2017-06-08 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

ASSOCIATED FILES:

  • 2017-06-08-Hancitor-malspam-traffic.pcap   (8,831,992 bytes)
  • 2017-06-08-Hancitor-malspam-1520-UTC.eml   (3,613 bytes)
  • 2017-06-08-Hancitor-malspam-1529-UTC.eml   (3,613 bytes)
  • 2017-06-08-Hancitor-malspam-1549-UTC.eml   (3,616 bytes)
  • 2017-06-08-Hancitor-malspam-1644-UTC.eml   (3,607 bytes)
  • 2017-06-08-Hancitor-malspam-1650-UTC.eml   (3,602 bytes)
  • BN730D.tmp   (202,752 bytes)
  • Payment_Invoice_yahoo.doc   (199,168 bytes)

 

SOME TWITTER ACCOUNTS THAT TWEETED ABOUT TODAY'S #HANCITOR MALSPAM:

 

EMAILS


Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENTS:

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

OTHER INDICATORS FROM @CHEAPBYTE AND @JAMES_INTHE_BOX:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

Click here to return to the main page.