2017-06-26 - HANCITOR MALSPAM (FAKE ADP PAYROLL)

ASSOCIATED FILES:

  • 2017-06-26-Hancitor-malspam-traffic.pcap   (9,721,184 bytes)
  • 2017-06-26-Hancitor-malspam-1548-UTC.eml   (1,924 bytes)
  • 2017-06-26-Hancitor-malspam-1552-UTC.eml   (1,925 bytes)
  • 2017-06-26-Hancitor-malspam-1556-UTC.eml   (1,931 bytes)
  • 2017-06-26-Hancitor-malspam-1557-UTC.eml   (1,922 bytes)
  • 2017-06-26-Hancitor-malspam-1613-UTC.eml   (1,924 bytes)
  • 2017-06-26-Hancitor-malspam-1626-UTC.eml   (1,930 bytes)
  • 2017-06-26-Hancitor-malspam-1754-UTC.eml   (1,924 bytes)
  • 2017-06-26-Hancitor-malspam-1828-UTC.eml   (1,927 bytes)
  • 2017-06-26-Hancitor-malspam-1927-UTC.eml   (1,927 bytes)
  • 2017-06-26-Hancitor-malspam-1938-UTC.eml   (1,933 bytes)
  • BN5466.tmp   (186,368 bytes)
  • Invoice_yahoo.doc   (221,696 bytes)

 

A BLOG POST AND SOME TWEETS COVERING THE 2017-06-26 WAVE OF #HANCITOR MALSPAM:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENTS:

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.