Courier Delivery Malware

27th January 2017 | By admin

Comodo Threat Research Labs

[11 Jan 2017] – [Courier Delivery Malware] – SUBJECT: [Courier was not able to deliver your parcel (ID000193141, FedEx)]

Comodo Threat Research Labs (CTRL) identified a new phishing email, that contains a malware file, and spread to email user with subject “Courier was not able to deliver your parcel (ID000193141, FedEx)”.

ASSOCIATED FILES

ZIP archive of the malware: [11 Jan 2017] – [Courier Delivery Malware] 228 KB (233,472 bytes)

  • 17562-1483926203-795865.eml 4.0 KB (4,096 bytes bytes)
  • a1.exe 362 KB (372,736 bytes)

THE EMAIL

Courier Malware Email

EMAIL DATA

  • Received: from unknown (HELO server.7e-it.com) (62.210.88.161) by 0
  • with SMTP; 9 Jan 2017 01:43:26 -0000
  • Received-SPF: unknown (0: domain at spf-trusted-fwd1.surgate.net does not
  • designate permitted sender hosts)
  • Received: from ql3a by server.7e-it.com
  • with local (Exim 4.87) (envelope-from <ql3a@server.7e-it.com>)
  • id 1cQOzR-0007zw-CQ for cpanel@isimtescil.net;
  • Mon, 09 Jan 2017 04:43:13 +0300
  • Subject: Courier was not able to deliver your parcel (ID000193141, FedEx)
  • X-PHP-Script: ql3a.com/post.php for 198.63.44.200, 198.63.44.200
  • Date: Mon, 9 Jan 2017 01:43:13 +0000
  • MIME-Version: 1.0
  • Message-ID: <0da359d641f6f28df0bea53d2f2d3040@ql3a.com>
  • Reply-To: “FedEx Support” <lee.frye@ql3a.com>
  • From: FedEx Support <lee.frye@ql3a.com>

THE ATTACHMENT

Courier Malware Attachment

 

Courier Malware Email Attachment

ATTACHMENT AND EXTRACTED .Exe FILE

File Name : Delivery-Details-000193141.zip 4.0 KB (4,096 bytes))
MD5 hash : FA1C32D825A7F96F85BD979AD6410BE4
SHA1 hash : DF686285D96D0717D24311431287AB6262C97219
SHA256 hash : 3DE550000FF7C2F16A74E2DED84D9D4AD696BF12B27C651D6F042EA02A6A1394
File Name : a1.exe 362 KB (372,736 bytes)
MD5 hash : 1F96C54C09C09D861F037F2A8566EB7E
SHA1 hash : B66CF3FA6C873ABD76C56FD02210999C95935A1B
SHA256 hash : 8D454A55BC379B04B61978BB2301C0E49F7E5E4D1CB8CB92CD2396F3D4EDD8F8

TRAFFIC

Traffic

ASSOCIATED URLS:

  • 2017-01-11 18:36:43 52.5.23.72 HTTP 753 POST / HTTP/1.1 (application/x-www-form-urlencoded)
  • 2017-01-11 18:36:07 54.200.7.198 HTTP 723 POST / HTTP/1.1 (application/x-www-form-urlencoded)
  • 2017-01-11 18:35:38 116.66.250.164 HTTP 695 POST / HTTP/1.1 (application/x-www-form-urlencoded)Continuation
  • 2017-01-11 18:34:42 52.5.23.72 HTTP 312 GET /Login.aspx HTTP/1.1
  • 2017-01-11 18:34:41 52.5.23.72 HTTP 645 POST / HTTP/1.1 (application/x-www-form-urlencoded)
  • 2017-01-11 18:34:42 52.5.23.72 HTTP 312 GET /Login.aspx HTTP/1.1
  • 2017-01-11 18:34:41 52.5.23.72 HTTP 645 POST / HTTP/1.1 (application/x-www-form-urlencoded)
  • 2017-01-11 18:34:07 54.200.7.198 HTTP 663 POST / HTTP/1.1 (application/x-www-form-urlencoded)
  • 2017-01-11 18:34:01 122.114.107.39 HTTP 709 POST / HTTP/1.1 (application/x-www-form-urlencoded)
  • 2017-01-11 18:33:36 178.255.83.1 HTTP 285 GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpR aC9iQ6hJWc99DtDoo2ucCEQCQsNv40c5DgsKh1KK1q3Sn HTTP/1.1
  • 2017-01-11 18:33:35 178.255.83.1 HTTP 287 GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36p vE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D HTTP/1.1
  • 2017-01-11 18:33:34 116.66.250.164 HTTP 665 POST / HTTP/1.1 (application/x-www-form-urlencoded)
  • 2017-01-11 18:32:50 117.18.237.191 HTTP 302 GET /MFUwUzBRME8wTTAJBgUrDgMCGgUABBQMTgO%2ByzcKo2VaZokUXxSYAadGDgQU5C27kQFl Jh%2B0ej%2BjFSWkzoxEMzsCFHhv74OQSnil01wd5v89Zwkf5Do0 HTTP/1.1
  • 2017-01-11 18:32:47 64.18.25.46 HTTP 185 GET /vpssg142.crt HTTP/1.1

IMAGES:

Images
VALKYRIE LINK FOR REFERENCE:

https://valkyrie.comodo.com/get_info?sha1=b66cf3fa6c873abd76c56fd02210999c95935a1b

FINAL NOTES

Once again, here are the associated files:

ASSOCIATED FILES

ZIP archive of the malware: [11 Jan 2017] – [Courier Delivery Malware] 228 KB (233,472 bytes)

  • 17562-1483926203-795865.eml 4.0 KB (4,096 bytes bytes)
  • a1.exe 362 KB (372,736 bytes)
Be part of an IT community with thousands of subscribers. Get the latest news, blogs, and thought leadership articles. Subscribe now
Email *
Be Sociable, Share!

Add new comment

Your name
Comment

You may use these HTML tags and attributes: <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>