# Analysis Report http://scanotec.dk/8w1gx8/r0pb0.html

## Overview

### General Information

Sample URL: http://scanotec.dk/8w1gx8/r0pb0.html

### Detection

- Detection: Phisher
- Score: 48 (range 0 - 100)
- Whitelisted: false
- Confidence: 100%

### Signatures

Yara detected Phisher

### Classification

System: w10x64

Process tree:
- iexplore.exe (PID: 1732, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  - iexplore.exe (PID: 1656, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1732 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
- cleanup

## Malware Configuration

No configs have been found

## Yara Overview

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\5N37O3UG\r0pb0[1].htm | JoeSecurity_Phisher_2 | Yara detected Phisher | Joe Security | |

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### Phishing:

Yara detected Phisher
- Source: Yara match; file source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\5N37O3UG\r0pb0[1].htm, type: DROPPED

HTTP traffic detected (source: global traffic)

```http
GET /8w1gx8/r0pb0.html HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: scanotec.dk
Connection: Keep-Alive
```

```http
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: scanotec.dk
Connection: Keep-Alive
```
Found strings which match to known social media urls

Performs DNS lookups
- Source: unknown; DNS traffic detected: queries for: scanotec.dk
HTTP response detected (source: global traffic)

```http
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 26 Jun 2020 13:45:24 GMT
Content-Length: 5177
```

Data Raw, decoded from the hex dump in the report (the dump covers only the start of the 5177-byte body and breaks off inside the page's inline CSS):

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS 7.5 Detailed Error - 404.0 - Not Found</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;background:#CBE1EF;}
code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;}
.config_source code{font-size:.8em;color:#000000;}
pre{margin:0;font-size:1.4em;word-wrap:break-word;}
ul,ol{margin:10px 0 10px 40px;}
ul.first,ol.first{margin-top:5px;}
fieldset{padding:0 15px 10px 15px;}
.summary-container fieldset{padding-bottom:5px;margin-top:4px;}
legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;}
legend{color:#333333;padding:4px 15px 4px 10px;margin:4px 0 8px -12px;_margin-top:0px;
 border-top:1px solid #EDEDED;border-left:1px solid #EDEDED;border-right:1px solid
```

This is the stock IIS 7.5 detailed (not custom) 404 page, which IIS sends to remote clients only when httpErrors errorMode is set to Detailed rather than the DetailedLocalOnly default. The report does not state which of the two requests above this response answered.
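The hex dump is easier to work with once decoded. The following Python is an added example, not part of the Joe Sandbox report: it takes the response header block and a prefix of the raw dump exactly as printed above (cut after the closing title tag), decodes the body, extracts the HTML title, and compares the captured length with Content-Length to show that the dump on the page is truncated.

```python
import re

# Header block of the 404 response, as printed in the report above.
RESPONSE_HEAD = """HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 26 Jun 2020 13:45:24 GMT
Content-Length: 5177"""

# Prefix of the report's "Data Raw" hex dump, copied verbatim up to </title>.
RAW_HEX = """
3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20
22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20
22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f
78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a
3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39
2f 78 68 74 6d 6c 22 3e 20 0a
3c 68 65 61 64 3e 20 0a
3c 74 69 74 6c 65 3e 49 49 53 20 37 2e 35 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34
2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a
"""


def parse_head(text):
    """Split a raw HTTP response head into status line fields and a lower-cased header dict."""
    lines = text.strip().splitlines()
    version, code, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(code), "reason": reason, "headers": headers}


def decode_raw(hexdump):
    """Turn the report's space-separated hex dump (possibly wrapped over lines) into bytes."""
    return bytes.fromhex("".join(hexdump.split()))


def html_title(body):
    """Return the <title> text of an HTML body, or None if there is none."""
    m = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).decode("utf-8", "replace").strip() if m else None


def summarize(head_text, hexdump):
    """Combine head and body into the facts an analyst wants from a sandbox HTTP record."""
    head = parse_head(head_text)
    body = decode_raw(hexdump)
    declared = int(head["headers"].get("content-length", "0"))
    return {
        "status": head["status"],
        "server": head["headers"].get("server"),
        "content_length": declared,
        "captured": len(body),
        # The report prints only the first part of the body, so this is True here.
        "truncated": len(body) < declared,
        "title": html_title(body),
    }


if __name__ == "__main__":
    for key, value in summarize(RESPONSE_HEAD, RAW_HEX).items():
        print(f"{key}: {value}")
```

The same three helpers work on any of the "Data Raw" records Joe Sandbox emits; the Content-Length comparison is the check to run before drawing conclusions from a body that the report only partially shows.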
Urls found in memory or binary data
- ~DF3BA7C0E2516F0BD8.TMP.1.dr: http://scanotec.dk/8w1gx8/r0pb0.html
- {4778CA84-B7B3-11EA-AAE7-9CC1A2A860C6}.dat.1.dr: http://scanotec.dk/8w1gx8/r0pb0.htmlHhttp://sRoot
- ~DF3BA7C0E2516F0BD8.TMP.1.dr: http://scanotec.dk/8w1gx8/r0pb0.htmlHhttp://scanotec.dk/8w1gx8/r0pb0.html
- {4778CA84-B7B3-11EA-AAE7-9CC1A2A860C6}.dat.1.dr: http://scanotec.dk/8w1gx8/r0pb0.htmlHhttp://sm/2l0azne4mepklm7jmepp/Root
- {4778CA84-B7B3-11EA-AAE7-9CC1A2A860C6}.dat.1.dr: http://scanotec.dk/8w1gx8/r0pb0.htmlRoot
- ~DF3BA7C0E2516F0BD8.TMP.1.dr: http://scanotec.dk/8w1gx8/r0pb0.htmlj
- msapplication.xml.1.dr: http://www.amazon.com/
- msapplication.xml1.1.dr: http://www.google.com/
- msapplication.xml2.1.dr: http://www.live.com/
- msapplication.xml3.1.dr: http://www.nytimes.com/
- msapplication.xml4.1.dr: http://www.reddit.com/
- msapplication.xml5.1.dr: http://www.twitter.com/
- msapplication.xml6.1.dr: http://www.wikipedia.com/
- msapplication.xml7.1.dr: http://www.youtube.com/
- 2vGde6[1].htm.2.dr: https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
- {4778CA84-B7B3-11EA-AAE7-9CC1A2A860C6}.dat.1.dr: https://app.boxrcdn.co
- {4778CA84-B7B3-11EA-AAE7-9CC1A2A860C6}.dat.1.dr: https://app.boxrcdn.cogx8/r0pb0.htmlj
- 2vGde6[1].htm.2.dr: https://app.boxrcdn.com
- ~DF3BA7C0E2516F0BD8.TMP.1.dr: https://app.boxrcdn.com/2l0azne4mepklm7jmepp/
- ~DF3BA7C0E2516F0BD8.TMP.1.dr: https://app.boxrcdn.com/2l0azne4mepklm7jmepp/0Checking
- 2l0azne4mepklm7jmepp[1].htm.2.dr: https://iplogger.org/2vGde6
- 2vGde6[1].htm.2.dr: https://s.wow.link/css/template.css?3.0.0
- 2vGde6[1].htm.2.dr: https://s.wow.link/img/icons/favicon.ico
- 2vGde6[1].htm.2.dr: https://u.wow.link/C/FPmU7X52s2IqojIMepKyHqvfQqzj3dhCyzQT88x1WXUqwtkvm2XU6s3ppobQmbmP.png
- 2vGde6[1].htm.2.dr: https://wow.link
- 2vGde6[1].htm.2.dr: https://wow.link/SC_3

Three kinds of source file appear here. The strings from the IE cache index files ({4778CA84-...}.dat and ~DF3BA7C0E2516F0BD8.TMP) are partly fused with neighbouring records (for example `...r0pb0.htmlHhttp://sRoot`), so only the prefix up to `.html` or the trailing `/` is reliable. The msapplication.xml* entries are IE's built-in popular-site tiles, present in every IE analysis, and are unrelated to the sample. The remaining strings come from the cached pages themselves and, read together with the cache file names, give the redirect chain scanotec.dk/8w1gx8/r0pb0.html → app.boxrcdn.com/2l0azne4mepklm7jmepp/ → iplogger.org/2vGde6 → wow.link/SC_3: the page cached as 2l0azne4mepklm7jmepp[1].htm references iplogger.org/2vGde6, and the page cached as 2vGde6[1].htm references wow.link and its static assets. No plain-text reference from r0pb0[1].htm to the app.boxrcdn.com URL appears in the report; that first hop is recorded only in the index files.
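Turning the list above into IOCs by hand means discarding the fused index-file strings and IE's own default tiles, then working out which cached page each URL was fetched as. The Python below is an added example, not part of the Joe Sandbox report. It parses entries in the report's "Source: ... String found in binary or memory: ..." form (a subset copied from the list above), drops strings that contain two scheme markers, matches each URL's last path segment to the IE cache file name (IE names cached pages after that segment, with a `[n]` suffix), and keeps a host from an index file only when such a cached page corroborates it. The allow-list of benign hosts is the analyst's assumption, not something the report states.

```python
import re
from urllib.parse import urlsplit

# Entries copied from the "Urls found in memory or binary data" list above (a subset;
# the fused strings are kept exactly as the report prints them).
REPORT_ENTRIES = """
Source: ~DF3BA7C0E2516F0BD8.TMP.1.dr String found in binary or memory: http://scanotec.dk/8w1gx8/r0pb0.html
Source: {4778CA84-B7B3-11EA-AAE7-9CC1A2A860C6}.dat.1.dr String found in binary or memory: http://scanotec.dk/8w1gx8/r0pb0.htmlHhttp://sRoot
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: 2vGde6[1].htm.2.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
Source: {4778CA84-B7B3-11EA-AAE7-9CC1A2A860C6}.dat.1.dr String found in binary or memory: https://app.boxrcdn.cogx8/r0pb0.htmlj
Source: ~DF3BA7C0E2516F0BD8.TMP.1.dr String found in binary or memory: https://app.boxrcdn.com/2l0azne4mepklm7jmepp/
Source: 2l0azne4mepklm7jmepp[1].htm.2.dr String found in binary or memory: https://iplogger.org/2vGde6
Source: 2vGde6[1].htm.2.dr String found in binary or memory: https://s.wow.link/css/template.css?3.0.0
Source: 2vGde6[1].htm.2.dr String found in binary or memory: https://u.wow.link/C/FPmU7X52s2IqojIMepKyHqvfQqzj3dhCyzQT88x1WXUqwtkvm2XU6s3ppobQmbmP.png
Source: 2vGde6[1].htm.2.dr String found in binary or memory: https://wow.link/SC_3
"""

# The cached page the Yara rule fired on; the report lists it in the Yara section, not in the URL list.
EXTRA_CACHED_PAGES = ["r0pb0[1].htm"]

# Assumption (analyst's, not stated in the report): IE's built-in popular-site tiles and a public
# jQuery CDN. They appear in every IE analysis and are excluded from the IOC list.
BENIGN_HOSTS = {
    "www.amazon.com", "www.google.com", "www.live.com", "www.nytimes.com", "www.reddit.com",
    "www.twitter.com", "www.wikipedia.com", "www.youtube.com", "ajax.googleapis.com",
}

ENTRY_RE = re.compile(r"^Source:\s+(?P<src>\S+)\s+String found in binary or memory:\s+(?P<url>\S+)$")
CACHE_PAGE_RE = re.compile(r"^(?P<name>[^\[\]]+)\[\d+\]\.html?(?:\.\d+\.dr)?$")
SCHEME_RE = re.compile(r"https?://")


def parse_entries(text):
    """Return (source_file, raw_string) pairs from the report's string-match lines."""
    out = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m["src"], m["url"]))
    return out


def is_fused(s):
    """True when the extractor glued two records together (e.g. '...htmlHhttp://sRoot')."""
    return len(SCHEME_RE.findall(s)) > 1


def cache_page_name(src):
    """'2vGde6[1].htm.2.dr' -> '2vGde6'; index files and msapplication.xml* give None."""
    m = CACHE_PAGE_RE.match(src)
    return m["name"] if m else None


def last_segment(url):
    """The path component IE names the cached file after: '/a/r0pb0.html' -> 'r0pb0', '/x/' -> 'x'."""
    seg = urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]
    return re.sub(r"\.html?$", "", seg)


def resolve_fetched_pages(entries, extra_pages=()):
    """Map each cached page name to the URL it was fetched from and the cached pages that referenced it."""
    pages = {cache_page_name(s) for s, _ in entries} | {cache_page_name(p) for p in extra_pages}
    pages.discard(None)
    fetched = {}
    for src, raw in entries:
        if is_fused(raw):
            continue
        seg = last_segment(raw)
        if seg in pages:
            rec = fetched.setdefault(seg, {"url": raw, "referrers": set()})
            ref = cache_page_name(src)
            if ref:
                rec["referrers"].add(ref)
    return fetched


def page_links(entries):
    """Outbound URLs per cached page, without fused strings or allow-listed hosts."""
    links = {}
    for src, raw in entries:
        page = cache_page_name(src)
        if page is None or is_fused(raw) or urlsplit(raw).hostname in BENIGN_HOSTS:
            continue
        links.setdefault(page, []).append(raw)
    return links


def ioc_hosts(entries, extra_pages=()):
    """Hosts referenced by cached pages, plus index-file hosts corroborated by a cached page of that name."""
    hosts = {urlsplit(u).hostname for urls in page_links(entries).values() for u in urls}
    hosts |= {urlsplit(r["url"]).hostname for r in resolve_fetched_pages(entries, extra_pages).values()}
    return sorted(h for h in hosts if h and h not in BENIGN_HOSTS)


if __name__ == "__main__":
    entries = parse_entries(REPORT_ENTRIES)
    for name, rec in resolve_fetched_pages(entries, EXTRA_CACHED_PAGES).items():
        refs = sorted(rec["referrers"]) or "index files only"
        print(f"{name}: fetched from {rec['url']} (referenced by: {refs})")
    print("IOC hosts:", ioc_hosts(entries, EXTRA_CACHED_PAGES))
```

Running it shows r0pb0 and 2l0azne4mepklm7jmepp resolved from index-file strings only, 2vGde6 resolved from a string inside 2l0azne4mepklm7jmepp[1].htm, and the corrupt `app.boxrcdn.cogx8` string rejected because no cached page matches its last segment. Hosts that survive only because of the cache-name match should still be checked against the DNS and TLS records of the run before being published as indicators.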
Uses HTTPS
- Source: unknown; Network traffic detected: HTTP traffic on port 443 for five client connections, from local ports 49716, 49717, 49718, 49719 and 49723 (both directions of each connection recorded)

Classification label
- Source: classification engine; Classification label: mal48.phis.win@3/19@4/3

Creates files inside the user directory

Creates temporary files

Spawns processes
- Source: unknown; Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
- Source: unknown; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1732 CREDAT:17410 /prefetch:2
- Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1732 CREDAT:17410 /prefetch:2

Found graphical window changes (likely an installer)
- Source: Window Recorder; Window detected: More than 3 window changes detected

Uses new MSVCR Dlls
- Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

### Mitre Att&ck Matrix

Techniques followed by a number in parentheses are the ones the report marks as matched by signatures in this run (the number is the count shown next to the technique); the remaining cells are the unmatched entries of the standard matrix layout.

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Graphical User Interface (1) | Winlogon Helper DLL | Process Injection (1) | Masquerading (1) | Credential Dumping | File and Directory Discovery (1) | Remote File Copy (3) | Data from Local System | Data Compressed | Standard Cryptographic Protocol (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection (1) | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol (4) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | System Network Configuration Discovery | Logon Scripts | Input Capture | Data Encrypted | Remote File Copy (3) | SIM Card Swap | Premium SMS Toll Fraud | |
