Analysis Report https://bakrisoil.com/wp-content/cd.php?e=gjeffries@hughesellard.com

Overview

General Information

Sample URL: https://bakrisoil.com/wp-content/cd.php?e=gjeffries@hughesellard.com
Analysis ID: 321242

Errors
  • URL not reachable

Detection

Phisher
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected Phisher
URL contains potential PII (phishing indication)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: https://bakrisoil.com/wp-content/cd.php?e=gjeffries@hughesellard.com Avira URL Cloud: detection malicious, Label: phishing
Antivirus detection for URL or domain
Source: https://hospitalpicks.com/vm/index.html#gjeffries Avira URL Cloud: Label: phishing
Source: https://bakrisoil.com/wp-content/cd.php?e=gjeffries Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: bakrisoil.com Virustotal: Detection: 6%
Source: https://bakrisoil.com/ Virustotal: Detection: 6%

Phishing:

Yara detected Phisher
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cd[1].htm, type: DROPPED
URL contains potential PII (phishing indication)
Source: https://bakrisoil.com/wp-content/cd.php?e=gjeffries@hughesellard.com Sample URL: PII: gjeffries@hughesellard.com
Source: unknown DNS traffic detected: queries for: bakrisoil.com
Source: {5702468C-2B4A-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://bakrisoil.com/
Source: {5702468C-2B4A-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://bakrisoil.com/wp-content/cd.php?e=gjeffries
Source: {5702468C-2B4A-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://bakrisoilcom/vm/index.html#gjeffries
Source: {5702468C-2B4A-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://bakrisoilwp-content/cd.php?e=gjeffries
Source: cd[1].htm.2.dr, ~DF240D9F52873C5C2B.TMP.1.dr String found in binary or memory: https://hospitalpicks.com/vm/index.html#gjeffries
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: classification engine Classification label: mal72.phis.win@3/15@2/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5702468A-2B4A-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF1BC5B961A0D11AC7.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6864 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6864 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Behavior Graph

Behavior Graph ID: 321242
URL: https://bakrisoil.com/wp-co...
Start date: 20/11/2020
Architecture: WINDOWS
Score: 72

  • Signatures on the submitted sample: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Yara detected Phisher
  • Process chain: iexplore.exe started a child iexplore.exe
  • Network: bakrisoil.com 66.96.149.32, port 443, local ports 49735, 49736 (BIZLAND-SDUS, United States); hospitalpicks.com 104.218.51.229, port 443, local ports 49737, 49738 (IS-AS-1US, United States)
  • Dropped file: C:\Users\user\AppData\Local\...\cd[1].htm (ASCII)

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name      Malicious
66.96.149.32    unknown  United States  29873  BIZLAND-SDUS  true
104.218.51.229  unknown  United States  19318  IS-AS-1US     false

Contacted Domains

Name               IP              Active
bakrisoil.com      66.96.149.32    true
hospitalpicks.com  104.218.51.229  true