2017-06-28 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

ASSOCIATED FILES:

  • 2017-06-28-Hancitor-infection-with-ZLoader.pcap   (10,102,479 bytes)
  • 2017-06-28-Hancitor-malspam-140314-UTC.eml   (8,716 bytes)
  • 2017-06-28-Hancitor-malspam-142551-UTC.eml   (8,712 bytes)
  • 2017-06-28-Hancitor-malspam-143504-UTC.eml   (8,719 bytes)
  • 2017-06-28-Hancitor-malspam-151209-UTC.eml   (8,715 bytes)
  • 2017-06-28-Hancitor-malspam-160108-UTC.eml   (8,721 bytes)
  • 2017-06-28-Hancitor-malspam-162417-UTC.eml   (8,720 bytes)
  • 2017-06-28-Hancitor-malspam-163623-UTC.eml   (8,717 bytes)
  • 2017-06-28-Hancitor-malspam-164557-UTC.eml   (8,725 bytes)
  • 2017-06-28-Hancitor-malspam-165812-UTC.eml   (8,721 bytes)
  • 2017-06-28-Hancitor-malspam-171623-UTC.eml   (8,723 bytes)
  • 2017-06-28-Hancitor-malspam-175725-UTC.eml   (8,720 bytes)
  • 2017-06-28-Hancitor-malspam-180522-UTC.eml   (8,718 bytes)
  • 2017-06-28-Hancitor-malspam-180554-UTC.eml   (8,721 bytes)
  • BNC3BB.tmp   (188,416 bytes)
  • Ringcentral_Fax_654608.doc   (288,256 bytes)

 

SOME TWEETS COVERING THE 2017-06-28 WAVE OF #HANCITOR MALSPAM:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENTS:

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

Click here to return to the main page.