2017-03-16 - HANCITOR MALSPAM - SUBJECT: RE: DIVORCE PAPERS

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-03-16-Hancitor-malspam-traffic.pcap.zip   13.9 MB (13,947,374 bytes)

• 2017-03-16-Hancitor-malspam-traffic.pcap   (14,894,790 bytes)

• ZIP archive of the malware:  2017-03-16-Hancitor-malspam-emails-and-artifacts.zip   227 kB (226,973 bytes)

• 2017-03-16-Hancitor-malspam-1604-UTC.eml   (1,093 bytes)
• 2017-03-16-Hancitor-malspam-1737-UTC.eml   (1,070 bytes)
• 2017-03-16-Hancitor-malspam-1758-UTC.eml   (1,090 bytes)
• 2017-03-16-Hancitor-malspam-1821-UTC.eml   (1,095 bytes)
• 2017-03-16-Hancitor-malspam-1948-UTC.eml   (1,094 bytes)
• BN898B.tmp.exe   (159,744 bytes)
• Divorce_gene.staples.doc   (181,760 bytes)

NOTES:

• More indicators at:  https://techhelplist.com/spam-list/1119-2017-03-16-re-divorce-papers-malware

 

EMAIL

Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

• Date/Time:  Thursday 2017-03-16 as early as 16:04 thru at least 18:21 UTC
• From:  (spoofed) "Vincent R. Cappucci" <vcappucci@ent-law.com>
• Subject:  RE: divorce papers

 

Shown above:  Malicious Word document (Hancitor) from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE INITIAL DOCUMENT:

• 133.242.215.147 port 80 - fortyfour.jp - GET /divorce/divorce.php?id=[base64 string]
• 41.185.8.224 port 80 - byteshop.co.za - GET /divorce/divorce.php?id=[base64 string]

 

POST-INFECTION TRAFFIC:

• 95.175.98.222 port 80 - wihotitbu.com - POST /ls5/forum.php
• 95.175.98.222 port 80 - wihotitbu.com - POST /mlu/forum.php
• 95.175.98.222 port 80 - wihotitbu.com - POST /d1/about.php
• 186.202.153.204 port 80 - turismarviagens.com.br - GET /wp-content/plugins/cyclone-slider/inc/1
• 186.202.153.204 port 80 - turismarviagens.com.br - GET /wp-content/plugins/cyclone-slider/inc/2
• 186.202.153.204 port 80 - turismarviagens.com.br - GET /wp-content/plugins/cyclone-slider/inc/a1
• 192.186.235.32 port 80 - www.oberlincarbonmanagement.org - GET /wp-content/plugins/quick-setup/modules/1
• 192.186.235.32 port 80 - www.oberlincarbonmanagement.org - GET /wp-content/plugins/quick-setup/modules/2
• 192.186.235.32 port 80 - www.oberlincarbonmanagement.org - GET /wp-content/plugins/quick-setup/modules/a1
• 193.124.176.37 port 80 - arratritthe.com - POST /bdk/gate.php
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses, various ports - Tor traffic

 

FILE HASHES

FROM LINK IN THE EMAIL:

• SHA256 hash:  7b8bd7b3aae87c57adbb8bdd2d2ce543a6db88f1fa9c0eefa65f4d8409884ffa
  File location:  Divorce_bela.hermaas.doc
  File description:  Hancitor maldoc

MALWARE FROM THE INFECTED HOST:

• SHA256 hash:  c8989c184174f25a13a23242d9e7d2c99f74ca9e283d1d4b1ad642bdcb89ba63
  File location:  C:\Users[username]\AppData\Local\Temp\BN898B.tmp
  File description:  DELoader (ZLoader)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-03-16-Hancitor-malspam-traffic.pcap.zip   13.9 MB (13,947,374 bytes)
• ZIP archive of the malware:  2017-03-16-Hancitor-malspam-emails-and-artifacts.zip   227 kB (226,973 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.