2017-05-16 - HANCITOR MALSPAM - SUBJECT: UPS SHIPMENT LABEL NOTIFICATION
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-05-16-Hancitor-malspam-traffic.pcap.zip 11.8 MB (11,831,609 bytes)
- 2017-05-16-Hancitor-malspam-traffic.pcap (12,783,182 bytes)
- ZIP archive of the malware: 2017-05-16-Hancitor-malspam-and-artifacts.zip 258 kB (257,934 bytes)
- 2017-05-16-Hancitor-malspam-182526-UTC.eml (2,082 bytes)
- 2017-05-16-Hancitor-malspam-184711-UTC.eml (2,076 bytes)
- BNE3C9.tmp (207,872 bytes)
- UPS_Label_harold.smithee.doc (204,800 bytes)
NOTES:
- @Techhelplistcom reported this malspam earlier today, and you can find more indicators here.
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date: Tuesday 2017-05-16
- Subject: UPS Shipment Label Notification
- From: "UPS Return Labels" <no-reply@ulabel.com>
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE WORD DOCUMENT:
- 54.213.18.155 port 80 - REALCHANGEGLOBAL.US - GET /viewdoc1/file.php?document=[base64 string]
- 54.213.18.155 port 80 - dohehotont.ru - GET /viewdoc1/file.php?document=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENTS:
- UPS_Label_[username].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 77.246.144.79 port 80 - ormolesit.com - POST /ls5/forum.php
- 77.246.144.79 port 80 - ormolesit.com - POST /mlu/forum.php
- 77.246.144.79 port 80 - ormolesit.com - POST /d1/about.php
- 192.185.25.109 port 80 - yusufdemirci.com.tr - GET /wp-content/plugins/wp-cumulus/1
- 192.185.25.109 port 80 - yusufdemirci.com.tr - GET /wp-content/plugins/wp-cumulus/2
- 192.185.25.109 port 80 - yusufdemirci.com.tr - GET /wp-content/plugins/wp-cumulus/a1
- 81.177.27.113 port 80 - oneharhaprow.com - POST /bdk/gate.php
- api.ipify.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
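As an added example (not part of the original post), the following Python turns the request patterns listed above into a small detection routine run over constructed proxy-log lines in a `METHOD host path` layout; the host names, the path regexes and the sample lines are assumptions derived only from the traffic listed on this page.

```python
import re
from typing import Optional

# Constructed sample proxy log lines (METHOD host path); not taken from the pcap.
SAMPLE_LOG = """\
GET REALCHANGEGLOBAL.US /viewdoc1/file.php?document=QUJDREVGR0g=
POST ormolesit.com /ls5/forum.php
GET yusufdemirci.com.tr /wp-content/plugins/wp-cumulus/a1
POST oneharhaprow.com /bdk/gate.php
GET api.ipify.org /
GET www.example.com /index.html
"""

# Each entry: (label, expected HTTP method, regex over the request path).
# The regexes generalise the exact paths seen in this infection (assumption).
HANCITOR_PATTERNS = [
    ("maldoc download", "GET", re.compile(r"^/viewdoc\d*/file\.php\?document=")),
    ("Hancitor C2 check-in", "POST", re.compile(r"^/[a-z0-9]+/(forum|about)\.php$")),
    ("follow-up payload fetch", "GET", re.compile(r"^/wp-content/plugins/wp-cumulus/(1|2|a1)$")),
    ("DELoader/ZLoader gate", "POST", re.compile(r"^/[a-z0-9]+/gate\.php$")),
]


def classify_request(method: str, host: str, path: str) -> Optional[str]:
    """Return the matching indicator label, or None when nothing on the list matches."""
    for label, want_method, rx in HANCITOR_PATTERNS:
        if method == want_method and rx.search(path):
            return label
    # The public-IP lookup is only suspicious in context (legitimate software uses
    # it too); it is flagged here so it can be correlated with the C2 hits above.
    if host.lower() == "api.ipify.org" and method == "GET":
        return "external IP lookup (post-infection)"
    return None


def scan_log(text: str) -> list:
    """Parse 'METHOD host path' lines and return (host, path, label) for each hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing the scan
        method, host, path = parts
        label = classify_request(method, host, path)
        if label:
            hits.append((host, path, label))
    return hits


if __name__ == "__main__":
    for host, path, label in scan_log(SAMPLE_LOG):
        print(f"{label:28s} {host} {path}")
```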
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 1014b0191af345644fb1d079438aeeefd33b54a4119f7f26d76b1b2c294cca61
File name: UPS_Label_harold.smithee.doc
File size: 204,800 bytes
File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 19352237f417ba7e63855fbdfcd42084f92848a16138b9db555f076dab741c57
File location: C:\Users\[username]\AppData\Local\Temp\BNE3C9.tmp
File size: 207,872 bytes
File description: DELoader/ZLoader
FINAL NOTES
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.