USPS Courier Parcel Malware

2nd February 2017 | By admin

Comodo Threat Research Labs

[31 Jan 2017] – [USPS courier parcel Malware] – SUBJECT : [Our USPS courier can not contact you parcel # 08376715]

Comodo Threat Research Labs (CTRL) identified a new phishing email that carries a malware attachment and is being sent to email users with the subject "Our USPS courier can not contact you parcel # 08376715". The attachment is a ZIP archive (Delivery-Details.zip) containing a JavaScript file (Delivery-Details.js); the files dropped when it runs and the network traffic it generates are listed in the sections below.

ASSOCIATED FILES:

ZIP archive of the malware: [31 Jan 2017] – [Delivery-Details.zip] 36.0 KB (36,864 bytes)

  • Our USPS courier can not contact you parcel # 08376715.eml 52.0 KB (53,248 bytes)
  • Delivery-Details.js 40.0 KB (40,960 bytes)
  • USPS.pcapng 4.16 MB (4,362,240 bytes)
  • Dropped File.rar 204 KB (208,896 bytes)

THE EMAIL:

[Screenshot: the phishing email]

EMAIL DATA:

Received: (qmail 5139 invoked from network); 31 Jan 2017 05:56:37 -0000
Received: from mmmail1.mcr.colo.comodoca.net (192.168.156.203)
by mail.chennai.office.comodo.net with ESMTPS (DHE-RSA-AES256-GCM-SHA384 encrypted); 31 Jan 2017 05:56:37 -0000
Received: (qmail 25862 invoked by alias); 31 Jan 2017 05:56:37 -0000
Received: (qmail 25793 invoked by alias); 31 Jan 2017 05:56:36 -0000
Received: (qmail 25773 invoked by uid 1009); 31 Jan 2017 05:56:36 -0000
Received: from email.mcr.camdpams.net (HELO comodo.com) (192.168.8.20)
by mmmail1.mcr.colo.comodoca.net (qpsmtpd/0.40) with (AES256-SHA encrypted) ESMTPS; Tue, 31 Jan 2017 05:56:36 +0000
Received: (qmail 30413 invoked by alias); 31 Jan 2017 05:56:36 -0000
Received: (qmail 30366 invoked from network); 31 Jan 2017 05:56:33 -0000
Received: from unknown (HELO griscon.com) (109.196.204.139)
by email.mcr.camdpams.net with SMTP; 31 Jan 2017 05:56:33 -0000
Message-ID: <9A6D7FCE.CEB4C672@griscon.com>
Date: Tue, 31 Jan 2017 06:56:22 +0100
From: "USPS Support Management" <ralglevi5286@griscon.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080724 Thunderbird/2.0.0.16
MIME-Version: 1.0
Subject: Our USPS courier can not contact you parcel # 08376715
Content-Type: multipart/mixed;boundary="------------226730870111485846307670"
X-Comodo-Virus-Checked: Checked by ClamAV on mmmail1.mcr.colo.comodoca.net
X-Comodo-ClamAV-Virus-Program: ClamAV 0.98.4/22975/Tue Jan 31 04:28:15 2017
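The headers above show the message entering the mail path from 109.196.204.139 with no reverse DNS ("from unknown") and a HELO of griscon.com, the same domain as the From address; only the display name impersonates USPS. The script below is an added example, not part of the Comodo writeup: it walks the Received: chain oldest-hop-first to locate the first external relay and runs those checks. RAW_HEADERS is the header block from the EMAIL DATA section with continuation lines re-folded and straight quotes restored; the hop regex and the check logic are this example's own.

```python
"""Walk the Received: chain of the phishing message to find where it entered the mail path."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the EMAIL DATA section above (folding whitespace restored).
RAW_HEADERS = """\
Received: (qmail 5139 invoked from network); 31 Jan 2017 05:56:37 -0000
Received: from mmmail1.mcr.colo.comodoca.net (192.168.156.203)
  by mail.chennai.office.comodo.net with ESMTPS (DHE-RSA-AES256-GCM-SHA384 encrypted); 31 Jan 2017 05:56:37 -0000
Received: (qmail 25862 invoked by alias); 31 Jan 2017 05:56:37 -0000
Received: (qmail 25793 invoked by alias); 31 Jan 2017 05:56:36 -0000
Received: (qmail 25773 invoked by uid 1009); 31 Jan 2017 05:56:36 -0000
Received: from email.mcr.camdpams.net (HELO comodo.com) (192.168.8.20)
  by mmmail1.mcr.colo.comodoca.net (qpsmtpd/0.40) with (AES256-SHA encrypted) ESMTPS; Tue, 31 Jan 2017 05:56:36 +0000
Received: (qmail 30413 invoked by alias); 31 Jan 2017 05:56:36 -0000
Received: (qmail 30366 invoked from network); 31 Jan 2017 05:56:33 -0000
Received: from unknown (HELO griscon.com) (109.196.204.139)
  by email.mcr.camdpams.net with SMTP; 31 Jan 2017 05:56:33 -0000
Message-ID: <9A6D7FCE.CEB4C672@griscon.com>
Date: Tue, 31 Jan 2017 06:56:22 +0100
From: "USPS Support Management" <ralglevi5286@griscon.com>
Subject: Our USPS courier can not contact you parcel # 08376715
"""

# "from <rdns> [(HELO <name>)] (<ipv4>)" as written by qmail/qpsmtpd; local qmail hops
# ("invoked by alias") carry no client address and are skipped.
HOP_RE = re.compile(
    r"from\s+(?P<rdns>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r"\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)",
    re.IGNORECASE,
)


def unfold(value):
    """Join RFC 5322 folded header lines back into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def parse_hops(raw):
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # oldest hop first
        m = HOP_RE.search(unfold(value))
        if m:
            hops.append({"rdns": m["rdns"], "helo": m["helo"], "ip": m["ip"]})
    return hops, msg


def entry_point(hops):
    """First hop whose client address is globally routable: where the mail left the sender's control."""
    for hop in hops:
        if ipaddress.ip_address(hop["ip"]).is_global:
            return hop
    return None


def analyze(raw, brand="usps"):
    hops, msg = parse_hops(raw)
    entry = entry_point(hops)
    name, addr = parseaddr(unfold(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    helo = (entry["helo"] or "").lower() if entry else ""
    return {
        "hop_count": len(hops),
        "entry_ip": entry["ip"] if entry else None,
        "entry_helo": helo or None,
        "entry_rdns": entry["rdns"] if entry else None,
        "no_reverse_dns": bool(entry) and entry["rdns"].lower() == "unknown",
        "from_domain": from_domain,
        "helo_matches_from": helo == from_domain,
        # display name claims a brand that the sending domain does not belong to
        "display_name_spoof": brand in name.lower() and not from_domain.endswith(brand + ".com"),
        "internal_relays": [h["ip"] for h in hops if not ipaddress.ip_address(h["ip"]).is_global],
    }


if __name__ == "__main__":
    for k, v in analyze(RAW_HEADERS).items():
        print(f"{k:20} {v}")
```

The result for this message is worth noting: HELO, Message-ID domain and From domain all agree on griscon.com, and the only impersonation is the display name, so sender authentication for usps.com is never consulted. Blocking decisions here have to rest on the originating IP, the missing reverse DNS and the content, not on alignment failures.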

THE ATTACHMENT:

[Screenshots: the Delivery-Details.zip attachment and the Delivery-Details.js file inside it]

EXTRACTED FILE DETAILS:

[Screenshot: extracted file details]

File Name : Delivery-Details.js 40.0 KB (40,960 bytes)
MD5 hash : 93e4523dc320167493bee01b11b6fc51
SHA1 hash : aac24661e205e6b6879adb5cafc05a162cc0ee40
SHA256 hash : cc490ad8401bcbf206e55d796134795b601e3ba9284f67b33b6d1a000c971ad9

File Name : 23152.exe 224 KB (229,376 bytes)
MD5 hash : 26f3b9b60aa40c8798767e8be429781b
SHA1 hash : 2b7a2d420b5817b3bc93fa29ebdd306164e20562
SHA256 hash : 30aa80c0b52036598a920185d47e4f8337e69d43ad9892bc63ff9790dba113e4

File Name : DolXRXWIz.js 4.00 KB (4,096 bytes)
MD5 hash : 404c6a266b2208f478bef231fcf4e958
SHA1 hash : 4e27cc9f980738d3abb868ba6460e2a5747b6931
SHA256 hash : b0db234cb139847e51d1e1063edd0019bbf080aa15a124ce827fe2536021fe61
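The three hash sets above are the indicators most teams will actually sweep for. The following script is an added example, not code from the Comodo writeup: it carries the hash table exactly as listed in EXTRACTED FILE DETAILS, computes MD5, SHA-1 and SHA-256 in one pass over each file so large volumes are read once, and matches on whichever digest is available (an EDR export may only give you SHA-1). The function and variable names are this example's own.

```python
"""Sweep a directory tree against the hash indicators from the writeup."""
import hashlib
import os

# Indicator table copied from the EXTRACTED FILE DETAILS section: reported name -> digests.
IOC_HASHES = {
    "Delivery-Details.js": {
        "md5": "93e4523dc320167493bee01b11b6fc51",
        "sha1": "aac24661e205e6b6879adb5cafc05a162cc0ee40",
        "sha256": "cc490ad8401bcbf206e55d796134795b601e3ba9284f67b33b6d1a000c971ad9",
    },
    "23152.exe": {
        "md5": "26f3b9b60aa40c8798767e8be429781b",
        "sha1": "2b7a2d420b5817b3bc93fa29ebdd306164e20562",
        "sha256": "30aa80c0b52036598a920185d47e4f8337e69d43ad9892bc63ff9790dba113e4",
    },
    "DolXRXWIz.js": {
        "md5": "404c6a266b2208f478bef231fcf4e958",
        "sha1": "4e27cc9f980738d3abb868ba6460e2a5747b6931",
        "sha256": "b0db234cb139847e51d1e1063edd0019bbf080aa15a124ce827fe2536021fe61",
    },
}

# Reverse index: any one digest identifies the sample, so a partial record still matches.
DIGEST_INDEX = {d.lower(): name for name, algs in IOC_HASHES.items() for d in algs.values()}


def digest_stream(chunks):
    """Compute MD5, SHA-1 and SHA-256 in a single pass over an iterable of byte chunks."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def digest_bytes(data):
    return digest_stream([data])


def digest_file(path, chunk_size=1 << 20):
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(chunk_size), b""))


def match_iocs(digests):
    """Names of indicator samples matched by any of the supplied digests (case-insensitive)."""
    return sorted({DIGEST_INDEX[d.lower()] for d in digests.values() if d.lower() in DIGEST_INDEX})


def sweep(root):
    """Walk `root` and return (path, indicator name, sha256) for every file that matches."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digests = digest_file(path)
            except OSError:
                continue  # unreadable or vanished between listing and open
            for name in match_iocs(digests):
                hits.append((path, name, digests["sha256"]))
    return hits


if __name__ == "__main__":
    import sys
    for path, name, sha256 in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {name:22} {sha256} {path}")
```

Match on file names as well only as a hint: the dropped executable was observed as 23152.exe here, but the same payload may be written under a different name elsewhere, which is why the lookup keys on digests.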

TRAFFIC:

[Screenshot: network traffic from the capture (USPS.pcapng)]

ASSOCIATED URLS:

2017-01-31 13:17:29 185.69.154.94 HTTP 240 GET /dd/15.exe HTTP/1.1
2017-01-31 13:20:19 185.69.154.94 HTTP 240 GET /dd/15.exe HTTP/1.1
2017-01-31 13:25:08 104.16.26.216 HTTP 419 GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDFuDpAoI54qRHJ3hag%3D%3D HTTP/1.1
2017-01-31 13:25:08 198.41.215.182 HTTP 430 GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAy8FcNl%2Bq8UBrk0AAQADLwU%3D HTTP/1.1
2017-01-31 14:07:36 184.26.162.49 HTTP 313 GET /pki/crl/products/WinPCA.crl HTTP/1.1
2017-01-31 14:07:36 23.66.237.138 HTTP 328 GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
2017-01-31 14:07:36 184.26.162.49 HTTP 335 GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
2017-01-31 14:07:36 184.26.162.49 HTTP 325 GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
2017-01-31 14:07:36 198.41.215.184 HTTP 428 GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oABbBe7e9pdSjAzXoAAQAFsF4%3D HTTP/1.1

Of these requests, only the two GETs for /dd/15.exe from 185.69.154.94 (the executable retrieved after the JavaScript runs) are attributable to the malware and usable as network indicators. The rest are certificate revocation checks: the base64 paths beginning ME0w.../MFQw... are DER-encoded OCSP requests in the RFC 6960 GET form, and the .crl downloads are Microsoft CRL distribution points fetched when Windows validates certificate chains. They are background noise in the capture, not indicators of compromise.
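Telling the payload fetch apart from PKI noise is a recurring step when working a capture like this one, so here is an added example that does it programmatically; it is not code from the Comodo writeup. LOG_LINES are the ASSOCIATED URLS entries from the page with the line-wrapping spaces inside the base64 paths removed. The classification rules are this example's own heuristics: a request whose last path segment base64-decodes to a DER SEQUENCE containing the SHA-1 AlgorithmIdentifier near the start is treated as an OCSP GET, anything ending in .crl as a CRL fetch, and executable-looking extensions as a payload download.

```python
"""Separate the malware's download from benign PKI traffic in the captured HTTP requests."""
import base64
import binascii
import re
from urllib.parse import unquote

# Request lines from the ASSOCIATED URLS section above (extraction spaces removed).
LOG_LINES = [
    "2017-01-31 13:17:29 185.69.154.94 HTTP 240 GET /dd/15.exe HTTP/1.1",
    "2017-01-31 13:20:19 185.69.154.94 HTTP 240 GET /dd/15.exe HTTP/1.1",
    "2017-01-31 13:25:08 104.16.26.216 HTTP 419 GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDFuDpAoI54qRHJ3hag%3D%3D HTTP/1.1",
    "2017-01-31 13:25:08 198.41.215.182 HTTP 430 GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAy8FcNl%2Bq8UBrk0AAQADLwU%3D HTTP/1.1",
    "2017-01-31 14:07:36 184.26.162.49 HTTP 313 GET /pki/crl/products/WinPCA.crl HTTP/1.1",
    "2017-01-31 14:07:36 23.66.237.138 HTTP 328 GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1",
    "2017-01-31 14:07:36 184.26.162.49 HTTP 335 GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1",
    "2017-01-31 14:07:36 184.26.162.49 HTTP 325 GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1",
    "2017-01-31 14:07:36 198.41.215.184 HTTP 428 GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oABbBe7e9pdSjAzXoAAQAFsF4%3D HTTP/1.1",
]

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) HTTP (\d+) (GET|POST) (\S+) HTTP/1\.[01]$")

# DER TLV of the SHA-1 AlgorithmIdentifier OID (1.3.14.3.2.26). An RFC 6960 OCSP GET request
# puts a base64 DER OCSPRequest in the path; its first CertID names the hash algorithm.
SHA1_OID_TLV = bytes.fromhex("06052b0e03021a")
PAYLOAD_EXT_RE = re.compile(r"\.(exe|dll|scr|js|vbs|jar)$", re.IGNORECASE)


def is_ocsp_get(path):
    """Heuristic: does the last path segment decode to a DER OCSPRequest?"""
    seg = unquote(path.rsplit("/", 1)[-1])
    seg += "=" * (-len(seg) % 4)  # tolerate stripped padding
    try:
        der = base64.b64decode(seg, validate=True)
    except (ValueError, binascii.Error):
        return False
    # outer SEQUENCE tag, and the hash AlgorithmIdentifier within the nested request headers
    return len(der) > 24 and der[0] == 0x30 and SHA1_OID_TLV in der[:32]


def classify(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, size, method, path = m.groups()
    if path.lower().endswith(".crl"):
        kind = "pki-crl"
    elif is_ocsp_get(path):
        kind = "pki-ocsp"
    elif PAYLOAD_EXT_RE.search(path):
        kind = "payload-download"
    else:
        kind = "other"
    return {"ts": ts, "ip": ip, "bytes": int(size), "method": method, "path": path, "kind": kind}


def triage(lines):
    return [r for r in map(classify, lines) if r]


def indicators(records):
    """Unique (ip, path) pairs worth blocking or hunting: everything that is not PKI noise."""
    return sorted({(r["ip"], r["path"]) for r in records if r["kind"] == "payload-download"})


if __name__ == "__main__":
    recs = triage(LOG_LINES)
    for r in recs:
        print(f"{r['ts']}  {r['ip']:15}  {r['kind']:17}  {r['path'][:60]}")
    print("indicators:", indicators(LOG_LINES and recs))
```

Run against this capture the only indicator that survives is 185.69.154.94 with /dd/15.exe; the GlobalSign and Microsoft revocation traffic is correctly set aside. The SHA-1 OID check is a heuristic (a client could hash with SHA-256), so treat "pki-ocsp" as a strong hint rather than proof when applying it to other captures.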

VALKYRIE LINK FOR REFERENCE:
https://valkyrie.comodo.com/get_info?sha1=2b7a2d420b5817b3bc93fa29ebdd306164e20562
