2017-04-03 - HANCITOR MALSPAM - SUBJECT: NEW FAX MESSAGE, INCOMING FROM 849-930-XXXX

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-04-03-Hancitor-malspam-traffic.pcap.zip   485 kB (485,075 bytes)

• 2017-04-03-Hancitor-malspam-traffic.pcap   (630,633 bytes)

• ZIP archive of the malware:  2017-04-03-Hancitor-malspam-emails-and-artifacts.zip   360 kB (359,998 bytes)

• 2017-04-03-Hancitor-malspam-1535-UTC.eml   (1,129 bytes)
• 2017-04-03-Hancitor-malspam-1537-UTC.eml   (1,105 bytes)
• 2017-04-03-Hancitor-malspam-1554-UTC.eml   (1,125 bytes)
• 46353.exe   (197,632 bytes)
• BN692D.tmp   (158,720 bytes)
• Ringcentral_renya.glendayle.doc   (241,152 bytes)

NOTES:

• More indicators at:  https://techhelplist.com/spam-list/1125-2017-04-03-new-fax-message-incoming-from-malware

• The DELoader/ZLoader malware crashed on the host I infected, so I didn't get the follow-up Tor traffic that I usually see.

 

EMAIL

Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

• Date/Time:  Monday 2017-04-03 as early as 15:35 UTC
• From:  (spoofed) "RingCentral" <message@faxcentral.com>
• Subject:  New Fax Message, incoming from 849-930-xxxx

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUEST FOR THE INITIAL DOCUMENT:

• 197.221.2.170 port 80 - pac-all-products.co.za - GET /ring/getnum.php?id=[base64 string]

 

POST-INFECTION TRAFFIC:

• 78.108.80.142 port 80 - rusotdelka33.ru - GET /wp-content/themes/sugar-modal-windows/slx.exe?showforum=14.0
• 81.93.240.41 port 80 - www.so-quest.fr - GET /wp-content/plugins/widget-context/1
• 81.93.240.41 port 80 - www.so-quest.fr - GET /wp-content/plugins/widget-context/2
• 81.93.240.41 port 80 - www.so-quest.fr - GET /wp-content/plugins/widget-context/a1
• 31.41.44.125 port 80 - veuntedund.com - POST /ls5/forum.php
• 31.41.44.125 port 80 - veuntedund.com - POST /d1/about.php
• 31.41.44.125 port 80 - veuntedund.com - POST /mlu/forum.php
• api.ipify.org - GET /

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  14b45db836ff1c0d7e283d0ff824013d7a48c59d3805c20cf9a4c61106256fe4
  File location:  Ringcentral_renya.glendayle.doc
  File description:  Hancitor maldoc

MALWARE FROM THE INFECTED HOST:

• SHA256 hash:  fc8e08d0c0039b9fad3a1d0138dafe9428f06fbdc6096292edeae123a9fb7c65
  File location:  C:\Users\[username]\AppData\Local\Temp\46353.exe
  File description:  Hancitor binary

• SHA256 hash:  0a6b1ac5472a554e6d72bee875b7b7cdf85c9c1c8765b4f395c8847f47cc5043
  File location:  C:\Users\[username]\AppData\Local\Temp\BN692D.tmp
  File description:  DELoader/ZLoader

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-04-03-Hancitor-malspam-traffic.pcap.zip   485 kB (485,075 bytes)
• ZIP archive of the malware:  2017-04-03-Hancitor-malspam-emails-and-artifacts.zip   360 kB (359,998 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.