![]() The username and password used to authenticate to the FTP server was “u999382941” and “Test1234”. Twenty seconds later an FTP connection is established to 89.116.53.55 on TCP port 21. This zip archive contains a file called “Lst.exe” which is used to steal browser data, cookies and credentials according to Fortinet. NetworkMiner shows that after checking its public IP on ipinfo.io EvilExtractor makes an unencrypted HTTP connection to a web server on 193.42.33.232 to download KK2023.zip. I then opened it up in the free version of NetworkMiner. Triage to a Windows Sandbox environment, to avoid accidentally infecting my computer when extracting artifacts from the PCAP. I downloaded the Evil Extractor capture file from Real hackers don’t use reverse shells right? If you have only one bullet, would you waste with reverse shell? Try Evil Extractor to have golden bullet. The EvilExtractor creators market this feature as a “golden bullet”. It is designed to autonomously collect and exfiltrate data rather than receiving commands from an operator through a command-and-control channel. ![]() This stealer collects credentials and files of interest from the victim’s computer and exfiltrates them to an FTP server. ![]() I analyzed a PCAP file from a sandbox execution of the Evil Extractor stealer malware earlier today.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |