2017-04-26 - HANCITOR MALSPAM - SUBJECT: YOUR INVOICE 123456 IS AVAILABLE FOR REVIEW!

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-04-26-Hancitor-malspam-traffic.pcap.zip   12.9 MB (12,890,632 bytes)

• 2017-04-26-Hancitor-malspam-traffic.pcap   (13,425,601 bytes)

• ZIP archive of the malware:  2017-04-26-Hancitor-malspam-and-artifacts.zip   252 kB (252,293 bytes)

• 2017-04-26-Hancitor-malspam-144836-UTC.eml   (1,603 bytes)
• 2017-04-26-Hancitor-malspam-150705-UTC.eml   (1,601 bytes)
• 2017-04-26-Hancitor-malspam-155750-UTC.eml   (1,626 bytes)
• 2017-04-26-Hancitor-malspam-170648-UTC.eml   (1,559 bytes)
• 2017-04-26-Hancitor-malspam-171002-UTC.eml   (1,601 bytes)
• ADP_Invoice_gerald.simpson.doc   (207,360 bytes)
• BN673A.tmp   (158,720 bytes)

NOTES:

• Yesterday, Hancitor malspam quit using RTF files with a .doc extension to exploit CVE-2017-0199.
• Since then, the actors behind this campaign have gone back to using Word documents with malicious macros.
• @James_inthe_box started a Twitter discussion about today's activity here.

 

EMAIL

Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Wednesday 2017-04-26 as early as 14:48 UTC through at least 17:10 UTC

• From:  (spoofed) "ADP Billing" <adp@lamantiaproduce.com>
• From:  (spoofed) "ADP Billing" <adp@littlebaja.com>
• From:  (spoofed) "ADP Billing" <adp@orchardridgecc.com>

• Subject:  Your invoice 160830 is available for review!
• Subject:  Your invoice 380131 is available for review!
• Subject:  Your invoice 538322 is available for review!
• Subject:  Your invoice 581742 is available for review!
• Subject:  Your invoice 776534 is available for review!

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUEST FOR THE WORD DOCUMENT:

• 217.23.152.16 port 80 - IPACUNIV.COM - GET /view.php?id=[base64 string]
• 217.23.152.16 port 80 - LORIBYDESYGN.NET - GET /view.php?id=[base64 string]
• 217.23.152.16 port 80 - ROYALEAGLELODGE.COM - GET /view.php?id=[base64 string]
• 217.23.152.16 port 80 - sparxdynamix.co.uk - GET /view.php?id=[base64 string]
• 217.23.152.16 port 80 - withedtwilrit.ru - GET /view.php?id=[base64 string]

 

POST-INFECTION TRAFFIC:

• 212.116.113.108 port 80 - thenwisedsup.com - POST /ls5/forum.php
• 212.116.113.108 port 80 - thenwisedsup.com - POST /mlu/forum.php
• 212.116.113.108 port 80 - thenwisedsup.com - POST /d1/about.php
• 134.0.11.119 port 80 - ciceromc.com - GET /wp-content/plugins/meteor-slides/1
• 134.0.11.119 port 80 - ciceromc.com - GET /wp-content/plugins/meteor-slides/2
• 134.0.11.119 port 80 - ciceromc.com - GGET /wp-content/plugins/meteor-slides/a1
• 95.46.98.132 port 80 - kparxehisfup.com - POST /bdk/gate.php
• api.ipify.org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  36daf8bb54231f6777cc81bd223cbc5b55948b9bc69cb8d3999b4931be9a7c61
  File name:  ADP_Invoice_gerald.simpson.doc
  File size:  207,360 bytes
  File description:  Hancitor maldoc

MALWARE FROM THE INFECTED HOST:

• SHA256 hash:  d2bd34c6ffa969c3b347d4b3016b7d0610f65ec3346e4fe442589ebe2c37981d
  File location:  C:\Users\[username]\AppData\Local\Temp\BN673A.tmp
  File size:  158,720 bytes
  File description:  DELoader/ZLoader

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-04-26-Hancitor-malspam-traffic.pcap.zip   12.9 MB (12,890,632 bytes)
• ZIP archive of the malware:  2017-04-26-Hancitor-malspam-and-artifacts.zip   252 kB (252,293 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.