Analysis Report http://bihhwidigojbtkic.lfllavv.com/kampo/Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ==

Overview

General Information

Sample URL: http://bihhwidigojbtkic.lfllavv.com/kampo/Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ==
Analysis ID: 322904

Detection

HTMLPhisher
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10
Phishing site detected (based on image similarity)
HTML body contains low number of good links
HTML title does not match URL
Invalid T&C link found

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: http://bihhwidigojbtkic.lfllavv.com/kampo/Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ== SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering
Antivirus detection for URL or domain
Source: https://sanatiamlak.com/wp-content/upgrade/s7m8ltg71guzhecccs888xuj.php?MTYwNjM1OTQ4MTZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTE1MDk1MWM5OTc5YjQwYzJjMzgwNjE0YTk0OTZiYWE4Zg==&data=Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ== SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on favicon image match)
Source: https://sanatiamlak.com/wp-content/upgrade/s7m8ltg71guzhecccs888xuj.php?MTYwNjM1OTQ4MTZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTE1MDk1MWM5OTc5YjQwYzJjMzgwNjE0YTk0OTZiYWE4Zg==&data=Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ== Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish_10
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\s7m8ltg71guzhecccs888xuj[1].htm, type: DROPPED
Phishing site detected (based on image similarity)
Source: https://sanatiamlak.com/wp-content/upgrade/lib/img/logo2.svg Matcher: Found strong image similarity, brand: Microsoft
HTML body contains low number of good links
Source: https://sanatiamlak.com/wp-content/upgrade/s7m8ltg71guzhecccs888xuj.php?MTYwNjM1OTQ4MTZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTE1MDk1MWM5OTc5YjQwYzJjMzgwNjE0YTk0OTZiYWE4Zg==&data=Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ== HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://sanatiamlak.com/wp-content/upgrade/s7m8ltg71guzhecccs888xuj.php?MTYwNjM1OTQ4MTZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTE1MDk1MWM5OTc5YjQwYzJjMzgwNjE0YTk0OTZiYWE4Zg==&data=Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ== HTTP Parser: Title: Sign in to your account does not match URL
Invalid T&C link found
Source: https://sanatiamlak.com/wp-content/upgrade/s7m8ltg71guzhecccs888xuj.php?MTYwNjM1OTQ4MTZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTE1MDk1MWM5OTc5YjQwYzJjMzgwNjE0YTk0OTZiYWE4Zg==&data=Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ== HTTP Parser: Invalid link: Terms of use
Source: https://sanatiamlak.com/wp-content/upgrade/s7m8ltg71guzhecccs888xuj.php?MTYwNjM1OTQ4MTZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTE1MDk1MWM5OTc5YjQwYzJjMzgwNjE0YTk0OTZiYWE4Zg==&data=Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ== HTTP Parser: No <meta name="author".. found
Source: https://sanatiamlak.com/wp-content/upgrade/s7m8ltg71guzhecccs888xuj.php?MTYwNjM1OTQ4MTZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTE1MDk1MWM5OTc5YjQwYzJjMzgwNjE0YTk0OTZiYWE4Zg==&data=Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ== HTTP Parser: No <meta name="copyright".. found
Source: global traffic HTTP traffic detected:
GET /kampo/Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ== HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bihhwidigojbtkic.lfllavv.com
Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: bihhwidigojbtkic.lfllavv.com
Source: ~DF058445AA7ACBCBBD.TMP.1.dr String found in binary or memory: http://bihhwidigojbtkic.lfllavv.com/kampo/Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ==
Source: {2C0A73F0-2F93-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: http://bihhwidigojbtkic.lfllavv.com/kampo/Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ==Root
Source: {2C0A73F0-2F93-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://sanatiamlak.coc.lfllavv.com/kampo/Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ==m/wp-content/upgra
Source: Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ==[1].htm.2.dr String found in binary or memory: https://sanatiamlak.com/wp-content/upgrade/?corporate.actions.au2
Source: imagestore.dat.2.dr String found in binary or memory: https://sanatiamlak.com/wp-content/upgrade/lib/img/favicon.ico
Source: imagestore.dat.2.dr String found in binary or memory: https://sanatiamlak.com/wp-content/upgrade/lib/img/favicon.ico~
Source: imagestore.dat.2.dr String found in binary or memory: https://sanatiamlak.com/wp-content/upgrade/lib/img/favicon.ico~(
Source: ~DF058445AA7ACBCBBD.TMP.1.dr String found in binary or memory: https://sanatiamlak.com/wp-content/upgrade/s7m8ltg71guzhecccs888xuj.php?MTYwNjM1OTQ4MTZkMDZjNTRlMTMz
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: classification engine Classification label: mal76.phis.win@3/16@3/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2C0A73EE-2F93-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFECEF3B821227381B.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6840 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6840 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Behavior Graph

Behavior Graph ID: 322904
URL: http://bihhwidigojbtkic.lfl...
Startdate: 26/11/2020
Architecture: WINDOWS
Score: 76

Signatures attached to the sample node: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Phishing site detected (based on favicon image match); 2 other signatures

Process chain: iexplore.exe (started) -> iexplore.exe (started)

Network nodes reached by the child iexplore.exe:
  sanatiamlak.com 185.132.82.145, 443, 49744, 49745 PEJVAK-ERTEBATATIR Iran (ISLAMIC Republic Of)
  bihhwidigojbtkic.lfllavv.com 52.186.153.24, 49742, 49743, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States

Dropped file: C:\Users\...\s7m8ltg71guzhecccs888xuj[1].htm, HTML

Contacted Public IPs

IP              Domain   Country                      ASN    ASN Name                        Malicious
185.132.82.145  unknown  Iran (ISLAMIC Republic Of)   43212  PEJVAK-ERTEBATATIR              false
52.186.153.24   unknown  United States                8075   MICROSOFT-CORP-MSN-AS-BLOCKUS   false

Contacted Domains

Name                           IP              Active
bihhwidigojbtkic.lfllavv.com   52.186.153.24   true
sanatiamlak.com                185.132.82.145  true

Contacted URLs

Name: https://sanatiamlak.com/wp-content/upgrade/s7m8ltg71guzhecccs888xuj.php?MTYwNjM1OTQ4MTZkMDZjNTRlMTMzYjlkYjc1ZjYxZDhiY2U4OTBlZWU4OTcyNmFkYTE1MDk1MWM5OTc5YjQwYzJjMzgwNjE0YTk0OTZiYWE4Zg==&data=Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ==
Malicious: true
Antivirus Detection: SlashNext: Fake Login Page type: Phishing & Social Engineering
Reputation: unknown

Name: http://bihhwidigojbtkic.lfllavv.com/kampo/Y29ycG9yYXRlLmFjdGlvbnMuYXUyQGlnLmNvbQ==
Malicious: true
Antivirus Detection: none listed
Reputation: unknown