2017-05-09 - HANCITOR MALSPAM - SUBJECT: RE: MAY SUBPOENA FROM FTC
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-05-09-Hancitor-malspam-traffic.pcap.zip 7.6 MB (7,563,949 bytes)
- 2017-05-09-Hancitor-malspam-traffic.pcap (7,938,967 bytes)
- ZIP archive of the malware: 2017-05-09-Hancitor-malspam-and-artifacts.zip 302 kB (302,482 bytes)
- 2017-05-09-Hancitor-malspam-1637-UTC.eml (1,913 bytes)
- 2017-05-09-Hancitor-malspam-1728-UTC.eml (1,915 bytes)
- BNB3B4.tmp (194,048 bytes)
- scanned_subpoena_blake.reginald.doc (224,768 bytes)
NOTES:
- @Techhelplistcom reported a wave of Hancitor malspam today (link).
- However, I saw another wave with a different theme.
- Different URL patterns were used for the document downloads (see below).
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date: Tuesday 2017-05-09
- Subject: Completed: [domain] - Wire Transfer Instructions for [username] Document Ready for Signature
- From: "Cameron Smith via DocuSign" <dse@docusgn.com>
- Subject: RE: may subpoena from FTC
- From: "James Weinberg" <info@wildesweinberg.com>
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUEST FOR THE WORD DOCUMENT:
- 47.91.92.1 port 80 - andsihowdint.ru - GET /april/get.php?id=[base64 string]
- 47.91.92.1 port 80 - andsihowdint.ru - GET /file.php?document=[base64 string]
- 47.91.92.1 port 80 - boatingflagpole.com - GET /file.php?document=[base64 string]
- 47.91.92.1 port 80 - godisimnot.com - GET /file.php?document=[base64 string]
- 47.91.92.1 port 80 - hertretletan.ru - GET /april/get.php?id=[base64 string]
- 47.91.92.1 port 80 - hertretletan.ru - GET /file.php?document=[base64 string]
- 47.91.92.1 port 80 - hudsonhughes.com - GET /file.php?document=[base64 string]
- 47.91.92.1 port 80 - knoxvilleupholstery.com - GET /file.php?document=[base64 string]
- 47.91.92.1 port 80 - partnersprojectinc.com - GET /file.php?document=[base64 string]
- 47.91.92.1 port 80 - partnersprojectinc.net - GET /file.php?document=[base64 string]
- 47.91.92.1 port 80 - precisionexposures.com - GET /file.php?document=[base64 string]
- 47.91.92.1 port 80 - rewthenreti.ru - GET /april/get.php?id=[base64 string]
- 47.91.92.1 port 80 - rewthenreti.ru - GET /file.php?document=[base64 string]
- 47.91.92.1 port 80 - zariyamatrimony.com - GET /file.php?document=[base64 string]
NAMES FOR THE MALICIOUS WORD DOCUMENTS:
- Wire_Transfer_[username].doc
- scanned_subpoena_[username].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 151.80.190.158 port 80 - geheppauld.com - POST /ls5/forum.php
- 151.80.190.158 port 80 - geheppauld.com - POST /borjomi/gate.php
- 69.90.66.240 port 80 - codybraithwaite.com - GET /wp-content/themes/sketch/22
- 69.90.66.240 port 80 - codybraithwaite.com - GET /wp-content/themes/sketch/a1
- 185.42.15.171 port 80 - wadidncise.com - POST /bdk/gate.php
- api.ipify.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 41b7ecafccc7f21966827c48c902c5d28d5ed5ac21f56c9978ccd2709ac8b797
File name: scanned_subpoena_blake.reginald.doc
File size: 224,768 bytes
File description: Hancitor maldoc
MALWARE FROM THE INFECTED HOST:
- SHA256 hash: 5b9fe396d66f13301d3ad0027e124f64258079d3e7401076581b9b5d6eefa826
File location: C:\Users\[username]\AppData\Local\Temp\BNB3B4.tmp
File size: 194,048 bytes
File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-05-09-Hancitor-malspam-traffic.pcap.zip 7.6 MB (7,563,949 bytes)
- ZIP archive of the malware: 2017-05-09-Hancitor-malspam-and-artifacts.zip 302 kB (302,482 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.