2017-05-25 - HANCITOR MALSPAM WITH A GOOGLE DOCS THEME
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-05-25-Hancitor-malspam-traffic.pcap.zip 13.4 MB (13,446,906 bytes)
- 2017-05-25-Hancitor-malspam-1st-run.pcap (13,624,335 bytes)
- 2017-05-25-Hancitor-malspam-2nd-run.pcap (1,196,182 bytes)
- ZIP archive of the malware: 2017-05-25-Hancitor-malspam-and-artifacts.zip 244 kB (243,905 bytes)
- 2017-05-25-Hancitor-malspam-1616-UTC.eml (3,210 bytes)
- BNE9F0.tmp (176,640 bytes)
- Billing_ruinedsunglass.doc (206,336 bytes)
NOTES:
- @Techhelplistcom reported this malspam earlier today, and you can find more indicators here.
- Had an issue where the full range of post-infection traffic didn't appear until about an hour after the initial infection.
- During a second run, the full range of post post-infection traffic (tor traffic, etc) didn't appear at all.
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date: Thursday 2017-05-25
- Subject: [recipient's email domain] has sent you a document through Google Docs!
- From: "Google Docs" <accountant@aarowmechanical.com>
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE WORD DOCUMENT:
- 46.173.218.143 port 80 - homesmartinsurancegroup.com - GET /viewdoc/file.php?document=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENTS:
- Billing_[recipient's email domain without the suffix].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 212.129.51.160 port 80 - fordebubut.com - POST /ls5/forum.php
- 212.129.51.160 port 80 - fordebubut.com - POST /mlu/forum.php
- 212.129.51.160 port 80 - fordebubut.com - POST /d1/about.php
- 50.62.110.1 port 80 - gregoryrullo.com - GET /1
- 50.62.110.1 port 80 - gregoryrullo.com - GET /2
- 50.62.110.1 port 80 - gregoryrullo.com - GET /a1
- 192.196.156.150 port 80 - www.homesdecoratingideas.com - GET /a1
- 185.118.66.252 port 80 - rewningiden.com - POST /bdk/gate.php
- 198.105.244.228 port 80 - kedrolhechedt.com - POST /bdk/gate.php
- 198.105.244.228 port 80 - dijussoda.com - POST /bdk/gate.php
- api.ipify.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 0cf705e4804f3585e44368e8d611ddb9376863ff8c4400d156d043f6b181924e
File name: Billing_ruinedsunglass.doc
File size: 206,336 bytes
File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: dc8aa91015f1f67639b13489bd556e425aacc308d902ddf7585adf856c3aa7b2
File location: C:\Users\[username]\AppData\Local\Temp\BNE9F0.tmp
File size: 176,640 bytes
File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-05-25-Hancitor-malspam-traffic.pcap.zip 13.4 MB (13,446,906 bytes)
- ZIP archive of the malware: 2017-05-25-Hancitor-malspam-and-artifacts.zip 244 kB (243,905 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.