Filtering on the phishing sender's address, we quickly find the email, and with it the answers to the playbook questions:
Yes, it is indeed suspicious.
Yes, there is an attachment.
Yes, there was both a URL and an attachment, and both point to the same thing: "free-coffee.zip".
I would normally just throw the URL into VirusTotal; however, to avoid hosting live malware, the site puts an extra confirmation screen in front of the download. So if you are in a security analyst environment where it is safe to download malware (an isolated analysis VM, not your day-to-day machine), great! If not, here is the SHA-256 hash of the file so you can follow along without ever touching it: 6f33ae4bf134c49faa14517a275c039ca1818b24fc2304649869e399ab2fb389
Both the attachment link at the bottom and the big button lead to the same file download.
Note: Chrome will block this download by default.
You can submit either the hash or the zip file itself to VirusTotal (searching by hash avoids uploading the sample, which matters when an attachment might contain internal data):
Yep, indeed malicious. Let’s dig into the details to see if we can find C2 IPs to use as IOCs.
Under "RELATIONS" we find the Bundled Files, and the included EXE is already known to VirusTotal. Clicking its SHA-256 hash takes you straight to that file's report.
Let’s dig for C2 IP or hostnames.
No luck with domain names: the sample does not appear to use any, and the "Contacted IP addresses" list contains many unrelated IPs.
Found it. Under the "BEHAVIOR" tab there is a "Network Communication" subcategory, and 37.120.223.226:3451 is the only connection all the sandboxes agree on. Connections that only one sandbox reports are usually environment noise (resolvers, update checks), which is why agreement across sandboxes is the signal to look for.
We know it's malicious; time to continue the playbook.
Indeed malicious.
We know this from the alert details in our notes: the action was "allowed", which means the email was delivered to the mailbox.
A brief stopover at Email Security.
Back to playbook!
Ah, I had a feeling the C2 address would come in handy. Let's check Log Management.
The Basic view is good enough; only 4 logs appear when I search for the C2 address.
Yes, the endpoint did contact the C2, so it looks like the endpoint is infected.
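The two pivots above (keeping only the sandbox connection every report agrees on, then searching the logs for that address) are easy to automate. The script below is an added example and is not code from the original write-up or from the platform it walks through; the sandbox reports and the key=value log lines are constructed stand-ins (only 37.120.223.226:3451 comes from the write-up), and the log layout is an assumption, not the real log format. It also goes slightly beyond the write-up by matching the destination field exactly rather than by substring, so a decoy like 137.120.223.226 does not produce a false hit.

```python
"""Pivot from a sandbox-derived C2 IOC to endpoint logs (added example)."""
import re
from typing import Dict, List, Set, Tuple

Conn = Tuple[str, int]  # (destination IP, destination port)

# Constructed stand-in for the "Network Communication" subcategory of the
# VirusTotal BEHAVIOR tab: one list of (dst_ip, dst_port) per sandbox.
# 37.120.223.226:3451 is the connection from the write-up; the rest is
# made-up noise such as DNS resolvers and CDN edges.
SANDBOX_REPORTS: Dict[str, List[Conn]] = {
    "sandbox_a": [("37.120.223.226", 3451), ("8.8.8.8", 53), ("104.16.0.2", 443)],
    "sandbox_b": [("37.120.223.226", 3451), ("1.1.1.1", 53)],
    "sandbox_c": [("37.120.223.226", 3451), ("8.8.8.8", 53), ("104.16.0.2", 443)],
}


def agreed_connections(reports: Dict[str, List[Conn]]) -> Set[Conn]:
    """Connections every sandbox observed; the ones only some sandboxes
    saw are usually environment noise rather than the implant's C2."""
    per_sandbox = [set(conns) for conns in reports.values()]
    return set.intersection(*per_sandbox) if per_sandbox else set()


# Constructed firewall/proxy records in an assumed key=value layout (not the
# real log format). The 137.120.223.226 line is a decoy that a naive substring
# search for the C2 address would also match.
LOG_LINES = """\
2021-03-01T09:58:02Z src=172.16.17.57 dst=52.96.0.10 dport=443 action=allowed
2021-03-01T10:02:11Z src=172.16.17.57 dst=37.120.223.226 dport=3451 action=allowed
2021-03-01T10:02:14Z src=172.16.17.57 dst=37.120.223.226 dport=3451 action=allowed
2021-03-01T10:03:40Z src=172.16.17.88 dst=137.120.223.226 dport=3451 action=allowed
2021-03-01T10:05:09Z src=172.16.17.57 dst=37.120.223.226 dport=3451 action=allowed
2021-03-01T10:07:30Z src=172.16.17.12 dst=37.120.223.226 dport=3451 action=blocked
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp gets key 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def c2_hits(log_text: str, ioc: Conn) -> List[Dict[str, str]]:
    """Records whose dst/dport fields equal the IOC (field compare, not substring)."""
    ip, port = ioc
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("dst") == ip and rec.get("dport") == str(port):
            hits.append(rec)
    return hits


def infected_hosts(log_text: str, ioc: Conn) -> Set[str]:
    """Any attempt to reach the C2, allowed or blocked, means the sample ran there."""
    return {r["src"] for r in c2_hits(log_text, ioc)}


def hosts_with_live_c2(log_text: str, ioc: Conn) -> Set[str]:
    """Hosts whose C2 traffic was allowed through and therefore have a working channel."""
    return {r["src"] for r in c2_hits(log_text, ioc) if r.get("action") == "allowed"}


if __name__ == "__main__":
    agreed = agreed_connections(SANDBOX_REPORTS)
    print("IOC agreed by all sandboxes:", agreed)
    for ioc in sorted(agreed):
        print(f"{ioc[0]}:{ioc[1]} -> {len(c2_hits(LOG_LINES, ioc))} log hits")
        print("  hosts that executed the sample:", sorted(infected_hosts(LOG_LINES, ioc)))
        print("  hosts with a live C2 channel:  ", sorted(hosts_with_live_c2(LOG_LINES, ioc)))
```

The distinction between infected_hosts and hosts_with_live_c2 matters for the next playbook step: a blocked attempt still proves the payload executed and the host needs containment, while an allowed connection means the operator already has a channel and quarantine is urgent.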
I’d like to immediately quarantine the endpoint, but I’ll follow the playbook.
Yes, the endpoint is infected.
Oh, good to know my gut was right. Let's head over to Endpoint Security.