Stage 1
Steps taken:
- Downloaded from Protonmail on host system
- Compressed and encrypted with password due to being a live, possibly dangerous sample
- Transferred to Remnux VM
Notes:
Stage 1
Steps taken:
- Copied eml file to Windows 10 Flare-VM testbed by FTP server (with limited write access from Windows back over)
- Accessed site through Remnux to do a live visual analysis
Notes:
- Had a brief scare. This game launcher was in my task manager and looked suspicious. It's for a game a friend asked me to download; I was looking at the Recently Installed Apps tab by accident.
- Site was down but still tried to save the TLS1.3 certificate to a non-existent Application Data folder (IP address hidden for security)
- There were also many calls to various social media, brand affiliate services, and ad services
- There was one suspicious call: I wasn't able to capture it fast enough, but there was a payload packet sent to the IP address of a local sports shop. It was labeled as kic.com.kw.localdomain
Return-Path: <[email protected]>
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit
rsa-sha256 signature) header.d=petromasila.com header.a=rsa-sha256
Authentication-Results: mail.protonmail.ch; dmarc=pass (p=quarantine dis=none)
header.from=petromasila.com
Authentication-Results: mail.protonmail.ch; spf=pass smtp.mailfrom=petromasila.com
Authentication-Results: mail.protonmail.ch; arc=pass smtp.remote-ip=40.107.20.137
arc.chain=:microsoft.com
Authentication-Results: mail.protonmail.ch; dkim=pass (2048-bit key)
header.d=petromasila.com [email protected] header.b="ZYHxEpNf"
Received: from EUR05-DB8-obe.outbound.protection.outlook.com
(mail-db8eur05on2137.outbound.protection.outlook.com [40.107.20.137]) (using TLSv1.3
with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256)
(No client certificate requested) by mailin025.protonmail.ch (Postfix) with ESMTPS id
4YFSXq3F5SzGrqp1 for <>; Sat, 21 Dec 2024 02:14:51 +0000 (UTC)
Received: from DUZPR01CA0306.eurprd01.prod.exchangelabs.com (2603:10a6:10:4b7::16) by
AS8PR07MB7190.eurprd07.prod.outlook.com (2603:10a6:20b:251::6) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8272.16;
Sat, 21 Dec 2024 02:14:49 +0000
Received: from DU6PEPF0000A7DE.eurprd02.prod.outlook.com (2603:10a6:10:4b7:cafe::b4) by
DUZPR01CA0306.outlook.office365.com (2603:10a6:10:4b7::16) with Microsoft SMTP Server
(version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8251.26 via Frontend Transport;
Sat, 21 Dec 2024 02:14:49 +0000
Received: from mail.petromasila.com (82.114.168.116) by
DU6PEPF0000A7DE.mail.protection.outlook.com (10.167.8.38) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8251.15 via
Frontend Transport; Sat, 21 Dec 2024 02:14:49 +0000
Received: from Sanexch7.global.ad (10.49.4.124) by Sanexch7.global.ad (10.49.4.124) with
Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.2.1544.4; Sat, 21 Dec 2024 05:07:36 +0300
Received: from WIN-9QL4SDRB93L (10.51.1.1) by Sanexch7.global.ad (10.49.4.124) with
Microsoft SMTP Server id 15.2.1544.4 via Frontend Transport; Sat, 21 Dec 2024 05:07:36
+0300
Arc-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
b=KuQADzHMFxW3RAvf3URNCxRoOE1abp+MwkXZSv7sj1NciBHZ2qc7r5OX1NZGuBsLj6WcPaijCGU4ETxWthOh+WkMQ3S94/P1v8I1H/Oc7bEHvsvu2G6sMSveGzvIfDV98TtLQorYmRGY/qdnqV/GeijDmJrR+nFKu01rGkKgY1pzJwyDLOF5W89YaBzezKx4ZhqHuzQCvRkydwzxVvB16NMq4N7/g4yQUoEp5mE7iyqDaAewWgdkuzLMOdjwxWYi7uYOVOLPeOC65yX6Ytr+cSD1zL3A2No6APYBmGQFshLL5w8740Ggs9YimNqh6+lKUeDeSU2Tv6J2raF1mxK7og==
Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=7CZkqGbHOUQp7a8bWn3eQfLMkmfkBmsRC1wcn7GSKkk=;
b=jYtWpARgYJGfSGa3y25mTmO2nkGHAe0qu3fOdozBmnZC2dcWxEOesc9e6LOwGzijqZCf1kvqGNIFgxgPZjHvNAqkm/Qxr5RVgzkSy6AvH8P221aq9r7CJLzPgV/bPr3AXdl7Y1/aSkIKWCfPOO7oaD8iGL74QljI8oLN2WWtkB6a5Gesr8rK8w6YBiQBOcZyG7TBD2awr6jGGcpHcGptMJCiHDB2o0MQgEQCcIp/HrRIfLyBkFoW3ZpmFX8gtm07aMAJ1R0q50ceNxtHmCy9mHaJz3dRsxdRMgbZrOBTbsjYhvK4s3Pa4oJUz6wYPCeqYmOWhTaVPa0TezzbPbKcFA==
Arc-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is
82.114.168.116) smtp.rcpttodomain=brandongrows.me smtp.mailfrom=petromasila.com;
dmarc=fail (p=quarantine sp=quarantine pct=100) action=quarantine
header.from=petromasila.com; dkim=none (message not signed); arc=none (0)
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=petromasila.com; s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=7CZkqGbHOUQp7a8bWn3eQfLMkmfkBmsRC1wcn7GSKkk=;
b=ZYHxEpNf306meqvMHNhsFHlwMe1PdJ3dKr/Y5OgSpDZzwZdhqGoMyPuCNis7x3eXQmLOTkEIxw4IGm2IqKFzYgqyoW04ah9nKL/Js8RRYceUC4Zqgb9M6XAjJ4D5bkCz9Zj75XWYhn+h6iethQxvGP9c4ar+k/lniaHfHaQiQy6rK4lMglJFSO5xOdVALBgkQNJwJE/9nFCMIaqqP+TUFPDA4eAjZHxNluG1H+naqqw4jhauA6adT/vp24V2T6I42RHY1QJyF6dMMcRwQ6xRu5z7fjAZ0CCC3G2e3rolFmtBI/2AwdkLOkACfYHMH+aZ5lhEb0n1f976OoHTNIa3Uw==
X-Ms-Exchange-Authentication-Results: spf=fail (sender IP is 82.114.168.116)
smtp.mailfrom=petromasila.com; dkim=none (message not signed) header.d=none;dmarc=fail
action=quarantine header.from=petromasila.com;
Received-Spf: Fail (protection.outlook.com: domain of petromasila.com does not designate
82.114.168.116 as permitted sender) receiver=protection.outlook.com;
client-ip=82.114.168.116; helo=mail.petromasila.com;
Message-Id: <0457bc09-45646-dde97564334722@win-9ql4sdrb93l>
Reply-To: Kuwait Investment Company <[email protected]>
From: Kuwait Investment Company <[email protected]>
Date: Fri, 20 Dec 2024 18:09:16 -0800
Mime-Version: 1.0
Content-Type: multipart/mixed;boundary=---------------------8ca8b949db4eb645d02f7e9baf71ef81
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Mailer: Power Sending Sockets v5.1
X-Eopattributedmessage: 0
X-Ms-Publictraffictype: Email
X-Ms-Traffictypediagnostic: DU6PEPF0000A7DE:EE_|AS8PR07MB7190:EE_
X-Ms-Office365-Filtering-Correlation-Id: d4d69206-9e0b-40ec-90e0-08dd21653f8f
X-Ms-Exchange-Atpmessageproperties: SA
X-Ms-Exchange-Senderadcheck: 1
X-Ms-Exchange-Antispam-Relay: 0
X-Microsoft-Antispam: BCL:0;ARA:13230040|82310400026|376014|61400799027|36860700013;
X-Microsoft-Antispam-Message-Info:
=?us-ascii?Q?BYBaYYtUCJ5RH3yBRRKqMgzd2L2OauRcEZvlI4G1zk0s3B4PHKe3/iW77eSja2VmDHO4CFjRbgrs6eKkbFQ2fzs0L2HAnBeyBEBrNhEgazOb+ie8fgwAYaHPUuAh+mREOek4CW/WbWda5DlG/iM74k9XOwlYQS8mfU40eK9+o8lYRDtBZG6gDOCs74RfqwQd6EFrb4AtzMFale7dz8DYI2FmjEa+TCn1vjoukTVQSu3Ob7sGcUPcrqirKE4UkKCuVxC2ireN1PhL4zgYhdKcPKx0VmOjrh+MhBvpn+hxVRmaDl5tyzaLKgQuHjVnF5cUV8YG6T0i6KpZo8IWOd6cCl120RUdg5ajBbIDmDLO4lBHirH9VNwQDtAO7Tzhsl4l4ncnq7gM4Z0OkOLB2vYk8Htddlo5R72pmatnm2XFxq0HL82RTSM6IMnG4dkbdO/iCKP1nPxvf5A3yNx5CQKPw=3D?=
X-Forefront-Antispam-Report: CIP:82.114.168.116;CTRY:YE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.petromasila.com;PTR:smtp.petromasila.com;CAT:NONE;SFS:(13230040)(82310400026)(376014)(61400799027)(36860700013);DIR:OUT;SFP:1102;
X-Originatororg: petromasila.com
X-Ms-Exchange-Crosstenant-Originalarrivaltime: 21 Dec 2024 02:14:49.5296 (UTC)
X-Ms-Exchange-Crosstenant-Network-Message-Id: d4d69206-9e0b-40ec-90e0-08dd21653f8f
X-Ms-Exchange-Crosstenant-Id: 59b0c87e-8eb0-48de-9f71-bdd4b5485762
X-Ms-Exchange-Crosstenant-Originalattributedtenantconnectingip: TenantId=59b0c87e-8eb0-48de-9f71-bdd4b5485762;Ip=[82.114.168.116];Helo=[mail.petromasila.com]
X-Ms-Exchange-Crosstenant-Authsource: DU6PEPF0000A7DE.eurprd02.prod.outlook.com
X-Ms-Exchange-Crosstenant-Authas: Anonymous
X-Ms-Exchange-Crosstenant-Fromentityheader: HybridOnPrem
X-Ms-Exchange-Transport-Crosstenantheadersstamped: AS8PR07MB7190
X-Spam: Yes
X-Pm-Spam: 0yezJI6YSpyJec91ztFGcjIxoJyLCvXBZcQniisnOkQZFNfRViTANOslxzJCL2Yy9ogZ
T0C4MOkT3s0lIkILR1fSUH0lUTVkEbpjICMx4wiXSJEtRT9VWJxUQCR6I0wWydjFLLJCENl0S1XBZl
ETEV0FXIpjbuATLVMs0ZSIkNUVRQlUMPZ0XkUFd9SRFMVBRWRVPbpjIVMs0xPIkfFNVTZ0fO9UTVRi
ksxOliSwXT9UOflVRlRFJ1BRUfUxSUVkQi8EVlOxsNdLjNCJLT50FO9VW0TUhwiTUwlsOLdjdNJCL0
UJd9GRFNk9UX10UI9VQUREFIiRVwlsOXwSifh0UESMJVNX0MUlQUIy6sgzWmIkF1tYW0XNdYBXoAJW
Y2Zh1wuaWt29YI0lsQNlIlRI9xPRUP05XTUkiwslOSXiwBGU1B1BXUM1itslOFMs0NVIlMkJUXh0BC
h0UFTF9FJTU6CITWIzskFmIWYt1N0dXoXBYY5Si0F2WWXtdlsYWvmNLbJSdTJCLVVCJ9ITFIVNQQxk
fB1URUSfxVQUkiFkTOslzhJCLGZtFVzbXwGFdaEGuhtlYFdn1FpbWjC5bb02iiwSX1USVxfQkTEFSS
JEMNd0XUQMlpbIjiywMYRWh11Wb3chRhhcGbmJLYRXdh12ZWauw9tY2sl0IIRlPOl0X1XVNoiQkwls
OLFjdiwSf2cvNUicmxjIOLJCzy92YWZiQIxOjiSwfcI3iisnOWY0N9uaWijoIcB3hsISbmIhNVndG5
3JbIojiPJFUUTU99OSUsyIUI1msjN3X3blJp7IjSlBITQ0i0IjOCLQJ9EUkQzNXUIi6w4CMjM1IQ5O
T1TkOMEj53AzNSNiwJPUFQF9RUVkEUNUSUSO9oxIjSCJLUIy614yNCLTJI6QSsjEMI9lk1JWZ1Zp9Z
vbm7jpIIBlSiQ0TnOis1haWf2VZbFmt6ISZmIzhFjdGm19aa5Wl1R3XmbkVB1X3wzIXMQjwzETNiIi
wNfaXwW1abJ3005WYjIwoJtLCsWlYXNzwt9lc2blRI6bChm1IaxW0ucWY2Yt9luYmfWRZZlmu1RXZm
bkVIwLjwjQMMIjxrNmLHciQJtLCsWlYXNzww9lcmci9owIjyjALMUj55kDNTOyUk3MT1DcMLJCtslW
Y2XhNVndG53JbX12vsVGZjIioFpbWhGNbd5Cji12bWal59mZFlW5adVHuuQWZjMyAAyNDujEMYt2ws
ICdmIh1xfaW02FYZdWvflncmbtFI6ZSSlBIT10PPlEVlTiMJtLCsWlYXN2hnVGd3b5JByX3i2IbOAj
u2YTNzN4QIzMDzDMMMQTyiwSMFcz9FtcGwjoILkj5wIDODO5kYzOT4zcMOETs1JnIlbu91lYWijoIb
Vm3lNXLmblRJ9cisX0fINnyiQWaiO2IY2Nz5jQMYgzwjljMzNldE5OTlTBOZUTifX0=
X-Pm-Origin: external
X-Pm-Transfer-Encryption: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
X-Pm-Content-Encryption: on-delivery
X-Pm-Spamscore: 21
X-Pm-Spam-Action: spam
-----------------------8ca8b949db4eb645d02f7e9baf71ef81
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;charset=utf-8
Greetings,
We the Kuwait Investment Company invite you to partner with us and
benefit in our new Loan and Project funding program. We offer flexible
loans and funding for various projects bypassing the usual rigorous
procedures. This Funding program allows a client to enjoy low interest
payback for as low as 2% interest rate per annul for a period of
15-20 years. We can approve a loan/funding for up to $50,000.USD To $100 Billion (One Hundred Billion United States Dollars) or more
depending on the nature
of business. We are currently funding for:
- Starting up a Franchise
- Business Acquisition
- Business Expansion
- Commercial Real Estate purchase
- Contract Execution
We are open to having a good business relationship with you. If you
think you have a solid background and idea of making good profit in
any venture, please do not hesitate to contact us for possible
business co-operation.
Best Regards,
Business Investment Director.
Kuwait Investment Company,
Kuwait,
Website: https://www.kic.com.kw
-----------------------8ca8b949db4eb645d02f7e9baf71ef81--
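The headers above carry two contradictory sets of verdicts: mail.protonmail.ch reports spf=pass, dkim=pass and dmarc=pass, while the Arc-Authentication-Results and Received-Spf lines written by mx.microsoft.com record spf=fail, dmarc=fail and dkim=none for the originating host 82.114.168.116. Protonmail evaluated the Microsoft relay hop (40.107.20.137), which is why its verdicts look clean. As an added example (not part of the original notes), the Python script below walks the Received chain from origin to final hop, finds the first hop with a public IP, pulls the Received-SPF client IP, and lists every method on which the evaluators disagree. The embedded input is a constructed, trimmed and unfolded copy of the sample's headers: signature blobs are dropped and the redacted address local parts are written as REDACTED.

```python
"""Reconcile per-hop e-mail authentication verdicts from raw .eml headers."""
import ipaddress
import re
from email import policy
from email.parser import BytesParser

# Constructed test input: a trimmed, unfolded copy of the sample's headers.
# Signature blobs are dropped; redacted address local parts are "REDACTED".
SAMPLE_EML = b"""\
Return-Path: <REDACTED@petromasila.com>
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=petromasila.com header.a=rsa-sha256
Authentication-Results: mail.protonmail.ch; dmarc=pass (p=quarantine dis=none) header.from=petromasila.com
Authentication-Results: mail.protonmail.ch; spf=pass smtp.mailfrom=petromasila.com
Authentication-Results: mail.protonmail.ch; arc=pass smtp.remote-ip=40.107.20.137 arc.chain=:microsoft.com
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2137.outbound.protection.outlook.com [40.107.20.137]) by mailin025.protonmail.ch (Postfix) with ESMTPS id 4YFSXq3F5SzGrqp1 for <>; Sat, 21 Dec 2024 02:14:51 +0000 (UTC)
Received: from mail.petromasila.com (82.114.168.116) by DU6PEPF0000A7DE.mail.protection.outlook.com (10.167.8.38) with Microsoft SMTP Server id 15.20.8251.15 via Frontend Transport; Sat, 21 Dec 2024 02:14:49 +0000
Received: from WIN-9QL4SDRB93L (10.51.1.1) by Sanexch7.global.ad (10.49.4.124) with Microsoft SMTP Server id 15.2.1544.4 via Frontend Transport; Sat, 21 Dec 2024 05:07:36 +0300
Arc-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is 82.114.168.116) smtp.rcpttodomain=brandongrows.me smtp.mailfrom=petromasila.com; dmarc=fail (p=quarantine sp=quarantine pct=100) action=quarantine header.from=petromasila.com; dkim=none (message not signed); arc=none (0)
Received-Spf: Fail (protection.outlook.com: domain of petromasila.com does not designate 82.114.168.116 as permitted sender) receiver=protection.outlook.com; client-ip=82.114.168.116; helo=mail.petromasila.com;
From: Kuwait Investment Company <REDACTED@petromasila.com>
X-Mailer: Power Sending Sockets v5.1

(body omitted)
"""

# method=result pairs we care about inside an Authentication-Results value
AUTHRES_RE = re.compile(r"\b(spf|dkim|dmarc|arc)=(\w+)")
# "from <helo> (<comment>) ... by <host>" as written by most MTAs
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def load(raw):
    """Parse raw .eml bytes into a message object."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def parse_authres(value):
    """Return (authserv_id, {method: result}) for one (Arc-)Authentication-Results value."""
    authserv, _, rest = value.partition(";")
    authserv = authserv.strip()
    # The ARC variant is prefixed with "i=N;" before the authserv-id.
    if re.fullmatch(r"i=\d+", authserv):
        authserv, _, rest = rest.partition(";")
        authserv = authserv.strip().split()[0]
    return authserv, dict(AUTHRES_RE.findall(rest))


def received_chain(msg):
    """Hops in chronological order (origin first); Received headers are stored newest-first."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(str(raw).split()))
        if not m:
            continue
        ips = IPV4_RE.findall(m.group("paren") or "")
        hops.append({"from": m.group("helo"), "ip": ips[0] if ips else None,
                     "by": m.group("by").rstrip(";")})
    return hops


def first_external_hop(hops):
    """First hop whose connecting IP is publicly routable: the sender as seen from the internet."""
    for hop in hops:
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop
    return None


def received_spf(msg):
    """(result, client-ip) from the Received-SPF header, or (None, None) if absent."""
    hdr = msg["Received-Spf"]
    if hdr is None:
        return None, None
    value = " ".join(str(hdr).split())
    ip = re.search(r"client-ip=([\d.]+)", value)
    return value.split(None, 1)[0], ip.group(1) if ip else None


def verdicts(msg):
    """{authserv_id: {method: result}} for every evaluator that left a verdict on the message."""
    out = {}
    for name in ("Authentication-Results", "Arc-Authentication-Results"):
        for raw in msg.get_all(name, []):
            authserv, results = parse_authres(" ".join(str(raw).split()))
            out.setdefault(authserv, {}).update(results)
    return out


def conflicts(msg):
    """Methods on which the evaluators disagree; the evaluator nearest the origin is the one to trust."""
    found = {}
    for method in ("spf", "dkim", "dmarc"):
        results = {srv: r[method] for srv, r in verdicts(msg).items() if method in r}
        if len(set(results.values())) > 1:
            found[method] = results
    return found


if __name__ == "__main__":
    msg = load(SAMPLE_EML)
    hops = received_chain(msg)
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("first external hop:", first_external_hop(hops))
    print("Received-SPF:", received_spf(msg))
    for method, res in conflicts(msg).items():
        print(f"{method}: " + ", ".join(f"{srv}={r}" for srv, r in res.items()))
```

On this message the script reports three hops, names mail.petromasila.com (82.114.168.116) as the first external hop, and flags spf, dkim and dmarc as disputed between mail.protonmail.ch (pass) and mx.microsoft.com (fail/none). The final receiver's pass verdicts only say that the relay handing it the message was authorized; the ARC record from the hop nearest the origin is the one that describes the actual sender.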