2017-03-08 - HANCITOR MALSPAM - FAKE EFAX EMAILS
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-08-Hancitor-malspam-traffic.pcap.zip 12.4 MB (12,430,214 bytes)
- 2017-03-08-Hancitor-malspam-traffic.pcap (13,078,617 bytes)
- ZIP archive of the email and malware: 2017-03-08-Hancitor-malspam-and-artifacts.zip 243 kB (243,070 bytes)
- 2017-03-08-Hancitor-malspam-1547-UTC.eml (3,338 bytes)
- 2017-03-08-Hancitor-malspam-1715-UTC.eml (3,357 bytes)
- 2017-03-08-Hancitor-malspam-1744-UTC.eml (3,384 bytes)
- 2017-03-08-Hancitor-malspam-1949-UTC.eml (3,310 bytes)
- 2017-03-08-Hancitor-malspam-1954-UTC.eml (3,308 bytes)
- 2017-03-08-Hancitor-malspam-2016-UTC.eml (3,333 bytes)
- 2017-03-08-Hancitor-malspam-2031-UTC.eml (3,336 bytes)
- 2017-03-08-Hancitor-malspam-2057-UTC.eml (3,332 bytes)
- 2017-03-08-Hancitor-malspam-2101-UTC.eml (3,354 bytes)
- 2017-03-08-Hancitor-malspam-2125-UTC.eml (3,311 bytes)
- 2017-03-08-Hancitor-malspam-tracker.csv (2,160 bytes)
- BNE80.tmp.exe (175,104 bytes)
- eFax_gabe.smith.doc (166,400 bytes)
NOTES:
- Associated blog about this malspam (with more indicators) is at:
Shown above: Flow chart for today's traffic.
DESCRIPTION:
- Malicious spam (malspam) with a link that downloaded a malicious Microsoft Word document (Hancitor). The Hancitor malware document is designed to download and infect Windows hosts with additional malware.
EMAIL HEADERS:
- Date: Monday, 2017-03-08 as early as 15:47 UTC through at least 21:25 UTC
- From (spoofed): "eFax" <message@efaxcorporate.com>
- Subject: You received a new eFax from [10-digit US phone number starting with area code 212]
- See the spreadsheet tracker for details.
Shown above: Screenshot from one of the emails.
Shown above: Malicious Word document (Hancitor).
TRAFFIC:
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS AND URLS:
- 210.245.80.30 port 80 - cocdoc.fpt.edu.vn - GET /api/getn.php?id=[base64 string] [not working when I checked]
- 103.6.198.124 port 80 - peakfitness.com.my - GET /api/getn.php?id=[base64 string] [not working when I checked]
- 219.94.155.228 port 80 - willcube.co.jp - GET /api/getn.php?id=[base64 string]
- 91.240.87.2 port 80 - undonnotru.com - POST /ls5/forum.php
- 91.240.87.2 port 80 - undonnotru.com - POST /mlu/forum.php
- 91.240.87.2 port 80 - undonnotru.com - POST /d1/about.php
- 162.210.102.90 port 80 - kbmusicproductions.com - GET /modules/mod_ariimageslidersa/1
- 162.210.102.90 port 80 - kbmusicproductions.com - GET /modules/mod_ariimageslidersa/2
- 162.210.102.90 port 80 - kbmusicproductions.com - GET /modules/mod_ariimageslidersa/a1
- 194.1.236.244 port 80 - taltorsletfor.com - POST /bdk/gate.php
- api.ipify.org - GET /
- checkip.dyndns.org - GET /
- Various IP addresses, various ports - various domains - Tor traffic
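As an added detection example (not part of the original post), the following Python script classifies proxy-style log lines by the request patterns in the URL list above and flags any client that shows two or more stages of the chain. The log format, client IPs and the base64 id value are constructed for the example; hostnames change between campaigns, so the matching keys on URI structure rather than on the domains listed here.

```python
import re
from collections import defaultdict

# Request shapes seen in the 2017-03-08 Hancitor traffic (from the URL list above).
STAGE_PATTERNS = [
    ("maldoc-download", re.compile(r"^GET /api/getn\.php\?id=[A-Za-z0-9+/=]+$")),
    ("hancitor-post", re.compile(r"^POST /[A-Za-z0-9]+/(forum|about)\.php$")),
    ("follow-on-download", re.compile(r"^GET /modules/mod_ariimageslidersa/\w+$")),
    ("gate-php-post", re.compile(r"^POST /[A-Za-z0-9]+/gate\.php$")),
]
IP_CHECK_HOSTS = {"api.ipify.org", "checkip.dyndns.org"}

# Assumed log layout: timestamp client_ip method host path
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def classify(line):
    """Return (client_ip, stage) for a matching log line, or None otherwise."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    _ts, client, method, host, path = m.groups()
    if host in IP_CHECK_HOSTS and method == "GET" and path == "/":
        return client, "ip-check"
    request = f"{method} {path}"
    for stage, pattern in STAGE_PATTERNS:
        if pattern.match(request):
            return client, stage
    return None


def find_infected_hosts(lines, min_stages=2):
    """Map client IP -> sorted stages for clients showing at least min_stages."""
    stages_by_client = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            stages_by_client[hit[0]].add(hit[1])
    return {c: sorted(s) for c, s in stages_by_client.items() if len(s) >= min_stages}


# Constructed sample log lines (not taken from the pcap); 10.0.0.7 mimics the chain.
SAMPLE_LOG = [
    "2017-03-08T15:50:01Z 10.0.0.7 GET willcube.co.jp /api/getn.php?id=Z2FiZS5zbWl0aA==",
    "2017-03-08T15:52:13Z 10.0.0.7 GET api.ipify.org /",
    "2017-03-08T15:52:14Z 10.0.0.7 POST undonnotru.com /ls5/forum.php",
    "2017-03-08T15:52:20Z 10.0.0.7 GET kbmusicproductions.com /modules/mod_ariimageslidersa/1",
    "2017-03-08T15:52:45Z 10.0.0.7 POST taltorsletfor.com /bdk/gate.php",
    "2017-03-08T16:01:09Z 10.0.0.9 GET checkip.dyndns.org /",
    "2017-03-08T16:05:30Z 10.0.0.9 GET example.org /index.html",
]
```

A lone external IP check (10.0.0.9) is not flagged on its own, which keeps ordinary admin use of those services out of the alert.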
FILE HASHES:
HANCITOR MALDOC:
- SHA256 hash: f1ca46b16fa0101d2e147e2a5b6452f29ef189495903162ffa887e11a0412df5
- File name: eFax_gabe.smith.doc
- File size: 166,400 bytes
- File description: Hancitor maldoc
FROM THE INFECTED HOST:
- SHA256 hash: 2798928b07527108872bde33079be1f6a712fdfcd73316798b6725f922a91169
- File location: C:\Users\[username]\AppData\Local\Temp\BNE80.tmp
- File size: 175,104 bytes
- File description: ZLoader/DELoader (I think)
FINAL NOTES:
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-08-Hancitor-malspam-traffic.pcap.zip 12.4 MB (12,430,214 bytes)
- ZIP archive of the email and malware: 2017-03-08-Hancitor-malspam-and-artifacts.zip 243 kB (243,070 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.