Analysis Report https://217181.8b.io/

Overview

General Information

Sample URL: https://217181.8b.io/
Analysis ID: 339210

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected HtmlPhish_6
Phishing site detected (based on image similarity)
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://boawd.com/cgi-inc/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=875dea8150642da2c39cd31a7e0474fda47bea7f8b87125553305f0662243590ed7af3d6 SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: https://app.8b.io/app/themes/webamp/projects/agency/assets/images/logo.pngn Avira URL Cloud: Label: phishing
Source: https://app.8b.io/app/themes/webamp/projects/agency/assets/images/logo.png Avira URL Cloud: Label: phishing

Phishing:

Yara detected HtmlPhish_6
Source: Yara match File source: 818225.0.links.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\s[1].htm, type: DROPPED
Phishing site detected (based on image similarity)
Source: https://boawd.com/cgi-inc/new/s/files/logo.png Matcher: Found strong image similarity, brand: Microsoft
Phishing site detected (based on logo template match)
Source: https://boawd.com/cgi-inc/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=875dea8150642da2c39cd31a7e0474fda47bea7f8b87125553305f0662243590ed7af3d6 Matcher: Template: microsoft matched
HTML body contains low number of good links
Source: https://boawd.com/cgi-inc/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=875dea8150642da2c39cd31a7e0474fda47bea7f8b87125553305f0662243590ed7af3d6 HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://boawd.com/cgi-inc/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=875dea8150642da2c39cd31a7e0474fda47bea7f8b87125553305f0662243590ed7af3d6 HTTP Parser: Title: Validation does not match URL
Source: https://boawd.com/cgi-inc/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=875dea8150642da2c39cd31a7e0474fda47bea7f8b87125553305f0662243590ed7af3d6 HTTP Parser: No <meta name="author".. found
Source: https://boawd.com/cgi-inc/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=875dea8150642da2c39cd31a7e0474fda47bea7f8b87125553305f0662243590ed7af3d6 HTTP Parser: No <meta name="copyright".. found
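The HTTP Parser findings above (zero links, a title of "Validation" that shares nothing with the host name, no author or copyright meta tags) are cheap page-level heuristics that can be reproduced outside the sandbox. The Python below is an added example, not Joe Sandbox's signature logic: it applies those checks, plus a cross-origin credential-form check, to two constructed documents, one modelled on what the report describes for the boawd.com landing page and one benign. The sample HTML, the form target host `collector.example` and the score weights are assumptions; the only values taken from the report are the page title and the logo file name. Note also that the `signin` value in the landing URL, d41d8cd98f00b204e9800998ecf8427e, is the MD5 digest of the empty string, so it carries no per-victim information.

```python
"""Page-level phishing heuristics of the kind the sandbox's HTTP Parser reports.
Added example, not the sandbox's own code; weights and samples are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PageFeatures(HTMLParser):
    """Collect the DOM facts the heuristics need: title, anchors, meta names,
    form actions and whether a password field is present."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.links = []           # href values of <a> tags
        self.meta_names = set()   # lower-cased <meta name="..."> values
        self.form_actions = []    # action attributes of <form> tags
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _registrable(host):
    """Crude registrable-domain guess (last two labels). Assumption: adequate
    for the demo; use a public-suffix list in production."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(html, url):
    """Return (findings, score) for page body `html` served from `url`.
    The score weights are illustrative, not the sandbox's 0-100 scale."""
    p = _PageFeatures()
    p.feed(html)
    host = urlparse(url).hostname or ""
    findings = {}

    # "HTML body contains low number of good links": kits are a lone form.
    good = [h for h in p.links if h.startswith(("http://", "https://", "/"))]
    findings["low_link_count"] = len(good) < 3

    # "HTML title does not match URL": no substantive title word occurs in the host.
    words = [w for w in p.title.lower().split() if w.isalpha() and len(w) > 3]
    findings["title_url_mismatch"] = bool(words) and not any(w in host for w in words)

    # Missing <meta name="author"> and <meta name="copyright">.
    findings["no_meta_author"] = "author" not in p.meta_names
    findings["no_meta_copyright"] = "copyright" not in p.meta_names

    # Password form posting to a different registrable domain than the page.
    cross = any(
        urlparse(act).hostname and _registrable(urlparse(act).hostname) != _registrable(host)
        for act in p.form_actions
    )
    findings["cross_origin_credential_form"] = bool(cross) and p.password_inputs > 0

    weights = {"low_link_count": 15, "title_url_mismatch": 15, "no_meta_author": 5,
               "no_meta_copyright": 5, "cross_origin_credential_form": 40}
    return findings, sum(w for k, w in weights.items() if findings[k])


# Constructed sample modelled on the report's description of the landing page
# (title "Validation", Microsoft logo, no navigation links, a sign-in form).
# The form target host is invented; the report does not show where it posts.
PHISH_HTML = """<html><head><title>Validation</title></head><body>
<img src="files/logo.png" alt="Microsoft">
<form method="post" action="https://collector.example/cgi-inc/new/s/post.php">
<input type="email" name="email"><input type="password" name="passwd">
<button>Sign in</button></form></body></html>"""

# Constructed benign page: real navigation, author/copyright meta, no form.
BENIGN_HTML = """<html><head><title>Example Domain</title>
<meta name="author" content="Example Org"><meta name="copyright" content="Example Org">
</head><body><a href="/about">About</a> <a href="/help">Help</a>
<a href="https://www.iana.org/domains/example">IANA</a></body></html>"""

if __name__ == "__main__":
    print(analyze(PHISH_HTML, "https://boawd.com/cgi-inc/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e"))
    print(analyze(BENIGN_HTML, "https://example.com/"))
```

Run `analyze(body, final_url)` against the URL reached after redirects, not the one submitted: here the sandbox started at 217181.8b.io, an 8b.io site-builder page, and the credential form was served from boawd.com. The registrable-domain guess should be swapped for a public-suffix list before the cross-origin check is relied on, and none of these heuristics alone is conclusive; the sandbox combines them with the logo template match and the AV verdicts.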
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 52.201.120.251:443 -> 192.168.2.3:49686 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.201.120.251:443 -> 192.168.2.3:49687 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.119.132:443 -> 192.168.2.3:49690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.119.132:443 -> 192.168.2.3:49692 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.119.132:443 -> 192.168.2.3:49691 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.24.105.39:443 -> 192.168.2.3:49693 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.24.105.39:443 -> 192.168.2.3:49694 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.24.104.39:443 -> 192.168.2.3:49695 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.24.104.39:443 -> 192.168.2.3:49696 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.24.105.39:443 -> 192.168.2.3:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.188.108.191:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.188.108.191:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: 217181.8b.io
Source: amp-mustache-0.2[1].js.2.dr String found in binary or memory: http://github.com/janl/mustache.js
Source: AEU170SU.htm.2.dr, {F464A1CA-5607-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: https://217181.8b.io/
Source: {F464A1CA-5607-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: https://217181.8b.io/L
Source: {F464A1CA-5607-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: https://217181.8b.io/Root
Source: amp-mustache-0.2[1].js.2.dr, amp-analytics-0.1[1].js.2.dr, v0[1].js.2.dr String found in binary or memory: https://3p.ampproject.net
Source: AEU170SU.htm.2.dr String found in binary or memory: https://8b.com
Source: v0[1].js.2.dr String found in binary or memory: https://amp.dev/documentation/guides-and-tutorials/develop/style_and_layout/control_layout
Source: v0[1].js.2.dr String found in binary or memory: https://amp.dev/documentation/guides-and-tutorials/learn/experimental
Source: v0[1].js.2.dr String found in binary or memory: https://ampcid.google.com/v1/cache:getClientId?key=AIzaSyDKtqGxnoeIqVM33Uf7hRSa3GJxuzR7mLc
Source: v0[1].js.2.dr String found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId?key=
Source: AEU170SU.htm.2.dr String found in binary or memory: https://app.8b.io/app/themes/webamp/projects/agency/assets/images/logo.png
Source: imagestore.dat.2.dr String found in binary or memory: https://app.8b.io/app/themes/webamp/projects/agency/assets/images/logo.pngn
Source: {F464A1CA-5607-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: https://boawd.com/cgi-
Source: {F464A1CA-5607-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: https://boawd.com/cgi-L
Source: AEU170SU.htm.2.dr String found in binary or memory: https://boawd.com/cgi-inc/new
Source: new[1].htm.2.dr String found in binary or memory: https://boawd.com/cgi-inc/new/
Source: {F464A1CA-5607-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: https://boawd.com/cgi-inc/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=875dea8150642da2c39cd3
Source: amp-mustache-0.2[1].js.2.dr, amp-analytics-0.1[1].js.2.dr, v0[1].js.2.dr String found in binary or memory: https://cdn.ampproject.org
Source: AEU170SU.htm.2.dr String found in binary or memory: https://cdn.ampproject.org/v0.js
Source: AEU170SU.htm.2.dr String found in binary or memory: https://cdn.ampproject.org/v0/amp-analytics-0.1.js
Source: AEU170SU.htm.2.dr String found in binary or memory: https://cdn.ampproject.org/v0/amp-mustache-0.2.js
Source: v0[1].js.2.dr String found in binary or memory: https://developers.google.com/open-source/licenses/bsd
Source: AEU170SU.htm.2.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:100
Source: css[1].css0.2.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UNirkOUuhv.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOiCnqEu92Fr1Mu51QrEzAdKQ.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOjCnqEu92Fr1Mu51S7ACc6CsI.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOjCnqEu92Fr1Mu51TLBCc6CsI.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOjCnqEu92Fr1Mu51TjASc6CsI.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOjCnqEu92Fr1Mu51TzBic6CsI.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOkCnqEu92Fr1MmgVxIIzQ.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOkCnqEu92Fr1Mu51xIIzQ.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9fBBc-.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmSU5fBBc-.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmWUlfBBc-.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmYUtfBBc-.woff)
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxM.woff)
Source: amp-analytics-0.1[1].js.2.dr String found in binary or memory: https://github.com/ampproject/amphtml/blob/master/spec/amp-iframe-origin-policy.md
Source: v0[1].js.2.dr String found in binary or memory: https://log.amp.dev/?v=012012301722000&id=
Source: amp-loader-0.1[1].js.2.dr String found in binary or memory: https://mths.be/cssescape
Source: AEU170SU.htm.2.dr String found in binary or memory: https://r.8b.io/217181/images/background5-h_kjv9je6u.jpg
Source: amp-mustache-0.2[1].js.2.dr, amp-analytics-0.1[1].js.2.dr, v0[1].js.2.dr String found in binary or memory: https://us-central1-amp-error-reporting.cloudfunctions.net/r
Source: amp-mustache-0.2[1].js.2.dr, amp-analytics-0.1[1].js.2.dr, v0[1].js.2.dr String found in binary or memory: https://us-central1-amp-error-reporting.cloudfunctions.net/r-beta
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: classification engine Classification label: mal64.phis.win@3/25@6/5
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFE8C735A3CF508A06.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Behavior Graph

Behavior Graph ID: 339210
URL: https://217181.8b.io/
Startdate: 13/01/2021
Architecture: WINDOWS
Score: 64

Root node signatures: Antivirus detection for URL or domain; Yara detected HtmlPhish_6; Phishing site detected (based on image similarity); Phishing site detected (based on logo template match)
Root node DNS/IP: app.8b.io

Process tree (the two numbers after each process are the created-registry-value and created-file counters shown on the graph node):
  iexplore.exe (2 / 61) started
    iexplore.exe (3 / 52) started
      DNS/IP: cdn-content.ampproject.org 108.177.119.132, 443, 49690, 49691 GOOGLEUS United States
      DNS/IP: boawd.com 5.188.108.191, 443, 49707, 49708 GCOREAT Luxembourg
      DNS/IP: 5 other IPs or domains
      Dropped file: C:\Users\user\AppData\Local\...\s[1].htm, HTML

Contacted Public IPs

IP               Domain   Country        ASN     ASN Name         Malicious
108.177.119.132  unknown  United States  15169   GOOGLEUS         false
5.188.108.191    unknown  Luxembourg     199524  GCOREAT          false
52.201.120.251   unknown  United States  14618   AMAZON-AESUS     false
104.24.105.39    unknown  United States  13335   CLOUDFLARENETUS  false
104.24.104.39    unknown  United States  13335   CLOUDFLARENETUS  false

Contacted Domains

Name                                                   IP               Active
app.8b.io                                              104.24.105.39    true
r.8b.io                                                104.24.104.39    true
proxy-8b-io-1762796164.us-east-1.elb.amazonaws.com     52.201.120.251   true
cdn-content.ampproject.org                             108.177.119.132  true
boawd.com                                              5.188.108.191    true
217181.8b.io                                           unknown          unknown
cdn.ampproject.org                                     unknown          unknown

Contacted URLs

URL: https://217181.8b.io/
  Malicious: true
  Reputation: unknown

URL: https://boawd.com/cgi-inc/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=875dea8150642da2c39cd31a7e0474fda47bea7f8b87125553305f0662243590ed7af3d6
  Malicious: true
  Antivirus Detection: SlashNext: Fake Login Page type: Phishing & Social Engineering
  Reputation: unknown