2017-01-25 - HANCITOR INFECTION WITH SEND SAFE ENTERPRISE (SSE) SPAMBOT TRAFFIC
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-01-25-Hancitor-infection-with-SendSafe-spambot-traffic.pcap.zip 9.8 MB (9,754,181 bytes)
- 2017-01-25-Hancitor-malspam-1521-UTC.eml.zip 1.6 kB (1,644 bytes)
- 2017-01-25-malware-from-Hancitor-infection.zip 1.7 MB (1,698,732 bytes)
NOTES:
- This is an email and traffic form the latest wave of apparent Hancitor/Pony/Vawtrak malspam.
- Traffic is similar to a recent ISC diary I wrote earlier this month at: https://isc.sans.edu/diary/HancitorPonyVawtrak+malspam/21919
- No Vawtrak this time, though.
- This one had malware downloaded of SendSafe Enterprise (SSE) based spambot malware designed to send out more Hancitor emails from the infected Windows host.
MALSPAM
Shown above: Screenshot of the email.
TRAFFIC
ASSOCIATED ACTIVITY:
Shown above: Pcap of the infection traffic filtered in Wireshark.
- 118.69.196[.]199 port 80 - www.lifelabs[.]vn - GET /api/get.php?id=[base64 string representing recipient's email address]
- api.ipify[.]org - GET /
- 95.169.190[.]104 port 80 - hedthowtorspar[.]com - POST /ls5/forum.php
- 95.169.190[.]104 port 80 - hedthowtorspar[.]com - POST /klu/forum.php
- 77.79.246[.]210 port 80 - sy-nitron[.]pl - GET /wp-content/themes/twentyfifteen/pm1
- 77.79.246[.]210 port 80 - sy-nitron[.]pl - GET /wp-content/themes/twentyfifteen/2501
- 62.76.89[.]178 port 80 - rowatterding.ru - POST /bdk/gate.php
- checkip.dyndns[.]org - GET /
- 219.94.192[.]63 port 80 - hiraso-farm[.]com - GET /wp-content/plugins/disable-google-fonts/84.exe
- 91.220.131[.]84 port 50004 - UDP post-infection traffic
- 91.220.131[.]84 port 50003 - TCP post-infection traffic
- several different IP addresses - port 25 - attempted SMTP traffic
MALWARE
MALWARE RETRIEVED FROM THE INFECTED HOST:
- 9c1ad87660e13b35fc48961f0936e9724aa763a3130e194bf67402a118d32657 - eFax_mark.doc (201,728 bytes)
- 8e436941dc1a9892cb5ee170f16116ca0cf2e5c25abf84ed74b4a15eaee94f4e - C:\Users\[username]\AppData\Local\Temp\84.exe (1,930,752 bytes)
it, look at the "about" page of this website.
Click here to return to the main page.