Lets Defend — Password Stealer Detected

Malware Ben
5 min readJan 16, 2022

--

SOC143 — Password Stealer Detected

LetsDefend

LetsDefend is a platform for practical training for blue team members. You can improve your skills in log analysis, incident handling, malware analysis and endpoint analysis.

SOC143 — Password Stealer Detected

Today we will analyze a password stealer used in a real cyber attack. Password stealers are a type of malware that steals account information.

Monitoring

Our investigation start at the Monitoring page which simulates a real working SOC environment. More details about the incident can be found here. Looking at the details, we can see the source address, SMTP address and more. Our next step is to copy the sender address and look for it in our mailbox.

Monitoring Window

Mailbox

By searching for the source address in the mailbox, we find the copy of the email that generated the alert.

Copy of the malicious email

We can extract important information found in the email, that could be useful in the future:

  • Subject: .
  • Sender: bill@microsoft[.]com
  • Recipient(s): ellie@letsdefend[.]io
  • Attachment(s): bd05664f01205fa90774f42468a8743a.zip

Next, we will download the attachment and unzip it in a safe environment. In our case, we are using REMnux (https://remnux.org).

After unzipping the attachment, we found one html file:

Generating MD5

By using md5sum, a tool built-in in REMnux, we are calculating the hash of the file in the attachment. Hashes are useful for positively identifying a malware. The malicious software is run through a hashing program that produces a unique hash that identifies that malware ( a sort of fingerprint).

Generating MD5 Hash Window

Virus Total

Next, we perform a hash search on VirusTotal (VT). VT allows you to search through their dataset in order to identify files that match certain criteria. To search for a file that has a given MD5, just type in the hash under consideration in the main search box.

Virus Total Window

According to VT, the file is flagged malicious. At the time of our scan, the result reports 5 antivirus engines claiming the HTML file is malicious.

Dissecting HTML File

The user is prompted to enter his credentials on a fake Outlook login page by opening the HTML file. The name of the file, shown below, suggests that the actor was targeting the user.

HTML Phishing File

As seen below, attempting to enter credentials in the fake login panel will establish a network communication to the domain tecyardit[.]com. The credentials are sent as a POST request to the URI /post.php

Inspect Element Window

According to VT, the URI is flagged malicious. At the time of our scan, the result reports 7 antivirus engines claiming the URI is malicious.

Virus Total Results

URLscan is a website scanner written by Johannes Gilger, focusing on analyzing all possible details about any established HTTP connection, site content, relations with other sites and much more.

In our case, the site seems to be unreachable.

URLScan Window

ViewDNS is an online source for DNS related tools. The tool provided by ViewDNS allow us to gather a large amount of data about a given website or IP address.

In the figure below, we can see the IP history of the malicious domain.

ViewDNS Window

According to VT, the IP is flagged malicious. At the time of our scan, the result reports 1 antivirus engine claiming the IP is malicious.

Virus Total Results

Indicators of Compromise

  • 58c45547bccce5eb16d84bae13eb0c2813ffe03e34eae622b65468a6b289ca37
  • 109[.]68[.]33[.]64
  • 180[.]76[.]101[.]229
  • tecyardit[.]com
  • tecyardit[.]com/wp-content/card/2/post.php

Log Management

We will now use the Log Management page and check if the URL/IPs were accessed.

No log entry were found. It means that the user didn’t enter his credentials.

Log Management Window

Case Management Detail

Now we are packed with enough information to conlude that the alert is a true positive and that an incident should be open.

We can answer the questions of the playbook with the information we’ve collected during our analysis.

Case Management Window

Playbook

A security playbook is a list of required steps and actions needed to successfully respond to any incident or threat. Playbooks provide a step-by-step approach to orchestration, helping security teams to establish standardized incident response processes and ensuring the steps are followed in compliance with regulatory frameworks.

Playbook Window
  • When was it sent?
    April 26, 2021, 11:03 PM
  • What is the email’s SMTP address?
    180[.]76[.]101[.]229
  • What is the sender address?
    bill@microsoft[.]com
  • What is the recipient address?
    ellie@letsdefend.io
  • Is the mail content suspicious?
    Yes.
  • Are there any attachment?
    Yes.

References

https://whois.domaintools.com/tecyardit.com

https://viewdns.info/iphistory/?domain=tecyardit.com

https://whois.domaintools.com/104.47.53.36

--

--