4ensiX

I noticed that for the ones I called FP, I selected FP, but the display shows TP.

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 29

Details

EventID: 29
Event Time: Oct. 29, 2020, 7:43 p.m.
Rule: SOC101 - Phishing Mail Detected
Level: Security Analyst
SMTP Address: 191.233.193.73
Source Address: icianb@hotmail.com
Destination Address: sofia@letsdefend.io
E-mail Subject: Invoice
Device Action: Blocked

Playbook

Are there attachments or URLs in the email?

Mail

Invoice

From: icianb@hotmail.com Oct. 29, 2020, 7:43 p.m.
To: sofia@letsdefend.io Oct. 29, 2020, 7:43 p.m.

Hello,

Attached copy of your unpaid invoice & Statement Our Statement shows 2 invoices are paid. Our AP did confirmed payment was paid on the 13th of October into your Bank account.

Thank you.

Attachments:
4abd5dd8377e5810116f3665bd8d92f0.zip

Answer: Yes

Analyze Url/Attachment

The sender is a hotmail address, so that says nothing either way. This time the problem seems to be in the attachment.

$ sha256sum 43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa.exe 
43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa  43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa.exe

VirusTotal 35/68: https://www.virustotal.com/gui/file/43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa/detection
Hybrid-Analysis: https://www.hybrid-analysis.com/sample/43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa/5f9d102805f963128371eff5
For now it is Malicious, no question about it. The fact that it performs network device lookups is also suspicious. VT has a report saying it is an APT Scanner.

Answer: Malicious

Check If Mail Delivered to User?

Device Action: Blocked

Answer: Not Delivered

Add Artifacts

Value                            | Type          | Comment
icianb@hotmail.com               | E-mail Sender | 191.233.193.73
4abd5dd8377e5810116f3665bd8d92f0 | MD5 Hash      | APT Scanner? Malicious by VT
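The two hands-on steps of this playbook, hashing the attachment (the sha256sum step above) and recording the artifacts, as one added Python helper. This is example code written for this write-up, not a LetsDefend tool; the IoC entries and artifact values are copied from the alert above, and the lookup is a local dictionary standing in for the VirusTotal / Hybrid-Analysis checks, so it runs offline. The KNOWN_BAD table, the Artifact record and the function names are assumptions of this example.

```python
"""Attachment triage helper: hash an attachment, match it against a local
IoC list, and emit artifact rows in the playbook's Value / Type / Comment shape."""
import hashlib
from dataclasses import dataclass
from pathlib import Path

# Hypothetical IoC list keyed by hash type. The digests and comments are the
# ones recorded in this alert; a real SOC would feed this from VT/sandbox results.
KNOWN_BAD = {
    "md5": {
        "4abd5dd8377e5810116f3665bd8d92f0": "APT Scanner? Malicious by VT",
    },
    "sha256": {
        "43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa":
            "VirusTotal 35/68",
    },
}


@dataclass
class Artifact:
    """One row of the 'Add Artifacts' table."""
    value: str
    type: str
    comment: str


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 hex digests, the same values md5sum/sha256sum print."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: Path, chunk: int = 1 << 20) -> dict:
    """Stream a file through both hashes so a large attachment is not held in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verdict(hashes: dict, ioc: dict = KNOWN_BAD) -> str:
    """'Malicious' if any digest is a known IoC, otherwise 'Unknown'.
    An unlisted hash is never reported as clean: it still needs a sandbox/VT check."""
    for kind, digest in hashes.items():
        if digest.lower() in ioc.get(kind, {}):
            return "Malicious"
    return "Unknown"


def build_artifacts(sender: str, smtp_ip: str, hashes: dict,
                    ioc: dict = KNOWN_BAD) -> list:
    """Sender + SMTP address first, then one row per digest that matched the IoC list."""
    rows = [Artifact(sender, "E-mail Sender", smtp_ip)]
    for kind, digest in hashes.items():
        comment = ioc.get(kind, {}).get(digest.lower())
        if comment:
            rows.append(Artifact(digest, f"{kind.upper()} Hash", comment))
    return rows


def render(rows: list) -> str:
    """Plain-text table matching the playbook's layout."""
    lines = ["Value | Type | Comment"]
    lines += [f"{r.value} | {r.type} | {r.comment}" for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the digests of the real attachment from the alert,
    # as if hash_file() had been run on the extracted .exe.
    sample = {
        "md5": "4abd5dd8377e5810116f3665bd8d92f0",
        "sha256": "43fb4c1abaa3a8d79300fcc9eb12214a0b821ffe32f6389cd5e45ba5360e06aa",
    }
    print("Verdict:", verdict(sample))
    print(render(build_artifacts("icianb@hotmail.com", "191.233.193.73", sample)))
```

Run it against a real extracted attachment with `hash_file(Path("sample.exe"))` in place of the constructed `sample` dict; the verdict column then answers the "Analyze Url/Attachment" step and the rendered rows go straight into "Add Artifacts".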

End

Close alert event-id 29