Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
https://ptyquabrig.betusisave.store/?email=

Overview

General Information

Sample URL:https://ptyquabrig.betusisave.store/?email=
Analysis ID:1606861
Infos:

Detection

EvilProxy, HTMLPhisher
Score:76
Range:0 - 100
Confidence:100%

Signatures

AI detected phishing page
Found malware configuration
Yara detected Evil Proxy Phishing kit
Yara detected HtmlPhish10
AI detected suspicious Javascript
HTML body contains low number of good links
HTML title does not match URL
Invalid T&C link found

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 2140 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 1440 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2008,i,1092090699780099162,600696839747166947,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 6580 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://ptyquabrig.betusisave.store/?email=" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup

Malware Configuration

Threatname: Evil Proxy

{"pagemsg": "{\\\"LoginPage\\\":{\\\"text\\\":null,\\\"color\\\":\\\"black\\\"},\\\"PassPage\\\":{\\\"text\\\":null,\\\"color\\\":\\\"black\\\"}}", "semail": "", "urlx": "script.php", "lmode": "b"}

Yara Signatures

HTML

SourceRuleDescriptionAuthorStrings
0.0.id.script.csvJoeSecurity_EvilProxyYara detected Evil Proxy Phishing kitJoe Security
    1.2..script.csvJoeSecurity_EvilProxyYara detected Evil Proxy Phishing kitJoe Security
      1.1.pages.csvJoeSecurity_EvilProxyYara detected Evil Proxy Phishing kitJoe Security
        1.2.pages.csvJoeSecurity_EvilProxyYara detected Evil Proxy Phishing kitJoe Security
          1.3.pages.csvJoeSecurity_EvilProxyYara detected Evil Proxy Phishing kitJoe Security
            Click to see the 5 entries

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            No Suricata rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Found malware configuration
            Source: 0.0.id.script.csvMalware Configuration Extractor: Evil Proxy {"pagemsg": "{\\\"LoginPage\\\":{\\\"text\\\":null,\\\"color\\\":\\\"black\\\"},\\\"PassPage\\\":{\\\"text\\\":null,\\\"color\\\":\\\"black\\\"}}", "semail": "", "urlx": "script.php", "lmode": "b"}

            Phishing

            barindex
            AI detected phishing page
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmJoe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'ptyquabrig.betusisave.store' does not match the legitimate domain., The URL contains suspicious elements such as an unusual domain extension '.store' and unrelated words 'ptyquabrig' and 'betusisave'., The URL does not have any recognizable association with Microsoft., The presence of input fields for 'Email or phone' is common in phishing attempts targeting Microsoft accounts. DOM: 1.1.pages.csv
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmJoe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The URL 'ptyquabrig.betusisave.store' does not match the legitimate domain 'microsoft.com'., The domain 'betusisave.store' is suspicious and not associated with Microsoft., The use of a random subdomain 'ptyquabrig' and an unusual domain extension '.store' are common phishing tactics., The email-like input field 'u74zmq@kovf.co' suggests a potential attempt to harvest credentials. DOM: 1.2.pages.csv
            Yara detected Evil Proxy Phishing kit
            Source: Yara matchFile source: 0.0.id.script.csv, type: HTML
            Source: Yara matchFile source: 1.2..script.csv, type: HTML
            Source: Yara matchFile source: 1.1.pages.csv, type: HTML
            Source: Yara matchFile source: 1.2.pages.csv, type: HTML
            Source: Yara matchFile source: 1.3.pages.csv, type: HTML
            Source: Yara matchFile source: 1.0.pages.csv, type: HTML
            Yara detected HtmlPhish10
            Source: Yara matchFile source: 1.1.pages.csv, type: HTML
            Source: Yara matchFile source: 1.2.pages.csv, type: HTML
            Source: Yara matchFile source: 1.3.pages.csv, type: HTML
            Source: Yara matchFile source: 1.0.pages.csv, type: HTML
            AI detected suspicious Javascript
            Source: 0.0.id.script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: https://ptyquabrig.betusisave.store/m/2b643487bbc7... This JavaScript snippet exhibits several high-risk behaviors, indicating a potentially malicious intent. It includes dynamic code execution, data exfiltration, and obfuscated code/URLs, which are all considered high-risk indicators. Additionally, the script appears to be interacting with suspicious domains and exhibiting behavior inconsistent with its apparent purpose. Overall, this script demonstrates a high level of risk and should be thoroughly investigated.
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: Number of links: 0
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: Title: MTXTDFGGYWD3I74QATU4 does not match URL
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: Invalid link: Terms of use
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: Invalid link: Privacy & cookies
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: Invalid link: Terms of use
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: Invalid link: Privacy & cookies
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: Invalid link: Terms of use
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: Invalid link: Privacy & cookies
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: Invalid link: Terms of use
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: Invalid link: Privacy & cookies
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: No <meta name="author".. found
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: No <meta name="author".. found
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: No <meta name="author".. found
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: No <meta name="author".. found
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: No <meta name="copyright".. found
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: No <meta name="copyright".. found
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: No <meta name="copyright".. found
            Source: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmHTTP Parser: No <meta name="copyright".. found
            Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
            Source: unknownTCP traffic detected without corresponding DNS query: 2.22.50.117
            Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
            Source: unknownTCP traffic detected without corresponding DNS query: 2.22.50.117
            Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /?email= HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /m/2b643487bbc7982ff271dda0c2c54c3b.htm HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/cxx/0HPYYKDVVKG4785FFJ5S1FIHZ HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/sm/G0UIGY28ZRM8SRS32KDFLYQHX HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/jx/CLTQYS7CTTF8W10B5MVWYWUB6 HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/mxl/mlg.svg?LGUCMIMV4B304VZH4QFEBU6IX HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/aty/FQ1T8UF43MSIZWSAU8MEXRL9J HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/mxl/sig_op.svg HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/ecpt/CRS543O1KSR7OFOSEPYRIQWG9 HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/bxg/9UACUTQO4MZ67R5JUO9IKYTL9 HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/jx/CLTQYS7CTTF8W10B5MVWYWUB6 HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/mxl/mlg.svg?LGUCMIMV4B304VZH4QFEBU6IX HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /?format=json HTTP/1.1Host: api.ipify.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: application/json, text/javascript, */*; q=0.01sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://ptyquabrig.betusisave.storeSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ptyquabrig.betusisave.store/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /m/aty/FQ1T8UF43MSIZWSAU8MEXRL9J HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/mxl/sig_op.svg HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /?format=json HTTP/1.1Host: api.ipify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /m/ecpt/CRS543O1KSR7OFOSEPYRIQWG9 HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/ic/4FX3FOEDO94SDQKL6Y781IMMK HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/script.php HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/ic/4FX3FOEDO94SDQKL6Y781IMMK HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/script.php HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/script.php HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/script.php HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficHTTP traffic detected: GET /m/script.php HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: global trafficDNS traffic detected: DNS query: www.google.com
            Source: global trafficDNS traffic detected: DNS query: ptyquabrig.betusisave.store
            Source: global trafficDNS traffic detected: DNS query: api.ipify.org
            Source: unknownHTTP traffic detected: POST /m/script.php HTTP/1.1Host: ptyquabrig.betusisave.storeConnection: keep-aliveContent-Length: 220sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://ptyquabrig.betusisave.storeSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ptyquabrig.betusisave.store/m/2b643487bbc7982ff271dda0c2c54c3b.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=6fbc7fcaf203f0b9b388dc5996f3c23e; rt=2b643487bbc7982ff271dda0c2c54c3b.htm
            Source: chromecache_59.2.drString found in binary or memory: https://acctcdn.msauth.net/images/clear1x1.png
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
            Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
            Source: unknownNetwork traffic detected: HTTP traffic on port 49836 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49777
            Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
            Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49777 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
            Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
            Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
            Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49836
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
            Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
            Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
            Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
            Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
            Source: classification engineClassification label: mal76.phis.win@16/27@10/5
            Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2008,i,1092090699780099162,600696839747166947,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
            Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://ptyquabrig.betusisave.store/?email="
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2008,i,1092090699780099162,600696839747166947,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
            Browser Extensions            		1
            Process Injection            		1
            Process Injection            		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media3
            Non-Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive4
            Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
            Ingress Tool Transfer            		Traffic DuplicationData Destruction

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious