2018-05-03 - HANCITOR MALSPAM - FAKE VEMNO NOTIFICATIONS
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-05-03-Hancitor-malspam-infection-traffic.pcap.zip 2.2 MB (2,207,172 bytes)
- 2018-05-03-Hancitor-malspam-infection-traffic.pcap (2,546,485 bytes)
- Zip archive of the emails: 2018-05-03-Hancitor-malspam-60-email-examples.txt.zip 10.9 kB (10,871 bytes)
- 2018-05-03-Hancitor-malspam-60-email-examples.txt (232,606 bytes)
- Zip archive of the malware: 2018-05-03-Hancitor-infection-artifacts.zip 232 kB (232,405 bytes)
- 2018-05-03-Word-doc-with-macro-for-Hancitor.doc (188,928 bytes)
- 2018-05-03-Zeus-Panda-Banker-from-Hancitor-infection.exe (177,152 bytes)
NOTES:
- The block list contains additional info first reported in the VirusBay entry for the associated Word document.
- As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.
Shown above: Flow chart for a typical Hancitor malspam infection.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- beachesofnwflorida.com
- coastalrealtycsb.com
- coastalrealtypsj.com
- costaljoe.com
- csbbeachrentals.com
- floridasbestescape.com
- gocoastalflorida.com
- isdgcom.net
- sgiflbeachhomes.com
- sgirentalhomes.com
- stgeorgeislandbeachhomes.com
- visitcsb.com
- tanreblingtold.com
- hedningdolac.ru
- atlerando.ru
- hxxp://yakshin.ru/wp-content/themes/omega/lib/1
- hxxp://yakshin.ru/wp-content/themes/omega/lib/2
- hxxp://yakshin.ru/wp-content/themes/omega/lib/3
- hxxp://jeffreytobin.com/wp-content/plugins/options-framework/includes/1
- hxxp://jeffreytobin.com/wp-content/plugins/options-framework/includes/2
- hxxp://jeffreytobin.com/wp-content/plugins/options-framework/includes/3
- hxxp://newstotalk.com/wp-content/themes/wp-genius/1
- hxxp://newstotalk.com/wp-content/themes/wp-genius/2
- hxxp://newstotalk.com/wp-content/themes/wp-genius/3
- hxxp://peterjoubert.com/wp-content/themes/twentyeleven/inc/1
- hxxp://peterjoubert.com/wp-content/themes/twentyeleven/inc/2
- hxxp://peterjoubert.com/wp-content/themes/twentyeleven/inc/3
- hxxp://marysherwoodlifestyles.com/wp-content/themes/twentythirteen/inc/1
- hxxp://marysherwoodlifestyles.com/wp-content/themes/twentythirteen/inc/2
- hxxp://marysherwoodlifestyles.com/wp-content/themes/twentythirteen/inc/3
- robwassotdint.ru
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Thursday 2018-05-03 as early as 14:59 UTC through at least 19:28 UTC
- Received: from burroughscompanies.com ([24.12.65.191])
- Received: from burroughscompanies.com ([50.201.223.204])
- Received: from burroughscompanies.com ([50.255.162.73])
- Received: from burroughscompanies.com ([50.77.19.245])
- Received: from burroughscompanies.com ([64.132.127.25])
- Received: from burroughscompanies.com ([67.214.229.146])
- Received: from burroughscompanies.com ([67.79.17.130])
- Received: from burroughscompanies.com ([68.116.68.2])
- Received: from burroughscompanies.com ([68.179.191.49])
- Received: from burroughscompanies.com ([69.170.122.68])
- Received: from burroughscompanies.com ([71.172.32.163])
- Received: from burroughscompanies.com ([73.63.17.35])
- Received: from burroughscompanies.com ([74.93.97.81])
- Received: from burroughscompanies.com ([97.80.48.154])
- Received: from burroughscompanies.com ([192.119.212.206])
- Received: from burroughscompanies.com ([209.23.243.106])
- Received: from burroughscompanies.com ([209.83.63.58])
- Received: from pinoswindow.com ([12.150.239.26])
- Received: from pinoswindow.com ([24.2.107.206])
- Received: from pinoswindow.com ([38.110.219.130])
- Received: from pinoswindow.com ([38.140.190.218])
- Received: from pinoswindow.com ([47.190.52.75])
- Received: from pinoswindow.com ([50.38.131.250])
- Received: from pinoswindow.com ([50.201.134.50])
- Received: from pinoswindow.com ([50.225.140.58])
- Received: from pinoswindow.com ([50.245.13.13])
- Received: from pinoswindow.com ([50.245.219.38])
- Received: from pinoswindow.com ([50.252.134.186])
- Received: from pinoswindow.com ([66.21.114.99])
- Received: from pinoswindow.com ([66.219.240.66])
- Received: from pinoswindow.com ([67.128.146.154])
- Received: from pinoswindow.com ([67.186.172.133])
- Received: from pinoswindow.com ([67.189.153.43])
- Received: from pinoswindow.com ([69.170.122.68])
- Received: from pinoswindow.com ([69.179.140.245])
- Received: from pinoswindow.com ([71.9.44.142])
- Received: from pinoswindow.com ([72.25.166.130])
- Received: from pinoswindow.com ([72.77.1.13])
- Received: from pinoswindow.com ([74.113.59.181])
- Received: from pinoswindow.com ([74.218.8.178])
- Received: from pinoswindow.com ([75.109.213.106])
- Received: from pinoswindow.com ([76.73.158.220])
- Received: from pinoswindow.com ([96.91.170.74])
- Received: from pinoswindow.com ([96.240.18.85])
- Received: from pinoswindow.com ([97.94.30.141])
- Received: from pinoswindow.com ([107.138.228.207])
- Received: from pinoswindow.com ([137.103.121.141])
- Received: from pinoswindow.com ([142.217.200.139])
- Received: from pinoswindow.com ([169.55.251.141])
- Received: from pinoswindow.com ([173.12.239.115])
- Received: from pinoswindow.com ([173.219.61.189])
- Received: from pinoswindow.com ([173.220.58.194])
- Received: from pinoswindow.com ([174.50.253.185])
- Received: from pinoswindow.com ([174.77.236.252])
- Received: from pinoswindow.com ([184.67.195.30])
- Received: from pinoswindow.com ([208.85.181.217])
- Received: from pinoswindow.com ([208.88.67.188])
- Received: from pinoswindow.com ([216.57.209.45])
- From: "Vemno Inc " <vemnoteam@burroughscompanies.com>
- From: "Vemno Inc " <vemnoteam@pinoswindow.com>
- From: "Vemno Inc All Rights Reserved" <vemnoteam@burroughscompanies.com>
- From: "Vemno Inc All Rights Reserved" <vemnoteam@pinoswindow.com>
- From: "Vemno Services " <vemnoteam@burroughscompanies.com>
- From: "Vemno Services " <vemnoteam@pinoswindow.com>
- From: "Vemno Services All Rights Reserved" <vemnoteam@burroughscompanies.com>
- From: "Vemno Services All Rights Reserved" <vemnoteam@pinoswindow.com>
- Subject: Automated Payment Message From Vemno
- Subject: Automated Payment Notice From Vemno
- Subject: Automated Payment Notification From Vemno
- Subject: Automatic Payment Message From Vemno
- Subject: Automatic Payment Notice From Vemno
- Subject: Automatic Payment Notification From Vemno
- Subject: Electronic Payment Message From Vemno
- Subject: Electronic Payment Notice From Vemno
- Subject: Electronic Payment Notification From Vemno
Shown above: Malicious Word document downloaded from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:
- hxxp://beachesofnwflorida.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://coastalrealtycsb.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://coastalrealtypsj.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://costaljoe.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://csbbeachrentals.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://floridasbestescape.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://gocoastalflorida.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://isdgcom.net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://sgiflbeachhomes.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://sgirentalhomes.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://stgeorgeislandbeachhomes.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://visitcsb.com?[string of characters]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM AN INFECTED LAB HOST:
- 35.187.117.14 port 80 - isdgcom.net - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify.org - GET /
- 185.43.223.6 port 80 - tanreblingtold.com - POST /4/forum.php
- 185.43.223.6 port 80 - tanreblingtold.com - POST /mlu/about.php
- 185.43.223.6 port 80 - tanreblingtold.com - POST /d2/about.php
- 141.8.192.4 port 80 - yakshin.ru - GET /wp-content/themes/omega/lib/1
- 141.8.192.4 port 80 - yakshin.ru - GET /wp-content/themes/omega/lib/2
- 141.8.192.4 port 80 - yakshin.ru - GET /wp-content/themes/omega/lib/3
- 185.174.175.14 port 443 - robwassotdint.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- port 80 - www.google.com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker
FILE HASHES
MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: fb82fd4534d7c32a3de8523fde2d59b7c26146eae1827c0b4202630e3004c587
File size: 188,928 bytes
File name: invoice_921483.doc [any six random digits for the numbers]
File description: Word document with macro for Hancitor
- SHA256 hash: 429a5b8fee9b92d638bb4e27821eedbf9844a828ca9131b18f98b38ef16d6edf
File size: 177,152 bytes
File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
File description: Zeus Panda Banker
Shown above: Zeus Panda Banker persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2018-05-03-Hancitor-malspam-infection-traffic.pcap.zip 2.2 MB (2,207,172 bytes)
- Zip archive of the emails: 2018-05-03-Hancitor-malspam-60-email-examples.txt.zip 10.9 kB (10,871 bytes)
- Zip archive of the malware: 2018-05-03-Hancitor-infection-artifacts.zip 232 kB (232,405 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.