2017-07-20 - HANCITOR MALSPAM (INVOICE NOTIFICATION)

ASSOCIATED FILES:

  • 2017-07-20-Hancitor-malspam-traffic.pcap   (8,654,555 bytes)
  • 2017-07-20-Hancitor-malspam-1456-UTC.eml   (5,787 bytes)
  • 2017-07-20-Hancitor-malspam-1531-UTC.eml   (5,793 bytes)
  • 2017-07-20-Hancitor-malspam-1547-UTC.eml   (5,782 bytes)
  • 2017-07-20-Hancitor-malspam-1609-UTC.eml   (5,787 bytes)
  • 2017-07-20-Hancitor-malspam-1650-UTC.eml   (5,786 bytes)
  • 2017-07-20-Hancitor-malspam-1714-UTC.eml   (5,783 bytes)
  • 2017-07-20-Hancitor-malspam-1817-UTC.eml   (5,792 bytes)
  • 2017-07-20-Hancitor-malspam-1852-UTC.eml   (5,787 bytes)
  • BN9A1C.tmp   (194,048 bytes)
  • Intuit_Invoice_649272.doc   (296,960 bytes)

 

TWEETS COVERING THE 2017-07-20 WAVE OF #HANCITOR MALSPAM:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

LINKS IN THE EMAILS THE WORD DOCUMENT THAT I SAW:

ADDITIONAL LINKS FOR THE WORD DOCUMENT REPORTED BY @CHEAPBYTE:

NAME FOR THE MALICIOUS WORD DOCUMENT:

POST-INFECTION TRAFFIC FROM MY INFECTED HOST:

ADDITIONAL POST-INFECTION URLS REPORTED BY @CHEAPBYTE:

ADDITIONAL POST-INFECTION URL NOTED IN REVERSE.IT ANALYSIS OF DELOADER/ZLOADER:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.