2018-07-03 - HANCITOR MALSPAM INFECTION TRAFFIC

ASSOCIATED FILES:

  • 2018-07-03-Hancitor-malspam-1701-UTC.eml   (3,788 bytes)
  • 2018-07-03-Hancitor-malspam-infection-traffic.pcap   (2,781,537 bytes)
  • 2018-07-03-Hancitor-malware-binary-6C.pif.exe   (73,216 bytes)
  • 2018-07-03-Send-Safe-SSE-spambot-malware-from-Hancitor-infection.exe   (1,870,096 bytes)
  • 2018-07-03-Zeus-Panda-Banker-caused-by-Hancitor.exe   (170,496 bytes)
  • 2018-07-03-downloaded-Word-doc-with-macro-for-Hancitor.doc   (202,240 bytes)


NOTES:


Shown above:  Flow chart for today's Hancitor malspam infection.


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:


EMAILS


Shown above:  Example of the malspam.


EMAIL HEADERS FROM TODAY'S HANCITOR MALSPAM EXAMPLE:

Received: from psi4jobs.com ([209.64.58.226]) by [removed] for [removed];
        Tue, 03 Jul 2018 17:01:30 +0000 (UTC)
Message-ID: <FB3EC39B.47DDD340@psi4jobs.com>
Date: Tue, 03 Jul 2018 13:01:30 -0400
From: "eFax " <message@psi4jobs.com>
X-Mailer: Molto foriPad (2.1.0.8604)
MIME-Version: 1.0
TO:
[removed]
Subject: This is efax Notification
Content-Type: text/html;
        charset="utf-8"
Content-Transfer-Encoding: 7bit
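The headers above are the sort of thing a mail-gateway or SOC analyst pulls apart first: which host handed the message in, whether the display name borrows a brand ("eFax") that the sending domain has nothing to do with, and whether the Message-ID domain agrees with the From domain. The script below is an added example, not part of the original post; it parses this page's header block with the Python standard library and reports those indicators. The `BRAND_KEYWORDS` table (the idea that an "efax" display name should come from efax.com) is an assumed heuristic for illustration, and the `TO:` header is joined onto one line so the parser treats it as a single field.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block copied from the malspam sample on this page (body omitted,
# recipient redacted by the original author). "TO:" is placed on one line so the
# stdlib parser sees it as one header field.
SAMPLE_HEADERS = """Received: from psi4jobs.com ([209.64.58.226]) by [removed] for [removed];
        Tue, 03 Jul 2018 17:01:30 +0000 (UTC)
Message-ID: <FB3EC39B.47DDD340@psi4jobs.com>
Date: Tue, 03 Jul 2018 13:01:30 -0400
From: "eFax " <message@psi4jobs.com>
X-Mailer: Molto foriPad (2.1.0.8604)
MIME-Version: 1.0
TO: [removed]
Subject: This is efax Notification
Content-Type: text/html;
        charset="utf-8"
Content-Transfer-Encoding: 7bit

"""

# Assumed brand keywords commonly borrowed by lure display names, mapped to the
# domain a defender would expect that brand to send from (illustrative table).
BRAND_KEYWORDS = {"efax": "efax.com"}

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw: str) -> dict:
    """Extract the fields a triage analyst looks at first from a raw header block."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # The first Received header is the hop closest to our own MX, i.e. the host
    # that delivered the message to us; its bracketed IP is the sending IP.
    received = msg.get_all("Received") or []
    ip_match = IPV4_IN_BRACKETS.search(received[0]) if received else None

    message_id = msg.get("Message-ID", "")
    msgid_domain = ""
    if "@" in message_id:
        msgid_domain = message_id.rsplit("@", 1)[-1].strip("<> ").lower()

    return {
        "display_name": display_name.strip(),
        "address": address.lower(),
        "sender_domain": sender_domain,
        "sending_ip": ip_match.group(1) if ip_match else "",
        "message_id_domain": msgid_domain,
        "subject": msg.get("Subject", ""),
        "x_mailer": msg.get("X-Mailer", ""),
    }


def brand_mismatch(fields: dict) -> list:
    """Brand keywords seen in the display name or subject whose expected domain
    does not match the actual sender domain."""
    haystack = (fields["display_name"] + " " + fields["subject"]).lower()
    hits = []
    for keyword, legit_domain in BRAND_KEYWORDS.items():
        if keyword in haystack and not fields["sender_domain"].endswith(legit_domain):
            hits.append(keyword)
    return hits


def triage(raw: str):
    """Return (parsed fields, list of finding strings) for one header block."""
    fields = parse_headers(raw)
    findings = []
    mismatches = brand_mismatch(fields)
    if mismatches:
        findings.append("brand-impersonation:" + ",".join(mismatches))
    if fields["message_id_domain"] and fields["message_id_domain"] != fields["sender_domain"]:
        findings.append("message-id-domain-mismatch")
    return fields, findings


if __name__ == "__main__":
    parsed, notes = triage(SAMPLE_HEADERS)
    for key, value in parsed.items():
        print(f"{key:18} {value}")
    print("findings:", notes)
```

For this sample the script reports sending IP 209.64.58.226, sender domain psi4jobs.com, and a single finding, the eFax-themed display name and subject sent from a domain unrelated to the brand; the Message-ID domain matches the From domain, so that check stays quiet. Feeding it the `Received:` chain of your own gateway's copy rather than this redacted one gives the full hop list.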



Shown above:  Word doc downloaded from link in the malspam.


INFECTION TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.


LINKS IN THE EMAILS TO DOWNLOAD THE MALICIOUS WORD DOCUMENT:

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:



Shown above:  SSE spambot UDP beacon traffic from my infected lab host.


MALWARE

MALWARE RETRIEVED FROM MY INFECTED LAB HOST:


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
