4ensiX

I noticed that for the ones I judged FP I had selected FP, but the display showed TP.

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 18

Details

EventID: 18
Event Time: Sept. 22, 2020, 3:35 p.m.
Rule: SOC101 - Phishing Mail Detected
Level: Security Analyst
SMTP Address: 172.82.128.241
Source Address: david@cashbank.com
Destination Address: katharine@letsdefend.io
E-mail Subject: URGENT! Your bank account may have fallen into the hands of fraudsters!
Device Action: Allowed

URGENT! Your bank account may have fallen into the hands of fraudsters!

From: david@cashbank.com Sept. 22, 2020, 3:35 p.m.
To: katharine@letsdefend.io Sept. 22, 2020, 3:35 p.m.

Hi,

I'm working in the CASHBANK fraud department. We urgently expect information from you about the following topic.

I tried to reach you by phone but I could not reach you because your phone was turned off.

We detected suspicious activities in your account. We suspect fraudsters have taken over your credit card.

Can you quickly check your attached credit card statement and return to us?

Yours truly.

Attachments
7299c49dd85069e47d6514ab5e10c264.zip

Playbook

Are there attachments or URLs in the email?

Answer: Yes

Analyze Url/Attachment

Sender address

cashbank[.]com

VirusTotal: https://www.virustotal.com/gui/domain/cashbank.com

172.82.128.241

VirusTotal: https://www.virustotal.com/gui/ip-address/172.82.128.241
Neither the domain nor the IP can be called malicious.

Mail attachments

$ md5sum creditcard 
7299c49dd85069e47d6514ab5e10c264  creditcard

This was the same file as the one analyzed in LetsDefend level 1 alert SOC107 - Privilege Escalation Detected event-id 19 - 4ensiX.

Answer: Malicious
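As an added example (not part of the original post and not LetsDefend tooling), the attachment check above done in Python: the ZIP members are listed and hashed in memory, compared against a known-bad MD5 list seeded with the hash from this alert, and flagged by simple heuristics, without ever extracting to disk. The ZIP contents and the ELF header are constructed stand-ins, not the real sample.

```python
import hashlib
import io
import zipfile

# Known-bad MD5 list seeded with the hash from this alert's artifact table.
KNOWN_BAD_MD5 = {"7299c49dd85069e47d6514ab5e10c264"}
# Members larger than this are recorded but never read (zip-bomb guard).
MAX_MEMBER_BYTES = 10 * 1024 * 1024

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment; not the real sample from the alert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Member named like the file on the page, with a constructed ELF magic header.
        zf.writestr("creditcard", b"\x7fELF" + b"\x00" * 60)
        zf.writestr("notes/readme.txt", b"constructed harmless text")
    return buf.getvalue()

def inspect_zip(data: bytes, known_bad=KNOWN_BAD_MD5) -> list:
    """List, hash and flag ZIP members in memory; nothing is extracted to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry = {"name": info.filename, "size": info.file_size, "md5": None, "flags": []}
            if info.file_size > MAX_MEMBER_BYTES:
                entry["flags"].append("oversized-skipped")
                findings.append(entry)
                continue
            content = zf.read(info)
            entry["md5"] = md5_hex(content)
            base = info.filename.rsplit("/", 1)[-1]
            if entry["md5"] in known_bad:
                entry["flags"].append("known-bad-md5")
            if content[:4] == b"\x7fELF":
                entry["flags"].append("elf-binary")
            if "." not in base:
                entry["flags"].append("no-extension")
            findings.append(entry)
    return findings

def verdict(findings) -> str:
    # Malicious on a known-bad hash match; Suspicious if any heuristic fired; else Clean.
    flags = {f for e in findings for f in e["flags"]}
    if "known-bad-md5" in flags:
        return "Malicious"
    return "Suspicious" if flags else "Clean"
```

In a real triage the known-bad set would be fed from the earlier SOC107 analysis or a threat-intel lookup rather than hard-coded.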

Check If Mail Delivered to User?

Device Action Allowed

From the alert and the earlier investigation, the mail was delivered and the file was executed.
Answer: Delivered

Check If Someone Opened the Malicious File/URL?

From the earlier investigation, the file had already been executed.
Answer: Opened

Add Artifacts

Value | Type | Comment
david@cashbank.com | E-mail | Sender
7299c49dd85069e47d6514ab5e10c264 | MD5 Hash | CVE-2017-16995, Privilege Escalation

End

close alert event-id 18