2017-06-14 - HANCITOR MALSPAM (FAKE ADP BILL)

ASSOCIATED FILES:

  • 2017-06-14-Hancitor-malspam-traffic.pcap   (10,505,738 bytes)
  • 2017-06-14-Hancitor-malspam-1505-UTC.eml   (1,533 bytes)
  • 2017-06-14-Hancitor-malspam-1626-UTC.eml   (1,528 bytes)
  • 2017-06-14-Hancitor-malspam-1727-UTC.eml   (1,527 bytes)
  • 2017-06-14-Hancitor-malspam-1747-UTC.eml   (1,526 bytes)
  • 2017-06-14-Hancitor-malspam-1750-UTC.eml   (1,529 bytes)
  • 2017-06-14-Hancitor-malspam-1945-UTC.eml   (1,527 bytes)
  • 2017-06-14-Hancitor-malspam-2028-UTC.eml   (1,524 bytes)
  • ADP_Bill_yahoo.doc   (247,296 bytes)
  • BND058.tmp   (199,680 bytes)

 

SOME TWEETS ABOUT TODAY'S #HANCITOR MALSPAM:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENTS:

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.