2017-09-18 - HANCITOR MALSPAM (SEPT INVOICE)

ASSOCIATED FILES:

  • 2017-09-18-Hancitor-malspam-traffic.pcap   (9,608,961 bytes)
  • 2017-09-18-Hancitor-malspam-1451-UTC.eml   (1,222 bytes)
  • 2017-09-18-Hancitor-malspam-1452-UTC.eml   (1,282 bytes)
  • 2017-09-18-Hancitor-malspam-1508-UTC.eml   (1,220 bytes)
  • 2017-09-18-Hancitor-malspam-1511-UTC.eml   (1,265 bytes)
  • 2017-09-18-Hancitor-malspam-1551-UTC.eml   (1,278 bytes)
  • 2017-09-18-Hancitor-malspam-1552-UTC.eml   (1,244 bytes)
  • 2017-09-18-Hancitor-malspam-1620-UTC.eml   (1,258 bytes)
  • 2017-09-18-Hancitor-malspam-1642-UTC.eml   (1,288 bytes)
  • 2017-09-18-Hancitor-malspam-1705-UTC.eml   (1,203 bytes)
  • 2017-09-18-Hancitor-malspam-1730-UTC.eml   (1,225 bytes)
  • invoice_950094.doc   (257,024 bytes)
  • uvur.exe   (173,568 bytes)

 

TODAY'S TWEETS COVERING THE 2017-09-18 WAVE OF #HANCITOR MALSPAM:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

LINKS IN THE EMAILS THE WORD DOCUMENT:

NAME FOR THE MALICIOUS WORD DOCUMENT:

POST-INFECTION TRAFFIC FROM MY INFECTED HOST:

 

FILE HASHES

WORD DOCUMENT FROM LINK IN THE EMAIL:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.