2017-10-26 - HANCITOR MALSPAM (MISSED DELIVERY/SHIPMENT/SHIPPING NOTIFICATION)

ASSOCIATED FILES:

  • 2017-10-26-Hancitor-malspam-traffic.pcap   (3,154,362 bytes)
  • 2017-10-26-Hancitor-malspam-153455-UTC.txt   (2,748 bytes)
  • 2017-10-26-Hancitor-malspam-154025-UTC.txt   (2,773 bytes)
  • 2017-10-26-Hancitor-malspam-154050-UTC.txt   (2,758 bytes)
  • 2017-10-26-Hancitor-malspam-155803-UTC.txt   (2,793 bytes)
  • 2017-10-26-Hancitor-malspam-160257-UTC.txt   (2,828 bytes)
  • 2017-10-26-Hancitor-malspam-161434-UTC.txt   (2,818 bytes)
  • 2017-10-26-Hancitor-malspam-161547-UTC.txt   (2,795 bytes)
  • 2017-10-26-Hancitor-malspam-162005-UTC.txt   (2,807 bytes)
  • 2017-10-26-Hancitor-malspam-162437-UTC.txt   (2,839 bytes)
  • 2017-10-26-Hancitor-malspam-163029-UTC.txt   (2,787 bytes)
  • 2017-10-26-Hancitor-malspam-163446-UTC.txt   (2,822 bytes)
  • 2017-10-26-Hancitor-malspam-163827-UTC.txt   (2,770 bytes)
  • 2017-10-26-Hancitor-malspam-165437-UTC.txt   (2,801 bytes)
  • 2017-10-26-Hancitor-malspam-170300-UTC.txt   (2,844 bytes)
  • 2017-10-26-Hancitor-malspam-170549-UTC.txt   (2,789 bytes)
  • 2017-10-26-Hancitor-malspam-171228-UTC.txt   (2,777 bytes)
  • 2017-10-26-Hancitor-malspam-171751-UTC.txt   (2,760 bytes)
  • 2017-10-26-Hancitor-malspam-171933-UTC.txt   (2,751 bytes)
  • 2017-10-26-Hancitor-malspam-172419-UTC.txt   (2,784 bytes)
  • 2017-10-26-Hancitor-malspam-175917-UTC.txt   (2,803 bytes)
  • 2017-10-26-Hancitor-malspam-181923-UTC.txt   (2,769 bytes)
  • 2017-10-26-Hancitor-malspam-183916-UTC.txt   (2,807 bytes)
  • 2017-10-26-Hancitor-malspam-195435-UTC.txt   (2,758 bytes)
  • 2017-10-26-Hancitor-malspam-200146-UTC.txt   (2,823 bytes)
  • 2017-10-26-Hancitor-malspam-204726-UTC.txt   (2,763 bytes)
  • notice_998780.doc   (193,024 bytes)
  • xulstore.exe   (172,544 bytes)

 

TODAY'S TWEETS COVERING THE 2017-10-26 WAVE OF #HANCITOR MALSPAM:

 

NOTES:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  Example of HTTPS post-infection traffic to tontrumuchtors.com in Fiddler (caused by Zeus Panda Banker).

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENT:

POST-INFECTION TRAFFIC FROM MY INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:


Shown above:  Example of post-infection malware, Zeus Panda Banker.  Zeus Panda Banker saves itself to the infected host under a random file name
in a random existing directory path under the user's AppData\Roaming folder.
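Because the dropped file gets a random name in a random existing directory, a filename-based IOC is useless for finding it.  The script below is an added example (not code from this write-up) that hunts the way a responder would: walk the AppData\Roaming tree and flag anything that carries a PE header, whatever its extension.  The directory layout it builds is constructed for illustration, and the planted "xulstore.exe" and "cache.dat" are stub MZ/PE headers, not the real sample.

```python
"""
Hunt for dropped PE files under a user's AppData\\Roaming tree.

Added example, not part of the original write-up. Zeus Panda Banker drops
itself under a random file name into a random existing directory below
%APPDATA%, so instead of matching names this walks the tree and flags every
file whose header parses as a Windows PE (DOS "MZ" stub whose e_lfanew
pointer leads to "PE\0\0"). The demo tree is constructed; the planted
files are stub headers, not the real malware.
"""
import os
import struct
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional


@dataclass
class Hit:
    path: Path
    size: int
    mtime: float


def is_pe(path: Path) -> bool:
    """True if the file starts with 'MZ' and e_lfanew points at 'PE\\0\\0'.
    A short file or a text file that merely begins with 'MZ' is rejected."""
    try:
        with path.open("rb") as fh:
            header = fh.read(0x40)
            if len(header) < 0x40 or header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def find_pe_files(root: Path, max_age_seconds: Optional[float] = None) -> List[Hit]:
    """Return every PE file below `root`, newest first. `max_age_seconds`
    optionally restricts results to files modified recently (e.g. 24h)."""
    now = time.time()
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not p.is_file():
                continue
            st = p.stat()
            if max_age_seconds is not None and now - st.st_mtime > max_age_seconds:
                continue
            if is_pe(p):
                hits.append(Hit(p, st.st_size, st.st_mtime))
    hits.sort(key=lambda h: h.mtime, reverse=True)
    return hits


def fake_pe_bytes() -> bytes:
    """Stub that satisfies is_pe(): 64-byte DOS header, e_lfanew = 0x40,
    then the 'PE\\0\\0' signature. Not a runnable executable."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_demo_tree() -> Path:
    """Constructed AppData\\Roaming look-alike: benign files plus a PE with a
    plausible name and a PE hiding behind a non-executable extension."""
    root = Path(tempfile.mkdtemp(prefix="roaming-"))
    (root / "Mozilla" / "Firefox" / "Profiles").mkdir(parents=True)
    (root / "Microsoft" / "Windows" / "Recent").mkdir(parents=True)
    (root / "Mozilla" / "Firefox" / "profiles.ini").write_text("[General]\n")
    # Starts with "MZ" but is not a PE; must not be flagged.
    (root / "Microsoft" / "Windows" / "Recent" / "notes.txt").write_text("MZ is just text\n")
    (root / "Mozilla" / "Firefox" / "Profiles" / "xulstore.exe").write_bytes(fake_pe_bytes())
    (root / "Microsoft" / "Windows" / "Recent" / "cache.dat").write_bytes(fake_pe_bytes())
    return root


def demo() -> List[str]:
    """Run the hunt over the constructed tree; return hits as sorted relative paths."""
    root = build_demo_tree()
    return sorted(h.path.relative_to(root).as_posix() for h in find_pe_files(root))


if __name__ == "__main__":
    # On a live Windows host, point it at the real folder instead of the demo tree.
    target = Path(os.environ["APPDATA"]) if "APPDATA" in os.environ else None
    hits = find_pe_files(target, max_age_seconds=24 * 3600) if target else []
    for h in hits:
        print(f"{time.ctime(h.mtime)}  {h.size:>9}  {h.path}")
    print("demo tree hits:", demo())
```

Run it from the suspect user's context (or against a mounted image) and compare each hit's hash against the one listed for xulstore.exe above; a fresh PE with an odd extension in a profile directory is the kind of find worth pulling for analysis.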

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
