2018-04-04 - HANCITOR MALSPAM - FAKE DHL NOTIFICATIONS

ASSOCIATED FILES:

  • 2018-04-04-Hancitor-malspam-infection-traffic.pcap   (2,313,650 bytes)
  • 2018-04-04-Hancitor-malspam-20-email-examples.txt   (89,685 bytes)
  • 2018-04-04-email-attachment-with-malcious-macro-for-Hancitor.doc   (191,488 bytes)
  • 2018-04-04-follow-up-malware-Zeus-Panda-Banker.exe   (167,936 bytes)

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS IN THE EMAILS FOR THE WORD DOCUMENT:

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:


Shown above:  Zeus Panda Banker persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.