Hancitor 2017-07-06 MalSpam

Sender: joseph@rogers.com
Subject: RE:RE: shipping information

Compromised sites hosting Hancitor Doc:


I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-07-06-Hancitor-pcap.zip


Shown above: Email with link to download Hancitor Word document


Shown above: Malicious Word document after downloaded from above link to start infection chain


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 194.87.94.1 – prestigehyundai.com GET /file.php?d=[Base64 email address of recipient] – [HANCITOR DOC]
  • 23.23.102.58 – api.ipify.org
  • 185.7.30.140 – resinelkeft.com POST /ls5/forum.php
  • 62.210.16.62 – transformationsociety.org GET /wp-content/plugins/page-links-to/1
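As an added example (not part of this write-up or its pcap), the following Python flags the chain listed above in constructed proxy log lines: it decodes the Base64 recipient address carried in the file.php?d= request, then ties it to the api.ipify.org lookup and the forum.php POST from the same client. The log format and the sample lines are assumptions.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not taken from the pcap): client, method, URL.
SAMPLE_LOG = """\
10.0.0.5 GET http://prestigehyundai.com/file.php?d=dmljdGltQGV4YW1wbGUuY29t
10.0.0.5 GET http://api.ipify.org/
10.0.0.5 POST http://resinelkeft.com/ls5/forum.php
10.0.0.5 GET http://transformationsociety.org/wp-content/plugins/page-links-to/1
10.0.0.9 GET http://intranet.example.com/file.php?d=1234
10.0.0.9 GET http://api.ipify.org/
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def decode_recipient(url):
    """Return the e-mail address hidden in ?d= if it is valid Base64 of one, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if not parts.path.endswith("/file.php") or "d" not in query:
        return None
    try:
        decoded = base64.b64decode(query["d"][0], validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None  # not Base64, or not printable text: a benign file.php lookalike
    return decoded if EMAIL_RE.match(decoded) else None


def score_hancitor(log_text):
    """Per client: (full chain seen?, sorted list of stages observed).

    Stages: 'doc' (document fetch with Base64 recipient), 'ipcheck' (api.ipify.org),
    'c2' (POST to a forum.php path). All three together mark the full chain.
    """
    stages = {}
    for line in log_text.splitlines():
        client, method, url = line.split(None, 2)
        seen = stages.setdefault(client, set())
        parts = urlsplit(url)
        if method == "GET" and decode_recipient(url):
            seen.add("doc")
        if parts.hostname == "api.ipify.org":
            seen.add("ipcheck")
        if method == "POST" and parts.path.endswith("/forum.php"):
            seen.add("c2")
    return {c: (s >= {"doc", "ipcheck", "c2"}, sorted(s)) for c, s in stages.items()}
```

The second client only performs an external IP lookup, so it is reported with a partial stage list rather than as an infection.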


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Hancitor malspam


Shown above: Network traffic associated with the download of the Hancitor malicious document


MALICIOUS PAYLOAD ASSOCIATED WITH MALSPAM: