2017-04-03 - HANCITOR MALSPAM - SUBJECT: NEW FAX MESSAGE, INCOMING FROM 849-930-XXXX
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-04-03-Hancitor-malspam-traffic.pcap.zip 485 kB (485,075 bytes)
- 2017-04-03-Hancitor-malspam-traffic.pcap (630,633 bytes)
- ZIP archive of the malware: 2017-04-03-Hancitor-malspam-emails-and-artifacts.zip 360 kB (359,998 bytes)
- 2017-04-03-Hancitor-malspam-1535-UTC.eml (1,129 bytes)
- 2017-04-03-Hancitor-malspam-1537-UTC.eml (1,105 bytes)
- 2017-04-03-Hancitor-malspam-1554-UTC.eml (1,125 bytes)
- 46353.exe (197,632 bytes)
- BN692D.tmp (158,720 bytes)
- Ringcentral_renya.glendayle.doc (241,152 bytes)
NOTES:
- More indicators at: https://techhelplist.com/spam-list/1125-2017-04-03-new-fax-message-incoming-from-malware
- The DELoader/ZLoader malware crashed on the host I infected, so I didn't get the follow-up Tor traffic that I usually see.
Shown above: Screen shot of the email.
EMAIL HEADERS:
- Date/Time: Monday 2017-04-03 as early as 15:35 UTC
- From: (spoofed) "RingCentral" <message@faxcentral.com>
- Subject: New Fax Message, incoming from 849-930-xxxx
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUEST FOR THE INITIAL DOCUMENT:
- 197.221.2.170 port 80 - pac-all-products.co.za - GET /ring/getnum.php?id=[base64 string]
POST-INFECTION TRAFFIC:
- 78.108.80.142 port 80 - rusotdelka33.ru - GET /wp-content/themes/sugar-modal-windows/slx.exe?showforum=14.0
- 81.93.240.41 port 80 - www.so-quest.fr - GET /wp-content/plugins/widget-context/1
- 81.93.240.41 port 80 - www.so-quest.fr - GET /wp-content/plugins/widget-context/2
- 81.93.240.41 port 80 - www.so-quest.fr - GET /wp-content/plugins/widget-context/a1
- 31.41.44.125 port 80 - veuntedund.com - POST /ls5/forum.php
- 31.41.44.125 port 80 - veuntedund.com - POST /d1/about.php
- 31.41.44.125 port 80 - veuntedund.com - POST /mlu/forum.php
- api.ipify.org - GET /
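The request list above is already a usable detection set: every stage of this infection chain (maldoc download, payload downloads, C2 POSTs, external IP lookup) shows up as a distinct host and path in web-proxy logs. The script below is an added example, not code from the original post, that loads those indicators and matches them against proxy log lines. The log format (timestamp, client IP, method, URL, status) and the sample lines are constructed for the demo, and the stage labels are my own descriptive tags, not names used on this page.

```python
"""Match the HTTP indicators from the 2017-04-03 Hancitor post against proxy logs.

Added example (not part of the original post). Log format and sample lines
are constructed; the host/path indicators are copied from the page above.
"""
import re
from urllib.parse import urlsplit

# (host, method, path, stage) copied from the page's traffic list.
# Stage labels are this example's own tags (assumption), not names from the page.
INDICATORS = [
    ("pac-all-products.co.za", "GET", "/ring/getnum.php", "maldoc download"),
    ("rusotdelka33.ru", "GET",
     "/wp-content/themes/sugar-modal-windows/slx.exe", "payload download"),
    ("www.so-quest.fr", "GET", "/wp-content/plugins/widget-context/1", "payload download"),
    ("www.so-quest.fr", "GET", "/wp-content/plugins/widget-context/2", "payload download"),
    ("www.so-quest.fr", "GET", "/wp-content/plugins/widget-context/a1", "payload download"),
    ("veuntedund.com", "POST", "/ls5/forum.php", "C2 check-in"),
    ("veuntedund.com", "POST", "/d1/about.php", "C2 check-in"),
    ("veuntedund.com", "POST", "/mlu/forum.php", "C2 check-in"),
    ("api.ipify.org", "GET", "/", "external IP lookup"),
]

# Constructed proxy log format (assumption): "<epoch> <client_ip> <METHOD> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$"
)

# Constructed sample: one host walking the whole chain, one host that only hits
# api.ipify.org, and one host hitting a look-alike path on an unrelated domain.
SAMPLE_LOG = """\
1491233720.101 10.0.0.5 GET http://pac-all-products.co.za/ring/getnum.php?id=dGVzdA== 200
1491233765.442 10.0.0.5 GET http://rusotdelka33.ru/wp-content/themes/sugar-modal-windows/slx.exe?showforum=14.0 200
1491233770.010 10.0.0.5 GET http://www.so-quest.fr/wp-content/plugins/widget-context/1 200
1491233772.233 10.0.0.5 GET http://www.so-quest.fr/wp-content/plugins/widget-context/a1 200
1491233780.900 10.0.0.5 POST http://veuntedund.com/ls5/forum.php 200
1491233785.120 10.0.0.5 GET http://api.ipify.org/ 200
1491233800.000 10.0.0.9 GET http://api.ipify.org/ 200
1491233810.000 10.0.0.7 GET http://example.com/wp-content/plugins/widget-context/1 200
"""


def find_hits(log_text):
    """Return one dict per log line whose host, method and path match an indicator.

    The query string is deliberately ignored: the page shows it varies
    (base64 id, ?showforum=14.0), while host and path are the stable parts.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        parts = urlsplit(m["url"])
        for ind_host, ind_method, ind_path, stage in INDICATORS:
            if (parts.hostname == ind_host and m["method"] == ind_method
                    and parts.path == ind_path):
                hits.append({"ts": m["ts"], "client": m["client"], "stage": stage,
                             "host": parts.hostname, "path": parts.path})
    return hits


def triage(hits):
    """Map each client to a verdict based on which stages it was seen in.

    A lone api.ipify.org request is common benign noise, so a host is only
    called 'likely infected' when it shows both a payload download and a C2
    check-in; anything else matching an indicator is 'review'.
    """
    stages_by_client = {}
    for h in hits:
        stages_by_client.setdefault(h["client"], set()).add(h["stage"])
    return {
        client: ("likely infected"
                 if {"payload download", "C2 check-in"} <= stages else "review")
        for client, stages in stages_by_client.items()
    }


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["client"]} {h["stage"]:<18} {h["host"]}{h["path"]}')
    for client, verdict in triage(found).items():
        print(f"{client}: {verdict}")
```

Matching on host and path rather than the full URL is the design choice here: the page shows the query strings changing between requests, and the three `widget-context` fetches differ only in the last path element, so exact paths from the page are listed individually rather than collapsed into a prefix that would also fire on unrelated WordPress sites.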
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 14b45db836ff1c0d7e283d0ff824013d7a48c59d3805c20cf9a4c61106256fe4
File location: Ringcentral_renya.glendayle.doc
File description: Hancitor maldoc
MALWARE FROM THE INFECTED HOST:
- SHA256 hash: fc8e08d0c0039b9fad3a1d0138dafe9428f06fbdc6096292edeae123a9fb7c65
File location: C:\Users\[username]\AppData\Local\Temp\46353.exe
File description: Hancitor binary
- SHA256 hash: 0a6b1ac5472a554e6d72bee875b7b7cdf85c9c1c8765b4f395c8847f47cc5043
File location: C:\Users\[username]\AppData\Local\Temp\BN692D.tmp
File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-04-03-Hancitor-malspam-traffic.pcap.zip 485 kB (485,075 bytes)
- ZIP archive of the malware: 2017-04-03-Hancitor-malspam-emails-and-artifacts.zip 360 kB (359,998 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.