2017-02-23 - HANCITOR MALSPAM

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-02-23-Hancitor-malspam-traffic.pcap.zip   13.9 MB (13,917,143 bytes)

• 2017-02-23-Hancitor-malspam-traffic.pcap   (14,779,267 bytes)

• ZIP archive of the email and malware:  2017-02-23-Hancitor-malspam-and-artifacts.zip   300 kB (300,385 bytes)

• 2017-02-22-Hancitor-malspam-1550-UTC.eml   (4,863 bytes)
• 2017-02-22-Hancitor-malspam-1847-UTC.eml   (4,932 bytes)
• 2017-02-23-Hancitor-malspam-1726-UTC.eml   (3,933 bytes)
• 2017-02-23-Hancitor-malspam-1902-UTC.eml   (3,985 bytes)
• 2017-02-23-Hancitor-malspam-1907-UTC.eml   (3,979 bytes)
• BN87E4.tmp.exe   (257,536 bytes)
• eFax_Harryrobershard.doc   (179,200 bytes)

NOTES:

• Associated blogs about this malspam (with more indicators) are at:

• https://techhelplist.com/spam-list/1103-your-amazon-com-order-has-shipped-malware
• https://techhelplist.com/spam-list/1105-you-received-a-new-efax-from-malware

 

EMAIL

DESCRIPTION:

• Malicious spam (malspam) with link that downloaded a malcious Microsoft Word document (Hancitor).  The Hancitor malware document is designed to download and infect Windows hosts with Pony, DELoader (ZLoader), and something else.

Shown above:  Flow chart for today's traffic (Thursday 2017-02-23).

 

Shown above:  Screenshot from one of the emails from yesterday (Wednesday 2017-02-22).

 

Shown above:  Screenshot from another one of the emails from yesterday (Wednesday 2017-02-22).

 

Shown above:  Screenshot from one of the emails today (Thursday 2017-01-23).

 

Shown above:  Malicoius Word document (Hancitor) seen today (2017-01-23).

 

TRAFFIC

Shown above:  Traffic from the infection today (Thursday 2017-02-23) filtered in Wireshark.

 

ASSOCIATED DOMAINS AND URLS FROM THURSDAY 2017-02-23 INFECTION:

• 128.199.206.116 port 80 - lis.sg - GET /api/getn.php?id=[base64 string]
• 91.201.214.251 port 80 - lobuthatwith.com - POST /ls5/forum.php
• 91.201.214.251 port 80 - lobuthatwith.com - POST /klu/forum.php
• 91.201.214.251 port 80 - lobuthatwith.com - POST /cre/forum.php
• 91.201.214.251 port 80 - lobuthatwith.com - POST /cre/about.php
• 40.76.90.166 port 80 - ajqi.com - GET /wp-content/plugins/digg-digg/1
• 40.76.90.166 port 80 - ajqi.com - GET /wp-content/plugins/digg-digg/11
• 40.76.90.166 port 80 - ajqi.com - GET /wp-content/plugins/digg-digg/a11
• 91.214.119.22 port 80 - hidownsitbo.com - POST /bdk/gate.php
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses on various ports - Various domains - Tor traffic

NOTE:  I was unable to grab any Word documents from the emails yesterday (2017-02-22), so I don't have any traffic for that day.

 

FILE HASHES

HANCITOR MALDOC:

• SHA256 hash:  9b925854b37b5f305327147e54198e44859c21dd57a8f4ac93b882d43fec01e7
• File name:  eFax_Harryrobershard.doc

DELOADER (ZLOADER):

• SHA256 hash:  ea4f8674d9cf4305c5c7d384bc5b90883de22e8c8e6bf8b1ec52312751e59de8
• File location:  C:\Users\[username]\AppData\Local\Temp\BN87E4.tmp

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-02-23-Hancitor-malspam-traffic.pcap.zip   13.9 MB (13,917,143 bytes)
• ZIP archive of the email and malware:  2017-02-23-Hancitor-malspam-and-artifacts.zip   300 kB (300,385 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.