Hancitor distributed through coronavirus-themed malspam
Introduction
The criminal group behind Hancitor malware has been quiet during the past few weeks. For the past year or so, this group has stuck with DocuSign-themed malspam to distribute Hancitor (like this example from January 2020). However, today @mesa_matt reported a new wave of Hancitor malspam using a coronavirus theme. Today's diary reviews two quick infection runs using information from @mesa_matt's Twitter thread on Wednesday 2020-03-11.
My thanks to everyone on Twitter who keeps an eye on Hancitor and tweets about it.
Shown above: Screenshot of the malspam from a tweet by @mesa_matt on 2020-03-11.
Infection traffic
We're still seeing the same sequence of events from previous Hancitor runs so far this year.
- Step 1: Link from malspam
- Step 2: leads to another URL that returns a zip archive
- Step 3: Extract VBS from zip archive
- Step 4: VBS drops and executes Hancitor DLL
- Step 5: Hancitor-style post-infection traffic
Shown above: Traffic from an infection filtered in Wireshark.
Indicators of Compromise (IoCs)
Traffic from an infected Windows host:
- URL from link in the malspam (various URLs from step 1, not in my pcaps)
- 8.208.77[.]171 port 80 - freetospeak[.]me - GET /0843_43.php
- port 80 - api.ipify[.]org - GET /
- 45.153.73[.]33 port 80 - thumbeks[.]com - POST /4/forum.php
- 45.153.73[.]33 port 80 - thumbeks[.]com - POST /mlu/forum.php
- 45.153.73[.]33 port 80 - thumbeks[.]com - POST /d2/about.php
- 68.183.232[.]255 port 80 - shop.artaffinittee[.]com - GET /wp-includes/sodium_compat/1
- 68.183.232[.]255 port 80 - shop.artaffinittee[.]com - GET /wp-includes/sodium_compat/2
Malware from my infected lab hosts:
SHA256 hash: 4f6d4d8f279c03f1ddfa20f95af152109b7578a2bec0a16a56ff87745585169a
- File size: 230,431 bytes
- File location: hxxp://freetospeak[.]me/0843_43.php
- File name: SE-670131329809_5500.zip
- File description: zip archive downloaded from link in malspam distributing Hancitor (1st run)
SHA256 hash: 6897a3b85046ba97fb3868dfb82338e5ed098136720a6cf73625e784fc1e1e51
- File size: 1,130,515 bytes
- File name: SE670131329809.vbs
- File description: VBS file extracted from downloaded zip archive (1st run)
SHA256 hash: 8a9333204db83c2571463278cb6a6241ae5f215b2166bf4af5693d611049d5a9
- File size: 228,383 bytes
- File location: hxxp://freetospeak[.]me/0843_43.php
- File name: QU-555033076467_5558.zip
- File description: zip archive downloaded from link in malspam distributing Hancitor (2nd run)
SHA256 hash: 8da0eb3a2378d218043e9f3188e59e3158f1fd01bbcd979f05197c74c2fb7a1c
- File size: 1,125,138 bytes
- File name: QU555033076467.vbs
- File description: VBS file extracted from downloaded zip archive (2bd run)
SHA256 hash: 291a4eb06358eca87fbc1f133ee162b6c532f4ec3e6f39c2646cde5de60e80f9
- File size: 253,952 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\adobe.txt
- File description: Hancitor DLL dropped after executing above VBS files (both runs)
For further information:
- Twitter thread from @mesa_matt with a screenshot of a malspam example: link
- Initial info on Pastebin for Hancitor malspam from @mesa_matt Twitter thread: link
- Any.Run sandbox analysis for URL used to kick off my infection runs: link
- File hashes on Pastebin for this Hancitor from paste by JAMES_INTHE_BOX: link
Final words
Pcaps of my infection traffic along with the associated malware can be found here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Comments