SOC143 - Password Stealer Detected Writeup

You can find this challenge on Let’s Defend, a platform for Cyber Defenders.

Let’s take this one and you can see the given details as following.

As soon as you create the case, you are asked to gather the details of received email.

So, I went to mailbox and started looking for incoming email from [email protected] which is already provided as source address.

And you will see the conversation as follow.

Possible Phishing Email from [email protected]

According to the email conversation, the answers are as follows.

Q: When was it sent?
A: April 26, 2021, 11:03 p.m.

Q: What is the email’s SMTP address?
A: 180.76.101.229

Q: What is the sender address?
A: [email protected]

Q: What is the recipient address?
A: [email protected]

Q: Is the mail content suspicious?
A: Yes

Q: Are there any attachment?
A: Yes (ZIP File)

Next Question – Are there attachments or URLS in the email? Yesssssssss.

Analyze the attachment to know it’s malicious or not.

So, I downloaded the attachment and unzip it. Then, upload the unzipped file to Virus Total to see if it’s marked as malicious. As you can see here, it is malicious.

Next question asks if the email delivered to the user or not. As you can see Device Action is allowed in the first picture, the email is delivered to the user.

You are now instructed to delete the email. Click the “Delete” button.

Check if someone opened the malicious file.

Let’s go to online malware sandbox called “any.run” first. This is intended to find the C2 server or domain and we will check it in the log.

As you can see above, the malicious document tried to connect to its C2 domain which is “tecyardit.com”.

Now, let’s go “Log Management” section and find the log with C2 Domain. You can see there is no connection. So the malicious file is not opened by the user.