2017-06-08 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-08-Hancitor-infection-with-ZLoader.pcap.zip   8.3 MB (8,253,203 bytes)

• 2017-06-08-Hancitor-malspam-traffic.pcap   (8,831,992 bytes)

• 2017-06-08-Hancitor-malspam-5-examples.zip   7.4 kB (7,415 bytes)

• 2017-06-08-Hancitor-malspam-1520-UTC.eml   (3,613 bytes)
• 2017-06-08-Hancitor-malspam-1529-UTC.eml   (3,613 bytes)
• 2017-06-08-Hancitor-malspam-1549-UTC.eml   (3,616 bytes)
• 2017-06-08-Hancitor-malspam-1644-UTC.eml   (3,607 bytes)
• 2017-06-08-Hancitor-malspam-1650-UTC.eml   (3,602 bytes)

• 2017-06-08-malware-from-Hancitor-infection.zip   253.6 kB (253,556 bytes)

• BN730D.tmp   (202,752 bytes)
• Payment_Invoice_yahoo.doc   (199,168 bytes)

 

SOME TWITTER ACCOUNTS THAT TWEETED ABOUT TODAY'S #HANCITOR MALSPAM:

• @cheapbyte   (link)
• @James_inthe_box   (link)

 

EMAILS

Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

• Date:  Thursday 2017-06-08 as early as 15:20 UTC through at least 16:50 UTC
• From:  "Dropbox" <dropbox@veintrain[.]com>
• Subject:  Dropbox Reminder - Casey Smith has shared a document with you.

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• 52.15.91[.]247 port 80 - brri[.]in - GET /viewdoc/file.php?document=[base64 string]
• 52.15.91[.]247 port 80 - bucksinvestmentgroup[.]com - GET /viewdoc/file.php?document=[base64 string]
• 52.15.91[.]247 port 80 - BUCKSREALESTATECENTER[.]COM - GET /viewdoc/file.php?document=[base64 string]
• 184.168.221[.]51 port 80 - gottliebfamilypartnership[.]com - GET /viewdoc/file.php?document=[base64 string]
• 184.168.221[.]30 port 80 - laceyagency[.]com - GET /viewdoc/file.php?document=[base64 string]
• 52.15.91[.]247 port 80 - nhphomes[.]com - GET /viewdoc/file.php?document=[base64 string]
• 52.15.91[.]247 port 80 - PILOTCLUBLIFELINE[.]COM - GET /viewdoc/file.php?document=[base64 string]
• 52.15.91[.]247 port 80 - SAFELIFESENIORSC[.]COM - GET /viewdoc/file.php?document=[base64 string]
• 52.15.91[.]247 port 80 - scottshelp[.]com - GET /viewdoc/file.php?document=[base64 string]
• 52.15.91[.]247 port 80 - selectionsmaricopa[.]com - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Payment_Invoice_[recipient's email domain, minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 91.230.211[.]174 port 80 - tohageheg[.]com - POST /ls5/forum.php
• 91.230.211[.]174 port 80 - tohageheg[.]com - POST /mlu/forum.php
• 91.230.211[.]174 port 80 - tohageheg[.]com - POST /d1/about.php
• 195.42.120[.]213 port 80 - www.av-signage[.]de - GET /wp-content/plugins/fourteen-colors/1
• 195.42.120[.]213 port 80 - www.av-signage[.]de - GET /wp-content/plugins/fourteen-colors/2
• 195.42.120[.]213 port 80 - www.av-signage[.]de - GET /wp-content/plugins/fourteen-colors/3
• 95.47.161[.]46 port 80 - suphersun[.]ru - POST /bdl/gate.php
• api.ipify[.]org - GET /
• checkip.dyndns[.]org - GET /
• Various IP addresses on various TCP ports - Tor traffic

OTHER INDICATORS FROM @CHEAPBYTE AND @JAMES_INTHE_BOX:

• 185.173.178[.]177 port 80 - downdintwiltit[.]ru - POST /ls5/forum.php
• 91.230.211[.]174 port 80 - lonemoning[.]ru - POST /ls5/forum.php

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  1c7f4150670158ab16e475f3641739d5adc40e191a64167f14c8c152be7fda82
  File name:  Payment_Invoice_yahoo.doc
  File size:  199,168 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  d9ebab1937abaad9bafbffbc4d434a034bbef141a78a22b200f7da1f026f4ad1
  File location:  C:\Users\[username]\AppData\Local\Temp\BN730D.tmp
  File size:  202,752 bytes
  File description:  DELoader/ZLoader

 

Click here to return to the main page.