Forum Discussion

Sw33p
Bronze I
23 days ago

Incident Response Suspicious Email Part 2 last Question

Hello, I am slowly going crazy here.

The last question of Suspicious Email Part 2 asks to find the FQDN of the threat actor within the output that, in the previous questions, we had to deobfuscate after unpacking the vbaProject.bin using oletools and/or a script.

I created a script to convert decimal to ASCII, and the hash in the end was matching, so I solved the second-to-last question. However, afterwards it says the FQDN should be in the file I just created. This is not the case. I checked the file with strings and even read the whole file line by line to find any FQDN. The only sites in there are apache and zeustech, which are only in there because ApacheBench got used in the malware. There is no trace of any further FQDN. So I'm effectively stuck there because I can't find any worthwhile info.

Does anyone have any idea? Or is this lab just broken? I redid the whole lab from scratch 2 times already. Both times I wrote a new script as well, and every time the hash is correct but there is no FQDN to be found anywhere in there.

1 Reply

  • Something must be going wrong with your decoding somewhere? Running strings across the executable you created should definitely return someword.something-something.something, that they're looking for... 

    Though, I'm curious how you managed to get the right MD5 for the previous question, if this one isn't working... 🤔
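The pipeline both posts describe (decimal-to-ASCII decode, MD5 check, then a `strings`-style hunt for an FQDN) is small enough to put in one script, so here is an added example for this thread. It is not the lab's own script, data or answer: the input format (a comma-separated list of decimal byte values, which is how many VBA droppers store an embedded payload), the sample bytes and the placeholder hostname `host-placeholder.example.invalid` are all constructed for illustration. The hostname regex is deliberately stricter than "anything with dots in it" so that version strings like `1.2.3` are not reported.

```python
"""Decode a decimal-encoded payload, hash it, and hunt for FQDNs in it.

Added example for this thread, not the lab's own script or data.  The
payload format and every sample value below are assumptions.
"""
import hashlib
import re

# Constructed sample payload: a fake 'MZ' header, a couple of strings an
# ApacheBench-based binary would plausibly carry, a version number that
# must NOT be mistaken for a hostname, and one placeholder FQDN.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"ApacheBench/2.3\x00"
    + b"build 1.2.3\x00"
    + b"https://apache.org/\x00"
    + b"host-placeholder.example.invalid\x00"
    + b"\xff\xfe\x00\x00"
)

# The same bytes as a macro would store them: decimal values separated by
# commas, with line breaks, stray spaces and a trailing separator thrown in
# to exercise the tolerant parser below.
SAMPLE_DECIMAL = ",\n".join(
    ", ".join(str(b) for b in SAMPLE_BYTES[i:i + 8])
    for i in range(0, len(SAMPLE_BYTES), 8)
) + ",\n"

# One or more DNS labels followed by an alphabetic TLD.  The lookarounds
# stop the match from starting or ending inside a longer label.
FQDN_RE = re.compile(
    r"(?<![a-z0-9-])"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z]{2,63}"
    r"(?![a-z0-9-])",
    re.IGNORECASE,
)


def decode_decimal_bytes(text: str) -> bytes:
    """Turn '77, 90,144,...' into raw bytes.

    Splits on anything that is not a digit, so commas, newlines and
    doubled separators are all tolerated.  A value above 255 means the
    wrong array (or the wrong delimiter) was copied, so it raises rather
    than silently truncating and producing a file with the wrong hash.
    """
    values = [int(tok) for tok in re.split(r"[^0-9]+", text) if tok]
    bad = [v for v in values if v > 255]
    if bad:
        raise ValueError(f"value(s) out of byte range: {bad[:5]}")
    return bytes(values)


def md5_hex(data: bytes) -> str:
    """MD5 of the decoded file, the value checked before the FQDN step."""
    return hashlib.md5(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Rough equivalent of `strings`: runs of printable ASCII >= min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_fqdns(data: bytes) -> list[str]:
    """FQDN-looking tokens in the printable strings, lower-cased, deduplicated."""
    found = set()
    for s in extract_strings(data):
        for m in FQDN_RE.finditer(s):
            found.add(m.group().lower())
    return sorted(found)


def analyse(decimal_text: str) -> dict:
    """The whole pipeline: decode, hash, then hunt for candidate FQDNs."""
    data = decode_decimal_bytes(decimal_text)
    return {"size": len(data), "md5": md5_hex(data), "fqdns": find_fqdns(data)}


if __name__ == "__main__":
    result = analyse(SAMPLE_DECIMAL)
    print(f"decoded {result['size']} bytes, md5 {result['md5']}")
    for name in result["fqdns"]:
        print("candidate FQDN:", name)
```

When the hash matches but no hostname turns up, the two places worth re-checking are the decode step (a delimiter that silently drops or merges values still yields a file, just not the right one, which is why the parser above refuses out-of-range values) and the minimum string length: a hostname stored as a wide (UTF-16) string has a null byte between every character and will not appear in plain `strings` output without the `-e l` option or an equivalent decoder.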