hxxp://www[.]coccorullo[.]it/fattura/Fattura_49922pdf.zip
When extracted you ended up with
0843d52e1df49221a095fbdd0bc4a2cb Fattura_49922pdf.exe
I believe per google translate that Fattura = Invoice so this was likely part of some Phishing email masquerading as an Invoice.
When I ran strings I saw text that seemed to indicate a different program called emailExtractor
When I ran objdump I saw text that seemed to indicate this file was perhaps originally named eMailExtractor.exe
After a google search I came up with this site hxxps://www[.]maxprog[.]com/site/software/internet-marketing/email-extractor_sheet_us.php
So my thoughts were either a.) This is just the legit software and Virus Total screaming cause it's crap ad-loaded junk or b.) perhaps the attacker just renamed or made it look like legit software in order to throw off security researchers or perhaps c.) something more is going on here, like maybe the attacker modified this eMailExtractor.exe for his evil bidding, and made it so that when the user executes, it will "collect all emails on his computer" and then send them back to the attacker somehow. An email Harvester.
Thoughts?
More about neonprimetime
Top Blogs of all-time
- pagerank botnet sql injection walk-thru
- DOM XSS 101 Walk-Through
- An Invoice email and a Hot mess of Java
Top Github Contributions
Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.
