2017-05-02 - HANCITOR MALSPAM - SUBJECT: YOUR ONLINE BILL IS AVAILABLE. AMOUNT DUE $484.45
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-05-02-Hancitor-malspam-traffic.pcap.zip 279 kB (278,924 bytes)
- 2017-05-02-Hancitor-malspam-traffic.pcap (376,376 bytes)
- ZIP archive of the malware: 2017-05-02-Hancitor-malspam-and-artifacts.zip 252 kB (252,188 bytes)
- 2017-05-02-hancitor-malspam-1705-UTC.eml (58,535 bytes)
- BNA4D6.tmp (194,560 bytes)
- Verizon_Bill_nerval.highbot.doc (191,488 bytes)
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date/Time: Tuesday 2017-05-02 at 17:03:26 UTC
- From: (spoofed) "Verizon Wireless" <verizon@alestaloetzel.com>
- Subject: Your online bill is available. Amount due $484.45
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUEST FOR THE WORD DOCUMENT:
- 62.213.103.60 port 80 - porkaporka.com - GET /view.php?id=[base64 string]
- 62.213.103.60 port 80 - neveralonehomecare.org - GET /view.php?id=[base64 string]
- 62.213.103.60 port 80 - REGINATSHIRTS.INFO - GET /view.php?id=[base64 string]
POST-INFECTION TRAFFIC:
- 80.85.158.216 port 80 - andvewouse.com - POST /ls5/forum.php
- 80.85.158.216 port 80 - andvewouse.com - POST /mlu/forum.php
- 185.84.108.22 port 80 - umberto40.ru - GET /wp-includes/1
- 185.84.108.22 port 80 - umberto40.ru - GET /wp-includes/a1
- 198.105.244.64 port 80 - hissupsparve.com - POST /bdk/gate.php
- api.ipify.org - GET / (external IP address check by the infected host)
- 146.185.254.14 port 80 - myrerithad.ru - POST /ls5/forum.php
- 176.103.49.221 port 80 - hesoneheci.ru - POST /ls5/forum.php
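One way to run the indicators above over proxy or Zeek-style HTTP logs, as an added example that is not part of the original post: the hostnames, URIs and C2 addresses come from the traffic section, while the log layout, the sample lines, the base64 id value and the destination IPs for the non-malicious hosts are constructed for the example (192.0.2.0/24 is TEST-NET). The script classifies each request into an infection stage so an analyst can see how far the chain got on a host, and it treats any other request to a listed host as suspicious rather than ignoring it.

```python
"""Triage helper: flag HTTP requests matching the Hancitor indicators above.
Added example, not from the original post. Log format (constructed):
  <ts> <dst_ip> <host> <method> <uri>
"""
import base64
import re
from urllib.parse import parse_qs, urlparse

# Indicators from the traffic section of the post, grouped by stage.
MALDOC_HOSTS = {"porkaporka.com", "neveralonehomecare.org", "reginatshirts.info"}
HANCITOR_C2 = {"andvewouse.com", "myrerithad.ru", "hesoneheci.ru"}
HANCITOR_C2_URIS = {"/ls5/forum.php", "/mlu/forum.php"}
FOLLOWUP_HOSTS = {"umberto40.ru"}
ZLOADER_C2 = {"hissupsparve.com"}
ZLOADER_C2_URIS = {"/bdk/gate.php"}
IP_CHECK_HOSTS = {"api.ipify.org"}
ALL_BAD_HOSTS = MALDOC_HOSTS | HANCITOR_C2 | FOLLOWUP_HOSTS | ZLOADER_C2

# Constructed sample log (not pcap output); the id value is base64 of "constructed-sample".
SAMPLE_LOG = """\
1493744700.1 62.213.103.60 porkaporka.com GET /view.php?id=Y29uc3RydWN0ZWQtc2FtcGxl
1493744701.2 192.0.2.10 example.com GET /index.html
1493744750.3 80.85.158.216 andvewouse.com POST /ls5/forum.php
1493744751.4 185.84.108.22 umberto40.ru GET /wp-includes/1
1493744752.5 198.105.244.64 hissupsparve.com POST /bdk/gate.php
1493744753.6 192.0.2.20 api.ipify.org GET /
1493744760.7 80.85.158.216 andvewouse.com GET /robots.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dst>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    req = m.groupdict()
    req["host"] = req["host"].lower()  # hostnames are case-insensitive (REGINATSHIRTS.INFO)
    return req


def looks_like_base64(value):
    """True if value is standard-alphabet base64 (padding repaired before decoding)."""
    if not value or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return False
    padded = value.rstrip("=")
    padded += "=" * (-len(padded) % 4)
    try:
        base64.b64decode(padded, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def classify(req):
    """Map a parsed request to an infection stage label, or None if it matches nothing."""
    host, method = req["host"], req["method"]
    parsed = urlparse(req["uri"])
    path, query = parsed.path, parse_qs(parsed.query)
    if host in MALDOC_HOSTS and path == "/view.php" and looks_like_base64(query.get("id", [""])[0]):
        return "maldoc-download"
    if host in HANCITOR_C2 and method == "POST" and path in HANCITOR_C2_URIS:
        return "hancitor-c2-checkin"
    if host in FOLLOWUP_HOSTS and path.startswith("/wp-includes/"):
        return "followup-download"
    if host in ZLOADER_C2 and method == "POST" and path in ZLOADER_C2_URIS:
        return "zloader-c2"
    if host in IP_CHECK_HOSTS:
        return "external-ip-check"
    if host in ALL_BAD_HOSTS:  # listed host, unexpected URI: still worth a look
        return "known-bad-host-other-uri"
    return None


def triage(log_text):
    """Return (ts, host, uri, label) for every request that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        label = classify(req)
        if label:
            hits.append((req["ts"], req["host"], req["uri"], label))
    return hits


def infection_chain(hits):
    """Distinct stage labels in time order, to judge how far the infection progressed."""
    seen = []
    for _, _, _, label in sorted(hits, key=lambda h: float(h[0])):
        if label not in seen:
            seen.append(label)
    return seen


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("stages:", " -> ".join(infection_chain(hits)))
```

The base64 check on the `id=` parameter matters because the maldoc hosts are ordinary compromised sites: a plain GET to one of them is only "suspicious", while `/view.php` with a base64 id is the actual delivery URI seen in this traffic.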
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: ccd600d5ebb12770bad5a60e61bd4ff12c10dcec675d97343c8774f1ce40c443
File name: Verizon_Bill_nerval.highbot.doc
File size: 191,488 bytes
File description: Hancitor maldoc
MALWARE FROM THE INFECTED HOST:
- SHA256 hash: 3e1fa8d0cbe73caf572cd186e72b1aee8e734d055e7da6fa6c1945fb2e7423a8
File location: C:\Users\[username]\AppData\Local\Temp\BNA4D6.tmp
File size: 194,560 bytes
File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-05-02-Hancitor-malspam-traffic.pcap.zip 279 kB (278,924 bytes)
- ZIP archive of the malware: 2017-05-02-Hancitor-malspam-and-artifacts.zip 252 kB (252,188 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.