VirusTotal Collection:
1. Overview
The malware sample was initially analyzed by a third party via Any.Run, which reported no immediate threats. A deeper dive, however, revealed multiple phishing redirections targeting Microsoft O365 credentials.
2. IOCs and Hash Analysis
- Attachment Hash:
f6d618128d0850704da57558c80a0a0602ef369aacda7ce65f2b580c84d8d311
- Email Hash:
fe2131b728d87262b96e42fd0f52900e5efb83fc2babe9a50700
3. Email Header Findings
- DMARC: Not Implemented
- SPF: Passed Verification
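The header combination above (SPF passes, no DMARC policy) is exactly the case where a lookalike or compromised sender passes a superficial check while nothing enforces From-domain alignment. The following is an added triage helper, not part of the original analysis: it parses an Authentication-Results header and flags that combination. The message and its values are constructed for the example; the header is the form an inbound MTA writes, not a copy of the sample's headers.

```python
import email
import re
from email import policy

# Constructed sample message (illustrative values only, not the analyzed sample).
SAMPLE_RAW = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=sender.example;
 dkim=none;
 dmarc=none action=none header.from=sender.example
From: "IT Helpdesk" <helpdesk@sender.example>
To: victim@example.org
Subject: Action required: re-authenticate your mailbox

Scan the attached QR code to keep your mailbox active.
"""

# Authentication-Results carries "method=result" tokens (RFC 8601).
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(raw_message):
    """Return {method: result} for spf/dkim/dmarc from the first Authentication-Results header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower() for m in RESULT_RE.finditer(header)}


def triage_flags(results):
    """Human-readable findings an analyst would want raised for this message."""
    flags = []
    spf = results.get("spf")
    dkim = results.get("dkim")
    dmarc = results.get("dmarc")
    # The report's case: SPF passes but no DMARC record exists, so alignment is never enforced.
    if spf == "pass" and dmarc in (None, "none"):
        flags.append("SPF passes but no DMARC policy: From-domain alignment not enforced")
    if dmarc == "fail":
        flags.append("DMARC fail: message should have been quarantined or rejected")
    if dkim in (None, "none") and spf != "pass":
        flags.append("No DKIM signature and SPF did not pass: sender unauthenticated")
    return flags


if __name__ == "__main__":
    results = parse_auth_results(SAMPLE_RAW)
    print(results)
    for flag in triage_flags(results):
        print("FLAG:", flag)
```

Only the first Authentication-Results header is read; in practice, take the one added by your own boundary MTA, since earlier hops can forge the header.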
4. Phishing Attack Vector
Initial QR Code URL:
https://epyfl.org/ad_hits.asp?idBanner=17&txtLink=https://auth-endpoint-gfh7ape8h5auesae.westus-01.azurewebsites.net/index.php/auth/v/?id=abc123XYZ4567890/message?data=/login.aspx
Redirection Path:
- Leads to Cloudflare bot check and finally to a fake O365 login page hosted at:
https://three03828922939389248u2u22.onrender.com/gov-ni-nda/3039923002302393898944.html#X
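The QR-code URL chains a legitimate site's banner-tracking endpoint (the txtLink parameter) into the attacker's azurewebsites.net page, so the domain a user sees first is not the destination. The following is an added example, not code from the original analysis: it unwraps that kind of nested-redirect URL by treating any query-parameter value that is itself an absolute URL as the next hop, which generalizes beyond the txtLink parameter to any open-redirect parameter name. The input is the QR-code URL quoted in the report; the Cloudflare check and the final onrender.com page are server-side hops and are not recoverable from the URL alone.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# The QR-code URL quoted in the report (the report's own indicator).
QR_URL = (
    "https://epyfl.org/ad_hits.asp?idBanner=17&txtLink="
    "https://auth-endpoint-gfh7ape8h5auesae.westus-01.azurewebsites.net"
    "/index.php/auth/v/?id=abc123XYZ4567890/message?data=/login.aspx"
)


def embedded_url(url):
    """Return the first query-parameter value that is an absolute http(s) URL, else None."""
    parts = urlsplit(url)
    # parse_qsl splits each field on its first '=' only, so a value that itself
    # contains '?' and '=' (as the txtLink value does) survives intact.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidate = unquote(value).strip()
        if candidate.lower().startswith(("http://", "https://")):
            return candidate
    return None


def unwrap_redirect_chain(url, max_hops=5):
    """Follow client-side redirect parameters; returns the list of URLs from outer to inner."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = embedded_url(chain[-1])
        if nxt is None or nxt in seen:  # no further hop, or a loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def redirect_hosts(url):
    """Hostnames along the chain, which is what goes into a block list or a hunt query."""
    return [urlsplit(u).hostname for u in unwrap_redirect_chain(url)]


def is_redirect_lure(url):
    """True when the visible first host differs from the host the chain actually ends on."""
    hosts = redirect_hosts(url)
    return len(hosts) > 1 and hosts[0] != hosts[-1]


if __name__ == "__main__":
    for hop, u in enumerate(unwrap_redirect_chain(QR_URL)):
        print(f"hop {hop}: {u}")
    print("hosts:", redirect_hosts(QR_URL))
    print("redirect lure:", is_redirect_lure(QR_URL))
```

For a mail gateway rule, the useful signal is is_redirect_lure: a URL whose first hostname is a known site but whose embedded target lands elsewhere deserves the same scrutiny as the target itself.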
5. Script Analysis
- The page embeds an obfuscated Base64 script, which was decoded via CyberChef.
- Modifying the script to write the decrypted URL to the console revealed the credential-harvesting URL: https://blackmooncoo.ru//
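The CyberChef step above can be scripted so the same triage runs over every page in a collection. The following is an added example, not the analyst's own tooling: it pulls Base64-looking blobs out of a script, decodes the ones that are valid and yield printable text, and extracts any URLs from the result. The script excerpt is constructed for the example, and the decoded hostname example.invalid is a placeholder, not the report's indicator.

```python
import base64
import binascii
import re

# Constructed script excerpt standing in for the obfuscated page. The blob decodes to a
# placeholder URL (example.invalid); the second long identifier is a decoy that is not Base64.
SAMPLE_SCRIPT = (
    'var p=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvY29sbGVjdC5waHA=");'
    "var sessionTokenStoreHandlerXYZ=0;"
)

# Runs of Base64 alphabet long enough to be worth decoding (short tokens are mostly identifiers).
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def decode_candidates(script):
    """Decode every Base64-looking blob that yields printable UTF-8 text."""
    found = []
    for match in B64_RE.finditer(script):
        blob = match.group(0)
        # Restore padding the author may have stripped; validate=True rejects stray characters.
        padded = blob + "=" * (-len(blob) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue  # wrong length or not Base64 at all
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # identifier that merely looked like Base64
        if text.isprintable():
            found.append(text)
    return found


def harvesting_urls(script):
    """URLs hidden inside decoded blobs: the candidate exfiltration / credential endpoints."""
    urls = []
    for text in decode_candidates(script):
        urls.extend(URL_RE.findall(text))
    return urls


if __name__ == "__main__":
    for text in decode_candidates(SAMPLE_SCRIPT):
        print("decoded:", text)
    print("urls:", harvesting_urls(SAMPLE_SCRIPT))
```

A quick sanity check before decoding anything: the Base64 of "https://" always begins with aHR0cHM6, so that literal prefix in page source is itself a useful detection string.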
6. Threat Attribution
- Any.Run Analysis: Identified as [Storm-1575] ThunderDash.
Additional Resources:
For full IOC details, refer to the VirusTotal Collection.