2017-04-26 - HANCITOR MALSPAM - SUBJECT: YOUR INVOICE 123456 IS AVAILABLE FOR REVIEW!
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-04-26-Hancitor-malspam-traffic.pcap.zip 12.9 MB (12,890,632 bytes)
- 2017-04-26-Hancitor-malspam-traffic.pcap (13,425,601 bytes)
- ZIP archive of the malware: 2017-04-26-Hancitor-malspam-and-artifacts.zip 252 kB (252,293 bytes)
- 2017-04-26-Hancitor-malspam-144836-UTC.eml (1,603 bytes)
- 2017-04-26-Hancitor-malspam-150705-UTC.eml (1,601 bytes)
- 2017-04-26-Hancitor-malspam-155750-UTC.eml (1,626 bytes)
- 2017-04-26-Hancitor-malspam-170648-UTC.eml (1,559 bytes)
- 2017-04-26-Hancitor-malspam-171002-UTC.eml (1,601 bytes)
- ADP_Invoice_gerald.simpson.doc (207,360 bytes)
- BN673A.tmp (158,720 bytes)
NOTES:
- Yesterday, Hancitor malspam quit using RTF files with a .doc extension to exploit CVE-2017-0199.
- Since then, the actors behind this campaign have gone back to using Word documents with malicious macros.
- @James_inthe_box started a Twitter discussion about today's activity here.
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2017-04-26 as early as 14:48 UTC through at least 17:10 UTC
- From: (spoofed) "ADP Billing" <adp@lamantiaproduce.com>
- From: (spoofed) "ADP Billing" <adp@littlebaja.com>
- From: (spoofed) "ADP Billing" <adp@orchardridgecc.com>
- Subject: Your invoice 160830 is available for review!
- Subject: Your invoice 380131 is available for review!
- Subject: Your invoice 538322 is available for review!
- Subject: Your invoice 581742 is available for review!
- Subject: Your invoice 776534 is available for review!
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUEST FOR THE WORD DOCUMENT:
- 217.23.152.16 port 80 - IPACUNIV.COM - GET /view.php?id=[base64 string]
- 217.23.152.16 port 80 - LORIBYDESYGN.NET - GET /view.php?id=[base64 string]
- 217.23.152.16 port 80 - ROYALEAGLELODGE.COM - GET /view.php?id=[base64 string]
- 217.23.152.16 port 80 - sparxdynamix.co.uk - GET /view.php?id=[base64 string]
- 217.23.152.16 port 80 - withedtwilrit.ru - GET /view.php?id=[base64 string]
POST-INFECTION TRAFFIC:
- 212.116.113.108 port 80 - thenwisedsup.com - POST /ls5/forum.php
- 212.116.113.108 port 80 - thenwisedsup.com - POST /mlu/forum.php
- 212.116.113.108 port 80 - thenwisedsup.com - POST /d1/about.php
- 134.0.11.119 port 80 - ciceromc.com - GET /wp-content/plugins/meteor-slides/1
- 134.0.11.119 port 80 - ciceromc.com - GET /wp-content/plugins/meteor-slides/2
- 134.0.11.119 port 80 - ciceromc.com - GGET /wp-content/plugins/meteor-slides/a1
- 95.46.98.132 port 80 - kparxehisfup.com - POST /bdk/gate.php
- api.ipify.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 36daf8bb54231f6777cc81bd223cbc5b55948b9bc69cb8d3999b4931be9a7c61
File name: ADP_Invoice_gerald.simpson.doc
File size: 207,360 bytes
File description:  Hancitor maldoc
MALWARE FROM THE INFECTED HOST:
- SHA256 hash: d2bd34c6ffa969c3b347d4b3016b7d0610f65ec3346e4fe442589ebe2c37981d
File location:  C:\Users\[username]\AppData\Local\Temp\BN673A.tmp
File size:  158,720 bytes
File description:  DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-04-26-Hancitor-malspam-traffic.pcap.zip 12.9 MB (12,890,632 bytes)
- ZIP archive of the malware: 2017-04-26-Hancitor-malspam-and-artifacts.zip 252 kB (252,293 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.