
Analysis Report https://u1699748.ct.sendgrid.net/ls/click?upn=Tq6yiGCKpWixGK98qoglKwLmWWZ7F1kMSDKBQKR12McrgLNWJUOUG7NxrQzNoTrRucxGrGxGPuTuX1OknPhquXK1I9uYaWi3MVAI4pnRHHE-3DlvvT_UBYKePGbZonskOFro-2B-2FRipPoVkAMfcu9G29-2FWY6jkNHo5mjR4L96sFfG2-2FxxWI655ZcWALjXo8fCy5-2Frx2g4sasITMRZp4PV9m5Zlzk0G62LxxLUzSiyskyXlPPZjRbEzbMygCZA7HCBTB7z6unreGk4sK373mPpJP7z9-2FdWka-2Bf-2FxMVck7b5oRzTGYeGr952xN4f7-2BGxu8njwri-2BqzQ8Q-3D-3D

Overview

General Information

Sample URL: https://u1699748.ct.sendgrid.net/ls/click?upn=Tq6yiGCKpWixGK98qoglKwLmWWZ7F1kMSDKBQKR12McrgLNWJUOUG7NxrQzNoTrRucxGrGxGPuTuX1OknPhquXK1I9uYaWi3MVAI4pnRHHE-3DlvvT_UBYKePGbZonskOFro-2B-2FRipPoVkAMfcu9G29-2FWY6jkNHo5mjR4L96sFfG2-2FxxWI655ZcWALjXo8fCy5-2Frx2g4sasITMRZp4PV9m5Zlzk0G62LxxLUzSiyskyXlPPZjRbEzbMygCZA7HCBTB7z6unreGk4sK373mPpJP7z9-2FdWka-2Bf-2FxMVck7b5oRzTGYeGr952xN4f7-2BGxu8njwri-2BqzQ8Q-3D-3D

Most interesting Screenshot:

Detection

Phisher
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Yara detected HtmlPhish_10
Yara detected Phisher
HTML body contains low number of good links
HTML title does not match URL
Suspicious form URL found

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 4312 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5088 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4312 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\5N37O3UG\general[1].htm | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security | 
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\5N37O3UG\cn[1].htm | JoeSecurity_Phisher_1 | Yara detected Phisher | Joe Security | 

      Sigma Overview

      No Sigma rule has matched

      Signature Overview


      AV Detection:

      Antivirus detection for dropped file
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\5N37O3UG\cn[1].htm; Avira: detection malicious, Label: HTML/Infected.WebPage.Gen2

      Phishing:

      Yara detected HtmlPhish_10
      Source: Yara match; File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\5N37O3UG\general[1].htm, type: DROPPED
      Yara detected Phisher
      Source: Yara match; File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\5N37O3UG\cn[1].htm, type: DROPPED
      Source: https://codlagnostics.com/general/?email=msh@sampension.dk; HTTP Parser: Number of links: 0
      Source: https://codlagnostics.com/general/?email=msh@sampension.dk; HTTP Parser: Title: Sampension Webmail - Login Page does not match URL
      Source: https://codlagnostics.com/general/?email=msh@sampension.dk; HTTP Parser: Form action: processlogin.php
      Source: https://codlagnostics.com/general/?email=msh@sampension.dk; HTTP Parser: No <meta name="author".. found
      Source: https://codlagnostics.com/general/?email=msh@sampension.dk; HTTP Parser: No <meta name="copyright".. found
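The HTTP-parser findings above (zero links, a title naming Sampension on a codlagnostics.com URL, a credential form posting to the relative processlogin.php, no author or copyright meta tags) are the kind of heuristic a Phisher-style signature computes. The Python below is an added example, not Joe Sandbox's own code or rules: it runs equivalent checks over a constructed page modelled on what the report observed, next to a constructed control page on the brand's own host, so the checks can be seen to discriminate. The link threshold, the brand-label heuristic and both sample pages are assumptions of this example.

```python
"""Phishing-page heuristics of the kind the report's 'Phisher' signatures
describe (link count, title/URL mismatch, form action, missing meta tags),
run over a constructed page that reproduces what the report observed.
Added example; not Joe Sandbox code. Thresholds and samples are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample modelled on the report: the landing URL, its title, the
# relative form action and the resources it pulls from other hosts.
PHISH_URL = "https://codlagnostics.com/general/?email=msh@sampension.dk"
PHISH_HTML = """<html><head><title>Sampension Webmail - Login Page</title>
<link rel="shortcut icon" href="https://sampension.dk/favicon.ico">
<script src="https://altmail.blacknight.com/js/xp.js"></script></head>
<body><form method="post" action="processlogin.php">
<input name="user" value="msh@sampension.dk">
<input type="password" name="pass"><input type="submit" value="Sign in">
</form></body></html>"""

# Constructed control: the same login page as the brand's own host would serve it.
LEGIT_URL = "https://webmail.sampension.dk/login"
LEGIT_HTML = """<html><head><title>Sampension Webmail - Login Page</title>
<meta name="author" content="Sampension"><meta name="copyright" content="Sampension">
</head><body><a href="/help">Help</a> <a href="/privacy">Privacy</a> <a href="/contact">Contact</a>
<form method="post" action="processlogin.php">
<input name="user"><input type="password" name="pass"></form></body></html>"""

MIN_GOOD_LINKS = 3  # assumed threshold; the report does not publish its own
GENERIC_LABELS = {"www", "com", "net", "org", "dk", "mail", "webmail", "login"}


class PageFeatures(HTMLParser):
    """Collects the handful of page features the heuristics below need."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.links = []          # href of every <a>
        self.form_actions = []   # action of every <form> ("" if absent)
        self.meta_names = set()  # lower-cased <meta name=...> values
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def brand_labels(host):
    """Host labels that could name a brand (drops TLDs and generic words)."""
    return {l for l in host.lower().split(".") if len(l) > 2 and l not in GENERIC_LABELS}


def title_matches_host(title, host):
    """True when some brand-like label of the host appears in the page title."""
    return any(label in title.lower() for label in brand_labels(host))


def analyse(url, html):
    """Return the list of heuristic findings for one page, in the report's wording."""
    page = PageFeatures()
    page.feed(html)
    host = urlparse(url).hostname or ""
    findings = []
    if len(page.links) < MIN_GOOD_LINKS:
        findings.append("HTML body contains low number of good links")
    if not title_matches_host(page.title, host):
        findings.append(f"HTML title does not match URL: {page.title!r} on {host}")
    for action in page.form_actions:
        target = urljoin(url, action)  # a relative action resolves to the serving host
        target_host = urlparse(target).hostname or ""
        if page.password_fields and not title_matches_host(page.title, target_host):
            findings.append(f"Suspicious form URL found: {action} -> {target}")
    for name in ("author", "copyright"):
        if name not in page.meta_names:
            findings.append(f'No <meta name="{name}"> found')
    return findings


if __name__ == "__main__":
    for label, url, html in (("phish", PHISH_URL, PHISH_HTML), ("control", LEGIT_URL, LEGIT_HTML)):
        print(label, analyse(url, html))
```

The form check is the one that carries most weight: a password form whose resolved action lands on a host that does not name the brand in the title is exactly the "relative processlogin.php on codlagnostics.com" pattern the report flagged, while the same relative action on webmail.sampension.dk passes.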

      Source: global traffic; HTTP traffic detected:
        GET /favicon.ico HTTP/1.1
        Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
        Accept-Language: en-US
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
        Accept-Encoding: gzip, deflate
        Host: sampension.dk
        Connection: Keep-Alive
      Source: global traffic; HTTP traffic detected:
        GET /favicon.ico HTTP/1.1
        User-Agent: AutoIt
        Host: sampension.dk
      Source: msapplication.xml0.1.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7adc4fde,0x01d64ae7</date><accdate>0x7adc4fde,0x01d64ae7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
      Source: msapplication.xml0.1.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7adc4fde,0x01d64ae7</date><accdate>0x7adc4fde,0x01d64ae7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
      Source: msapplication.xml5.1.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7ae1ad47,0x01d64ae7</date><accdate>0x7ae1ad47,0x01d64ae7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
      Source: msapplication.xml5.1.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7ae1ad47,0x01d64ae7</date><accdate>0x7ae1ad47,0x01d64ae7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
      Source: msapplication.xml7.1.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7ae40f8f,0x01d64ae7</date><accdate>0x7ae40f8f,0x01d64ae7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
      Source: msapplication.xml7.1.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7ae40f8f,0x01d64ae7</date><accdate>0x7ae40f8f,0x01d64ae7</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
      Source: unknown; DNS traffic detected: queries for: u1699748.ct.sendgrid.net
      Source: jquery-1.3.2.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/License
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Accordion
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Datepicker
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Dialog
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Draggables
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Droppables
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/Blind
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/Bounce
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/Clip
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/Drop
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/Explode
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/Fold
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/Highlight
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/Pulsate
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/Scale
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/Shake
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/Slide
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Effects/Transfer
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Progressbar
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Resizables
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Selectables
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Slider
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Sortables
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Tabs
      Source: jquery-1.3.2.min[1].js.2.dr; String found in binary or memory: http://jquery.com/
      Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://jqueryui.com/about)
      Source: general[1].htm.2.dr; String found in binary or memory: http://sampension.dk/favicon.ico
      Source: jquery-1.3.2.min[1].js.2.dr; String found in binary or memory: http://sizzlejs.com/
      Source: xp[1].js.2.dr; String found in binary or memory: http://webbasedemail.com/question.ehtml?admin=
      Source: msapplication.xml.1.dr; String found in binary or memory: http://www.amazon.com/
      Source: msapplication.xml1.1.dr; String found in binary or memory: http://www.google.com/
      Source: msapplication.xml2.1.dr; String found in binary or memory: http://www.live.com/
      Source: msapplication.xml3.1.dr; String found in binary or memory: http://www.nytimes.com/
      Source: msapplication.xml4.1.dr; String found in binary or memory: http://www.reddit.com/
      Source: msapplication.xml5.1.dr; String found in binary or memory: http://www.twitter.com/
      Source: msapplication.xml6.1.dr; String found in binary or memory: http://www.wikipedia.com/
      Source: msapplication.xml7.1.dr; String found in binary or memory: http://www.youtube.com/
      Source: general[1].htm.2.dr; String found in binary or memory: https://altmail.blacknight.com/css/jquery.ui.dialog.css
      Source: general[1].htm.2.dr; String found in binary or memory: https://altmail.blacknight.com/css/lang.css?6.20.13
      Source: general[1].htm.2.dr; String found in binary or memory: https://altmail.blacknight.com/js/browsercheck.js
      Source: general[1].htm.2.dr; String found in binary or memory: https://altmail.blacknight.com/js/jQuery/jquery-1.3.2.min.js
      Source: general[1].htm.2.dr; String found in binary or memory: https://altmail.blacknight.com/js/jQuery/ui/jquery-ui-1.7.2.custom.min.js
      Source: general[1].htm.2.dr; String found in binary or memory: https://altmail.blacknight.com/js/rememberme.js
      Source: general[1].htm.2.dr; String found in binary or memory: https://altmail.blacknight.com/js/xp.js
      Source: ~DF06F7737DF7124EC7.TMP.1.dr, cn[1].htm.2.dr; String found in binary or memory: https://codlagnostics.com/general/?email=msh
      Source: {A46B0B9A-B6DA-11EA-AAE7-9CC1A2A860C6}.dat.1.dr; String found in binary or memory: https://codlagnostics.wp-content/themes/cn.php?e=msh
      Source: imagestore.dat.2.dr; String found in binary or memory: https://malarouge.com/favicon.icoa
      Source: ~DF06F7737DF7124EC7.TMP.1.dr, {A46B0B9A-B6DA-11EA-AAE7-9CC1A2A860C6}.dat.1.dr; String found in binary or memory: https://malarouge.com/wp-content/themes/cn.php?e=msh
      Source: general[1].htm.2.dr; String found in binary or memory: https://sampension.dk/favicon.ico
      Source: general[1].htm.2.dr; String found in binary or memory: https://sampension.dk/images/favicon.ico
      Source: unknown; Network traffic detected: HTTP traffic between port 443 and local ports 49703-49708, 49711-49718 and 49720 (15 connections, each seen in both directions)
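The string and DNS hits above are where the redirect chain surfaces (SendGrid click tracking on u1699748.ct.sendgrid.net, then codlagnostics.com and malarouge.com), mixed with noise from the sandbox's own IE profile (the msapplication.xml tile configs pointing at facebook, twitter, youtube and the like, with favourites under C:\Users\user\Favorites) and with documentation URLs embedded in the bundled jQuery builds. The Python below is an added example, not part of the report or of Joe Sandbox: it parses lines in the report's shape, classifies each dropped file by what it is, and returns the hosts that the served pages and browser state reference, minus the impersonated brand. The source classes and the sample lines (a subset of those above, reconstructed in the report's format) are this example's assumptions. A host such as altmail.blacknight.com, from which the page hot-links its CSS and JavaScript, still needs analyst review: the report does not say whether it is attacker-controlled or a legitimate site whose assets the kit borrows, which is why the function labels its output candidates.

```python
"""Triage of the report's 'String found in binary or memory' lines: pull the
URLs, group them by the dropped file they came from, and separate hosts that
the phishing page itself references from sandbox baseline noise (IE tile
configs) and bundled-library comments (jQuery docs). Added example; not part
of the report or Joe Sandbox. Source classes and sample lines are assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the report's lines, in the report's shape.
SAMPLE_LINES = """\
Source: general[1].htm.2.dr; String found in binary or memory: https://altmail.blacknight.com/js/xp.js
Source: general[1].htm.2.dr; String found in binary or memory: https://altmail.blacknight.com/js/jQuery/jquery-1.3.2.min.js
Source: general[1].htm.2.dr; String found in binary or memory: https://sampension.dk/favicon.ico
Source: general[1].htm.2.dr; String found in binary or memory: http://sampension.dk/favicon.ico
Source: ~DF06F7737DF7124EC7.TMP.1.dr, cn[1].htm.2.dr; String found in binary or memory: https://codlagnostics.com/general/?email=msh
Source: ~DF06F7737DF7124EC7.TMP.1.dr, {A46B0B9A-B6DA-11EA-AAE7-9CC1A2A860C6}.dat.1.dr; String found in binary or memory: https://malarouge.com/wp-content/themes/cn.php?e=msh
Source: imagestore.dat.2.dr; String found in binary or memory: https://malarouge.com/favicon.icoa
Source: jquery-1.3.2.min[1].js.2.dr; String found in binary or memory: http://jquery.com/
Source: jquery-ui-1.7.2.custom.min[1].js.2.dr; String found in binary or memory: http://docs.jquery.com/UI/Dialog
Source: msapplication.xml1.1.dr; String found in binary or memory: http://www.google.com/
Source: msapplication.xml5.1.dr; String found in binary or memory: http://www.twitter.com/
Source: unknown; DNS traffic detected: queries for: u1699748.ct.sendgrid.net
"""

# The ';' after the source list is optional so raw (unreformatted) lines parse too.
HIT_RE = re.compile(r"^Source:\s+(?P<sources>.+?);?\s+String found in binary or memory:\s+(?P<url>\S+)\s*$")
DNS_RE = re.compile(r"DNS traffic detected: queries for:\s+(?P<name>\S+)")


def source_class(src):
    """Classify a dropped-file name by what it is, so its URLs can be weighted."""
    if src.startswith("msapplication.xml"):
        return "ie_tile_baseline"   # IE's default tile configs (google, twitter, ...)
    if ".js." in src:
        return "bundled_library"    # license/doc URLs embedded in jQuery builds
    if ".htm." in src:
        return "page"               # the served phishing pages themselves
    return "browser_state"          # .dat/.TMP history, recovery and image stores


def parse_hits(text):
    """Return (source_file, class, url) triples; one hit may list several sources."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue
        for src in (s.strip() for s in m["sources"].split(",")):
            hits.append((src, source_class(src), m["url"]))
    return hits


def dns_names(text):
    """Names from the report's DNS lines (here: the click-tracking host)."""
    return [m["name"] for m in DNS_RE.finditer(text)]


def hosts_by_class(hits):
    """Map each source class to the set of hosts its URLs point at."""
    out = defaultdict(set)
    for _, cls, url in hits:
        host = urlparse(url).hostname
        if host:
            out[cls].add(host)
    return dict(out)


def candidate_iocs(text, impersonated=frozenset()):
    """Hosts referenced by the served pages or browser state, plus DNS names,
    minus the impersonated brand (its favicon is loaded to look authentic, but
    it is the victim, not attacker infrastructure). Output still needs review:
    hot-linked asset hosts may be legitimate sites the kit borrows from."""
    groups = hosts_by_class(parse_hits(text))
    hosts = groups.get("page", set()) | groups.get("browser_state", set())
    return sorted((hosts - set(impersonated)) | set(dns_names(text)))


if __name__ == "__main__":
    print(hosts_by_class(parse_hits(SAMPLE_LINES)))
    print(candidate_iocs(SAMPLE_LINES, impersonated={"sampension.dk"}))
```

Splitting the hits by source class is what keeps the baseline tile configs and the jQuery documentation URLs out of a blocklist; running the report's full string section through the same parser yields the same four candidate hosts.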

      Source: classification engine; Classification label: mal64.phis.win@3/30@6/5
      Source: C:\Program Files\internet explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A46B0B98-B6DA-11EA-AAE7-9CC1A2A860C6}.dat
      Source: C:\Program Files\internet explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Temp\~DF323550280A322CE6.TMP
      Source: C:\Program Files\internet explorer\iexplore.exe; File read: C:\Users\desktop.ini
      Source: unknown; Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
      Source: unknown; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4312 CREDAT:17410 /prefetch:2
      Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4312 CREDAT:17410 /prefetch:2
      Source: Window Recorder; Window detected: More than 3 window changes detected
      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

      Mitre Att&ck Matrix

      Techniques per tactic; a count in parentheses is the number of matching signatures, and techniques without a count are the matrix's unmatched placeholder cells.

      • Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
      • Execution: Graphical User Interface (1), Service Execution, Windows Management Instrumentation, Scheduled Task
      • Persistence: Winlogon Helper DLL, Port Monitors, Accessibility Features, System Firmware
      • Privilege Escalation: Process Injection (1), Accessibility Features, Path Interception, DLL Search Order Hijacking
      • Defense Evasion: Masquerading (1), Process Injection (1), Obfuscated Files or Information (1), Obfuscated Files or Information
      • Credential Access: Credential Dumping, Network Sniffing, Input Capture, Credentials in Files
      • Discovery: File and Directory Discovery (1), Application Window Discovery, Query Registry, System Network Configuration Discovery
      • Lateral Movement: Remote File Copy (1), Remote Services, Windows Remote Management, Logon Scripts
      • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
      • Exfiltration: Data Compressed, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted
      • Command and Control: Standard Cryptographic Protocol (2), Standard Non-Application Layer Protocol (2), Standard Application Layer Protocol (3), Remote File Copy (1)
      • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
      • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Premium SMS Toll Fraud
      • Impact: Modify System Partition, Device Lockout, Delete Device Data

      Behavior Graph


      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.