2018-12-19 - Hancitor malspam file info

1. 2018-12-19 - Hancitor malspam file info
2.  
3. Initial Excel spreadsheet from: 47.74.238[.]191 using the following domains:
4.  
5. raskinlegal[.]com
6. threadbasic[.]com
7. j3biosciences[.]com
8. healthmarketplus[.]com
9. lajecreations[.]com
10. indianaworkwear[.]com
11. bulkreolist[.]com
12. j3bioscience[.]com
13. visionsportmotors[.]com
14. rflippinbusiness[.]com
15.  
16. SHA256 hash: 627c6c64c1c4c7fca0cce96abcd8955f139410ecd8d82e03fe36af786b75891b
17. File size: 523,264 bytes
18. File name: invoice_012345.xls (random digits in the file name)
19. File description: Downoaded Excel spreadsheet with macro for Hancitor
20. CAPE sandbox analysis: https://cape.contextis.com/analysis/27647/
21. Reverse.it analysis: https://www.reverse.it/sample/627c6c64c1c4c7fca0cce96abcd8955f139410ecd8d82e03fe36af786b75891b
22.  
23. SHA256 hash: 70baae3ae48aa13a7e764c2608ab14edb89ede0765f8d1cbefd301b7c04eff34
24. File size: 95,746 bytes
25. File location: C:\Users\[username]\AppData\Local\Temp\4CB52522.com
26. File location: C:\Users\[username]\AppData\Local\Temp\6.pif
27. File description: Hancitor malware (Windows executable file)
28. CAPE sandbox analysis: https://cape.contextis.com/analysis/27648/
29. Reverse.it analysis: https://www.reverse.it/sample/70baae3ae48aa13a7e764c2608ab14edb89ede0765f8d1cbefd301b7c04eff34
30.  
31. SHA256 hash: 2bac8916741df425352e5c2220000abb3ffc1f92edadc16590d7d80aad41c07d
32. File size: 256,512 bytes
33. File location: C:\Users\[username]\AppData\Local\Temp\BN3A60.tmp
34. File description: Ursnif retrieved by Hancitor infected host
35. CAPE sandbox analysis: https://cape.contextis.com/analysis/27649/
36. Reverse.it analysis: https://www.reverse.it/sample/2bac8916741df425352e5c2220000abb3ffc1f92edadc16590d7d80aad41c07d