Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecureMessageAtt.html

HTML document, ASCII text, with CRLF line terminators

initial sample

Details

Filetype:	HTML document, ASCII text, with CRLF line terminators
Entropy:	6.077024401281931
Filename:	SecureMessageAtt.html
Filesize:	2456635
MD5:	1d28aebc4cb2e6a1b2973430272e171b
SHA1:	849718ff3229686c9608c1a17e785e20222ce35b
SHA256:	bcff3b94d850c48c0bbd760791a4dd28b754d3e94d6e958ff54579284402d2c0
SHA512:	398e9b8e53c0475a3f10c0df0e0f5bec61404a93e6c4a106d53093757724101485b9640653dc7263646e09083d9c0d97f66a55136f2a31ed695289eeda997cb2
SSDEEP:	24576:QsSEtwnnZAQQDor2MiinkFlbPAbd2i8wctNgeBV7B8G5osLTRSKwGuUebwqHeBmp:56ZN0G8CPGFNTE6Tub4ElOod
Preview:	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">..<html>....<head>.. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">.. Branding: You'll probably want to set the title. -->.. <title>Proo

Signature Hits	Behavior Group	Mitre Attack
Contains VNC / remote desktop functionality (version string found)	Remote Access Functionality	Remote Desktop Protocol Remote Access Software
HTML page is missing a favicon	Phishing
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
URLs found in memory or binary data	Networking
Submission file is bigger than most known malware samples	System Summary

Chrome Cache Entry: 82

GIF image data, version 89a, 90 x 68

dropped

Details

File:	Chrome Cache Entry: 82
Category:	dropped
Dump:	chromecache_82.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	GIF image data, version 89a, 90 x 68
Entropy:	7.69368813786086
Encrypted:	false
Ssdeep:	48:0iDSa/lZFiVs1W5mcGunaDYrBfPP3wk4HhbxuuXl80of:0iDSa/ToVs9woYBfnANb4d0w
Size:	1984
Whitelisted:	false
Reputation:	moderate

Chrome Cache Entry: 83

GIF image data, version 89a, 187 x 42

dropped

Details

File:	Chrome Cache Entry: 83
Category:	dropped
Dump:	chromecache_83.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	GIF image data, version 89a, 187 x 42
Entropy:	7.772752509343987
Encrypted:	false
Ssdeep:	48:4AnBxIfxXQmp/HXqmg+pQLRB0ou+doAKV4NSV28AUHzdxOmzVH0LgBOO:pnBO5AGHBOvnuy8L2T40iF0EBOO
Size:	2197
Whitelisted:	false
Reputation:	low

Chrome Cache Entry: 84

GIF image data, version 89a, 90 x 68

downloaded

Details

File:	Chrome Cache Entry: 84
Category:	downloaded
Dump:	chromecache_84.2.dr
ID:	dr_7
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	GIF image data, version 89a, 90 x 68
Entropy:	7.69368813786086
Encrypted:	false
Ssdeep:	48:0iDSa/lZFiVs1W5mcGunaDYrBfPP3wk4HhbxuuXl80of:0iDSa/ToVs9woYBfnANb4d0w
Size:	1984
Whitelisted:	false
Reputation:	moderate

Chrome Cache Entry: 85

HTML document, ASCII text, with very long lines (455), with CRLF line terminators

downloaded

Details

File:	Chrome Cache Entry: 85
Category:	downloaded
Dump:	chromecache_85.2.dr
ID:	dr_8
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	HTML document, ASCII text, with very long lines (455), with CRLF line terminators
Entropy:	4.76884765493212
Encrypted:	false
Ssdeep:	192:VR+blWeX7ptGuV+WtLIVs5lWXagpHYz3PakCE8hkhOR:VIRptv7dIVs/3gpCPa48hkhOR
Size:	8905
Whitelisted:	false
Reputation:	moderate

Chrome Cache Entry: 86

GIF image data, version 89a, 187 x 42

downloaded

Details

File:	Chrome Cache Entry: 86
Category:	downloaded
Dump:	chromecache_86.2.dr
ID:	dr_9
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	GIF image data, version 89a, 187 x 42
Entropy:	7.772752509343987
Encrypted:	false
Ssdeep:	48:4AnBxIfxXQmp/HXqmg+pQLRB0ou+doAKV4NSV28AUHzdxOmzVH0LgBOO:pnBO5AGHBOvnuy8L2T40iF0EBOO
Size:	2197
Whitelisted:	false
Reputation:	low

Chrome Cache Entry: 87

MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel

dropped

Details

File:	Chrome Cache Entry: 87
Category:	dropped
Dump:	chromecache_87.2.dr
ID:	dr_6
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Entropy:	5.223148900731864
Encrypted:	false
Ssdeep:	24:tqAwGyTSQB24gTAhnsx1nD+o1NMTTJaz:tL+bgTinelDMd
Size:	1150
Whitelisted:	false
Reputation:	moderate

Chrome Cache Entry: 88

MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel

downloaded

Details

File:	Chrome Cache Entry: 88
Category:	downloaded
Dump:	chromecache_88.2.dr
ID:	dr_10
Target ID:	2
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Entropy:	5.223148900731864
Encrypted:	false
Ssdeep:	24:tqAwGyTSQB24gTAhnsx1nD+o1NMTTJaz:tL+bgTinelDMd
Size:	1150
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\SecureMessageAtt.html"

Details

Is windows:	true
Is dropped:	false
PID:	7072
Target ID:	0
Parent PID:	5268
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\SecureMessageAtt.html"
Size:	3242272
MD5:	5BBFA6CBDF4C254EB368D534F9E23C92
Time:	00:06:39
Date:	20/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff684c40000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1996,i,3822043218176268392,2533187350089635544,262144 /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	5160
Target ID:	2
Parent PID:	7072
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1996,i,3822043218176268392,2533187350089635544,262144 /prefetch:8
Size:	3242272
MD5:	5BBFA6CBDF4C254EB368D534F9E23C92
Time:	00:06:42
Date:	20/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff684c40000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

file:///C:/Users/user/Desktop/SecureMessageAtt.html

https://securemail.americanfidelity.com/help/enus_encryption.htm

https://securemail.americanfidelity.com/formpostdir/safeformpost.aspx

unknown

https://securemail.americanfidelity.com/help/enus_encryption.htm#Reading_a_Secure_Message_on_a_Smart_Phone

https://securemail.americanfidelity.com/help/enus_encryption.htm#Troubleshooting

https://securemail.americanfidelity.com/securereader/help.jsf?lang=enus

https://securemail.americanfidelity.com/help/enus_encryption.htm#Adding_Recipients

https://securemail.americanfidelity.com/favicon.ico

67.231.149.122

https://securemail.americanfidelity.com/securereader/Image?c=logo&b=1&i=0&rnd=9.80372576023722

67.231.149.122

https://securemail.americanfidelity.com/help/enus_encryption.htm#Replying_or_Forwarding

https://securemail.americanfidelity.com/securereader/Image?c=lock&b=1&rnd=2.99930044764984

67.231.149.122

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

www.google.com

172.253.124.147

pe-0018f201.gslb.pphosted.com

67.231.149.122

securemail.americanfidelity.com

unknown

Details

Name:	securemail.americanfidelity.com
TargetID:	2
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

67.231.149.122

pe-0018f201.gslb.pphosted.com

United States

239.255.255.250

unknown

Reserved

192.168.2.4

unknown

192.168.2.6

unknown

172.253.124.147

www.google.com

United States

DOM / HTML

URL

Malicious

file:///C:/Users/user/Desktop/SecureMessageAtt.html

https://securemail.americanfidelity.com/securereader/help.jsf?lang=enus

https://securemail.americanfidelity.com/help/enus_encryption.htm

https://securemail.americanfidelity.com/help/enus_encryption.htm#Replying_or_Forwarding

https://securemail.americanfidelity.com/help/enus_encryption.htm#Adding_Recipients

https://securemail.americanfidelity.com/help/enus_encryption.htm#Reading_a_Secure_Message_on_a_Smart_Phone

https://securemail.americanfidelity.com/help/enus_encryption.htm#Resetting_Your_Expired_Password

https://securemail.americanfidelity.com/help/enus_encryption.htm#Troubleshooting

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecureMessageAtt.html

Files

Processes

URLs

Domains

IPs

DOM / HTML

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecureMessageAtt.html

Files

Processes

URLs

Domains

IPs

DOM / HTML

IOC Report
SecureMessageAtt.html