2017-02-07 - HANCITOR/PONY MALSPAM - SUBJECT: YOU RECEIVED A NEW EFAX FROM 202-935-2034

ASSOCIATED FILES:

  • 2017-02-07-Hancitor-Pony-malspam-traffic.pcap   (9,494,012 bytes)
  • 2017-02-07-hancitor-pony-malspam-1607-UTC.eml   (3,936 bytes)
  • 2017-02-07-hancitor-maldoc.doc   (194,560 bytes)
  • 2017-02-07-follow-up-malware-Terdot.A-Zloader.exe   (255,488 bytes)

NOTES:

Shown above: Flowchart for this infection traffic.

EMAIL

Shown above: Screenshot from one of the emails.


EMAIL HEADERS:

Shown above: Word document downloaded from link in the email.


TRAFFIC

Shown above: Traffic from the infection filtered in Wireshark.


ASSOCIATED DOMAINS:


FILE HASHES

WORD DOCUMENT:


TERDOT.A/ZLOADER:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
