# EvilExtractor Network Forensics

Erik Hjelmvik, netresec.com, Wednesday, 26 April 2023 08:50:00 (UTC/GMT)

I analyzed a PCAP file from a sandbox execution of the Evil Extractor stealer malware earlier today. This stealer collects credentials and files of interest from the victim’s computer and exfiltrates them to an FTP server. It is designed to autonomously collect and exfiltrate data rather than receiving commands from an operator through a command-and-control channel. The EvilExtractor creators market this feature as a “golden bullet”:

> Real hackers don’t use reverse shells right? If you have only one bullet, would you waste with reverse shell? Try Evil Extractor to have golden bullet.

I downloaded the [Evil Extractor capture file from Triage](https://tria.ge/230424-vv9wvsfb2v/behavioral2) to a [Windows Sandbox environment](https://netresec.com/?b=215d5b5), to avoid accidentally infecting my computer when extracting artifacts from the PCAP. I then opened it up in the [free version of NetworkMiner](https://www.netresec.com/?page=Networkminer).

NetworkMiner shows that, after checking its public IP on ipinfo.io, EvilExtractor makes an unencrypted HTTP connection to a web server on 193.42.33.232 to download KK2023.zip. This zip archive contains a file called “Lst.exe”, which is used to steal browser data, cookies and credentials [according to Fortinet](https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer).

_Image: Files downloaded from TCP port 80_

Twenty seconds later an FTP connection is established to 89.116.53.55 on TCP port 21. The username and password used to authenticate to the FTP server were “u999382941” and “Test1234”.
On the FTP server EvilExtractor creates a directory named after the country and hostname of the victim's PC, such as “(Sweden)DESKTOP-VV03LJ”, in which it creates the following three sub directories:

- 1-Password-Cookies
- 2-Credentials
- 3-Files

After uploading browser cookies, browser history and cached passwords from Chrome, Firefox and Edge to the “1-Password-Cookies” directory, EvilExtractor sends a file called “Credentials.txt” to the “2-Credentials” directory. The contents of this text file look something like this:

```
Public IP: [redacted]
Location: [lat],[long]
Computer Name: [redacted]
Username: Admin
RAM: 4 GB
OS Name: Microsoft Windows 10 Pro
OS Bit: 64-bit
Keyboard Language: en-US
GPU: [redacted]
CPU: Intel [redacted]
MAC Address: [redacted]
Extracted WIFI: [redacted]
```

The stealer also exfiltrates files with mpeg, docx, jpeg, pptx, zip, avi and rar extensions from the victim PC to the “3-Files” directory on the FTP server. The directory structure of the victim’s PC is maintained on the FTP server, so that files from the victim's desktop end up in a folder called “Desktop” on the FTP server.

The stealer later downloaded a keylogger module (Confirm.zip) and a webcam module (MnMs.zip), but no additional data was exfiltrated from this particular victim PC after that point.

**IOC List**

- Web server: 193.42.33.232:80
- FTP server: 89.116.53.55:21
- EvilExtractor: 9650ac3a9de8d51fddab092c7956bdae
- KK2023.zip: f07b919ff71fb33ee0f77e9e02c5445b
- Lst.exe: 163d4e2d75f8ce6c838bab888bf9629c
- Confirm.zip: 30532a6121cb33afc04eea2b8dcea461
- Confirm.exe: 0c18c4669e7ca7e4d21974ddcd24fdca
- MnMs.zip: bda0bda512d3e2a81fc9e4cf393091eb
- MnMs.exe: fb970c4367609860c2e5b17737a9f460

Users with an account on Triage can download the analyzed PCAP file from here: [https://tria.ge/230424-vv9wvsfb2v/behavioral2](https://tria.ge/230424-vv9wvsfb2v/behavioral2)

**Update 2023-04-27**

[Jane tweeted a link to an execution of this same sample on ANY.RUN](https://twitter.com/Jane_0sint/status/1651306419331661833). This execution showed very similar results as the one on Triage, but with an interesting twist. Not only did the ANY.RUN execution exfiltrate images and documents from the Desktop and Downloads folders, it also exfiltrated “vv9wvsfb2v_pw_infected.zip”, which contained the EvilExtractor EXE file that was being run!

The PCAP from the ANY.RUN execution can be downloaded from here: [https://app.any.run/tasks/43a11a79-4d1f-406c-86d7-158efb5ede01/](https://app.any.run/tasks/43a11a79-4d1f-406c-86d7-158efb5ede01/)
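The FTP exfiltration pattern described above (a country/hostname directory holding the three staging sub directories, with Credentials.txt and document files uploaded beneath it) lends itself to a simple detection rule. The following Python example is added here and is not code from the original post or from NetworkMiner; it runs over a constructed list of FTP client commands (placeholder hostname, password and file names, uppercase commands assumed) and reconstructs the server-side paths by tracking the working directory the way the server would.

```python
import posixpath
import re
from dataclasses import dataclass, field

# Constructed FTP client commands modelled on the session above (placeholders, not capture values).
SAMPLE_FTP_COMMANDS = """\
USER u999382941
PASS [placeholder]
MKD (Sweden)DESKTOP-EXAMPLE
CWD (Sweden)DESKTOP-EXAMPLE
MKD 1-Password-Cookies
MKD 2-Credentials
MKD 3-Files
CWD 2-Credentials
STOR Credentials.txt
CWD ../3-Files
MKD Desktop
CWD Desktop
STOR report.docx
"""
VICTIM_DIR = re.compile(r"^\([A-Za-z ]+\)[A-Za-z0-9-]+$")  # e.g. "(Sweden)DESKTOP-VV03LJ"
STAGING_DIRS = {"1-Password-Cookies", "2-Credentials", "3-Files"}
EXFIL_EXTS = {".mpeg", ".docx", ".jpeg", ".pptx", ".zip", ".avi", ".rar"}

@dataclass
class FtpFindings:
    victim_dirs: list = field(default_factory=list)   # MKD of "(Country)HOSTNAME"
    staging_dirs: set = field(default_factory=set)    # staging sub dirs created
    stored_files: list = field(default_factory=list)  # server-side paths of STOR'ed files

    def is_evilextractor_like(self) -> bool:
        # Fingerprint: all three staging dirs created beneath a country/hostname dir.
        return bool(self.victim_dirs) and self.staging_dirs == STAGING_DIRS

    def exfiltrated_documents(self) -> list:
        return [p for p in self.stored_files if posixpath.splitext(p)[1] in EXFIL_EXTS]

def analyze_ftp_commands(text: str) -> FtpFindings:
    findings, cwd = FtpFindings(), "/"  # track the working dir as the server would
    for line in text.splitlines():
        cmd, _, arg = line.strip().partition(" ")
        if cmd == "MKD" and VICTIM_DIR.match(arg):
            findings.victim_dirs.append(arg)
        elif cmd == "MKD" and arg in STAGING_DIRS:
            findings.staging_dirs.add(arg)
        elif cmd == "CWD" and arg:
            cwd = posixpath.normpath(posixpath.join(cwd, arg))
        elif cmd == "STOR" and arg:
            findings.stored_files.append(posixpath.join(cwd, arg))
    return findings
```

Feeding it the FTP control-channel commands extracted from a capture gives the victim directory, which staging directories were created, and the full server-side paths of every uploaded file, so that a STOR of Credentials.txt under 2-Credentials or of a .docx under 3-Files/Desktop can be alerted on directly.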