2017-06-26 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-26-Hancitor-infection-with-ZLoader.pcap.zip   9.0 MB (9,043,926 bytes)

• 2017-06-26-Hancitor-infection-with-ZLoader.pcap   (9,721,184 bytes)

• 2017-06-26-Hancitor-malspam-10-examples.zip   11.4 kB (11,447 bytes)

• 2017-06-26-Hancitor-malspam-1548-UTC.eml   (1,924 bytes)
• 2017-06-26-Hancitor-malspam-1552-UTC.eml   (1,925 bytes)
• 2017-06-26-Hancitor-malspam-1556-UTC.eml   (1,931 bytes)
• 2017-06-26-Hancitor-malspam-1557-UTC.eml   (1,922 bytes)
• 2017-06-26-Hancitor-malspam-1613-UTC.eml   (1,924 bytes)
• 2017-06-26-Hancitor-malspam-1626-UTC.eml   (1,930 bytes)
• 2017-06-26-Hancitor-malspam-1754-UTC.eml   (1,924 bytes)
• 2017-06-26-Hancitor-malspam-1828-UTC.eml   (1,927 bytes)
• 2017-06-26-Hancitor-malspam-1927-UTC.eml   (1,927 bytes)
• 2017-06-26-Hancitor-malspam-1938-UTC.eml   (1,933 bytes)

• 2017-06-26-malware-from-Hancitor-infection.zip   252.4 kB (252,387 bytes)

• BN5466.tmp   (186,368 bytes)
• Invoice_yahoo.doc   (221,696 bytes)

 

A BLOG POST AND SOME TWEETS COVERING THE 2017-06-26 WAVE OF #HANCITOR MALSPAM:

• @cheapbyte:  #hancitor #malspam #phishing Hancitor Phishing links June 26, 2017 URLs in text on ghostbin.com   (link)
• @James_inthe_box:  This has all the same players as the "usual" #hancitor run: #zloader #pony and that weird #evilpony   (link)

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Monday 2017-06-26 as early as 15:48 UTC through at least 19:38 UTC
• From:  "ADP Payroll" <run.payroll.invoice@performancesales[.]com>
• Subject:  ADP Payroll Invoice for week ending 06/24/2017 - 02406. Invoice: 01068880
• Subject:  ADP Payroll Invoice for week ending 06/24/2017 - 02406. Invoice: 05866353
• Subject:  ADP Payroll Invoice for week ending 06/24/2017 - 02406. Invoice: 13104356
• Subject:  ADP Payroll Invoice for week ending 06/24/2017 - 02406. Invoice: 43710578
• Subject:  ADP Payroll Invoice for week ending 06/24/2017 - 02406. Invoice: 46575423
• Subject:  ADP Payroll Invoice for week ending 06/24/2017 - 02406. Invoice: 55157316
• Subject:  ADP Payroll Invoice for week ending 06/24/2017 - 02406. Invoice: 58861681
• Subject:  ADP Payroll Invoice for week ending 06/24/2017 - 02406. Invoice: 60074612
• Subject:  ADP Payroll Invoice for week ending 06/24/2017 - 02406. Invoice: 60511545
• Subject:  ADP Payroll Invoice for week ending 06/24/2017 - 02406. Invoice: 88040420

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• DSGLIFEINSURANCE[.]COM - GET /viewdoc/file.php?document=[base64 string]
• DSGWELLNESS365[.]COM - GET /viewdoc/file.php?document=[base64 string]
• ENROLLNOWONLINE[.]COM - GET /viewdoc/file.php?document=[base64 string]
• FORTWORTHHEALTHEXCHANGE[.]COM - GET /viewdoc/file.php?document=[base64 string]
• thepillownurse[.]info - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Invoice_[recipient's email domain, minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 146.120.110[.]121 port 80 - dintrolletone[.]com - POST /ls5/forum.php
• 146.120.110[.]121 port 80 - dintrolletone[.]com - POST /mlu/forum.php
• 146.120.110[.]121 port 80 - dintrolletone[.]com - POST /d1/about.php
• 177.93.111[.]181 port 80 - pousadaruralsolardosventos[.]com - GET /wp-content/plugins/google-maps-widget/1
• 177.93.111[.]181 port 80 - pousadaruralsolardosventos[.]com - GET /wp-content/plugins/google-maps-widget/2
• 177.93.111[.]181 port 80 - pousadaruralsolardosventos[.]com - GET /wp-content/plugins/google-maps-widget/3
• 176.31.200[.]66 port 80 - cajohnorro[.]com - POST /bdl/gate.php
• api.ipify[.]org - GET /
• checkip.dyndns[.]org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  f9efadc1f2ff65179f005704fafaf63b7d8f6d9bb6be3e08329126634df2d333
  File name:  Invoice_yahoo.doc
  File size:  221,696 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  99ca5f7573cfb2f0c6bbc8b544ef67900a371de4ceed532569e0c4ae10a56859
  File location:  C:\Users\[username]\AppData\Local\Temp\BN5466.tmp
  File size:  186,368 bytes
  File description:  DELoader/ZLoader

 

Click here to return to the main page.