2018-04-19 - HANCITOR MALSPAM - FAKE HELLOFAX NOTIFICATIONS
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-04-19-Hancitor-malspam-infection-traffic.pcap.zip 4.0 MB (4,004,462 bytes)
- 2018-04-19-Hancitor-malspam-infection-traffic.pcap (5,194,979 bytes)
- Zip archive of the emails: 2018-04-19-Hancitor-malspam-54-email-examples.txt.zip 11 kB (11,111 bytes)
- 2018-04-19-Hancitor-malspam-54-email-examples.txt (333,283 bytes)
- Zip archive of the malware: 2018-04-19-Hancitor-malspam-infection-artifacts.zip 1.9 MB (1,881,376 bytes)
- 2018-04-19-Hancitor-infection-follow-up-malware-81a.exe (1,892,352 bytes)
- 2018-04-19-Word-doc-with-macro-for-Hancitor.doc (265,216 bytes)
- 2018-04-19-Zeus-Panda-Banker-seen-during-Hancitor-malspam-infection.exe (204,800 bytes)
NOTES:
- The block list contains additional info reported by @Techhelplistcom in a VirusTotal comment for the associated Word document.
- As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.
- Today, I also saw follow-up malware for the Send Safe Enterprise (SSE) spambot installer.
Shown above: Flow chart for a typical Hancitor malspam infection.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- estimatorfind.com
- garywhitakerfamily.com
- garywhitakerfamily.net
- headshopsmell.com
- ilovepatchouli.com
- patchouliscent.com
- virtualpaintexpo.com
- caharthenret.com
- naotuseor.ru
- pertacikin.ru
- hxxp://flushstance.com/1
- hxxp://flushstance.com/2
- hxxp://flushstance.com/3
- hxxp://saedpartnership.org/wp-content/plugins/envato-market/inc/1
- hxxp://saedpartnership.org/wp-content/plugins/envato-market/inc/2
- hxxp://saedpartnership.org/wp-content/plugins/envato-market/inc/3
- hxxp://weddinggames.com.au/wp-content/themes/twentyten/1
- hxxp://weddinggames.com.au/wp-content/themes/twentyten/2
- hxxp://weddinggames.com.au/wp-content/themes/twentyten/3
- hxxp://www.cdiqra.com/components/com_content/helpers/1
- hxxp://www.cdiqra.com/components/com_content/helpers/2
- hxxp://www.cdiqra.com/components/com_content/helpers/3
- hxxp://ofczianka.hu/wp-content/themes/twentyfifteen/inc/1
- hxxp://ofczianka.hu/wp-content/themes/twentyfifteen/inc/2
- hxxp://ofczianka.hu/wp-content/themes/twentyfifteen/inc/3
- taldiparep.ru
- hxxp://www.unsafedrugs.com/81a.exe
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Thursday 2018-04-19 as early as 14:59 UTC through at least 18:14 UTC
- Received: from ([12.106.90.2])
- Received: from ([173.8.37.101])
- Received: from grandjkc.com ([5.89.22.195])
- Received: from grandjkc.com ([24.116.113.74])
- Received: from grandjkc.com ([24.230.94.38])
- Received: from grandjkc.com ([38.106.98.31])
- Received: from grandjkc.com ([50.204.18.30]))
- Received: from grandjkc.com ([65.122.188.170])
- Received: from grandjkc.com ([67.49.49.239])
- Received: from grandjkc.com ([69.27.48.150])
- Received: from grandjkc.com ([70.90.55.134])
- Received: from grandjkc.com ([70.90.219.225])
- Received: from grandjkc.com ([71.80.60.221])
- Received: from grandjkc.com ([73.161.105.233])
- Received: from grandjkc.com ([75.148.247.113])
- Received: from grandjkc.com ([96.84.215.1])
- Received: from grandjkc.com ([96.95.225.170])
- Received: from grandjkc.com ([204.195.154.167])
- Received: from thecarltun.com ([12.186.237.244])
- Received: from thecarltun.com ([23.24.67.153])
- Received: from thecarltun.com ([23.30.54.177])
- Received: from thecarltun.com ([24.205.165.132])
- Received: from thecarltun.com ([24.249.81.126])
- Received: from thecarltun.com ([38.106.98.31])
- Received: from thecarltun.com ([45.59.254.20])
- Received: from thecarltun.com ([50.198.179.162])
- Received: from thecarltun.com ([50.225.140.58])
- Received: from thecarltun.com ([50.243.56.185])
- Received: from thecarltun.com ([50.255.203.185])
- Received: from thecarltun.com ([64.62.60.154])
- Received: from thecarltun.com ([67.186.172.133])
- Received: from thecarltun.com ([67.208.133.132])
- Received: from thecarltun.com ([72.24.104.186])
- Received: from thecarltun.com ([72.25.166.130])
- Received: from thecarltun.com ([73.34.196.197])
- Received: from thecarltun.com ([75.146.90.69])
- Received: from thecarltun.com ([75.148.254.54])
- Received: from thecarltun.com ([76.8.204.66])
- Received: from thecarltun.com ([96.33.250.2])
- Received: from thecarltun.com ([96.37.147.182])
- Received: from thecarltun.com ([96.83.60.30])
- Received: from thecarltun.com ([98.189.148.233])
- Received: from thecarltun.com ([108.46.196.93])
- Received: from thecarltun.com ([173.8.37.101])
- Received: from thecarltun.com ([173.8.52.203])
- Received: from thecarltun.com ([192.171.200.46])
- Received: from thecarltun.com ([197.159.123.130])
- Received: from thecarltun.com ([207.237.12.116])
- Received: from thecarltun.com ([209.23.243.106])
- Received: from thecarltun.com ([216.201.198.182])
- From: "HelloFax Inc." <hellofax@grandjkc.com>
- From: "HelloFax Inc." <hellofax@thecarltun.com>
- From: "HelloFax" <hellofax@grandjkc.com>
- From: "HelloFax" <hellofax@thecarltun.com>
- Subject: HelloFax, Here is Your Fax
- Subject: HelloFax, Someone Sent You a Fax
- Subject: Welcome to HelloFax, Here is Your Fax
- Subject: Welcome to HelloFax, Someone Sent You a Fax
Shown above: Malicious Word document downloaded from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Traffic from the infected host for SSE spambot UDP beacon.
LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:
- hxxp://estimatorfind.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://garywhitakerfamily.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://garywhitakerfamily.net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://headshopsmell.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://ilovepatchouli.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://patchouliscent.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://virtualpaintexpo.com?[string of characters]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM AN INFECTED LAB HOST:
- 35.204.196.178 port 80 - garywhitakerfamily.com - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify.org - GET /
- 185.43.223.6 port 80 - caharthenret.com - POST /4/forum.php
- 185.43.223.6 port 80 - caharthenret.com - POST /mlu/about.php
- 185.43.223.6 port 80 - caharthenret.com - POST /d2/about.php
- 70.39.144.54 port 80 - flushstance.com - GET /1
- 70.39.144.54 port 80 - flushstance.com - GET /2
- 91.230.61.33 port 443 - taldiparep.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- port 80 - www.google.com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker
- 45.63.85.179 port 80 - www.unsafedrugs.com - GET /81a.exe (returned SSE spambot installer)
- 31.44.184.81 port 50014 - UDP beacon caused by SSE spambot malware
FILE HASHES
MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: 6195d0f2f52397842d57759a124abf280309c0639a13ed314d319286bc4a46d7
File size: 265,216 bytes
File name: fac_591073.doc [any six random digits for the numbers]
File description: Word document with macro for Hancitor
- SHA256 hash: 47340ab357291de9bcb8cac8232b1c94ba4fdf1ddddeea5b43fab814ebff9881
File size: 204,800 bytes
File location: C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
File description: Zeus Panda Banker
- SHA256 hash: e74a8652a357912698551a459f1820901d4c92adef0e1826e42d3c761047bede
File size: 1,892,352 bytes
File location: hxxp://www.unsafedrugs.com/81a.exe
File description: Follow-up malware - Send Safe Enterprise (SSE) spambot installer
Shown above: Zeus Panda Banker persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2018-04-19-Hancitor-malspam-infection-traffic.pcap.zip 4.0 MB (4,004,462 bytes)
- Zip archive of the emails: 2018-04-19-Hancitor-malspam-54-email-examples.txt.zip 11 kB (11,111 bytes)
- Zip archive of the malware: 2018-04-19-Hancitor-malspam-infection-artifacts.zip 1.9 MB (1,881,376 bytes) -
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.