2017-06-07 - HANCITOR INFECTION WTIH ZLOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-07-Hancitor-infection-with-ZLoader.pcap.zip   8.4 MB (8,448,479 bytes)

• 2017-06-07-Hancitor-infection-with-ZLoader.pcap   (9,005,351 bytes)

• 2017-06-07-Hancitor-malspam-3-examples.zip   4.8 kB (4,754 bytes)

• 2017-06-07-Hancitor-malspam-1430-UTC.eml   (3,302 bytes)
• 2017-06-07-Hancitor-malspam-1447-UTC.eml   (3,293 bytes)
• 2017-06-07-Hancitor-malspam-1513-UTC.eml   (3,300 bytes)

• 2017-06-07-malware-from-Hancitor-infection.zip   245.1 kB (245,094 bytes)

• BN778F.tmp   (197,120 bytes)
• Document_yahoo.doc   (203,776 bytes)

 

SOME TWITTER ACCOUNTS THAT TWEETED ABOUT TODAY'S #HANCITOR ACTIVITY:

• @Artilllerie   (link)
• @fletchsec   (link)
• @James_inthe_box   (link)

 

EMAILS

Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

• Date:  Wednesday 2017-06-07 as early as 14:30 UTC through at least 15:13 UTC
• From:  "Google Docs" <accounting@thomewaterproofing[.]com>
• Subject:  accounting@[recipient's email domain] has sent you a document through Google Docs

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• 93.95.97[.]125 port 80 - fenixconnection[.]com - GET /viewdoc/file.php?document=[base64 string]
• 93.95.97[.]125 port 80 - PAMTHELANDGAL[.]COM - GET /viewdoc/file.php?document=[base64 string]
• 93.95.97[.]125 port 80 - tee2green[.]org - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Document_[recipient's email domain, minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 88.214.236[.]156 port 80 - bettontgotbab[.]com - POST /ls5/forum.php
• 88.214.236[.]156 port 80 - bettontgotbab[.]com - POST /mlu/forum.php
• 88.214.236[.]156 port 80 - bettontgotbab[.]com - POST /d1/about.php
• 37.152.88[.]6 port 80 - www.valdelomarasesores[.]com - GET /1
• 37.152.88[.]6 port 80 - www.valdelomarasesores[.]com - GET /2
• 37.152.88[.]6 port 80 - www.valdelomarasesores[.]com - GET /3
• 185.17.121[.]22 port 80 - foonlachim[.]ru - POST /bdl/gate.php
• api.ipify[.]org - GET /
• checkip.dyndns[.]org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  f0420708c417376a52121f0a83c25a8b2051fffa5b3365205c34ac56e3d0065d
  File name:  Document_yahoo.doc
  File size:  203,776 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  b74663fcbfa7570f86f42f7a2211ad6b2a5c4bc425a913d8733a7f2704ca7014
  File location:  C:\Users\[username]\AppData\Local\Temp\BN778F.tmp
  File size:  197,120 bytes
  File description:  DELoader/ZLoader

 

Click here to return to the main page.