{
	"id": "42e0ae7b-e598-4a78-aedb-5fd0c48ec4b6",
	"created_at": "2026-04-06T00:13:03.811269Z",
	"updated_at": "2026-04-10T03:21:43.192648Z",
	"deleted_at": null,
	"sha1_hash": "3c99dbecce141c3f40ca1f4b121a4a6d3e100055",
	"title": "EvilExtractor Network Forensics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 166592,
	"plain_text": "EvilExtractor Network Forensics\r\nBy Erik Hjelmvik\r\nPublished: 2023-04-26 · Archived: 2026-04-05 20:47:57 UTC\r\nWednesday, 26 April 2023 08:50:00 (UTC/GMT)\r\nI analyzed a PCAP file from a sandbox execution of the Evil Extractor stealer malware earlier today. This stealer collects credentials and files of interest from the victim’s computer and exfiltrates them to an FTP server. It is designed to autonomously collect and exfiltrate data rather than receiving commands from an operator through a command-and-control channel. The EvilExtractor creators market this feature as a “golden bullet”.\r\nReal hackers don’t use reverse shells right? If you have only one bullet, would you waste with reverse shell? Try Evil Extractor to have golden bullet.\r\nI downloaded the Evil Extractor capture file from Triage to a Windows Sandbox environment, to avoid accidentally infecting my computer when extracting artifacts from the PCAP. I then opened it up in the free version of NetworkMiner.\r\nNetworkMiner shows that after checking its public IP on ipinfo.io, EvilExtractor makes an unencrypted HTTP connection to a web server on 193.42.33.232 to download KK2023.zip. This zip archive contains a file called “Lst.exe”, which is used to steal browser data, cookies and credentials according to Fortinet.\r\nImage: Files downloaded from TCP port 80\r\nTwenty seconds later an FTP connection is established to 89.116.53.55 on TCP port 21. The username and password used to authenticate to the FTP server were “u999382941” and “Test1234”.\r\nhttps://www.netresec.com/?page=Blog\u0026month=2023-04\u0026post=EvilExtractor-Network-Forensics\r\nPage 1 of 5\r\nOn the FTP server EvilExtractor creates a directory named after the country and hostname of the victim's PC, such as “(Sweden)DESKTOP-VV03LJ”, in which it creates the following three subdirectories:\r\n1-Password-Cookies\r\n2-Credentials\r\n3-Files\r\nAfter uploading browser cookies, browser history and cached passwords from Chrome, Firefox and Edge to the “1-Password-Cookies” directory, EvilExtractor sends a file called “Credentials.txt” to the “2-Credentials” directory. The contents of this text file look something like this:\r\nPublic IP: [redacted]\r\nLocation: [lat],[long]\r\nComputer Name: [redacted]\r\nUsername: Admin\r\nRAM: 4 GB\r\nOS Name: Microsoft Windows 10 Pro\r\nOS Bit: 64-bit\r\nKeyboard Language: en-US\r\nGPU: [redacted]\r\nCPU: Intel [redacted]\r\nMAC Address: [redacted]\r\nExtracted WIFI: [redacted]\r\nThe stealer also exfiltrates files with mpeg, docx, jpeg, pptx, zip, avi and rar extensions from the victim PC to the “3-Files” directory on the FTP server. The directory structure of the victim’s PC is maintained on the FTP server, so that files from the victim's desktop end up in a folder called “Desktop” on the FTP server.\r\nThe stealer later downloaded a keylogger module (Confirm.zip) and a webcam module (MnMs.zip), but no additional data was exfiltrated from this particular victim PC after that point.\r\nIOC List\r\nWeb server: 193.42.33.232:80\r\nFTP server: 89.116.53.55:21\r\nEvilExtractor: 9650ac3a9de8d51fddab092c7956bdae\r\nKK2023.zip: f07b919ff71fb33ee0f77e9e02c5445b\r\nLst.exe: 163d4e2d75f8ce6c838bab888bf9629c\r\nConfirm.zip: 30532a6121cb33afc04eea2b8dcea461\r\nConfirm.exe: 0c18c4669e7ca7e4d21974ddcd24fdca\r\nMnMs.zip: bda0bda512d3e2a81fc9e4cf393091eb\r\nMnMs.exe: fb970c4367609860c2e5b17737a9f460\r\nUsers with an account on Triage can download the analyzed PCAP file from here: https://tria.ge/230424-vv9wvsfb2v/behavioral2\r\nUpdate 2023-04-27\r\nJane tweeted a link to an execution of this same sample on ANY.RUN. This execution showed very similar results to the one on Triage, but with an interesting twist. Not only did the ANY.RUN execution exfiltrate images and documents from the Desktop and Downloads folders, it also exfiltrated “vv9wvsfb2v_pw_infected.zip”, which contained the EvilExtractor EXE file that was being run!\r\nThe PCAP from the ANY.RUN execution can be downloaded from here: https://app.any.run/tasks/43a11a79-4d1f-406c-86d7-158efb5ede01/\r\nPosted by Erik Hjelmvik on Wednesday, 26 April 2023 08:50:00 (UTC/GMT)\r\nTags: #FTP #NetworkMiner #Sandbox #Triage #ANY.RUN\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2023-04\u0026post=EvilExtractor-Network-Forensics",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2023-04\u0026post=EvilExtractor-Network-Forensics"
	],
	"report_names": [
		"?page=Blog\u0026month=2023-04\u0026post=EvilExtractor-Network-Forensics"
	],
	"threat_actors": [],
	"ts_created_at": 1775434383,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c99dbecce141c3f40ca1f4b121a4a6d3e100055.pdf",
		"text": "https://archive.orkl.eu/3c99dbecce141c3f40ca1f4b121a4a6d3e100055.txt",
		"img": "https://archive.orkl.eu/3c99dbecce141c3f40ca1f4b121a4a6d3e100055.jpg"
	}
}