2017-06-14 - HANCITOR MALSPAM (FAKE ADP BILL)

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-06-14-Hancitor-malspam-traffic.pcap.zip   9.9 MB (9,880,287 bytes)

• 2017-06-14-Hancitor-malspam-traffic.pcap   (10,505,738 bytes)

• ZIP archive of the malware:  2017-06-14-Hancitor-malspam-and-artifacts.zip   267 kB (266,852 bytes)

• 2017-06-14-Hancitor-malspam-1505-UTC.eml   (1,533 bytes)
• 2017-06-14-Hancitor-malspam-1626-UTC.eml   (1,528 bytes)
• 2017-06-14-Hancitor-malspam-1727-UTC.eml   (1,527 bytes)
• 2017-06-14-Hancitor-malspam-1747-UTC.eml   (1,526 bytes)
• 2017-06-14-Hancitor-malspam-1750-UTC.eml   (1,529 bytes)
• 2017-06-14-Hancitor-malspam-1945-UTC.eml   (1,527 bytes)
• 2017-06-14-Hancitor-malspam-2028-UTC.eml   (1,524 bytes)
• ADP_Bill_yahoo.doc   (247,296 bytes)
• BND058.tmp   (199,680 bytes)

 

SOME TWEETS ABOUT TODAY'S #HANCITOR MALSPAM:

• @cheapbyte:  #hancitor #pony #malware #phishing Hancitor Phishing email is ADP today, here are the links in text   (link)
• @James_inthe_box:  Incoming #hancitor run, "Your ADP for is ready!"   (link)

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Wednesday 2017-06-14 as early as 15:05 UTC through at least 20:28 UTC
• From:  "ADP Billing" <adp@lexalp.com>
• Subject:  Your ADP bill [6-digit number] for [recipient's email address] is ready!

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• equaldayequalpay.info - GET /viewdoc/file.php?document=[base64 string]
• lyftreviewer.com - GET /viewdoc/file.php?document=[base64 string]
• TEQUILACLUBUS.ORG - GET /viewdoc/file.php?document=[base64 string]
• uberattitude.com - GET /viewdoc/file.php?document=[base64 string]
• ubertooter.com - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• ADP_Bill_[recipient's email domain, minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 95.169.184.25 port 80 - rirethenheg.com - POST /ls5/forum.php
• 95.169.184.25 port 80 - rirethenheg.com - POST /mlu/forum.php
• 95.169.184.25 port 80 - rirethenheg.com - POST /d1/about.php
• 50.23.16.14 port 80 - realassist.ca - GET /wp-content/plugins/getsocial/1
• 50.23.16.14 port 80 - realassist.ca - GET /wp-content/plugins/getsocial/2
• 50.23.16.14 port 80 - realassist.ca - GET /wp-content/plugins/getsocial/3
• 80.67.160.70 port 80 - www.madeinla.fr - GET /wp-content/plugins/wordpress-importer/1
• 80.67.160.70 port 80 - www.madeinla.fr - GET /wp-content/plugins/wordpress-importer/2
• 80.67.160.70 port 80 - www.madeinla.fr - GET /wp-content/plugins/wordpress-importer/3
• 146.185.254.187 port 80 - johngasebed.ru - POST /bdl/gate.php
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  d42faa3ddbc3a60a3d59c1e20678b484dc66bdb0b4982ab8626e97cd644d713b
  File name:  ADP_Bill_yahoo.doc
  File size:  247,296 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  f90d0aab0987644f48baba6f5e9f79b74897fa3fa20ddc61f8cc78ea7d16b42e
  File location:  C:\Users\[username]\AppData\Local\Temp\BND058.tmp
  File size:  199,680 bytes
  File description:  DELoader/ZLoader

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-06-14-Hancitor-malspam-traffic.pcap.zip   9.9 MB (9,880,287 bytes)
• ZIP archive of the malware:  2017-06-14-Hancitor-malspam-and-artifacts.zip   267 kB (266,852 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.