2017-10-30 - HANCITOR MALSPAM (VIEW YOUR OFFICE 365 BUSINESS BILLING STATEMENT)
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-10-30-Hancitor-malspam-traffic-example.pcap.zip 364 kB (364,152 bytes)
- 2017-10-30-Hancitor-malspam-traffic-example.pcap (528,674 bytes)
- Zip archive of the malware: 2017-10-30-Hancitor-malspam-and-artifacts.zip 248 kB (247,725 bytes)
- 2017-10-30-Hancitor-malspam-1621-UTC.eml (5,996 bytes)
- 2017-10-30-Hancitor-malspam-1626-UTC.eml (5,921 bytes)
- 2017-10-30-Hancitor-malspam-1722-UTC.eml (6,002 bytes)
- 2017-10-30-Hancitor-malspam-1724-UTC.eml (6,058 bytes)
- 2017-10-30-Hancitor-malspam-1726-UTC.eml (5,934 bytes)
- 2017-10-30-Hancitor-malspam-1822-UTC.eml (6,033 bytes)
- 2017-10-30-Hancitor-malspam-1829-UTC.eml (5,965 bytes)
- 2017-10-30-Hancitor-malspam-1837-UTC.eml (5,967 bytes)
- 2017-10-30-Hancitor-malspam-1855-UTC.eml (5,933 bytes)
- 2017-10-30-Hancitor-malspam-1918-UTC.eml (6,007 bytes)
- 2017-10-30-ZeusPandaBanker.exe (153,088 bytes)
- statement_299584.doc (220,160 bytes)
TODAY'S TWEETS COVERING THE 2017-10-30 WAVE OF #HANCITOR MALSPAM:
- @James_inthe_box: Incoming #hancitor #malspam: "View your Office 365 Business billing statement for <domain>" pastebin.com/BDYSi0Zv updates forthcoming (link)
- @pollo290987: #Hancitor arizoznaic,us/s.php?nlv654=[email clear] 10stepstoyes,info/s.php?idw042=[email clear] colighaningr,com GET /ls5/forum.php (link)
NOTES:
- The DDE attack we saw earlier this month from Hanictor malspam was very short-lived. Today, just like last time, it's been Word macros.
- Also like last time, we have Zeus Panda Banker (no ZLoader/DELoader).
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Monday 2017-10-30 as early as 16:21 UTC through at least 19:18 UTC
- Subject: View your Office 365 Business billing statement for [recipient's email domain]
- From: "Microsoft Online Services Team" <microsoft@inreachitsolutions.com>
- Received: from inreachitsolutions.com ([50.206.59.110])
- Received: from inreachitsolutions.com ([67.88.39.194])
- Received: from inreachitsolutions.com ([69.11.104.192])
- Received: from inreachitsolutions.com ([74.95.217.206])
- Received: from inreachitsolutions.com ([76.73.153.98])
- Received: from inreachitsolutions.com ([79.10.219.3])
- Received: from inreachitsolutions.com ([98.198.65.62])
- Received: from inreachitsolutions.com ([108.190.156.147])
- Received: from inreachitsolutions.com ([136.61.93.165])
- Received: from inreachitsolutions.com ([174.226.18.159])
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Attempted TCP connections caused by Zeus Panda Banker on the infected host.
LINKS IN THE EMAILS TO THE WORD DOCUMENT:
- arizonaic.biz - GET /s.php?fre574=[recipient's email address]
- arizonaic.biz - GET /s.php?tnx552=[recipient's email address]
- arizonaic.com - GET /s.php?ywy156=[recipient's email address]
- arizonaic.mobi - GET /s.php?mim650=[recipient's email address]
- arizonaic.net - GET /s.php?jxw684=[recipient's email address]
- arizonaic.net - GET /s.php?sns010=[recipient's email address]
- arizonaic.us - GET /s.php?aiz184=[recipient's email address]
- arizonaic.us - GET /s.php?kjw700=[recipient's email address]
- opbrace.com - GET /s.php?hvo262=[recipient's email address]
- tenstepstoyes.org - GET /s.php?vvg003=[recipient's email address]
NAME FOR THE MALICIOUS WORD DOCUMENT:
- statement_[six random digits].doc
POST-INFECTION TRAFFIC FROM MY INFECTED HOST:
- 178.170.244.181 port 80 - colighaningr.com - POST /ls5/forum.php
- 178.170.244.181 port 80 - colighaningr.com - POST /mlu/forum.php
- 178.170.244.181 port 80 - colighaningr.com - POST /d2/about.php
- 66.113.109.58 port 80 - icarusplays.org - GET /Aspire_files/afxtoz/1
- 66.113.109.58 port 80 - icarusplays.org - GET /Aspire_files/afxtoz/2
- 66.113.109.58 port 80 - icarusplays.org - GET /Aspire_files/afxtoz/3
- 164.132.28.118 port 443 - tontrumuchtors.com - attempted TCP connection (RST from the server)
- api.ipify.org - GET /
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: d2ddcfd70f9fb7eba158c1ce17438bd9328ddfaa6507428be4f802402b15ab9e
File name: statement_299584.doc
File size: 220,160 bytes
File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: ba35a1c840ba413f1f92179b7dce1d84ae07b9f8a349e847692760a7b395ddb1
File location: C:\Users\[username]\AppData\Local\Temp\[random characters].tmp
File location: C:\Users\[username]\AppData\Roaming\[random existing path]\[random name].exe
File size: 153,088 bytes
File description: Zeus Panda Banker
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-10-30-Hancitor-malspam-traffic-example.pcap.zip 364 kB (364,152 bytes)
- Zip archive of the malware: 2017-10-30-Hancitor-malspam-and-artifacts.zip 248 kB (247,725 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.