2017-02-16 - HANCITOR MALSPAM

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-02-16-Hancitor-malspam-traffic-both-pcaps.zip   16.5 MB (16,493,449 bytes)
• ZIP archive of the malware:  2017-02-16-Hancitor-malspam-email-and-malware.zip   607 kB (606,970 bytes)

 

EMAILS

FROM MONDAY 2017-02-13:

• Date:  Monday, 2017-02-13 at 16:40 UTC
• From:  "Amazon.com" <amazon@amazon-sales.com>
• Subject:  Your Amazon.com order has shipped (#254-01842113-8362234115)
• Message-ID:  <A3DF14A3.1B272B8E@amazon-sales.com>
• X-Mailer:  iPad Mail (11D167)

 

FROM THURSDAY 2017-02-16:

• Date:  Thursday, 2017-02-16 at 16:33 UTC
• From:  "Apache Mall" <accountant@apachemall.com>
• Subject:  FW: subpoena
• Message-ID:  <7C4B486E.ED81F6DF@apachemall.com>
• X-Mailer:  iPod Mail (10B500)

 

TRAFFIC

Shown above:  Traffic from the Monday 2017-02-13 infection filtered in Wireshark.

 

ASSOCIATED DOMAINS FROM MONDAY 2017-02-13:

• 198.144.191.168 port 80 - www.chuppon.cl - GET /api/get.php?id=[base64 string]
• api.ipify.org - GET /
• 178.32.212.37 port 80 - hisgotinla.com - POST /ls5/forum.php
• 178.32.212.37 port 80 - hisgotinla.com - POST /klu/forum.php
• 198.27.82.180 port 80 - buladoremedio.com - GET /wp-includes/1
• 198.27.82.180 port 80 - buladoremedio.com - GET /wp-includes/a1
• 62.75.198.163 port 80 - usedintgould.com - POST /bdk/gate.php
• checkip.dyndns.org - GET /
• 148.251.34.82 port 80 - refronnotning.ru - POST /bdk/gate.php
• 95.215.111.73 port 80 - hecknoforheg.ru - POST /bdk/gate.php
• 83.96.168.183 port 80 - 83.96.168.183 - POST /bdk/gate.php
• 91.221.37.160 port 80 - sindintmoro.ru - POST /bdk/gate.php
• 188.127.239.35 port 80 - kedugutret.ru - POST /bdk/gate.php

 

Shown above:  Traffic from the Thursday 2017-02-16 infection filtered in Wireshark.

 

ASSOCIATED DOMAINS FROM THURSDAY 2017-02-16:

• 220.130.141.206 port 80 - lilyland.com.tw - GET /api/getn.php?id=[base64 string]
• api.ipify.org - GET /
• 91.201.214.251 port 80 - babbowitwas.com - POST /ls5/forum.php
• 91.201.214.251 port 80 - babbowitwas.com - POST /klu/forum.php
• 162.144.0.85 port 80 - searchenginemarketing.gr - GET /clients/epartners/1
• 162.144.0.85 port 80 - searchenginemarketing.gr - GET /clients/epartners/a1
• 46.148.26.79 port 80 - withtylebet.com - POST /bdk/gate.php
• checkip.dyndns.org - GET /

 

FILE HASHES

HANCITOR MALDOCS:

• 0b8f91277f2161875cfe2f49ef1e499bcb60d1caa677d7d2e96b71437c648e5d - 2017-02-13-Hancitor-maldoc-Amazon_invoice.doc
• ab2ece498057bda06572c25bc74652f307670df0f55e85a2bb3fd5ccdb0e8b4f - 2017-02-16-Hancitor-maldoc-subpoena_from.doc

 

FOLLOW-UP MALWARE:

• ba05a2b22d749ebb0974d676ad68dae386d024e427946149e6ab680d823f8561 - 2017-02-13-DELoader-BNAF32.tmp.exe
• 480358462314ab7d4837df7ac8a1047ec6883f97d0581d0a049485c8d6fcb9fb - 2017-02-16-DELoader-BN8F45.tmp.exe

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-02-16-Hancitor-malspam-traffic-both-pcaps.zip   16.5 MB (16,493,449 bytes)
• ZIP archive of the malware:  2017-02-16-Hancitor-malspam-email-and-malware.zip   607 kB (606,970 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.