2018-12-17 - QUICK POST: HANCITOR MALSPAM LINKS TO XLS FILES INSTEAD OF WORD DOCS
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Malspam examples: 2018-12-17-Hancitor-malspam-10-email-examples.txt.zip 4.2 kB (4,207 bytes)
  - 2018-12-17-Hancitor-malspam-10-email-examples.txt (57,766 bytes)
- Pcap of the infection traffic: 2018-12-17-Hancitor-infection-with-Urnsif.pcap.zip 1.2 MB (1,248,047 bytes)
  - 2018-12-17-Hancitor-infection-with-Urnsif.pcap (1,516,687 bytes)
- Associated malware: 2018-12-17-malware-from-Hancitor-with-Urnsif-infection.zip 3.5 MB (3,475,493 bytes)
  - 2018-12-17-downloaded-Excel-sheet-with-macro-for-Hancitor.xls (428,032 bytes)
  - 2018-12-17-Hancitor-malware-binary-dropped-by-Excel-macro.exe (69,632 bytes)
  - 2018-12-17-Ursnif-retrieved-by-Hancitor-infected-host.exe (123,392 bytes)
  - 2018-12-17-registry-updated-caused-by-Urnsif.txt (13,835,644 bytes)
NOTES:
- Looks like malspam pushing Hancitor is using links to Excel spreadsheets today, instead of the usual Word docs.
- Same type of macro, though, whether it's an Excel spreadsheet or Word doc.
- A Twitter thread with more details can be found here.
Shown above: Hancitor malspam today used Excel spreadsheets instead of Word docs.