Malware-Traffic-Analysis.net - 2017-03-14 Hancitor infection with ZLoader

2017-03-14 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

Shown above: List of emails in the 2017-03-14 Hancitor malspam archive.

Shown above: Screen shot of the email.

EMAIL HEADERS:

Shown above: Malicious Word document (Hancitor) from link in the malspam.

Shown above: Traffic from the infection filtered in Wireshark.

ASSOCIATED DOMAINS:

223.223.216[.]36 port 80 - www.newgrand[.]com[.]hk - GET /api/getn.php?[base64 string]
95.175.98[.]222 port 80 - athodifor[.]com - POST /ls5/forum.php
95.175.98[.]222 port 80 - athodifor[.]com - POST /mlu/forum.php
95.175.98[.]222 port 80 - athodifor[.]com - POST /d1/forum.php
195.74.38[.]95 port 80 - www.smile7.smileproduktionsbyra[.]se - GET /templates/gulfstationsmall/html/com_content/article/1
195.74.38[.]95 port 80 - www.smile7.smileproduktionsbyra[.]se - GET /templates/gulfstationsmall/html/com_content/article/2
195.74.38[.]95 port 80 - www.smile7.smileproduktionsbyra[.]se - GET /templates/gulfstationsmall/html/com_content/article/a1
185.82.217[.]58 port 80 - evengparterdi[.]com - POST /bdk/gate.php
api.ipify[.]org - GET /
checkip.dyndns[.]org - GET /
Various IP addresses, various ports - Tor traffic

FROM LINK IN THE EMAIL:

SHA256 hash: 35aa9a631a536ddce57ecf26e55c5c76d80fe91672bcdf60d0eddc1849d56012
File name: Invoice_tish.lanfeld.doc
File description: Hancitor maldoc

DOWNLOADED MALWARE:

SHA256 hash: 2dcf25cfb6f1ebcc6d0d23275ae88923fa3f5230da924e97f1e22899e6557030
File location: C:\Users\[username]\AppData\Local\Temp\BNE761.tmp
File description: DELoader/ZLoader

Click here to return to the main page.