2017-03-06 - HANCITOR MALSPAM - FAKE DELTA AIRLINES EMAILS

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-03-06-Hancitor-malspam-traffic.pcap.zip   2.3 MB (2,287,184 bytes)

• 2017-03-06-Hancitor-malspam-traffic.pcap   (2,771,544 bytes)

• ZIP archive of the email and malware:  2017-03-06-Hancitor-malspam-and-artifacts.zip   226 kB (226,145 bytes)

• 2017-03-06-Hancitor-malspam-1537-UTC.eml   (2,189 bytes)
• 2017-03-06-Hancitor-malspam-1646-UTC.eml   (2,237 bytes)
• 2017-03-06-Hancitor-malspam-1647-UTC.eml   (2,241 bytes)
• 2017-03-06-Hancitor-malspam-1703-UTC.eml   (2,184 bytes)
• 2017-03-06-Hancitor-malspam-1718-UTC.eml   (2,217 bytes)
• BN7EF2.tmp.exe   (153,088 bytes)
• Delta_Ticket_gene.mandell.doc   (184,320 bytes)

NOTES:

• Associated blog about this malspam (with more indicators) is at:

• https://techhelplist.com/spam-list/1111-2017-03-06-your-flight-ticket-invoice-malware

 

Shown above:  Flow chart for today's traffic.

 

EMAIL

DESCRIPTION:

• Malicious spam (malspam) with link that downloaded a malcious Microsoft Word document (Hancitor).  The Hancitor malware document is designed to download and infect Windows hosts with malware.

 

EMAIL HEADERS:

• Date:  Monday, 2017-03-06 as early as 15:37 UTC thru at least 17:18 UTC
• From (spoofed):  "Delta Air Lines" <DeltaAirLines@t.delta.com>

• Subject:  Your Flight Ticket Invoice 08518 - [recipient's name from the email address]
• Subject:  Your Flight Ticket Invoice 08680 - [recipient's name from the email address]
• Subject:  Your Flight Ticket Invoice 30825 - [recipient's name from the email address]
• Subject:  Your Flight Ticket Invoice 42874 - [recipient's name from the email address]
• Subject:  Your Flight Ticket Invoice 47174 - [recipient's name from the email address]

• Message-ID:  <32D3FF24.109A2BE4@t.delta.com>
• Message-ID:  <38799D32.4BAB4791@t.delta.com>
• Message-ID:  <B9F55FB2.9A801B1C@t.delta.com>
• Message-ID:  <C351785A.65BC35B7@t.delta.com>
• Message-ID:  <D0A43245.98019F4B@t.delta.com>

• X-Mailer:  Apple Mail (2.1084)
• X-Mailer:  Apple Mail (2.1510)
• X-Mailer:  iPad Mail (11D257)
• X-Mailer:  iPad Mail (12A405)
• X-Mailer:  iPhone Mail (11D257)

 

Shown above:  Screenshot from one of the emails.

 

Shown above:  Malicious Word document (Hancitor).

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS AND URLS:

• 103.21.182.106 port 80 - www.malton.com.my - GET /api/getn.php?id=[base64 string]
• 82.200.247.241 port 80 - agroeconom.kz - GET /api/getn.php?id=[base64 string]
• 146.185.254.163 port 80 - hepbetretgot.com - POST /ls5/forum.php
• 146.185.254.163 port 80 - hepbetretgot.com - POST /mlu/forum.php
• 146.185.254.163 port 80 - hepbetretgot.com - POST /d1/about.php
• 92.243.3.82 port 80 - mangosdehacha.org - GET /images/uploads/books/_medium/1
• 92.243.3.82 port 80 - mangosdehacha.org - GET /images/uploads/books/_medium/12
• 92.243.3.82 port 80 - mangosdehacha.org - GET /images/uploads/books/_medium/a1
• 109.248.222.16 port 80 - hershepcomi.com - POST /bdk/gate.php
• api.ipify.org - GET /

 

FILE HASHES

HANCITOR MALDOC:

• SHA256 hash:  e2b8af79b1d874352e8f833b6ffa860bced91c059d60c821860a9cc69852c5e6
• File name:  Delta_Ticket_gene.mandell.doc
• File size:  184,320 bytes
• File description:  Hancitor maldoc

FROM THE INFECTED HOST:

• SHA256 hash:  e8dfbdbbb201d808915004e840395f7c77b339894880de3e7e2ef9df9356bbd4
• File location:  C:\Users\[username]\AppData\Local\Temp\BN7EF2.tmp
• File size:  153,088 bytes
• File description:  ZLoader/DELoader (I think)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-03-06-Hancitor-malspam-traffic.pcap.zip   2.3 MB (2,287,184 bytes)
• ZIP archive of the email and malware:  2017-03-06-Hancitor-malspam-and-artifacts.zip   226 kB (226,145 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.