2018-07-03 - HANCITOR MALSPAM INFECTION TRAFFIC

ASSOCIATED FILES:

• 2018-07-03-Hancitor-malspam-1701-UTC.eml.zip   2.0 kB (1,990 bytes)

• 2018-07-03-Hancitor-malspam-1701-UTC.eml   (3,788 bytes)

• 2018-07-03-Hancitor-malspam-infection-traffic.pcap.zip   2.2 MB (2,173,162 bytes)

• 2018-07-03-Hancitor-malspam-infection-traffic.pcap   (2,781,537 bytes)/li>

• 2018-07-03-malware-from-Hancitor-infection.zip   1.9 MB (1,902,335 bytes)

• 2018-07-03-Hancitor-malware-binary-6C.pif.exe   (73,216 bytes)
• 2018-07-03-Send-Safe-SSE-spambot-malware-from-Hancitor-infection.exe   (1,870,096 bytes)
• 2018-07-03-Zeus-Panda-Banker-caused-by-Hancitor.exe   (170,496 bytes)
• 2018-07-03-downloaded-Word-doc-with-macro-for-Hancitor.doc   (202,240 bytes)

 

NOTES:

• The block list contains additional info reported by @James_inthe_box, @Techhelplist, and @hazmalware..
• Today, I also saw follow-up malware for the Send Safe Enterprise (SSE) spambot installer.
• As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.

Shown above:  Flow chart for today's Hancitor malspam infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• dudz.biz
• golfdudz.biz
• golfdudz.com
• johnstontrav.com
• kickasstrophe.org
• mmmfrecklespbctw.com
• myidaz.com
• positivereinforcementdogtraining.com
• singleadultstravel.org
• singleadulttravel.com
• teachingpositively.com
• thezeilerfamily.com
• trainingpositively.com
• victoriastilwellacademy.com
• vspdt.net
• vspdt.org
• hxxp://aerotransgroup.com.au/wp-content/plugins/breadcrumbs/1
• hxxp://aerotransgroup.com.au/wp-content/plugins/breadcrumbs/2
• hxxp://aerotransgroup.com.au/wp-content/plugins/breadcrumbs/3
• hxxp://fiveamwakeupcall.com.au/wp-content/plugins/growmap-anti-spambot-plugin/1
• hxxp://fiveamwakeupcall.com.au/wp-content/plugins/growmap-anti-spambot-plugin/2
• hxxp://fiveamwakeupcall.com.au/wp-content/plugins/growmap-anti-spambot-plugin/3
• hxxp://theluggagelady.com/wp-content/plugins/elegantbuilder/includes/1
• hxxp://theluggagelady.com/wp-content/plugins/elegantbuilder/includes/2
• hxxp://theluggagelady.com/wp-content/plugins/elegantbuilder/includes/3
• hxxp://5amers.com.au/wp-content/plugins/backupbuddy/lib/1
• hxxp://5amers.com.au/wp-content/plugins/backupbuddy/lib/2
• hxxp://5amers.com.au/wp-content/plugins/backupbuddy/lib/3
• hxxp://wingedspurproductions.com.au/wp-content/plugins/easy-paypal-lte/lib/1
• hxxp://wingedspurproductions.com.au/wp-content/plugins/easy-paypal-lte/lib/2
• hxxp://wingedspurproductions.com.au/wp-content/plugins/easy-paypal-lte/lib/3
• lingrewlighrat.com
• tititbutha.ru
• woherstinsof.ru
• myaningmuchme.ru
• hxxp://nec-dsx-programming.com/blog/wp-content/plugins/socializer/59.exe
• orsileci.com

 

EMAILS

Shown above:  Example of the malspam.

 

EMAIL HEADERS FROM TODAY'S HANCITOR MALSPAM EXAMPLE:

Received: from psi4jobs.com ([209.64.58.226]) by [removed] for [removed];
        Tue, 03 Jul 2018 17:01:30 +0000 (UTC)
Message-ID: <FB3EC39B.47DDD340@psi4jobs.com>
Date: Tue, 03 Jul 2018 13:01:30 -0400
From: "eFax " <message@psi4jobs.com>
X-Mailer: Molto foriPad (2.1.0.8604)
MIME-Version: 1.0
TO: [removed]
Subject: This is efax Notification
Content-Type: text/html;
        charset="utf-8"
Content-Transfer-Encoding: 7bit

 

Shown above:  Word doc downloaded from link in the malspam.

 

INFECTION TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS IN THE EMAILS TO DOWNLOAD THE MALICIOUS WORD DOCUMENT:

• hxxp://dudz.biz?[string of characters]=[encoded string representing recipient's email address]
• hxxp://golfdudz.biz?[string of characters]=[encoded string representing recipient's email address]
• hxxp://golfdudz.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://johnstontrav.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://kickasstrophe.org?[string of characters]=[encoded string representing recipient's email address]
• hxxp://mmmfrecklespbctw.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://myidaz.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://positivereinforcementdogtraining.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://singleadultstravel.org?[string of characters]=[encoded string representing recipient's email address]
• hxxp://singleadulttravel.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://teachingpositively.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://thezeilerfamily.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://trainingpositively.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://victoriastilwellacademy.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://vspdt.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://vspdt.org?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 46.161.54.2 port 80 - golfdudz.biz - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify.org - GET /
• 91.227.68.173 port 80 - lingrewlighrat.com - POST /4/forum.php
• 91.227.68.173 port 80 - lingrewlighrat.com - POST /mlu/about.php
• 91.227.68.173 port 80 - lingrewlighrat.com - POST /d2/about.php
• 111.67.28.4 port 80 - aerotransgroup.com.au - GET /wp-content/plugins/breadcrumbs/1
• 111.67.28.4 port 80 - aerotransgroup.com.au - GET /wp-content/plugins/breadcrumbs/2
• 111.67.28.4 port 80 - aerotransgroup.com.au - GET /wp-content/plugins/breadcrumbs/3
• 5.188.232.238 port 443 - myaningmuchme.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
• port 80 - www.google.com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker
• 192.232.219.242 port 80 - nec-dsx-programming.com - GET /blog/wp-content/plugins/socializer/59.exe
• 31.41.46.118 port 443 - orsileci.com - HTTPS/SSL/TLS traffic (caused by Zeus Panda Banker?)
• 31.44.184.59 UDP port 50016 - SSE spambot UDP beacon

 

Shown above:  SSE spambot UDP beacon traffic from my infected lab host.

 

MALWARE

MALWARE RETRIEVED FROM MY INFECTED LAB HOST:

• SHA256 hash:  0068b73a8d1b3b962fb2292aaf0d17ed3ebc4590cdeaa03de52e32e2c3f2b186
  File size:  202,240 bytes
  File name:  invoice_[six random digits].doc
  File description:  Downloaded Word doc with macro for Hancitor

• SHA256 hash:  67f3865b714b0d62d96899311b5c1137f194e9bc7599ab21d565663068b91260
  File size:  73,216 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\6C.pif
  File description:  Hancitor malware binary

• SHA256 hash:  415a9e41259f52a38df6f7207519d7e239880ac8e419e3a3e478a64fbf3207b8
  File size:  170,496 bytes
  File location:  C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
  File description:  Zeus Panda banker caused by Hancitor infection

• SHA256 hash:  64797369a915d3ecb614db4f889b88626020fc4c4b4723c69118d913d6a03a5a
  File size:  397,312 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\upd6683d399\59.exe
  File location:  hxxp://nec-dsx-programming.com/blog/wp-content/plugins/socializer/59.exe
  File description:  Send Safe Enterprise (SSE) spambot installer

 

FINAL NOTES

Once again, here are the associated files:

• 2018-07-03-Hancitor-malspam-1701-UTC.eml.zip   2.0 kB (1,990 bytes)
• 2018-07-03-Hancitor-malspam-infection-traffic.pcap.zip   2.2 MB (2,173,162 bytes)
• 2018-07-03-malware-from-Hancitor-infection.zip   1.9 MB (1,902,335 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.