2017-02-28 - HANCITOR MALSPAM - FAKE USPS EMAILS

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-02-28-Hancitor-malspam-traffic.pcap.zip   14 MB (14,031,732 bytes)

• 2017-02-28-Hancitor-malspam-traffic.pcap   (15,049,538 bytes)

• ZIP archive of the email and malware:  2017-02-28-Hancitor-malspam-and-artifacts.zip   229 kB (229,253 bytes)

• 2017-02-28-Hancitor-malspam-1534-UTC.eml   (1,712 bytes)
• 2017-02-28-Hancitor-malspam-1618-UTC.eml   (1,643 bytes)
• 2017-02-28-Hancitor-malspam-1624-UTC.eml   (1,669 bytes)
• 2017-02-28-Hancitor-malspam-1641-UTC.eml   (1,643 bytes)
• BN2FDA.tmp.exe   (150,528 bytes)
• USPS_Notice.doc   (184,832 bytes)

NOTES:

• Associated blog about this malspam (with more indicators) is at:

• https://techhelplist.com/spam-list/1107-2017-02-28-shipment-status-change-notification-for-parcel-malware

 

Shown above:  Flow chart for today's traffic.

 

EMAIL

DESCRIPTION:

• Malicious spam (malspam) with link that downloaded a malcious Microsoft Word document (Hancitor).  The Hancitor malware document is designed to download and infect Windows hosts with Pony, DELoader (ZLoader), and something else.

 

EMAIL HEADERS:

• Date:  Tuesday, 2017-02-28 15:34 UTC thru at least 16:41 UTC
• From (spoofed):  "USPS" <usps@usps-shipment.com>

• Subject:  Shipment status change notification for parcel #55742318
• Subject:  Shipment status change notification for parcel #70587240
• Subject:  Shipment status change notification for parcel #11002057
• Subject:  Shipment status change notification for parcel #34330022

• Message-ID:  <D9DDE5C4.C1AFEAB2@usps-shipment.com>
• Message-ID:  <0AAF7291.31C70C00@usps-shipment.com>
• Message-ID:  <C76124B7.CBF5C4AE@usps-shipment.com>
• Message-ID:  <C6B893B6.DA7B3377@usps-shipment.com>

• X-Mailer:  Apple Mail (2.1082)
• X-Mailer:  iPhone Mail (9B176)
• X-Mailer:  iPhone Mail (13A344)
• X-Mailer:  iPhone Mail (13A404)

 

Shown above:  Screenshot from one of the emails.

 

Shown above:  Malicious Word document (Hancitor).

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS AND URLS:

• 128.199.198.31 port 443 - canmake.vn - GET /api/getn.php?id=[base64 string] <-- HTTPS
• 93.170.76.160 port 80 - gokedfama.com - POST /ls5/forum.php
• 103.24.202.195 port 80 - parishkarhub.com - GET /a1
• 185.13.227.5 port 80 - vkruisband.nl - GET /wp-content/plugins/instagram-for-wordpress/3
• 185.13.227.5 port 80 - vkruisband.nl - GET /wp-content/plugins/instagram-for-wordpress/4
• 176.31.200.90 port 80 - buttonssound.ru - POST /klu/forum.php
• 176.31.200.90 port 80 - buttonssound.ru - POST /d1/about.php
• 85.17.82.106 port 80 - withuldsinspar.com - POST /bdk/gate.php
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses, various ports - Tor traffic

 

FILE HASHES

HANCITOR MALDOC:

• SHA256 hash:  780a5096b52f18316eeb93aa8a8e17cd7f8372f3dae08094bff39acae457fdc9
• File name:  USPS_Notice.doc
• File size:  184,832 bytes
• File description:  Hancitor maldoc

DELOADER (ZLOADER):

• SHA256 hash:  220c3ea724b1ec9ca2095b67f359035512fcebb7b8c32ea8298be030a82e97b1
• File location:  C:\Users\[username]\AppData\Local\Temp\BN2FDA.tmp
• File size:  150,528 bytes
• File description:  ZLoader/DELoader (I think)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-02-28-Hancitor-malspam-traffic.pcap.zip   14 MB (14,031,732 bytes)
• ZIP archive of the email and malware:  2017-02-28-Hancitor-malspam-and-artifacts.zip   229 kB (229,253 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.