Analysis Report https://lhklzbenyc.objects-us-east-1.dream.io/liinkk.html#qs=r-abacacfekhccacaeikheababacafeadbfaccagjdacjekaibfgjacb

Overview

General Information

Sample URL:	https://lhklzbenyc.objects-us-east-1.dream.io/liinkk.html#qs=r-abacacfekhccacaeikheababacafeadbfaccagjdacjekaibfgjacb
Analysis ID:	322846
Most interesting Screenshot:
Errors URL not reachable

Detection

Phisher

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Phisher

Classification

Signatures

Phishing:

Yara detected Phisher

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\liinkk[1].htm, type: DROPPED

Source: global traffic

HTTP traffic detected: GET /qs=r-abacacfekhccacaeikheababacafeadbfaccagjdacjekaibfgjacb HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gizmoskiff.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: lhklzbenyc.objects-us-east-1.dream.io

Source: liinkk[1].htm.2.dr	String found in binary or memory: http://gizmoskiff.com/
Source: {A6FA38B5-2FBF-11EB-90E4-ECF4BB862DED}.dat.1.dr	String found in binary or memory: https://lhklzbenyc.obj
Source: ~DF2F607BA7733F9ACF.TMP.1.dr	String found in binary or memory: https://lhklzbenyc.objects-us-east-1.dream.io/liinkk.html
Source: ~DF2F607BA7733F9ACF.TMP.1.dr, {A6FA38B5-2FBF-11EB-90E4-ECF4BB862DED}.dat.1.dr	String found in binary or memory: https://lhklzbenyc.objects-us-east-1.dream.io/liinkk.html#qs=r-abacacfekhccacaeikheababacafeadbfacca
Source: {A6FA38B5-2FBF-11EB-90E4-ECF4BB862DED}.dat.1.dr	String found in binary or memory: https://luckyxguy.com/
Source: ~DF2F607BA7733F9ACF.TMP.1.dr	String found in binary or memory: https://luckyxguy.com/0/0/0/12b675ea62affcf4faac04f5d20e8bdd/37963_1_11/0_1_0_0_1_1439611_43_1839_70

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443

Source: classification engine

Classification label: mal48.phis.win@3/15@4/3

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFB7E7B6F16E3436F0.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5892 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5892 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
111.90.140.95	unknown	Malaysia	45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	false
51.15.153.186	unknown	France	12876	OnlineSASFR	false
208.113.201.33	unknown	United States	26347	DREAMHOST-ASUS	false

Contacted Domains

Name	IP	Active
objects-us-east-1.dream.io	208.113.201.33	true
luckyxguy.com	111.90.140.95	true
gizmoskiff.com	51.15.153.186	true
lhklzbenyc.objects-us-east-1.dream.io	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://gizmoskiff.com/qs=r-abacacfekhccacaeikheababacafeadbfaccagjdacjekaibfgjacb	false	Avira URL Cloud: safe	unknown

ID:	322846
Product:	CloudBasic
Start time:	00:15:28
Start date:	26.11.2020
Cookbook:	browseurl.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A6FA38B3-2FBF-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	E1F0B420E758FE4C7FF194DDF037C669	29C7ABA121994E5E7C2FB76D512E87E4E8C99BE8	BECA1FBA5A8E7C0F9A2560299EF0B4A6BB5A9829BB260C92B8AE61DBEB5AE221
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A6FA38B5-2FBF-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	A877C17E71EE687BD97F1575B54BB40C	9EDE09E80DEFE69B66F5FE0E979B4404EC332030	65EF57B3CEC55AACA13B6DDEEBF2704DEB13C850D9238CDCAC545B9F161CB0E7
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AD7A6107-2FBF-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	2F81B3224D8143A6ACDC7FC27054F797	F7AADE38857D3D7645023AD5DDF479B6D0C8C173	E1AABA221B2139C41F6244B284444532E6B2F5573AB68451CFC98CE804E2DEB4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\http_403[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	3215E2E80AA8B9FABA83D76AEF71F1B9	C7582D414EE6A1DAE098F6DBBBF68ED9641D0023	D91C22EF6451561F346B8C8BC6F98897E2E5C28135A421EE946800F6C8451B24
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	5565250FCC163AA3A79F0B746416CE69	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	20F0110ED5E4E0D5384A496E4880139B	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F4FE1CB77E758E1BA56B8A8EC20417C5	F4EDA06901EDB98633A686B11D02F4925F827BF0	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	26F971D87CA00E23BD2D064524AEF838	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\liinkk[1].htm	HTML document, ASCII text, with no line terminators	7F4C13A05A98AF88115B54D97338C0BD	7BFA51D43467659FA2965F338E09AA4E899EF3EE	795F51FBF78F0C6225C58BECDB4D34082D42D1F2266AC75E334F61C0E7E8F491
C:\Users\user\AppData\Local\Temp\~DF2F607BA7733F9ACF.TMP	data	1ED41B158D205CE7EDF5C7CFC5D42A5F	9127694339CBE58131DE5DEE7FE473985F12FE0E	DB1321FA28A68F3CB2F5EA6DAB00709B31C3A07925EE7B8637D70C48FA523C12
C:\Users\user\AppData\Local\Temp\~DF55A80DF302D01A96.TMP	data	7DA1144C781AB85AB41C54FF25B1C771	56B6208446BD8498219279A5B68E1FE658BCB5AC	F16931FFBC6FDBBD1A453AC88CF63B93C1E2D0D6613F5C3D985B7CB5327F9C2C
C:\Users\user\AppData\Local\Temp\~DFB7E7B6F16E3436F0.TMP	data	E1BEEFF6620ECA40A593B714E778C9E1	5D5EA9F64196E12B0A5923202538DCA5C8A1C16F	69F4B09B2045A940C0B132C54C6C87FAE522DEB9B1FF7AA543141457C5125BBC

Analysis Report https://lhklzbenyc.objects-us-east-1.dream.io/liinkk.html#qs=r-abacacfekhccacaeikheababacafeadbfaccagjdacjekaibfgjacb

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing:

Networking:

System Summary:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs