2017-02-28 - HANCITOR MALSPAM - FAKE USPS EMAILS

ASSOCIATED FILES:

  • 2017-02-28-Hancitor-malspam-traffic.pcap   (15,049,538 bytes)
  • 2017-02-28-Hancitor-malspam-1534-UTC.eml   (1,712 bytes)
  • 2017-02-28-Hancitor-malspam-1618-UTC.eml   (1,643 bytes)
  • 2017-02-28-Hancitor-malspam-1624-UTC.eml   (1,669 bytes)
  • 2017-02-28-Hancitor-malspam-1641-UTC.eml   (1,643 bytes)
  • BN2FDA.tmp.exe   (150,528 bytes)
  • USPS_Notice.doc   (184,832 bytes)

NOTES:

Shown above:  Flow chart for today's traffic.

EMAIL

DESCRIPTION:

EMAIL HEADERS:

Shown above:  Screenshot from one of the emails.

Shown above:  Malicious Word document (Hancitor).

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

ASSOCIATED DOMAINS AND URLS:

FILE HASHES

HANCITOR MALDOC:

DELOADER (ZLOADER):

FINAL NOTES

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.