2017-03-16 - HANCITOR MALSPAM - SUBJECT: RE: DIVORCE PAPERS
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-16-Hancitor-malspam-traffic.pcap.zip 13.9 MB (13,947,374 bytes)
- 2017-03-16-Hancitor-malspam-traffic.pcap (14,894,790 bytes)
- ZIP archive of the malware: 2017-03-16-Hancitor-malspam-emails-and-artifacts.zip 227 kB (226,973 bytes)
- 2017-03-16-Hancitor-malspam-1604-UTC.eml (1,093 bytes)
- 2017-03-16-Hancitor-malspam-1737-UTC.eml (1,070 bytes)
- 2017-03-16-Hancitor-malspam-1758-UTC.eml (1,090 bytes)
- 2017-03-16-Hancitor-malspam-1821-UTC.eml (1,095 bytes)
- 2017-03-16-Hancitor-malspam-1948-UTC.eml (1,094 bytes)
- BN898B.tmp.exe (159,744 bytes)
- Divorce_gene.staples.doc (181,760 bytes)
NOTES:
- More indicators at: https://techhelplist.com/spam-list/1119-2017-03-16-re-divorce-papers-malware
Shown above: Screenshot of the email.
EMAIL HEADERS:
- Date/Time: Thursday 2017-03-16, as early as 16:04 through at least 18:21 UTC
- From: (spoofed) "Vincent R. Cappucci" <vcappucci@ent-law.com>
- Subject: RE: divorce papers
Shown above: Malicious Word document (Hancitor) from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE INITIAL DOCUMENT:
- 133.242.215.147 port 80 - fortyfour.jp - GET /divorce/divorce.php?id=[base64 string]
- 41.185.8.224 port 80 - byteshop.co.za - GET /divorce/divorce.php?id=[base64 string]
POST-INFECTION TRAFFIC:
- 95.175.98.222 port 80 - wihotitbu.com - POST /ls5/forum.php
- 95.175.98.222 port 80 - wihotitbu.com - POST /mlu/forum.php
- 95.175.98.222 port 80 - wihotitbu.com - POST /d1/about.php
- 186.202.153.204 port 80 - turismarviagens.com.br - GET /wp-content/plugins/cyclone-slider/inc/1
- 186.202.153.204 port 80 - turismarviagens.com.br - GET /wp-content/plugins/cyclone-slider/inc/2
- 186.202.153.204 port 80 - turismarviagens.com.br - GET /wp-content/plugins/cyclone-slider/inc/a1
- 192.186.235.32 port 80 - www.oberlincarbonmanagement.org - GET /wp-content/plugins/quick-setup/modules/1
- 192.186.235.32 port 80 - www.oberlincarbonmanagement.org - GET /wp-content/plugins/quick-setup/modules/2
- 192.186.235.32 port 80 - www.oberlincarbonmanagement.org - GET /wp-content/plugins/quick-setup/modules/a1
- 193.124.176.37 port 80 - arratritthe.com - POST /bdk/gate.php
- api.ipify.org - GET /
- checkip.dyndns.org - GET /
- Various IP addresses, various ports - Tor traffic
FILE HASHES
FROM LINK IN THE EMAIL:
- SHA256 hash: 7b8bd7b3aae87c57adbb8bdd2d2ce543a6db88f1fa9c0eefa65f4d8409884ffa
  File location: Divorce_bela.hermaas.doc
  File description: Hancitor maldoc
MALWARE FROM THE INFECTED HOST:
- SHA256 hash: c8989c184174f25a13a23242d9e7d2c99f74ca9e283d1d4b1ad642bdcb89ba63
  File location: C:\Users\[username]\AppData\Local\Temp\BN898B.tmp
  File description: DELoader (ZLoader)
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-16-Hancitor-malspam-traffic.pcap.zip 13.9 MB (13,947,374 bytes)
- ZIP archive of the malware: 2017-03-16-Hancitor-malspam-emails-and-artifacts.zip 227 kB (226,973 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.