Hancitor 2017-06-26 MalSpam
Sender: run.payroll.invoice@
Subject: ADP Payroll Invoice for week ending 06/24/2017 – 02414. Invoice: 06662222
Download Links:
- thepillownurse.net/file.php?document=[Base64 email address of recipient]
- thepillownurse.org/file.php?document=[Base64 email address of recipient]
- thepillownurse.info/file.php?document=[Base64 email address of recipient]
- THOMASGUYTON.COM/file.php?document=[Base64 email address of recipient]
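As an added example (not part of the original write-up), the Python below recovers the targeted recipient from the Hancitor download URL pattern listed above and runs the same check over constructed proxy log lines; the log layout and client addresses are assumptions, while the document value is the one seen in the pcap.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Hancitor download URLs in this campaign look like
#   http://<host>/file.php?document=<base64 of recipient e-mail>
# Matching the path and decoding the parameter recovers who was targeted.
DOWNLOAD_PATH_RE = re.compile(r"^/file\.php$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def recipient_from_url(url):
    """Return the decoded recipient e-mail if `url` matches the Hancitor
    download pattern and `document` is valid base64 of an e-mail address;
    otherwise return None (malformed base64 is treated as a non-match)."""
    parts = urlsplit(url)
    if not DOWNLOAD_PATH_RE.match(parts.path):
        return None
    doc = parse_qs(parts.query).get("document")
    if not doc:
        return None
    try:
        decoded = base64.b64decode(doc[0], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def triage_proxy_log(lines):
    """Return (client_ip, host, recipient) for each log line carrying a
    Hancitor-style document download. The log format is a constructed
    'client_ip method url' layout, not a real proxy product's."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[1] != "GET":
            continue
        recipient = recipient_from_url(fields[2])
        if recipient:
            hits.append((fields[0], urlsplit(fields[2]).hostname, recipient))
    return hits


# Constructed sample log lines; only the first is a Hancitor document fetch.
SAMPLE_LOG = [
    "10.0.0.15 GET http://thepillownurse.org/file.php?document=aW5mb0BiYS5jb20=",
    "10.0.0.22 GET http://example.org/file.php?document=not-base64!!",
    "10.0.0.31 GET http://api.ipify.org/",
    "10.0.0.15 POST http://dintrolletone.com/ls5/forum.php",
]

if __name__ == "__main__":
    for client, host, who in triage_proxy_log(SAMPLE_LOG):
        print(f"{client} fetched Hancitor doc from {host}; targeted recipient: {who}")
```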
I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).
PCAP file of the infection traffic:
2017-06-26-Hancitor-pcap.zip
Shown above: Email with link to download Hancitor Word document
Shown above: Malicious Word document, downloaded from the link above, that starts the infection chain
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 62.109.16.234 – thepillownurse.org GET /file.php?document=aW5mb0BiYS5jb20= – [HANCITOR DOC]
- 23.23.102.58 – api.ipify.org
- 146.120.110.121 – dintrolletone.com POST /ls5/forum.php
- 177.93.111.181 – pousadaruralsolardosventos.com GET /wp-content/plugins/google-maps-widget/1
- 176.31.200.66 – cajohnorro.com POST /bdl/gate.php
- 216.146.38.70 – checkip.dyndns.org
- 217.160.108.64 – ibericodirecto.com GET /wp-content/plugins/google-analytics-for-wordpress/31.exe – [SendSafe]
IMAGES AND DETAILS OF INFECTION CHAIN:
Shown above: Network traffic associated with the Hancitor malspam
Shown above: Traffic that appears to be associated with the SendSafe malspammer (31.exe) downloaded from ibericodirecto.com during the infection chain
MALICIOUS PAYLOAD ASSOCIATED WITH MALSPAM:
- Malicious Word document (VirusTotal)
- 31.exe (VirusTotal)