![\"\"](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2020\/03\/emails.png\")
<\/a><\/p>\nRunning this in my VM I am seeing the usual call to get the external IP address of the system (api.ipify.org) and then the data exfil via mail.gandi.net over port 587 (TCP). The interesting thing is the persistence that was setup. Persistence was setup via the Windows Task Scheduler as seen below. The file that is being used in the Task Scheduler has the same hash as the file in the attachment. The location of this file (doQsVLzQv.exe) can be found in the “C:\\Users\\%username%\\AppData\\Roaming” folder.<\/p>\n
When looking at the results from a simple filter in Process Monitor (Process name = Company Profile, Product Specification And Trial Order.pdf.exe and Operation = QueryDirectory and Operation = QueryNetworkOpenInformationFile) we can see that the malware is looking for the usual things (ie: installed applications and creds). <\/p>\n Artifacts can be found over at my Github located here<\/a>.<\/p>\n Reference http:\/\/www.virustotal.com\/gui\/file\/398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19\/community<\/a> Artifacts IOCs mail.gandi.net:587 (TCP)<\/p>\n Email hashes bcf37b670630f8834c9bd263347071b9a46230ef576681ce9c06ce541c6b8790 — gtyoyi630112974655.eml File hashes 88267f2e2bea9ad5c656487aa738ceb3bf13b008e9b4088d9ea68ed7711c2836 — Company Profile, Product Specification And Trial Order.pdf.img Machinae results $ machinae 398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19 88267f2e2bea9ad5c656487aa738ceb3bf13b008e9b4088d9ea68ed7711c2836 [+] VirusTotal File Report Results [+] VirusTotal File Report Results $ machinae mail.gandi.net [-] No URLVoid Results Munin results 1 \/ 3 > Suspicious 2 \/ 3 > Suspicious 3 \/ 3 > Malicious Meta ===== From: Procurement – site@hamnc.com Subject: Purchase Order Attachment: Company Profile, Product Specification And Trial Order.pdf.img Running this in my VM I am seeing the usual call to get the external IP address of the system (api.ipify.org) and then the data exfil via mail.gandi.net over port 587 (TCP). The interesting thing is the persistence that was setup. Persistence was setup via the Windows Task Scheduler as seen below. The file that is being used in the Task Scheduler has the same hash as the file in the attachment. The location of this file (doQsVLzQv.exe) can be found in the…<\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n
\n==========<\/p>\n
\nhttp:\/\/bazaar.abuse.ch\/sample\/398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19\/<\/a>
\nhttp:\/\/malshare.com\/sample.php?action=detail&hash=b72502adc492cd694cd064d56a93fed5<\/a>
\nhttp:\/\/app.any.run\/tasks\/dd1cf69a-09a0-4664-a7a2-752fe5449c43<\/a><\/p>\n
\n==========<\/p>\n
\n—–<\/p>\n
\n————-<\/p>\n
\nf160a285f7602e4e406ee7c3e2708035c27864ddd8c943a4320bca9062388053 — hsmeyc831822974665.eml
\nf6efc1aec315b5a410c48b49cb8c538a86d12bed3d6b5f7155fc87a15045ea27 — iyhdyx543761974662.eml
\n616576256b6b137c7cee036503a35361ab2b94e003ad585f361bef24ee01b179 — jsyjse866746974660.eml
\n6e49dd91110f1c7bce55696ccc6db1e1ae4b49dc83144dafcdf722a592458fa1 — kkpenr753224974660.eml
\n7b1a3cbb808a4797132fab4d7d00f7123117022f0b3ba0ed45dc3ae7da689ee5 — lmdrjp449105974662.eml
\nda3e59d57ccdfb336afdb452ca366a2eb663582a360adfd20475d0b936285bd3 — pmzdyv370806974662.eml
\n980c16beea6827fac0a763c67bfb59b9252d6f8d9e041f3460f70671030ba724 — tonfxb666161974660.eml
\ncbe2f144d554f092e3ac98e555d2da27f2e7f86e660637122c87466db6bd1fbd — xgybkt701416974655.eml<\/p>\n
\n————<\/p>\n
\n398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19 — Company Profile, Product Specification And Trial Order.exe
\n398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19 — doQsVLzQv.exe
\n– File location: C:\\Users\\%username%\\AppData\\Roaming<\/p>\n
\n—————–<\/p>\n
\n[.] Requesting http:\/\/www.virustotal.com\/vtapi\/v2\/file\/report?apikey=XXX&resource=398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19 (GET)
\n[.] Requesting http:\/\/www.virustotal.com\/vtapi\/v2\/file\/report?apikey=XXX&resource=88267f2e2bea9ad5c656487aa738ceb3bf13b008e9b4088d9ea68ed7711c2836 (GET)
\n********************************************************************************
\n* Information for 398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
\n[-] Date submitted: 2020-03-23 08:46:30
\n[-] Detected engines: 10
\n[-] Total engines: 72
\n[-] Scans: (‘FireEye’, ‘Generic[.]mg.b72502adc492cd69’)
\n[-] Scans: (‘Cylance’, ‘Unsafe’)
\n[-] Scans: (‘Sangfor’, ‘Malware’)
\n[-] Scans: (‘Alibaba’, ‘Trojan:Win32\/starter[.]ali1000139’)
\n[-] Scans: (‘Cybereason’, ‘malicious.176ae4’)
\n[-] Scans: (‘ESET-NOD32’, ‘a variant of MSIL\/GenKryptik[.]EGKX’)
\n[-] Scans: (‘Ikarus’, ‘Trojan[.]Agent[.]EX’)
\n[-] Scans: (‘Microsoft’, ‘Trojan:Win32\/Wacatac.C!ml’)
\n[-] Scans: (‘Malwarebytes’, ‘Trojan[.]MalPack[.]ADC’)
\n[-] Scans: (‘APEX’, ‘Malicious’)
\n********************************************************************************
\n* Information for 88267f2e2bea9ad5c656487aa738ceb3bf13b008e9b4088d9ea68ed7711c2836
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
\n[-] Date submitted: 2020-03-23 13:55:36
\n[-] Detected engines: 12
\n[-] Total engines: 61
\n[-] Scans: (‘Sangfor’, ‘Malware’)
\n[-] Scans: (‘Symantec’, ‘Trojan[.]Gen.2’)
\n[-] Scans: (‘TrendMicro-HouseCall’, ‘Possible_GENISO-6’)
\n[-] Scans: (‘Rising’, ‘Trojan[.]GenKryptik!8.AA55 (CLOUD)’)
\n[-] Scans: (‘TrendMicro’, ‘Possible_GENISO-6’)
\n[-] Scans: (‘McAfee-GW-Edition’, ‘Artemis!B72502ADC492’)
\n[-] Scans: (‘Ikarus’, ‘Trojan[.]Agent[.]EX’)
\n[-] Scans: (‘Cyren’, ‘W32\/MSIL_Kryptik[.]AJW[.]gen!Eldorado’)
\n[-] Scans: (‘Fortinet’, ‘MSIL\/GenKryptik[.]EGKX!tr’)
\n[-] Scans: (‘Microsoft’, ‘Trojan:Win32\/Wacatac.C!ml’)
\n[-] Scans: (‘McAfee’, ‘Artemis!B72502ADC492’)
\n[-] Scans: (‘ESET-NOD32’, ‘a variant of MSIL\/GenKryptik[.]EGVF’)<\/p>\n
\n[.] Requesting http:\/\/www.urlvoid.com\/scan\/mail.gandi.net (GET)
\n[.] Requesting http:\/\/www.toolsvoid.com\/unshorten-url (POST)
\n[.] Requesting http:\/\/malc0de.com\/database\/index.php?search=mail.gandi.net (GET)
\n[.] Requesting http:\/\/www.fortiguard.com\/webfilter?q=mail.gandi.net (GET)
\n[.] Requesting http:\/\/www.virustotal.com\/vtapi\/v2\/domain\/report?domain=mail.gandi.net&apikey=XXX (GET)
\n[.] Requesting http:\/\/www.reputationauthority.org\/lookup.php?ip=mail.gandi.net (GET)
\n[.] Requesting http:\/\/www.mcafee.com\/threat-intelligence\/domain\/default.aspx?domain=mail.gandi.net (GET)
\n[.] Requesting http:\/\/cymon.io\/api\/nexus\/v1\/domain\/mail.gandi.net (GET)
\n********************************************************************************
\n* Information for mail.gandi.net
\n* Observable type: fqdn (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
\n[-] No URL Unshorten Results
\n[-] No Malc0de Results
\n[+] Fortinet Category Results
\n[-] Fortinet URL Category: Web-based Email
\n[+] VirusTotal pDNS Results
\n[-] pDNS data from VirusTotal: (‘2019-12-12’, ‘217[.]70.178.9’)
\n[-] pDNS data from VirusTotal: (‘2014-05-15’, ‘217[.]70.184.11’)
\n[-] Webutation Safety score: 100
\n[+] Reputation Authority Results
\n[-] Reputation Authority Score: 50\/100
\n[+] McAfee Threat Results
\n[-] McAfee Web Risk: Minimal
\n[-] McAfee Last Seen: 2020-03-23<\/p>\n
\n————–<\/p>\n
\nHASH: 398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19 COMMENT: doQsVLzQv.exe
\nVIRUS: Microsoft: Trojan:Win32\/Wacatac.C!ml \/ ESET-NOD32: a variant of MSIL\/GenKryptik.EGKX
\nTYPE: Win32 EXE SIZE: 779.5 KB FILENAMES: vjKPwLdpyllsI.exe, doqsvlzqv.exe, Company Profile, Product Specification And Trial Order.exe, vjKPwLdpyllsI.exe
\nCOPYRIGHT: Copyright 2019 DESCRIPTION: Calculator
\nFIRST: 2020-03-23 08:46:30 LAST: 2020-03-23 08:46:30 SUBMISSIONS: 1 REPUTATION: 0
\nCOMMENTS: 1 USERS: thor TAGS: PEEXE ASSEMBLY DIRECT-CPU-CLOCK-ACCESS DETECT-DEBUG-ENVIRONMENT RUNTIME-MODULES
\nRESULT: 10 \/ 72
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19<\/a><\/p>\n
\nHASH: 398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19 COMMENT: Company Profile Product Specification And Trial Order.exe
\nVIRUS: Microsoft: Trojan:Win32\/Wacatac.C!ml \/ ESET-NOD32: a variant of MSIL\/GenKryptik.EGKX
\nTYPE: Win32 EXE SIZE: 779.5 KB FILENAMES: vjKPwLdpyllsI.exe, doqsvlzqv.exe, Company Profile, Product Specification And Trial Order.exe, vjKPwLdpyllsI.exe
\nCOPYRIGHT: Copyright 2019 DESCRIPTION: Calculator
\nFIRST: 2020-03-23 08:46:30 LAST: 2020-03-23 08:46:30 SUBMISSIONS: 1 REPUTATION: 0
\nCOMMENTS: 1 USERS: thor TAGS: PEEXE ASSEMBLY DIRECT-CPU-CLOCK-ACCESS DETECT-DEBUG-ENVIRONMENT RUNTIME-MODULES
\nRESULT: 10 \/ 72
\n[!] Imphash – appeared 2 times in this batch f34d5f2d4577ed6d9ceec516c1f5a744
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19<\/a><\/p>\n
\nHASH: 88267f2e2bea9ad5c656487aa738ceb3bf13b008e9b4088d9ea68ed7711c2836 COMMENT: Company Profile Product Specification And Trial Order.pdf.img
\nVIRUS: Microsoft: Trojan:Win32\/Wacatac.C!ml \/ McAfee: Artemis!B72502ADC492 \/ TrendMicro: Possible_GENISO-6 \/ ESET-NOD32: a variant of MSIL\/GenKryptik.EGVF \/ Symantec: Trojan.Gen.2
\nTYPE: unknown SIZE: 1.31 MB FILENAMES: mime-part–27738-3415.img, mime-part–27738-3415.img
\nFIRST: 2020-03-23 08:46:26 LAST: 2020-03-23 13:55:36 SUBMISSIONS: 1 REPUTATION: 0
\nCOMMENTS: 0 USERS: – TAGS: CONTAINS-PE
\nRESULT: 12 \/ 61<\/p>\n","protected":false},"excerpt":{"rendered":"