2017-02-01 - HANCITOR/PONY MALSPAM - SUBJECT: INVOICE #12345678

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-02-01-Hancitor-Pony-malspam-traffic.pcap.zip   10.3 MB (10,376,975 bytes)

• 2017-02-01-Hancitor-Pony-malspam-traffic.pcap   (12,650,233 bytes)

• ZIP archive of the emails and recovered malware:  2017-02-01-Hancitor-Pony-malspam-emails-and-malware.zip   1.7 MB (1,712,584 bytes)

• 2017-02-01-Hancitor-Pony-malspam-1641-UTC.eml   (1,638 bytes)
• 2017-02-01-Hancitor-Pony-malspam-1642-UTC.eml   (1,640 bytes)
• 2017-02-01-Hancitor-Pony-malspam-1812-UTC.eml   (836 bytes)
• 2017-02-01-Hancitor-Pony-malspam-1832-UTC.eml   (811 bytes)
• 2017-02-01-Invoice_jeremycombs.doc   (201,216 bytes)
• 2017-02-01-follow-up-malware-Terdot.A-Zloader.exe   (258,048 bytes)
• 2017-02-01-follow-up-malware-24c.exe   (1,938,432 bytes)

NOTES:

• More malspam similar to something I posted in an ISC diary I wrote covering Hancitor/Pony/Vawtrak malspam from 2017-01-10 (link).
• Today it's a fake invoice message.
• Today, it was Hancitor --> Pony --> Terdot.A/Zloader --> another follow-up download.

Shown above:  Flowchart for this infection traffic.

 

EMAIL

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Wednesday 2017-02-01 at 16:41 UTC
• Date:  Wednesday 2017-02-01 at 16:42 UTC
• Date:  Wednesday 2017-02-01 at 18:12 UTC
• Date:  Wednesday 2017-02-01 at 18:32 UTC

• From (spoofed):  "George Cromwell" <gcromwell@gcromwell@le-bernardin.com>
• From (spoofed):  "George Cromwell" <gcromwell@gcromwell@le-bernardin.com>
• From (spoofed):  "gcromwell@le-bernardin.com" <gcromwell@gcromwell@le-bernardin.com>
• From (spoofed):  "gcromwell@thomaskeller.com" <gcromwell@thomaskeller.com>

• Subject:  FW: Re: invoice #6987530
• Subject:  FW: Re: invoice # 6658504
• Subject:  FW: Re: invoice #50266207
• Subject:  FW: Re: invoice #64028380

• Message-ID:  <26FMRQTQ.0598363@recknor.com>
• Message-ID:  <GA5Z0Q0E.6605786@rote-seiten.com>
• Message-ID:  <80B41CD4.1A4EE0F7@le-bernardin.com>
• Message-ID:  <6042DE27.A20367EC@thomaskeller.com>

 

Shown above:  Word document downloaded from link in the email.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Another try using a different URL from one of the emails.

 

ASSOCIATED DOMAINS:

• 27.254.109.103 port 80 - www.timeconsulting.co.th - GET /api/get.php?id=[base64 characters representing recipient's email address]
• api.ipify.org - GET /   [IP address check by the infected host]
• 80.87.196.67 port 80 - taronwifi.com - POST /ls5/forum.php   [Hancitor check-in]
• 37.152.88.26 port 80 - www.ligaslastorres.es - GET /wp-content/themes/phantomlite/1   [Download Pony DLL]
• 80.87.196.67 port 80 - taronwifi.com - POST /klu/forum.php
• 37.152.88.26 port 80 - www.ligaslastorres.es - GET /wp-content/themes/phantomlite/a1   [follow-up download]
• 37.143.15.137 port 80 - rinmisupher.com - POST /bdk/gate.php
• checkip.dyndns.org - GET /   [IP address check by the infected host]
• 104.239.200.178 port 80 - bayandreef.com - GET /wp-content/themes/bayandreef/24c.exe
• 91.220.131.24 port 50012 - 91.220.131.24 - UDP traffic
• 91.220.131.24 port 50011 - 91.220.131.24 - HTTPS/SSL/TLS traffic over TCP port 50011
• Various IP addresses port 25 - various domains - Attempted SMTP traffic

NOTE: No spam was sent from the infected Windows host, but it did try sending emails using the spoofed sender address gcromwell@thomaskeller.com (the same sender address from the email used to infect this particular Windows host).

 

ASSOCIATED DOMAINS NOTED FROM SECOND ATTEMPT:

• 103.28.39.28 port 80 - anthonyiphone.vn - GET /api/get.php?id=[base64 characters representing recipient's email address]
• 80.87.196.67 port 80 - wilsedrecta.ru - POST /ls5/forum.php
• 80.87.196.67 port 80 - eventsitperet.ru - POST /ls5/forum.php

 

FILE HASHES

WORD DOCUMENT:

• SHA256 hash:  5e41582be6df17aa6691ab526a93fcfacd612c05618b576988a67acc7be9a145   (201,216 bytes)
  File description:  Hancitor maldoc (Word document) on 2017-02-01

 

TERDOT.A/ZLOADER:

• SHA256 hash:  c01582eb77ccbc1977db81c3ecf9b5297e28897f91be0f7e4af24b14fbf3cf59   (258,048 bytes)
  File description:  Terdot.A/Zloader on 2017-02-01

 

FOLLOW-UP DOWNLOAD:

• SHA256 hash:  ffffd99fdc813e58bc9282101036d055a1ea937281b3202132961e5377f34962   (1,938,432 bytes)
  File description:  Follow-up malware downloaded on 2017-02-01

 

IMAGES

Shown above:  Some alerts on the post-infection traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-02-01-Hancitor-Pony-malspam-traffic.pcap.zip   10.3 MB (10,376,975 bytes)
• ZIP archive of the emails and recovered malware:  2017-02-01-Hancitor-Pony-malspam-emails-and-malware.zip   1.7 MB (1,712,584 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.