Analysis Report https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt

Overview

General Information

Sample URL: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt
Analysis ID: 323112

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Yara detected HtmlPhish_10
Phishing site detected (based on logo template match)
Form action URLs do not match main URL
HTML body contains low number of good links
HTML title does not match URL
Suspicious form URL found
URL contains potential PII (phishing indication)

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt Avira URL Cloud: detection malicious, Label: phishing
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt UrlScan: detection malicious, Label: phishing brand: outlook web access Perma Link
Antivirus detection for URL or domain
Source: https://hosting-e899f.web.app/ Avira URL Cloud: Label: phishing
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf Avira URL Cloud: Label: phishing
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\W3YTSHKB.htm Avira: detection malicious, Label: HTML/Infected.WebPage.Gen
Multi AV Scanner detection for domain / URL
Source: hosting-e899f.web.app Virustotal: Detection: 10% Perma Link

Phishing:

barindex
Yara detected HtmlPhish_10
Source: Yara match File source: 405464.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\W3YTSHKB.htm, type: DROPPED
Phishing site detected (based on logo template match)
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt Matcher: Template: outlook matched
Form action URLs do not match main URL
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt HTTP Parser: Form action: https://aogtechnics.cc/aa.php web aogtechnics
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt HTTP Parser: Form action: https://aogtechnics.cc/aa.php web aogtechnics
HTML body contains low number of good links
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt HTTP Parser: Number of links: 0
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt HTTP Parser: Title: Signin Outlook WebApp Settings does not match URL
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt HTTP Parser: Title: Signin Outlook WebApp Settings does not match URL
Suspicious form URL found
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt HTTP Parser: Form action: https://aogtechnics.cc/aa.php
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt HTTP Parser: Form action: https://aogtechnics.cc/aa.php
URL contains potential PII (phishing indication)
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt Sample URL: PII: ba11_go_coa_chf@emfa.pt
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt HTTP Parser: No <meta name="copyright".. found
Source: https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt HTTP Parser: No <meta name="copyright".. found
Source: unknown DNS traffic detected: queries for: hosting-e899f.web.app
Source: fontawesome-webfont[1].eot.2.dr, font-awesome.min[1].css.2.dr String found in binary or memory: http://fontawesome.io
Source: font-awesome.min[1].css.2.dr String found in binary or memory: http://fontawesome.io/license
Source: fontawesome-webfont[1].eot.2.dr String found in binary or memory: http://fontawesome.io/license/
Source: fontawesome-webfont[1].eot.2.dr String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: bootstrap.min[1].css.2.dr String found in binary or memory: http://getbootstrap.com)
Source: popper.min[1].js.2.dr String found in binary or memory: http://opensource.org/licenses/MIT).
Source: W3YTSHKB.htm.2.dr String found in binary or memory: https://aogtechnics.cc/aa.php
Source: W3YTSHKB.htm.2.dr String found in binary or memory: https://cdn.jsdelivr.net/npm/sweetalert2
Source: W3YTSHKB.htm.2.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.0/umd/popper.min.js
Source: W3YTSHKB.htm.2.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.min.js
Source: W3YTSHKB.htm.2.dr String found in binary or memory: https://code.jquery.com/jquery-migrate-3.1.0.min.js
Source: bootstrap.min[1].js.2.dr String found in binary or memory: https://getbootstrap.com/)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: ~DFCEAC2B6E86150DAD.TMP.1.dr String found in binary or memory: https://hosting-e899f.web.app/
Source: ~DFCEAC2B6E86150DAD.TMP.1.dr, {914E1A2B-2FCF-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://hosting-e899f.web.app/#ba11_go_coa_chf
Source: W3YTSHKB.htm.2.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: W3YTSHKB.htm.2.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.0/js/bootstrap.min.js
Source: W3YTSHKB.htm.2.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css
Source: W3YTSHKB.htm.2.dr String found in binary or memory: https://web.cytrack.com/wpv1/wp-content/uploads/microsoft-outlook-logo.jpg
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: classification engine Classification label: mal84.phis.win@3/16@7/3
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{914E1A29-2FCF-11EB-90EB-ECF4BBEA1588}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFD904113CBEB3043B.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5860 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5860 CREDAT:17410 /prefetch:2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 323112 URL: https://hosting-e899f.web.a... Startdate: 26/11/2020 Architecture: WINDOWS Score: 84 20 Multi AV Scanner detection for domain / URL 2->20 22 Antivirus detection for URL or domain 2->22 24 Antivirus detection for dropped file 2->24 26 3 other signatures 2->26 6 iexplore.exe 1 51 2->6         started        process3 process4 8 iexplore.exe 2 45 6->8         started        dnsIp5 14 hosting-e899f.web.app 151.101.1.195, 443, 49732, 49733 FASTLYUS United States 8->14 16 web.cytrack.com 20.37.219.194, 443, 49741, 49742 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->16 18 5 other IPs or domains 8->18 12 C:\Users\user\AppData\Local\...\W3YTSHKB.htm, HTML 8->12 dropped file6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
20.37.219.194
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
104.16.18.94
 unknown United States
13335 CLOUDFLARENETUS false
151.101.1.195
 unknown United States
54113 FASTLYUS true

Contacted Domains

Name IP Active
hosting-e899f.web.app 151.101.1.195 true
cdnjs.cloudflare.com 104.16.18.94 true
web.cytrack.com 20.37.219.194 true
stackpath.bootstrapcdn.com unknown unknown
code.jquery.com unknown unknown
cdn.jsdelivr.net unknown unknown
maxcdn.bootstrapcdn.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://hosting-e899f.web.app/#ba11_go_coa_chf@emfa.pt true unknown