2017-02-16 - HANCITOR MALSPAM
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-02-16-Hancitor-malspam-traffic-both-pcaps.zip 16.5 MB (16,493,449 bytes)
- ZIP archive of the malware: 2017-02-16-Hancitor-malspam-email-and-malware.zip 607 kB (606,970 bytes)
EMAILS
FROM MONDAY 2017-02-13:
- Date: Monday, 2017-02-13 at 16:40 UTC
- From: "Amazon.com" <amazon@amazon-sales.com>
- Subject: Your Amazon.com order has shipped (#254-01842113-8362234115)
- Message-ID: <A3DF14A3.1B272B8E@amazon-sales.com>
- X-Mailer: iPad Mail (11D167)
FROM THURSDAY 2017-02-16:
- Date: Thursday, 2017-02-16 at 16:33 UTC
- From: "Apache Mall" <accountant@apachemall.com>
- Subject: FW: subpoena
- Message-ID: <7C4B486E.ED81F6DF@apachemall.com>
- X-Mailer: iPod Mail (10B500)
TRAFFIC
[Screenshot: Traffic from the Monday 2017-02-13 infection filtered in Wireshark.]
ASSOCIATED DOMAINS FROM MONDAY 2017-02-13:
- 198.144.191.168 port 80 - www.chuppon.cl - GET /api/get.php?id=[base64 string]
- api.ipify.org - GET /
- 178.32.212.37 port 80 - hisgotinla.com - POST /ls5/forum.php
- 178.32.212.37 port 80 - hisgotinla.com - POST /klu/forum.php
- 198.27.82.180 port 80 - buladoremedio.com - GET /wp-includes/1
- 198.27.82.180 port 80 - buladoremedio.com - GET /wp-includes/a1
- 62.75.198.163 port 80 - usedintgould.com - POST /bdk/gate.php
- checkip.dyndns.org - GET /
- 148.251.34.82 port 80 - refronnotning.ru - POST /bdk/gate.php
- 95.215.111.73 port 80 - hecknoforheg.ru - POST /bdk/gate.php
- 83.96.168.183 port 80 - 83.96.168.183 - POST /bdk/gate.php
- 91.221.37.160 port 80 - sindintmoro.ru - POST /bdk/gate.php
- 188.127.239.35 port 80 - kedugutret.ru - POST /bdk/gate.php
[Screenshot: Traffic from the Thursday 2017-02-16 infection filtered in Wireshark.]
ASSOCIATED DOMAINS FROM THURSDAY 2017-02-16:
- 220.130.141.206 port 80 - lilyland.com.tw - GET /api/getn.php?id=[base64 string]
- api.ipify.org - GET /
- 91.201.214.251 port 80 - babbowitwas.com - POST /ls5/forum.php
- 91.201.214.251 port 80 - babbowitwas.com - POST /klu/forum.php
- 162.144.0.85 port 80 - searchenginemarketing.gr - GET /clients/epartners/1
- 162.144.0.85 port 80 - searchenginemarketing.gr - GET /clients/epartners/a1
- 46.148.26.79 port 80 - withtylebet.com - POST /bdk/gate.php
- checkip.dyndns.org - GET /
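The two indicator lists above (Monday and Thursday) follow the same shape: a GET to /api/get*.php with a base64 id parameter, an external IP check, POSTs to */forum.php, GETs for /1 and /a1, a POST to */gate.php, then a second IP check. Below is an added example of turning that shape into detection logic; it is my code, not code from this post or from the pcaps. The URL patterns are generalized from the indicators listed above, the stage labels (maldoc_download, hancitor_c2, payload_fetch, gate_postback) are my reading of the chain rather than names the page uses, and the request log it runs over is constructed to mirror the Thursday list with two benign requests mixed in. The id value in the sample is a made-up base64 string; the page does not show the real one.

```python
"""Classify proxy-style HTTP request lines into Hancitor infection stages.

Added example for this post (not the author's code). Patterns are generalized
from the indicator lists above; the sample log is constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs

# Constructed "METHOD host uri" lines modelled on the Thursday 2017-02-16 list,
# plus two benign requests. The id value is a placeholder, not the real one.
SAMPLE_LOG = """\
GET lilyland.com.tw /api/getn.php?id=aGVsbG8gd29ybGQ=
GET api.ipify.org /
POST babbowitwas.com /ls5/forum.php
POST babbowitwas.com /klu/forum.php
GET searchenginemarketing.gr /clients/epartners/1
GET searchenginemarketing.gr /clients/epartners/a1
POST withtylebet.com /bdk/gate.php
GET checkip.dyndns.org /
GET www.example.com /index.html
POST www.example.com /login
"""

IP_CHECK_HOSTS = {"api.ipify.org", "checkip.dyndns.org"}
MALDOC_DOWNLOAD = re.compile(r"^/api/get\w*\.php$")  # /api/get.php, /api/getn.php
STAGE_ORDER = ("maldoc_download", "ip_check", "hancitor_c2", "payload_fetch", "gate_postback")


def looks_like_base64(value):
    """True if value is syntactically valid standard base64 (padding included)."""
    if not value or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (ValueError, binascii.Error):
        return False


def parse_line(line):
    """Split 'METHOD host uri' into (method, host, path, query params)."""
    method, host, uri = line.split(None, 2)
    path, _, query = uri.partition("?")
    return method.upper(), host.lower(), path, parse_qs(query)


def classify(method, host, path, params):
    """Map one request onto a stage, or None if it matches nothing."""
    if method == "GET" and host in IP_CHECK_HOSTS:
        return "ip_check"
    if method == "GET" and MALDOC_DOWNLOAD.match(path) and looks_like_base64(params.get("id", [""])[0]):
        return "maldoc_download"
    if method == "POST" and path.endswith("/forum.php"):
        return "hancitor_c2"
    # "/1" and "/a1" are weak on their own; is_hancitor_chain() requires the
    # check-in to be present before treating them as a payload fetch.
    if method == "GET" and (path.endswith("/1") or path.endswith("/a1")):
        return "payload_fetch"
    if method == "POST" and path.endswith("/gate.php"):
        return "gate_postback"
    return None


def analyze(log_text):
    """Return {stage: [host+path, ...]} for every matching request, in log order."""
    hits = {stage: [] for stage in STAGE_ORDER}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, host, path, params = parse_line(line)
        stage = classify(method, host, path, params)
        if stage:
            hits[stage].append(host + path)
    return hits


def is_hancitor_chain(hits):
    """Verdict: distinctive forum.php check-in plus at least one payload fetch."""
    return bool(hits["hancitor_c2"]) and bool(hits["payload_fetch"])


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for stage in STAGE_ORDER:
        print(f"{stage:16s} {result[stage]}")
    print("verdict:", "Hancitor chain" if is_hancitor_chain(result) else "no chain")
```

The verdict deliberately keys on the POST to */forum.php together with the /1 or /a1 fetch: the IP-check services are legitimate, and a bare GET ending in /1 appears in plenty of benign traffic, so neither should alert alone. To run this against a real capture, export the HTTP requests from the pcap (for example with tshark) into the same "METHOD host uri" shape and pass the text to analyze().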
FILE HASHES
HANCITOR MALDOCS:
- 0b8f91277f2161875cfe2f49ef1e499bcb60d1caa677d7d2e96b71437c648e5d - 2017-02-13-Hancitor-maldoc-Amazon_invoice.doc
- ab2ece498057bda06572c25bc74652f307670df0f55e85a2bb3fd5ccdb0e8b4f - 2017-02-16-Hancitor-maldoc-subpoena_from.doc
FOLLOW-UP MALWARE:
- ba05a2b22d749ebb0974d676ad68dae386d024e427946149e6ab680d823f8561 - 2017-02-13-DELoader-BNAF32.tmp.exe
- 480358462314ab7d4837df7ac8a1047ec6883f97d0581d0a049485c8d6fcb9fb - 2017-02-16-DELoader-BN8F45.tmp.exe
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-02-16-Hancitor-malspam-traffic-both-pcaps.zip 16.5 MB (16,493,449 bytes)
- ZIP archive of the malware: 2017-02-16-Hancitor-malspam-email-and-malware.zip 607 kB (606,970 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.