2017-06-28 - HANCITOR MALSPAM (RINGCENTRAL FAX)

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-06-28-Hancitor-malspam-traffic.pcap.zip   9.3 MB (9,283,527 bytes)

• 2017-06-28-Hancitor-malspam-traffic.pcap   (10,102,479 bytes)

• ZIP archive of the malware:  2017-06-28-Hancitor-malspam-and-artifacts.zip   329 kB (328,942 bytes)

• 2017-06-28-Hancitor-malspam-140314-UTC.eml   (8,716 bytes)
• 2017-06-28-Hancitor-malspam-142551-UTC.eml   (8,712 bytes)
• 2017-06-28-Hancitor-malspam-143504-UTC.eml   (8,719 bytes)
• 2017-06-28-Hancitor-malspam-151209-UTC.eml   (8,715 bytes)
• 2017-06-28-Hancitor-malspam-160108-UTC.eml   (8,721 bytes)
• 2017-06-28-Hancitor-malspam-162417-UTC.eml   (8,720 bytes)
• 2017-06-28-Hancitor-malspam-163623-UTC.eml   (8,717 bytes)
• 2017-06-28-Hancitor-malspam-164557-UTC.eml   (8,725 bytes)
• 2017-06-28-Hancitor-malspam-165812-UTC.eml   (8,721 bytes)
• 2017-06-28-Hancitor-malspam-171623-UTC.eml   (8,723 bytes)
• 2017-06-28-Hancitor-malspam-175725-UTC.eml   (8,720 bytes)
• 2017-06-28-Hancitor-malspam-180522-UTC.eml   (8,718 bytes)
• 2017-06-28-Hancitor-malspam-180554-UTC.eml   (8,721 bytes)
• BNC3BB.tmp   (188,416 bytes)
• Ringcentral_Fax_654608.doc   (288,256 bytes)

 

SOME TWEETS COVERING THE 2017-06-28 WAVE OF #HANCITOR MALSPAM:

• @James_inthe_box:  New #hancitor run "New Fax Message from <phone number> on <date> at <time>   (link)
• @cheapbyte:  #hancitor #malspam #phishing Hancitor June 28 2017 links, URLs at ghostbin   (link)

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Wednesday 2017-06-28 as early as 14:03 UTC through at least 18:05 UTC
• From:  "RingCentral" <ringcentral@travelink-services.com>
• Subject:  New Fax Message from (305)-003-2774 on 06/28/2017 at 09:02 AM
• Subject:  New Fax Message from (305)-216-1424 on 06/28/2017 at 09:02 AM
• Subject:  New Fax Message from (305)-282-2820 on 06/28/2017 at 09:02 AM
• Subject:  New Fax Message from (305)-337-2748 on 06/28/2017 at 09:02 AM
• Subject:  New Fax Message from (305)-436-6110 on 06/28/2017 at 09:02 AM
• Subject:  New Fax Message from (305)-441-5456 on 06/28/2017 at 09:02 AM
• Subject:  New Fax Message from (305)-464-2036 on 06/28/2017 at 09:02 AM
• Subject:  New Fax Message from (305)-573-7800 on 06/28/2017 at 09:02 AM
• Subject:  New Fax Message from (305)-621-5853 on 06/28/2017 at 09:02 AM
• Subject:  New Fax Message from (305)-672-1683 on 06/28/2017 at 09:02 AM
• Subject:  New Fax Message from (305)-746-7840 on 06/28/2017 at 09:02 AM
• Subject:  New Fax Message from (305)-851-8471 on 06/28/2017 at 09:02 AM

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• AWAREARRESTALIGN.COM - GET /viewdoc/file.php?document=[base64 string]
• carbnfuel.com - GET /viewdoc/file.php?document=[base64 string]
• CARBONFULE.COM - GET /viewdoc/file.php?document=[base64 string]
• CATALINETICS.COM - GET /viewdoc/file.php?document=[base64 string]
• cognistix.net - GET /viewdoc/file.php?document=[base64 string]
• H2S2.INFO - GET /viewdoc/file.php?document=[base64 string]
• systemsmith.com - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Ringcentral_Fax__[six-digit number].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 137.74.150.55 port 80 - ranlingthetne.com - POST /ls5/forum.php
• 137.74.150.55 port 80 - ranlingthetne.com - POST /mlu/forum.php
• 137.74.150.55 port 80 - ranlingthetne.com - POST /d2/about.php
• 186.202.153.168 port 80 - www.prava.com.br - GET /wp-content/plugins/easy-captcha/1
• 186.202.153.168 port 80 - www.prava.com.br - GET /wp-content/plugins/easy-captcha/2
• 186.202.153.168 port 80 - www.prava.com.br - GET /wp-content/plugins/easy-captcha/3
• 91.121.198.229 port 80 - www.librodeapuntes.es - GET /wp-content/plugins/analytics_ga_plugin/2
• 91.121.198.229 port 80 - www.librodeapuntes.es - GET /wp-content/plugins/analytics_ga_plugin/3
• 91.201.214.170 port 80 - tounundhem.com - POST /bdl/gate.php
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  0cb34a9c52755ec21ad7eda70aecb961b9751441df65f93a928bf48819c2f7ae
  File name:  Ringcentral_Fax_654608.doc
  File size:  288,256 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  530e2d72776104e6f7b9ed23513ec1d33fb968697d665470b104f566ef30d33f
  File location:  C:\Users\[username]\AppData\Local\Temp\BNC3BB.tmp
  File size:  188,416 bytes
  File description:  DELoader/ZLoader

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-06-28-Hancitor-malspam-traffic.pcap.zip   9.3 MB (9,283,527 bytes)
• ZIP archive of the malware:  2017-06-28-Hancitor-malspam-and-artifacts.zip   329 kB (328,942 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.