2017-06-14 - HANCITOR MALSPAM (FAKE ADP BILL)
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-06-14-Hancitor-malspam-traffic.pcap.zip 9.9 MB (9,880,287 bytes)
- 2017-06-14-Hancitor-malspam-traffic.pcap (10,505,738 bytes)
- ZIP archive of the malware: 2017-06-14-Hancitor-malspam-and-artifacts.zip 267 kB (266,852 bytes)
- 2017-06-14-Hancitor-malspam-1505-UTC.eml (1,533 bytes)
- 2017-06-14-Hancitor-malspam-1626-UTC.eml (1,528 bytes)
- 2017-06-14-Hancitor-malspam-1727-UTC.eml (1,527 bytes)
- 2017-06-14-Hancitor-malspam-1747-UTC.eml (1,526 bytes)
- 2017-06-14-Hancitor-malspam-1750-UTC.eml (1,529 bytes)
- 2017-06-14-Hancitor-malspam-1945-UTC.eml (1,527 bytes)
- 2017-06-14-Hancitor-malspam-2028-UTC.eml (1,524 bytes)
- ADP_Bill_yahoo.doc (247,296 bytes)
- BND058.tmp (199,680 bytes)
SOME TWEETS ABOUT TODAY'S #HANCITOR MALSPAM:
- @cheapbyte: #hancitor #pony #malware #phishing Hancitor Phishing email is ADP today, here are the links in text (link)
- @James_inthe_box: Incoming #hancitor run, "Your ADP for is ready!" (link)
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date: Wednesday 2017-06-14 as early as 15:05 UTC through at least 20:28 UTC
- From: "ADP Billing" <adp@lexalp.com>
- Subject: Your ADP bill [6-digit number] for [recipient's email address] is ready!
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE WORD DOCUMENT:
- equaldayequalpay.info - GET /viewdoc/file.php?document=[base64 string]
- lyftreviewer.com - GET /viewdoc/file.php?document=[base64 string]
- TEQUILACLUBUS.ORG - GET /viewdoc/file.php?document=[base64 string]
- uberattitude.com - GET /viewdoc/file.php?document=[base64 string]
- ubertooter.com - GET /viewdoc/file.php?document=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENTS:
- ADP_Bill_[recipient's email domain, minus the suffix].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 95.169.184.25 port 80 - rirethenheg.com - POST /ls5/forum.php
- 95.169.184.25 port 80 - rirethenheg.com - POST /mlu/forum.php
- 95.169.184.25 port 80 - rirethenheg.com - POST /d1/about.php
- 50.23.16.14 port 80 - realassist.ca - GET /wp-content/plugins/getsocial/1
- 50.23.16.14 port 80 - realassist.ca - GET /wp-content/plugins/getsocial/2
- 50.23.16.14 port 80 - realassist.ca - GET /wp-content/plugins/getsocial/3
- 80.67.160.70 port 80 - www.madeinla.fr - GET /wp-content/plugins/wordpress-importer/1
- 80.67.160.70 port 80 - www.madeinla.fr - GET /wp-content/plugins/wordpress-importer/2
- 80.67.160.70 port 80 - www.madeinla.fr - GET /wp-content/plugins/wordpress-importer/3
- 146.185.254.187 port 80 - johngasebed.ru - POST /bdl/gate.php
- api.ipify.org - GET /
- checkip.dyndns.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
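The request patterns listed above (the maldoc link with a base64 document parameter, Hancitor POSTs to forum.php/about.php, the numbered stage downloads from compromised WordPress plugin paths, the ZLoader gate.php POST, and the external IP lookups) can be turned into proxy-log detection logic. The following script is an added example, not part of the original write-up or of any vendor tool; the log format ("epoch client_ip method url") and the log lines themselves are constructed for the demonstration, with hosts and paths mirroring the indicators above.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed proxy log lines in the shape "<epoch> <client_ip> <method> <url>".
# They are NOT taken from the page's pcap; hosts and paths mirror the
# indicators listed above, plus two benign-looking lines for contrast.
SAMPLE_LOG = """\
1497452700 10.0.0.5 GET http://equaldayequalpay.info/viewdoc/file.php?document=dXNlckBleGFtcGxlLmNvbQ==
1497452760 10.0.0.5 GET http://api.ipify.org/
1497452765 10.0.0.5 POST http://rirethenheg.com/ls5/forum.php
1497452770 10.0.0.5 GET http://realassist.ca/wp-content/plugins/getsocial/1
1497452775 10.0.0.5 GET http://www.madeinla.fr/wp-content/plugins/wordpress-importer/2
1497452780 10.0.0.5 POST http://johngasebed.ru/bdl/gate.php
1497452800 10.0.0.9 GET http://example.com/wp-content/plugins/getsocial/readme.txt
1497452810 10.0.0.9 GET http://checkip.dyndns.org/
"""

# Patterns derived from the request lists on this page.
MALDOC_PATH = "/viewdoc/file.php"
HANCITOR_C2 = re.compile(r"^/[a-z0-9]+/(forum|about)\.php$")
STAGE_DOWNLOAD = re.compile(r"^/wp-content/plugins/[^/]+/[123]$")
ZLOADER_GATE = re.compile(r"/gate\.php$")
IP_CHECK_HOSTS = {"api.ipify.org", "checkip.dyndns.org"}


def looks_base64(value: str) -> bool:
    """True if value is valid, padded base64 (shape of the maldoc link's document parameter)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify(line: str):
    """Map one log line to (client_ip, label); label is None for traffic that matches nothing."""
    _ts, client, method, url = line.split()
    parsed = urlparse(url)
    host, path = parsed.netloc.lower(), parsed.path
    query = parse_qs(parsed.query)

    if method == "GET" and path == MALDOC_PATH and any(looks_base64(v) for v in query.get("document", [])):
        return client, "maldoc_download"
    if method == "POST" and HANCITOR_C2.match(path):
        return client, "hancitor_c2"
    if method == "GET" and STAGE_DOWNLOAD.match(path):
        return client, "stage_download"
    if method == "POST" and ZLOADER_GATE.search(path):
        return client, "zloader_gate"
    if host in IP_CHECK_HOSTS:
        return client, "ip_check"
    return client, None


def scan(log_text: str) -> dict:
    """Group matched labels per client IP, preserving order of appearance."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, label = classify(line)
        if label:
            hits[client].append(label)
    return dict(hits)


def flag_infected(hits: dict) -> list:
    """Flag a client only when a Hancitor C2 check-in is corroborated by another stage.
    An external IP lookup on its own is far too common in normal traffic to alert on."""
    flagged = []
    for client, labels in hits.items():
        seen = set(labels)
        if "hancitor_c2" in seen and seen & {"maldoc_download", "stage_download", "zloader_gate", "ip_check"}:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for client, labels in hits.items():
        print(client, labels)
    print("flagged:", flag_infected(hits))
```

Run against the constructed sample, only 10.0.0.5 is flagged: it shows the full chain, while 10.0.0.9 only performed an IP lookup and fetched a plugin readme, neither of which matches the numbered stage path or the C2 POST shape. Requiring corroboration across stages is what keeps the IP-check indicator usable without drowning the alert in false positives.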
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: d42faa3ddbc3a60a3d59c1e20678b484dc66bdb0b4982ab8626e97cd644d713b
  File name: ADP_Bill_yahoo.doc
  File size: 247,296 bytes
  File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: f90d0aab0987644f48baba6f5e9f79b74897fa3fa20ddc61f8cc78ea7d16b42e
  File location: C:\Users\[username]\AppData\Local\Temp\BND058.tmp
  File size: 199,680 bytes
  File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-06-14-Hancitor-malspam-traffic.pcap.zip 9.9 MB (9,880,287 bytes)
- ZIP archive of the malware: 2017-06-14-Hancitor-malspam-and-artifacts.zip 267 kB (266,852 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.