Hancitor 2017-06-26 MalSpam

Sender: run.payroll.invoice@performancesales.com
Subject: ADP Payroll Invoice for week ending 06/24/2017 – 02414. Invoice: 06662222

Download Links:

  • thepillownurse.net/file.php?document=[Base64 email address of recipient]
  • thepillownurse.org/file.php?document=[Base64 email address of recipient]
  • thepillownurse.info/file.php?document=[Base64 email address of recipient]
  • THOMASGUYTON.COM/file.php?document=[Base64 email address of recipient]

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-06-26-Hancitor-pcap.zip


Shown above: Email with link to download the Hancitor Word document


Shown above: Malicious Word document, downloaded from the link above, that starts the infection chain


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 62.109.16.234 – thepillownurse.org GET /file.php?document=aW5mb0BiYS5jb20= – [HANCITOR DOC]
  • 23.23.102.58 – api.ipify.org
  • 146.120.110.121 – dintrolletone.com POST /ls5/forum.php
  • 177.93.111.181 – pousadaruralsolardosventos.com GET /wp-content/plugins/google-maps-widget/1
  • 176.31.200.66 – cajohnorro.com POST /bdl/gate.php
  • 216.146.38.70 – checkip.dyndns.org
  • 217.160.108.64 – ibericodirecto.com GET /wp-content/plugins/google-analytics-for-wordpress/31.exe – [SendSafe]
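
As an added example (not from the original write-up or its pcap), a check an analyst can run over web-proxy logs: match the `/file.php?document=` download URLs listed above and decode the Base64 `document` value to recover which recipient address the lure was mailed to. The proxy log lines and their column layout are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Hancitor document download URL pattern from this campaign:
# <domain>/file.php?document=<Base64 e-mail address of the recipient>
DOC_PARAM = re.compile(r"/file\.php\?document=([^&\s\"']+)", re.IGNORECASE)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_recipient(url):
    """Recipient address hidden in document=, or None if the URL is not a
    Hancitor document download or the value does not decode to an address."""
    match = DOC_PARAM.search(url)
    if not match:
        return None
    token = unquote(match.group(1))   # undo %3D-style encoding of the padding
    token += "=" * (-len(token) % 4)  # restore padding the sender may have dropped
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if EMAIL.match(decoded) else None


# Constructed sample proxy log (not the page's pcap), one request per line:
# <timestamp> <client ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2017-06-26T14:02:11Z 10.0.0.25 GET http://thepillownurse.org/file.php?document=aW5mb0BiYS5jb20= 200
2017-06-26T14:02:15Z 10.0.0.25 GET http://api.ipify.org/ 200
2017-06-26T14:03:40Z 10.0.0.31 GET http://THOMASGUYTON.COM/file.php?document=not-base64!! 404
2017-06-26T14:05:02Z 10.0.0.40 POST http://dintrolletone.com/ls5/forum.php 200
"""


def find_hancitor_downloads(log_text):
    """(client ip, host, recipient) for every document download in the log,
    i.e. which mailbox each infected host's link was sent to."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        recipient = decode_recipient(url)
        if recipient is not None:
            hits.append((client, urlsplit(url).hostname, recipient))
    return hits
```

The third sample line shows the failure mode worth handling: a request to a listed domain whose `document` value is not valid Base64 is left out rather than crashing the scan.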

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Hancitor malspam


Shown above: Traffic that appears to be associated with the SendSafe malspam tool (31.exe), downloaded from ibericodirecto.com during the infection chain


MALICIOUS PAYLOAD ASSOCIATED WITH MALSPAM: