2017-11-28 - TWO DAYS OF HANCITOR MALSPAM

ASSOCIATED FILES:

• 2017-11-27-Hancitor-malspam-emails.txt.zip   4.0 kB (4,039 bytes)
• 2017-11-27-Hancitor-malspam-traffic.pcap.zip   1.9 MB (1,854,349 bytes)
• 2017-11-27-Hancitor-malspam-malware.zip   669 kB (669,496 bytes)

• 2017-11-28-Hancitor-malspam-emails.txt.zip   3.2 kB (3,206 bytes)
• 2017-11-28-Hancitor-malspam-traffic.pcap.zip   470 kB (470,341 bytes)
• 2017-11-28-Hancitor-malspam-malware.zip   227 kB (226,719 bytes)

NOTES:

• This post contains two days of Hancitor malspam, because I didn't have time to do a separate blog yesterday.
• Yesterday (2017-11-27) Hancitor maldocs were pushing a file downloader that grabbed the IcedID bankingTrojan, but today (2017-11-28) Hancitor is back to pushing Zeus Panda Banker (along with Pony and EvilPony, resident in memory, as usual).

 

Shown above:  Traffic from an infection filtered in Wireshark (Monday 2017-11-27).

 

Shown above:  Traffic from an infection filtered in Wireshark (Tuesday 2017-11-28).

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• compression-pump.info
• compression-pumps.info
• compression-pumps.net
• compression-sock.info
• compression-socks.info
• jobst-compression-stockings.com
• juzo-compression-socks.com
• juzo-compression-stockings.info
• lymphedema-pumps.info
• maternity-stockings.com
• nrgcompression.com
• socks4runners.com
• hxxp://www.sa-la.org/1
• hxxp://www.sa-la.org/2
• hxxp://www.sa-la.org/4
• dintretrewor.com
• faperropma.ru
• agaratas.com
• atlanimeday.com
• gooblesooq.com

• diti.tips
• dititips.com
• getcepsocks.com
• jobstcompressionstocking.com
• juzo.us
• liha.tips
• newtecantips.com
• sigvarisperformancesocks.com
• socksforwintersports.com
• tecan.tips
• zensahcompressionsleeves.com
• hxxp://bigiftprod.cloudapp.net/1
• hxxp://bigiftprod.cloudapp.net/2
• hxxp://bigiftprod.cloudapp.net/3
• hxxp://mail.geekenfreude.com/1
• hxxp://mail.geekenfreude.com/2
• hxxp://mail.geekenfreude.com/3
• inspartorswa.com
• rowrorofrat.com

 

EMAILS

MALSPAM INFO - MONDAY 2017-11-27:

• Date/Time: Monday 2017-11-27 as early as 15:43 UTC through at least 18:30 UTC
• Subject: [recipient's email domain] accounting statements

• From: "Abe Duron" <finance@fairwaypm.com>
• From: "Darius Brundidge" <finance@derenztransport.com>
• From: "Dean Danley" <finance@fairwaypm.com>
• From: "Devin Stangle" <finance@derenztransport.com>
• From: "Fredric Nathaniel" <finance@derenztransport.com>
• From: "Gil Mcglinchey" <finance@derenztransport.com>
• From: "Gil Mcglinchey" <finance@derenztransport.com>
• From: "Gregorio Barrentine" <finance@fairwaypm.com>
• From: "Homer Beaudette" <finance@fairwaypm.com>
• From: "Jed Poffenberger" <finance@derenztransport.com>
• From: "Kermit Cowling" <finance@fairwaypm.com>
• From: "Leandro Maginnis" <finance@derenztransport.com>
• From: "Louie Meador" <finance@derenztransport.com>
• From: "Marvin Kozak" <finance@derenztransport.com>
• From: "Moshe Winston" <finance@derenztransport.com>
• From: "Ned Peavey" <finance@derenztransport.com>
• From: "Ned Peavey" <finance@derenztransport.com>
• From: "Ned Peavey" <finance@derenztransport.com>
• From: "Perry Vermeulen" <finance@fairwaypm.com>
• From: "Perry Vermeulen" <finance@fairwaypm.com>
• From: "Stanford Magnuson" <finance@fairwaypm.com>
• From: "Wayne Grey" <finance@derenztransport.com>
• From: "Whitney Grange" <finance@derenztransport.com>
• From: "Wilfred Cabezas" <finance@derenztransport.com>

• Received: from derenztransport.com ([4.16.101.182])
• Received: from derenztransport.com ([23.30.139.233])
• Received: from derenztransport.com ([24.159.72.85])
• Received: from derenztransport.com ([24.172.35.186])
• Received: from derenztransport.com ([50.242.168.2])
• Received: from derenztransport.com ([50.247.22.145])
• Received: from derenztransport.com ([64.179.211.192])
• Received: from derenztransport.com ([67.52.110.14])
• Received: from derenztransport.com ([96.37.147.182])
• Received: from derenztransport.com ([108.32.132.32])
• Received: from derenztransport.com ([122.175.39.24])
• Received: from derenztransport.com ([173.14.168.185])
• Received: from derenztransport.com ([199.6.38.172])
• Received: from derenztransport.com ([206.217.6.169])
• Received: from derenztransport.com ([208.41.239.26])
• Received: from fairwaypm.com ([23.176.0.45])
• Received: from fairwaypm.com ([63.142.196.118])
• Received: from fairwaypm.com ([65.60.113.202])
• Received: from fairwaypm.com ([66.166.194.58])
• Received: from fairwaypm.com ([142.176.85.144])
• Received: from fairwaypm.com ([158.222.66.172])
• Received: from fairwaypm.com ([173.58.193.44])
• Received: from fairwaypm.com ([192.154.121.214])

 

MALSPAM INFO - TUESDAY 2017-11-28:

• Date/Time: Tuesday 2017-11-28 as early as 16:09 UTC through at least 18:47 UTC
• From: "eFax" <efax@faxmail.com>

• Subject: 800-241-5331 has faxed you a document.
• Subject: 800-241-8328 has faxed you a document.
• Subject: 801-241-0241 has faxed you a document.
• Subject: 801-241-1014 has faxed you a document.
• Subject: 801-241-5068 has faxed you a document.
• Subject: 802-241-0514 has faxed you a document.
• Subject: 803-241-1160 has faxed you a document.
• Subject: 804-241-6041 has faxed you a document.
• Subject: 804-241-6600 has faxed you a document.
• Subject: 804-241-8681 has faxed you a document.
• Subject: 805-241-5668 has faxed you a document.
• Subject: 806-241-1475 has faxed you a document.
• Subject: 806-241-2183 has faxed you a document.
• Subject: 806-241-3742 has faxed you a document.
• Subject: 807-241-0001 has faxed you a document.
• Subject: 807-241-1351 has faxed you a document.
• Subject: 807-241-2240 has faxed you a document.
• Subject: 807-241-6075 has faxed you a document.
• Subject: 807-241-7725 has faxed you a document.
• Subject: 808-241-4650 has faxed you a document.

• Received: from faxmail.com ([24.172.42.90])
• Received: from faxmail.com ([50.78.78.249])
• Received: from faxmail.com ([68.44.48.36])
• Received: from faxmail.com ([69.167.229.69])
• Received: from faxmail.com ([70.123.237.77])
• Received: from faxmail.com ([72.240.14.244])
• Received: from faxmail.com ([75.176.84.83])
• Received: from faxmail.com ([96.70.38.129])
• Received: from faxmail.com ([97.78.8.202])
• Received: from faxmail.com ([97.94.254.91])
• Received: from faxmail.com ([98.118.52.41])
• Received: from faxmail.com ([142.176.85.144])
• Received: from faxmail.com ([173.12.239.115])
• Received: from faxmail.com ([173.219.81.251])
• Received: from faxmail.com ([173.220.58.194])
• Received: from faxmail.com ([173.240.19.73])
• Received: from faxmail.com ([174.136.51.207])
• Received: from faxmail.com ([204.195.154.167])
• Received: from faxmail.com ([216.174.138.18])
• Received: from faxmail.com ([216.255.252.98])

 

LINKS FROM THE EMAILS ON MONDAY 2017-11-27:

• hxxp://compression-pump.info?4oVX1Ua8Efmy8i30u=[recipient's email address]
• hxxp://compression-pump.info?jhU30u355u=[recipient's email address]
• hxxp://compression-pumps.info?60yxQOK3T088axu=[recipient's email address]
• hxxp://compression-pumps.net?27PGUFE1LQ7=[recipient's email address]
• hxxp://compression-pumps.net?8in8YJ8yOSAiAza=[recipient's email address]
• hxxp://compression-pumps.net?TsO5ME1r85UO4O6m3=[recipient's email address]
• hxxp://compression-sock.info?HipaUyXUf1a53Vet11=[recipient's email address]
• hxxp://compression-sock.info?LTAUyiqCD5o8IKo2=[recipient's email address]
• hxxp://compression-socks.info?l3m1OgYc54nO=[recipient's email address]
• hxxp://jobst-compression-stockings.com?jMUe4=[recipient's email address]
• hxxp://jobst-compression-stockings.com?xvYHauO16oz36=[recipient's email address]
• hxxp://juzo-compression-socks.com?A8ofU5AdYOl=[recipient's email address]
• hxxp://juzo-compression-stockings.com?4iu8Zvh06oeHA=[recipient's email address]
• hxxp://juzo-compression-stockings.info?0i25Ebaq=[recipient's email address]
• hxxp://juzo-compression-stockings.info?86YcE827eB7H6U=[recipient's email address]
• hxxp://juzo-compression-stockings.info?oj54gy4jJojifF1l0k=[recipient's email address]
• hxxp://lymphedema-pumps.info?8Iw6b1tag=[recipient's email address]
• hxxp://lymphedema-pumps.info?f2AQ06uLm1sAo6=[recipient's email address]
• hxxp://lymphedema-pumps.info?I14Y4AewE2=[recipient's email address]
• hxxp://lymphedema-pumps.info?x0VpOiZn=[recipient's email address]
• hxxp://lymphedema-pumps.info?zEE0RyuPIjEL=[recipient's email address]
• hxxp://maternity-stockings.com?4ZfA1bbES7dEV35Efk=[recipient's email address]
• hxxp://nrgcompression.com?A5oMJv=[recipient's email address]
• hxxp://socks4runners.com?myd1iU0HhI1Ah4uj=[recipient's email address]

 

LINKS FROM THE EMAILS ON TUESDAY 2017-11-28:

• hxxp://diti.tips?01ut718OlavyU1O=[recipient's email address]
• hxxp://diti.tips?0q7tB8J1et1ifoe=[recipient's email address]
• hxxp://diti.tips?sY5Q1uNCoXuxa=[recipient's email address]
• hxxp://dititips.com?584k10120886AuVY4=[recipient's email address]
• hxxp://dititips.com?ySWn=[recipient's email address]
• hxxp://getcepsocks.com?l1z1l4uIH4=[recipient's email address]
• hxxp://jobstcompressionstocking.com?S1POJh7E5A02=[recipient's email address]
• hxxp://jobstcompressionstocking.com?yOz1pa4046X=[recipient's email address]
• hxxp://juzo.us?76Mie4iME5=[recipient's email address]
• hxxp://liha.tips?442Wsl5IqoN58182iA=[recipient's email address]
• hxxp://liha.tips?huPTMA5UgIa4=[recipient's email address]
• hxxp://liha.tips?lJyyAvO161H041=[recipient's email address]
• hxxp://newtecantips.com?h7AKlK0l=[recipient's email address]
• hxxp://sigvarisperformancesocks.com?KiEvahYOc0utFUcY=[recipient's email address]
• hxxp://socksforwintersports.com?2pOq=[recipient's email address]
• hxxp://socksforwintersports.com?i8DuS4H3em=[recipient's email address]
• hxxp://tecan.tips?ow2JCAti50IamU287=[recipient's email address]
• hxxp://tecan.tips?Ve637558Gq8g030=[recipient's email address]
• hxxp://zensahcompressionsleeves.com?5684XUZeDe75a=[recipient's email address]
• hxxp://zensahcompressionsleeves.com?F31JAoW1I1yveO5=[recipient's email address]

 

TRAFFIC

TRAFFIC FROM AN INFECTED HOST ON MONDAY 2017-11-27:

• 169.239.128.117 port 80 - compression-sock.info - GET /?LTAUyiqCD5o8IKo2=[recipient's email address]
• port 80 - api.ipify.org - GET /
• 146.120.110.146 port 80 - dintretrewor.com - POST /ls5/forum.php
• 197.255.147.146 port 80 - www.sa-la.org - GET /1
• 197.255.147.146 port 80 - www.sa-la.org - GET /2
• 197.255.147.146 port 80 - www.sa-la.org - GET /4
• 185.111.107.150 port 80 - faperropma.ru - POST /mlu/forum.php
• 185.111.107.150 port 80 - faperropma.ru - POST /d2/about.php
• 185.153.198.40 port 80 - agaratas.com - GET /docs/new?id=bcEFC1C8E5
• 185.153.198.40 port 80 - agaratas.com - GET /docs/new?id=bc8A600FD9
• 185.48.56.139 port 443 - atlanimeday.com - HTTPS/TLS/SSL traffic caused by IcedID
• 185.48.56.139 port 443 - localhost - HTTPS/TLS/SSL traffic caused by IcedID
• 185.127.26.227 port 443 - gooblesooq.com - HTTPS/TLS/SSL traffic caused by IcedID

 

TRAFFIC FROM AN INFECTED HOST ON TUESDAY 2017-11-28:

• 169.239.128.117 port 80 - diti.tips - GET /?sY5Q1uNCoXuxa=[recipient's email address]
• 185.111.107.150 port 80 - inspartorswa.com - POST /ls5/forum.php
• 185.111.107.150 port 80 - inspartorswa.com - POST /d2/about.php
• port 80 - api.ipify.org - GET /
• 65.52.78.162 port 80 - bigiftprod.cloudapp.net - GET /1
• 65.52.78.162 port 80 - bigiftprod.cloudapp.net - GET /2
• 65.52.78.162 port 80 - bigiftprod.cloudapp.net - GET /3
• 66.147.244.133 port 80 - mail.geekenfreude.com - GET /1
• 66.147.244.133 port 80 - mail.geekenfreude.com - GET /2
• 66.147.244.133 port 80 - mail.geekenfreude.com - GET /3
• 185.174.173.6 port 443 - rowrorofrat.com - HTTPS/TLS/SSL traffic caused by Zeus Panda Banker

 

MALWARE

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash: c9fc8b6b4da58b5e2fb739f171b8d259546370767fbff177f2480211b6b3f602
  File description: 2017-11-27 malicious Word doc with Hancitor macro (scan_325147.doc)
  File size: 343,552 bytes

• SHA256 hash: 32a683ac11d966d73fedf4e249573022891ac902086167e4d20b18be28bd2c1d
  File description: 2017-11-27 Downloader for IcedID banking Trojan (.exe file)
  File size: 579,072 bytes

• SHA256 hash: c80655eea1346e6587bb2b4567bcbca8d58979bc7e2bda96b48633987b8c148f
  File description: 2017-11-27 IcedID banking Trojan (.exe file)
  File size: 732,160 bytes

 

• SHA256 hash: 075a45a6dce497ef689c3211ebc3e84f9de6fd1027ec80c7653cc60fcc1d3275
  File description: 2017-11-28 malicious Word doc with Hancitor macro (fax_928826.doc)
  File size: 179,712 bytes

• SHA256 hash: 89a63d2bdee386ab69227938124052aee367aff1909005364538c4e89d5ebb72
  File description: 2017-11-28 Zeus Panda Banker (.exe file)
  File size: 181,760 bytes

 

FINAL NOTES

Once again, here are the associated files:

• 2017-11-27-Hancitor-malspam-emails.txt.zip   4.0 kB (4,039 bytes)
• 2017-11-27-Hancitor-malspam-traffic.pcap.zip   1.9 MB (1,854,349 bytes)
• 2017-11-27-Hancitor-malspam-malware.zip   669 kB (669,496 bytes)

• 2017-11-28-Hancitor-malspam-emails.txt.zip   3.2 kB (3,206 bytes)
• 2017-11-28-Hancitor-malspam-traffic.pcap.zip   470 kB (470,341 bytes)
• 2017-11-28-Hancitor-malspam-malware.zip   227 kB (226,719 bytes)

Zip and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.