2017-05-30 - HANCITOR MALSPAM - SUBJECT: FEDEX SHIPMENT NOTIFICATION

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-05-30-Hancitor-malspam-traffic.pcap.zip   12.7 MB (12,661,030 bytes)

• 2017-05-30-Hancitor-malspam-traffic.pcap   (13,200,366 bytes)

• ZIP archive of the malware:  2017-05-30-Hancitor-malspam-and-artifacts.zip   255 kB (254,747 bytes)

• 2017-05-30-Hancitor-malspam-1501-UTC.eml   (13,938 bytes)
• 2017-05-30-Hancitor-malspam-1505-UTC.eml   (13,907 bytes)
• 2017-05-30-Hancitor-malspam-1554-UTC.eml   (13,935 bytes)
• 2017-05-30-Hancitor-malspam-1602-UTC.eml   (13,946 bytes)
• 2017-05-30-Hancitor-malspam-1611-UTC.eml   (13,943 bytes)
• 2017-05-30-Hancitor-malspam-1612-UTC.eml   (13,936 bytes)
• BN315C.tmp   (176,640 bytes)
• Fedex_invoice_yahoo.doc   (184,832 bytes)

 

NOTES:

• Saw two tweets about this activity.  One was from @james_inthe_box here, and one was from @peterkruse here.

EMAIL

Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

• Date:  Tuesday 2017-05-30 as early as 15:01 UTC through at least 16:12 UTC
• From:  "FedEx Shipment" <TrackingUpdates@fidix.com>
• Subject:  FedEx Shipment 754154562476 Notification
• Subject:  FedEx Shipment 783606525076 Notification
• Subject:  FedEx Shipment 713510261570 Notification
• Subject:  FedEx Shipment 735302540030 Notification
• Subject:  FedEx Shipment 747130050208 Notification
• Subject:  FedEx Shipment 757717325013 Notification

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• 185.109.147.125 port 80 - agaagents.com - GET /viewdoc/file.php?document=[base64 string]
• 185.109.147.125 port 80 - compshrinks.com - GET /viewdoc/file.php?document=[base64 string]
• 185.109.147.125 port 80 - shrinkssupport.com - GET /viewdoc/file.php?document=[base64 string]
• 185.109.147.125 port 80 - sleepace.uk - GET /viewdoc/file.php?document=[base64 string]
• 185.109.147.125 port 80 - WESTCOASTRR.COM - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Fedex_invoice_[recipient's email domain, minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 95.182.79.233 port 80 - calgokinhim.com - POST /ls5/forum.php
• 95.182.79.233 port 80 - calgokinhim.com - POST /mlu/forum.php
• 95.182.79.233 port 80 - calgokinhim.com - POST /d1/about.php
• 192.186.249.64 port 80 - www.yossisisrael.com - GET /1
• 192.186.249.64 port 80 - www.yossisisrael.com - GET /2
• 192.186.249.64 port 80 - www.yossisisrael.com - GET /3
• 91.200.14.56 port 80 - bitengcaunzy.ru - POST /bdk/gate.php
• api.ipify.org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  4ffbdd599dd5aa09f8c3f7e3db0b3c169ba38106db6192a59194e79ef60f957b
  File name:  Fedex_invoice_yahoo.doc
  File size:  184,832 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  3a2f6291ceaee6be499e0a84d7fe931005e425fd21d25448fe5e38cc1fc37b81
  File location:  C:\Users\[username]\AppData\Local\Temp\BN315C.tmp
  File size:  176,640 bytes
  File description:  DELoader/ZLoader

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-05-30-Hancitor-malspam-traffic.pcap.zip   12.7 MB (12,661,030 bytes)
• ZIP archive of the malware:  2017-05-30-Hancitor-malspam-and-artifacts.zip   255 kB (254,747 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.