# Internet Storm Center

**isc.sans.edu/diary/Infostealer Malware with Double Extension/29354**

## Infostealer Malware with Double Extension

**Published: 2022-12-18**

**Last Updated: 2022-12-18 17:28:06 UTC**

**by** [Guy Bruneau (Version: 1)](https://isc.sans.edu/handler_list.html#guy-bruneau)

[2 comment(s)](https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354/#comments)
Got this file attachment this week pretending to be from HSBC Global Payments and Cash Management. The
attachment payment_copy.pdf.z is a rar archive, kind of unusual with this type of file archive but when extracted,
it comes out as a double extension with pdf.exe. The file is a trojan infostealer and detected by multiple scanning
engines.

Using [CyberChef Forensics -> Extract Files, you can view a list of files part of the executable from the .exe, .zlib](https://gchq.github.io/CyberChef/)
and various mp3 and png.


-----

Saving some of the files to review and analyze them:

**Indicators of Compromise**


-----

Filename: payment_copy.pdf.z -> RAR archive data

[SHA256: 37da8f89540f4dae114f1f55cfd4d89be9582fbd480ac6ed6c34ac04ec8d576b](https://www.virustotal.com/gui/file/37da8f89540f4dae114f1f55cfd4d89be9582fbd480ac6ed6c34ac04ec8d576b)

SSDEEP:
12288:jiE0YCjbwMh6ny+h+n6SN/PAQDnNNTtcvCEYLPQE5FiER3RiSbhXwS:eE3K0Mh6nyU+6SOQ77lPQaFpbeS

Filename: payment_copy.pdf.exe

IPs: 3.232.242[.]170, 52.20.78[.]240, 54.91.59[.]199, 65.108.213[.]43, 209.197.3[.]8

Domains: api.ipify[.]org, api.ipify.org.herokudns[.]com, mail.reousaomilia[.]gr, reousaomilia[.]gr,
www.inkscape[.]org

[SHA256: 3ccaf74f465a79ec320fdb7e44ae09551f4348efd3bf8bf7b3638cc0c1cd8492](https://www.virustotal.com/gui/file/3ccaf74f465a79ec320fdb7e44ae09551f4348efd3bf8bf7b3638cc0c1cd8492)

[1]
https://www.virustotal.com/gui/file/37da8f89540f4dae114f1f55cfd4d89be9582fbd480ac6ed6c34ac04ec8d576b

[2] https://www.virustotal.com/gui/file/3ccaf74f465a79ec320fdb7e44ae09551f4348efd3bf8bf7b3638cc0c1cd8492

[3] https://gchq.github.io/CyberChef/

----------
Guy Bruneau [IPSS Inc.](http://www.ipss.ca/)

[My Handler Page](https://handlers.sans.org/gbruneau/)

Twitter: [GuyBruneau](https://twitter.com/guybruneau)

gbruneau at isc dot sans dot edu

[Keywords: CyberChef](https://isc.sans.edu/tag.html?tag=CyberChef) [Infostealer](https://isc.sans.edu/tag.html?tag=Infostealer) [Malware](https://isc.sans.edu/tag.html?tag=Malware)
[2 comment(s)](https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354/#comments)

### Comments

Thanks for the article, hashes, and IoCs. It's the phishiest time of the year!

Do you have any phish subject line, sender emails, or headers you could share? Thanks again.

**Two_Ecks**

**Dec 22nd 2022**

**6 days ago**

Thanks for the article, hashes, and IoCs. It's the phishiest time of the year!

Do you have any phish subject line, sender emails, or headers you could share? Thanks again.

**Two_Ecks**

**Dec 22nd 2022**

**6 days ago**

[Login here to join the discussion.](https://isc.sans.edu/login)

Top of page
×

[Diary Archives](https://isc.sans.edu/diaryarchive.html)


-----