2017-08-03 - HANCITOR MALSPAM (INVOICE FROM CASEY MARTINEZ)
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-08-03-Hancitor-malspam-traffic.pcap.zip 9.1 MB (9,145,705 bytes)
- 2017-08-03-Hancitor-malspam-traffic.pcap (9,882,970 bytes)
- Zip archive of the malware: 2017-08-03-Hancitor-malspam-and-artifacts.zip 317 kB (317,084 bytes)
- 2017-08-03-Hancitor-malspam-150038-UTC.eml (1,475 bytes)
- 2017-08-03-Hancitor-malspam-153147-UTC.eml (1,464 bytes)
- 2017-08-03-Hancitor-malspam-154120-UTC.eml (1,484 bytes)
- BNAFED.tmp (209,920 bytes)
- Invoice_808290.doc (300,032 bytes)
TODAY'S TWEETS COVERING THE 2017-08-03 WAVE OF #HANCITOR MALSPAM:
- @James_inthe_box: Incoming #hancitor run: "Re: invoice <digits> bullshit", new .doc type. (link)
- @cheapbyte: #hancitor #malspam #phishing Hancitor Aug 3, 2017 fake "Invoice <digits> bullshit" phish. Txt via Ghostbin (link)
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date: Wednesday 2017-08-03 as early as 15:00 UTC through at least 15:41 UTC
- From: "Casey Martinez" <cas.martinez@hvacofamerica.com>
- Re: invoice 37432815 bullshit
- Re: invoice 42585083 bullshit
- Re: invoice 45816663 bullshit
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
LINKS IN THE EMAILS FOR THE WORD DOCUMENT:
- MERIDIANNATIONALTITLE.COM - GET /f.php?d=[base64 string]
- MERIDIANNATL.INFO - GET /f.php?d=[base64 string]
- RHJACK.INFO - GET /f.php?d=[base64 string]
NAME FOR THE MALICIOUS WORD DOCUMENT:
- Invoice_[six random digits].doc
POST-INFECTION TRAFFIC FROM MY INFECTED HOST:
- 185.120.77.184 port 80 - tewocarof.ru - POST /ls5/forum.php
- 185.120.77.184 port 80 - tewocarof.ru - POST /mlu/forum.php
- 185.120.77.184 port 80 - tewocarof.ru - POST /d2/about.php
- 31.216.35.44 port 80 - allemansgallivare.se - GET /wp-content/plugins/easyrotator-for-wordpress/1
- 31.216.35.44 port 80 - allemansgallivare.se - GET /wp-content/plugins/easyrotator-for-wordpress/2
- 31.216.35.44 port 80 - allemansgallivare.se - GET /wp-content/plugins/easyrotator-for-wordpress/3
- 185.20.226.135 port 80 - tinjotofling.com - POST /bdl/gate.php
- api.ipify.org - GET /
- checkip.dyndns.org - GET /
- Various IP addresses on various TCP ports - Tor traffic
- DNS query for ranwashertbi.com - Response: No such name
- 10.0.2.2 port 443 - TCP SYN packet approximately once every 5 minutes
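As an added detection example (my code, not something from the original post or its pcap), the following Python pass scans constructed HTTP request-log lines for the stages listed in this writeup (the maldoc download from the email links, the Hancitor check-ins, the follow-up payload fetches, the DELoader/ZLoader gate, and the external IP checks) and reports a source IP only when two or more distinct stages are seen. The log format and the sample lines are constructed for the example; the URI patterns are generalised from the ones on this page, so the short directory in front of forum.php, about.php and gate.php is treated as variable rather than fixed to ls5, mlu, d2 or bdl.

```python
"""
Added example, not part of the original writeup: a small detection pass over
constructed HTTP request-log lines that mirrors the traffic stages seen in
this Hancitor infection. Log format "src_ip host method uri" is constructed.
"""
import re
from collections import defaultdict

# Each tuple: (stage name, HTTP method, compiled URI regex).
# Patterns are generalised from the URIs listed in the writeup.
STAGES = [
    ("maldoc_download", "GET",  re.compile(r"^/f\.php\?d=[A-Za-z0-9+/=]{8,}$")),
    ("hancitor_c2",     "POST", re.compile(r"^/[A-Za-z0-9]{1,8}/(forum|about)\.php$")),
    ("payload_fetch",   "GET",  re.compile(r"^/wp-content/plugins/easyrotator-for-wordpress/\d+$")),
    ("zloader_gate",    "POST", re.compile(r"^/[A-Za-z0-9]{1,8}/gate\.php$")),
]

# External IP check services: benign on their own, notable alongside the stages above.
IP_CHECK_HOSTS = {"api.ipify.org", "checkip.dyndns.org"}

# Constructed log format: "src_ip host method uri"
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)$")


def classify(line):
    """Return (src_ip, stage) when a log line matches one stage, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, host, method, uri = m.group("src", "host", "method", "uri")
    if host.lower() in IP_CHECK_HOSTS and method == "GET":
        return src, "ip_check"
    for stage, stage_method, pattern in STAGES:
        if method == stage_method and pattern.match(uri):
            return src, stage
    return None


def infected_hosts(lines, min_stages=2):
    """Group stage hits by source IP and report only hosts showing at least
    `min_stages` distinct stages, which filters single hits such as an
    unrelated site that happens to serve a /forum.php script."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return {src: sorted(stages) for src, stages in seen.items() if len(stages) >= min_stages}


# Constructed sample log; hostnames and URIs follow the ones in the writeup.
SAMPLE_LOG = """\
10.0.2.15 meridiannatl.info GET /f.php?d=dGVzdHN0cmluZ2Zvcg==
10.0.2.15 tewocarof.ru POST /ls5/forum.php
10.0.2.15 tewocarof.ru POST /d2/about.php
10.0.2.15 allemansgallivare.se GET /wp-content/plugins/easyrotator-for-wordpress/1
10.0.2.15 api.ipify.org GET /
10.0.2.15 tinjotofling.com POST /bdl/gate.php
10.0.2.20 www.example.com GET /index.html
10.0.2.20 example.org POST /chat/forum.php
""".splitlines()

if __name__ == "__main__":
    for src, stages in infected_hosts(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(stages)}")
```

Run stand-alone it prints only 10.0.2.15 with its five stages; 10.0.2.20 has a single forum.php hit and is suppressed by the two-stage threshold. In real proxy or IDS logs, the host-level correlation matters more than any one URI pattern, since forum.php, about.php and gate.php are common enough names to produce noise on their own.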
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: efe7cfe0c08265e1a4eed68a1e544ba0e98fff98942e0e55941e1899aba71579
  File name: Invoice_808290.doc
  File size: 300,032 bytes
  File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 998179d7a379783c287dedaabdd537bb359c8c90c70ac69ea13c931f51d8e326
  File location: C:\Users\[username]\AppData\Local\Temp\BNAFED.tmp
  File size: 209,920 bytes
  File description: DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-08-03-Hancitor-malspam-traffic.pcap.zip 9.1 MB (9,145,705 bytes)
- Zip archive of the malware: 2017-08-03-Hancitor-malspam-and-artifacts.zip 317 kB (317,084 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.