Analysis Report INVOICE.html

Overview

General Information

Sample Name: INVOICE.html
Analysis ID: 323932
MD5: c23676897af888d51882cc82cdb613f5
SHA1: 425fd76dd126543ba5e2548090e701d387d0fd0a
SHA256: 662992de22ac1118ff3ef15bf9f2505aab3de92012e2850b89dac517ec35f532

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish_10
HTML body contains low number of good links
JA3 SSL client fingerprint seen in connection with other malware
No HTML title found
None HTTPS page querying sensitive user data (password, username or email)
Suspicious form URL found

Classification

Phishing:

barindex
Yara detected HtmlPhish_10
Source: Yara match File source: 942247.pages.csv, type: HTML
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/INVOICE.html HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/INVOICE.html HTTP Parser: Number of links: 0
No HTML title found
Source: file:///C:/Users/user/Desktop/INVOICE.html HTTP Parser: HTML title missing
Source: file:///C:/Users/user/Desktop/INVOICE.html HTTP Parser: HTML title missing
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/INVOICE.html HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/INVOICE.html HTTP Parser: Has password / email / username input fields
Suspicious form URL found
Source: file:///C:/Users/user/Desktop/INVOICE.html HTTP Parser: Form action: https://paradisetele.com/wp-includes/images/BTCC/i.php
Source: file:///C:/Users/user/Desktop/INVOICE.html HTTP Parser: Form action: https://paradisetele.com/wp-includes/images/BTCC/i.php
Source: file:///C:/Users/user/Desktop/INVOICE.html HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/INVOICE.html HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/INVOICE.html HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/INVOICE.html HTTP Parser: No <meta name="copyright".. found

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2c99bb30,0x01d6c4fe</date><accdate>0x2c99bb30,0x01d6c4fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2c99bb30,0x01d6c4fe</date><accdate>0x2c99bb30,0x01d6c4fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2cb3f4f4,0x01d6c4fe</date><accdate>0x2cb3f4f4,0x01d6c4fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2cb3f4f4,0x01d6c4fe</date><accdate>0x2cb3f4f4,0x01d6c4fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2cb65746,0x01d6c4fe</date><accdate>0x2cb65746,0x01d6c4fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2cb65746,0x01d6c4fe</date><accdate>0x2cb65746,0x01d6c4fe</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: i.ibb.co
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr String found in binary or memory: http://www.youtube.com/
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7g.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTURjIg1_i6t8kCHKm45_ZpC3gnD-A.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTURjIg1_i6t8kCHKm45_aZA3gnD-A.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTURjIg1_i6t8kCHKm45_bZF3gnD-A.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTURjIg1_i6t8kCHKm45_c5H3gnD-A.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTURjIg1_i6t8kCHKm45_cJD3gnD-A.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTURjIg1_i6t8kCHKm45_dJE3gnD-A.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTUSjIg1_i6t8kCHKm459WlhzQ.woff)
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: classification engine Classification label: mal48.phis.winHTML@3/26@2/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{56772179-30F1-11EB-90EB-ECF4BBEA1588}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFD78511B2F90E11B4.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6944 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6944 CREDAT:17410 /prefetch:2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 323932 Sample: INVOICE.html Startdate: 27/11/2020 Architecture: WINDOWS Score: 48 15 Yara detected HtmlPhish_10 2->15 6 iexplore.exe 1 76 2->6         started        process3 process4 8 iexplore.exe 1 43 6->8         started        dnsIp5 11 i.ibb.co 145.239.131.60, 443, 49740, 49741 OVHFR France 8->11 13 mayhutsuahanoi.com 103.221.222.30, 443, 49738, 49739 FPT-AS-APTheCorporationforFinancingPromotingTechnolo Viet Nam 8->13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
145.239.131.60
unknown France
16276 OVHFR false
103.221.222.30
unknown Viet Nam
18403 FPT-AS-APTheCorporationforFinancingPromotingTechnolo false

Contacted Domains

Name IP Active
mayhutsuahanoi.com 103.221.222.30 true
i.ibb.co 145.239.131.60 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
file:///C:/Users/user/Desktop/INVOICE.html true
    low