Hancitor 2017-08-07 MalSpam

Sender: ups@mybestore.com
Subject: Delivery halted for shipment #531277

COMPROMISED SITES HOSTING HANCITOR DOCS:

  • claytonturner.net/f.php?d=[Base64 email address of recipient]
  • premierbenefitservices.net/f.php?d=[Base64 email address of recipient]
  • PREMIERBENEFITSDIRECT.NET/f.php?d=[Base64 email address of recipient]
  • BUSINESSTECHNOLOGYSUPPORT.COM/f.php?d=[Base64 email address of recipient]
  • innsbrook-braces.com/f.php?d=[Base64 email address of recipient]
  • richmondhvac.net/f.php?d=[Base64 email address of recipient]
  • CONTRACTORS-SEMINARS.COM/f.php?d=[Base64 email address of recipient]

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-08-07-Hancitor-pcap.zip


Shown above: Email with link to download Hancitor Word document


Shown above: Malicious Word document downloaded from the above link, which starts the infection chain


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 35.162.172.227 – claytonturner.net GET /f.php?d=[Base64 email address of recipient]
  • 184.73.220.206 – api.ipify.org
  • 77.120.123.209 – jecheddecy.com POST /ls5/forum.php
  • 213.186.33.17 – www.ecoledulaveu.be GET /wp-content/plugins/simple-facebook-connect/1
  • 77.120.123.209 – jecheddecy.com POST /mlu/forum.php
  • 213.186.33.17 – www.ecoledulaveu.be GET /wp-content/plugins/simple-facebook-connect/2
  • 77.120.123.209 – jecheddecy.com POST /d2/about.php
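The request sequence above (document fetch with the base64 recipient address in the URL, external IP lookup, then POST check-ins to forum.php/about.php paths) can be turned into a proxy-log detection. The script below is an added example, not part of the original post; the log format and the sample lines are constructed, and the recipient address "victim@example.com" is a placeholder.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit
# Constructed proxy-log sample ("<src_ip> <method> <url>") mirroring the chain above; not real capture data.
SAMPLE_LOG = """\
10.0.0.5 GET http://claytonturner.net/f.php?d=dmljdGltQGV4YW1wbGUuY29t
10.0.0.5 GET http://api.ipify.org/
10.0.0.5 POST http://jecheddecy.com/ls5/forum.php
10.0.0.5 GET http://www.ecoledulaveu.be/wp-content/plugins/simple-facebook-connect/1
10.0.0.5 POST http://jecheddecy.com/mlu/forum.php
10.0.0.5 POST http://jecheddecy.com/d2/about.php
10.0.0.7 GET http://www.example.org/index.html
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def decode_recipient(d_value):
    """Decode the f.php 'd' parameter; return the e-mail address it encodes, or None."""
    padded = d_value + "=" * (-len(d_value) % 4)  # tolerate stripped base64 padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None

def classify(method, url):
    """Map one request to a stage of the chain above, or None if it matches no stage."""
    parts = urlsplit(url)
    if method == "GET" and parts.path.endswith("/f.php"):
        email = decode_recipient(parse_qs(parts.query).get("d", [""])[0])
        if email:
            return ("doc_download", email)       # stage 1: Word doc fetched with recipient in URL
    if method == "GET" and parts.hostname == "api.ipify.org":
        return ("ip_check", None)                # stage 2: external IP lookup
    if method == "POST" and re.search(r"/(forum|about)\.php$", parts.path):
        return ("c2_checkin", parts.hostname)   # stage 3: POST check-ins to the C2 paths
    return None

def find_hancitor_chains(log_text):
    """Return {src_ip: [stages]} for hosts showing both a doc download and a C2 check-in."""
    hits = {}
    for line in log_text.splitlines():
        src, method, url = line.split(maxsplit=2)  # assumes well-formed three-field lines
        stage = classify(method, url)
        if stage:
            hits.setdefault(src, []).append(stage)
    return {src: stages for src, stages in hits.items()
            if {"doc_download", "c2_checkin"} <= {s[0] for s in stages}}
```

Requiring both a document download and a check-in before flagging a host keeps a lone hit on a generic path such as /forum.php from raising an alert on its own.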


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Hancitor malspam


MALICIOUS PAYLOAD ASSOCIATED WITH MALSPAM: