Windows Analysis Report
Encrypted_PaymentAdvice_Reference.html

Overview

General Information

Sample name:	Encrypted_PaymentAdvice_Reference.html
Analysis ID:	1428929
MD5:	ecb7975e1af12d03f172521e9db666e0
SHA1:	99454e6d1656a09891549d74c716d58ee4bd60fe
SHA256:	45ac36f35c90139f810c607aacc9cea31ebb0ac00bdd51ca6e5c0167ec2ad89e
Infos:

Detection

HTMLPhisher

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish10

Detected javascript redirector / loader

HTML Script injector detected

HTML document with suspicious name

HTML document with suspicious title

HTML file submission containing password form

HTML sample is only containing javascript code

Phishing site detected (based on image similarity)

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

None HTTPS page querying sensitive user data (password, username or email)

Classification

Signatures

Phishing

Yara detected HtmlPhish10

Source: Yara match

File source: 0.1.pages.csv, type: HTML

Detected javascript redirector / loader

Source: Encrypted_PaymentAdvice_Reference.html

HTTP Parser: Low number of body elements: 0

HTML Script injector detected

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html	HTTP Parser: New script tag found
Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html	HTTP Parser: New script, src: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js

HTML document with suspicious title

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

Tab title: Sign in to your account

HTML sample is only containing javascript code

Source: Encrypted_PaymentAdvice_Reference.html

HTTP Parser: <script>const a0C=a0p;function a0V(){const l=['MbYhp','zAuY29tL2xuay93ZWIuanM=','809165mfloFe','\x22></','6MGRnMHMzZGQzZ2M5bXgwc','4374saMzMy','3551180arRAja','JtKjJ','800519jBYFUx','adempster@cnv.org','64c0133d-a1b2-42cf-bff9-cd88814d0179','217MdRYp...

Phishing site detected (based on image similarity)

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

Matcher: Found strong image similarity, brand: MICROSOFT

HTML body contains low number of good links

Source: https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQQIARAAhZLNa9MAAMWbdq1b0dlNET0IEzzIJG2-0xR2SJt-pFuStU0amoOlaZM0bZqkbdK0uYseB8LAgRcPojt6Ei8Kehi7uPP8DwRFPMiObnoeXh7v8d7t_ZLLRBom0lAa2owhaSh3HyMJHMNwFUSRLgFilAqBWVQjQLhHoecVQhLdzmQ9mXr8xL-3_yNTePN8bbO59fnFIbDR9zx3mstkgiBIO7pudrV01xllrI7dM21jhrwDgBMAOIjGNRuUGofRKYFmYZTCYQInYRQlYRhJt0QabslsqAw4TyizGG9CkCJagx25OuTCoseLUtgKhwuuXMQUWYK4cAgrMhcI4tDjRmzIFy72tcWO2B8JIudxTG3BDaSAZySEZ2r4afS6QPteH7kQZ2KG2q_oiu5MRm3XmXoHsf0oa2_LVLkyq3f8Rcjy42q1gpCmQMlwFxs7xZaUX_TC1rRdsn18Z9uFFFrtg9VCXfLl4XAATjhyx9iFbFKCkOliYbCo2K-apqzkLV0k59uUU1B5vcD2XAItBc1i1RBMexdCbdjrBzZfLpXzou808Www5STOmtfAkS_DeAlSF0h7e9jlVa_RbWBzmOk4vR4KVXlZ1gJK1gdsVt015tREwAl80pg3CmatrxqjsSVW8CZV4uyybMrZPO-5TYyzS2irgyjCjDXyltFG9VCv0_zApcJsvUkTSjB383gFZECD7jShRnAYu3PJvTPkbSxxbkaOfRwjHVezzd6GO3F009IuQ2KGZIS_qeKMtDRtWSdLwLelW8uJVOp2ZCPy4CYUyy0vJ1ORi3S2BLyMnxMXxlcTj-4q9OuVr59-j6nIcTzTLNgMjVMGKs_6XmgV8g8JXrJ0oYQTZTxDDOcNX-34vfmYcbbgHLyXAPYSiePEGsu0-aLYEGmeo...

HTTP Parser: Number of links: 0

HTML body contains password input but no form action

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

HTTP Parser: <input type="password" .../> found but no <form action="...

HTML title does not match URL

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

HTTP Parser: Title: Sign in to your account does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

HTTP Parser: Has password / email / username input fields

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

HTTP Parser: <input type="password" .../> found

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html	HTTP Parser: No <meta name="author".. found
Source: https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQQIARAAhZLNa9MAAMWbdq1b0dlNET0IEzzIJG2-0xR2SJt-pFuStU0amoOlaZM0bZqkbdK0uYseB8LAgRcPojt6Ei8Kehi7uPP8DwRFPMiObnoeXh7v8d7t_ZLLRBom0lAa2owhaSh3HyMJHMNwFUSRLgFilAqBWVQjQLhHoecVQhLdzmQ9mXr8xL-3_yNTePN8bbO59fnFIbDR9zx3mstkgiBIO7pudrV01xllrI7dM21jhrwDgBMAOIjGNRuUGofRKYFmYZTCYQInYRQlYRhJt0QabslsqAw4TyizGG9CkCJagx25OuTCoseLUtgKhwuuXMQUWYK4cAgrMhcI4tDjRmzIFy72tcWO2B8JIudxTG3BDaSAZySEZ2r4afS6QPteH7kQZ2KG2q_oiu5MRm3XmXoHsf0oa2_LVLkyq3f8Rcjy42q1gpCmQMlwFxs7xZaUX_TC1rRdsn18Z9uFFFrtg9VCXfLl4XAATjhyx9iFbFKCkOliYbCo2K-apqzkLV0k59uUU1B5vcD2XAItBc1i1RBMexdCbdjrBzZfLpXzou808Www5STOmtfAkS_DeAlSF0h7e9jlVa_RbWBzmOk4vR4KVXlZ1gJK1gdsVt015tREwAl80pg3CmatrxqjsSVW8CZV4uyybMrZPO-5TYyzS2irgyjCjDXyltFG9VCv0_zApcJsvUkTSjB383gFZECD7jShRnAYu3PJvTPkbSxxbkaOfRwjHVezzd6GO3F009IuQ2KGZIS_qeKMtDRtWSdLwLelW8uJVOp2ZCPy4CYUyy0vJ1ORi3S2BLyMnxMXxlcTj-4q9OuVr59-j6nIcTzTLNgMjVMGKs_6XmgV8g8JXrJ0oYQTZTxDDOcNX-34vfmYcbbgHLyXAPYSiePEGsu0-aLYEGmeo	HTTP Parser: No <meta name="author".. found
Source: https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQQIARAAhZLNa9MAAMWbdq1b0dlNET0IEzzIJG2-0xR2SJt-pFuStU0amoOlaZM0bZqkbdK0uYseB8LAgRcPojt6Ei8Kehi7uPP8DwRFPMiObnoeXh7v8d7t_ZLLRBom0lAa2owhaSh3HyMJHMNwFUSRLgFilAqBWVQjQLhHoecVQhLdzmQ9mXr8xL-3_yNTePN8bbO59fnFIbDR9zx3mstkgiBIO7pudrV01xllrI7dM21jhrwDgBMAOIjGNRuUGofRKYFmYZTCYQInYRQlYRhJt0QabslsqAw4TyizGG9CkCJagx25OuTCoseLUtgKhwuuXMQUWYK4cAgrMhcI4tDjRmzIFy72tcWO2B8JIudxTG3BDaSAZySEZ2r4afS6QPteH7kQZ2KG2q_oiu5MRm3XmXoHsf0oa2_LVLkyq3f8Rcjy42q1gpCmQMlwFxs7xZaUX_TC1rRdsn18Z9uFFFrtg9VCXfLl4XAATjhyx9iFbFKCkOliYbCo2K-apqzkLV0k59uUU1B5vcD2XAItBc1i1RBMexdCbdjrBzZfLpXzou808Www5STOmtfAkS_DeAlSF0h7e9jlVa_RbWBzmOk4vR4KVXlZ1gJK1gdsVt015tREwAl80pg3CmatrxqjsSVW8CZV4uyybMrZPO-5TYyzS2irgyjCjDXyltFG9VCv0_zApcJsvUkTSjB383gFZECD7jShRnAYu3PJvTPkbSxxbkaOfRwjHVezzd6GO3F009IuQ2KGZIS_qeKMtDRtWSdLwLelW8uJVOp2ZCPy4CYUyy0vJ1ORi3S2BLyMnxMXxlcTj-4q9OuVr59-j6nIcTzTLNgMjVMGKs_6XmgV8g8JXrJ0oYQTZTxDDOcNX-34vfmYcbbgHLyXAPYSiePEGsu0-aLYEGmeo	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html	HTTP Parser: No <meta name="copyright".. found
Source: https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQQIARAAhZLNa9MAAMWbdq1b0dlNET0IEzzIJG2-0xR2SJt-pFuStU0amoOlaZM0bZqkbdK0uYseB8LAgRcPojt6Ei8Kehi7uPP8DwRFPMiObnoeXh7v8d7t_ZLLRBom0lAa2owhaSh3HyMJHMNwFUSRLgFilAqBWVQjQLhHoecVQhLdzmQ9mXr8xL-3_yNTePN8bbO59fnFIbDR9zx3mstkgiBIO7pudrV01xllrI7dM21jhrwDgBMAOIjGNRuUGofRKYFmYZTCYQInYRQlYRhJt0QabslsqAw4TyizGG9CkCJagx25OuTCoseLUtgKhwuuXMQUWYK4cAgrMhcI4tDjRmzIFy72tcWO2B8JIudxTG3BDaSAZySEZ2r4afS6QPteH7kQZ2KG2q_oiu5MRm3XmXoHsf0oa2_LVLkyq3f8Rcjy42q1gpCmQMlwFxs7xZaUX_TC1rRdsn18Z9uFFFrtg9VCXfLl4XAATjhyx9iFbFKCkOliYbCo2K-apqzkLV0k59uUU1B5vcD2XAItBc1i1RBMexdCbdjrBzZfLpXzou808Www5STOmtfAkS_DeAlSF0h7e9jlVa_RbWBzmOk4vR4KVXlZ1gJK1gdsVt015tREwAl80pg3CmatrxqjsSVW8CZV4uyybMrZPO-5TYyzS2irgyjCjDXyltFG9VCv0_zApcJsvUkTSjB383gFZECD7jShRnAYu3PJvTPkbSxxbkaOfRwjHVezzd6GO3F009IuQ2KGZIS_qeKMtDRtWSdLwLelW8uJVOp2ZCPy4CYUyy0vJ1ORi3S2BLyMnxMXxlcTj-4q9OuVr59-j6nIcTzTLNgMjVMGKs_6XmgV8g8JXrJ0oYQTZTxDDOcNX-34vfmYcbbgHLyXAPYSiePEGsu0-aLYEGmeo...	HTTP Parser: No <meta name="copyright".. found
Source: https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQQIARAAhZLNa9MAAMWbdq1b0dlNET0IEzzIJG2-0xR2SJt-pFuStU0amoOlaZM0bZqkbdK0uYseB8LAgRcPojt6Ei8Kehi7uPP8DwRFPMiObnoeXh7v8d7t_ZLLRBom0lAa2owhaSh3HyMJHMNwFUSRLgFilAqBWVQjQLhHoecVQhLdzmQ9mXr8xL-3_yNTePN8bbO59fnFIbDR9zx3mstkgiBIO7pudrV01xllrI7dM21jhrwDgBMAOIjGNRuUGofRKYFmYZTCYQInYRQlYRhJt0QabslsqAw4TyizGG9CkCJagx25OuTCoseLUtgKhwuuXMQUWYK4cAgrMhcI4tDjRmzIFy72tcWO2B8JIudxTG3BDaSAZySEZ2r4afS6QPteH7kQZ2KG2q_oiu5MRm3XmXoHsf0oa2_LVLkyq3f8Rcjy42q1gpCmQMlwFxs7xZaUX_TC1rRdsn18Z9uFFFrtg9VCXfLl4XAATjhyx9iFbFKCkOliYbCo2K-apqzkLV0k59uUU1B5vcD2XAItBc1i1RBMexdCbdjrBzZfLpXzou808Www5STOmtfAkS_DeAlSF0h7e9jlVa_RbWBzmOk4vR4KVXlZ1gJK1gdsVt015tREwAl80pg3CmatrxqjsSVW8CZV4uyybMrZPO-5TYyzS2irgyjCjDXyltFG9VCv0_zApcJsvUkTSjB383gFZECD7jShRnAYu3PJvTPkbSxxbkaOfRwjHVezzd6GO3F009IuQ2KGZIS_qeKMtDRtWSdLwLelW8uJVOp2ZCPy4CYUyy0vJ1ORi3S2BLyMnxMXxlcTj-4q9OuVr59-j6nIcTzTLNgMjVMGKs_6XmgV8g8JXrJ0oYQTZTxDDOcNX-34vfmYcbbgHLyXAPYSiePEGsu0-aLYEGmeo...	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49801 version: TLS 1.2

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.17.24.14 104.17.24.14
Source: Joe Sandbox View	IP Address: 13.107.246.41 13.107.246.41
Source: Joe Sandbox View	IP Address: 13.107.246.41 13.107.246.41
Source: Joe Sandbox View	IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View	IP Address: 152.199.4.44 152.199.4.44

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.205.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.205.32
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.205.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.205.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /lnk/web.js HTTP/1.1Host: bc1qr4pajz0dg0s3dd3gc9mx0s0.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/jquery/3.6.0/jquery.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ests/2.1/content/cdnbundles/converged.v2.login.min_ziytf8dzt9eg1s6-ohhleg2.css HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ests/2.1/content/cdnbundles/converged.v2.login.min_8owwt4u-33ps0wawi7tmow2.css HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dbd5a2dd-m8dyygmh3oeovo2dixhqqyboaqeae6piveon-rl-2di/logintenantbranding/0/bannerlogo?ts=637885838665437121 HTTP/1.1Host: aadcdn.msftauthimages.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /api/v3/auth HTTP/1.1Host: bc1q3jc6cu9q5t35vc9jt7h47pw.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dbd5a2dd-m8dyygmh3oeovo2dixhqqyboaqeae6piveon-rl-2di/logintenantbranding/0/bannerlogo?ts=637885838665437121 HTTP/1.1Host: aadcdn.msftauthimages.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dbd5a2dd-m8dyygmh3oeovo2dixhqqyboaqeae6piveon-rl-2di/logintenantbranding/0/illustration?ts=637885838649916089 HTTP/1.1Host: aadcdn.msftauthimages.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dbd5a2dd-m8dyygmh3oeovo2dixhqqyboaqeae6piveon-rl-2di/logintenantbranding/0/illustration?ts=637885838649916089 HTTP/1.1Host: aadcdn.msftauthimages.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=XGTrf5PErdE5NGK&MD=tullWw3L HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=XGTrf5PErdE5NGK&MD=tullWw3L HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: unknown

DNS traffic detected: queries for: bc1qr4pajz0dg0s3dd3gc9mx0s0.com

Source: unknown

HTTP traffic detected: POST /api/v3/auth HTTP/1.1Host: bc1q3jc6cu9q5t35vc9jt7h47pw.comConnection: keep-aliveContent-Length: 169sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/jsonsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_86.2.dr

String found in binary or memory: https://account.live.com/resetpassword.aspx

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49801 version: TLS 1.2

System Summary

HTML document with suspicious name

Source: Name includes: Encrypted_PaymentAdvice_Reference.html

Initial sample: payment

Source: classification engine

Classification label: mal76.phis.winHTML@25/72@22/11

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Encrypted_PaymentAdvice_Reference.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=2152,i,4203618253092181966,8330422003287132863,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=2152,i,4203618253092181966,8330422003287132863,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

HTTP Parser: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.17.24.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
13.107.246.41	part-0013.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.246.40	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
152.199.4.44	cs1100.wpc.omegacdn.net	United States	15133	EDGECASTUS	false
13.107.213.38	part-0010.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
13.107.213.40	part-0012.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.216.70.216	bc1qr4pajz0dg0s3dd3gc9mx0s0.com	Germany	43659	CLOUDCOMPUTINGDE	false
193.222.96.119	bc1q3jc6cu9q5t35vc9jt7h47pw.com	Germany	3303	SWISSCOMSwisscomSwitzerlandLtdCH	false
108.177.122.99	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

Contacted Domains

Name	IP	Active
part-0013.t-0009.t-msedge.net	13.107.246.41	true
cs1100.wpc.omegacdn.net	152.199.4.44	true
bc1q3jc6cu9q5t35vc9jt7h47pw.com	193.222.96.119	true
cdnjs.cloudflare.com	104.17.24.14	true
bc1qr4pajz0dg0s3dd3gc9mx0s0.com	185.216.70.216	true
www.google.com	108.177.122.99	true
part-0012.t-0009.t-msedge.net	13.107.213.40	true
part-0010.t-0009.t-msedge.net	13.107.213.38	true
passwordreset.microsoftonline.com	unknown	unknown
aadcdn.msftauth.net	unknown	unknown
ajax.aspnetcdn.com	unknown	unknown
aadcdn.msftauthimages.net	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js	false	high
https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_8owwt4u-33ps0wawi7tmow2.css	false	unknown
https://aadcdn.msftauthimages.net/dbd5a2dd-m8dyygmh3oeovo2dixhqqyboaqeae6piveon-rl-2di/logintenantbranding/0/illustration?ts=637885838649916089	false	unknown
file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html	true	low
https://aadcdn.msftauthimages.net/dbd5a2dd-m8dyygmh3oeovo2dixhqqyboaqeae6piveon-rl-2di/logintenantbranding/0/bannerlogo?ts=637885838665437121	false	unknown
https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQQIARAAhZLNa9MAAMWbdq1b0dlNET0IEzzIJG2-0xR2SJt-pFuStU0amoOlaZM0bZqkbdK0uYseB8LAgRcPojt6Ei8Kehi7uPP8DwRFPMiObnoeXh7v8d7t_ZLLRBom0lAa2owhaSh3HyMJHMNwFUSRLgFilAqBWVQjQLhHoecVQhLdzmQ9mXr8xL-3_yNTePN8bbO59fnFIbDR9zx3mstkgiBIO7pudrV01xllrI7dM21jhrwDgBMAOIjGNRuUGofRKYFmYZTCYQInYRQlYRhJt0QabslsqAw4TyizGG9CkCJagx25OuTCoseLUtgKhwuuXMQUWYK4cAgrMhcI4tDjRmzIFy72tcWO2B8JIudxTG3BDaSAZySEZ2r4afS6QPteH7kQZ2KG2q_oiu5MRm3XmXoHsf0oa2_LVLkyq3f8Rcjy42q1gpCmQMlwFxs7xZaUX_TC1rRdsn18Z9uFFFrtg9VCXfLl4XAATjhyx9iFbFKCkOliYbCo2K-apqzkLV0k59uUU1B5vcD2XAItBc1i1RBMexdCbdjrBzZfLpXzou808Www5STOmtfAkS_DeAlSF0h7e9jlVa_RbWBzmOk4vR4KVXlZ1gJK1gdsVt015tREwAl80pg3CmatrxqjsSVW8CZV4uyybMrZPO-5TYyzS2irgyjCjDXyltFG9VCv0_zApcJsvUkTSjB383gFZECD7jShRnAYu3PJvTPkbSxxbkaOfRwjHVezzd6GO3F009IuQ2KGZIS_qeKMtDRtWSdLwLelW8uJVOp2ZCPy4CYUyy0vJ1ORi3S2BLyMnxMXxlcTj-4q9OuVr59-j6nIcTzTLNgMjVMGKs_6XmgV8g8JXrJ0oYQTZTxDDOcNX-34vfmYcbbgHLyXAPYSiePEGsu0-aLYEGmeoesM0oZ-JoCnVyLvV_7L8OnVG8mkb7Ytp9uxtOn6P5Y_XoucrR59-fDs1d7R98of0&mkt=en-US&hosted=0&device_platform=Windows+10	false	high
https://bc1qr4pajz0dg0s3dd3gc9mx0s0.com/lnk/web.js	false	unknown
https://bc1q3jc6cu9q5t35vc9jt7h47pw.com/api/v3/auth	false	unknown

Name	Type	MD5	SHA1	SHA256
Chrome Cache Entry: 100	PNG image data, 240 x 59, 8-bit/color RGBA, non-interlaced	346C8F6ACBCE0D7A0113C6E5AD2B535D	7A11F5E8FE4AF491E11F4186A1AB0EC37B642532	BCEE0CA70481CFBF41C11797FE681A6EEC5E27A15B5E422A8BF15756C9EE632F
Chrome Cache Entry: 101	PNG image data, 16 x 25, 8-bit/color RGBA, non-interlaced	D4FFE61373F6AA32EEB8CA7CD41AB980	4925FAC4BC73EFB7C7BBC32B11C435ECF1D61674	D5C54FFC6B8BD44D932BE8F37B1CD5B666205C7574F9D56EF68E56F83E08FFAD
Chrome Cache Entry: 102	MS Windows icon resource - 4 icons, 64x64, 32 bits/pixel, 32x32, 32 bits/pixel	877784A5F5808CEFA2B61E73BFCF8EAE	6A0E7EDA2734D7BBBA3CE38D37B347DF001B1DBF	BE7F0632337BC381D4962125545A5CC3C1E84E2D03DBDB97AB3D79AD78B91B6D
Chrome Cache Entry: 103	ASCII text, with CRLF line terminators	B3D7A123BE5203A1A3F0F10233ED373F	F4C61F321D8F79A805B356C6EC94090C0D96215C	EF9453F74B2617D43DCEF4242CF5845101FCFB57289C81BCEB20042B0023A192
Chrome Cache Entry: 104	ASCII text, with CRLF line terminators	11FE4E6509513DB245F1F97E37C5D3AB	05322C35B6BFAE84CE8C626BD7B1F8C4A6F15A6D	78D437B40A85299F96ED9D02E35F23FD3D3EF63D844D8D2523A15516F7E1D09C
Chrome Cache Entry: 105	ASCII text, with very long lines (39257), with CRLF line terminators	DA9DC1C32E89C02FC1E9EEB7E5AAB91E	3EFB110EFA6068CE6B586A67F87DA5125310BC30	398CDF1B27EF247E5BC77805F266BB441E60355463FC3D1776F41AAE58B08CF1
Chrome Cache Entry: 106	PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced	8DC34013E911C5F68FC2BCA0400CB06F	16BAFA91AF100D65C4945F04E0C6E1643B98CF00	795029D360C3D16233FCE96F1BFF13C261535C0885FAE806CFF766F32D96BCEE
Chrome Cache Entry: 107	PNG image data, 16 x 25, 8-bit/color RGBA, non-interlaced	D4FFE61373F6AA32EEB8CA7CD41AB980	4925FAC4BC73EFB7C7BBC32B11C435ECF1D61674	D5C54FFC6B8BD44D932BE8F37B1CD5B666205C7574F9D56EF68E56F83E08FFAD
Chrome Cache Entry: 108	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=16, height=4000, bps=206, PhotometricIntepretation=RGB, manufacturer=NIKON CORPORATION, model=NIKON D7100, orientation=upper-left, width=6000], baseline, precision 8, 1920x1080, components 3	03FC7F13B4320519D0EB47D8CDC8357D	DDF71CA9F0D0604FBED9A0FF964F066BB33FF869	C08C5DDF46AC0420B88C69D06351757C110A822E36DD23CC3A9F9906FA5D7DDC
Chrome Cache Entry: 109	PNG image data, 89 x 18, 8-bit/color RGBA, non-interlaced	BC89C1FBFBC227DC5A7ED9B2797E240D	8A9390297FDD0963C466CF2FD35D5B1F88A46B6A	744A8CD0A4D15DFCF4A5D2E832FF556D950F8AF24D7B66104AB2EF4FE2605D9A
Chrome Cache Entry: 110	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	ACA0F1B02DC406E76DDC5F2BDEBEC6CE	594C930BE86B8843377565E349D2A10F1755A13A	0446C6FD9AEB7DCD7CC089FA25323B1AE9AFA77B4CF8D4449F7D2D1B2467393A
Chrome Cache Entry: 111	ASCII text, with very long lines (65447)	8FB8FEE4FCC3CC86FF6C724154C49C42	B82D238D4E31FDF618BAE8AC11A6C812C03DD0D4	FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
Chrome Cache Entry: 112	ASCII text, with no line terminators	D1690731F22021E1466FBCD0DB6326EF	78F95BA0B7F82BBB7067000242DE860594ABD9C3	490216DF4F089BB5C249BCF4034D0671254CA4236EC3ECA935AAC4B17E0FC7F3
Chrome Cache Entry: 113	ASCII text, with very long lines (65536), with no line terminators	3CBB8908E329B01594BA33DA639C216D	BB07D11ED06FF46566A4F9FE02188E5649F69E69	10EE6218481850701761C89DEF0C6D2239552CB051450B4DD669713EAB5E7779
Chrome Cache Entry: 114	ASCII text, with CRLF line terminators	DBFAC7887A157C9B73DC42927FC15B74	435FD188BF66F0207EEB298DD13228D17D36E4D1	FC66E3943BC6EDC7B1F79D952D31DABCBA3BD576190DEEB9A7518CEE6B75C5A1
Chrome Cache Entry: 115	GIF image data, version 89a, 22 x 22	309B41EE7A44BD51E5D1B52CCC620E5B	B162CE55DE01BF7C005F8CE4D4D7C32E7AEACA08	F213507641FD02EC43981535823474ECFDE973D1B33A6CD385F1F0827FD4B528
Chrome Cache Entry: 116	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 110554	C60D83111FACE767A068BE9B5178B887	BDBE2ED3247BB647CB318A9D0A4182E65B66473D	62F6067588E8E74833692A1511AC8AF5B66F380E8BFC842B7EC7B2785494AEC3
Chrome Cache Entry: 117	PNG image data, 89 x 18, 8-bit/color RGBA, non-interlaced	BC89C1FBFBC227DC5A7ED9B2797E240D	8A9390297FDD0963C466CF2FD35D5B1F88A46B6A	744A8CD0A4D15DFCF4A5D2E832FF556D950F8AF24D7B66104AB2EF4FE2605D9A
Chrome Cache Entry: 118	GIF image data, version 89a, 22 x 22	309B41EE7A44BD51E5D1B52CCC620E5B	B162CE55DE01BF7C005F8CE4D4D7C32E7AEACA08	F213507641FD02EC43981535823474ECFDE973D1B33A6CD385F1F0827FD4B528
Chrome Cache Entry: 119	PNG image data, 240 x 59, 8-bit/color RGBA, non-interlaced	346C8F6ACBCE0D7A0113C6E5AD2B535D	7A11F5E8FE4AF491E11F4186A1AB0EC37B642532	BCEE0CA70481CFBF41C11797FE681A6EEC5E27A15B5E422A8BF15756C9EE632F
Chrome Cache Entry: 120	GIF image data, version 89a, 24 x 24	93DE6FB07C1382459E473381DA5D0E7E	4E1208D482A7ABA8C86FDCF8E0E92C90BB8C8C8A	E97FA0CFE4B0A7BB22E9713A67D4667DA064E674A944D607E78F0D3BF48E57A5
Chrome Cache Entry: 121	ASCII text, with very long lines (65447)	8FB8FEE4FCC3CC86FF6C724154C49C42	B82D238D4E31FDF618BAE8AC11A6C812C03DD0D4	FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
Chrome Cache Entry: 122	ASCII text, with CRLF line terminators	90EA7274F19755002360945D54C2A0D7	647B5D8BF7D119A2C97895363A07A0C6EB8CD284	40732E9DCFA704CF615E4691BB07AECFD1CC5E063220A46E4A7FF6560C77F5DB
Chrome Cache Entry: 123	GIF image data, version 89a, 24 x 24	93DE6FB07C1382459E473381DA5D0E7E	4E1208D482A7ABA8C86FDCF8E0E92C90BB8C8C8A	E97FA0CFE4B0A7BB22E9713A67D4667DA064E674A944D607E78F0D3BF48E57A5
Chrome Cache Entry: 124	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=16, height=4000, bps=206, PhotometricIntepretation=RGB, manufacturer=NIKON CORPORATION, model=NIKON D7100, orientation=upper-left, width=6000], baseline, precision 8, 1920x1080, components 3	03FC7F13B4320519D0EB47D8CDC8357D	DDF71CA9F0D0604FBED9A0FF964F066BB33FF869	C08C5DDF46AC0420B88C69D06351757C110A822E36DD23CC3A9F9906FA5D7DDC
Chrome Cache Entry: 125	PNG image data, 338 x 72, 8-bit/color RGBA, non-interlaced	36AFB641BECFAD75FED5F4E6E8C39268	2495652F017B7A06D796AFE9C4A06ECD54F9CCFE	5C2192A3932CB78B431A1AC0F3F3D73414A31C63D5CB279F2687E58C72694200
Chrome Cache Entry: 126	JSON data	2D7D30EA1C6F925302D2C3ABED382951	5BA6BBC5670C4AF1125CF9AC0AA1CA2811E744D1	83C09BA9A8DAEDB136F90B17A294CAA90AD471A016E430DF6E229ACB5A81E100
Chrome Cache Entry: 84	ASCII text, with very long lines (61177)	F0E5964F8BBEDF73D2D3001623BB663B	AADF3504D5E5A93E678487EEB4A63398F2699341	9537F00CA371747A97A2ACCA388F7B2379A7FA7C59BDE18C3D2621C0DE8DE492
Chrome Cache Entry: 85	ASCII text, with very long lines (65329), with CRLF line terminators	C89EAA5B28DF1E17376BE71D71649173	2B34DF4C66BB57DE5A24A2EF0896271DFCA4F4CD	66B804E7A96A87C11E1DD74EA04AC2285DF5AD9043F48046C3E5000114D39B1C
Chrome Cache Entry: 86	HTML document, Unicode text, UTF-8 text, with very long lines (941), with CRLF line terminators	861E438A2D29B7DBF36EC0B3948F70EA	78323192A9C1957B5A56C00DC07F50C9A8358456	9406DEF76C8EA7C24507970CAC36D8256E5A666B8765A726D87A627E616D930F
Chrome Cache Entry: 87	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	8EDFCD3F7A179CFF6B123DFF50F29770	7A2D9BB4B9F6072AB3049E6421021A5BA0A3DADF	D0B747C7F7414A08B0D5107832B2F4BB44A9BB4A3AAD28390F58EDE8BBEA6AE1
Chrome Cache Entry: 88	PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced	8DC34013E911C5F68FC2BCA0400CB06F	16BAFA91AF100D65C4945F04E0C6E1643B98CF00	795029D360C3D16233FCE96F1BFF13C261535C0885FAE806CFF766F32D96BCEE
Chrome Cache Entry: 89	MS Windows icon resource - 4 icons, 64x64, 32 bits/pixel, 32x32, 32 bits/pixel	877784A5F5808CEFA2B61E73BFCF8EAE	6A0E7EDA2734D7BBBA3CE38D37B347DF001B1DBF	BE7F0632337BC381D4962125545A5CC3C1E84E2D03DBDB97AB3D79AD78B91B6D
Chrome Cache Entry: 90	PNG image data, 17 x 25, 8-bit/color RGBA, non-interlaced	C651D60A08FF0F579E2EB9BE6043A3C6	E7BCBB896EEA20A4DC68EDD2EF5B336E92690A55	7B4B6ADAA1DDA648143A18A52B51DFAAB54775BDB6284DFF5C869235CD385230
Chrome Cache Entry: 91	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 513	4E3510919D29D18EEB6E3E8B2687D2F5	31522A9EC576A462C3F1FFA65C010D4EB77E9A85	1707BE1284617ACC0A66A14448207214D55C3DA4AAF25854E137E138E089257E
Chrome Cache Entry: 92	PNG image data, 89 x 18, 8-bit/color RGBA, non-interlaced	BC89C1FBFBC227DC5A7ED9B2797E240D	8A9390297FDD0963C466CF2FD35D5B1F88A46B6A	744A8CD0A4D15DFCF4A5D2E832FF556D950F8AF24D7B66104AB2EF4FE2605D9A
Chrome Cache Entry: 93	HTML document, Unicode text, UTF-8 text, with very long lines (1237), with CRLF line terminators	3A9449ED09119D29505C688C582A88F2	9CC7328B7AAE710C755A557CDC32177DE61156B5	D9BC757146A73695BFDFADFF45CDCE52A02156B0777FA2FB5BAAECA826127AB0
Chrome Cache Entry: 94	PNG image data, 89 x 18, 8-bit/color RGBA, non-interlaced	BC89C1FBFBC227DC5A7ED9B2797E240D	8A9390297FDD0963C466CF2FD35D5B1F88A46B6A	744A8CD0A4D15DFCF4A5D2E832FF556D950F8AF24D7B66104AB2EF4FE2605D9A
Chrome Cache Entry: 95	ASCII text, with CRLF line terminators	A17520454D4A65A399B863B5CC46D3FC	0A02C72D7AFCD5198C590108E7F2302A1F75544D	62E5E7DC19D018BEDB24E2C89ED41271B9D94A6DDE3359CC9CABBC315385C0E5
Chrome Cache Entry: 96	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 513	4E3510919D29D18EEB6E3E8B2687D2F5	31522A9EC576A462C3F1FFA65C010D4EB77E9A85	1707BE1284617ACC0A66A14448207214D55C3DA4AAF25854E137E138E089257E
Chrome Cache Entry: 97	PNG image data, 338 x 72, 8-bit/color RGBA, non-interlaced	36AFB641BECFAD75FED5F4E6E8C39268	2495652F017B7A06D796AFE9C4A06ECD54F9CCFE	5C2192A3932CB78B431A1AC0F3F3D73414A31C63D5CB279F2687E58C72694200
Chrome Cache Entry: 98	PNG image data, 17 x 25, 8-bit/color RGBA, non-interlaced	C651D60A08FF0F579E2EB9BE6043A3C6	E7BCBB896EEA20A4DC68EDD2EF5B336E92690A55	7B4B6ADAA1DDA648143A18A52B51DFAAB54775BDB6284DFF5C869235CD385230
Chrome Cache Entry: 99	ASCII text, with CRLF line terminators	A870B45AC5D6B0D4E18C4829C7B660B4	2D3CA0E1F19EFDEB9B2DD3DCFFB17F8ABA118AA0	144524233F795D6A425B76F7AE5C0BB622B5F67E2E6AE73532AD526528CA07CF

Phishing

Yara detected HtmlPhish10

Source: Yara match

File source: 0.1.pages.csv, type: HTML

Detected javascript redirector / loader

Source: Encrypted_PaymentAdvice_Reference.html

HTTP Parser: Low number of body elements: 0

HTML Script injector detected

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html	HTTP Parser: New script tag found
Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html	HTTP Parser: New script, src: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js

HTML document with suspicious title

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

Tab title: Sign in to your account

HTML sample is only containing javascript code

Source: Encrypted_PaymentAdvice_Reference.html

Phishing site detected (based on image similarity)

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

Matcher: Found strong image similarity, brand: MICROSOFT

HTML body contains low number of good links

HTTP Parser: Number of links: 0

HTML body contains password input but no form action

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

HTTP Parser: <input type="password" .../> found but no <form action="...

HTML title does not match URL

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

HTTP Parser: Title: Sign in to your account does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

HTTP Parser: Has password / email / username input fields

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

HTTP Parser: <input type="password" .../> found

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html	HTTP Parser: No <meta name="author".. found
Source: https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQQIARAAhZLNa9MAAMWbdq1b0dlNET0IEzzIJG2-0xR2SJt-pFuStU0amoOlaZM0bZqkbdK0uYseB8LAgRcPojt6Ei8Kehi7uPP8DwRFPMiObnoeXh7v8d7t_ZLLRBom0lAa2owhaSh3HyMJHMNwFUSRLgFilAqBWVQjQLhHoecVQhLdzmQ9mXr8xL-3_yNTePN8bbO59fnFIbDR9zx3mstkgiBIO7pudrV01xllrI7dM21jhrwDgBMAOIjGNRuUGofRKYFmYZTCYQInYRQlYRhJt0QabslsqAw4TyizGG9CkCJagx25OuTCoseLUtgKhwuuXMQUWYK4cAgrMhcI4tDjRmzIFy72tcWO2B8JIudxTG3BDaSAZySEZ2r4afS6QPteH7kQZ2KG2q_oiu5MRm3XmXoHsf0oa2_LVLkyq3f8Rcjy42q1gpCmQMlwFxs7xZaUX_TC1rRdsn18Z9uFFFrtg9VCXfLl4XAATjhyx9iFbFKCkOliYbCo2K-apqzkLV0k59uUU1B5vcD2XAItBc1i1RBMexdCbdjrBzZfLpXzou808Www5STOmtfAkS_DeAlSF0h7e9jlVa_RbWBzmOk4vR4KVXlZ1gJK1gdsVt015tREwAl80pg3CmatrxqjsSVW8CZV4uyybMrZPO-5TYyzS2irgyjCjDXyltFG9VCv0_zApcJsvUkTSjB383gFZECD7jShRnAYu3PJvTPkbSxxbkaOfRwjHVezzd6GO3F009IuQ2KGZIS_qeKMtDRtWSdLwLelW8uJVOp2ZCPy4CYUyy0vJ1ORi3S2BLyMnxMXxlcTj-4q9OuVr59-j6nIcTzTLNgMjVMGKs_6XmgV8g8JXrJ0oYQTZTxDDOcNX-34vfmYcbbgHLyXAPYSiePEGsu0-aLYEGmeo	HTTP Parser: No <meta name="author".. found
Source: https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQQIARAAhZLNa9MAAMWbdq1b0dlNET0IEzzIJG2-0xR2SJt-pFuStU0amoOlaZM0bZqkbdK0uYseB8LAgRcPojt6Ei8Kehi7uPP8DwRFPMiObnoeXh7v8d7t_ZLLRBom0lAa2owhaSh3HyMJHMNwFUSRLgFilAqBWVQjQLhHoecVQhLdzmQ9mXr8xL-3_yNTePN8bbO59fnFIbDR9zx3mstkgiBIO7pudrV01xllrI7dM21jhrwDgBMAOIjGNRuUGofRKYFmYZTCYQInYRQlYRhJt0QabslsqAw4TyizGG9CkCJagx25OuTCoseLUtgKhwuuXMQUWYK4cAgrMhcI4tDjRmzIFy72tcWO2B8JIudxTG3BDaSAZySEZ2r4afS6QPteH7kQZ2KG2q_oiu5MRm3XmXoHsf0oa2_LVLkyq3f8Rcjy42q1gpCmQMlwFxs7xZaUX_TC1rRdsn18Z9uFFFrtg9VCXfLl4XAATjhyx9iFbFKCkOliYbCo2K-apqzkLV0k59uUU1B5vcD2XAItBc1i1RBMexdCbdjrBzZfLpXzou808Www5STOmtfAkS_DeAlSF0h7e9jlVa_RbWBzmOk4vR4KVXlZ1gJK1gdsVt015tREwAl80pg3CmatrxqjsSVW8CZV4uyybMrZPO-5TYyzS2irgyjCjDXyltFG9VCv0_zApcJsvUkTSjB383gFZECD7jShRnAYu3PJvTPkbSxxbkaOfRwjHVezzd6GO3F009IuQ2KGZIS_qeKMtDRtWSdLwLelW8uJVOp2ZCPy4CYUyy0vJ1ORi3S2BLyMnxMXxlcTj-4q9OuVr59-j6nIcTzTLNgMjVMGKs_6XmgV8g8JXrJ0oYQTZTxDDOcNX-34vfmYcbbgHLyXAPYSiePEGsu0-aLYEGmeo	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html	HTTP Parser: No <meta name="copyright".. found
Source: https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQQIARAAhZLNa9MAAMWbdq1b0dlNET0IEzzIJG2-0xR2SJt-pFuStU0amoOlaZM0bZqkbdK0uYseB8LAgRcPojt6Ei8Kehi7uPP8DwRFPMiObnoeXh7v8d7t_ZLLRBom0lAa2owhaSh3HyMJHMNwFUSRLgFilAqBWVQjQLhHoecVQhLdzmQ9mXr8xL-3_yNTePN8bbO59fnFIbDR9zx3mstkgiBIO7pudrV01xllrI7dM21jhrwDgBMAOIjGNRuUGofRKYFmYZTCYQInYRQlYRhJt0QabslsqAw4TyizGG9CkCJagx25OuTCoseLUtgKhwuuXMQUWYK4cAgrMhcI4tDjRmzIFy72tcWO2B8JIudxTG3BDaSAZySEZ2r4afS6QPteH7kQZ2KG2q_oiu5MRm3XmXoHsf0oa2_LVLkyq3f8Rcjy42q1gpCmQMlwFxs7xZaUX_TC1rRdsn18Z9uFFFrtg9VCXfLl4XAATjhyx9iFbFKCkOliYbCo2K-apqzkLV0k59uUU1B5vcD2XAItBc1i1RBMexdCbdjrBzZfLpXzou808Www5STOmtfAkS_DeAlSF0h7e9jlVa_RbWBzmOk4vR4KVXlZ1gJK1gdsVt015tREwAl80pg3CmatrxqjsSVW8CZV4uyybMrZPO-5TYyzS2irgyjCjDXyltFG9VCv0_zApcJsvUkTSjB383gFZECD7jShRnAYu3PJvTPkbSxxbkaOfRwjHVezzd6GO3F009IuQ2KGZIS_qeKMtDRtWSdLwLelW8uJVOp2ZCPy4CYUyy0vJ1ORi3S2BLyMnxMXxlcTj-4q9OuVr59-j6nIcTzTLNgMjVMGKs_6XmgV8g8JXrJ0oYQTZTxDDOcNX-34vfmYcbbgHLyXAPYSiePEGsu0-aLYEGmeo...	HTTP Parser: No <meta name="copyright".. found
Source: https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQQIARAAhZLNa9MAAMWbdq1b0dlNET0IEzzIJG2-0xR2SJt-pFuStU0amoOlaZM0bZqkbdK0uYseB8LAgRcPojt6Ei8Kehi7uPP8DwRFPMiObnoeXh7v8d7t_ZLLRBom0lAa2owhaSh3HyMJHMNwFUSRLgFilAqBWVQjQLhHoecVQhLdzmQ9mXr8xL-3_yNTePN8bbO59fnFIbDR9zx3mstkgiBIO7pudrV01xllrI7dM21jhrwDgBMAOIjGNRuUGofRKYFmYZTCYQInYRQlYRhJt0QabslsqAw4TyizGG9CkCJagx25OuTCoseLUtgKhwuuXMQUWYK4cAgrMhcI4tDjRmzIFy72tcWO2B8JIudxTG3BDaSAZySEZ2r4afS6QPteH7kQZ2KG2q_oiu5MRm3XmXoHsf0oa2_LVLkyq3f8Rcjy42q1gpCmQMlwFxs7xZaUX_TC1rRdsn18Z9uFFFrtg9VCXfLl4XAATjhyx9iFbFKCkOliYbCo2K-apqzkLV0k59uUU1B5vcD2XAItBc1i1RBMexdCbdjrBzZfLpXzou808Www5STOmtfAkS_DeAlSF0h7e9jlVa_RbWBzmOk4vR4KVXlZ1gJK1gdsVt015tREwAl80pg3CmatrxqjsSVW8CZV4uyybMrZPO-5TYyzS2irgyjCjDXyltFG9VCv0_zApcJsvUkTSjB383gFZECD7jShRnAYu3PJvTPkbSxxbkaOfRwjHVezzd6GO3F009IuQ2KGZIS_qeKMtDRtWSdLwLelW8uJVOp2ZCPy4CYUyy0vJ1ORi3S2BLyMnxMXxlcTj-4q9OuVr59-j6nIcTzTLNgMjVMGKs_6XmgV8g8JXrJ0oYQTZTxDDOcNX-34vfmYcbbgHLyXAPYSiePEGsu0-aLYEGmeo...	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49801 version: TLS 1.2

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.17.24.14 104.17.24.14
Source: Joe Sandbox View	IP Address: 13.107.246.41 13.107.246.41
Source: Joe Sandbox View	IP Address: 13.107.246.41 13.107.246.41
Source: Joe Sandbox View	IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View	IP Address: 152.199.4.44 152.199.4.44

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.63.206.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.205.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.205.32
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.205.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.40.205.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /lnk/web.js HTTP/1.1Host: bc1qr4pajz0dg0s3dd3gc9mx0s0.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/jquery/3.6.0/jquery.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ests/2.1/content/cdnbundles/converged.v2.login.min_ziytf8dzt9eg1s6-ohhleg2.css HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ests/2.1/content/cdnbundles/converged.v2.login.min_8owwt4u-33ps0wawi7tmow2.css HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Purpose: prefetchSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dbd5a2dd-m8dyygmh3oeovo2dixhqqyboaqeae6piveon-rl-2di/logintenantbranding/0/bannerlogo?ts=637885838665437121 HTTP/1.1Host: aadcdn.msftauthimages.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /api/v3/auth HTTP/1.1Host: bc1q3jc6cu9q5t35vc9jt7h47pw.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dbd5a2dd-m8dyygmh3oeovo2dixhqqyboaqeae6piveon-rl-2di/logintenantbranding/0/bannerlogo?ts=637885838665437121 HTTP/1.1Host: aadcdn.msftauthimages.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dbd5a2dd-m8dyygmh3oeovo2dixhqqyboaqeae6piveon-rl-2di/logintenantbranding/0/illustration?ts=637885838649916089 HTTP/1.1Host: aadcdn.msftauthimages.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dbd5a2dd-m8dyygmh3oeovo2dixhqqyboaqeae6piveon-rl-2di/logintenantbranding/0/illustration?ts=637885838649916089 HTTP/1.1Host: aadcdn.msftauthimages.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=XGTrf5PErdE5NGK&MD=tullWw3L HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=XGTrf5PErdE5NGK&MD=tullWw3L HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: unknown

DNS traffic detected: queries for: bc1qr4pajz0dg0s3dd3gc9mx0s0.com

Source: unknown

Source: chromecache_86.2.dr

String found in binary or memory: https://account.live.com/resetpassword.aspx

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49801 version: TLS 1.2

System Summary

HTML document with suspicious name

Source: Name includes: Encrypted_PaymentAdvice_Reference.html

Initial sample: payment

Source: classification engine

Classification label: mal76.phis.winHTML@25/72@22/11

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Encrypted_PaymentAdvice_Reference.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=2152,i,4203618253092181966,8330422003287132863,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=2152,i,4203618253092181966,8330422003287132863,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

HTTP Parser: file:///C:/Users/user/Desktop/Encrypted_PaymentAdvice_Reference.html

ID:	1428929
Product:	CloudBasic
Start time:	21:29:04
Start date:	19.04.2024
Sample:	Encrypted_PaymentAdvice_Reference.html
Cookbook:	defaultwindowshtmlcookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ecb7975e1af12d03f172521e9db666e0
SHA1:	99454e6d1656a09891549d74c716d58ee4bd60fe
SHA256:	45ac36f35c90139f810c607aacc9cea31ebb0ac00bdd51ca6e5c0167ec2ad89e
Filetype:	HyperText Markup Language (13008/1) 61.90%

Windows Analysis Report
Encrypted_PaymentAdvice_Reference.html

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing

Compliance

Networking

System Summary

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report Encrypted_PaymentAdvice_Reference.html

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing

Compliance

Networking

System Summary

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
Encrypted_PaymentAdvice_Reference.html