2017-08-10 - HANCITOR MALSPAM (FEDEX SHIPMENT DELIVERED)

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-08-10-Hancitor-malspam-traffic.pcap.zip   7.5 MB (7,477,219 bytes)

• 2017-08-10-Hancitor-malspam-traffic.pcap   (8,099,283 bytes)

• Zip archive of the malware:  2017-08-10-Hancitor-malspam-and-artifacts.zip   261 kB (261,425 bytes)

• 2017-08-10-Hancitor-malspam-173651-UTC.eml   (16,543 bytes)
• 2017-08-10-Hancitor-malspam-174331-UTC.eml   (16,542 bytes)
• 2017-08-10-Hancitor-malspam-174559-UTC.eml   (16,552 bytes)
• 2017-08-10-Hancitor-malspam-180101-UTC.eml   (16,549 bytes)
• 2017-08-10-Hancitor-malspam-182715-UTC.eml   (16,551 bytes)
• 2017-08-10-Hancitor-malspam-190329-UTC.eml   (16,541 bytes)
• Fedex_Invoice_598791.doc   (232,960 bytes)
• defil.exe   (173,568 bytes)

 

TODAY'S TWEETS COVERING THE 2017-08-10 WAVE OF #HANCITOR MALSPAM:

• @pollo290987:  #Chanitor   /f.php?d=[email b64]   cheechnchong,com   thefamilymoneyfarm,com   govprostore,com   rightchoice,us.  (link)
• @cheapbyte:  #hancitor #malspam #phishing Hancitor August 10, 2017 Fake FedEx delivery URLs at [Ghostbin link] Updated throughout the day   (link)

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Thursday 2017-08-10 as early as 17:36 UTC through at least 19:03 UTC
• From:  "FedEx Express" <fedex@intcous.com>
• FedEx Shipment $080316662 Delivered
• FedEx Shipment $146564485 Delivered
• FedEx Shipment $374737114 Delivered
• FedEx Shipment $520013241 Delivered
• FedEx Shipment $637381061 Delivered
• FedEx Shipment $760882055 Delivered

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

LINKS IN THE EMAILS THE WORD DOCUMENT:

• enviroluxgrowlights.com - GET /f.php?d=[base64 string]
• enviroluxlighting.net - GET /f.php?d=[base64 string]
• govprostore.com - GET /f.php?d=[base64 string]
• rightchoice.us - GET /f.php?d=[base64 string]
• tommyvapor.com - GET /f.php?d=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENT:

• Fedex_Invoice_[six random digits].doc

POST-INFECTION TRAFFIC FROM MY INFECTED HOST:

• 192.99.131.252 port 80 - littwileftbi.ru - POST /ls5/forum.php
• 192.99.131.252 port 80 - littwileftbi.ru - POST /mlu/forum.php
• 192.99.131.252 port 80 - littwileftbi.ru - POST /d2/about.php
• 209.126.148.164 port 80 - betaresourcesltd.com - GET /wp-content/plugins/easyrotator-for-wordpress/1
• 209.126.148.164 port 80 - betaresourcesltd.com - GET /wp-content/plugins/easyrotator-for-wordpress/2
• 209.126.148.164 port 80 - betaresourcesltd.com - GET /wp-content/plugins/easyrotator-for-wordpress/3
• 91.228.239.205 port 80 - heghaptedfa.ru - POST /bdl/gate.php
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses on various TCP ports - Tor traffic
• 86.110.117.167 port 80 - betwassjusthen.com - TCP SYN packets but no response from the server
• 10.0.2.2 port 443 - TCP SYN packet approx once avery 5 minutes

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  87a10cc169f9ffd0c75bb9846a99fb477fc4329840964b02349ae44a672729c2
  File name:  Fedex_Invoice_598791.doc
  File size:  232,960 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  1ed3a443b17d3bd3825f8289735f059dd655fb24d628125c0204bdcdadc7865c
  File location:  C:\Users\[username]\AppData\Local\Temp\BN8979.tmp
  File location:  C:\Users\[username]\AppData\Roaming\Isaq\defil.exe
  File size:  173,568 bytes
  File description:  DELoader/ZLoader

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-08-10-Hancitor-malspam-traffic.pcap.zip   7.5 MB (7,477,219 bytes)
• Zip archive of the malware:  2017-08-10-Hancitor-malspam-and-artifacts.zip   261 kB (261,425 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.