2017-08-02 - HANCITOR INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-08-02-Hancitor-infection-traffic.pcap.zip 327.6 kB (327,560 bytes)
- 2017-08-02-Hancitor-infection-traffic.pcap (512,864 bytes)
- 2017-08-02-Hancitor-malspam-3-examples.zip 4.1 kB (4,060 bytes)
- 2017-08-02-Hancitor-malspam-145839-UTC.eml (1,998 bytes)
- 2017-08-02-Hancitor-malspam-171842-UTC.eml (1,997 bytes)
- 2017-08-02-Hancitor-malspam-181153-UTC.eml (2,002 bytes)
- 2017-08-02-malware-from-Hancitor-infection.zip 254.6 kB (254,627 bytes)
- ADP_Invoice_989046.doc (241,664 bytes)
- BN2F78.tmp (210,432 bytes)
TODAY'S TWEETS COVERING THE 2017-08-02 WAVE OF #HANCITOR MALSPAM:
- @cheapbyte: And #hancitor #malspam #phishing Hancitor Fake ADP email August 2, 2017 URLs in text at Ghostbin (link)
- @James_inthe_box: New #hancitor run: "ADP Payroll Invoice <digits>" (link)
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date: Wednesday 2017-08-02 as early as 14:58 UTC through at least 18:11 UTC
- From: "ADP Payroll" <adp.payroll.invoice@finemanrealty[.]com>
- Subject: ADP Payroll Invoice 58343861 for month 07/01/2017 - 07/31/2017
- Subject: ADP Payroll Invoice 63018533 for month 07/01/2017 - 07/31/2017
- Subject: ADP Payroll Invoice 78036003 for month 07/01/2017 - 07/31/2017
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
LINKS IN THE EMAILS THE WORD DOCUMENT:
- foundationofyet[.]net - GET /f.php?d=[base64 string]
- thefamilymoneyfarm[.]com - GET /f.php?d=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENT:
- ADP_Invoice_[six random digits].doc
POST-INFECTION TRAFFIC FROM MY INFECTED HOST:
- 185.188.182[.]34 port 80 - etdintuseoft[.]com - POST /ls5/forum.php
- 185.188.182[.]34 port 80 - etdintuseoft[.]com - POST /mlu/forum.php
- 185.188.182[.]34 port 80 - etdintuseoft[.]com - POST /d2/about.php
- 184.168.134[.]131 port 80 - www.hlinv[.]net - GET /wp-content/plugins/wordpress-importer/1
- 184.168.134[.]131 port 80 - www.hlinv[.]net - GET /wp-content/plugins/wordpress-importer/2
- 184.168.134[.]131 port 80 - www.hlinv[.]net - GET /wp-content/plugins/wordpress-importer/3
- api.ipify[.]org - GET /
- DNS query for toflingtinjo[.]ru - Response: No such name
- DNS query for ersrofsafah[.]ru - Response: No such name
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 0858582ca7d96c7d588cd83f2ef4cb94fcef2e6f70fdb0d022dbceb63a1c9ccc
File name: ADP_Invoice_989046.doc
File size: 241,664 bytes
File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: deb540755cc2fe423d6eabf4177778720ae01caf6c5973ffc24f7dec111fceba
File location: C:\Users\[username]\AppData\Local\Temp\BN2F78.tmp
File size: 210,432 bytes
File description: DELoader/ZLoader
Click here to return to the main page.