2017-03-06 - HANCITOR MALSPAM - FAKE DELTA AIRLINES EMAILS
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-06-Hancitor-malspam-traffic.pcap.zip 2.3 MB (2,287,184 bytes)
- 2017-03-06-Hancitor-malspam-traffic.pcap (2,771,544 bytes)
- ZIP archive of the email and malware: 2017-03-06-Hancitor-malspam-and-artifacts.zip 226 kB (226,145 bytes)
- 2017-03-06-Hancitor-malspam-1537-UTC.eml (2,189 bytes)
- 2017-03-06-Hancitor-malspam-1646-UTC.eml (2,237 bytes)
- 2017-03-06-Hancitor-malspam-1647-UTC.eml (2,241 bytes)
- 2017-03-06-Hancitor-malspam-1703-UTC.eml (2,184 bytes)
- 2017-03-06-Hancitor-malspam-1718-UTC.eml (2,217 bytes)
- BN7EF2.tmp.exe (153,088 bytes)
- Delta_Ticket_gene.mandell.doc (184,320 bytes)
NOTES:
- Associated blog about this malspam (with more indicators) is at:
Shown above: Flow chart for today's traffic.
DESCRIPTION:
- Malicious spam (malspam) with a link that downloaded a malicious Microsoft Word document (Hancitor). The Hancitor malware document is designed to download and infect Windows hosts with malware.
EMAIL HEADERS:
- Date: Monday, 2017-03-06 as early as 15:37 UTC through at least 17:18 UTC
- From (spoofed): "Delta Air Lines" <DeltaAirLines@t.delta.com>
- Subject: Your Flight Ticket Invoice 08518 - [recipient's name from the email address]
- Subject: Your Flight Ticket Invoice 08680 - [recipient's name from the email address]
- Subject: Your Flight Ticket Invoice 30825 - [recipient's name from the email address]
- Subject: Your Flight Ticket Invoice 42874 - [recipient's name from the email address]
- Subject: Your Flight Ticket Invoice 47174 - [recipient's name from the email address]
- Message-ID: <32D3FF24.109A2BE4@t.delta.com>
- Message-ID: <38799D32.4BAB4791@t.delta.com>
- Message-ID: <B9F55FB2.9A801B1C@t.delta.com>
- Message-ID: <C351785A.65BC35B7@t.delta.com>
- Message-ID: <D0A43245.98019F4B@t.delta.com>
- X-Mailer: Apple Mail (2.1084)
- X-Mailer: Apple Mail (2.1510)
- X-Mailer: iPad Mail (11D257)
- X-Mailer: iPad Mail (12A405)
- X-Mailer: iPhone Mail (11D257)
Shown above: Screenshot from one of the emails.
Shown above: Malicious Word document (Hancitor).
TRAFFIC:
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS AND URLS:
- 103.21.182.106 port 80 - www.malton.com.my - GET /api/getn.php?id=[base64 string]
- 82.200.247.241 port 80 - agroeconom.kz - GET /api/getn.php?id=[base64 string]
- 146.185.254.163 port 80 - hepbetretgot.com - POST /ls5/forum.php
- 146.185.254.163 port 80 - hepbetretgot.com - POST /mlu/forum.php
- 146.185.254.163 port 80 - hepbetretgot.com - POST /d1/about.php
- 92.243.3.82 port 80 - mangosdehacha.org - GET /images/uploads/books/_medium/1
- 92.243.3.82 port 80 - mangosdehacha.org - GET /images/uploads/books/_medium/12
- 92.243.3.82 port 80 - mangosdehacha.org - GET /images/uploads/books/_medium/a1
- 109.248.222.16 port 80 - hershepcomi.com - POST /bdk/gate.php
- api.ipify.org - GET /
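As an added example (not part of this page or its analysis), the check a defender would run over web-proxy logs against the hosts and URIs listed above: the log line format and the sample lines are constructed assumptions, and the getn.php link is matched by path plus a base64-looking id parameter because it appeared on two different hosts.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit
# Host/method/path indicators copied from the traffic list on this page.
C2_INDICATORS = {
    ("hepbetretgot.com", "POST", "/ls5/forum.php"): "Hancitor check-in",
    ("hepbetretgot.com", "POST", "/mlu/forum.php"): "Hancitor check-in",
    ("hepbetretgot.com", "POST", "/d1/about.php"): "Hancitor check-in",
    ("hershepcomi.com", "POST", "/bdk/gate.php"): "ZLoader/DELoader gate",
    ("api.ipify.org", "GET", "/"): "external IP lookup",
}
# The maldoc link used two hosts, so match it by path plus a base64-looking "id".
DOWNLOADER_PATH = "/api/getn.php"
# Constructed log format (assumption): "<time> <client> <method> <host> <uri>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")

def looks_base64(value):
    """True if value is non-empty and decodes as padded standard base64."""
    try:
        return bool(value) and base64.b64decode(value, validate=True) is not None
    except ValueError:  # binascii.Error (bad alphabet/padding) subclasses ValueError
        return False

def classify(method, host, uri):
    """Label one request against this campaign's indicators, else return None."""
    parts = urlsplit(uri)
    if label := C2_INDICATORS.get((host.lower(), method, parts.path)):
        return label
    if method == "GET" and parts.path == DOWNLOADER_PATH:
        ids = parse_qs(parts.query).get("id", [])
        if ids and looks_base64(ids[0]):
            return "Hancitor maldoc download"
    return None

def scan_log(lines):
    """Return (client, host, uri, label) for every line that hits an indicator."""
    hits = []
    for m in filter(None, (LOG_LINE.match(line.strip()) for line in lines)):
        _, client, method, host, uri = m.groups()
        if label := classify(method, host, uri):
            hits.append((client, host, uri, label))
    return hits

# Constructed sample lines in the format above (not taken from the real pcap).
SAMPLE_LOG = [
    "15:41:02 10.0.0.7 GET www.malton.com.my /api/getn.php?id=Z2VuZS5tYW5kZWxs",
    "15:41:31 10.0.0.7 POST hepbetretgot.com /ls5/forum.php",
    "15:43:00 10.0.0.9 GET www.example.com /index.html",
]
```

The POST-to-forum.php check-ins follow the maldoc download from the same client within seconds, so correlating both hits per client IP is a stronger signal than either alone.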
FILE HASHES:
HANCITOR MALDOC:
- SHA256 hash: e2b8af79b1d874352e8f833b6ffa860bced91c059d60c821860a9cc69852c5e6
- File name: Delta_Ticket_gene.mandell.doc
- File size: 184,320 bytes
- File description: Hancitor maldoc
FROM THE INFECTED HOST:
- SHA256 hash: e8dfbdbbb201d808915004e840395f7c77b339894880de3e7e2ef9df9356bbd4
- File location: C:\Users\[username]\AppData\Local\Temp\BN7EF2.tmp
- File size: 153,088 bytes
- File description: ZLoader/DELoader (I think)
FINAL NOTES:
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-06-Hancitor-malspam-traffic.pcap.zip 2.3 MB (2,287,184 bytes)
- ZIP archive of the email and malware: 2017-03-06-Hancitor-malspam-and-artifacts.zip 226 kB (226,145 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.