2017-11-28 - TWO DAYS OF HANCITOR MALSPAM
ASSOCIATED FILES:
- 2017-11-27-Hancitor-malspam-emails.txt.zip 4.0 kB (4,039 bytes)
- 2017-11-27-Hancitor-malspam-traffic.pcap.zip 1.9 MB (1,854,349 bytes)
- 2017-11-27-Hancitor-malspam-malware.zip 669 kB (669,496 bytes)
- 2017-11-28-Hancitor-malspam-emails.txt.zip 3.2 kB (3,206 bytes)
- 2017-11-28-Hancitor-malspam-traffic.pcap.zip 470 kB (470,341 bytes)
- 2017-11-28-Hancitor-malspam-malware.zip 227 kB (226,719 bytes)
NOTES:
- This post contains two days of Hancitor malspam, because I didn't have time to do a separate blog yesterday.
- Yesterday (2017-11-27) Hancitor maldocs were pushing a file downloader that grabbed the IcedID banking Trojan, but today (2017-11-28) Hancitor is back to pushing Zeus Panda Banker (along with Pony and EvilPony, resident in memory, as usual).
Shown above: Traffic from an infection filtered in Wireshark (Monday 2017-11-27).
Shown above: Traffic from an infection filtered in Wireshark (Tuesday 2017-11-28).
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
EMAILS
MALSPAM INFO - MONDAY 2017-11-27:
- Date/Time: Monday 2017-11-27 as early as 15:43 UTC through at least 18:30 UTC
- Subject: [recipient's email domain] accounting statements
- From: "Abe Duron" <finance@fairwaypm.com>
- From: "Darius Brundidge" <finance@derenztransport.com>
- From: "Dean Danley" <finance@fairwaypm.com>
- From: "Devin Stangle" <finance@derenztransport.com>
- From: "Fredric Nathaniel" <finance@derenztransport.com>
- From: "Gil Mcglinchey" <finance@derenztransport.com>
- From: "Gil Mcglinchey" <finance@derenztransport.com>
- From: "Gregorio Barrentine" <finance@fairwaypm.com>
- From: "Homer Beaudette" <finance@fairwaypm.com>
- From: "Jed Poffenberger" <finance@derenztransport.com>
- From: "Kermit Cowling" <finance@fairwaypm.com>
- From: "Leandro Maginnis" <finance@derenztransport.com>
- From: "Louie Meador" <finance@derenztransport.com>
- From: "Marvin Kozak" <finance@derenztransport.com>
- From: "Moshe Winston" <finance@derenztransport.com>
- From: "Ned Peavey" <finance@derenztransport.com>
- From: "Ned Peavey" <finance@derenztransport.com>
- From: "Ned Peavey" <finance@derenztransport.com>
- From: "Perry Vermeulen" <finance@fairwaypm.com>
- From: "Perry Vermeulen" <finance@fairwaypm.com>
- From: "Stanford Magnuson" <finance@fairwaypm.com>
- From: "Wayne Grey" <finance@derenztransport.com>
- From: "Whitney Grange" <finance@derenztransport.com>
- From: "Wilfred Cabezas" <finance@derenztransport.com>
MALSPAM INFO - TUESDAY 2017-11-28:
- Date/Time: Tuesday 2017-11-28 as early as 16:09 UTC through at least 18:47 UTC
- From: "eFax" <efax@faxmail.com>
- Subject: 800-241-5331 has faxed you a document.
- Subject: 800-241-8328 has faxed you a document.
- Subject: 801-241-0241 has faxed you a document.
- Subject: 801-241-1014 has faxed you a document.
- Subject: 801-241-5068 has faxed you a document.
- Subject: 802-241-0514 has faxed you a document.
- Subject: 803-241-1160 has faxed you a document.
- Subject: 804-241-6041 has faxed you a document.
- Subject: 804-241-6600 has faxed you a document.
- Subject: 804-241-8681 has faxed you a document.
- Subject: 805-241-5668 has faxed you a document.
- Subject: 806-241-1475 has faxed you a document.
- Subject: 806-241-2183 has faxed you a document.
- Subject: 806-241-3742 has faxed you a document.
- Subject: 807-241-0001 has faxed you a document.
- Subject: 807-241-1351 has faxed you a document.
- Subject: 807-241-2240 has faxed you a document.
- Subject: 807-241-6075 has faxed you a document.
- Subject: 807-241-7725 has faxed you a document.
- Subject: 808-241-4650 has faxed you a document.
LINKS FROM THE EMAILS ON MONDAY 2017-11-27:
LINKS FROM THE EMAILS ON TUESDAY 2017-11-28:
TRAFFIC
TRAFFIC FROM AN INFECTED HOST ON MONDAY 2017-11-27:
- 169.239.128.117 port 80 - compression-sock.info - GET /?LTAUyiqCD5o8IKo2=[recipient's email address]
- port 80 - api.ipify.org - GET /
- 146.120.110.146 port 80 - dintretrewor.com - POST /ls5/forum.php
- 197.255.147.146 port 80 - www.sa-la.org - GET /1
- 197.255.147.146 port 80 - www.sa-la.org - GET /2
- 197.255.147.146 port 80 - www.sa-la.org - GET /4
- 185.111.107.150 port 80 - faperropma.ru - POST /mlu/forum.php
- 185.111.107.150 port 80 - faperropma.ru - POST /d2/about.php
- 185.153.198.40 port 80 - agaratas.com - GET /docs/new?id=bcEFC1C8E5
- 185.153.198.40 port 80 - agaratas.com - GET /docs/new?id=bc8A600FD9
- 185.48.56.139 port 443 - atlanimeday.com - HTTPS/TLS/SSL traffic caused by IcedID
- 185.48.56.139 port 443 - localhost - HTTPS/TLS/SSL traffic caused by IcedID
- 185.127.26.227 port 443 - gooblesooq.com - HTTPS/TLS/SSL traffic caused by IcedID
TRAFFIC FROM AN INFECTED HOST ON TUESDAY 2017-11-28:
- 169.239.128.117 port 80 - diti.tips - GET /?sY5Q1uNCoXuxa=[recipient's email address]
- 185.111.107.150 port 80 - inspartorswa.com - POST /ls5/forum.php
- 185.111.107.150 port 80 - inspartorswa.com - POST /d2/about.php
- port 80 - api.ipify.org - GET /
- 65.52.78.162 port 80 - bigiftprod.cloudapp.net - GET /1
- 65.52.78.162 port 80 - bigiftprod.cloudapp.net - GET /2
- 65.52.78.162 port 80 - bigiftprod.cloudapp.net - GET /3
- 66.147.244.133 port 80 - mail.geekenfreude.com - GET /1
- 66.147.244.133 port 80 - mail.geekenfreude.com - GET /2
- 66.147.244.133 port 80 - mail.geekenfreude.com - GET /3
- 185.174.173.6 port 443 - rowrorofrat.com - HTTPS/TLS/SSL traffic caused by Zeus Panda Banker
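As an added detection example (not part of the original post), the Python below scans proxy-style log lines for the three request shapes that recur in both infection chains above: the lure link whose only query-string value is the recipient's email address, the POST check-ins to forum.php / about.php URIs, and the follow-on payload fetches as bare numbered paths (/1, /2, /4). The log lines, the 10.0.0.x client addresses and the example.org request are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy-log sample (not from the pcap), modelled on the Monday
# request sequence listed above: "<client> <method> <url>" per line.
SAMPLE_LOG = """\
10.0.0.5 GET http://compression-sock.info/?LTAUyiqCD5o8IKo2=user@example.com
10.0.0.5 GET http://api.ipify.org/
10.0.0.5 POST http://dintretrewor.com/ls5/forum.php
10.0.0.5 GET http://www.sa-la.org/1
10.0.0.5 GET http://www.sa-la.org/4
10.0.0.5 POST http://faperropma.ru/d2/about.php
10.0.0.9 GET http://www.example.org/index.html?page=2
"""
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def classify(method, url):
    """Tag one request, or return None when it matches none of the patterns."""
    u = urlsplit(url)
    params = parse_qsl(u.query, keep_blank_values=True)
    # Lure link: bare host, no real path, one random-named query key whose
    # value is an email address (the malspam links encode the recipient).
    if (method == "GET" and u.path in ("", "/") and len(params) == 1
            and EMAIL_RE.match(params[0][1])):
        return "lure-link"
    # Hancitor / Pony check-ins: POST to .../forum.php or .../about.php.
    if method == "POST" and re.search(r"/(forum|about)\.php$", u.path):
        return "checkin-post"
    # Follow-on payloads fetched as bare numbered paths from a compromised host.
    if method == "GET" and re.fullmatch(r"/[1-9]", u.path):
        return "numbered-fetch"
    return None

def scan(log_text):
    """Return (client, tag, host) for every line that matches a pattern."""
    hits = []
    for line in log_text.splitlines():
        client, method, url = line.split()
        tag = classify(method, url)
        if tag:
            hits.append((client, tag, urlsplit(url).hostname))
    return hits

def infected_clients(hits):
    """Clients showing at least two distinct stages; one stage alone is weak."""
    stages = {}
    for client, tag, _ in hits:
        stages.setdefault(client, set()).add(tag)
    return {c for c, tags in stages.items() if len(tags) >= 2}
```

A single numbered-path GET or one forum.php POST is common enough on legitimate sites that only the combination of stages from one client is worth an alert; run `infected_clients(scan(log))` over your own proxy export to get that list.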
MALWARE
MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: c9fc8b6b4da58b5e2fb739f171b8d259546370767fbff177f2480211b6b3f602
  File description: 2017-11-27 malicious Word doc with Hancitor macro (scan_325147.doc)
  File size: 343,552 bytes
- SHA256 hash: 32a683ac11d966d73fedf4e249573022891ac902086167e4d20b18be28bd2c1d
  File description: 2017-11-27 Downloader for IcedID banking Trojan (.exe file)
  File size: 579,072 bytes
- SHA256 hash: c80655eea1346e6587bb2b4567bcbca8d58979bc7e2bda96b48633987b8c148f
  File description: 2017-11-27 IcedID banking Trojan (.exe file)
  File size: 732,160 bytes
- SHA256 hash: 075a45a6dce497ef689c3211ebc3e84f9de6fd1027ec80c7653cc60fcc1d3275
  File description: 2017-11-28 malicious Word doc with Hancitor macro (fax_928826.doc)
  File size: 179,712 bytes
- SHA256 hash: 89a63d2bdee386ab69227938124052aee367aff1909005364538c4e89d5ebb72
  File description: 2017-11-28 Zeus Panda Banker (.exe file)
  File size: 181,760 bytes
FINAL NOTES
Zip and saz files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.