Malware-Traffic-Analysis.net - 2018-01-24 - Quick post: Hancitor malspam

2018-01-24 - QUICK POST: HANCITOR MALSPAM

ASSOCIATED FILES:

Zip archive of the traffic: 2018-01-24-Hancitor-infection-traffic.pcap.zip 4.6 MB (4,554,087 bytes)

2018-01-24-Hancitor-infection-traffic.pcap (9,461,350 bytes)

Zip archive of the emails: 2018-01-24-Hancitor-malspam-12-emails.txt.zip 2.2 kB (2,164 bytes)

2018-01-24-Hancitor-malspam-12-emails.txt (25,671 bytes)

Zip archive of the malware: 2018-01-24-Hancitor-infection-malware-and-artifacts.zip 1.9 MB (1,857,712 bytes)

2018-01-24-Hancitor-RTF-sample-invoice_254455.doc (156,854 bytes)

2018-01-24-Hancitor-decoded-from-base64-string-in-RTF-file.exe (41,472 bytes)

2018-01-24-Zeus-Panda-Banker-sample.exe (204,800 bytes)

2018-01-24-follow-up-malware-spambot-intaller.exe (2,040,320 bytes)

NOTES:

I wrote an ISC diary covering yesterday's Hancitor: RTF files for Hancitor utilize exploit for CVE-2017-11882
Read that diary for a better understanding of today's traffic.
There are two differences in Today's Hancitor compared to yesterday:

1) Script with the base64 string for the Hancitor binary was embedded in the RTF file instead of being retrieved from a server.
2) My infected lab host spewed a great deal of additional Hancitor malspam in the post-infection SMTP traffic.

Zip files are password-protected. If you don't know the password, look at the "about" page of this website.

INDICATORS:

EMAIL INFO:

- Subject: Shipment status changed for parcel #1234!
- From: usps@ncasef.com

BLOCK LIST FROM INDICATORS IN THE PCAP:

- 777rent.com
- boxerproperty.info
- boxerworkstyle.net
- buildmyofficespace.com
- buildyourofficespace.com
- cheap-office-space.net
- denver-office-space.net
- el-paso-office-space.com
- houston-executive-suites.net
- jbaportfolio.com
- naveundpa.com
- suptalefthed.ru
- hxxp://www.dressedfortime.com/wp-content/plugins/title-and-nofollow-for-links/inc/1
- hxxp://www.dressedfortime.com/wp-content/plugins/title-and-nofollow-for-links/inc/2
- hxxp://www.dressedfortime.com/wp-content/plugins/title-and-nofollow-for-links/inc/3
- hxxp://store.firmbarbershop.com/wp-content/plugins/custom-firmshop/62b.exe

MALWARE:

- SHA256 hash: b489ca02dcea8dc7d5420908ad5d58f99a6fef160721dcecfd512095f2163f7a
- Description: 2018-01-24 Hancitor RTF sample: invoice_254455.doc

- SHA256 hash: e205b987b1faa34dc3457c76299779f5b1fe604a276cf578fc5642e708be5f12
- Description: 2018-01-24 Hancitor binary decoded from base64 string in RTF file

- SHA256 hash: 92c07ff5e7e08360ed324a574d6b3db9a2d6934bff6eb4cd1deee80e72f7ed33
- Description: 2018-01-24 Zeus Panda Banker

- SHA256 hash: 998184a140b0998732144be054f4c8f5c1609d997155830c52feee05160db3b8
- Description: 2018-01-24 follow-up malware: Send-Safe spambot installer

IMAGES:

Click here to return to the main page.