2017-06-07 - HANCITOR INFECTION WITH ZLOADER
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-06-07-Hancitor-infection-with-ZLoader.pcap.zip 8.4 MB (8,448,479 bytes)
- 2017-06-07-Hancitor-infection-with-ZLoader.pcap (9,005,351 bytes)
- 2017-06-07-Hancitor-malspam-3-examples.zip 4.8 kB (4,754 bytes)
- 2017-06-07-Hancitor-malspam-1430-UTC.eml (3,302 bytes)
- 2017-06-07-Hancitor-malspam-1447-UTC.eml (3,293 bytes)
- 2017-06-07-Hancitor-malspam-1513-UTC.eml (3,300 bytes)
- 2017-06-07-malware-from-Hancitor-infection.zip 245.1 kB (245,094 bytes)
- BN778F.tmp (197,120 bytes)
- Document_yahoo.doc (203,776 bytes)
SOME TWITTER ACCOUNTS THAT TWEETED ABOUT TODAY'S #HANCITOR ACTIVITY:
EMAILS
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date: Wednesday 2017-06-07 as early as 14:30 UTC through at least 15:13 UTC
- From: "Google Docs" <accounting@thomewaterproofing[.]com>
- Subject: accounting@[recipient's email domain] has sent you a document through Google Docs
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE WORD DOCUMENT:
- 93.95.97[.]125 port 80 - fenixconnection[.]com - GET /viewdoc/file.php?document=[base64 string]
- 93.95.97[.]125 port 80 - PAMTHELANDGAL[.]COM - GET /viewdoc/file.php?document=[base64 string]
- 93.95.97[.]125 port 80 - tee2green[.]org - GET /viewdoc/file.php?document=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENTS:
- Document_[recipient's email domain, minus the suffix].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 88.214.236[.]156 port 80 - bettontgotbab[.]com - POST /ls5/forum.php
- 88.214.236[.]156 port 80 - bettontgotbab[.]com - POST /mlu/forum.php
- 88.214.236[.]156 port 80 - bettontgotbab[.]com - POST /d1/about.php
- 37.152.88[.]6 port 80 - www.valdelomarasesores[.]com - GET /1
- 37.152.88[.]6 port 80 - www.valdelomarasesores[.]com - GET /2
- 37.152.88[.]6 port 80 - www.valdelomarasesores[.]com - GET /3
- 185.17.121[.]22 port 80 - foonlachim[.]ru - POST /bdl/gate.php
- api.ipify[.]org - GET /
- checkip.dyndns[.]org - GET /
- Various IP addresses on various TCP ports - Tor traffic
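The request patterns above (the /viewdoc/file.php?document=[base64] download, the POST check-ins to forum.php/about.php, the numbered GET /1, /2, /3 payload fetches, the gate.php POST, and the external IP lookups) are easy to turn into a triage rule set. The script below is an added example, not something from the original page or the pcap: it runs over constructed proxy-log lines that reuse the hosts and IPs listed here (the addresses for api.ipify.org and the benign host, and the base64 value, are made up), assumes a simple "src dst:port method host uri" log format, and generalizes the three check-in URLs into "any one-to-four character directory followed by forum.php or about.php" and the payload paths into "any purely numeric path". Those generalizations are assumptions, not something the page states.

```python
"""Flag Hancitor/ZLoader-style HTTP activity in proxy-log lines.

Added example, not code from the original page. Assumed log format:
    <src_ip> <dst_ip>:<dst_port> <method> <host> <uri>
The regexes below are generalized from the URLs listed on the page; that
generalization is an assumption.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines. Infection-chain hosts/IPs are the page's indicators;
# the ipify and example.com addresses and the base64 value are made up.
SAMPLE_LOG = """\
10.0.0.5 93.95.97.125:80 GET fenixconnection.com /viewdoc/file.php?document=Y29uc3RydWN0ZWQ=
10.0.0.5 88.214.236.156:80 POST bettontgotbab.com /ls5/forum.php
10.0.0.5 88.214.236.156:80 POST bettontgotbab.com /mlu/forum.php
10.0.0.5 88.214.236.156:80 POST bettontgotbab.com /d1/about.php
10.0.0.5 37.152.88.6:80 GET www.valdelomarasesores.com /1
10.0.0.5 37.152.88.6:80 GET www.valdelomarasesores.com /2
10.0.0.5 37.152.88.6:80 GET www.valdelomarasesores.com /3
10.0.0.5 185.17.121.22:80 POST foonlachim.ru /bdl/gate.php
10.0.0.5 198.51.100.7:80 GET api.ipify.org /
10.0.0.9 203.0.113.9:80 GET example.com /index.html
10.0.0.9 203.0.113.9:80 GET example.com /forum.php
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<uri>\S+)$"
)

# Assumed generalizations of the observed URLs (see lead-in).
CHECKIN_RE = re.compile(r"^/[a-z0-9]{1,4}/(forum|about)\.php$")  # /ls5/forum.php, /d1/about.php
PAYLOAD_RE = re.compile(r"^/\d+$")                                 # /1, /2, /3
GATE_RE = re.compile(r"/gate\.php$")                                # /bdl/gate.php
DOC_RE = re.compile(r"/viewdoc/file\.php$")                         # maldoc link from the malspam
IPCHECK_HOSTS = {"api.ipify.org", "checkip.dyndns.org"}


def is_base64(value):
    """True if value is non-empty, correctly padded base64 (the page only calls the
    parameter "a base64 string", so nothing is assumed about its decoded content)."""
    if not value or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify(method, host, uri):
    """Return a tag for one request, or None if it matches no pattern."""
    parts = urlsplit(uri)
    path = parts.path
    if method == "GET" and DOC_RE.search(path):
        doc = parse_qs(parts.query).get("document", [""])[0]
        return "maldoc_download" if is_base64(doc) else "maldoc_download_odd_param"
    if method == "POST" and CHECKIN_RE.match(path):
        return "hancitor_checkin"
    if method == "GET" and PAYLOAD_RE.match(path):
        return "hancitor_payload_fetch"
    if method == "POST" and GATE_RE.search(path):
        return "zloader_gate"
    if method == "GET" and host in IPCHECK_HOSTS:
        return "external_ip_check"
    return None


def triage(log_text):
    """Map each source IP to its ordered list of (tag, host, uri) hits."""
    hits = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line; skip rather than guess
        tag = classify(m["method"], m["host"], m["uri"])
        if tag:
            hits.setdefault(m["src"], []).append((tag, m["host"], m["uri"]))
    return hits


def likely_infected(tags):
    """A host that checked in to Hancitor C2 and also fetched a follow-up payload
    or reached a gate.php matches the chain described on the page."""
    s = set(tags)
    return "hancitor_checkin" in s and bool({"hancitor_payload_fetch", "zloader_gate"} & s)


if __name__ == "__main__":
    for src, events in triage(SAMPLE_LOG).items():
        tags = [t for t, _, _ in events]
        print(f"{src}: {'INFECTED' if likely_infected(tags) else 'review'}")
        for tag, host, uri in events:
            print(f"  {tag:24} {host} {uri}")
```

Single hits (an IP lookup, or one POST to a path ending in forum.php) are weak on their own; the value is in the sequence on one source host, which is why likely_infected() requires a check-in plus a follow-up fetch or gate contact before calling a host infected.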
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: f0420708c417376a52121f0a83c25a8b2051fffa5b3365205c34ac56e3d0065d
File name: Document_yahoo.doc
File size: 203,776 bytes
File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: b74663fcbfa7570f86f42f7a2211ad6b2a5c4bc425a913d8733a7f2704ca7014
File location: C:\Users\[username]\AppData\Local\Temp\BN778F.tmp
File size: 197,120 bytes
File description: DELoader/ZLoader