2017-06-12 - HANCITOR MALSPAM (DOCUSIGN-THEMED)
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-06-12-Hancitor-malspam-traffic.pcap.zip 9.8 MB (9,754,581 bytes)
- 2017-06-12-Hancitor-malspam-traffic.pcap (10,273,532 bytes)
- ZIP archive of the malware: 2017-06-12-Hancitor-artifacts.zip 260 kB (260,302 bytes)
- BN1506.tmp (181,760 bytes)
- Invoice_yahoo.doc (217,088 bytes)
SOME TWITTER ACCOUNTS THAT TWEETED ABOUT TODAY'S #HANCITOR MALSPAM:
- @cheapbyte (see this one for more indicators)
- @maciekkotowicz (link)
- @rawintelsec (link)
EMAILS
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date: Monday 2017-06-12 as early as 16:29 UTC through at least 20:01 UTC
- From: "William Scott via DocuSign" <william_scott@flexovitportal.com>
- Subject: Please review your document Invoice 1580227 for [recipient's email domain]
- Subject: Please review your document Invoice 1758741 for [recipient's email domain]
- Subject: Please review your document Invoice 3251851 for [recipient's email domain]
- Subject: Please review your document Invoice 4844170 for [recipient's email domain]
- Subject: Please review your document Invoice 6603507 for [recipient's email domain]
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE WORD DOCUMENT:
- CMGPLACEMENT.NET - GET /file.php?document=[base64 string]
- digitalactionist.com - GET /file.php?document=[base64 string]
- EXPLORIST.CO.IN - GET /file.php?document=[base64 string]
- krishnadress.com - GET /file.php?document=[base64 string]
- MYSAFERRETIREMENT.COM - GET /file.php?document=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENTS:
- Invoice_[recipient's email domain, minus the suffix].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 185.173.178.177 port 80 - gaparugret.com - POST /ls5/forum.php
- 185.173.178.177 port 80 - gaparugret.com - POST /mlu/forum.php
- 185.173.178.177 port 80 - gaparugret.com - POST /d1/about.php
- 66.7.198.115 port 80 - controlzeta.cl - GET /wp-content/plugins/contact-form-7/includes/1
- 66.7.198.115 port 80 - controlzeta.cl - GET /wp-content/plugins/contact-form-7/includes/2
- 66.7.198.115 port 80 - controlzeta.cl - GET /wp-content/plugins/contact-form-7/includes/3
- 176.103.48.219 port 80 - evengtounty.com - POST /bdl/gate.php
- api.ipify.org - GET /
- checkip.dyndns.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 594ab467454aafa64fc6bbf2b4aa92f7628d5861560eee1155805bd0987dbac3
File name: Invoice_yahoo.doc
File size: 217,088 bytes
File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 79ae923717f27dedc7b9357f753d3973a49ac2e9dab78a9d57c3c738c08aec74
File location: C:\Users\[username]\AppData\Local\Temp\BN1506.tmp
File size: 181,760 bytes
File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-06-12-Hancitor-malspam-traffic.pcap.zip 9.8 MB (9,754,581 bytes)
- ZIP archive of the malware: 2017-06-12-Hancitor-artifacts.zip 260 kB (260,302 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.