2018-04-04 - HANCITOR MALSPAM - FAKE DHL NOTIFICATIONS

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-04-04-Hancitor-malspam-infection-traffic.pcap.zip   2.05 MB (2,048,333 bytes)

• 2018-04-04-Hancitor-malspam-infection-traffic.pcap   (2,313,650 bytes)

• Zip archive of the emails:  2018-04-04-Hancitor-malspam-20-email-examples.txt.zip   5.9 kB (5,866 bytes)

• 2018-04-04-Hancitor-malspam-20-email-examples.txt   (89,685 bytes)

• Zip archive of the malware:  2018-04-04-Hancitor-infection-artifacts.zip   235 kB (235,308 bytes)

• 2018-04-04-email-attachment-with-malcious-macro-for-Hancitor.doc   (191,488 bytes)
• 2018-04-04-follow-up-malware-Zeus-Panda-Banker.exe   (167,936 bytes)

NOTES:

• The block list contains additional post-infection URLs originally reported by @Ring0x0 reported on a Pastebin link here.
• As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• arcpercussivewelder.com
• arcpercussivewelding.com
• austinrealestateexchange.com
• bonitaluxe.com
• colloidsforlife.co
• dfwrealestateexchange.com
• durawares.com
• joliethearingcenter.net
• marnicobeauty.net
• marnicobeauty.us
• mokenahearingcenter.net
• silvercolloidal.co
• silverwater.co
• tilvera.com
• onkesandre.com
• ledrighlittleft.ru
• torscimeled.ru
• hxxp://risparmiato.com/wp-content/plugins/really-simple-captcha/2
• hxxp://risparmiato.com/wp-content/plugins/really-simple-captcha/3
• hxxp://siteslikecraigslist.com/wp-content/plugins/w3-total-cache/2
• hxxp://siteslikecraigslist.com/wp-content/plugins/w3-total-cache/3
• hxxp://animalhealthcenterinc.com/wp-content/plugins/post-expirator/3
• hxxp://animalhealthcenterinc.com/wp-content/plugins/post-expirator/3
• oldsinedtdin.com

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Wednesday 2018-04-04 as early as 15:04 UTC through at least 18:53 UTC

• Received: from factorco2.com ([208.181.214.155])
• Received: from texaspipeworks.com ([24.59.231.41])
• Received: from texaspipeworks.com ([24.98.122.253])
• Received: from texaspipeworks.com ([50.78.213.182])
• Received: from texaspipeworks.com ([63.142.59.182])
• Received: from texaspipeworks.com ([68.236.120.88])
• Received: from texaspipeworks.com ([70.62.179.154])
• Received: from texaspipeworks.com ([72.52.101.226])
• Received: from texaspipeworks.com ([75.149.57.254])
• Received: from texaspipeworks.com ([76.99.21.230])
• Received: from texaspipeworks.com ([81.255.30.139])
• Received: from texaspipeworks.com ([98.174.169.236])
• Received: from texaspipeworks.com ([207.228.78.4])
• Received: from timmaloneysales.com ([24.123.173.42])
• Received: from timmaloneysales.com ([66.37.89.105])
• Received: from timmaloneysales.com ([67.221.222.194])
• Received: from timmaloneysales.com ([73.34.196.197])
• Received: from timmaloneysales.com ([206.81.64.108])
• Received: from timmaloneysales.com ([209.33.115.244])
• Received: from timmaloneysales.com ([216.70.134.158])

• From: "DHL " <delivery@texaspipeworks.com>
• From: "DHL " <delivery@timmaloneysales.com>
• From: "DHL Express" <delivery@factorco2.com>
• From: "DHL Express" <delivery@texaspipeworks.com>
• From: "DHL Express" <delivery@timmaloneysales.com>
• From: "DHL Inc." <delivery@texaspipeworks.com>
• From: "DHL Inc." <delivery@timmaloneysales.com>

• Subject: You have a package coming
• Subject: You have a package coming from DHL
• Subject: You have a package coming to you
• Subject: You have a package on it's way to you
• Subject: You have a package on its way
• Subject: You have a shipment coming
• Subject: You have a shipment coming from DHL
• Subject: You have a shipment coming to you from DHL
• Subject: You have a shipment on it's way
• Subject: You have a shipment on it's way from DHL
• Subject: You have a shipment on it's way to you
• Subject: You have a shipment on it's way to you from DHL
• Subject: You have a shipment on its way from DHL

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS IN THE EMAILS FOR THE WORD DOCUMENT:

• hxxp://arcpercussivewelder.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://arcpercussivewelding.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://austinrealestateexchange.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://bonitaluxe.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://colloidsforlife.co?[string of characters]=[encoded string representing recipient's email address]
• hxxp://dfwrealestateexchange.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://durawares.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://joliethearingcenter.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://marnicobeauty.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://marnicobeauty.us?[string of characters]=[encoded string representing recipient's email address]
• hxxp://silvercolloidal.co?[string of characters]=[encoded string representing recipient's email address]
• hxxp://silverwater.co?[string of characters]=[encoded string representing recipient's email address]
• hxxp://tilvera.com?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 104.199.36.43 port 80 - marnicobeauty.us - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify.org - GET /
• 91.227.68.36 port 80 - onkesandre.com - POST /ls5/forum.php
• 91.227.68.36 port 80 - onkesandre.com - POST /d2/about.php
• 92.61.152.31 port 80 - risparmiato.com - GET /wp-content/plugins/really-simple-captcha/2
• 92.61.152.31 port 80 - risparmiato.com - GET /wp-content/plugins/really-simple-captcha/32
• 45.76.114.241 port 443 - oldsinedtdin.com - HTTPS/SSL/TLS traffic from Zeus Panda Banker

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  b2972114e6e5039b60c323d7cc74ad9f9edb78c8582878b4b2e93ae2a9b723bd
  File size:  191,488 bytes
  File name:  invoice_447148.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  114e686376515143aab1873beb5953a8a1e67917a869a165ec23ecd871e5f996
  File size:  167,936 bytes
  File location:  C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

Shown above:  Zeus Panda Banker persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2018-04-04-Hancitor-malspam-infection-traffic.pcap.zip   2.05 MB (2,048,333 bytes)
• Zip archive of the emails:  2018-04-04-Hancitor-malspam-20-email-examples.txt.zip   5.9 kB (5,866 bytes)
• Zip archive of the malware:  2018-04-04-Hancitor-infection-artifacts.zip   235 kB (235,308 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.