2018-07-03 - HANCITOR MALSPAM INFECTION TRAFFIC
ASSOCIATED FILES:
- 2018-07-03-Hancitor-malspam-1701-UTC.eml.zip 2.0 kB (1,990 bytes)
- 2018-07-03-Hancitor-malspam-1701-UTC.eml (3,788 bytes)
- 2018-07-03-Hancitor-malspam-infection-traffic.pcap.zip 2.2 MB (2,173,162 bytes)
- 2018-07-03-Hancitor-malspam-infection-traffic.pcap (2,781,537 bytes)/li>
- 2018-07-03-malware-from-Hancitor-infection.zip 1.9 MB (1,902,335 bytes)
- 2018-07-03-Hancitor-malware-binary-6C.pif.exe (73,216 bytes)
- 2018-07-03-Send-Safe-SSE-spambot-malware-from-Hancitor-infection.exe (1,870,096 bytes)
- 2018-07-03-Zeus-Panda-Banker-caused-by-Hancitor.exe (170,496 bytes)
- 2018-07-03-downloaded-Word-doc-with-macro-for-Hancitor.doc (202,240 bytes)
NOTES:
- The block list contains additional info reported by @James_inthe_box, @Techhelplist, and @hazmalware..
- Today, I also saw follow-up malware for the Send Safe Enterprise (SSE) spambot installer.
- As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.
Shown above: Flow chart for today's Hancitor malspam infection.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- dudz.biz
- golfdudz.biz
- golfdudz.com
- johnstontrav.com
- kickasstrophe.org
- mmmfrecklespbctw.com
- myidaz.com
- positivereinforcementdogtraining.com
- singleadultstravel.org
- singleadulttravel.com
- teachingpositively.com
- thezeilerfamily.com
- trainingpositively.com
- victoriastilwellacademy.com
- vspdt.net
- vspdt.org
- hxxp://aerotransgroup.com.au/wp-content/plugins/breadcrumbs/1
- hxxp://aerotransgroup.com.au/wp-content/plugins/breadcrumbs/2
- hxxp://aerotransgroup.com.au/wp-content/plugins/breadcrumbs/3
- hxxp://fiveamwakeupcall.com.au/wp-content/plugins/growmap-anti-spambot-plugin/1
- hxxp://fiveamwakeupcall.com.au/wp-content/plugins/growmap-anti-spambot-plugin/2
- hxxp://fiveamwakeupcall.com.au/wp-content/plugins/growmap-anti-spambot-plugin/3
- hxxp://theluggagelady.com/wp-content/plugins/elegantbuilder/includes/1
- hxxp://theluggagelady.com/wp-content/plugins/elegantbuilder/includes/2
- hxxp://theluggagelady.com/wp-content/plugins/elegantbuilder/includes/3
- hxxp://5amers.com.au/wp-content/plugins/backupbuddy/lib/1
- hxxp://5amers.com.au/wp-content/plugins/backupbuddy/lib/2
- hxxp://5amers.com.au/wp-content/plugins/backupbuddy/lib/3
- hxxp://wingedspurproductions.com.au/wp-content/plugins/easy-paypal-lte/lib/1
- hxxp://wingedspurproductions.com.au/wp-content/plugins/easy-paypal-lte/lib/2
- hxxp://wingedspurproductions.com.au/wp-content/plugins/easy-paypal-lte/lib/3
- lingrewlighrat.com
- tititbutha.ru
- woherstinsof.ru
- myaningmuchme.ru
- hxxp://nec-dsx-programming.com/blog/wp-content/plugins/socializer/59.exe
- orsileci.com
EMAILS
Shown above: Example of the malspam.
EMAIL HEADERS FROM TODAY'S HANCITOR MALSPAM EXAMPLE:
Received: from psi4jobs.com ([209.64.58.226]) by [removed] for [removed];
Tue, 03 Jul 2018 17:01:30 +0000 (UTC)
Message-ID: <FB3EC39B.47DDD340@psi4jobs.com>
Date: Tue, 03 Jul 2018 13:01:30 -0400
From: "eFax " <message@psi4jobs.com>
X-Mailer: Molto foriPad (2.1.0.8604)
MIME-Version: 1.0
TO: [removed]
Subject: This is efax Notification
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: 7bit
Shown above: Word doc downloaded from link in the malspam.
INFECTION TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO DOWNLOAD THE MALICIOUS WORD DOCUMENT:
- hxxp://dudz.biz?[string of characters]=[encoded string representing recipient's email address]
- hxxp://golfdudz.biz?[string of characters]=[encoded string representing recipient's email address]
- hxxp://golfdudz.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://johnstontrav.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://kickasstrophe.org?[string of characters]=[encoded string representing recipient's email address]
- hxxp://mmmfrecklespbctw.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://myidaz.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://positivereinforcementdogtraining.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://singleadultstravel.org?[string of characters]=[encoded string representing recipient's email address]
- hxxp://singleadulttravel.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://teachingpositively.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://thezeilerfamily.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://trainingpositively.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://victoriastilwellacademy.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://vspdt.net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://vspdt.org?[string of characters]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM AN INFECTED LAB HOST:
- 46.161.54.2 port 80 - golfdudz.biz - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify.org - GET /
- 91.227.68.173 port 80 - lingrewlighrat.com - POST /4/forum.php
- 91.227.68.173 port 80 - lingrewlighrat.com - POST /mlu/about.php
- 91.227.68.173 port 80 - lingrewlighrat.com - POST /d2/about.php
- 111.67.28.4 port 80 - aerotransgroup.com.au - GET /wp-content/plugins/breadcrumbs/1
- 111.67.28.4 port 80 - aerotransgroup.com.au - GET /wp-content/plugins/breadcrumbs/2
- 111.67.28.4 port 80 - aerotransgroup.com.au - GET /wp-content/plugins/breadcrumbs/3
- 5.188.232.238 port 443 - myaningmuchme.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- port 80 - www.google.com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker
- 192.232.219.242 port 80 - nec-dsx-programming.com - GET /blog/wp-content/plugins/socializer/59.exe
- 31.41.46.118 port 443 - orsileci.com - HTTPS/SSL/TLS traffic (caused by Zeus Panda Banker?)
- 31.44.184.59 UDP port 50016 - SSE spambot UDP beacon
Shown above: SSE spambot UDP beacon traffic from my infected lab host.
MALWARE
MALWARE RETRIEVED FROM MY INFECTED LAB HOST:
- SHA256 hash: 0068b73a8d1b3b962fb2292aaf0d17ed3ebc4590cdeaa03de52e32e2c3f2b186
File size: 202,240 bytes
File name: invoice_[six random digits].doc
File description: Downloaded Word doc with macro for Hancitor
- SHA256 hash: 67f3865b714b0d62d96899311b5c1137f194e9bc7599ab21d565663068b91260
File size: 73,216 bytes
File location: C:\Users\[username]\AppData\Local\Temp\6C.pif
File description: Hancitor malware binary
- SHA256 hash: 415a9e41259f52a38df6f7207519d7e239880ac8e419e3a3e478a64fbf3207b8
File size: 170,496 bytes
File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
File description: Zeus Panda banker caused by Hancitor infection
- SHA256 hash: 64797369a915d3ecb614db4f889b88626020fc4c4b4723c69118d913d6a03a5a
File size: 397,312 bytes
File location: C:\Users\[username]\AppData\Local\Temp\upd6683d399\59.exe
File location: hxxp://nec-dsx-programming.com/blog/wp-content/plugins/socializer/59.exe
File description: Send Safe Enterprise (SSE) spambot installer
FINAL NOTES
Once again, here are the associated files:
- 2018-07-03-Hancitor-malspam-1701-UTC.eml.zip 2.0 kB (1,990 bytes)
- 2018-07-03-Hancitor-malspam-infection-traffic.pcap.zip 2.2 MB (2,173,162 bytes)
- 2018-07-03-malware-from-Hancitor-infection.zip 1.9 MB (1,902,335 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.