2017-06-27 - HANCITOR MALSPAM (INVOICE PROBLEM)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 22017-06-27-Hancitor-infection-with-ZLoader.pcap.zip   8.5 MB (8,531,510 bytes)

• 2017-06-27-Hancitor-infection-with-ZLoader.pcap   (9,200,955 bytes)

• 2017-06-27-Hancitor-malspam-3-examples.zip   3.6 kB (3,645 bytes)

• 2017-06-27-Hancitor-malspam-1737-UTC.eml   (1,551 bytes)
• 2017-06-27-Hancitor-malspam-1743-UTC.eml   (1,556 bytes)
• 2017-06-27-Hancitor-malspam-1759-UTC.eml   (1,544 bytes)

• 2017-06-27-malware-from-Hancitor-infection.zip   240.0 kB (240,015 bytes)

• BNEA00.tmp   (188,928 bytes)
• Invoice_129383.doc   (169,472 bytes)

 

SOME TWEETS COVERING THE 2017-06-27 WAVE OF #HANCITOR MALSPAM:

• @James_inthe_box:  Incoming #hancitor; "Re: invoice problem" links and c2   (link)
• @cheapbyte:  #hancitor #malspam #phishing Hancitor links June 27, 2017 huge number of links in text at Ghostbin   (link)

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Tuesday 2017-06-27 as early as 17:37 UTC through at least 17:59 UTC
• From:  "james.holt@grandrealtyusa[.]com" <james.holt@grandrealtyusa[.]com>
• Subject:  Re: invoice 67810072 problem
• Subject:  Re: invoice 67810072 problem
• Subject:  Re: invoice 67810072 problem

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• 2015FORDMUSTANGPARTS[.]COM - GET /viewdoc/file.php?document=[base64 string]
• akrapovicexhaustsystems[.]com - GET /viewdoc/file.php?document=[base64 string]
• pokemongoboulder[.]com - GET /viewdoc/file.php?document=[base64 string]
• SERENITYKATY[.]NET - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Invoice_[six-digit number].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 195.54.162[.]66 port 80 - rototmidi[.]com - POST /ls5/forum.php
• 195.54.162[.]66 port 80 - rototmidi[.]com - POST /mlu/forum.php
• 195.54.162[.]66 port 80 - rototmidi[.]com - POST /d2/about.php
• 62.210.16[.]62 port 80 - bretagne[.]plus - GET /wp-content/plugins/google-analyticator/1
• 62.210.16[.]62 port 80 - bretagne[.]plus - GET /wp-content/plugins/google-analyticator/4
• 62.210.16[.]62 port 80 - bretagne[.]plus - GET /wp-content/plugins/google-analyticator/3
• 146.185.243[.]152 port 80 - undtinjohnaning[.]com - POST /bdl/gate.php
• api.ipify[.]org - GET /
• checkip.dyndns[.]org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  e9f8b7b9faa8a61257c42ecec480c1a0b8855e7514122c7060c89f4ced2d592b
  File name:  Invoice_129383.doc
  File size:  169,472 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  e14982a13558812873982069243872ca703c9a3e21e7e9b31ff3e0062e368b68
  File location:  C:\Users\[username]\AppData\Local\Temp\BNEA00.tmp
  File size:  188,928 bytes
  File description:  DELoader/ZLoader

 

Click here to return to the main page.