2017-05-30 - HANCITOR MALSPAM - SUBJECT: FEDEX SHIPMENT NOTIFICATION
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-05-30-Hancitor-malspam-traffic.pcap.zip 12.7 MB (12,661,030 bytes)
- 2017-05-30-Hancitor-malspam-traffic.pcap (13,200,366 bytes)
- ZIP archive of the malware: 2017-05-30-Hancitor-malspam-and-artifacts.zip 255 kB (254,747 bytes)
- 2017-05-30-Hancitor-malspam-1501-UTC.eml (13,938 bytes)
- 2017-05-30-Hancitor-malspam-1505-UTC.eml (13,907 bytes)
- 2017-05-30-Hancitor-malspam-1554-UTC.eml (13,935 bytes)
- 2017-05-30-Hancitor-malspam-1602-UTC.eml (13,946 bytes)
- 2017-05-30-Hancitor-malspam-1611-UTC.eml (13,943 bytes)
- 2017-05-30-Hancitor-malspam-1612-UTC.eml (13,936 bytes)
- BN315C.tmp (176,640 bytes)
- Fedex_invoice_yahoo.doc (184,832 bytes)
NOTES:
- Saw two tweets about this activity. One was from @james_inthe_box here, and one was from @peterkruse here.
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date: Tuesday 2017-05-30 as early as 15:01 UTC through at least 16:12 UTC
- From: "FedEx Shipment" <TrackingUpdates@fidix.com>
- Subject: FedEx Shipment 754154562476 Notification
- Subject: FedEx Shipment 783606525076 Notification
- Subject: FedEx Shipment 713510261570 Notification
- Subject: FedEx Shipment 735302540030 Notification
- Subject: FedEx Shipment 747130050208 Notification
- Subject: FedEx Shipment 757717325013 Notification
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE WORD DOCUMENT:
- 185.109.147.125 port 80 - agaagents.com - GET /viewdoc/file.php?document=[base64 string]
- 185.109.147.125 port 80 - compshrinks.com - GET /viewdoc/file.php?document=[base64 string]
- 185.109.147.125 port 80 - shrinkssupport.com - GET /viewdoc/file.php?document=[base64 string]
- 185.109.147.125 port 80 - sleepace.uk - GET /viewdoc/file.php?document=[base64 string]
- 185.109.147.125 port 80 - WESTCOASTRR.COM - GET /viewdoc/file.php?document=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENTS:
- Fedex_invoice_[recipient's email domain, minus the suffix].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 95.182.79.233 port 80 - calgokinhim.com - POST /ls5/forum.php
- 95.182.79.233 port 80 - calgokinhim.com - POST /mlu/forum.php
- 95.182.79.233 port 80 - calgokinhim.com - POST /d1/about.php
- 192.186.249.64 port 80 - www.yossisisrael.com - GET /1
- 192.186.249.64 port 80 - www.yossisisrael.com - GET /2
- 192.186.249.64 port 80 - www.yossisisrael.com - GET /3
- 91.200.14.56 port 80 - bitengcaunzy.ru - POST /bdk/gate.php
- api.ipify.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
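As an added example that is not part of the original post or its files, the Python below turns the HTTP request patterns listed above into a small detection routine: the maldoc download (GET /viewdoc/file.php with a base64 document parameter), the Hancitor POST check-ins, the GET /1, /2, /3 follow-up downloads, the DELoader/ZLoader gate POST, and the api.ipify.org lookup, plus the Fedex_invoice_[domain].doc file-name pattern. The hostnames and paths come from this post; the log-line format, timestamps, the 10.0.0.x source addresses and the document parameter value are constructed for the demonstration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Request patterns taken from the HTTP traffic listed in this post.
MALDOC_PATH = "/viewdoc/file.php"            # GET ...?document=<base64 string>
CHECKIN_PATHS = {"/ls5/forum.php", "/mlu/forum.php", "/d1/about.php"}  # Hancitor POSTs
ZLOADER_GATE = "/bdk/gate.php"               # DELoader/ZLoader POST
FOLLOWUP_HOST = "www.yossisisrael.com"       # GET /1, /2, /3 follow-up downloads
IP_LOOKUP_HOST = "api.ipify.org"             # external IP check seen post-infection
MALDOC_NAME_RE = re.compile(r"^Fedex_invoice_[A-Za-z0-9-]+\.doc$", re.IGNORECASE)
DOC_PARAM_RE = re.compile(r"(?:^|&)document=([^&]*)")


def looks_base64(value):
    """True if value decodes as standard base64 (missing padding is tolerated)."""
    if not value:
        return False
    padded = value + "=" * (-len(value) % 4)
    try:
        base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def is_hancitor_maldoc_name(filename):
    """Match the Fedex_invoice_<recipient domain>.doc naming scheme from this post."""
    return bool(MALDOC_NAME_RE.match(filename))


def classify_request(method, host, uri):
    """Return an indicator label for one HTTP request, or None if nothing matches."""
    method, host = method.upper(), host.lower()
    parts = urlsplit(uri)
    if method == "GET" and parts.path == MALDOC_PATH:
        m = DOC_PARAM_RE.search(parts.query)
        if m and looks_base64(m.group(1)):
            return "hancitor-maldoc-download"
    if method == "POST" and parts.path in CHECKIN_PATHS:
        return "hancitor-checkin"
    if method == "POST" and parts.path == ZLOADER_GATE:
        return "zloader-gate"
    if method == "GET" and host == FOLLOWUP_HOST and re.fullmatch(r"/[1-3]", parts.path):
        return "hancitor-followup-download"
    if method == "GET" and host == IP_LOOKUP_HOST:
        return "external-ip-lookup"
    return None


def scan_log(lines):
    """Parse constructed '<ts> <src_ip> <method> <host> <uri>' lines and return hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, src, method, host, uri = fields
        label = classify_request(method, host, uri)
        if label:
            hits.append((ts, src, host, label))
    return hits


def infected_hosts(hits):
    """Source IPs showing post-infection traffic (not merely the maldoc download)."""
    return sorted({src for _, src, _, label in hits if label != "hancitor-maldoc-download"})


# Constructed proxy-style log lines; hosts and paths are the ones from this post,
# the timestamps, source IPs and document parameter value are made up.
LOG_LINES = [
    "2017-05-30T15:07:11Z 10.0.0.5 GET agaagents.com /viewdoc/file.php?document=dXNlckB5YWhvby5jb20=",
    "2017-05-30T15:07:40Z 10.0.0.5 GET www.example.org /index.html",
    "2017-05-30T15:09:02Z 10.0.0.5 POST calgokinhim.com /ls5/forum.php",
    "2017-05-30T15:09:05Z 10.0.0.5 GET www.yossisisrael.com /1",
    "2017-05-30T15:09:30Z 10.0.0.5 GET api.ipify.org /",
    "2017-05-30T15:10:12Z 10.0.0.5 POST bitengcaunzy.ru /bdk/gate.php",
    "2017-05-30T15:11:00Z 10.0.0.7 GET agaagents.com /viewdoc/file.php?document=not%20base64",
]

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(*hit)
    print("hosts with post-infection traffic:", infected_hosts(scan_log(LOG_LINES)))
```

The path-based checks are deliberately host-agnostic (the five maldoc hosts in this post all sat on one IP and shared the same path, and the check-in paths are more stable than the domains), while the follow-up downloads are keyed on the host because a bare GET /1 is too generic on its own. The last constructed line shows the base64 check rejecting a document parameter that is not valid base64, so it does not count as a hit.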
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 4ffbdd599dd5aa09f8c3f7e3db0b3c169ba38106db6192a59194e79ef60f957b
File name: Fedex_invoice_yahoo.doc
File size: 184,832 bytes
File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 3a2f6291ceaee6be499e0a84d7fe931005e425fd21d25448fe5e38cc1fc37b81
File location: C:\Users\[username]\AppData\Local\Temp\BN315C.tmp
File size: 176,640 bytes
File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-05-30-Hancitor-malspam-traffic.pcap.zip 12.7 MB (12,661,030 bytes)
- ZIP archive of the malware: 2017-05-30-Hancitor-malspam-and-artifacts.zip 255 kB (254,747 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.