Email Analysis

Always open malware in a secure environment like a VM.

We will be using the REMnux distribution which is specifically made for reverse engineering.

What is the sending email address?

Let's check the HTML source of the email.

The answer lies in the From field.

Answer

yanting@united.com.sg

What is the email address of the recipient?

The answer lies in the To field.

Answer

admin@malware-traffic-analysis.net

What is the subject line of the email?

The answer lies in the Subject field.

Answer

united scientific equipment

What date was the Email sent? Date format: MM/DD/YYYY

The answer lies in the Date field.

The answer should be in MM/DD/YYYY format.

Answer

02/08/2021

What is the originating IP?

The answer lies in the Received field.

Answer

71.19.248.52

What country is the ip address from?

We can use IPData to lookup the location and threat profile of the IP address.

Answer

Canada

What is the name of the attachment when you unzip it? (with extension)

Let's unzip the attachment.

$ unzip united+scientific+equipent.zip 
Archive:  united+scientific+equipent.zip
[united+scientific+equipent.zip] united scientific equipent.exe password: 
  inflating: united scientific equipent.exe  

Answer

united scientific equipent.exe 

What is the sha256 hash of the File?

We can use the sha256sum utility to find the hash of the attachment file.

$ sha256sum 'united scientific equipent.exe'
9909753bfb0ac8ab165bab3555233d03b01a9274a92e57c022f87ccbe51ca415  united scientific equipent.exe

Answer

9909753bfb0ac8ab165bab3555233d03b01a9274a92e57c022f87ccbe51ca415

Is the email attachment malicious? Yes/No

We can use Virustotal to check if a file is malicious or not by simply entering the SHA256 hash we generated.

Answer

Yes