2017-11-01 - HANCITOR MALSPAM (FAKE RINGCENTRAL FAX)
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-11-01-Hancitor-malspam-traffic-example.pcap.zip 334 kB (333,675 bytes)
- 2017-11-01-Hancitor-malspam-traffic-example.pcap (444,600 bytes)
- Zip archive of the malware: 2017-11-01-Hancitor-malspam-and-artifacts.zip 237 kB (236,722 bytes)
- 2017-11-01-Hancitor-maldoc-fax_953654.doc (219,648 bytes)
- 2017-11-01-Hancitor-malspam-all-emails.txt (32,613 bytes)
- 2017-11-01-Zeus-Panda-Banker.exe (186,368 bytes)
TODAY'S TWEETS COVERING THE 2017-11-01 WAVE OF #HANCITOR MALSPAM:
- @James_inthe_box: Incoming #hancitor run: "New incoming Fax from <digits>" pastebin.com/RTVN0SjK updates as I get them. (link to tweet)
NOTES:
- Looks like Hancitor malspam has settled on Zeus Panda Banker and given up on DELoader/ZLoader (or whatever you call it).
Shown above: My tribute to the fallen.
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2017-11-01 as early as 15:41 UTC through at least 18:51 UTC
- From: "RingCentral" <ringcentral@scsga.com>
- Received: from scsga.com ([5.40.45.99])
- Received: from scsga.com ([12.235.201.58])
- Received: from scsga.com ([24.121.0.239])
- Received: from scsga.com ([24.198.72.63])
- Received: from scsga.com ([66.214.96.122])
- Received: from scsga.com ([66.251.57.58])
- Received: from scsga.com ([67.78.226.170])
- Received: from scsga.com ([69.4.50.182])
- Received: from scsga.com ([69.160.204.254])
- Received: from scsga.com ([70.184.164.23])
- Received: from scsga.com ([71.0.220.4])
- Received: from scsga.com ([71.9.45.154])
- Received: from scsga.com ([71.12.100.6])
- Received: from scsga.com ([72.164.13.170])
- Received: from scsga.com ([74.93.19.115])
- Received: from scsga.com ([74.93.101.9])
- Received: from scsga.com ([74.116.202.94])
- Received: from scsga.com ([107.2.249.5])
- Received: from scsga.com ([173.25.235.195])
- Received: from scsga.com ([173.219.159.242])
- Received: from scsga.com ([174.141.60.58])
- Received: from scsga.com ([206.174.36.58])
- Received: from scsga.com ([209.151.132.206])
- Received: from scsga.com ([216.201.251.238])
- Subject: New incoming Fax from 407-046-4410
- Subject: New incoming Fax from 417-250-5487
- Subject: New incoming Fax from 421-580-6121
- Subject: New incoming Fax from 422-015-6021
- Subject: New incoming Fax from 422-187-1865
- Subject: New incoming Fax from 425-680-2708
- Subject: New incoming Fax from 426-552-1233
- Subject: New incoming Fax from 430-263-7400
- Subject: New incoming Fax from 431-231-0514
- Subject: New incoming Fax from 435-351-6605
- Subject: New incoming Fax from 442-818-5401
- Subject: New incoming Fax from 454-083-6353
- Subject: New incoming Fax from 454-166-6806
- Subject: New incoming Fax from 454-441-7340
- Subject: New incoming Fax from 456-287-1607
- Subject: New incoming Fax from 456-718-8837
- Subject: New incoming Fax from 458-613-2213
- Subject: New incoming Fax from 468-412-5488
- Subject: New incoming Fax from 475-502-0142
- Subject: New incoming Fax from 475-540-2766
- Subject: New incoming Fax from 477-862-8313
- Subject: New incoming Fax from 481-178-7060
- Subject: New incoming Fax from 483-773-1434
- Subject: New incoming Fax from 488-745-5318
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO THE WORD DOCUMENT:
- acehh.com - GET /fax.php?jue353=[recipient's email address]
- acehh.com - GET /fax.php?lad607=[recipient's email address]
- annapeds.com - GET /fax.php?iag336=[recipient's email address]
- annapeds.com - GET /fax.php?qdt367=[recipient's email address]
- annapeds.com - GET /fax.php?rny447=[recipient's email address]
- instanttaxsolutions.biz - GET /fax.php?srw411=[recipient's email address]
- instanttaxsolutions.biz - GET /fax.php?ssu260=[recipient's email address]
- instanttaxsolutions.biz - GET /fax.php?tre248=[recipient's email address]
- mulreninfrances.com - GET /fax.php?etc018=[recipient's email address]
- mulreninfrances.com - GET /fax.php?ruo625=[recipient's email address]
- nikohsec.com - GET /fax.php?ctp325=[recipient's email address]
- nikohsec.com - GET /fax.php?gbd283=[recipient's email address]
- nikohsec.com - GET /fax.php?jkb582=[recipient's email address]
- nikohsec.com - GET /fax.php?mhi707=[recipient's email address]
- summerill.biz - GET /fax.php?fgq222=[recipient's email address]
- summerill.biz - GET /fax.php?jnc305=[recipient's email address]
- summerill.biz - GET /fax.php?tif185=[recipient's email address]
- summerill.org - GET /fax.php?jks360=[recipient's email address]
- summerill.org - GET /fax.php?pga184=[recipient's email address]
- summerill.org - GET /fax.php?tvf326=[recipient's email address]
- summerill.org - GET /fax.php?uih258=[recipient's email address]
- summerill.org - GET /fax.php?xxf418=[recipient's email address]
- w10836dom.com - GET /fax.php?ujp575=[recipient's email address]
- wildwoodreunion.com - GET /fax.php?erg057=[recipient's email address]
NAME FOR THE MALICIOUS WORD DOCUMENT:
- fax_[six random digits].doc
POST-INFECTION TRAFFIC FROM MY INFECTED HOST:
- 45.63.117.36 port 80 - nikohsec.com - GET /fax.php?gdb283=[victim's email address]
- 178.170.244.181 port 80 - unduseherttan.com - POST /ls5/forum.php
- 178.170.244.181 port 80 - unduseherttan.com - POST /mlu/forum.php
- 178.170.244.181 port 80 - unduseherttan.com - POST /d2/about.php
- 62.233.65.78 port 80 - puyeshgar.com - GET /1
- 62.233.65.78 port 80 - puyeshgar.com - GET /2
- 62.233.65.78 port 80 - puyeshgar.com - GET /3
- 78.46.236.26 port 443 - tontrumuchtors.com - attempted TCP connections (RST from the server) caused by Zeus Panda Banker
- api.ipify.org - GET /
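The two traffic lists above (the link to the Word document and the post-infection check-ins) follow a small number of URL shapes, which makes them easy to hunt for in proxy logs. Below is an added example, not code from this page or from malware-traffic-analysis.net, that runs a handful of pattern rules over constructed proxy log lines and flags a client only when the sequence looks like an infection rather than a single coincidental request. The log field order, the `hancitor_checkin` path pattern (generalised from the /ls5/forum.php, /mlu/forum.php and /d2/about.php requests listed above) and the sample lines are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample proxy log lines (not taken from the pcap on this page).
# Assumed field order: timestamp client_ip method host path status
SAMPLE_LOG = """\
2017-11-01T16:02:11Z 10.0.0.15 GET nikohsec.com /fax.php?gbd283=alice@example.com 200
2017-11-01T16:02:40Z 10.0.0.15 POST unduseherttan.com /ls5/forum.php 200
2017-11-01T16:02:41Z 10.0.0.15 POST unduseherttan.com /mlu/forum.php 200
2017-11-01T16:02:43Z 10.0.0.15 POST unduseherttan.com /d2/about.php 200
2017-11-01T16:02:45Z 10.0.0.15 GET puyeshgar.com /1 200
2017-11-01T16:02:50Z 10.0.0.15 GET api.ipify.org / 200
2017-11-01T16:05:00Z 10.0.0.22 GET www.example.org /index.html 200
2017-11-01T16:06:00Z 10.0.0.22 GET forum.example.net /forum.php?topic=1 200
"""


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    rule: str
    host: str
    path: str


# (rule name, HTTP method, host pattern, path pattern)
RULES = [
    # Link from the malspam: /fax.php?<3 letters><3 digits>=<recipient email>
    ("hancitor_maldoc_link", "GET", r".*",
     r"^/fax\.php\?[a-z]{3}\d{3}=[^\s&]+@[^\s&]+$"),
    # Check-in: POST to a short directory followed by forum.php or about.php.
    # Generalised from the three paths seen on this page (assumption).
    ("hancitor_checkin", "POST", r".*",
     r"^/[a-z0-9]{1,4}/(forum|about)\.php$"),
    # Follow-up stage retrieval seen as GET /1, /2, /3
    ("hancitor_stage_download", "GET", r".*", r"^/[123]$"),
    # External IP lookup; benign software does this too, so it never flags alone
    ("external_ip_lookup", "GET", r"^api\.ipify\.org$", r"^/$"),
]
COMPILED = [(n, m, re.compile(h), re.compile(p)) for n, m, h, p in RULES]


def scan(log_text: str) -> List[Hit]:
    """Return one Hit per log line that matches a rule (first matching rule wins)."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines instead of crashing the sweep
        ts, client, method, host, path, _status = fields
        for name, rmethod, rhost, rpath in COMPILED:
            if method == rmethod and rhost.search(host) and rpath.search(path):
                hits.append(Hit(ts, client, name, host, path))
                break
    return hits


def infected_hosts(hits: List[Hit]) -> Set[str]:
    """Flag a client that shows a check-in POST, or the maldoc link followed by
    a stage download. The ipify lookup on its own is never enough."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h.client_ip, set()).add(h.rule)
    return {c for c, rules in by_client.items()
            if "hancitor_checkin" in rules
            or {"hancitor_maldoc_link", "hancitor_stage_download"} <= rules}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client_ip} {h.rule}: {h.host}{h.path}")
    print("Flagged clients:", sorted(infected_hosts(found)))
```

The host patterns are deliberately loose: the domains above rotate daily, so the URL structure (the `fax.php?xxx000=` parameter and the short-directory `forum.php` / `about.php` POSTs) is the more durable thing to alert on, with the domains and IPs from the lists above layered on as exact-match indicators.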
FILE HASHES
WORD DOCUMENT FROM LINK IN THE EMAIL:
- SHA256 hash: 667752cadad91de5900ec1da18b81a4ba623468d33ce7847330fbd99dba2a263
File name: fax_953654.doc
File size: 219,648 bytes
File description: Hancitor maldoc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: daa74336508773712e6d40216490ff5a8d912950535ef9950f34318823142a35
File location: C:\Users\[username]\AppData\Roaming\[random existing path]\[random name].exe
File size: 186,368 bytes
File description: Zeus Panda Banker
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-11-01-Hancitor-malspam-traffic-example.pcap.zip 334 kB (333,675 bytes)
- Zip archive of the malware: 2017-11-01-Hancitor-malspam-and-artifacts.zip 237 kB (236,722 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.