2017-07-03 - HANCITOR MALSPAM (FEDEX TRACKING NOTIFICATION)
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-07-03-Hancitor-malspam-traffic.pcap.zip 6.8 MB (6,767,155 bytes)
- 2017-07-03-Hancitor-malspam-traffic.pcap (7,230,916 bytes)
- ZIP archive of the malware: 2017-07-03-Hancitor-malspam-and-artifacts.zip 338 kB (338,441 bytes)
- 2017-07-03-Hancitor-malspam-142247-UTC.eml (21,614 bytes)
- 2017-07-03-Hancitor-malspam-142410-UTC.eml (21,625 bytes)
- 2017-07-03-Hancitor-malspam-143011-UTC.eml (21,625 bytes)
- 2017-07-03-Hancitor-malspam-143130-UTC.eml (21,619 bytes)
- 2017-07-03-Hancitor-malspam-143511-UTC.eml (21,627 bytes)
- 2017-07-03-Hancitor-malspam-150706-UTC.eml (21,617 bytes)
- 2017-07-03-Hancitor-malspam-151836-UTC.eml (21,625 bytes)
- 2017-07-03-Hancitor-malspam-160604-UTC.eml (21,629 bytes)
- 2017-07-03-Hancitor-malspam-162538-UTC.eml (21,633 bytes)
- BN2AE6.tmp (197,120 bytes)
- Invoice_yahoo.doc (359,936 bytes)
SOME TWEETS COVERING THE 2017-07-03 WAVE OF #HANCITOR MALSPAM:
- @James_inthe_box: And #hancitor run with mod'd link structure: "FedEx Tracking <digits> Notification" (Ghostbin link) (link)
- @cheapbyte: And #hancitor #phishing #malspam Hancitor July 3, 2017 links and SHA (Ghostbin link) Check the malware download 1,2,3 (link)
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date: Monday 2017-07-03 as early as 14:22 UTC through at least 16:25 UTC
- From: "FedEx" <tracking@afedex.com>
- Subject: FedEx Tracking 715715163815 Notification
- Subject: FedEx Tracking 716387320236 Notification
- Subject: FedEx Tracking 720158312704 Notification
- Subject: FedEx Tracking 723824805710 Notification
- Subject: FedEx Tracking 725323300358 Notification
- Subject: FedEx Tracking 726461552752 Notification
- Subject: FedEx Tracking 758633840738 Notification
- Subject: FedEx Tracking 764042320736 Notification
- Subject: FedEx Tracking 778208545774 Notification
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
HTTP REQUESTS FOR THE WORD DOCUMENT:
- auburnmachine.com - GET /viewdoc/file.php?d=[base64 string]
- careermoveresumes.us - GET /viewdoc/file.php?d=[base64 string]
- GPAC.BIZ - GET /viewdoc/file.php?d=[base64 string]
- GPAC-LLC.COM - GET /viewdoc/file.php?d=[base64 string]
- GPAC-LLC.NET - GET /viewdoc/file.php?d=[base64 string]
- rz-restaurants.com - GET /viewdoc/file.php?d=[base64 string]
- tucsonweddingexpo.com - GET /viewdoc/file.php?d=[base64 string]
- WOMENSLIFEANDSTYLEEXPO.COM - GET /viewdoc/file.php?d=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENTS:
- Invoice_[recipient's email domain minus the suffix].doc
POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:
- 185.7.30.140 port 80 - fortronsofher.com - POST /ls5/forum.php
- 185.7.30.140 port 80 - fortronsofher.com - POST /mlu/forum.php
- 185.7.30.140 port 80 - fortronsofher.com - POST /d2/about.php
- 176.99.7.116 port 80 - wonderhosting.ru - GET /wp-includes/pomo/1
- 176.99.7.116 port 80 - wonderhosting.ru - GET /wp-includes/pomo/2
- 176.99.7.116 port 80 - wonderhosting.ru - GET /wp-includes/pomo/3
- 81.177.141.140 port 80 - makedbosand.com - POST /bdl/gate.php
- 10.0.2.2 port 443 - TCP SYN packet approx once avery 5 minutes
- api.ipify.org - GET /
- checkip.dyndns.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 5e23a6cb91e82f61d683620c9bdef57241b66e73c3f7a67260e20762bc7a1162
File name: Invoice_yahoo.doc
File size: 359,936 bytes
File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: cb0714a8342a5092d8c83a5a736dc19b04d8e20d87e6d83f520f9e57882db38b
File location: C:\Users\[username]\AppData\Local\Temp\BN2AE6.tmp
File size: 197,120 bytes
File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-07-03-Hancitor-malspam-traffic.pcap.zip 6.8 MB (6,767,155 bytes)
- ZIP archive of the malware: 2017-07-03-Hancitor-malspam-and-artifacts.zip 338 kB (338,441 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.