Monday, March 20, 2017

Fattura Invoice PDF zip exe that uses eMailExtractor

So I'm still learning at this, but I thought I'd walk through my thought process and see if anybody wanted to explain what I did right or wrong :-) A few days ago there was this link


When extracted you ended up with

0843d52e1df49221a095fbdd0bc4a2cb Fattura_49922pdf.exe

I believe per google translate that Fattura = Invoice so this was likely part of some Phishing email masquerading as an Invoice.

When I ran strings I saw text that seemed to indicate a different program called emailExtractor

When I ran objdump I saw text that seemed to indicate this file was perhaps originally named eMailExtractor.exe

After a google search I came up with this site hxxps://www[.]maxprog[.]com/site/software/internet-marketing/email-extractor_sheet_us.php

So my thoughts were either a.) This is just the legit software and Virus Total screaming cause it's crap ad-loaded junk or b.) perhaps the attacker just renamed or made it look like legit software in order to throw off security researchers or perhaps c.) something more is going on here, like maybe the attacker modified this eMailExtractor.exe for his evil bidding, and made it so that when the user executes, it will "collect all emails on his computer" and then send them back to the attacker somehow. An email Harvester.


More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment