2017-03-15 - HANCITOR MALSPAM - SUBJECT: RE: SUBPOENA

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-03-15-Hancitor-malspam-traffic.pcap.zip   14.2 MB (14,184,829 bytes)

• 2017-03-15-Hancitor-malspam-traffic.pcap   (15,044,942 bytes)

• ZIP archive of the malware:  2017-03-15-Hancitor-malspam-emails-and-artifacts.zip   237 kB (236,548 bytes)

• 2017-03-15-Hancitor-malspam-1627-UTC.eml   (763 bytes)
• 2017-03-15-Hancitor-malspam-1707-UTC.eml   (790 bytes)
• 2017-03-15-Hancitor-malspam-1708-UTC.eml   (813 bytes)
• 2017-03-15-Hancitor-malspam-1741-UTC.eml   (712 bytes)
• 2017-03-15-Hancitor-malspam-1803-UTC.eml   (815 bytes)
• 2017-03-15-Hancitor-malspam-1911-UTC.eml   (787 bytes)
• 2017-03-15-Hancitor-malspam-1945-UTC.eml   (732 bytes)
• 2017-03-15-Hancitor-malspam-1946-UTC.eml   (787 bytes)
• BN750.tmp.exe   (158,720 bytes)
• Subpoena_jake.naldorn.doc   (198,144 bytes)

 

DETAILS

NOTES:

• More indicators at:  https://techhelplist.com/spam-list/1116-2017-03-15-re-subpoena-malware

 

EMAIL HEADERS:

• From: (spoofed) "David Bukzin" <david.bukzin@evansllp.com>
• From: (spoofed) "David Bukzin" <david.bukzin@marcuscinelli.com>
• Subject: RE: subpoena

 

ASSOCIATED DOMAINS:

• 118.67.70.56 port 80 - lumenjapan.co.jp - GET /subpoenas/subpoena.php?id=[base64 string]
• 95.175.98.222 port 80 - athentitevent.com - POST /ls5/forum.php
• 95.175.98.222 port 80 - athentitevent.com - POST /mlu/forum.php
• 95.175.98.222 port 80 - athentitevent.com - POST /d1/about.php
• 60.43.178.142 port 80 - 7hoshi.co.jp - GET /wp-content/themes/corporate_tcd011/1
• 60.43.178.142 port 80 - 7hoshi.co.jp - GET /wp-content/themes/corporate_tcd011/2
• 60.43.178.142 port 80 - 7hoshi.co.jp - GET /wp-content/themes/corporate_tcd011/a1
• 185.158.153.228 port 80 - littmautrow.com - POST /bdk/gate.php

 

FILE HASHES:

• SHA256 hash:  62e6e5dc0c3927a8c5d708688ca2b56df93848b15a4c38aab173c5a8384395f9
  File location:  Subpoena_jake.naldorn.doc
  File description:  Hancitor maldoc

• SHA256 hash:  ccc62f5d74dc000f9d8054579ea0c22e3f875231eabf3f66dd80040d56a438b6
  File location:  C:\Users[username]\AppData\Local\Temp\BN750.tmp
  File description:  DELoader (ZLoader)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-03-15-Hancitor-malspam-traffic.pcap.zip   14.2 MB (14,184,829 bytes)
• ZIP archive of the malware:  2017-03-15-Hancitor-malspam-emails-and-artifacts.zip   237 kB (236,548 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.