2017-08-28 “Your order DELTA12345678 has been approved!” Hancitor/Pony/EvilPony/ZLoader

ANALYST NOTES
Phishing emails claiming to be a Delta credit card charge for a ticket. Typical Hancitor malspam: the message carries a masked link (the visible text differs from the real href), and the real URL ends in ?d= followed by the recipient's base64-encoded email address, so every link is unique to its victim. The phishing URL serves a weaponized Word document; the Hancitor binary is embedded in the document (RC4-encrypted, key and hashes below), is injected when the document runs, and then downloads the additional Pony/EvilPony/ZLoader payloads.

PHISHING EMAIL
SENDERS: “Delta Airlines Inc.” <delta@performanceair[.]com>
X-Mailer: iPhone Mail (13A452)
X-Mailer: iPhone Mail (12B435)
SUBJECT: Your order DELTA12345678 has been approved!
The eight-digit order number varies per message; subjects match the regex DELTA\d{8}

EMAIL SCREENSHOT (image not reproduced here)

HANCITOR

PHISHING URLs DOWNLOAD MALDOC
hxxp://ourrealtyguy[.]org/i.php?d=
hxxp://package2china[.]com/i.php?d=
hxxp://myhearthstonehomes[.]org/i.php?d=
hxxp://ourrealtyguy[.]info/i.php?d=
hxxp://ourrealtyguy[.]us/i.php?d=
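
The d= parameter is the part of the link worth decoding during triage: it tells you which mailbox was targeted without opening the document. The following is an added example (not tooling from the original post) that refangs a URL in the notation used above, decodes the d= value, tolerates stripped padding and the URL-safe alphabet, rejects non-base64 or non-address values, and scores a message against the sender, subject and maldoc-host indicators listed on this page. The sample link and recipient address are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Indicators taken from this page (defanged notation is refanged before parsing).
SUBJECT_RE = re.compile(r"^Your order DELTA\d{8} has been approved!$")
SENDER_DOMAIN = "performanceair.com"
MALDOC_HOSTS = {
    "ourrealtyguy.org", "package2china.com", "myhearthstonehomes.org",
    "ourrealtyguy.info", "ourrealtyguy.us",
}
D_PARAM_RE = re.compile(r"[?&]d=([A-Za-z0-9+/=_-]*)")


def refang(url):
    """Turn hxxp://host[.]tld notation back into a parseable URL."""
    return url.replace("hxxp://", "http://").replace("hxxps://", "https://").replace("[.]", ".")


def decode_target(url):
    """Return the victim address carried in the i.php?d= parameter, or None.

    None is returned when the path is not i.php, the d= value is empty or
    not valid base64, or the decoded bytes do not look like an email address.
    """
    url = refang(url)
    if not urlsplit(url).path.endswith("/i.php"):
        return None
    m = D_PARAM_RE.search(url)
    if not m or not m.group(1):
        return None
    raw = m.group(1).replace("-", "+").replace("_", "/")   # accept the URL-safe alphabet too
    raw += "=" * (-len(raw) % 4)                            # restore stripped padding
    try:
        text = base64.b64decode(raw, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", text) else None


def triage(sender, subject, href):
    """Score one message against the lure, sender and link indicators from this page."""
    hits = []
    if SUBJECT_RE.match(subject):
        hits.append("subject matches DELTA\\d{8} lure")
    if sender.lower().rsplit("@", 1)[-1] == SENDER_DOMAIN:
        hits.append("sender domain " + SENDER_DOMAIN)
    host = (urlsplit(refang(href)).hostname or "").lower()
    if host in MALDOC_HOSTS:
        hits.append("known maldoc host " + host)
    return {"hits": hits, "targeted_address": decode_target(href)}


# Constructed sample: a link in the campaign's format carrying a made-up recipient address.
SAMPLE_TARGET = "jane.doe@example.com"
SAMPLE_HREF = "hxxp://ourrealtyguy[.]org/i.php?d=" + base64.b64encode(SAMPLE_TARGET.encode()).decode()

if __name__ == "__main__":
    print(triage("delta@performanceair.com", "Your order DELTA12345678 has been approved!", SAMPLE_HREF))
```

Feed it the href (not the displayed link text) from the mail body, because the masking means the visible text carries nothing useful.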

MALICIOUS WORD DOC
MD5 af38eb9ab5f3de0cbfa2fba930cc1852
SHA1 d9621edc17f22fadb20a16205b11bf4ddbb66516
SHA256 8b48d6965f3222b877211f8b17be3ffc559071da36aae668a6302692ec38901e
SSDEEP 3072:KI1VIep0wo7HZqyR2OfEiu/tU9P6vo2X9JHKLC5r4m+8h9mrsr:7VIep0DHEy5CIEEm+8h9mg

HANCITOR EXTRACTED FROM MALDOC
RC4 decrypt key (hex) ‘0x4ee598e56c’
Hancitor Build Number ‘3008’
MD5 712c90b8034adfa2ea1dfb69a6e24795
SHA1 21cf3ed74f9b365fd750110ac05f788117f7f0a9
SHA256 379cd8722ec0be25840d9f96e7d976776f8c05050b4b608a4cd49bffe1fa99dc
SSDEEP 384:bLSBESxmmITmZg14QUo15KAZO2UB366DSAdg36Sp5O25Fxn75Zm7:3fSxmjhP5RZO2c366DSp335F5FFe
IMPHASH 653737339c3c6af2cc985a2434e080d1
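
With the key known, the embedded binary can be located without first locating the dropper logic: scan the document for an offset at which RC4 decryption yields an MZ header whose e_lfanew points at a PE signature. The following is an added example (not the tooling used for the original analysis). It assumes the hex string above is the literal 5-byte RC4 key and that the payload is encrypted as one contiguous blob starting at its MZ header; because RC4 restarts at every candidate offset, one keystream prefix is computed once and XORed at each position, so the scan is linear. The "document" bytes and the minimal fake PE inside them are constructed for the example, since the real maldoc is not reproduced here.

```python
# Assumption: the page's '0x4ee598e56c' is the raw 5-byte RC4 key.
KEY = bytes.fromhex("4ee598e56c")


def rc4_keystream(key, n):
    """Generate n bytes of RC4 keystream for key (plain RC4, no drop)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key, data):
    """Encrypt/decrypt data with RC4 (symmetric)."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


MAX_LFANEW = 0x400  # an e_lfanew beyond this is implausible for a dropper-sized PE


def carve_rc4_pe(blob, key):
    """Return offsets where RC4(key) decryption yields 'MZ' with e_lfanew pointing at 'PE\\0\\0'.

    Decrypting blob[off:off+k] is blob[off:off+k] XOR keystream[:k] for every off,
    so the keystream prefix is computed once and reused at each position.
    """
    ks = rc4_keystream(key, MAX_LFANEW + 4)
    hits = []
    for off in range(len(blob) - 0x40):
        if blob[off] ^ ks[0] != 0x4D or blob[off + 1] ^ ks[1] != 0x5A:   # 'MZ'
            continue
        e_lfanew = int.from_bytes(bytes(blob[off + k] ^ ks[k] for k in range(0x3C, 0x40)), "little")
        if not 0x40 <= e_lfanew <= MAX_LFANEW or off + e_lfanew + 4 > len(blob):
            continue
        sig = bytes(blob[off + e_lfanew + k] ^ ks[e_lfanew + k] for k in range(4))
        if sig == b"PE\0\0":
            hits.append(off)
    return hits


def build_fake_pe():
    """Constructed stand-in for the embedded payload: a minimal MZ/PE header, not a real binary."""
    hdr = bytearray(0x84)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr) + b"\x00" * 16


FAKE_PE = build_fake_pe()
FAKE_OFFSET = 768
# Constructed "document": deterministic filler around the RC4-encrypted fake payload.
FAKE_DOC = bytes(range(256)) * 3 + rc4(KEY, FAKE_PE) + bytes(range(255, -1, -1))

if __name__ == "__main__":
    for off in carve_rc4_pe(FAKE_DOC, KEY):
        print("candidate PE at offset 0x%x" % off)
```

On a real document, run the carve over the raw file and over any OLE streams or decompressed parts separately, then hash what you carve and compare it with the MD5/SHA256 above before treating it as the same sample.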

DOWNLOADS ADDITIONAL PONY/EVILPONY/ZLOADER PAYLOADS
mebelucci[.]com[.]ua|193.169.189.72
hxxp://mebelucci[.]com[.]ua/wp-content/plugins/bwp-google-xml-sitemaps/1
hxxp://mebelucci[.]com[.]ua/wp-content/plugins/bwp-google-xml-sitemaps/2
hxxp://mebelucci[.]com[.]ua/wp-content/plugins/bwp-google-xml-sitemaps/3
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko

HANCITOR C2
uneventrendi[.]com|217.197.116.46
hxxp://uneventrendi[.]com/ls5/forum.php
hxxp://ketofonerof[.]ru/ls5/forum.php
hxxp://thettertrefbab[.]ru/ls5/forum.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko

PONY/EVILPONY C2
hxxp://uneventrendi[.]com/mlu/forum.php
hxxp://uneventrendi[.]com/d2/about.php
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

ZLOADER C2
lycasofrep[.]com|46.183.219.79
hxxp://lycasofrep[.]com/bdl/gate.php
rinbetarrab[.]com|62.76.178.214
hxxp://rinbetarrab[.]com/bdl/gate.php
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
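
The C2 and download indicators above pair a fixed URI path with a hard-coded User-Agent per family, which is more durable than the hostnames: the same /ls5/forum.php, /mlu/forum.php, /d2/about.php and /bdl/gate.php paths will reappear on domains that are not yet on any list. The following added example (not part of the original post) classifies proxy log lines using the hosts, paths and User-Agents listed on this page; a path plus matching UA is reported as high confidence, a path on its own as low, and a listed host with an unrelated path as host-only. The log format and every log line are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Host, path and User-Agent indicators as listed on this page.
KNOWN_HOSTS = {
    "mebelucci.com.ua": "Hancitor payload host",
    "uneventrendi.com": "Hancitor/Pony C2",
    "ketofonerof.ru": "Hancitor C2",
    "thettertrefbab.ru": "Hancitor C2",
    "lycasofrep.com": "ZLoader C2",
    "rinbetarrab.com": "ZLoader C2",
}
IE11_UA = "Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
SIGNATURES = [
    ("Hancitor payload download", re.compile(r"^/wp-content/plugins/bwp-google-xml-sitemaps/[123]$"), IE11_UA),
    ("Hancitor C2", re.compile(r"^/ls5/forum\.php$"), IE11_UA),
    ("Pony/EvilPony C2", re.compile(r"^/(mlu/forum|d2/about)\.php$"), "MSIE 7.0; Windows NT 6.1; Trident/4.0"),
    ("ZLoader C2", re.compile(r"^/bdl/gate\.php$"), "MSIE 8.0; Windows NT 6.1; Trident/4.0"),
]

# Assumed proxy log layout (constructed for this example): ts client method url status "user-agent"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def classify_line(line):
    """Return a finding for one log line, or None if nothing from the page matches it.

    Path + User-Agent together give "high" confidence; path alone gives "low" (the
    same URI pattern on an unlisted host is how new C2 domains are found); a listed
    host with an unrelated path is reported as "host-only".
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    hits = []
    for family, path_re, ua_marker in SIGNATURES:
        if path_re.match(url.path):
            hits.append((family, "high" if ua_marker in m["ua"] else "low"))
    if not hits and host in KNOWN_HOSTS:
        hits.append((KNOWN_HOSTS[host], "host-only"))
    if not hits:
        return None
    return {"client": m["client"], "host": host, "path": url.path,
            "known_host": host in KNOWN_HOSTS, "hits": hits}


def scan(lines):
    """Run classify_line over an iterable of log lines and keep the findings."""
    return [f for f in (classify_line(line) for line in lines) if f]


PONY_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; "
           ".NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)")
ZLOADER_UA = PONY_UA.replace("MSIE 7.0", "MSIE 8.0")
HANCITOR_UA = "Mozilla/5.0 (" + IE11_UA
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/60.0"

# Constructed sample log (not real traffic): the chain from this page, noise, and an unlisted C2 host.
SAMPLE_LOG = [
    f'2017-08-28T14:02:11Z 10.0.0.21 POST http://uneventrendi.com/ls5/forum.php 200 "{HANCITOR_UA}"',
    f'2017-08-28T14:02:13Z 10.0.0.21 GET http://mebelucci.com.ua/wp-content/plugins/bwp-google-xml-sitemaps/1 200 "{HANCITOR_UA}"',
    f'2017-08-28T14:02:20Z 10.0.0.21 POST http://uneventrendi.com/d2/about.php 200 "{PONY_UA}"',
    f'2017-08-28T14:02:25Z 10.0.0.21 POST http://lycasofrep.com/bdl/gate.php 200 "{ZLOADER_UA}"',
    f'2017-08-28T14:03:00Z 10.0.0.22 GET http://www.example.com/forum.php 200 "{BROWSER_UA}"',
    f'2017-08-28T14:03:05Z 10.0.0.23 POST http://not-yet-listed.example/ls5/forum.php 200 "{HANCITOR_UA}"',
    f'2017-08-28T14:03:09Z 10.0.0.24 GET http://rinbetarrab.com/favicon.ico 404 "{BROWSER_UA}"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["host"], f["path"], f["hits"])
```

The high-confidence hit on not-yet-listed.example is the one to act on first when hunting: it is the same beacon shape with none of the listed hostnames, which is what a rotated C2 domain looks like in the logs.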