2017-07-03 - HANCITOR MALSPAM (FEDEX TRACKING NOTIFICATION)

ASSOCIATED FILES:

  • 2017-07-03-Hancitor-malspam-traffic.pcap   (7,230,916 bytes)
  • 2017-07-03-Hancitor-malspam-142247-UTC.eml   (21,614 bytes)
  • 2017-07-03-Hancitor-malspam-142410-UTC.eml   (21,625 bytes)
  • 2017-07-03-Hancitor-malspam-143011-UTC.eml   (21,625 bytes)
  • 2017-07-03-Hancitor-malspam-143130-UTC.eml   (21,619 bytes)
  • 2017-07-03-Hancitor-malspam-143511-UTC.eml   (21,627 bytes)
  • 2017-07-03-Hancitor-malspam-150706-UTC.eml   (21,617 bytes)
  • 2017-07-03-Hancitor-malspam-151836-UTC.eml   (21,625 bytes)
  • 2017-07-03-Hancitor-malspam-160604-UTC.eml   (21,629 bytes)
  • 2017-07-03-Hancitor-malspam-162538-UTC.eml   (21,633 bytes)
  • BN2AE6.tmp   (197,120 bytes)
  • Invoice_yahoo.doc   (359,936 bytes)

 

SOME TWEETS COVERING THE 2017-07-03 WAVE OF #HANCITOR MALSPAM:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

HTTP REQUESTS FOR THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENTS:

POST-INFECTION TRAFFIC FROM MY ONE INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.