2019-04-02 - HANCITOR MALSPAM WITH DOCUSIGN THEME

ASSOCIATED FILES:

  • 2019-04-02-Hancitor-malspam-example.eml   (5,528 bytes)
  • 2019-04-02-Hancitor-infection-with-Ursnif.pcap   (1,292,552 bytes)
  • 2019-04-02-Hancitor-malware-binary.exe   (290,816 bytes)
  • 2019-04-02-Ursnif-retrieved-by-Windows-infected-host.exe   (174,080 bytes)
  • 2019-04-02-Word-doc-with-macro-for-Hancitor.doc   (145,920 bytes)
  • 2019-04-02-registry-updates-caused-by-Ursnif.txt   (12,244,536 bytes)

NOTES:

 


Shown above:  Flow chart for today's Hancitor malspam infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

EMAIL HEADERS


Shown above:  Screenshot from an example of Hancitor malspam.

 

EMAIL HEADERS FROM TODAY'S HANCITOR MALSPAM EXAMPLE:

Received: from milaromanoff.com ([64.56.218.98]) by [removed] for [removed];
        Tue, 02 Apr 2019 16:36:58 +0000 (UTC)
Date: Tue, 02 Apr 2019 11:35:04 -0500
MIME-Version: 1.0
X-Mailer: iPhone Mail (11A501)
Content-Transfer-Encoding: 7bit
Subject: You got invoice from DocuSign Electronic Service
Message-ID: <364EB70F.BFED560B@milaromanoff.com>
From: "DocuSign Signature " <docusign@milaromanoff.com>
Content-Type: text/html;
        charset="utf-8"
To: [removed]

 


Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:

 


Shown above:  HTTP traffic from today's infection filtered in Wireshark.

 

INITIAL HANCITOR INFECTION TRAFFIC:

URSNIF POST-INFECTION HTTP TRAFFIC:

URSNIF POST-INFECTION DNS TRAFFIC:

 

FILE HASHES

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.