2019-01-16 - HANCITOR MALSPAM WITH PAYPAL THEME

ASSOCIATED FILES:

  • 47 .eml files ranging from 16,891 to 17120 bytes
  • 2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap   (767,878 bytes)
  • 2019-01-16-Hancitor-binary-retrieved-by-Excel-macro.exe   (94210 bytes)
  • 2019-01-16-Ursnif-retrieved-by-Hancitor-infected-host.exe   (236,032 bytes)
  • 2019-01-16-downloaded-Excel-speadsheet-with-macro-for-Hancitor.xls   (274,432 bytes)

NOTES:


Shown above:  Flow chart for recent Hancitor malspam infections.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

MALSPAM DATA


Shown above:  Screenshot from one of the emails.

 

DATA FROM 47 EMAIL EXAMPLES:

 


Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:

 


Shown above:  HTTP traffic from today's infection filtered in Wireshark.

 


Shown above:  DNS traffic from today's infection filtered in Wireshark.

 

INITIAL HANCITOR INFECTION TRAFFIC:

URSNIF POST-INFECTION HTTP TRAFFIC:

URSNIF POST-INFECTION DNS TRAFFIC:

URSNIF DOMAINS IN THE DNS QUERIES:

 

FILE HASHES

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.