EMAIL HEADERS - EXAMPLE FROM 1ST WAVE:

 

EMAIL HEADERS - EXAMPLES FROM 2ND WAVE:

 


Shown above:  Malicious Word document from one of the malspam links.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENT:

POST-INFECTION TRAFFIC FROM MY INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

IMAGES


Shown above:  Artifacts from an infected host in the user's AppData\Local\Temp directory.

 


Shown above:  Artifacts from an infected host in the user's AppData\Roaming directory.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.