Hancitor 2017-07-18 MalSpam

Sender: dse@novusimaging.com
Subject: Your document Leasing Contract 857 for [Recipient Domain] is ready for signature!

Compromised sites hosting Hancitor Doc:

  • bestmedcard.us/file.php?d=[Base64 email address of recipient]
  • bestmedcard.info/file.php?d=[Base64 email address of recipient]
  • therapynola.com/file.php?d=[Base64 email address of recipient]
  • uptowntherapist.com/file.php?d=[Base64 email address of recipient]
  • BETTERBENEFITSPLAN.COM/file.php?d=[Base64 email address of recipient]
  • louisianaphysiciansaco.com/file.php?d=[Base64 email address of recipient]
  • mdentree.com/file.php?d=[Base64 email address of recipient]

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-07-18-Hancitor-pcap.zip

Shown above: Email with link to download the Hancitor Word document

Shown above: Malicious Word document after download from the link above; opening it starts the infection chain

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 52.14.155.100 – bestmedcard.us GET /file.php?d=[Base64 email address of recipient]
  • 50.19.238.1 – api.ipify.org
  • 46.173.213.210 – torslingtoftof.com POST /ls5/forum.php
  • 72.52.142.199 – highpointbaptistchurch.com GET /wp-content/plugins/easyrotator-for-wordpress/1
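
As an added defender-side example (not part of the original post), the following Python script checks proxy log lines for the request sequence listed above: a GET to file.php?d=<base64> whose parameter decodes to an e-mail address, the api.ipify.org lookup, and the POST to /forum.php. The log format, the client IPs and the recipient address are constructed for the example; the hosts and paths are the ones listed above.

```python
import base64
import re

# Constructed proxy log lines ("client method url"): the log format and client
# IPs are assumptions for this example; hosts and paths follow the post above.
SAMPLE_LOG = [
    "10.0.0.5 GET http://bestmedcard.us/file.php?d=dmljdGltQGV4YW1wbGUuY29t",
    "10.0.0.5 GET http://api.ipify.org/",
    "10.0.0.5 POST http://torslingtoftof.com/ls5/forum.php",
    "10.0.0.5 GET http://highpointbaptistchurch.com/wp-content/plugins/easyrotator-for-wordpress/1",
    "10.0.0.9 GET http://www.example.com/file.php?d=notbase64!!",
    "10.0.0.9 GET http://api.ipify.org/",
]

LINE_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+(\S+)$")
LURE_RE = re.compile(r"/file\.php\?d=([A-Za-z0-9+/=]+)$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def decode_lure_param(url):
    """Return the recipient address carried in d= if url is a lure URL, else None."""
    m = LURE_RE.search(url)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None

def stage_of(method, url):
    """Map one request to the infection stage it matches, or None."""
    if method == "GET" and decode_lure_param(url):
        return "lure_download"
    if method == "GET" and "api.ipify.org" in url:
        return "ip_check"
    if method == "POST" and url.endswith("/forum.php"):
        return "c2_checkin"
    return None

def find_infection_chains(lines):
    """Return {client: stages} for clients whose requests show lure -> IP check -> C2 in order."""
    seen = {}
    for m in filter(None, map(LINE_RE.match, lines)):
        client, method, url = m.groups()
        stage = stage_of(method, url)
        stages = seen.setdefault(client, [])
        if stage and stage not in stages:
            stages.append(stage)
    expected = ["lure_download", "ip_check", "c2_checkin"]
    return {c: s for c, s in seen.items() if s[:3] == expected}
```

A client that only hits api.ipify.org (a legitimate service) is not flagged; the lure download with a decodable recipient address followed by the C2 check-in is what distinguishes the chain.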

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Hancitor malspam

MALICIOUS PAYLOAD ASSOCIATED WITH MALSPAM:

Hancitor.doc
Hybrid-Analysis