2019-07-01 - QUICK POST: HANCITOR MALSPAM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2019-07-01-Hancitor-malspam-example.eml.zip 2.2 kB (2,243 bytes)
- 2019-07-01-infection-traffic-from-Hancitor-malspam.pcap.zip 962 kB (961,610 bytes)
- 2019-07-01-malware-and-artifacts-from-Hancitor-infection.zip 277 kB (277,118 bytes)
NOTES:
- As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.
- Indicators are available in this Twitter thread (more indicators than I saw).
Shown above: Flow chart for today's Hancitor malspam infection.
Shown above: Example of the malspam.
Shown above: Traffic from my infection filtered in Wireshark.