2017-08-10 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

ASSOCIATED FILES:

  • 2017-08-10-Hancitor-infection-with-ZLoader.pcap   (8,099,283 bytes)
  • 2017-08-10-Hancitor-malspam-173651-UTC.eml   (16,543 bytes)
  • 2017-08-10-Hancitor-malspam-174331-UTC.eml   (16,542 bytes)
  • 2017-08-10-Hancitor-malspam-174559-UTC.eml   (16,552 bytes)
  • 2017-08-10-Hancitor-malspam-180101-UTC.eml   (16,549 bytes)
  • 2017-08-10-Hancitor-malspam-182715-UTC.eml   (16,551 bytes)
  • 2017-08-10-Hancitor-malspam-190329-UTC.eml   (16,541 bytes)
  • Fedex_Invoice_598791.doc   (232,960 bytes)
  • defil.exe   (173,568 bytes)

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

LINKS IN THE EMAILS THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENT:

POST-INFECTION TRAFFIC FROM MY INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

Click here to return to the main page.