2017-07-20 - HANCITOR MALSPAM (INVOICE NOTIFICATION)

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-07-20-Hancitor-malspam-traffic.pcap.zip   7.9 MB (7,909,522 bytes)

• 2017-07-20-Hancitor-malspam-traffic.pcap   (8,654,555 bytes)

• ZIP archive of the malware:  2017-07-20-Hancitor-malspam-and-artifacts.zip   305 kB (305,371 bytes)

• 2017-07-20-Hancitor-malspam-1456-UTC.eml   (5,787 bytes)
• 2017-07-20-Hancitor-malspam-1531-UTC.eml   (5,793 bytes)
• 2017-07-20-Hancitor-malspam-1547-UTC.eml   (5,782 bytes)
• 2017-07-20-Hancitor-malspam-1609-UTC.eml   (5,787 bytes)
• 2017-07-20-Hancitor-malspam-1650-UTC.eml   (5,786 bytes)
• 2017-07-20-Hancitor-malspam-1714-UTC.eml   (5,783 bytes)
• 2017-07-20-Hancitor-malspam-1817-UTC.eml   (5,792 bytes)
• 2017-07-20-Hancitor-malspam-1852-UTC.eml   (5,787 bytes)
• BN9A1C.tmp   (194,048 bytes)
• Intuit_Invoice_649272.doc   (296,960 bytes)

 

TWEETS COVERING THE 2017-07-20 WAVE OF #HANCITOR MALSPAM:

• @cheapbyte:  And #hancitor #malspam #phishing Hancitor IOC July 20, 2017 Fake QUickbooks email. URLs via Ghostbin   (link)

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Thursday 2017-07-20 as early as 14:56 UTC through at least 18:52 UTC
• From:  "Hunter Douglas" <quickbooks-email@esquireinteriors.com>
• Subject:  Invoice 13800 for [recipient's email domain]
• Subject:  Invoice 31138 for [recipient's email domain]
• Subject:  Invoice 40341 for [recipient's email domain]
• Subject:  Invoice 47474 for [recipient's email domain]
• Subject:  Invoice 54552 for [recipient's email domain]
• Subject:  Invoice 74716 for [recipient's email domain]
• Subject:  Invoice 83618 for [recipient's email domain]

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

LINKS IN THE EMAILS THE WORD DOCUMENT THAT I SAW:

• bestbrokerageever.com - GET /file.php?d=[base64 string]
• bestbrokerever.net - GET /file.php?d=[base64 string]
• bestbrokerever.org - GET /file.php?d=[base64 string]
• poshbathbombs.com - GET /file.php?d=[base64 string]
• poshbathbombs.net - GET /file.php?d=[base64 string]
• YOURSTRATEGICGUIDE.NET - GET /file.php?d=[base64 string]

ADDITIONAL LINKS FOR THE WORD DOCUMENT REPORTED BY @CHEAPBYTE:

• bestbrokerever.info - GET /file.php?d=[base64 string]
• byobfranchise.com - GET /file.php?d=[base64 string]
• hutsonrental.com - GET /file.php?d=[base64 string]
• poshbathbomb.net - GET /file.php?d=[base64 string]
• yourstrategicguide.info - GET /file.php?d=[base64 string]
• yourstrategicguide.org - GET /file.php?d=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENT:

• Intuit_Invoice_[six random digits].doc

POST-INFECTION TRAFFIC FROM MY INFECTED HOST:

• 185.43.223.49 port 80 - mohurndertil.com - POST /ls5/forum.php
• 185.43.223.49 port 80 - mohurndertil.com - POST /mlu/forum.php
• 185.43.223.49 port 80 - mohurndertil.com - POST /d2/about.php
• 46.235.47.84 port 80 - wood-boards.com - GET /wp-content/plugins/tumblr-crosspostr/1
• 46.235.47.84 port 80 - wood-boards.com - GET /wp-content/plugins/tumblr-crosspostr/2
• 46.235.47.84 port 80 - wood-boards.com - GET /wp-content/plugins/tumblr-crosspostr/3
• 185.111.107.82 port 80 - tohinwithec.com - POST /bdl/gate.php
• 10.0.2.2 port 443 - TCP SYN packet approx once avery 5 minutes
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses on various TCP ports - Tor traffic

ADDITIONAL POST-INFECTION URLS REPORTED BY @CHEAPBYTE:

• mohurndertil.com - POST /ls5/forum.php
• nyorcalning.ru - POST /ls5/forum.php
• hadsitguled.ru - POST /ls5/forum.php
• porthia.com.br - GET /wp-content/plugins/insert-pages/1
• porthia.com.br - GET /wp-content/plugins/insert-pages/2
• porthia.com.br - GET /wp-content/plugins/insert-pages/3
• questscopeduurzaam.nl - GET /wp-content/plugins/really-simple-captcha/1
• questscopeduurzaam.nl - GET /wp-content/plugins/really-simple-captcha/2
• questscopeduurzaam.nl - GET /wp-content/plugins/really-simple-captcha/3
• nmultra2014.no - GET /.tmb/1
• nmultra2014.no - GET /.tmb/2
• nmultra2014.no - GET /.tmb/3
• yana-k-design.com - GET /wp-content/plugins/menu-social-icons/1
• yana-k-design.com - GET /wp-content/plugins/menu-social-icons/2
• yana-k-design.com - GET /wp-content/plugins/menu-social-icons/3
• lvpar.com.br - GET /wp-content/plugins/wordpress-seo/1
• lvpar.com.br - GET /wp-content/plugins/wordpress-seo/2
• lvpar.com.br - GET /wp-content/plugins/wordpress-seo/3

ADDITIONAL POST-INFECTION URL NOTED IN REVERSE.IT ANALYSIS OF DELOADER/ZLOADER:

• 92.63.106.180 port 80 - nofocalen.com - POST /bdl/gate.php

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  643951eee2dac8c3677f5ef7e9cb07444f12d165f6e401c1cd7afa27d7552367
  File name:  Intuit_Invoice_649272.doc
  File size:  296,960 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  206d7fe28230cced9110517c401f72e11ce68bb2dc617d476f6a935f8be4da97
  File location:  C:\Users\[username]\AppData\Local\Temp\BN9A1C.tmp
  File size:  194,048 bytes
  File description:  DELoader/ZLoader

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-07-20-Hancitor-malspam-traffic.pcap.zip   7.9 MB (7,909,522 bytes)
• ZIP archive of the malware:  2017-07-20-Hancitor-malspam-and-artifacts.zip   305 kB (305,371 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.