2017-08-21 - HANCITOR MALSPAM (UPS QUANTUM VIEW)

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-08-21-Hancitor-malspam-traffic.pcap.zip   8.5 MB (8,486,796 bytes)

• 2017-08-21-Hancitor-malspam-traffic.pcap   (9,174,063 bytes)

• Zip archive of the malware:  2017-08-21-Hancitor-malspam-and-artifacts.zip   237 kB (236,716 bytes)

• 2017-08-21-Hancitor-malspam-1640-UTC.eml   (1,836 bytes)
• 2017-08-21-Hancitor-malspam-1709-UTC.eml   (1,832 bytes)
• 2017-08-21-Hancitor-malspam-1902-UTC.eml   (1,836 bytes)
• UPS_Slip_623040.doc   (200,192 bytes)
• gokes.exe   (180,224 bytes)

 

TODAY'S TWEETS COVERING THE 2017-08-21 WAVE OF #HANCITOR MALSPAM:

• @cheapbyte:  #hancitor #ioc #malspam Hancitor Fake UPS phishing email August 21, 2017 URLs via Ghostbin   (link)
• @Ring0x0:  Receiving #Hancitor variant v4 #malspam with subject "Delivery stopped for shipment #[0-9]{6}" downloads UPS_Slip_xxxxxx.doc   (link)
• @James_inthe_box:  Incoming varient 4 #hancitor run "Your document Invoice <digits> is ready to be signed!" [Ghostbin link]   (link)

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date:  Monday 2017-08-21 as early as 16:40 UTC through at least 19:02 UTC
• From:  "UPS Quantum View" <ups@piercerx.com>
• Delivery stopped for shipment #142384
• Delivery stopped for shipment #164844
• Delivery stopped for shipment #650321

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

LINKS IN THE EMAILS THE WORD DOCUMENT:

• impacthealthnow.net - GET /f.php?d=[base64 string]
• impacthealthnow.org - GET /f.php?d=[base64 string]

NAME FOR THE MALICIOUS WORD DOCUMENT:

• UPS_Slip_[six random digits].doc

POST-INFECTION TRAFFIC FROM MY INFECTED HOST:

• 62.109.18.138 port 80 - butsulacoft.com - POST /ls5/forum.php
• 62.109.18.138 port 80 - butsulacoft.com - POST /mlu/forum.php
• 62.109.18.138 port 80 - butsulacoft.com - POST /d2/about.php
• 185.56.146.26 port 80 - tekstheks.nl - GET /wp-admin/includes/1
• 185.56.146.26 port 80 - tekstheks.nl - GET /wp-admin/includes/2
• 185.56.146.26 port 80 - tekstheks.nl - GET /wp-admin/includes/3
• 217.29.63.222 port 80 - fortsiretbab.com - POST /bdl/gate.php
• api.ipify.org - GET /
• checkip.dyndns.org - GET /
• Various IP addresses on various TCP ports - Tor traffic
• 10.0.2.2 port 443 - TCP SYN packet approx once avery 5 minutes

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  ab90ed6cb461f17ce1f901097a045aba7c984898a0425767f01454689698f2e9
  File name:  UPS_Slip_623040.doc
  File size:  200,192 bytes
  File description:  Hancitor maldoc

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  879b244120400083f562ce530c87001b46de4fc96b38a6b12a5afea22ef6efef
  File location:  C:\Users\[username]\AppData\Local\Temp\BN6A37.tmp
  File location:  C:\Users\[username]\AppData\Roaming\Goom\gokes.exe
  File size:  180,224 bytes
  File description:  DELoader/ZLoader

 

IMAGES

Shown above:  Artifacts from the infected host in the user's AppData\Local\Temp directory.

 

Shown above:  Artifacts from the infected host in the user's AppData\Roaming directory.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-08-21-Hancitor-malspam-traffic.pcap.zip   8.5 MB (8,486,796 bytes)
• Zip archive of the malware:  2017-08-21-Hancitor-malspam-and-artifacts.zip   237 kB (236,716 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.