2018-01-24 - QUICK POST: HANCITOR MALSPAM

ASSOCIATED FILES:

  • 2018-01-24-Hancitor-infection-traffic.pcap   (9,461,350 bytes)
  • 2018-01-24-Hancitor-malspam-12-emails.txt   (25,671 bytes)
  • 2018-01-24-Hancitor-RTF-sample-invoice_254455.doc   (156,854 bytes)
  • 2018-01-24-Hancitor-decoded-from-base64-string-in-RTF-file.exe   (41,472 bytes)
  • 2018-01-24-Zeus-Panda-Banker-sample.exe   (204,800 bytes)
  • 2018-01-24-follow-up-malware-spambot-intaller.exe   (2,040,320 bytes)

NOTES:

1) The script carrying the base64 string for the Hancitor binary was embedded in the RTF file itself, rather than being retrieved from a server.
2) My infected lab host spewed a great deal of additional Hancitor malspam in the post-infection SMTP traffic.
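
Added example, not from the original post: because note 1 says the Hancitor binary sat inside the RTF as a base64 string rather than being fetched, a defender can triage such documents offline by pulling out long base64 runs and checking whether any decode to a PE. The RTF snippet, the PE stub and the benign blob below are constructed for the demo; the real invoice_254455.doc is not reproduced, and the helper names are my own.

```python
import base64
import hashlib
import re

# Constructed PE stub: "MZ" header, e_lfanew at offset 60 pointing to "PE\0\0".
# It is NOT the real Hancitor binary, just enough structure to exercise the check.
PE_STUB = (
    b"MZ" + b"\x90" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
)

# Constructed stand-in for an RTF that embeds a script with a base64 payload.
SAMPLE_RTF = (
    "{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}}\n"
    "\\f0\\fs24 Invoice attached.\\par\n"
    "{\\*\\objdata 0105000002000000}\n"
    "payload = \"" + base64.b64encode(PE_STUB).decode() + "\"\n"
    "}\n"
)

# Constructed control case: a long base64 run that is just text, not a PE.
BENIGN_B64 = base64.b64encode(b"This is a harmless embedded text blob for testing.").decode()
SAMPLE_RTF_BENIGN = "{\\rtf1 note = \"" + BENIGN_B64 + "\"}\n"

# Runs of base64 alphabet at least 40 chars long, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def sha256_hex(data):
    """Hex SHA256 of a byte string, so results can be matched against a hash list."""
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(blob):
    """True if blob starts with an MZ header and e_lfanew points at a PE signature."""
    if len(blob) < 64 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[60:64], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_base64_pe(text):
    """Return one record per base64 run in `text` that decodes to a PE image.

    Each record gives the character offset of the run, the decoded size and
    the SHA256 of the decoded bytes. Runs that are not valid base64, or that
    decode to something other than a PE, are skipped.
    """
    hits = []
    for match in B64_RE.finditer(text):
        token = match.group(0)
        try:
            blob = base64.b64decode(token, validate=True)
        except ValueError:  # bad length or characters: not really base64
            continue
        if not looks_like_pe(blob):
            continue
        hits.append({
            "offset": match.start(),
            "size": len(blob),
            "sha256": sha256_hex(blob),
        })
    return hits


if __name__ == "__main__":
    # Hypothetical usage: feed the text of a suspicious RTF and print any PE found.
    for hit in find_base64_pe(SAMPLE_RTF):
        print(f"embedded PE at offset {hit['offset']}: {hit['size']} bytes, sha256 {hit['sha256']}")
    print("benign sample hits:", find_base64_pe(SAMPLE_RTF_BENIGN))
```

On a real document, open the file in text mode with errors="ignore" and pass the contents in; the SHA256 of each decoded blob can then be compared against the hash list in the MALWARE section above.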

INDICATORS:

EMAIL INFO:

- Subject: Shipment status changed for parcel #1234!
- From: usps@ncasef.com

BLOCK LIST FROM INDICATORS IN THE PCAP:

- 777rent.com
- boxerproperty.info
- boxerworkstyle.net
- buildmyofficespace.com
- buildyourofficespace.com
- cheap-office-space.net
- denver-office-space.net
- el-paso-office-space.com
- houston-executive-suites.net
- jbaportfolio.com
- naveundpa.com
- suptalefthed.ru
- hxxp://www.dressedfortime.com/wp-content/plugins/title-and-nofollow-for-links/inc/1
- hxxp://www.dressedfortime.com/wp-content/plugins/title-and-nofollow-for-links/inc/2
- hxxp://www.dressedfortime.com/wp-content/plugins/title-and-nofollow-for-links/inc/3
- hxxp://store.firmbarbershop.com/wp-content/plugins/custom-firmshop/62b.exe

MALWARE:

- SHA256 hash: b489ca02dcea8dc7d5420908ad5d58f99a6fef160721dcecfd512095f2163f7a
- Description: 2018-01-24 Hancitor RTF sample: invoice_254455.doc

- SHA256 hash: e205b987b1faa34dc3457c76299779f5b1fe604a276cf578fc5642e708be5f12
- Description: 2018-01-24 Hancitor binary decoded from base64 string in RTF file

- SHA256 hash: 92c07ff5e7e08360ed324a574d6b3db9a2d6934bff6eb4cd1deee80e72f7ed33
- Description: 2018-01-24 Zeus Panda Banker

- SHA256 hash: 998184a140b0998732144be054f4c8f5c1609d997155830c52feee05160db3b8
- Description: 2018-01-24 follow-up malware: Send-Safe spambot installer
