2017-03-16 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-03-16-Hancitor-infection-with-ZLoader.pcap.zip   13.9 MB (13,947,388 bytes)

• 2017-03-16-Hancitor-infection-with-ZLoader.pcap   (14,894,790 bytes)

• 2017-03-16-Hancitor-malspam-5-examples.zip   5.0 kB (5,015 bytes)

• 2017-03-16-Hancitor-malspam-1604-UTC.eml   (1,093 bytes)
• 2017-03-16-Hancitor-malspam-1737-UTC.eml   (1,070 bytes)
• 2017-03-16-Hancitor-malspam-1758-UTC.eml   (1,090 bytes)
• 2017-03-16-Hancitor-malspam-1821-UTC.eml   (1,095 bytes)
• 2017-03-16-Hancitor-malspam-1948-UTC.eml   (1,094 bytes)

• Z2017-03-16-malware-from-Hancitor-infection.zip   223.0 kB (223,046 bytes)

• BN898B.tmp.exe   (159,744 bytes)
• Divorce_gene.staples.doc   (181,760 bytes)

 

EMAIL

Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

• Date/Time:  Thursday 2017-03-16 as early as 16:04 thru at least 18:21 UTC
• From:  (spoofed) "Vincent R. Cappucci" <vcappucci@ent-law[.]com>
• Subject:  RE: divorce papers

 

Shown above:  Malicious Word document (Hancitor) from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE INITIAL DOCUMENT:

• 133.242.215[.]147 port 80 - fortyfour[.]jp - GET /divorce/divorce.php?id=[base64 string]
• 41.185.8[.]224 port 80 - byteshop[.]co[.]za - GET /divorce/divorce.php?id=[base64 string]

 

POST-INFECTION TRAFFIC:

• 95.175.98[.]222 port 80 - wihotitbu[.]com - POST /ls5/forum.php
• 95.175.98[.]222 port 80 - wihotitbu[.]com - POST /mlu/forum.php
• 95.175.98[.]222 port 80 - wihotitbu[.]com - POST /d1/about.php
• 186.202.153[.]204 port 80 - turismarviagens[.]com[.]br - GET /wp-content/plugins/cyclone-slider/inc/1
• 186.202.153[.]204 port 80 - turismarviagens[.]com[.]br - GET /wp-content/plugins/cyclone-slider/inc/2
• 186.202.153[.]204 port 80 - turismarviagens[.]com[.]br - GET /wp-content/plugins/cyclone-slider/inc/a1
• 192.186.235[.]32 port 80 - www.oberlincarbonmanagement[.]org - GET /wp-content/plugins/quick-setup/modules/1
• 192.186.235[.]32 port 80 - www.oberlincarbonmanagement[.]org - GET /wp-content/plugins/quick-setup/modules/2
• 192.186.235[.]32 port 80 - www.oberlincarbonmanagement[.]org - GET /wp-content/plugins/quick-setup/modules/a1
• 193.124.176[.]37 port 80 - arratritthe[.]com - POST /bdk/gate.php
• api.ipify[.]org - GET /
• checkip.dyndns[.]org - GET /
• Various IP addresses, various ports - Tor traffic

 

FILE HASHES

FROM LINK IN THE EMAIL:

• SHA256 hash:  7b8bd7b3aae87c57adbb8bdd2d2ce543a6db88f1fa9c0eefa65f4d8409884ffa
  File location:  Divorce_bela.hermaas.doc
  File description:  Hancitor maldoc

MALWARE FROM THE INFECTED HOST:

• SHA256 hash:  c8989c184174f25a13a23242d9e7d2c99f74ca9e283d1d4b1ad642bdcb89ba63
  File location:  C:\Users[username]\AppData\Local\Temp\BN898B.tmp
  File description:  DELoader (ZLoader)

 

FINAL NOTES

Click here to return to the main page.