2017-10-30 - HANCITOR MALSPAM (VIEW YOUR OFFICE 365 BUSINESS BILLING STATEMENT)

ASSOCIATED FILES:

  • 2017-10-30-Hancitor-malspam-traffic-example.pcap   (528,674 bytes)
  • 2017-10-30-Hancitor-malspam-1621-UTC.eml   (5,996 bytes)
  • 2017-10-30-Hancitor-malspam-1626-UTC.eml   (5,921 bytes)
  • 2017-10-30-Hancitor-malspam-1722-UTC.eml   (6,002 bytes)
  • 2017-10-30-Hancitor-malspam-1724-UTC.eml   (6,058 bytes)
  • 2017-10-30-Hancitor-malspam-1726-UTC.eml   (5,934 bytes)
  • 2017-10-30-Hancitor-malspam-1822-UTC.eml   (6,033 bytes)
  • 2017-10-30-Hancitor-malspam-1829-UTC.eml   (5,965 bytes)
  • 2017-10-30-Hancitor-malspam-1837-UTC.eml   (5,967 bytes)
  • 2017-10-30-Hancitor-malspam-1855-UTC.eml   (5,933 bytes)
  • 2017-10-30-Hancitor-malspam-1918-UTC.eml   (6,007 bytes)
  • 2017-10-30-ZeusPandaBanker.exe   (153,088 bytes)
  • statement_299584.doc   (220,160 bytes)

 

TODAY'S TWEETS COVERING THE 2017-10-30 WAVE OF #HANCITOR MALSPAM:

 

NOTES:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  Attempted TCP connections caused by Zeus Panda Banker on the infected host.

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENT:

POST-INFECTION TRAFFIC FROM MY INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.