2017-06-29 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

ASSOCIATED FILES:

  • 2017-06-29-Hancitor-infection-with-ZLoader.pcap   (9,399,867 bytes)
  • 2017-06-29-Hancitor-malspam-152244-UTC.eml   (3,540 bytes)
  • 2017-06-29-Hancitor-malspam-152359-UTC.eml   (3,526 bytes)
  • 2017-06-29-Hancitor-malspam-160017-UTC.eml   (3,535 bytes)
  • 2017-06-29-Hancitor-malspam-160354-UTC.eml   (3,535 bytes)
  • 2017-06-29-Hancitor-malspam-161741-UTC.eml   (3,545 bytes)
  • 2017-06-29-Hancitor-malspam-173356-UTC.eml   (3,532 bytes)
  • BN8B1F.tmp   (209,920 bytes)
  • Subpoena_yahoo.doc   (194,048 bytes)

 

A BLOG POST AND SOME TWEETS COVERING THE 2017-06-29 WAVE OF #HANCITOR MALSPAM:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENTS:

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

Click here to return to the main page.