2017-04-24 - HANCITOR MALSPAM - SUBJECT: RE: RE: WRONG AMOUNT FOR INVOICE # 1234567

ASSOCIATED FILES:

  • 2017-04-24-Hancitor-malspam-traffic.pcap   (13,312,274 bytes)
  • 2017-04-24-Hancitor-malspam-155034-UTC.eml   (2,403 bytes)
  • 2017-04-24-Hancitor-malspam-161335-UTC.eml   (2,408 bytes)
  • 2017-04-24-Hancitor-malspam-161400-UTC.eml   (2,405 bytes)
  • 2017-04-24-Hancitor-malspam-161408-UTC.eml   (2,404 bytes)
  • 123.xls   (15,766 bytes)
  • BNC476.tmp   (169,984 bytes)
  • TestWordDoc.doc   (19,456 bytes)
  • invoice_wartell.zueber.doc   (6,059 bytes)
  • putty.exe   (150,016 bytes)

NOTES:

 

EMAIL


Shown above:  Screen shot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious RTF file from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUEST FOR THE RTF FILE:

 

POST-INFECTION TRAFFIC:

 

FILE HASHES

RTF FILE FROM LINK IN THE EMAIL:

MALWARE FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.