2017-06-01 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

ASSOCIATED FILES:

  • 2017-06-01-Hancitor-infection-with-ZLoader.pcap   (8,286,426 bytes)
  • 2017-06-01-Hancitor-malspam-1606-UTC.eml   (3,257 bytes)
  • 2017-06-01-Hancitor-malspam-1632-UTC.eml   (3,250 bytes)
  • 2017-06-01-Hancitor-malspam-1720-UTC.eml   (3,246 bytes)
  • 2017-06-01-Hancitor-malspam-1948-UTC.eml   (3,257 bytes)
  • 2017-06-01-Hancitor-malspam-2002-UTC.eml   (3,255 bytes)
  • BN5225.tmp   (179,712 bytes)
  • Document_yahoo.doc   (234,496 bytes)

EMAIL


Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENTS:

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

Click here to return to the main page.