2017-06-12 - HANCITOR MALSPAM (DOCUSIGN-THEMED)

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-06-12-Hancitor-malspam-traffic.pcap.zip   9.8 MB (9,754,581 bytes)

• 2017-06-12-Hancitor-malspam-traffic.pcap   (10,273,532 bytes)

• ZIP archive of the malware:  2017-06-12-Hancitor-artifacts.zip   260 kB (260,302 bytes)

• BN1506.tmp   (181,760 bytes)
• Invoice_yahoo.doc   (217,088 bytes)

 

SOME TWITTER ACCOUNTS THAT TWEETED ABOUT TODAY'S #HANCITOR MALSPAM:

• @cheapbyte   (see this one for more indicators)
• @maciekkotowicz   (link)
• @rawintelsec   (link)

 

EMAILS

Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

• Date:  Monday 2017-06-12 as early as 16:29 UTC through at least 20:01 UTC
• From:  "William Scott via DocuSign" <william_scott@flexovitportal.com>
• Subject:  Please review your document Invoice 1580227 for [recipient's email domain]
• Subject:  Please review your document Invoice 1758741 for [recipient's email domain]
• Subject:  Please review your document Invoice 3251851 for [recipient's email domain]
• Subject:  Please review your document Invoice 4844170 for [recipient's email domain]
• Subject:  Please review your document Invoice 6603507 for [recipient's email domain]

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• CMGPLACEMENT.NET - GET /file.php?document=[base64 string]
• digitalactionist.com - GET /file.php?document=[base64 string]
• EXPLORIST.CO.IN - GET /file.php?document=[base64 string]
• krishnadress.com - GET /file.php?document=[base64 string]
• MYSAFERRETIREMENT.COM - GET /file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Invoice_[recipient's email domain, minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 185.173.178.177 port 80 - gaparugret.com - POST /ls5/forum.php
• 185.173.178.177 port 80 - gaparugret.com - POST /mlu/forum.php
• 185.173.178.177 port 80 - gaparugret.com - POST /d1/about.php
• 66.7.198.115 port 80 - controlzeta.cl - GET /wp-content/plugins/contact-form-7/includes/1
• 66.7.198.115 port 80 - controlzeta.cl - GET /wp-content/plugins/contact-form-7/includes/2
• 66.7.198.115 port 80 - controlzeta.cl - GET /wp-content/plugins/contact-form-7/includes/3
• 176.103.48.219 port 80 - evengtounty.com - POST /bdl/gate.php
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  594ab467454aafa64fc6bbf2b4aa92f7628d5861560eee1155805bd0987dbac3
  File name:  Invoice_yahoo.doc
  File size:  217,088 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  79ae923717f27dedc7b9357f753d3973a49ac2e9dab78a9d57c3c738c08aec74
  File location:  C:\Users\[username]\AppData\Local\Temp\BN1506.tmp
  File size:  181,760 bytes
  File description:  DELoader/ZLoader

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-06-12-Hancitor-malspam-traffic.pcap.zip   9.8 MB (9,754,581 bytes)
• ZIP archive of the malware:  2017-06-12-Hancitor-artifacts.zip   260 kB (260,302 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.