2017-04-05 - HANCITOR MALSPAM - SUBJECT: MARCH INVOICE # 1234567 DUE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-04-05-Hancitor-malspam-traffic.pcap.zip 13.8 MB (13,778,261 bytes)
- 2017-04-05-Hancitor-malspam-traffic.pcap (14,582,657 bytes)
- ZIP archive of the malware: 2017-04-05-Hancitor-malspam-and-artifacts.zip 191 kB (191,467 bytes)
- 2017-04-05-Hancitor-malspam-1512-UTC.eml (763 bytes)
- 2017-04-05-Hancitor-malspam-1526-UTC.eml (737 bytes)
- 2017-04-05-Hancitor-malspam-1733-UTC.eml (789 bytes)
- BN4E.tmp (165,888 bytes)
- d657.exe (156,672 bytes)
- March_invoice_nathaniel.clark.js (33,004 bytes)
NOTES:
- On Wednesday 2017-04-05, links from Hancitor malspam pointed to a .js file instead of the .doc file we've seen in previous waves.
- More indicators for this malspam are posted at: https://techhelplist.com/spam-list/1129-2017-04-05-march-invoice-due-malware
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2017-04-05 as early as 15:12 UTC
- From: (spoofed) "NetBrains, Inc." <billing@netbrain.com>
- Subject: march invoice # 1437146 due
- Subject: march invoice # 7454510 due
- Subject: march invoice # 8781758 due
Shown above: Malicious .js file from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUEST FOR THE .JS FILE:
- 47.90.202.88 port 80 - random-billing.com - GET /getnum.php?id=[base64 string]
POST-INFECTION TRAFFIC:
- 47.90.202.88 port 80 - random-billing.com - GET /get.php?ff1
- 80.249.163.1 port 80 - fateleptura.hu - GET /1
- 80.249.163.1 port 80 - fateleptura.hu - GET /2
- 80.249.163.1 port 80 - fateleptura.hu - GET /a1
- 212.116.113.108 port 80 - fortotrolhec.com - POST /ls5/forum.php
- 212.116.113.108 port 80 - fortotrolhec.com - POST /mlu/forum.php
- 212.116.113.108 port 80 - fortotrolhec.com - POST /d1/about.php
- 194.1.239.63 port 80 - situghlacsof.com - POST /bdk/gate.php
- api.ipify.org - GET /
- checkip.dyndns.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
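The indicators above turned into a small triage script, as an added example that is not part of this report or its files: it classifies requests from a constructed proxy-log format of `timestamp client method host uri` into the infection stages listed here and flags a client as infected only on a C2 check-in. The hosts and paths are the ones listed above; the stage names, the log format and the sample log lines are constructed.

```python
import base64, binascii, re

# Hosts and paths are those in the traffic section above; stage names, the
# proxy-log format and the sample lines are constructed for this example.
STAGES = [
    ("js_download",   re.compile(r"^GET random-billing\.com /getnum\.php\?id=(?P<b64>[A-Za-z0-9+/=]+)$")),
    ("payload_fetch", re.compile(r"^GET (?:random-billing\.com /get\.php\?ff1|fateleptura\.hu /(?:1|2|a1))$")),
    ("hancitor_c2",   re.compile(r"^POST fortotrolhec\.com /\S+/(?:forum|about)\.php$")),
    ("zloader_c2",    re.compile(r"^POST situghlacsof\.com /bdk/gate\.php$")),
    ("ip_check",      re.compile(r"^GET (?:api\.ipify\.org|checkip\.dyndns\.org) /$")),
]
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<uri>\S+)$")
def is_base64(s):
    # The report describes the getnum.php id parameter as a base64 string.
    try:
        base64.b64decode(s, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False
def classify(method, host, uri):
    # Return the stage one request belongs to, or None if it matches no indicator.
    key = f"{method} {host} {uri}"
    for stage, pattern in STAGES:
        m = pattern.match(key)
        if m and (stage != "js_download" or is_base64(m.group("b64"))):
            return stage
    return None
def triage(lines):
    # Map each client to the ordered list of distinct stages it was seen in.
    seen = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        stage = classify(m["method"], m["host"], m["uri"]) if m else None
        if stage and stage not in seen.setdefault(m["client"], []):
            seen[m["client"]].append(stage)
    return seen
def verdict(stages):
    # Only a check-in to one of the C2 URIs counts as a confirmed infection.
    if {"hancitor_c2", "zloader_c2"} & set(stages):
        return "infected"
    return "loader downloaded" if "js_download" in stages else "weak signal"
# Constructed sample log ("<timestamp> <client> <method> <host> <uri>").
SAMPLE_LOG = """\
2017-04-05T15:14:02Z 10.0.0.15 GET random-billing.com /getnum.php?id=ZXhhbXBsZQ==
2017-04-05T15:14:31Z 10.0.0.15 POST fortotrolhec.com /ls5/forum.php
2017-04-05T15:14:35Z 10.0.0.15 GET fateleptura.hu /1
2017-04-05T15:14:40Z 10.0.0.15 POST situghlacsof.com /bdk/gate.php
2017-04-05T15:20:00Z 10.0.0.22 GET checkip.dyndns.org /
2017-04-05T15:21:00Z 10.0.0.31 GET random-billing.com /getnum.php?id=abc
""".splitlines()
```

Running `triage(SAMPLE_LOG)` yields the full stage sequence for 10.0.0.15, only the external IP check for 10.0.0.22, and nothing for 10.0.0.31, whose id parameter is not valid base64.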
FILE HASHES
.JS FILE FROM LINK IN THE EMAIL:
- SHA256 hash: a882be2a0b1f13b7cf60ed50237344049962bb53e82dbcfb44c33c936895c685
File location: March_invoice_nathaniel.clark.js
File description: Hancitor .js file
MALWARE FROM THE INFECTED HOST:
- SHA256 hash: 1f860dfa7ab0d7cd0d38b5f8e90f68ee9d8b9ce81c1b55fd35c999c445b4349c
File location: C:\Users\[username]\AppData\Local\Temp\d657.exe
File description: Hancitor binary
- SHA256 hash: b2d4609580c64295b5c233bba1205e58e6e0be4b128bc772ace76b65ef9dd902
File location: C:\Users\[username]\AppData\Local\Temp\BN4E.tmp
File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-04-05-Hancitor-malspam-traffic.pcap.zip 13.8 MB (13,778,261 bytes)
- ZIP archive of the malware: 2017-04-05-Hancitor-malspam-and-artifacts.zip 191 kB (191,467 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.