2017-06-01 - HANCITOR INFECTION WITH ZLOADER
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-06-01-Hancitor-infection-with-ZLoader.pcap.zip 7.7 MB (7,726,384 bytes)
- 2017-06-01-Hancitor-infection-with-ZLoader.pcap (8,286,426 bytes)
- 2017-06-01-Hancitor-malspam-5-examples.zip 7.7 kB (7,721 bytes)
- 2017-06-01-Hancitor-malspam-1606-UTC.eml (3,257 bytes)
- 2017-06-01-Hancitor-malspam-1632-UTC.eml (3,250 bytes)
- 2017-06-01-Hancitor-malspam-1720-UTC.eml (3,246 bytes)
- 2017-06-01-Hancitor-malspam-1948-UTC.eml (3,257 bytes)
- 2017-06-01-Hancitor-malspam-2002-UTC.eml (3,255 bytes)
- 2017-06-01-malware-from-Hancitor-infection.zip 256.5 kB (256,541 bytes)
- BN5225.tmp (179,712 bytes)
- Document_yahoo.doc (234,496 bytes)
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date: Thurssday 2017-06-01 as early as 16:06 UTC through at least 20:02 UTC
- From: "Google Docs" <sales@gdoc[.]com>
- Subject: You have received a new document from [some random email address]!
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE WORD DOCUMENT:
- 184.168.221[.]55 port 80 - AWESOMEINAUSTIN[.]COM - GET /viewdoc/file.php?document=[base64 string]
- 52.23.200[.]184 port 80 - f8ality[.]com - GET /viewdoc/file.php?document=[base64 string]
- 184.168.221[.]47 port 80 - HNMDEVELOPMENT[.]COM - GET /viewdoc/file.php?document=[base64 string]
- 50.63.202[.]33 port 80 - RVANDSTORAGE[.]US - GET /viewdoc/file.php?document=[base64 string]
- 52.23.200[.]184 port 80 - WALKERHOMEBUILDERS[.]INFO - GET /viewdoc/file.php?document=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENTS:
- Document_[recipient's email domain, minus the suffix].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 178.170.189[.]193 port 80 - nyatguted[.]com - POST /ls5/forum.php
- 178.170.189[.]193 port 80 - nyatguted[.]com - POST /mlu/forum.php
- 178.170.189[.]193 port 80 - nyatguted[.]com - POST /d1/about.php
- 184.168.18[.]1 port 80 - janettelouden[.]com - GET /wp-content/plugins/link-manager/1
- 184.168.18[.]1 port 80 - janettelouden[.]com - GET /wp-content/plugins/link-manager/2
- 184.168.18[.]1 port 80 - janettelouden[.]com - GET /wp-content/plugins/link-manager/3
- 176.99.7[.]225 port 80 - soevenghappar[.]ru - POST /bdl/gate.php
- api.ipify[.]org - GET /
- checkip.dyndns[.]org - GET /
- Various IP addresses on various TCP ports - Tor traffic
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 6e73879ca49b40974cce575626e31541b49c07daa12ec2e9765c432bfac07a20
File name: Document_yahoo.doc
File size: 234,496 bytes
File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: d6b2c543fa33ff6249d4832a8edebf9f74c2ee0a2b42f349c895100b48bf34c3
File location: C:\Users\[username]\AppData\Local\Temp\BN5225.tmp
File size: 179,712 bytes
File description: DELoader/ZLoader (I think)
Click here to return to the main page.