Analysis Report https://dhumketubd.com/DifferenceCard/login.php

Overview

General Information

Sample URL: https://dhumketubd.com/DifferenceCard/login.php
Analysis ID: 322836

Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected HtmlPhish_7

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: https://dhumketubd.com/DifferenceCard/login.php SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish_7
Source: Yara match File source: 051829.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\login[1].htm, type: DROPPED
Source: unknown DNS traffic detected: queries for: dhumketubd.com
Source: login[1].htm.2.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
Source: imagestore.dat.2.dr String found in binary or memory: https://dhumketubd.com/DifferenceCard/images/shfi.png
Source: ~DF1AF4A5C2696034BC.TMP.1.dr String found in binary or memory: https://dhumketubd.com/DifferenceCard/login.php
Source: {2865563F-2F70-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://dhumketubd.com/DifferenceCard/login.phpRoot
Source: login[1].htm.2.dr String found in binary or memory: https://drive.google.com/file/d/1-p4CNC_xSDNE01gQqGq-Ohjep8M76e7W
Source: style[1].css.2.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN7rgOUuhv.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN8rsOUuhv.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuhv.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UNirkOUuhv.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v18/mem8YaGs126MiZpBA-UFVZ0d.woff)
Source: style[1].css.2.dr String found in binary or memory: https://webpicture.cc/email-list/sharepoint/sp2/images/back.png
Source: style[1].css.2.dr String found in binary or memory: https://webpicture.cc/email-list/sharepoint/sp2/images/other-email-bg.jpg
Source: unknown Network traffic detected: HTTPS traffic (TCP port 443) on client ports 49724 through 49752
Source: classification engine Classification label: mal56.phis.win@3/21@3/6
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2865563D-2F70-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF14AB9EF650DA3F6B.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4624 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4624 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Behavior Graph

Behavior Graph ID: 322836
URL: https://dhumketubd.com/Diff...
Start date: 25/11/2020
Architecture: WINDOWS
Score: 56

Graph summary (recovered from the rendered graph):
  • Sample URL: DNS query for dhumketubd.com; signatures "Antivirus / Scanner detection for submitted sample" and "Yara detected HtmlPhish_7"
  • iexplore.exe (1 signature, 51 events) started; contacted 192.168.2.1 (unknown)
  • Child iexplore.exe (2 signatures, 48 events) started; contacted webpicture.cc at 198.54.117.197 (ports 443 -> 49733, 49734) and 198.54.117.198 (ports 443 -> 49740, 49741), both NAMECHEAP-NETUS, United States, plus 3 other IPs or domains
  • Dropped file: C:\Users\user\AppData\Local\...\login[1].htm, HTML

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name          Malicious
198.54.117.197   unknown  United States  22612  NAMECHEAP-NETUS   false
198.54.117.198   unknown  United States  22612  NAMECHEAP-NETUS   false
23.91.70.253     unknown  United States  62729  ASMALLORANGE1US   false
198.54.117.199   unknown  United States  22612  NAMECHEAP-NETUS   false
198.54.117.200   unknown  United States  22612  NAMECHEAP-NETUS   false

Contacted Private IPs

IP
192.168.2.1

Contacted Domains

Name            IP              Active
webpicture.cc   198.54.117.197  true
dhumketubd.com  23.91.70.253    true

Contacted URLs

Name                                             Malicious  Antivirus Detection  Reputation
https://dhumketubd.com/DifferenceCard/login.php  true       (none listed)        unknown