2017-06-29 - HANCITOR MALSPAM (GOOGLE DOCS)
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-06-29-Hancitor-malspam-traffic.pcap.zip 8.8 MB (8,772,650 bytes)
- 2017-06-29-Hancitor-malspam-traffic.pcap (9,399,867 bytes)
- ZIP archive of the malware: 2017-06-29-Hancitor-malspam-and-artifacts.zip 254 kB (253,762 bytes)
- 2017-06-29-Hancitor-malspam-152244-UTC.eml (3,540 bytes)
- 2017-06-29-Hancitor-malspam-152359-UTC.eml (3,526 bytes)
- 2017-06-29-Hancitor-malspam-160017-UTC.eml (3,535 bytes)
- 2017-06-29-Hancitor-malspam-160354-UTC.eml (3,535 bytes)
- 2017-06-29-Hancitor-malspam-161741-UTC.eml (3,545 bytes)
- 2017-06-29-Hancitor-malspam-173356-UTC.eml (3,532 bytes)
- BN8B1F.tmp (209,920 bytes)
- Subpoena_yahoo.doc (194,048 bytes)
A BLOG POST AND SOME TWEETS COVERING THE 2017-06-29 WAVE OF #HANCITOR MALSPAM:
- Broadanalysis.com blog post: Hancitor 2017-06-29 MalSpam (link)
- @fletchsec: #hancitor run, Subject: You have received a new document!, Sender: james@consultechmgt.com Links and hancitor C2: (Ghostbin link) (link)
- @James_inthe_box: And #hancitor "You have received a new document!" (Ghostbin link / Threatcrowd.org link) (link)
- @cheapbyte: #hancitor #malspam #phishing Hancitor links, now include multiple malware delivery sites, txt at Ghostbin (link)
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date: Thursday 2017-06-29 as early as 15:22 UTC through at least 17:33 UTC
- From: "Google Documents" <james@consultechmgt.com>
- Subject: You have received a new document!
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE WORD DOCUMENT:
- ALLENSMECHANICAL.BIZ - GET /viewdoc/file.php?document=[base64 string]
- allensmechanical.net - GET /viewdoc/file.php?document=[base64 string]
- correspondentfunding.com - GET /viewdoc/file.php?document=[base64 string]
- FROGMAN-SCUBA.COM - GET /viewdoc/file.php?document=[base64 string]
- HAVEFUNMAKEMONEYHELPPEOPLE.COM - GET /viewdoc/file.php?document=[base64 string]
- ranermed.com - GET /viewdoc/file.php?document=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENTS:
- Subpoena_[recipient's email domain minus the suffix].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 137.74.150.55 port 80 - batbetorzen.com - POST /ls5/forum.php
- 137.74.150.55 port 80 - batbetorzen.com - POST /mlu/forum.php
- 137.74.150.55 port 80 - batbetorzen.com - POST /d2/about.php
- 193.228.150.200 port 80 - transoffice.org - GET /wp-content/plugins/ink-indication/1
- 193.228.150.200 port 80 - transoffice.org - GET /wp-content/plugins/ink-indication/2
- 193.228.150.200 port 80 - transoffice.org - GET /wp-content/plugins/ink-indication/3
- 83.217.11.130 port 80 - repwasswithhow.com - POST /bdl/gate.php
- api.ipify.org - GET /
- checkip.dyndns.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: f4f026fbe3df5ee8ed848bd844fffb72b63006cfa8d1f053a9f3ee4c271e9188
File name: Subpoena_yahoo.doc
File size: 194,048 bytes
File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 8bf110d38b3084d065f975da641fd0ae2ae672f607e6c30cf5544699770dc905
File location: C:\Users\[username]\AppData\Local\Temp\BN8B1F.tmp.tmp
File size: 209,920 bytes
File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-06-29-Hancitor-malspam-traffic.pcap.zip 8.8 MB (8,772,650 bytes)
- ZIP archive of the malware: 2017-06-29-Hancitor-malspam-and-artifacts.zip 254 kB (253,762 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.