2017-03-13 HANCITOR MALSPAM - SUBJECT: INCOMING FAX

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-03-13-Hancitor-malspam-traffic.pcap.zip   16 MB (16,053,560 bytes)
• ZIP archive of the emails and malware:  2017-03-13-Hancitor-malspam-emails-and-artifacts.zip   1.8 MB (1,806,134 bytes)

NOTES:

• More indicators at:  https://techhelplist.com/spam-list/1114-2017-03-13-incoming-fax-from-malware

 

EMAIL

Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

• Date/Time:  Monday 2017-03-13 from 17:00 thru at least 20:01 UTC
• Subject:  Incoming Fax from (various phone numbers starting with area code 725)
• From:  "RingCentral" <ringcentral@messaging.com>

 

Shown above:  Malicious Word document (Hancitor) from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 111.89.137.83 port 80 - taiwa-p.co.jp - GET /api/getn.php?[base64 string]
• 185.154.20.201 port 80 - rofhadhedleft.com - POST /ls5/forum.php
• 185.154.20.201 port 80 - rofhadhedleft.com - POST /mlu/forum.php
• 46.51.172.51 port 80 - www.planete-sofinco.fr - GET /uploads/ressources/1/25/30/1
• 46.51.172.51 port 80 - www.planete-sofinco.fr - GET /uploads/ressources/1/25/30/a1
• 45.76.36.195 port 80 - refresandun.com - POST /bdk/gate.php
• 195.208.1.124 port 80 - www.mebel-kardinal.ru - GET /ckeditor/_source/plugins/find/dialogs/143.exe
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses, various ports - Tor traffic
• Various IP addresses, port 25 - Attempted SMTP traffic
• 91.220.131.143 port 50008 - UDP beacon traffic

 

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

FILE HASHES

FROM LINK IN THE EMAIL:

• SHA256 hash:  800bf028a23440134fc834efc5c1e02cc70f05b2e800bbc285d7c92a4b126b1c
  File name:  Ringcentral_Fax_seth.randall.doc
  File description:  Hancitor maldoc

DOWNLOADED MALWARE:

• SHA256 hash:  124dfffd5286bb6d831a18a598e4100904a522e1c8fa0d2e5014f0fb7ed7d088
  File location:  C:\Users\[username]\AppData\Local\Temp\BNA6E8.tmp
  File description:  DELoader/ZLoader

• SHA256 hash:  8161c820dc9137e68b2542b20940d89ca653852d13291c72f6ef2eca9f34a2d9
  File name:  143.exe
  File description:  follow-up malware downloaded after initial infection

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-03-13-Hancitor-malspam-traffic.pcap.zip   16 MB (16,053,560 bytes)
• ZIP archive of the emails and malware:  2017-03-13-Hancitor-malspam-emails-and-artifacts.zip   1.8 MB (1,806,134 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.