2017-02-16 - HANCITOR INFECTIONS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-02-16-Hancitor-infection-traffic-2-pcaps.zip   16.5 MB (16,493,861 bytes)
• 2017-02-16-Hancitor-malspam-2-examples.zip   3.1 kB (3,085 bytes)
• 2017-02-16-malware-from-Hancitor-infections.zip   604.8 kB (604,833 bytes)

 

EMAILS

FROM MONDAY 2017-02-13:

• Date:  Monday, 2017-02-13 at 16:40 UTC
• From:  "Amazon[.]com" <amazon@amazon-sales[.]com>
• Subject:  Your Amazon[.]com order has shipped (#254-01842113-8362234115)
• Message-ID:  <A3DF14A3.1B272B8E@amazon-sales[.]com>
• X-Mailer:  iPad Mail (11D167)

 

FROM THURSDAY 2017-02-16:

• Date:  Thursday, 2017-02-16 at 16:33 UTC
• From:  "Apache Mall" <accountant@apachemall[.]com>
• Subject:  FW: subpoena
• Message-ID:  <7C4B486E.ED81F6DF@apachemall[.]com>
• X-Mailer:  iPod Mail (10B500)

 

TRAFFIC

Shown above:  Traffic from the Monday 2017-02-13 infection filtered in Wireshark.

 

ASSOCIATED DOMAINS FROM MONDAY 2017-02-13:

• 198.144.191[.]168 port 80 - www.chuppon[.]cl - GET /api/get.php?id=[base64 string]
• api.ipify[.]org - GET /
• 178.32.212[.]37 port 80 - hisgotinla[.]com - POST /ls5/forum.php
• 178.32.212[.]37 port 80 - hisgotinla[.]com - POST /klu/forum.php
• 198.27.82[.]180 port 80 - buladoremedio[.]com - GET /wp-includes/1
• 198.27.82[.]180 port 80 - buladoremedio[.]com - GET /wp-includes/a1
• 62.75.198[.]163 port 80 - usedintgould[.]com - POST /bdk/gate.php
• checkip.dyndns[.]org - GET /
• 148.251.34[.]82 port 80 - refronnotning[.]ru - POST /bdk/gate.php
• 95.215.111[.]73 port 80 - hecknoforheg[.]ru - POST /bdk/gate.php
• 83.96.168[.183 port 80 - 83.96.168[.]183 - POST /bdk/gate.php
• 91.221.37[.]160 port 80 - sindintmoro[.]ru - POST /bdk/gate.php
• 188.127.239[.]35 port 80 - kedugutret[.]ru - POST /bdk/gate.php

 

Shown above:  Traffic from the Thursday 2017-02-16 infection filtered in Wireshark.

 

ASSOCIATED DOMAINS FROM THURSDAY 2017-02-16:

• 220.130.141[.]206 port 80 - lilyland[.]com[.]tw - GET /api/getn.php?id=[base64 string]
• api.ipify[.]org - GET /
• 91.201.214[.]251 port 80 - babbowitwas[.]com - POST /ls5/forum.php
• 91.201.214[.]251 port 80 - babbowitwas[.]com - POST /klu/forum.php
• 162.144.0[.]85 port 80 - searchenginemarketing[.]gr - GET /clients/epartners/1
• 162.144.0[.]85 port 80 - searchenginemarketing[.]gr - GET /clients/epartners/a1
• 46.148.26[.]79 port 80 - withtylebet[.]com - POST /bdk/gate.php
• checkip.dyndns[.]org - GET /

 

FILE HASHES

HANCITOR MALDOCS:

• 0b8f91277f2161875cfe2f49ef1e499bcb60d1caa677d7d2e96b71437c648e5d - 2017-02-13 Hancitor maldoc (Amazon_invoice.doc)
• ab2ece498057bda06572c25bc74652f307670df0f55e85a2bb3fd5ccdb0e8b4f - 2017-02-16 Hancitor maldoc (subpoena_from.doc)

 

FOLLOW-UP MALWARE:

• ba05a2b22d749ebb0974d676ad68dae386d024e427946149e6ab680d823f8561 - 2017-02-13 ZLoader (BNAF32.tmp.exe)
• 480358462314ab7d4837df7ac8a1047ec6883f97d0581d0a049485c8d6fcb9fb - 2017-02-16 ZLoader (BN8F45.tmp.exe)

 

Click here to return to the main page.