2018-03-07 - HANCITOR MALSPAM - FAKE PAYPAL NOTICE

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-03-07-Hancitor-malspam-infection-traffic.zip   2.2 MB (2,224,049 bytes)

• 2018-03-07-Hancitor-infection-traffic.pcap   (2,484,788 bytes)
• 2018-03-07-Zeus-Panda-Banker-infection-traffic.pcap   (15,218 bytes)

• Zip archive of the emails:  2018-03-07-Hancitor-malspam-26-email-examples.txt.zip   13.5 kB (13,512 bytes)

• 2018-03-07-Hancitor-malspam-26-email-examples.txt   (442,183 bytes)

• Zip archive of the malware:  2018-03-07-Hancitor-infection-artifacts.zip   233 kB (233,430 bytes)

• 2018-03-07-Hancitor-maldoc-invoice_276194.doc   (226,304 bytes)
• 2018-03-07-Zeus-Panda-Banker.exe   (163,840 bytes)

NOTES:

• As usual, for the 3 follow-up downloads, we're still seeing Pony, Evil Pony (both resident in memory), and Zeus Panda Banker (saved to disk).
• The block list contains additional post-infection URLs originally reported by @Techhelplistcom on the VirusTotal entry for today's Word document.
• My thanks to @Techhelplistcom, @James_inthe_box, and everyone else who keeps an eye on this malspam and reports about it near-real-time on Twitter.

Shown above:  Screenshot from one of the emails.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• batcommunications.com
• creditdamageconsultant.com
• florida-pawn.com
• hnimgmt.com
• hollywood-pawn.com
• kanzlercompanies.com
• kastarqsr.com
• margate-pawn.com
• morris-law-firm.com
• myyogaberry.com
• starcorpinc.com
• toetallynailed.com
• cirewandbut.com
• babronwronot.ru
• romfinothad.ru
• hxxp://mypartnerforever.me/wp-includes/customize/1
• hxxp://mypartnerforever.me/wp-includes/customize/2
• hxxp://mypartnerforever.me/wp-includes/customize/3
• hxxp://euforia-piekna.pl/wp-content/plugins/thumbnail-for-excerpts/1
• hxxp://euforia-piekna.pl/wp-content/plugins/thumbnail-for-excerpts/2
• hxxp://euforia-piekna.pl/wp-content/plugins/thumbnail-for-excerpts/3
• hxxp://helpfulcrooks.com/wp-content/plugins/bwp-recent-comments/includes/1
• hxxp://helpfulcrooks.com/wp-content/plugins/bwp-recent-comments/includes/2
• hxxp://helpfulcrooks.com/wp-content/plugins/bwp-recent-comments/includes/3
• hxxp://prontohotel.fr/reiseblog/wp-content/plugins/wp-no-category-base/1
• hxxp://prontohotel.fr/reiseblog/wp-content/plugins/wp-no-category-base/2
• hxxp://prontohotel.fr/reiseblog/wp-content/plugins/wp-no-category-base/3
• hxxp://eng.mhb.mx/wp-content/plugins/get-the-image/1
• hxxp://eng.mhb.mx/wp-content/plugins/get-the-image/2
• hxxp://eng.mhb.mx/wp-content/plugins/get-the-image/3
• diheclerow.ru

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Wednesday 2018-03-07 as early as 16:28 UTC through at least 18:52 UTC

• Received: from rachelallan.com ([24.43.154.229])
• Received: from rachelallan.com ([67.212.207.69])
• Received: from rachelallan.com ([68.185.227.33])
• Received: from rachelallan.com ([70.90.35.129])
• Received: from rachelallan.com ([75.145.156.49])
• Received: from trivalleyurology.com ([24.240.172.42])
• Received: from trivalleyurology.com ([50.247.22.145])
• Received: from trivalleyurology.com ([50.248.192.49])
• Received: from trivalleyurology.com ([66.97.110.230])
• Received: from trivalleyurology.com ([67.221.222.194])
• Received: from trivalleyurology.com ([70.182.4.13])
• Received: from trivalleyurology.com ([71.206.183.184])
• Received: from trivalleyurology.com ([73.103.77.175])
• Received: from trivalleyurology.com ([73.237.189.90])
• Received: from trivalleyurology.com ([75.106.127.147])
• Received: from trivalleyurology.com ([75.129.211.11])
• Received: from trivalleyurology.com ([76.70.31.65])
• Received: from trivalleyurology.com ([96.82.224.81])
• Received: from trivalleyurology.com ([99.254.166.184])
• Received: from trivalleyurology.com ([108.20.23.234])
• Received: from trivalleyurology.com ([108.189.55.3])
• Received: from trivalleyurology.com ([199.5.189.237])
• Received: from trivalleyurology.com ([206.127.114.54])
• Received: from trivalleyurology.com ([207.150.250.2])
• Received: from trivalleyurology.com ([208.80.167.34])

• From: "PayPal Inc" <invoice@rachelallan.com>
• From: "PayPal Inc" <invoice@trivalleyurology.com>
• From: "PayPal Invoice Service" <invoice@rachelallan.com>
• From: "PayPal Invoice Service" <invoice@trivalleyurology.com>
• From: "PayPal Services" <invoice@rachelallan.com>
• From: "PayPal Services" <invoice@trivalleyurology.com>

• Subject: PayPal   Message
• Subject: PayPal   Notification
• Subject: PayPal  Invoice Message
• Subject: PayPal  Invoice Notification
• Subject: PayPal Automated  Message
• Subject: PayPal Automated  Notice
• Subject: PayPal Automated  Notification
• Subject: PayPal Automated Invoice Message
• Subject: PayPal Automated Invoice Notification
• Subject: PayPal Automatic  Message
• Subject: PayPal Automatic  Notice
• Subject: PayPal Automatic  Notification
• Subject: PayPal Automatic Invoice Message
• Subject: PayPal Electronic  Message
• Subject: PayPal Electronic  Notice
• Subject: PayPal Electronic Invoice Message
• Subject: PayPal Electronic Invoice Notice
• Subject: PayPal Electronic Invoice Notification

 

Shown above:  Clicking on a link from one of the malspam examples.

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Zeus Panda Banker traffic filtered in Wireshark.

 

LINKS IN THE EMAILS FOR THE WORD DOCUMENT:

• hxxp://batcommunications.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://hnimgmt.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://hnimgmt.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://hnimgmt.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://hollywood-pawn.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://kastarqsr.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://kastarqsr.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://margate-pawn.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://morris-law-firm.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://myyogaberry.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://starcorpinc.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://toetallynailed.com?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 95.213.200.176 port 80 - batcommunications.com - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify.org - GET /
• 93.189.40.107 port 80 - cirewandbut.com - POST /ls5/forum.php
• 93.189.40.107 port 80 - cirewandbut.com - POST /mlu/forum.php
• 93.189.40.107 port 80 - cirewandbut.com - POST /d2/about.php
• 192.254.185.27 port 80 - mypartnerforever.me - GET /wp-includes/customize/1
• 192.254.185.27 port 80 - mypartnerforever.me - GET /wp-includes/customize/2
• 192.254.185.27 port 80 - mypartnerforever.me - GET /wp-includes/customize/3
• 185.204.219.210 port 80 - euforia-piekna.pl - GET /wp-content/plugins/thumbnail-for-excerpts/1
• 185.204.219.210 port 80 - euforia-piekna.pl - GET /wp-content/plugins/thumbnail-for-excerpts/2
• 185.204.219.210 port 80 - euforia-piekna.pl - GET /wp-content/plugins/thumbnail-for-excerpts/3
• 91.221.36.71 port 443 - diheclerow.ru - HTTPS/SSL/TLS traffic from Zeus Panda Banker
• port 443 - google.com - connectivity check caused by Zeus Panda Banker

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  1d63cfe0c0b6c80212aafef737fc63f63415634c74ac3159966f63c31c1a08d4
  File size:  226,304 bytes
  File name:  invoice_276194.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  b148c9c73420619ac3efa018261da3f29b5bf86e2b1aded5895cc26dd74dd159
  File size:  163,840 bytes
  File location:  C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

 

IMAGES

Shown above:  Zeus Panda Banker persistent on an infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2018-03-07-Hancitor-malspam-infection-traffic.zip   2.2 MB (2,224,049 bytes)
• Zip archive of the emails:  2018-03-07-Hancitor-malspam-26-email-examples.txt.zip   13.5 kB (13,512 bytes)
• Zip archive of the malware:  2018-03-07-Hancitor-infection-artifacts.zip   233 kB (233,430 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.