2017-02-21 - HANCITOR INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-02-21-traffic-from-Hancitor-infection.pcap.zip   8.2 MB (8,214,344 bytes)

• 2017-02-21-traffic-from-Hancitor-infection.pcap   (8,791,842 bytes)

• 2017-02-21-Hancitor-malspam-1550-UTC.eml.zip   1.1 kB (1,146 bytes)

• 2017-02-21-Hancitor-malspam-1550-UTC.eml   (1,610 bytes)

• 2017-02-21-malware-from-Hancitor-infection.zip   289.9 kB (289,921 bytes)

• BNACA3.tmp.exe   (246,784 bytes)
• USPS_Notice_william.abedalrahman.doc   (172,032 bytes)

 

EMAIL

DESCRIPTION:

• Malicious spam (malspam) with link that downloaded a malicious Microsoft Word document (Hancitor).  The Hancitor document is designed to download and infect Windows hosts with Pony and DELoader (ZLoader).

Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

• Subject:  Shipment status change notification for parcel #58733370
• Date:  Tuesday 2017-02-21 15:50:12 UTC
• From:  "USPS" <usps@usps-shipment[.]com>
• Message-ID:  <D699FF62.BE135E87@usps-shipment[.]com>
• X-Mailer:  Apple Mail (2.1082)

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

INITIAL GET REQUEST FOR WORD DOCUMENT, CHECK-IN, AND FOLLOW-UP DOWNLOADS:

• 202.181.99[.]53 port 80 - lilcedar.sakura[.]ne[.]jp - GET /api/getn.php?id=[base64 string representing recipient's email address]
• 91.201.214[.]251 port 80 - palittnagu[.]com - POST /ls5/forum.php
• 91.201.214[.]251 port 80 - palittnagu[.]com - POST /klu/forum.php
• 89.46.234[.]42 port 80 - www.paraportal[.]eu - GET /templates/beez5/html/1
• 89.46.234[.]42 port 80 - www.paraportal[.]eu - GET /templates/beez5/html/a1

 

POST-INFECTION CHECK-IN:

• 185.42.14[.]74 port 80 - gowronnogot[.]com - POST /bdk/gate.php
• 93.171.202[.]191 port 80 - kinnomehad[.]ru - POST /bdk/gate.php
• 83.96.168[.]183 port 80 - 83.96.168[.]183 - POST /bdk/gate.php
• 80.78.253[.]177 port 80 - nataranrep[.]com - POST /bdk/gate.php

 

IP ADDRESS CHECKS:

• api.ipify[.]org - GET /
• checkip.dyndns[.]org - GET /

 

DOMAINS REQUESTS THAT RESOLVED, BUT NO FOLLOW-UP TRAFFIC:

• 185.121.177[.]73 port 53 - TCP-based DNS query for lactalhedttin[.]bit (answer: 83.96.168[.]183)
• DNS query for kedugutret[.]ru (answer: 188.127.239[.]35)
• DNS query for sindintmoro[.]ru (answer: 91.221.37[.]160)

 

DOMAIN REQUESTS THAT DIDN'T RESOLVE:

• DNS query for andrinredin[.]ru
• DNS query for coandwitred[.]ru
• DNS query for didnwitjohers[.]ru
• DNS query for feenloning[.]com
• DNS query for hatronrebid[.]ru
• DNS query for herstihenone[.]com
• DNS query for johnbehat[.]ru
• DNS query for kekettoldrit[.]ru
• DNS query for lyonperugh[.]ru
• DNS query for mirightover[.]ru
• DNS query for rowresedsi[.]ru
• DNS query for suhanbutar[.]com
• DNS query for tonssoflejus[.]ru

 

FILE HASHES

HANCITOR MALSPAM:

• SHA256 hash:  c0701ed11efb14e00b5135ab9931c672611604447420ae12a14370e89adaa6fe
• File name:  USPS_Notice_william.abedalrahman.doc

DELOADER (ZLOADER):

• SHA256 hash:  7ab6936ad40377ecea070401a55ef15033c9ee2e441a2aaa0dc963a081502761
• File location:  C:\Users\[username]\AppData\Local\Temp\BNACA3.tmp

 

Click here to return to the main page.