Loading ...

Play interactive tourEdit tour

Analysis Report #U266bWaV_M39.html

Overview

General Information

Sample Name:#U266bWaV_M39.html
MD5:6c0a1e72b053157d7a47056467c67cde
SHA1:072f5a12a8293117928fbb884d67a67adabaa66d
SHA256:961d8e2b4bb9221e82e5a8a3cb89379086d1ea39973e686bda396f5f046a7fea

Most interesting Screenshot:

Detection

Phisher
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for sample
Yara detected Phisher
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
#U266bWaV_M39.htmlJoeSecurity_Phisher_1Yara detected PhisherJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Antivirus detection for sampleShow sources
    Source: #U266bWaV_M39.htmlAvira: detection malicious, Label: HTML/Infected.WebPage.Gen2

    Phishing:

    barindex
    Yara detected PhisherShow sources
    Source: Yara matchFile source: #U266bWaV_M39.html, type: SAMPLE

    Source: unknownDNS traffic detected: query: micrsoft-acountvalidate.site replaycode: Name error (3)
    Source: msapplication.xml0.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7d905d62,0x01d62a6f</date><accdate>0x7d905d62,0x01d62a6f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
    Source: msapplication.xml0.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7d905d62,0x01d62a6f</date><accdate>0x7d905d62,0x01d62a6f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
    Source: msapplication.xml5.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7dc1b029,0x01d62a6f</date><accdate>0x7dc1b029,0x01d62a6f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
    Source: msapplication.xml5.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7dc1b029,0x01d62a6f</date><accdate>0x7dc1b029,0x01d62a6f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
    Source: msapplication.xml7.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7dc42591,0x01d62a6f</date><accdate>0x7dc42591,0x01d62a6f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
    Source: msapplication.xml7.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7dc42591,0x01d62a6f</date><accdate>0x7dc42591,0x01d62a6f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
    Source: unknownDNS traffic detected: queries for: micrsoft-acountvalidate.site
    Source: msapplication.xml.1.drString found in binary or memory: http://www.amazon.com/
    Source: msapplication.xml1.1.drString found in binary or memory: http://www.google.com/
    Source: msapplication.xml2.1.drString found in binary or memory: http://www.live.com/
    Source: msapplication.xml3.1.drString found in binary or memory: http://www.nytimes.com/
    Source: msapplication.xml4.1.drString found in binary or memory: http://www.reddit.com/
    Source: msapplication.xml5.1.drString found in binary or memory: http://www.twitter.com/
    Source: msapplication.xml6.1.drString found in binary or memory: http://www.wikipedia.com/
    Source: msapplication.xml7.1.drString found in binary or memory: http://www.youtube.com/
    Source: #U266bWaV_M39.htmlString found in binary or memory: https://micrsoft-acountvalidate.site/?email=angelique&#46;grado
    Source: ~DF58675EDD56744D95.TMP.1.drString found in binary or memory: https://micrsoft-acountvalidate.site/?email=angelique.grado

    Source: classification engineClassification label: mal56.phis.winHTML@3/20@3/0
    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF959B23EB2DA1E3D5.TMPJump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
    Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5360 CREDAT:17410 /prefetch:2
    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5360 CREDAT:17410 /prefetch:2Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsGraphical User Interface1Winlogon Helper DLLProcess Injection1Masquerading1Credential DumpingFile and Directory Discovery1Application Deployment SoftwareData from Local SystemData CompressedStandard Non-Application Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesProcess Injection1Network SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 230381 Sample: #U266bWaV_M39.html Startdate: 14/05/2020 Architecture: WINDOWS Score: 56 13 Antivirus detection for sample 2->13 15 Yara detected Phisher 2->15 6 iexplore.exe 3 84 2->6         started        process3 process4 8 iexplore.exe 36 6->8         started        dnsIp5 11 micrsoft-acountvalidate.site 8->11

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.