2017-02-27 - HANCITOR MALSPAM

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-02-27-Hancitor-malspam-traffic.pcap.zip   14 MB (14,015,757 bytes)

• 2017-02-27-Hancitor-malspam-traffic.pcap   (15,101,064 bytes)

• ZIP archive of the email and malware:  2017-02-27-Hancitor-malspam-and-artifacts.zip   296 kB (296,461 bytes)

• 2017-02-27-Hancitor-malspam-1551-UTC.eml   (1,634 bytes)
• 2017-02-27-Hancitor-malspam-1557-UTC.eml   (1,656 bytes)
• 2017-02-27-Hancitor-malspam-1617-UTC.eml   (1,686 bytes)
• 2017-02-27-Hancitor-malspam-1636-UTC.eml   (1,635 bytes)
• 2017-02-27-Hancitor-malspam-1952-UTC.eml   (1,596 bytes)
• 2017-02-27-Hancitor-malspam-2019-UTC.eml   (1,620 bytes)
• ADP_Invoice_fred.jaison.doc   (176,640 bytes)
• BN4B90.tmp.exe   (263,680 bytes)

NOTES:

• Associated blog about this malspam (with more indicators) is at:

• https://techhelplist.com/spam-list/1106-your-invoice-is-ready-for-your-review-adp-malware

 

Shown above:  Flow chart for today's traffic.

 

EMAIL

DESCRIPTION:

• Malicious spam (malspam) with link that downloaded a malcious Microsoft Word document (Hancitor).  The Hancitor malware document is designed to download and infect Windows hosts with Pony and DELoader (ZLoader).

 

EMAIL HEADERS:

• Date:  Mon, 27 Feb 2017 15:58:02 UTC
• Subject:  Your invoice 781712 is ready for your review!
• Message-ID:  <AA667E22.C943A5FF@adp-service.com>
• From:  "ADP Billing" <billing@adp-service.com>
• X-Mailer:  iPad Mail (13F69)

 

Shown above:  Screenshot from one of the emails.

 

Shown above:  Malicious Word document (Hancitor).

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS AND URLS:

• 153.149.183.108 port 80 - www.jrcnet.co.jp - GET /jrc20160401/api/getn.php?id=[base64 string]
• 185.15.208.197 port 80 - downorlyref.com - POST /ls5/forum.php
• 185.15.208.197 port 80 - downorlyref.com - POST /klu/forum.php
• 185.13.227.5 port 80 - anatripsis.nl - GET /wp-content/themes/twentyfourteen/inc/1
• 185.13.227.5 port 80 - anatripsis.nl - GET /wp-content/themes/twentyfourteen/inc/a1
• 80.78.253.177 port 80 - lyhertenhis.com - POST /bdk/gate.php
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses, various ports - Tor traffic

• 186.202.153.165 port 80 - www.bxlog.com.br - GET /api/getn.php?id=[base64 string]   Note: This one was seen in one of the later emails.  It's not in the pcap.

 

FILE HASHES

HANCITOR MALDOC:

• SHA256 hash:  d2d786e373e968858e8a45118b20b744c621e10c84d5bbfddd0ff12841c5442b
• File name:  ADP_Invoice_fred.jaison.doc
• File size:  176,640 bytes
• File description:  Hancitor maldoc

DELOADER (ZLOADER):

• SHA256 hash:  8a79ea947bc742cddb33a7ad4852e69582d28898cd8d325743d6e08b2ce84117
• File location:  C:\Users\[username]\AppData\Local\Temp\BN4B90.tmp
• File size:  263,680 bytes
• File description:  ZLoader/DELoader (I think)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-02-27-Hancitor-malspam-traffic.pcap.zip   14 MB (14,015,757 bytes)
• ZIP archive of the email and malware:  2017-02-27-Hancitor-malspam-and-artifacts.zip   296 kB (296,461 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.