Analysis Report https://albanesebros.sendx.io/lp/shared-doc.html

Overview

General Information

Sample URL: https://albanesebros.sendx.io/lp/shared-doc.html
Analysis ID: 321361

Detection

HTMLPhisher
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected HtmlPhish_10
Yara detected HtmlPhish_19
Yara detected HtmlPhish_7
HTML body contains low number of good links
HTML title does not match URL

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://makoenvirosol.com/wp-user/ut/ SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish_10
Source: Yara match File source: 374653.0.links.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ut[1].htm, type: DROPPED
Yara detected HtmlPhish_19
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ut[1].htm, type: DROPPED
Yara detected HtmlPhish_7
Source: Yara match File source: 374653.0.links.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ut[1].htm, type: DROPPED
HTML body contains low number of good links
Source: https://makoenvirosol.com/wp-user/ut/ HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://makoenvirosol.com/wp-user/ut/ HTTP Parser: Title: Share Point Online does not match URL
Source: https://makoenvirosol.com/wp-user/ut/ HTTP Parser: No <meta name="author".. found
Source: https://makoenvirosol.com/wp-user/ut/ HTTP Parser: No <meta name="copyright".. found
Source: unknown DNS traffic detected: queries for: albanesebros.sendx.io
Source: classification engine Classification label: mal72.phis.win@3/35@11/5
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A4BD0EC1-2B84-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFDDA0EFC4FBC12C3F.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6832 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6832 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Behavior Graph

Behavior Graph ID: 321361
URL: https://albanesebros.sendx....
Startdate: 21/11/2020
Architecture: WINDOWS
Score: 72
Signatures on the URL node: Antivirus detection for URL or domain; Yara detected HtmlPhish_19; Yara detected HtmlPhish_10; Yara detected HtmlPhish_7
DNS: albanesebros.sendx.io
Process chain: iexplore.exe started a child iexplore.exe
Child process contacted: makoenvirosol.com (173.254.28.216, port 443, UNIFIEDLAYER-AS-1US, United States); cdnjs.cloudflare.com (104.16.19.94, port 443, CLOUDFLARENETUS, United States); 9 other IPs or domains
Dropped file: C:\Users\user\AppData\Local\...\ut[1].htm (HTML)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
3.213.165.33 unknown United States 14618 AMAZON-AESUS false
13.224.93.47 unknown United States 16509 AMAZON-02US false
13.224.93.76 unknown United States 16509 AMAZON-02US false
104.16.19.94 unknown United States 13335 CLOUDFLARENETUS false
173.254.28.216 unknown United States 46606 UNIFIEDLAYER-AS-1US false

Contacted Domains

Name IP Active
makoenvirosol.com 173.254.28.216 true
albanesebros.sendx.io 3.213.165.33 true
dt3a4gi3hg28i.cloudfront.net 13.224.93.47 true
cdnjs.cloudflare.com 104.16.19.94 true
d15k2d11r6t6rl.cloudfront.net 13.224.93.76 true
stackpath.bootstrapcdn.com unknown unknown
ka-f.fontawesome.com unknown unknown
code.jquery.com unknown unknown
kit.fontawesome.com unknown unknown
cdn.sendx.io unknown unknown
maxcdn.bootstrapcdn.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://makoenvirosol.com/wp-user/ut/ true SlashNext: Fake Login Page type: Phishing & Social Engineering unknown
https://albanesebros.sendx.io/lp/shared-doc.html false - high