2017-06-14 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-14-Hancitor-infection-with-ZLoader.pcap.zip   9.9 MB (9,880,287 bytes)

• 2017-06-14-Hancitor-infection-with-ZLoader.pcap   (10,505,738 bytes)

• 2017-06-14-Hancitor-malspam-7-examples.zip   7.7 kB (7,672 bytes)

• 2017-06-14-Hancitor-malspam-1505-UTC.eml   (1,533 bytes)
• 2017-06-14-Hancitor-malspam-1626-UTC.eml   (1,528 bytes)
• 2017-06-14-Hancitor-malspam-1727-UTC.eml   (1,527 bytes)
• 2017-06-14-Hancitor-malspam-1747-UTC.eml   (1,526 bytes)
• 2017-06-14-Hancitor-malspam-1750-UTC.eml   (1,529 bytes)
• 2017-06-14-Hancitor-malspam-1945-UTC.eml   (1,527 bytes)
• 2017-06-14-Hancitor-malspam-2028-UTC.eml   (1,524 bytes)

• 2017-06-14-malware-from-Hancitor-infection.zip   260.3 kB (260,340 bytes)

• ADP_Bill_yahoo.doc   (247,296 bytes)
• BND058.tmp   (199,680 bytes)

 

SOME TWEETS ABOUT TODAY'S #HANCITOR MALSPAM:

• @cheapbyte:  #hancitor #pony #malware #phishing Hancitor Phishing email is ADP today, here are the links in text   (link)
• @James_inthe_box:  Incoming #hancitor run, "Your ADP for is ready!"   (link)

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Wednesday 2017-06-14 as early as 15:05 UTC through at least 20:28 UTC
• From:  "ADP Billing" <adp@lexalp[.]com>
• Subject:  Your ADP bill [6-digit number] for [recipient's email address] is ready!

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• equaldayequalpay[.]info - GET /viewdoc/file.php?document=[base64 string]
• lyftreviewer[.]com - GET /viewdoc/file.php?document=[base64 string]
• TEQUILACLUBUS[.]ORG - GET /viewdoc/file.php?document=[base64 string]
• uberattitude[.]com - GET /viewdoc/file.php?document=[base64 string]
• ubertooter[.]com - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• ADP_Bill_[recipient's email domain, minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 95.169.184[.]25 port 80 - rirethenheg[.]com - POST /ls5/forum.php
• 95.169.184[.]25 port 80 - rirethenheg[.]com - POST /mlu/forum.php
• 95.169.184[.]25 port 80 - rirethenheg[.]com - POST /d1/about.php
• 50.23.16[.]14 port 80 - realassist[.]ca - GET /wp-content/plugins/getsocial/1
• 50.23.16[.]14 port 80 - realassist[.]ca - GET /wp-content/plugins/getsocial/2
• 50.23.16[.]14 port 80 - realassist[.]ca - GET /wp-content/plugins/getsocial/3
• 80.67.160[.]70 port 80 - www.madeinla[.]fr - GET /wp-content/plugins/wordpress-importer/1
• 80.67.160[.]70 port 80 - www.madeinla[.]fr - GET /wp-content/plugins/wordpress-importer/2
• 80.67.160[.]70 port 80 - www.madeinla[.]fr - GET /wp-content/plugins/wordpress-importer/3
• 146.185.254[.]187 port 80 - johngasebed[.]ru - POST /bdl/gate.php
• api.ipify[.]org - GET /
• checkip.dyndns[.]org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  d42faa3ddbc3a60a3d59c1e20678b484dc66bdb0b4982ab8626e97cd644d713b
  File name:  ADP_Bill_yahoo.doc
  File size:  247,296 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  f90d0aab0987644f48baba6f5e9f79b74897fa3fa20ddc61f8cc78ea7d16b42e
  File location:  C:\Users\[username]\AppData\Local\Temp\BND058.tmp
  File size:  199,680 bytes
  File description:  DELoader/ZLoader

 

Click here to return to the main page.