2017-03-15 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-03-15-Hancitor-infection-with-ZLoader.pcap.zip   14.2 MB (14,184,843 bytes)

• 2017-03-15-Hancitor-infection-with-ZLoader.pcap   (15,044,942 bytes)

• 2017-03-15-Hancitor-malspam-8-examples.zip   6.5 kB (6,450 bytes)

• 2017-03-15-Hancitor-malspam-1627-UTC.eml   (763 bytes)
• 2017-03-15-Hancitor-malspam-1707-UTC.eml   (790 bytes)
• 2017-03-15-Hancitor-malspam-1708-UTC.eml   (813 bytes)
• 2017-03-15-Hancitor-malspam-1741-UTC.eml   (712 bytes)
• 2017-03-15-Hancitor-malspam-1803-UTC.eml   (815 bytes)
• 2017-03-15-Hancitor-malspam-1911-UTC.eml   (787 bytes)
• 2017-03-15-Hancitor-malspam-1945-UTC.eml   (732 bytes)
• 2017-03-15-Hancitor-malspam-1946-UTC.eml   (787 bytes)

• 2017-03-15-malware-from-Hancitor-infection.zip   231.3 kB (231,336 bytes)

• BN750.tmp.exe   (158,720 bytes)
• Subpoena_jake.naldorn.doc   (198,144 bytes)

 

 

EMAIL HEADERS:

• From: (spoofed) "David Bukzin" <david.bukzin@evansllp[.]com>
• From: (spoofed) "David Bukzin" <david.bukzin@marcuscinelli[.]com>
• Subject: RE: subpoena

 

ASSOCIATED DOMAINS:

• 118.67.70[.]56 port 80 - lumenjapan[.]co[.]jp - GET /subpoenas/subpoena.php?id=[base64 string]
• 95.175.98[.]222 port 80 - athentitevent[.]com - POST /ls5/forum.php
• 95.175.98[.]222 port 80 - athentitevent[.]com - POST /mlu/forum.php
• 95.175.98[.]222 port 80 - athentitevent[.]com - POST /d1/about.php
• 60.43.178[.]142 port 80 - 7hoshi[.]co[.]jp - GET /wp-content/themes/corporate_tcd011/1
• 60.43.178[.]142 port 80 - 7hoshi[.]co[.]jp - GET /wp-content/themes/corporate_tcd011/2
• 60.43.178[.]142 port 80 - 7hoshi[.]co[.]jp - GET /wp-content/themes/corporate_tcd011/a1
• 185.158.153[.]228 port 80 - littmautrow[.]com - POST /bdk/gate.php

 

FILE HASHES:

• SHA256 hash:  62e6e5dc0c3927a8c5d708688ca2b56df93848b15a4c38aab173c5a8384395f9
  File location:  Subpoena_jake.naldorn.doc
  File description:  Hancitor maldoc

• SHA256 hash:  ccc62f5d74dc000f9d8054579ea0c22e3f875231eabf3f66dd80040d56a438b6
  File location:  C:\Users[username]\AppData\Local\Temp\BN750.tmp
  File description:  DELoader (ZLoader)

 

Click here to return to the main page.