2017-03-15 - HANCITOR MALSPAM - SUBJECT: RE: SUBPOENA
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-15-Hancitor-malspam-traffic.pcap.zip 14.2 MB (14,184,829 bytes)
- 2017-03-15-Hancitor-malspam-traffic.pcap (15,044,942 bytes)
- ZIP archive of the malware: 2017-03-15-Hancitor-malspam-emails-and-artifacts.zip 237 kB (236,548 bytes)
- 2017-03-15-Hancitor-malspam-1627-UTC.eml (763 bytes)
- 2017-03-15-Hancitor-malspam-1707-UTC.eml (790 bytes)
- 2017-03-15-Hancitor-malspam-1708-UTC.eml (813 bytes)
- 2017-03-15-Hancitor-malspam-1741-UTC.eml (712 bytes)
- 2017-03-15-Hancitor-malspam-1803-UTC.eml (815 bytes)
- 2017-03-15-Hancitor-malspam-1911-UTC.eml (787 bytes)
- 2017-03-15-Hancitor-malspam-1945-UTC.eml (732 bytes)
- 2017-03-15-Hancitor-malspam-1946-UTC.eml (787 bytes)
- BN750.tmp.exe (158,720 bytes)
- Subpoena_jake.naldorn.doc (198,144 bytes)
DETAILS
NOTES:
- More indicators at: https://techhelplist.com/spam-list/1116-2017-03-15-re-subpoena-malware
EMAIL HEADERS:
- From: (spoofed) "David Bukzin" <david.bukzin@evansllp.com>
- From: (spoofed) "David Bukzin" <david.bukzin@marcuscinelli.com>
- Subject: RE: subpoena
ASSOCIATED DOMAINS:
- 118.67.70.56 port 80 - lumenjapan.co.jp - GET /subpoenas/subpoena.php?id=[base64 string]
- 95.175.98.222 port 80 - athentitevent.com - POST /ls5/forum.php
- 95.175.98.222 port 80 - athentitevent.com - POST /mlu/forum.php
- 95.175.98.222 port 80 - athentitevent.com - POST /d1/about.php
- 60.43.178.142 port 80 - 7hoshi.co.jp - GET /wp-content/themes/corporate_tcd011/1
- 60.43.178.142 port 80 - 7hoshi.co.jp - GET /wp-content/themes/corporate_tcd011/2
- 60.43.178.142 port 80 - 7hoshi.co.jp - GET /wp-content/themes/corporate_tcd011/a1
- 185.158.153.228 port 80 - littmautrow.com - POST /bdk/gate.php
FILE HASHES:
- SHA256 hash: 62e6e5dc0c3927a8c5d708688ca2b56df93848b15a4c38aab173c5a8384395f9
File location: Subpoena_jake.naldorn.doc
File description: Hancitor maldoc
- SHA256 hash: ccc62f5d74dc000f9d8054579ea0c22e3f875231eabf3f66dd80040d56a438b6
File location: C:\Users\[username]\AppData\Local\Temp\BN750.tmp
File description: DELoader (ZLoader)
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-15-Hancitor-malspam-traffic.pcap.zip 14.2 MB (14,184,829 bytes)
- ZIP archive of the malware: 2017-03-15-Hancitor-malspam-emails-and-artifacts.zip 237 kB (236,548 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.