Malware-Traffic-Analysis.net - 2018-04-11 - Hancitor malspam

2018-04-11 - HANCITOR MALSPAM - FAKE ATT NOTIFICATIONS

ASSOCIATED FILES:

2018-04-11-Hancitor-malspam-infection-traffic.pcap (2,645,333 bytes)

2018-04-11-Hancitor-malspam-15-email-examples.txt (94,925 bytes)

Zip archive of the malware: 2018-04-11-Hancitor-infection-artifacts.zip 235 kB (235,308 bytes)

2018-04-11-Word-doc-with-macro-for-Hancitor.doc (224,256 bytes)

2018-04-11-Zeus-Panda-Banker-sample.exe (184,320 bytes)

NOTES:

The block list contains additional post-infection URLs originally reported by @James_inthe_box reported on a Pastebin link here.
As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.

Shown above: Flow chart for a typical Hancitor malspam infection.

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:

166e61.com
drywallexpo.com
estimating.training
finishtradeexpo.com
fleamarketfragrances.com
gurwitz.com
ourversionfragrances.com
ourversionscents.com
knockoffcologne.com
virtualdrywallexpo.com
gotsurievent.com
henfetanug.ru
saortonsjohn.ru
hxxp://contentsuperstar.com/wp-content/languages/plugins/1
hxxp://contentsuperstar.com/wp-content/languages/plugins/4
hxxp://contentsuperstar.com/wp-content/languages/plugins/5
hxxp://image-a.com/wp/wp-content/plugins/easy-media-gallery/includes/1
hxxp://image-a.com/wp/wp-content/plugins/easy-media-gallery/includes/4
hxxp://image-a.com/wp/wp-content/plugins/easy-media-gallery/includes/5
hxxp://kuchingsupplies.com/wp-content/plugins/gallery-by-supsystic/vendor/Twig/1
hxxp://kuchingsupplies.com/wp-content/plugins/gallery-by-supsystic/vendor/Twig/4
hxxp://kuchingsupplies.com/wp-content/plugins/gallery-by-supsystic/vendor/Twig/5
lyrintedba.com

Shown above: Screenshot from one of the emails.

EMAIL HEADERS:

Date/Time: Wednesday 2018-04-11 as early as 15:07 UTC through at least 17:42 UTC

Received: from baysingertrucking.com ([8.46.162.38])
Received: from baysingertrucking.com ([12.25.2.162])
Received: from baysingertrucking.com ([50.248.104.45])
Received: from baysingertrucking.com ([65.71.222.139])
Received: from baysingertrucking.com ([65.175.137.10])
Received: from baysingertrucking.com ([69.36.88.210])
Received: from baysingertrucking.com ([69.70.18.148])
Received: from baysingertrucking.com ([76.189.202.187])
Received: from baysingertrucking.com ([81.43.73.211])
Received: from baysingertrucking.com ([81.199.17.201])
Received: from baysingertrucking.com ([98.191.128.95])
Received: from baysingertrucking.com ([152.160.35.34])
Received: from baysingertrucking.com ([159.180.236.145])
Received: from baysingertrucking.com ([174.109.248.174])
Received: from baysingertrucking.com ([198.0.79.250])

Shown above: Malicious Word document downloaded from link in the malspam.

Shown above: Traffic from an infection filtered in Wireshark.

LINKS IN THE EMAILS FOR THE WORD DOCUMENT:

hxxp://166e61.com?[string of characters]=[encoded string representing recipient's email address]
hxxp://estimating.training?[string of characters]=[encoded string representing recipient's email address]
hxxp://finishtradeexpo.com?[string of characters]=[encoded string representing recipient's email address]
hxxp://fleamarketfragrances.com?[string of characters]=[encoded string representing recipient's email address]
hxxp://gurwitz.com?[string of characters]=[encoded string representing recipient's email address]
hxxp://knockoffcologne.com?[string of characters]=[encoded string representing recipient's email address]
hxxp://ourversionfragrances.com?[string of characters]=[encoded string representing recipient's email address]
hxxp://ourversionscents.com?[string of characters]=[encoded string representing recipient's email address]
hxxp://virtualdrywallexpo.com?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

35.204.196.178 port 80 - finishtradeexpo.com - GET /?[string of characters]=[encoded string representing recipient's email address]
port 80 - api.ipify.org - GET /
185.43.223.6 port 80 - gotsurievent.com - POST /ls5/forum.php
185.43.223.6 port 80 - gotsurievent.com - POST /mlu/about.php
185.43.223.6 port 80 - gotsurievent.com - POST /d2/about.php
217.174.156.249 port 80 - image-a.com - GET /wp-content/plugins/easy-media-gallery/includes/1
217.174.156.249 port 80 - image-a.com - GET /wp-content/plugins/easy-media-gallery/includes/4
217.174.156.249 port 80 - image-a.com - GET /wp-content/plugins/easy-media-gallery/includes/5
146.185.254.16 port 443 - lyrintedba.com - HTTPS/SSL/TLS traffic from Zeus Panda Banker

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

SHA256 hash: d60dbc150c1ad9f052e4ed8c73d2dbcedf95ca02706697bb87b142afdc9351b6
File size: 224,256 bytes
File name: invoice_319872.doc [any six random digits for the numbers]
File description: Word document with macro for Hancitor

SHA256 hash: 73df38455456a94565f47f06839ab029a7e8dddb42dcdb3e8a0e2db4ee148fba
File size: 184,320 bytes
File location: C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
File description: Zeus Panda Banker

Shown above: Zeus Panda Banker persistent on the infected Windows host.

Once again, here are the associated files:

Zip archive of the traffic: 2018-04-11-Hancitor-malspam-infection-traffic.pcap.zip 2.2 MB (2,191,701 bytes)
Zip archive of the emails: 2018-04-11-Hancitor-malspam-15-email-examples.txt.zip 4.9 kB (4,855 bytes)
Zip archive of the malware: 2018-04-11-Hancitor-infection-artifacts.zip 235 kB (235,308 bytes)

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.