Analysis Report https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at

Overview

General Information

Sample URL: https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at
Analysis ID: 323053

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected HtmlPhish_20
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
URL contains potential PII (phishing indication)

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at UrlScan: detection malicious, Label: phishing brand: outlook web access Perma Link
Source: https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

barindex
Yara detected HtmlPhish_20
Source: Yara match File source: 618321.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\1RWIY0K9.htm, type: DROPPED
Phishing site detected (based on logo template match)
Source: https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at Matcher: Template: outlook matched
HTML body contains low number of good links
Source: https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at HTTP Parser: Number of links: 0
Source: https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at HTTP Parser: Title: Signin Outlook WebApp Settings does not match URL
Source: https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at HTTP Parser: Title: Signin Outlook WebApp Settings does not match URL
URL contains potential PII (phishing indication)
Source: https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at Sample URL: PII: comp@hansi.at
Source: https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at HTTP Parser: No <meta name="copyright".. found
Source: https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at HTTP Parser: No <meta name="copyright".. found
Source: unknown DNS traffic detected: queries for: sugar-stirring-mockingbird.glitch.me
Source: fontawesome-webfont[1].eot.2.dr, font-awesome.min[1].css.2.dr String found in binary or memory: http://fontawesome.io
Source: font-awesome.min[1].css.2.dr String found in binary or memory: http://fontawesome.io/license
Source: fontawesome-webfont[1].eot.2.dr String found in binary or memory: http://fontawesome.io/license/
Source: fontawesome-webfont[1].eot.2.dr String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: bootstrap.min[1].css.2.dr String found in binary or memory: http://getbootstrap.com)
Source: popper.min[1].js.2.dr String found in binary or memory: http://opensource.org/licenses/MIT).
Source: 1RWIY0K9.htm.2.dr String found in binary or memory: https://api.ipify.org?format=json
Source: 1RWIY0K9.htm.2.dr String found in binary or memory: https://autosoftug.com/wp-content/themes/satenet/inc/xz4/processor.php
Source: 1RWIY0K9.htm.2.dr String found in binary or memory: https://cdn.jsdelivr.net/npm/sweetalert2
Source: 1RWIY0K9.htm.2.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.0/umd/popper.min.js
Source: 1RWIY0K9.htm.2.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.min.js
Source: 1RWIY0K9.htm.2.dr String found in binary or memory: https://code.jquery.com/jquery-migrate-3.1.0.min.js
Source: 1RWIY0K9.htm.2.dr String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/owa-68183.appspot.com/o/owa.html?alt=media&token=e35b9f3
Source: bootstrap.min[1].js.2.dr String found in binary or memory: https://getbootstrap.com/)
Source: 1RWIY0K9.htm.2.dr String found in binary or memory: https://github.com/danieledesantis/jquery-browser-detection
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: 1RWIY0K9.htm.2.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: imagestore.dat.2.dr, 1RWIY0K9.htm.2.dr String found in binary or memory: https://ow2.res.office365.com/owalanding/2020.1.16.01/images/favicon.ico?v=4
Source: imagestore.dat.2.dr String found in binary or memory: https://ow2.res.office365.com/owalanding/2020.1.16.01/images/favicon.ico?v=4~
Source: 1RWIY0K9.htm.2.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.0/js/bootstrap.min.js
Source: 1RWIY0K9.htm.2.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css
Source: ~DF7B847ADEC881B843.TMP.1.dr String found in binary or memory: https://sugar-stirring-mockingbird.glitch.me/
Source: ~DF7B847ADEC881B843.TMP.1.dr, {6D30CF7E-300B-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: https://sugar-stirring-mockingbird.glitch.me/#comp
Source: 1RWIY0K9.htm.2.dr String found in binary or memory: https://web.cytrack.com/wpv1/wp-content/uploads/microsoft-outlook-logo.jpg
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: classification engine Classification label: mal60.phis.win@3/19@10/4
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFFE506D96E3CD96F1.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:68 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:68 CREDAT:17410 /prefetch:2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 323053 URL: https://sugar-stirring-mock... Startdate: 26/11/2020 Architecture: WINDOWS Score: 60 15 ow2.res.office365.com 2->15 23 Antivirus / Scanner detection for submitted sample 2->23 25 Yara detected HtmlPhish_20 2->25 27 Phishing site detected (based on logo template match) 2->27 7 iexplore.exe 2 61 2->7         started        signatures3 process4 process5 9 iexplore.exe 2 48 7->9         started        dnsIp6 17 web.cytrack.com 20.37.219.194, 443, 49713, 49714 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->17 19 cdnjs.cloudflare.com 104.16.18.94, 443, 49707, 49708 CLOUDFLARENETUS United States 9->19 21 9 other IPs or domains 9->21 13 C:\Users\user\AppData\Local\...\1RWIY0K9.htm, HTML 9->13 dropped file7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
20.37.219.194
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
54.225.169.28
 unknown United States
14618 AMAZON-AESUS false
52.205.236.122
 unknown United States
14618 AMAZON-AESUS false
104.16.18.94
 unknown United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.169.28 true
cdnjs.cloudflare.com 104.16.18.94 true
web.cytrack.com 20.37.219.194 true
sugar-stirring-mockingbird.glitch.me 52.205.236.122 true
stackpath.bootstrapcdn.com unknown unknown
code.jquery.com unknown unknown
cdn.jsdelivr.net unknown unknown
maxcdn.bootstrapcdn.com unknown unknown
ow2.res.office365.com unknown unknown
api.ipify.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at false
    		high