2017-03-14 HANCITOR MALSPAM - SUBJECT: PAYMENT REQUEST FOR INVOICE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-14-Hancitor-malspam-traffic.pcap.zip 14.4 MB (14,423,834 bytes)
- ZIP archive of the emails and malware: 2017-03-14-Hancitor-malspam-emails-and-artifacts.zip 227 kB (227,337 bytes)
NOTES:
- More indicators at: https://techhelplist.com/spam-list/1115-2017-03-14-shipment-status-change-notification-for-parcel-malware
Shown above: List of emails in the 2017-03-14 Hancitor malspam archive.
Shown above: Screen shot of the email.
EMAIL HEADERS:
- Date/Time: Tuesday 2017-03-14 from 16:25 through at least 17:57 UTC
- Subject: payment request for invoice #1234567
- From: "ShopUSA" <billing@shopusa.com>
Shown above: Malicious Word document (Hancitor) from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 223.223.216.36 port 80 - www.newgrand.com.hk - GET /api/getn.php?[base64 string]
- 95.175.98.222 port 80 - athodifor.com - POST /ls5/forum.php
- 95.175.98.222 port 80 - athodifor.com - POST /mlu/forum.php
- 95.175.98.222 port 80 - athodifor.com - POST /d1/forum.php
- 195.74.38.95 port 80 - www.smile7.smileproduktionsbyra.se - GET /templates/gulfstationsmall/html/com_content/article/1
- 195.74.38.95 port 80 - www.smile7.smileproduktionsbyra.se - GET /templates/gulfstationsmall/html/com_content/article/2
- 195.74.38.95 port 80 - www.smile7.smileproduktionsbyra.se - GET /templates/gulfstationsmall/html/com_content/article/a1
- 185.82.217.58 port 80 - evengparterdi.com - POST /bdk/gate.php
- api.ipify.org - GET /
- checkip.dyndns.org - GET /
- Various IP addresses, various ports - Tor traffic
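The traffic list above shows the shape of this infection chain: a GET to the compromised site for the maldoc, Hancitor checking in with POSTs to `/forum.php`, follow-on downloads, and the second-stage loader posting to `/gate.php`, with public IP-check services queried in between. The following is an added example (not part of the original post) of how a defender might turn those observations into a simple triage script over proxy logs. The log format (`timestamp src_ip METHOD host uri`, space separated) and the sample lines are constructed for illustration; the hosts and URI shapes come from the indicator list above. The IP-check services are treated as a weak indicator on their own, since plenty of legitimate software queries them, and only the C2-shaped POSTs or a match on a host from this post flag a client.

```python
import re
from dataclasses import dataclass

# Hosts and IPs observed in this infection (taken from the indicator list above).
KNOWN_HOSTS = {
    "www.newgrand.com.hk", "athodifor.com",
    "www.smile7.smileproduktionsbyra.se", "evengparterdi.com",
    "223.223.216.36", "95.175.98.222", "195.74.38.95", "185.82.217.58",
}

# Public IP-check services: legitimate by themselves, interesting only when they
# appear next to the stronger indicators below.
IP_CHECK_HOSTS = {"api.ipify.org", "checkip.dyndns.org"}

# URI shapes from the traffic list: Hancitor POSTs to .../forum.php, the
# downloaded loader POSTs to .../gate.php.
FORUM_RE = re.compile(r"/forum\.php$")
GATE_RE = re.compile(r"/gate\.php$")

STRONG_TAGS = {"known-ioc-host", "hancitor-c2-post", "gate-php-post"}


@dataclass
class Event:
    ts: str
    src: str
    method: str
    host: str
    uri: str


def parse_line(line):
    """Parse one constructed proxy log line: '<ts> <src_ip> <METHOD> <host> <uri>'."""
    parts = line.split()
    if len(parts) != 5:
        return None  # skip malformed lines rather than crash on them
    return Event(*parts)


def tag_event(ev):
    """Return the list of indicator tags that apply to a single request."""
    tags = []
    if ev.host in KNOWN_HOSTS:
        tags.append("known-ioc-host")
    if ev.method == "POST" and FORUM_RE.search(ev.uri):
        tags.append("hancitor-c2-post")
    if ev.method == "POST" and GATE_RE.search(ev.uri):
        tags.append("gate-php-post")
    if ev.method == "GET" and ev.host in IP_CHECK_HOSTS:
        tags.append("external-ip-check")
    return tags


def analyse(lines):
    """Tag every request and decide which internal clients need a closer look.

    A client is flagged only when at least one strong tag was seen for it; an
    external IP check by itself is recorded as a hit but does not flag the client.
    """
    hits = []
    tags_per_src = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        tags = tag_event(ev)
        if tags:
            hits.append((ev, tags))
        tags_per_src.setdefault(ev.src, set()).update(tags)
    flagged = sorted(src for src, tags in tags_per_src.items() if tags & STRONG_TAGS)
    return {"hits": hits, "flagged_hosts": flagged}


# Constructed sample log, modelled on the traffic list in this post. The query
# string on getn.php is a placeholder, not the real base64 value.
SAMPLE_LOG = [
    "2017-03-14T16:31:02Z 10.0.0.25 GET www.newgrand.com.hk /api/getn.php?BASE64PLACEHOLDER",
    "2017-03-14T16:31:05Z 10.0.0.25 POST athodifor.com /ls5/forum.php",
    "2017-03-14T16:31:09Z 10.0.0.25 GET api.ipify.org /",
    "2017-03-14T16:31:20Z 10.0.0.25 POST evengparterdi.com /bdk/gate.php",
    "2017-03-14T16:40:00Z 10.0.0.77 GET checkip.dyndns.org /",
    "2017-03-14T16:41:00Z 10.0.0.77 GET www.example.com /index.html",
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ev, tags in result["hits"]:
        print(f"{ev.ts} {ev.src} {ev.method} {ev.host}{ev.uri} -> {', '.join(tags)}")
    print("flagged clients:", result["flagged_hosts"])
```

Running it against the sample log flags only 10.0.0.25, the client that showed the forum.php and gate.php POSTs and the known hosts; 10.0.0.77 only queried checkip.dyndns.org and is reported but not flagged. The regexes match on the URI path shape rather than the exact `/ls5/`, `/mlu/`, `/d1/` or `/bdk/` directories, since those prefixes vary between campaigns while the script name has been stable in this traffic.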
FILE HASHES
FROM LINK IN THE EMAIL:
- SHA256 hash: 35aa9a631a536ddce57ecf26e55c5c76d80fe91672bcdf60d0eddc1849d56012
  File name: Invoice_tish.lanfeld.doc
  File description: Hancitor maldoc
DOWNLOADED MALWARE:
- SHA256 hash: 2dcf25cfb6f1ebcc6d0d23275ae88923fa3f5230da924e97f1e22899e6557030
  File location: C:\Users\[username]\AppData\Local\Temp\BNE761.tmp
  File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-14-Hancitor-malspam-traffic.pcap.zip 14.4 MB (14,423,834 bytes)
- ZIP archive of the emails and malware: 2017-03-14-Hancitor-malspam-emails-and-artifacts.zip 227 kB (227,337 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.