Loading... Additional Content is being loaded

Windows Analysis Report
https://infector.sh/index

General Information

Sample URL:	https://infector.sh/index
Analysis ID:	1705195
Infos:	yara

Detection

CAPTCHA Scam ClickFix

Score:	64
Range:	0 - 100
Confidence:	100%

Signatures

AI detected phishing page

Suricata IDS alerts for network traffic

Yara detected CAPTCHA Scam ClickFix

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

Invalid 'forgot password' link found

Invalid T&C link found

Classification

Signatures

Phishing

AI detected phishing page

Source: https://infector.sh/index

Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'infector.sh' does not match the legitimate domain for Microsoft., The domain 'infector.sh' is suspicious as it does not relate to Microsoft and uses an unusual domain extension '.sh'., The presence of input fields like 'Email, phone, or Skype' suggests an attempt to collect sensitive information, which is common in phishing sites. DOM: 0.0.pages.csv

Yara detected CAPTCHA Scam ClickFix

Source: Yara match	File source: 0.1.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_49, type: DROPPED

HTML body contains low number of good links

Source: https://infector.sh/index

HTTP Parser: Number of links: 0

HTML body contains password input but no form action

Source: https://infector.sh/index

HTTP Parser: <input type="password" .../> found but no <form action="...

HTML title does not match URL

Source: https://infector.sh/index

HTTP Parser: Title: Sign in to your Microsoft account does not match URL

Invalid 'forgot password' link found

Source: https://infector.sh/index

HTTP Parser: Invalid link: Forgot password?

Invalid T&C link found

Source: https://infector.sh/index	HTTP Parser: Invalid link: Terms of use
Source: https://infector.sh/index	HTTP Parser: Invalid link: Privacy & cookies
Source: https://infector.sh/index	HTTP Parser: Invalid link: Terms of use
Source: https://infector.sh/index	HTTP Parser: Invalid link: Privacy & cookies

Source: https://infector.sh/index

HTTP Parser: Iframe src: clickfix

Source: https://infector.sh/index

HTTP Parser: <input type="password" .../> found

Source: https://infector.sh/index

HTTP Parser: No favicon

Source: https://infector.sh/index	HTTP Parser: No <meta name="author".. found
Source: https://infector.sh/index	HTTP Parser: No <meta name="author".. found

Source: https://infector.sh/index	HTTP Parser: No <meta name="copyright".. found
Source: https://infector.sh/index	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.9:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.227.208:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.9:49712 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2058473 - Severity 1 - ET MALWARE Observed ClickFix Powershell Delivery Page Inbound : 130.51.23.140:443 -> 192.168.2.9:49697

Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.73.143
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.63
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.94
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.94
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208

Source: global traffic	HTTP traffic detected: GET /index HTTP/1.1Host: infector.shConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/app.js HTTP/1.1Host: infector.shConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://infector.sh/indexAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/favicon.ico HTTP/1.1Host: infector.shConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://infector.sh/indexAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=kBUXzdk7tC9LXCO&MD=fZzy5pta HTTP/1.1host: slscr.update.microsoft.comaccept: /user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Source: global traffic	HTTP traffic detected: GET /clickfix HTTP/1.1Host: infector.shConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://infector.sh/indexAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=kBUXzdk7tC9LXCO&MD=fZzy5pta HTTP/1.1host: slscr.update.microsoft.comaccept: /user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: infector.sh

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1host: www.bing.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045content-length: 511cache-control: no-cacheorigin: https://www.bing.comreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: */*accept-language: en-CHcontent-type: text/xmlx-agent-deviceid: 01000A4109008071x-bm-cbt: 1741354868x-bm-dateformat: dd/MM/yyyyx-bm-devicedimensions: 784x984x-bm-devicedimensionslogical: 784x984x-bm-devicescale: 100x-bm-dtz: 0x-bm-market: CHx-bm-theme: 000000;0078d7x-bm-windowsflights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124117A5,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E,FX:12CDE644,FX:12D1574C,FX:12D281C4,FX:12E8312D,FX:12EC0B54,FX:12F0AC91,FX:12FF5D3C,FX:13083122,FX:13143E2F,FX:1318CA30,FX:1318CAEE,FX:1318CAEF,FX:1318CBED,FX:1318CBF1,FX:13214552,FX:13283A3B,FX:133A07C7,FX:133BFFE3,FX:13404069,FX:134128A5,FX:1342B470,FX:13499FAF,FX:134B0F33,FX:1355BA1D,FX:135DF0BBx-device-clientsession: A1A2AC28AE634D2FA6586B168043CEABx-device-isoptin: falsex-device-machineid: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}x-device-ossku: 48x-device-touch: fa

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-length: 0date: Tue, 03 Jun 2025 17:16:57 GMT
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-length: 0date: Tue, 03 Jun 2025 17:16:57 GMT

Source: chromecache_50.1.dr	String found in binary or memory: https://github.com/Octagon-simon/microsoft-login-clone/tree/main
Source: chromecache_49.1.dr	String found in binary or memory: https://infector.sh/hdrs
Source: chromecache_49.1.dr	String found in binary or memory: https://www.cloudflare.com/?utm_source=challenge&utm_campaign=
Source: chromecache_49.1.dr	String found in binary or memory: https://www.cloudflare.com/privacypolicy/
Source: chromecache_49.1.dr	String found in binary or memory: https://www.cloudflare.com/website-terms/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.9:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.227.208:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.9:49712 version: TLS 1.2

Source: classification engine

Classification label: mal64.phis.win@21/8@4/3

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2044,i,15948481530305296831,5204982787352517307,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2108 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://infector.sh/index"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2044,i,15948481530305296831,5204982787352517307,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2108 /prefetch:3			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

AI Summary

Source: https://infector.sh/index

# Phishing Threat Analysis: Microsoft Brand Impersonation

## Threat Overview
A sophisticated phishing attempt targeting Microsoft users has been detected, using a deceptive login page to harvest user credentials through brand impersonation.

## Key Findings

### Brand Impersonation Tactics
- The attacker has created a pixel-perfect replica of a legitimate Microsoft sign-in page
- Leverages the official Microsoft logo and login interface design to appear authentic
- Hosted on a suspicious domain 'infector.sh', which is unrelated to Microsoft

### Credential Harvesting Mechanism
- Presents a familiar login interface requesting:
  - Email, phone, or Skype credentials
  - Includes "No account? Create one!" and "Sign in with a security key" options to mimic genuine Microsoft login flow
- Strategic placement of input fields designed to trick users into voluntarily submitting sensitive authentication information

### Technical Red Flags
- Domain mismatch: 'infector.sh' vs legitimate 'microsoft.com'
- Unusual top-level domain '.sh' signals potential malicious infrastructure
- High risk score of 9/10 indicating a high-confidence phishing attempt

## Conclusion
This phishing site represents a carefully crafted impersonation of Microsoft's login page, engineered to deceive users and capture their credentials through visual mimicry and social engineering techniques.

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.138.99	www.google.com	United States		15169	GOOGLEUS	false
130.51.23.140	infector.sh	Reserved		15601	BaringInvestmentServicesGB	true

Private

IP
192.168.2.9

Contacted Domains

Name	IP	Active
www.google.com	142.250.138.99	true
infector.sh	130.51.23.140	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://c.pki.goog/r/r4.crl	false		high
https://infector.sh/index	true		unknown
https://infector.sh/assets/favicon.ico	true		unknown
https://infector.sh/assets/app.js	true		unknown
https://infector.sh/clickfix	true		unknown

Name	Type	MD5	SHA1	SHA256
Chrome Cache Entry: 47	gzip compressed data, max compression, truncated	8F5D1BCD40FE2D360819C01A59AB7A56	04EF4B3654056DB95992A8E4F4E6FF1FD584F309	EB36CCBA07BEB1EF1EACD8E48A783C557483DD8C27033A19BEEC96F86459BD89
Chrome Cache Entry: 48	gzip compressed data, max compression, original size modulo 2^32 32	822B3E1C9A80D38A21B1CA72FBB405FF	4A95D57B3B54B7AF8B7306A8A93A30FB633469C6	BA0847E6558E8D342496B3B2A9E97BE84F93DE9D03E098D3F33AED95AFC53E4E
Chrome Cache Entry: 49	HTML document, ASCII text, with very long lines (51354)	8E0F5963C61608C54D661F7E91C9A522	475447E64F59F908ABD77DAB7A313B906E692D8F	788F1733F0A80F3566E7518F36DA75BFB21298FC493D4951B77C132FE2B228ED
Chrome Cache Entry: 50	HTML document, ASCII text, with very long lines (1947)	43CDDC41A8139D36D2F096EEB30E65FC	7BA09DCD33739409920C92A9C0D20503CB2CED41	5F09D3F10EEB12CEA71CD0727F99247217995D6A0B57D523B4CDCD47C38CDB6C

Phishing

AI detected phishing page

Source: https://infector.sh/index

Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'infector.sh' does not match the legitimate domain for Microsoft., The domain 'infector.sh' is suspicious as it does not relate to Microsoft and uses an unusual domain extension '.sh'., The presence of input fields like 'Email, phone, or Skype' suggests an attempt to collect sensitive information, which is common in phishing sites. DOM: 0.0.pages.csv

Yara detected CAPTCHA Scam ClickFix

Source: Yara match	File source: 0.1.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_49, type: DROPPED

HTML body contains low number of good links

Source: https://infector.sh/index

HTTP Parser: Number of links: 0

HTML body contains password input but no form action

Source: https://infector.sh/index

HTTP Parser: <input type="password" .../> found but no <form action="...

HTML title does not match URL

Source: https://infector.sh/index

HTTP Parser: Title: Sign in to your Microsoft account does not match URL

Invalid 'forgot password' link found

Source: https://infector.sh/index

HTTP Parser: Invalid link: Forgot password?

Invalid T&C link found

Source: https://infector.sh/index	HTTP Parser: Invalid link: Terms of use
Source: https://infector.sh/index	HTTP Parser: Invalid link: Privacy & cookies
Source: https://infector.sh/index	HTTP Parser: Invalid link: Terms of use
Source: https://infector.sh/index	HTTP Parser: Invalid link: Privacy & cookies

Source: https://infector.sh/index

HTTP Parser: Iframe src: clickfix

Source: https://infector.sh/index

HTTP Parser: <input type="password" .../> found

Source: https://infector.sh/index

HTTP Parser: No favicon

Source: https://infector.sh/index	HTTP Parser: No <meta name="author".. found
Source: https://infector.sh/index	HTTP Parser: No <meta name="author".. found

Source: https://infector.sh/index	HTTP Parser: No <meta name="copyright".. found
Source: https://infector.sh/index	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.9:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.227.208:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.9:49712 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2058473 - Severity 1 - ET MALWARE Observed ClickFix Powershell Delivery Page Inbound : 130.51.23.140:443 -> 192.168.2.9:49697

Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.73.143
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.104.63
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.94
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.94
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208

Source: global traffic	HTTP traffic detected: GET /index HTTP/1.1Host: infector.shConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/app.js HTTP/1.1Host: infector.shConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://infector.sh/indexAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/favicon.ico HTTP/1.1Host: infector.shConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://infector.sh/indexAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=kBUXzdk7tC9LXCO&MD=fZzy5pta HTTP/1.1host: slscr.update.microsoft.comaccept: /user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Source: global traffic	HTTP traffic detected: GET /clickfix HTTP/1.1Host: infector.shConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: https://infector.sh/indexAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=kBUXzdk7tC9LXCO&MD=fZzy5pta HTTP/1.1host: slscr.update.microsoft.comaccept: /user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: infector.sh

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1host: www.bing.comuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045content-length: 511cache-control: no-cacheorigin: https://www.bing.comreferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Initaccept: */*accept-language: en-CHcontent-type: text/xmlx-agent-deviceid: 01000A4109008071x-bm-cbt: 1741354868x-bm-dateformat: dd/MM/yyyyx-bm-devicedimensions: 784x984x-bm-devicedimensionslogical: 784x984x-bm-devicescale: 100x-bm-dtz: 0x-bm-market: CHx-bm-theme: 000000;0078d7x-bm-windowsflights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124117A5,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E,FX:12CDE644,FX:12D1574C,FX:12D281C4,FX:12E8312D,FX:12EC0B54,FX:12F0AC91,FX:12FF5D3C,FX:13083122,FX:13143E2F,FX:1318CA30,FX:1318CAEE,FX:1318CAEF,FX:1318CBED,FX:1318CBF1,FX:13214552,FX:13283A3B,FX:133A07C7,FX:133BFFE3,FX:13404069,FX:134128A5,FX:1342B470,FX:13499FAF,FX:134B0F33,FX:1355BA1D,FX:135DF0BBx-device-clientsession: A1A2AC28AE634D2FA6586B168043CEABx-device-isoptin: falsex-device-machineid: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}x-device-ossku: 48x-device-touch: fa

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-length: 0date: Tue, 03 Jun 2025 17:16:57 GMT
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-length: 0date: Tue, 03 Jun 2025 17:16:57 GMT

Source: chromecache_50.1.dr	String found in binary or memory: https://github.com/Octagon-simon/microsoft-login-clone/tree/main
Source: chromecache_49.1.dr	String found in binary or memory: https://infector.sh/hdrs
Source: chromecache_49.1.dr	String found in binary or memory: https://www.cloudflare.com/?utm_source=challenge&utm_campaign=
Source: chromecache_49.1.dr	String found in binary or memory: https://www.cloudflare.com/privacypolicy/
Source: chromecache_49.1.dr	String found in binary or memory: https://www.cloudflare.com/website-terms/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.9:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.227.208:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.9:49712 version: TLS 1.2

Source: classification engine

Classification label: mal64.phis.win@21/8@4/3

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2044,i,15948481530305296831,5204982787352517307,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2108 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://infector.sh/index"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2044,i,15948481530305296831,5204982787352517307,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2108 /prefetch:3			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected