2017-06-29 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-29-Hancitor-infection-with-ZLoader.pcap.zip   8.8 MB (8,772,664 bytes)

• 2017-06-29-Hancitor-infection-with-ZLoader.pcap   (9,399,867 bytes)

• 2017-06-29-Hancitor-malspam-6-examples.zip   9.3 kB (9,259 bytes)

• 2017-06-29-Hancitor-malspam-152244-UTC.eml   (3,540 bytes)
• 2017-06-29-Hancitor-malspam-152359-UTC.eml   (3,526 bytes)
• 2017-06-29-Hancitor-malspam-160017-UTC.eml   (3,535 bytes)
• 2017-06-29-Hancitor-malspam-160354-UTC.eml   (3,535 bytes)
• 2017-06-29-Hancitor-malspam-161741-UTC.eml   (3,545 bytes)
• 2017-06-29-Hancitor-malspam-173356-UTC.eml   (3,532 bytes)

• 2017-06-29-malware-from-Hancitor-infection.zip   245.6 kB (245,585 bytes)

• BN8B1F.tmp   (209,920 bytes)
• Subpoena_yahoo.doc   (194,048 bytes)

 

A BLOG POST AND SOME TWEETS COVERING THE 2017-06-29 WAVE OF #HANCITOR MALSPAM:

• @fletchsec:  #hancitor run, Subject: You have received a new document!, Sender: james@consultechmgti[.]com Links and hancitor C2: (Ghostbin link)   (link)
• @James_inthe_box:  And #hancitor "You have received a new document!" (Ghostbin link / Threatcrowd.org link)   (link)
• @cheapbyte:  #hancitor #malspam #phishing Hancitor links, now include multiple malware delivery sites, txt at Ghostbin   (link)

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Thursday 2017-06-29 as early as 15:22 UTC through at least 17:33 UTC
• From:  "Google Documents" <james@consultechmgt[.]com>
• Subject:  You have received a new document!

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• ALLENSMECHANICAL[.]BIZ - GET /viewdoc/file.php?document=[base64 string]
• allensmechanical[.]net - GET /viewdoc/file.php?document=[base64 string]
• correspondentfunding[.]com - GET /viewdoc/file.php?document=[base64 string]
• FROGMAN-SCUBA[.]COM - GET /viewdoc/file.php?document=[base64 string]
• HAVEFUNMAKEMONEYHELPPEOPLE[.]COM - GET /viewdoc/file.php?document=[base64 string]
• ranermed[.]com - GET /viewdoc/file.php?document=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Subpoena_[recipient's email domain minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 137.74.150[.]55 port 80 - batbetorzen[.]com - POST /ls5/forum.php
• 137.74.150[.]55 port 80 - batbetorzen[.]com - POST /mlu/forum.php
• 137.74.150[.]55 port 80 - batbetorzen[.]com - POST /d2/about.php
• 193.228.150[.]200 port 80 - transoffice[.]org - GET /wp-content/plugins/ink-indication/1
• 193.228.150[.]200 port 80 - transoffice[.]org - GET /wp-content/plugins/ink-indication/2
• 193.228.150[.]200 port 80 - transoffice[.]org - GET /wp-content/plugins/ink-indication/3
• 83.217.11[.]130 port 80 - repwasswithhow[.]com - POST /bdl/gate.php
• api.ipify[.]org - GET /
• checkip.dyndns[.]org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  f4f026fbe3df5ee8ed848bd844fffb72b63006cfa8d1f053a9f3ee4c271e9188
  File name:  Subpoena_yahoo.doc
  File size:  194,048 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  8bf110d38b3084d065f975da641fd0ae2ae672f607e6c30cf5544699770dc905
  File location:  C:\Users\[username]\AppData\Local\Temp\BN8B1F.tmp.tmp
  File size:  209,920 bytes
  File description:  DELoader/ZLoader

 

Click here to return to the main page.