2017-08-02 - HANCITOR MALSPAM (ADP PAYROLL INVOICE)

ASSOCIATED FILES:

  • 2017-08-02-Hancitor-malspam-traffic.pcap   (512,864 bytes)
  • 2017-08-02-Hancitor-malspam-145839-UTC.eml   (1,998 bytes)
  • 2017-08-02-Hancitor-malspam-171842-UTC.eml   (1,997 bytes)
  • 2017-08-02-Hancitor-malspam-181153-UTC.eml   (2,002 bytes)
  • ADP_Invoice_989046.doc   (241,664 bytes)
  • BN2F78.tmp   (210,432 bytes)

 

TODAY'S TWEETS COVERING THE 2017-08-02 WAVE OF #HANCITOR MALSPAM:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

LINKS IN THE EMAILS THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENT:

POST-INFECTION TRAFFIC FROM MY INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.