2017-06-07 - HANCITOR MALSPAM (GOOGLE DOCS-THEMED)
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-06-07-Hancitor-malspam-traffic.pcap.zip 8.4 MB (8,448,465 bytes)
- 2017-06-07-Hancitor-malspam-traffic.pcap (9,005,351 bytes)
- ZIP archive of the malware: 2017-06-07-Hancitor-malspam-and-artifacts.zip 249 kB (249,000 bytes)
- 2017-06-07-Hancitor-malspam-1430-UTC.eml (3,302 bytes)
- 2017-06-07-Hancitor-malspam-1447-UTC.eml (3,293 bytes)
- 2017-06-07-Hancitor-malspam-1513-UTC.eml (3,300 bytes)
- BN778F.tmp (197,120 bytes)
- Document_yahoo.doc (203,776 bytes)
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date: Wednesday 2017-06-07 as early as 14:30 UTC through at least 15:13 UTC
- From: "Google Docs" <accounting@thomewaterproofing.com>
- Subject: accounting@[recipient's email domain] has sent you a document through Google Docs
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE WORD DOCUMENT:
- 93.95.97.125 port 80 - fenixconnection.com - GET /viewdoc/file.php?document=[base64 string]
- 93.95.97.125 port 80 - PAMTHELANDGAL.COM - GET /viewdoc/file.php?document=[base64 string]
- 93.95.97.125 port 80 - tee2green.org - GET /viewdoc/file.php?document=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENTS:
- Document_[recipient's email domain, minus the suffix].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 88.214.236.156 port 80 - bettontgotbab.com - POST /ls5/forum.php
- 88.214.236.156 port 80 - bettontgotbab.com - POST /mlu/forum.php
- 88.214.236.156 port 80 - bettontgotbab.com - POST /d1/about.php
- 37.152.88.6 port 80 - www.valdelomarasesores.com - GET /1
- 37.152.88.6 port 80 - www.valdelomarasesores.com - GET /2
- 37.152.88.6 port 80 - www.valdelomarasesores.com - GET /3
- 185.17.121.22 port 80 - foonlachim.ru - POST /bdl/gate.php
- api.ipify.org - GET /
- checkip.dyndns.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
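The requests listed above follow a recognisable order: a GET for the maldoc with a base64 `document=` parameter, POSTs to the Hancitor `forum.php`/`about.php` handlers, GETs for the numbered payloads, a POST to a `gate.php`, and finally a public-IP lookup. The triage script below is an added example (not code from this site) that runs that sequence as detection logic over constructed proxy log lines; it matches on the URL path shapes rather than the exact domains, so it generalises beyond the hosts seen today, and the stage labels are my own naming.

```python
import re
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not taken from the pcap): "<client> <method> <url>"
SAMPLE_LOG = """\
10.0.0.5 GET http://fenixconnection.com/viewdoc/file.php?document=dXNlckBleGFtcGxlLmNvbQ==
10.0.0.5 POST http://bettontgotbab.com/ls5/forum.php
10.0.0.5 GET http://www.valdelomarasesores.com/1
10.0.0.5 POST http://foonlachim.ru/bdl/gate.php
10.0.0.5 GET http://api.ipify.org/
10.0.0.7 GET http://intranet.example.net/viewdoc/file.php?document=notbase64!!
10.0.0.7 GET http://www.example.com/index.html
"""

# Stage labels (my naming) keyed to the method and URL-path shape of each step in the chain.
STAGE_PATTERNS = [
    ("maldoc-download", "GET",  re.compile(r"/viewdoc/file\.php$")),
    ("hancitor-c2",     "POST", re.compile(r"/(forum|about)\.php$")),
    ("payload-fetch",   "GET",  re.compile(r"^/\d$")),
    ("gate-checkin",    "POST", re.compile(r"/gate\.php$")),
]
IP_CHECK_HOSTS = {"api.ipify.org", "checkip.dyndns.org"}

def is_base64(value):
    """True if value is non-empty, canonical, padded base64 (as the document= parameter was)."""
    try:
        return bool(value) and base64.b64encode(base64.b64decode(value, validate=True)).decode() == value
    except (ValueError, UnicodeDecodeError):
        return False

def classify(method, url):
    """Return the stage label for one request, or None if it matches nothing in the chain."""
    parts = urlsplit(url)
    if parts.hostname in IP_CHECK_HOSTS:
        return "external-ip-check"
    for label, want_method, pattern in STAGE_PATTERNS:
        if method == want_method and pattern.search(parts.path):
            if label == "maldoc-download":
                doc = parse_qs(parts.query).get("document", [""])[0]
                if not is_base64(doc):
                    return None  # same path shape, but not the base64-tagged download
            return label
    return None

def triage(log_text):
    """Map each client IP to the ordered list of chain stages it was seen requesting."""
    hits = {}
    for line in log_text.splitlines():
        client, method, url = line.split(maxsplit=2)
        label = classify(method, url)
        if label:
            hits.setdefault(client, []).append(label)
    return hits
```

A client that shows several stages in order is a far stronger signal than any single path match, so alert on the sequence per host rather than on individual lines.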
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: f0420708c417376a52121f0a83c25a8b2051fffa5b3365205c34ac56e3d0065d
  - File name: Document_yahoo.doc
  - File size: 203,776 bytes
  - File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: b74663fcbfa7570f86f42f7a2211ad6b2a5c4bc425a913d8733a7f2704ca7014
  - File location: C:\Users\[username]\AppData\Local\Temp\BN778F.tmp
  - File size: 197,120 bytes
  - File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-06-07-Hancitor-malspam-traffic.pcap.zip 8.4 MB (8,448,465 bytes)
- ZIP archive of the malware: 2017-06-07-Hancitor-malspam-and-artifacts.zip 249 kB (249,000 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.