Hancitor 2017-06-29 MalSpam

Sender: james@consultechmgt.com
Subject: You have received a new document!

Compromised sites hosting Hancitor Doc:

  • correspondentfunding.com/file.php?document=[Base64 email address of recipient]
  • swellcoming.com/file.php?document=[Base64 email address of recipient]
  • rainierfootcareproducts.com/file.php?document=[Base64 email address of recipient]
  • ranermed.com/file.php?document=[Base64 email address of recipient]
  • HAVEFUNMAKEMONEYHELPPEOPLE.COM/file.php?document=[Base64 email address of recipient]
  • FROGMAN-SCUBA.COM/file.php?document=[Base64 email address of recipient]
  • ALLENSMECHANICAL.BIZ/file.php?document=[Base64 email address of recipient]
  • ALLENSMECHANICAL.CO/file.php?document=[Base64 email address of recipient]
  • allensmechanical.net/file.php?document=[Base64 email address of recipient]
  • CODYVICTOR.COM/file.php?document=[Base64 email address of recipient]

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2017-06-29-Hancitor-pcap.zip

Shown above: Email with the link to download the Hancitor Word document

Shown above: Malicious Word document, after being downloaded from the link above, used to start the infection chain

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 52.15.48.15 – correspondentfunding.com GET /file.php?document=[Base64 email address of recipient] – [HANCITOR DOC]
  • 23.21.138.252 – api.ipify.org
  • 137.74.150.55 – batbetorzen.com POST /ls5/forum.php
  • 193.228.150.200 – transoffice.org GET /wp-content/plugins/link-indication/1
  • 83.217.11.130 – repwasswithhow.com POST /bdl/gate.php
  • [FOLLOWED BY TOR TRAFFIC]
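As an added triage example (not part of the original post or its pcap), the Python below walks constructed proxy log lines, flags GET requests for the file.php?document= pattern used by the compromised sites listed above, Base64-decodes the document parameter to recover the targeted recipient address, and flags POSTs to the two check-in paths from the associated-domains list. The log lines, client IPs and recipient addresses are constructed; the hosts and paths are the ones on this page.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Hosts and URI paths taken from the indicator lists in this post.
HANCITOR_DOC_PATH = "/file.php"
C2_PATHS = {"/ls5/forum.php", "/bdl/gate.php"}

# Constructed sample proxy log: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2017-06-29T10:02:11Z 10.0.0.7 GET http://correspondentfunding.com/file.php?document=dmljdGltQGV4YW1wbGUuY29t
2017-06-29T10:02:13Z 10.0.0.7 GET http://api.ipify.org/
2017-06-29T10:02:15Z 10.0.0.7 POST http://batbetorzen.com/ls5/forum.php
2017-06-29T10:02:19Z 10.0.0.7 POST http://repwasswithhow.com/bdl/gate.php
2017-06-29T10:03:00Z 10.0.0.9 GET http://swellcoming.com/file.php?document=bm9wZQ
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_document_param(value):
    """Base64-decode a document= value; return the e-mail address or None.

    Padding is restored first because '=' is often dropped when the URL is
    logged or copied (assumption, not something the post states)."""
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None


def triage(log_text):
    """Return (client_ip, stage, host, detail) tuples for each hit."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, method, url = line.split(maxsplit=3)
        parts = urlsplit(url)
        if method == "GET" and parts.path == HANCITOR_DOC_PATH:
            doc = parse_qs(parts.query).get("document", [""])[0]
            recipient = decode_document_param(doc)
            detail = recipient or "unrecognised:" + doc
            hits.append((client, "doc-download", parts.hostname, detail))
        elif method == "POST" and parts.path in C2_PATHS:
            hits.append((client, "c2-checkin", parts.hostname, parts.path))
    return hits
```

A decoded recipient tells you which mailbox received the lure; a doc-download hit followed by a c2-checkin from the same client indicates the macro ran.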

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Hancitor malspam

Shown above: Network traffic associated with the download of the malicious Hancitor document

MALICIOUS PAYLOAD ASSOCIATED WITH MALSPAM: