Hancitor Malspam 2017-11-13: 806-241-6731 has faxed you a document

Subject: 806-241-6731 has faxed you a document.
Subject: 800-241-4764 has faxed you a document.
Subject: 805-241-6352 has faxed you a document.
Subject: 800-241-3741 has faxed you a document.
Subject: 801-241-5802 has faxed you a document.

Subject regex (PCRE): \d{0,3}-\d{0,3}-\d{0,4}\b has faxed you a document\.

X-MAILER: iPad Mail (11B511)
X-MAILER: Apple Mail (2.3096.5)

Date: November 13th 2017, 11:26:55.000

MD5 : d6222c76176eaa9c7916f9e02af9ea68
SHA-1: 8770153eff8682d658c665dfcde212e1d2eb340a
SHA-256: 106fcd233b12b9e79dc6b87b62f28005f45baba2a4c460d6fc1a82fbdf8f3b45
VT:(payload from:hxxp://udm-express[.]com?V8484obEieM0oEF07H=email@address) VirusTotal

Body:

806-241-6731 has faxed you a new document. Date & Time : Mon, 13 Nov 2017 00:38 PM Size ( pages ) : 16 Visit the link below to view your fax in Microsoft Word: hxxps://messaging.efax[.]com/inbox/view.asp?item_id=6033322&type=fax&account=removed_mail.com If you require help, you can visit our faq section hxxps://www.efax[.]com/help/faq . Thank you for choosing eFax {%END_SPLIT76%}

All the domains appear to point here: VirusTotal

Date resolved Domain
2017-11-13 statewidelending[.]net
2017-11-13 mykidsplate[.]com
2017-11-13 polyprovision[.]com
2017-11-13 sellhomein28days[.]com
2017-11-13 cedarmillshutters[.]com
2017-11-13 udm-express[.]com
2017-11-13 therestaurantmom[.]com
2017-11-13 loganweaver[.]com
2017-11-13 orlandobaconbattle[.]com
2017-11-13 orlandosbestburger[.]com
2017-11-13 outpostbeercompany[.]com

URL Details:

“domain”: “udm-express[.]com”,
“url”: “hxxp://udm-express[.]com?V8484obEieM0oEF07H=email_removed”,
“ip”: “78.155.207.67”,
“hostname”: “udm-express[.]com”,
“cc”: “RU”,
“location”: {
“lat”: 55.73859999999999,
“lon”: 37.60679999999999
},
“asn_desc”: “OOO Network of data-centers Selectel”,
“tld”: “com”,
“subdomain”: “”,
“asn”: “49505”

“domain”: “udm-express[.]com”,
“url”: “hxxp://udm-express[.]com?p0R26FahMvQEQE6YB=email_removed”,
“ip”: “78.155.207.67”,
“hostname”: “udm-express[.]com”,
“cc”: “RU”,
“location”: {
“lat”: 55.73859999999999,
“lon”: 37.60679999999999
},
“asn_desc”: “OOO Network of data-centers Selectel”,
“tld”: “com”,
“subdomain”: “”,
“asn”: “49505”

“domain”: “loganweaver[.]com”,
“url”: “hxxp://loganweaver[.]com?l4Wa=email_removed”,
“ip”: “78.155.207.67”,
“hostname”: “loganweaver[.]com”,
“cc”: “RU”,
“location”: {
“lat”: 55.73859999999999,
“lon”: 37.60679999999999
},
“asn_desc”: “OOO Network of data-centers Selectel”,
“tld”: “com”,
“subdomain”: “”,
“asn”: “49505”

“domain”: “outpostbeercompany[.]com”,
“url”: “hxxp://outpostbeercompany[.]com?sUQ8D43wiHo5U7pR4=email_removed”,
“ip”: “78.155.207.67”,
“hostname”: “outpostbeercompany[.]com”,
“cc”: “RU”,
“location”: {
“lat”: 55.73859999999999,
“lon”: 37.60679999999999
},
“asn_desc”: “OOO Network of data-centers Selectel”,
“tld”: “com”,
“subdomain”: “”,
“asn”: “49505”

“domain”: “polyprovision[.]com”,
“url”: “hxxp://polyprovision[.]com?gowkX4lu7IBO=email_removed”,
“ip”: “78.155.207.67”,
“hostname”: “polyprovision[.]com”,
“cc”: “RU”,
“location”: {
“lat”: 55.73859999999999,
“lon”: 37.60679999999999
},
“asn_desc”: “OOO Network of data-centers Selectel”,
“tld”: “com”,
“subdomain”: “”,
“asn”: “49505”



https://www.hybrid-analysis.com/sample/106fcd233b12b9e79dc6b87b62f28005f45baba2a4c460d6fc1a82fbdf8f3b45?environmentId=100

https://www.threatcrowd.org/ip.php?ip=78.155.207.67

doc dl
hxxp://mykidsplate[.]com?b7SOwKKE750a3X3Eir=
hxxp://statewidelending[.]net?xY5l34SOhAC88=
hxxp://polyprovision[.]com?q24ja1ik5HKY=

hancitor c2
hxxp://roprewonewit[.]com/ls5/forum[.]php
hxxp://thesidarat[.]ru/ls5/forum[.]php
hxxp://geetredcal[.]ru/ls5/forum[.]php

additional payload dl
enchantedprose[.]com/wp-content/plugins/simple-link-list-widget/1
enchantedprose[.]com/wp-content/plugins/simple-link-list-widget/2
enchantedprose[.]com/wp-content/plugins/simple-link-list-widget/3

pony c2
roprewonewit[.]com/mlu/forum[.]php

evil-pony c2
roprewonewit[.]com/d2/about[.]php

pandabanker dl
hxxps://rowrorofrat[.]com/3rafesimuuvutubazromu[.]dat
hxxps://rowrorofrat[.]com/webinjects[.]dat
hxxps://rowrorofrat[.]com/3rafesimuuvutubazromu[.]exe
hxxps://rowrorofrat[.]com/webinject32[.]bin
hxxps://rowrorofrat[.]com/grabber[.]bin
hxxps://rowrorofrat[.]com/vnc32[.]bin
hxxps://rowrorofrat[.]com/backsocks[.]bin
hxxps://rowrorofrat[.]com/keylogger[.]bin

https://pastebin.com/CNaXPjDe
credit to https://twitter.com/James_inthe_box