2017-05-04 - HANCITOR MALSPAM - SUBJECT: USPS PROOF OF DELIVERY LETTER ON YOUR SHIPMENT
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-05-04-Hancitor-malspam-traffic.pcap.zip 11.0 MB (10,960,834 bytes)
- 2017-05-04-Hancitor-malspam-traffic.pcap (11,646,696 bytes)
- ZIP archive of the malware: 2017-05-04-Hancitor-malspam-and-artifacts.zip 254 kB (254,191 bytes)
- 2017-05-04-Hancitor-malspam-1559-UTC.eml (2,785 bytes)
- 2017-05-04-Hancitor-malspam-1600-UTC.eml (2,786 bytes)
- 2017-05-04-Hancitor-malspam-1623-UTC.eml (2,757 bytes)
- 2017-05-04-Hancitor-malspam-1705-UTC.eml (2,733 bytes)
- 2017-05-04-Hancitor-malspam-2032-UTC.eml (2,732 bytes)
- 2017-05-04-Hancitor-malspam-2034-UTC.eml (2,732 bytes)
- BND7B8.tmp (194,560 bytes)
- USPS_glen.fendale.doc (190,464 bytes)
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date/Time: Thursday 2017-05-04 as early as 15:59 UTC through at least 20:34 UTC
- From: (spoofed) "USPS" <usps@uspz.com>
- Subject: USPS Proof of Delivery letter on your shipment EI00474731US
- Subject: USPS Proof of Delivery letter on your shipment EI02553212US
- Subject: USPS Proof of Delivery letter on your shipment EI08731375US
- Subject: USPS Proof of Delivery letter on your shipment EI18266375US
- Subject: USPS Proof of Delivery letter on your shipment EI25088368US
- Subject: USPS Proof of Delivery letter on your shipment EI28338016US
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUEST FOR THE WORD DOCUMENT:
- 47.91.78.8 port 80 - ALARISREALESTATE.COM - GET /view.php?id=[base64 string]
- 47.91.78.8 port 80 - LAZYJPRINTINGSERVICES.COM - GET /view.php?id=[base64 string]
POST-INFECTION TRAFFIC:
- 146.120.110.146 port 80 - sitcahadling.com - POST /ls5/forum.php
- 146.120.110.146 port 80 - sitcahadling.com - POST /mlu/forum.php
- 146.120.110.146 port 80 - sitcahadling.com - POST /d1/about.php
- 86.105.215.161 port 80 - sebastianbizduna.com - GET /modules/mod_ariimageslidersa/1
- 86.105.215.161 port 80 - sebastianbizduna.com - GET /modules/mod_ariimageslidersa/2
- 86.105.215.161 port 80 - sebastianbizduna.com - GET /modules/mod_ariimageslidersa/a1
- 185.86.79.93 port 80 - thephahedthe.com - POST /bdk/gate.php
- 137.74.176.54 port 80 - didnhelittrat.com - POST /bdk/gate.php
- api.ipify.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 8b31cbf818c17fe3778124c102c8d74d14ffdc41fc5548bff5b861e2720a8e68
File name: USPS_glen.fendale.doc
File size: 190,464 bytes
File description:  Hancitor maldoc
MALWARE FROM THE INFECTED HOST:
- SHA256 hash: 19d54c76c0d887ff607ea8eef0c59237e26dc9df54a96d4c8b957fbbb21f3bb9
File location:  C:\Users\[username]\AppData\Local\Temp\BND7B8.tmp
File size:  194,560 bytes
File description:  DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-05-04-Hancitor-malspam-traffic.pcap.zip 11.0 MB (10,960,834 bytes)
- ZIP archive of the malware: 2017-05-04-Hancitor-malspam-and-artifacts.zip 254 kB (254,191 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.