2017-03-06 - HANCITOR MALSPAM - FAKE DELTA AIRLINES EMAILS

ASSOCIATED FILES:

  • 2017-03-06-Hancitor-malspam-traffic.pcap   (2,771,544 bytes)
  • 2017-03-06-Hancitor-malspam-1537-UTC.eml   (2,189 bytes)
  • 2017-03-06-Hancitor-malspam-1646-UTC.eml   (2,237 bytes)
  • 2017-03-06-Hancitor-malspam-1647-UTC.eml   (2,241 bytes)
  • 2017-03-06-Hancitor-malspam-1703-UTC.eml   (2,184 bytes)
  • 2017-03-06-Hancitor-malspam-1718-UTC.eml   (2,217 bytes)
  • BN7EF2.tmp.exe   (153,088 bytes)
  • Delta_Ticket_gene.mandell.doc   (184,320 bytes)

NOTES:

 


Shown above:  Flow chart for today's traffic.

 

EMAIL

DESCRIPTION:

 

EMAIL HEADERS:

 


Shown above:  Screenshot from one of the emails.

 


Shown above:  Malicious Word document (Hancitor).

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS AND URLS:

 

FILE HASHES

HANCITOR MALDOC:

FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
