Windows Analysis Report
4G1n4pmjH3.html

General Information

Sample name: 4G1n4pmjH3.html
renamed because original name is a hash value
Original sample name: b56a47d08edf4a0f1b1956e86b7e2b78174022c3b301d520cf15cf612749cee7.html
Analysis ID: 1703181
Has dependencies: false
MD5: 707400fc80c4466466c1f05494ff652b
SHA1: ff7496bb48687961d3e64c90abadb5681217027b
SHA256: b56a47d08edf4a0f1b1956e86b7e2b78174022c3b301d520cf15cf612749cee7
Tags: html, sdfwer234-com, user-JAMESWT_WT
Infos: yara

Detection

CAPTCHA Scam ClickFix
Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected CAPTCHA Scam ClickFix
Suspicious Javascript code found in HTML file
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware

Classification

AV Detection

Source: 4G1n4pmjH3.html Virustotal: Detection: 32%
Source: 4G1n4pmjH3.html ReversingLabs: Detection: 36%

Phishing

Source: Yara match File source: 4G1n4pmjH3.html, type: SAMPLE
Source: Yara match File source: 0.0.pages.csv, type: HTML
Source: 4G1n4pmjH3.html HTTP Parser: .location
Source: 4G1n4pmjH3.html HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/4G1n4pmjH3.html HTTP Parser: No favicon
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: unknown HTTPS traffic detected: 150.171.28.254:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: Joe Sandbox View IP Address: 104.21.48.1
Source: Joe Sandbox View IP Address: 104.21.27.152
Source: Joe Sandbox View IP Address: 104.21.96.1
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown TCP traffic detected without corresponding DNS query: 150.171.28.254
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zZ3w7YWrFPxOB31&MD=gulZsSlr HTTP/1.1
  host: slscr.update.microsoft.com
  accept: */*
  user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Source: global traffic HTTP traffic detected: GET /apc/trans.gif?fcb56c85667cf95d3e6d7dffe46dcc7d HTTP/1.1
  host: ax-ring.msedge.net
  referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
  accept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
  accept-language: en-CH
  accept-encoding: gzip, deflate, br
  user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic HTTP traffic detected: GET /apc/trans.gif?41daae4991a558c007bc1c761ae255a6 HTTP/1.1
  host: ax-ring.msedge.net
  referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
  accept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
  accept-language: en-CH
  accept-encoding: gzip, deflate, br
  user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Source: global traffic HTTP traffic detected: GET /releases/v5.0.0/css/all.css HTTP/1.1
  host: use.fontawesome.com
  sec-ch-ua-platform: "Windows"
  user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  accept: text/css,*/*;q=0.1
  sec-fetch-site: cross-site
  sec-fetch-mode: no-cors
  sec-fetch-dest: style
  sec-fetch-storage-access: active
  accept-encoding: gzip, deflate, br, zstd
  accept-language: en-US,en;q=0.9
  priority: u=0
Source: global traffic HTTP traffic detected: GET /lander/tradingview/recaptcha-project-browser-transparent.png HTTP/1.1
  host: tradingviewprime.com
  sec-ch-ua-platform: "Windows"
  user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  sec-fetch-site: cross-site
  sec-fetch-mode: no-cors
  sec-fetch-dest: image
  sec-fetch-storage-access: active
  accept-encoding: gzip, deflate, br, zstd
  accept-language: en-US,en;q=0.9
  priority: u=1, i
Source: global traffic HTTP traffic detected: GET /releases/v5.0.0/webfonts/fa-brands-400.woff2 HTTP/1.1
  host: use.fontawesome.com
  origin: null
  sec-ch-ua-platform: "Windows"
  user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  accept: */*
  sec-fetch-site: cross-site
  sec-fetch-mode: cors
  sec-fetch-dest: font
  referer: https://use.fontawesome.com/releases/v5.0.0/css/all.css
  accept-encoding: gzip, deflate, br, zstd
  accept-language: en-US,en;q=0.9
  priority: u=4
Source: global traffic HTTP traffic detected: GET /lander/tradingview/recaptcha-project-browser-transparent.png HTTP/1.1
  host: tradingviewprime.com
  user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  accept: */*
  sec-fetch-site: none
  sec-fetch-mode: cors
  sec-fetch-dest: empty
  sec-fetch-storage-access: active
  accept-encoding: gzip, deflate, br, zstd
  accept-language: en-US,en;q=0.9
  priority: u=1, i
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zZ3w7YWrFPxOB31&MD=gulZsSlr HTTP/1.1
  host: slscr.update.microsoft.com
  accept: */*
  user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Source: global traffic HTTP traffic detected: GET /r/r4.crl HTTP/1.1
  Cache-Control: max-age = 3000
  Connection: Keep-Alive
  Accept: */*
  If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
  User-Agent: Microsoft-CryptoAPI/10.0
  Host: c.pki.goog
Source: global traffic DNS traffic detected: DNS query: c.pki.goog
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: use.fontawesome.com
Source: global traffic DNS traffic detected: DNS query: tradingviewprime.com
Source: 4G1n4pmjH3.html String found in binary or memory: https://sdfwer234.com/13.vbs
Source: 4G1n4pmjH3.html String found in binary or memory: https://tradingviewprime.com/lander/tradingview/recaptcha-project-browser-transparent.png
Source: 4G1n4pmjH3.html String found in binary or memory: https://tradingviewprime.com/lander/tradingview/recaptcha-verify.html
Source: 4G1n4pmjH3.html String found in binary or memory: https://use.fontawesome.com/releases/v5.0.0/css/all.css
Source: 4G1n4pmjH3.html String found in binary or memory: https://www.google.com/intl/en/policies/privacy/
Source: 4G1n4pmjH3.html String found in binary or memory: https://www.google.com/intl/en/policies/terms/
Source: classification engine Classification label: mal60.phis.winHTML@24/7@9/5
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1968,i,2488983959081157426,10894814468624279180,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2232 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1968,i,2488983959081157426,10894814468624279180,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=3852 /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\4G1n4pmjH3.html"
Source: Window Recorder Window detected: More than 3 window changes detected