2018-04-19 - HANCITOR MALSPAM - FAKE HELLOFAX NOTIFICATIONS

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-04-19-Hancitor-malspam-infection-traffic.pcap.zip   4.0 MB (4,004,462 bytes)

• 2018-04-19-Hancitor-malspam-infection-traffic.pcap   (5,194,979 bytes)

• Zip archive of the emails:  2018-04-19-Hancitor-malspam-54-email-examples.txt.zip   11 kB (11,111 bytes)

• 2018-04-19-Hancitor-malspam-54-email-examples.txt   (333,283 bytes)

• Zip archive of the malware:  2018-04-19-Hancitor-malspam-infection-artifacts.zip   1.9 MB (1,881,376 bytes)

• 2018-04-19-Hancitor-infection-follow-up-malware-81a.exe   (1,892,352 bytes)
• 2018-04-19-Word-doc-with-macro-for-Hancitor.doc   (265,216 bytes)
• 2018-04-19-Zeus-Panda-Banker-seen-during-Hancitor-malspam-infection.exe   (204,800 bytes)

NOTES:

• The block list contains additional info reported by @Techhelplistcom in a VirusTotal comment for the associated Word document.
• As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.
• Today, I also saw follow-up malware for the Send Safe Enterprise (SSE) spambot installer.

Shown above:  Flow chart for a typical Hancitor malspam infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• estimatorfind.com
• garywhitakerfamily.com
• garywhitakerfamily.net
• headshopsmell.com
• ilovepatchouli.com
• patchouliscent.com
• virtualpaintexpo.com
• caharthenret.com
• naotuseor.ru
• pertacikin.ru
• hxxp://flushstance.com/1
• hxxp://flushstance.com/2
• hxxp://flushstance.com/3
• hxxp://saedpartnership.org/wp-content/plugins/envato-market/inc/1
• hxxp://saedpartnership.org/wp-content/plugins/envato-market/inc/2
• hxxp://saedpartnership.org/wp-content/plugins/envato-market/inc/3
• hxxp://weddinggames.com.au/wp-content/themes/twentyten/1
• hxxp://weddinggames.com.au/wp-content/themes/twentyten/2
• hxxp://weddinggames.com.au/wp-content/themes/twentyten/3
• hxxp://www.cdiqra.com/components/com_content/helpers/1
• hxxp://www.cdiqra.com/components/com_content/helpers/2
• hxxp://www.cdiqra.com/components/com_content/helpers/3
• hxxp://ofczianka.hu/wp-content/themes/twentyfifteen/inc/1
• hxxp://ofczianka.hu/wp-content/themes/twentyfifteen/inc/2
• hxxp://ofczianka.hu/wp-content/themes/twentyfifteen/inc/3
• taldiparep.ru
• hxxp://www.unsafedrugs.com/81a.exe

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Thursday 2018-04-19 as early as 14:59 UTC through at least 18:14 UTC

• Received: from ([12.106.90.2])
• Received: from ([173.8.37.101])
• Received: from grandjkc.com ([5.89.22.195])
• Received: from grandjkc.com ([24.116.113.74])
• Received: from grandjkc.com ([24.230.94.38])
• Received: from grandjkc.com ([38.106.98.31])
• Received: from grandjkc.com ([50.204.18.30]))
• Received: from grandjkc.com ([65.122.188.170])
• Received: from grandjkc.com ([67.49.49.239])
• Received: from grandjkc.com ([69.27.48.150])
• Received: from grandjkc.com ([70.90.55.134])
• Received: from grandjkc.com ([70.90.219.225])
• Received: from grandjkc.com ([71.80.60.221])
• Received: from grandjkc.com ([73.161.105.233])
• Received: from grandjkc.com ([75.148.247.113])
• Received: from grandjkc.com ([96.84.215.1])
• Received: from grandjkc.com ([96.95.225.170])
• Received: from grandjkc.com ([204.195.154.167])
• Received: from thecarltun.com ([12.186.237.244])
• Received: from thecarltun.com ([23.24.67.153])
• Received: from thecarltun.com ([23.30.54.177])
• Received: from thecarltun.com ([24.205.165.132])
• Received: from thecarltun.com ([24.249.81.126])
• Received: from thecarltun.com ([38.106.98.31])
• Received: from thecarltun.com ([45.59.254.20])
• Received: from thecarltun.com ([50.198.179.162])
• Received: from thecarltun.com ([50.225.140.58])
• Received: from thecarltun.com ([50.243.56.185])
• Received: from thecarltun.com ([50.255.203.185])
• Received: from thecarltun.com ([64.62.60.154])
• Received: from thecarltun.com ([67.186.172.133])
• Received: from thecarltun.com ([67.208.133.132])
• Received: from thecarltun.com ([72.24.104.186])
• Received: from thecarltun.com ([72.25.166.130])
• Received: from thecarltun.com ([73.34.196.197])
• Received: from thecarltun.com ([75.146.90.69])
• Received: from thecarltun.com ([75.148.254.54])
• Received: from thecarltun.com ([76.8.204.66])
• Received: from thecarltun.com ([96.33.250.2])
• Received: from thecarltun.com ([96.37.147.182])
• Received: from thecarltun.com ([96.83.60.30])
• Received: from thecarltun.com ([98.189.148.233])
• Received: from thecarltun.com ([108.46.196.93])
• Received: from thecarltun.com ([173.8.37.101])
• Received: from thecarltun.com ([173.8.52.203])
• Received: from thecarltun.com ([192.171.200.46])
• Received: from thecarltun.com ([197.159.123.130])
• Received: from thecarltun.com ([207.237.12.116])
• Received: from thecarltun.com ([209.23.243.106])
• Received: from thecarltun.com ([216.201.198.182])

• From: "HelloFax Inc." <hellofax@grandjkc.com>
• From: "HelloFax Inc." <hellofax@thecarltun.com>
• From: "HelloFax" <hellofax@grandjkc.com>
• From: "HelloFax" <hellofax@thecarltun.com>

• Subject: HelloFax, Here is Your Fax
• Subject: HelloFax, Someone Sent You a Fax
• Subject: Welcome to HelloFax, Here is Your Fax
• Subject: Welcome to HelloFax, Someone Sent You a Fax

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Traffic from the infected host for SSE spambot UDP beacon.

 

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:

• hxxp://estimatorfind.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://garywhitakerfamily.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://garywhitakerfamily.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://headshopsmell.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://ilovepatchouli.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://patchouliscent.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://virtualpaintexpo.com?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 35.204.196.178 port 80 - garywhitakerfamily.com - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify.org - GET /
• 185.43.223.6 port 80 - caharthenret.com - POST /4/forum.php
• 185.43.223.6 port 80 - caharthenret.com - POST /mlu/about.php
• 185.43.223.6 port 80 - caharthenret.com - POST /d2/about.php
• 70.39.144.54 port 80 - flushstance.com - GET /1
• 70.39.144.54 port 80 - flushstance.com - GET /2
• 91.230.61.33 port 443 - taldiparep.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
• port 80 - www.google.com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker
• 45.63.85.179 port 80 - www.unsafedrugs.com - GET /81a.exe   (returned SSE spambot installer)
• 31.44.184.81 port 50014 - UDP beacon caused by SSE spambot malware

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  6195d0f2f52397842d57759a124abf280309c0639a13ed314d319286bc4a46d7
  File size:  265,216 bytes
  File name:  fac_591073.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  47340ab357291de9bcb8cac8232b1c94ba4fdf1ddddeea5b43fab814ebff9881
  File size:  204,800 bytes
  File location:  C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

• SHA256 hash:  e74a8652a357912698551a459f1820901d4c92adef0e1826e42d3c761047bede
  File size:  1,892,352 bytes
  File location:  hxxp://www.unsafedrugs.com/81a.exe
  File description:  Follow-up malware - Send Safe Enterprise (SSE) spambot installer

Shown above:  Zeus Panda Banker persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2018-04-19-Hancitor-malspam-infection-traffic.pcap.zip   4.0 MB (4,004,462 bytes)
• Zip archive of the emails:  2018-04-19-Hancitor-malspam-54-email-examples.txt.zip   11 kB (11,111 bytes)
• Zip archive of the malware:  2018-04-19-Hancitor-malspam-infection-artifacts.zip   1.9 MB (1,881,376 bytes)
-

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.