2017-07-03 - HANCITOR MALSPAM (FEDEX TRACKING NOTIFICATION)

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-07-03-Hancitor-malspam-traffic.pcap.zip   6.8 MB (6,767,155 bytes)

• 2017-07-03-Hancitor-malspam-traffic.pcap   (7,230,916 bytes)

• ZIP archive of the malware:  2017-07-03-Hancitor-malspam-and-artifacts.zip   338 kB (338,441 bytes)

• 2017-07-03-Hancitor-malspam-142247-UTC.eml   (21,614 bytes)
• 2017-07-03-Hancitor-malspam-142410-UTC.eml   (21,625 bytes)
• 2017-07-03-Hancitor-malspam-143011-UTC.eml   (21,625 bytes)
• 2017-07-03-Hancitor-malspam-143130-UTC.eml   (21,619 bytes)
• 2017-07-03-Hancitor-malspam-143511-UTC.eml   (21,627 bytes)
• 2017-07-03-Hancitor-malspam-150706-UTC.eml   (21,617 bytes)
• 2017-07-03-Hancitor-malspam-151836-UTC.eml   (21,625 bytes)
• 2017-07-03-Hancitor-malspam-160604-UTC.eml   (21,629 bytes)
• 2017-07-03-Hancitor-malspam-162538-UTC.eml   (21,633 bytes)
• BN2AE6.tmp   (197,120 bytes)
• Invoice_yahoo.doc   (359,936 bytes)

 

SOME TWEETS COVERING THE 2017-07-03 WAVE OF #HANCITOR MALSPAM:

• @James_inthe_box:  And #hancitor run with mod'd link structure: "FedEx Tracking <digits> Notification" (Ghostbin link)   (link)
• @cheapbyte:  And #hancitor #phishing #malspam Hancitor July 3, 2017 links and SHA (Ghostbin link) Check the malware download 1,2,3   (link)

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Monday 2017-07-03 as early as 14:22 UTC through at least 16:25 UTC
• From:  "FedEx" <tracking@afedex.com>
• Subject:  FedEx Tracking 715715163815 Notification
• Subject:  FedEx Tracking 716387320236 Notification
• Subject:  FedEx Tracking 720158312704 Notification
• Subject:  FedEx Tracking 723824805710 Notification
• Subject:  FedEx Tracking 725323300358 Notification
• Subject:  FedEx Tracking 726461552752 Notification
• Subject:  FedEx Tracking 758633840738 Notification
• Subject:  FedEx Tracking 764042320736 Notification
• Subject:  FedEx Tracking 778208545774 Notification

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

• auburnmachine.com - GET /viewdoc/file.php?d=[base64 string]
• careermoveresumes.us - GET /viewdoc/file.php?d=[base64 string]
• GPAC.BIZ - GET /viewdoc/file.php?d=[base64 string]
• GPAC-LLC.COM - GET /viewdoc/file.php?d=[base64 string]
• GPAC-LLC.NET - GET /viewdoc/file.php?d=[base64 string]
• rz-restaurants.com - GET /viewdoc/file.php?d=[base64 string]
• tucsonweddingexpo.com - GET /viewdoc/file.php?d=[base64 string]
• WOMENSLIFEANDSTYLEEXPO.COM - GET /viewdoc/file.php?d=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENTS:

• Invoice_[recipient's email domain minus the suffix].doc

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

• 185.7.30.140 port 80 - fortronsofher.com - POST /ls5/forum.php
• 185.7.30.140 port 80 - fortronsofher.com - POST /mlu/forum.php
• 185.7.30.140 port 80 - fortronsofher.com - POST /d2/about.php
• 176.99.7.116 port 80 - wonderhosting.ru - GET /wp-includes/pomo/1
• 176.99.7.116 port 80 - wonderhosting.ru - GET /wp-includes/pomo/2
• 176.99.7.116 port 80 - wonderhosting.ru - GET /wp-includes/pomo/3
• 81.177.141.140 port 80 - makedbosand.com - POST /bdl/gate.php
• 10.0.2.2 port 443 - TCP SYN packet approx once avery 5 minutes
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses on various TCP ports - Tor traffic

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  5e23a6cb91e82f61d683620c9bdef57241b66e73c3f7a67260e20762bc7a1162
  File name:  Invoice_yahoo.doc
  File size:  359,936 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  cb0714a8342a5092d8c83a5a736dc19b04d8e20d87e6d83f520f9e57882db38b
  File location:  C:\Users\[username]\AppData\Local\Temp\BN2AE6.tmp
  File size:  197,120 bytes
  File description:  DELoader/ZLoader

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-07-03-Hancitor-malspam-traffic.pcap.zip   6.8 MB (6,767,155 bytes)
• ZIP archive of the malware:  2017-07-03-Hancitor-malspam-and-artifacts.zip   338 kB (338,441 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.