Analysis Report https://dealmaker.pl/au_au.html

Overview

General Information

Sample URL: https://dealmaker.pl/au_au.html
Analysis ID: 323467

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected HtmlPhish_30
HTML body contains low number of good links
HTML title does not match URL
Suspicious form URL found

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: https://dealmaker.pl/au_au.html SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish_30
Source: Yara match File source: 305090.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\au_au[1].htm, type: DROPPED
HTML body contains low number of good links
Source: https://dealmaker.pl/PDF_NEW_AU/PDF_NEW_AU/ HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://dealmaker.pl/PDF_NEW_AU/PDF_NEW_AU/ HTTP Parser: Title: Email Encryption does not match URL
Suspicious form URL found
Source: https://dealmaker.pl/PDF_NEW_AU/PDF_NEW_AU/ HTTP Parser: Form action: auth.php
Source: https://dealmaker.pl/PDF_NEW_AU/PDF_NEW_AU/ HTTP Parser: No <meta name="author".. found
Source: https://dealmaker.pl/PDF_NEW_AU/PDF_NEW_AU/ HTTP Parser: No <meta name="copyright".. found
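The four HTTP Parser signatures above (few outgoing links, title that does not match the host, a login form posting to a local PHP script, no author/copyright meta tags) are cheap static heuristics that can be re-implemented for triage outside the sandbox. The following is an added example and not Joe Sandbox's own code: the two HTML inputs are constructed to reproduce only the facts this report records about https://dealmaker.pl/PDF_NEW_AU/PDF_NEW_AU/ (title "Email Encryption", zero links, form action auth.php, missing meta tags) plus a contrasting benign page; the thresholds and the definitions of "good link" and "suspicious form" are the example's own assumptions, since the report does not state the sandbox's exact criteria.

```python
"""Static HTML phishing heuristics mirroring the report's HTTP Parser signatures.

Added example, not Joe Sandbox code. The sample pages are constructed to match
the facts in the report; nothing else about the real page is known.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SAMPLE_URL = "https://dealmaker.pl/PDF_NEW_AU/PDF_NEW_AU/"

# Constructed: a minimal page carrying the features the report lists.
PHISH_HTML = """<!doctype html>
<html><head><title>Email Encryption</title></head>
<body>
<img src="https://www.google.com/s2/favicons?domain=silversky.com">
<form method="post" action="auth.php">
  <input name="email"><input name="password" type="password">
  <input type="submit" value="Open Message">
</form>
</body></html>"""

# Constructed: what a legitimate page on the same host might look like.
BENIGN_HTML = """<!doctype html>
<html><head><title>Dealmaker - Home</title>
<meta name="author" content="Dealmaker"><meta name="copyright" content="Dealmaker">
</head><body>
<a href="https://dealmaker.pl/about">About</a>
<a href="https://dealmaker.pl/contact">Contact</a>
<a href="https://www.linkedin.com/company/example">LinkedIn</a>
</body></html>"""


class _Features(HTMLParser):
    """Collect the title text, anchor hrefs, form actions and <meta name=...> values."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.hrefs = []
        self.form_actions = []
        self.meta_names = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def good_links(hrefs):
    """Assumption: a 'good link' is an absolute http(s) URL (not '#', javascript:, relative)."""
    return [h for h in hrefs if urlparse(h).scheme in ("http", "https")]


def title_matches_url(title, url):
    """Assumption: a match means some title word of 4+ chars occurs in a hostname label."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    words = [w.lower() for w in re.findall(r"[A-Za-z0-9]{4,}", title)]
    return any(w in label for w in words for label in labels)


def analyse(html, url, min_links=2):
    """Return the features and the list of signature names that fire for this page."""
    p = _Features()
    p.feed(html)
    title = p.title.strip()
    links = good_links(p.hrefs)
    forms = [urljoin(url, a) for a in p.form_actions]  # resolve relative actions like auth.php
    # Assumption: a form that submits to a server-side script on the hosting
    # domain (rather than the brand's own login endpoint) is treated as suspicious.
    suspicious_forms = [f for f in forms if urlparse(f).path.endswith(".php")]
    missing_meta = sorted({"author", "copyright"} - p.meta_names)
    signatures = []
    if len(links) < min_links:
        signatures.append("HTML body contains low number of good links")
    if not title_matches_url(title, url):
        signatures.append("HTML title does not match URL")
    if suspicious_forms:
        signatures.append("Suspicious form URL found")
    for m in missing_meta:
        signatures.append(f'No <meta name="{m}".. found')
    return {"title": title, "links": len(links), "forms": forms,
            "missing_meta": missing_meta, "signatures": signatures}


if __name__ == "__main__":
    for name, html in (("phish", PHISH_HTML), ("benign", BENIGN_HTML)):
        r = analyse(html, SAMPLE_URL)
        print(name, r["forms"], r["signatures"] or "no signatures")
```

Resolving the form action against the page URL is the step worth keeping: it turns the bare "auth.php" in the signature into the full credential-collection endpoint (https://dealmaker.pl/PDF_NEW_AU/PDF_NEW_AU/auth.php), which is what you would block or hand to a takedown request. None of these heuristics is conclusive on its own; the sandbox combines them with the YARA match and the SlashNext verdict before scoring.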
Networking:

Source: unknown DNS traffic detected: queries for: dealmaker.pl
Source: ga[1].js.2.dr String found in binary or memory: http://www.google-analytics.com
Source: detect_timezone[1].js.2.dr String found in binary or memory: http://www.onlineaspect.com)
Source: PDF_NEW_AU[1].htm0.2.dr String found in binary or memory: http://www.silversky.com/
Source: {90926100-3051-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://dealmaker.pl/P
Source: au_au[1].htm.2.dr String found in binary or memory: https://dealmaker.pl/PDF_NEW_AU/PDF_NEW_AU
Source: ~DFFCCD4F00A28E9D19.TMP.1.dr, PDF_NEW_AU[1].htm.2.dr String found in binary or memory: https://dealmaker.pl/PDF_NEW_AU/PDF_NEW_AU/
Source: {90926100-3051-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://dealmaker.pl/Pu_au.html
Source: {90926100-3051-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://dealmaker.pl/au_au.html
Source: {90926100-3051-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://dealmaker.pl/au_au.htmlRoot
Source: PDF_NEW_AU[1].htm0.2.dr String found in binary or memory: https://mailsafe.perimeterusa.com/tpl/Door/Login
Source: PDF_NEW_AU[1].htm0.2.dr String found in binary or memory: https://silversky.com/privacy-policy/
Source: ga[1].js.2.dr String found in binary or memory: https://ssl.google-analytics.com
Source: ga[1].js.2.dr String found in binary or memory: https://ssl.google-analytics.com/j/__utm.gif
Source: ga[1].js.2.dr String found in binary or memory: https://stats.g.doubleclick.net/j/collect?
Source: ga[1].js.2.dr String found in binary or memory: https://www.google.%/ads/ga-audiences?
Source: ga[1].js.2.dr String found in binary or memory: https://www.google.com/analytics/web/inpage/pub/inpage.js?
Source: PDF_NEW_AU[1].htm0.2.dr String found in binary or memory: https://www.google.com/s2/favicons?domain=?v=BUILD_HASH
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
System Summary:

Source: classification engine Classification label: mal56.phis.win@3/13@2/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{909260FE-3051-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFC47929C17D3041B0.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6904 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6904 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Behavior Graph

Behavior Graph ID: 323467
URL: https://dealmaker.pl/au_au.html
Startdate: 27/11/2020
Architecture: WINDOWS
Score: 56

Signatures attached to the sample:
  Antivirus / Scanner detection for submitted sample
  Yara detected HtmlPhish_30

Process tree (created registry values / created files in parentheses):
  iexplore.exe (1 / 51)
    iexplore.exe (2 / 42)
      DNS/IP: dealmaker.pl -> 192.185.186.178, port 443, local ports 49748 and 49749, UNIFIEDLAYER-AS-1US, United States
      Dropped file: C:\Users\user\AppData\Local\...\au_au[1].htm (HTML)

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name             Malicious
192.185.186.178  unknown  United States  46606  UNIFIEDLAYER-AS-1US  false

Contacted Domains

Name          IP               Active
dealmaker.pl  192.185.186.178  true

Contacted URLs

Name                                         Malicious  Antivirus Detection  Reputation
https://dealmaker.pl/PDF_NEW_AU/PDF_NEW_AU/  true                            unknown
https://dealmaker.pl/au_au.html              true                            unknown