2017-05-02 - HANCITOR INFECTION WITH ZLOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-05-02-Hancitor-infection-traffic.pcap.zip   278.9 kB (278,928 bytes)

• 2017-05-02-Hancitor-infection-traffic.pcap   (376,376 bytes)

• 2017-05-02-Hancitor-malspam-1705-UTC.eml.zip   4.2 kB (4,204 bytes)

• 2017-05-02-Hancitor-malspam-1705-UTC.eml   (58,535 bytes)

• 2017-05-02-malware-from-Hancitor-infection.zip   248.4 kB (248,392 bytes)

• BNA4D6.tmp   (194,560 bytes)
• Verizon_Bill_nerval.highbot.doc   (191,488 bytes)

 

EMAIL

Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Tuesday 2017-05-02 at 17:03:26 UTC
• From:  (spoofed) "Verizon Wireless" <verizon@alestaloetzel[.]com>
• Subject:  Your online bill is available. Amount due $484.45

 

Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUEST FOR THE WORD DOCUMENT:

• 62.213.103[.]60 port 80 - porkaporka[.]com - GET /view.php?id=[base64 string]
• 62.213.103[.]60 port 80 - neveralonehomecare[.]org - GET /view.php?id=[base64 string]
• 62.213.103[.]60 port 80 - REGINATSHIRTS[.]INFO - GET /view.php?id=[base64 string]

 

POST-INFECTION TRAFFIC:

• 80.85.158[.]216 port 80 - andvewouse[.]com - POST /ls5/forum.php
• 80.85.158[.]216 port 80 - andvewouse[.]com - POST /mlu/forum.php
• 185.84.108[.]22 port 80 - umberto40[.]ru - GET /wp-includes/1
• 185.84.108[.]22 port 80 - umberto40[.]ru - GET /wp-includes/a1
• 198.105.244[.]64 port 80 - hissupsparve[.]com - POST /bdk/gate.php
• api.ipify[.]org - GET /
• 146.185.254.14 port 80 - myrerithad[.]ru - POST /ls5/forum.php
• 176.103.49.221 port 80 - hesoneheci[.]ru - POST /ls5/forum.php

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

• SHA256 hash:  ccd600d5ebb12770bad5a60e61bd4ff12c10dcec675d97343c8774f1ce40c443
  File name:  Verizon_Bill_nerval.highbot.doc
  File size:  191,488 bytes
  File description:  Hancitor maldoc

MALWARE FROM THE INFECTED HOST:

• SHA256 hash:  3e1fa8d0cbe73caf572cd186e72b1aee8e734d055e7da6fa6c1945fb2e7423a8
  File location:  C:\Users\[username]\AppData\Local\Temp\BNA4D6.tmp
  File size:  194,560 bytes
  File descriptio;n:  DELoader/ZLoader

 

Click here to return to the main page.