Analysis Report https://albanesebros.sendx.io/lp/shared-doc.html

Overview

General Information

Sample URL: https://albanesebros.sendx.io/lp/shared-doc.html
Analysis ID: 321361

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected HtmlPhish_10
Yara detected HtmlPhish_19
Yara detected HtmlPhish_7
HTML body contains low number of good links
HTML title does not match URL

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 6832 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6888 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6832 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ut[1].htm | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ut[1].htm | JoeSecurity_HtmlPhish_7 | Yara detected HtmlPhish_7 | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ut[1].htm | JoeSecurity_HtmlPhish_19 | Yara detected HtmlPhish_19 | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://makoenvirosol.com/wp-user/ut/ | SlashNext: Label: Fake Login Page, type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish_10
Source: Yara match | File source: 374653.0.links.csv, type: HTML
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ut[1].htm, type: DROPPED
Yara detected HtmlPhish_19
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ut[1].htm, type: DROPPED
Yara detected HtmlPhish_7
Source: Yara match | File source: 374653.0.links.csv, type: HTML
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\ut[1].htm, type: DROPPED
HTML body contains low number of good links
Source: https://makoenvirosol.com/wp-user/ut/ | HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://makoenvirosol.com/wp-user/ut/ | HTTP Parser: Title: Share Point Online does not match URL

Source: https://makoenvirosol.com/wp-user/ut/ | HTTP Parser: No <meta name="author".. found
Source: https://makoenvirosol.com/wp-user/ut/ | HTTP Parser: No <meta name="copyright".. found

Source: unknown | DNS traffic detected: queries for: albanesebros.sendx.io
Source: Fd6p0u0JQc3Amio6O4W1it[1].js.2.dr | String found in binary or memory: http://bonsaiden.github.io/JavaScript-Garden/#object.forinloop
Source: animate.min[1].css.2.dr | String found in binary or memory: http://daneden.me/animate
Source: ut[1].htm.2.dr | String found in binary or memory: http://google.com
Source: hover[1].css.2.dr | String found in binary or memory: http://ianlunn.co.uk/
Source: hover[1].css.2.dr | String found in binary or memory: http://ianlunn.github.io/Hover/)
Source: animate.min[1].css.2.dr | String found in binary or memory: http://opensource.org/licenses/MIT
Source: popper.min[1].js.2.dr | String found in binary or memory: http://opensource.org/licenses/MIT).
Source: ut[1].htm.2.dr | String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: {A4BD0EC3-2B84-11EB-90EB-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: https://albanesebros.s
Source: Fd6p0u0JQc3Amio6O4W1it[1].js.2.dr | String found in binary or memory: https://albanesebros.sendx.io
Source: {A4BD0EC3-2B84-11EB-90EB-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: https://albanesebros.sendx.io/lp/shared-doc.html
Source: {A4BD0EC3-2B84-11EB-90EB-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: https://albanesebros.sendx.io/lp/shared-doc.htmlRoot
Source: {A4BD0EC3-2B84-11EB-90EB-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: https://albanesebros.sendx.io/lp/shared-doc.htmlcom/wp-user/ut/d-doc.htmlRoot
Source: {A4BD0EC3-2B84-11EB-90EB-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: https://albanesebros.sendx.io/lp/shared-doc.htmlendx.io/lp/shared-doc.htmlRoot
Source: ~DF351345C6A60C39EE.TMP.1.dr | String found in binary or memory: https://albanesebros.sendx.io/lp/shared-doc.htmlo/lp/shared-doc.html
Source: Fd6p0u0JQc3Amio6O4W1it[1].js.2.dr | String found in binary or memory: https://app.sendx.io/api/v1
Source: Fd6p0u0JQc3Amio6O4W1it[1].js.2.dr | String found in binary or memory: https://cdn.sendx.io
Source: Fd6p0u0JQc3Amio6O4W1it[1].js.2.dr | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mustache.js/3.0.1/mustache.min.js
Source: ut[1].htm.2.dr | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: ut[1].htm.2.dr | String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: ut[1].htm.2.dr | String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: ut[1].htm.2.dr | String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: shared-doc[1].htm.2.dr | String found in binary or memory: https://d15k2d11r6t6rl.cloudfront.net/public/users/Integrators/840f4477-2071-4b5b-a7c9-79cd553fea12/
Source: free.min[1].css.2.dr, free-fa-solid-900[1].eot.2.dr | String found in binary or memory: https://fontawesome.com
Source: free.min[1].css.2.dr | String found in binary or memory: https://fontawesome.com/license/free
Source: free-fa-solid-900[1].eot.2.dr, free-fa-regular-400[1].eot.2.dr | String found in binary or memory: https://fontawesome.comhttps://fontawesome.comFont
Source: shared-doc[1].htm.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Anton
Source: ut[1].htm.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
Source: shared-doc[1].htm.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Lato
Source: css[1].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/anton/v12/1Ptgg87LROyAm3Kz-Ck.woff)
Source: css[1].css0.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v12/tss0ApVBdCYD5Q7hcxTE1ArZ0bbwiXo.woff)
Source: css[2].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/lato/v17/S6uyw4BMUTPHjx4wWA.woff)
Source: bootstrap.min[2].js.2.dr, bootstrap.min[1].css.2.dr | String found in binary or memory: https://getbootstrap.com)
Source: bootstrap.min[1].js.2.dr | String found in binary or memory: https://getbootstrap.com/)
Source: hover[1].css.2.dr | String found in binary or memory: https://github.com/IanLunn/Hover
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr | String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.dr | String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: 585b051251[1].js.2.dr | String found in binary or memory: https://ka-f.fontawesome.com
Source: ut[1].htm.2.dr | String found in binary or memory: https://kit.fontawesome.com/585b051251.js
Source: shared-doc[1].htm.2.dr | String found in binary or memory: https://makoenvirosol.com/wp-user/ut/
Source: {A4BD0EC3-2B84-11EB-90EB-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: https://makoenvirosol.com/wp-user/ut/$Share
Source: ~DF351345C6A60C39EE.TMP.1.dr | String found in binary or memory: https://makoenvirosol.com/wp-user/ut/d-doc.htmlo/lp/shared-doc.html
Source: ut[1].htm.2.dr | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: ut[1].htm.2.dr | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: Fd6p0u0JQc3Amio6O4W1it[1].js.2.dr | String found in binary or memory: https://sendx.io
Source: ut[1].htm.2.dr | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: classification engine | Classification label: mal72.phis.win@3/35@11/5
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A4BD0EC1-2B84-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFDDA0EFC4FBC12C3F.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6832 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6832 CREDAT:17410 /prefetch:2
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.