Analysis Report https://facop5.com/toj/ZXNjdWxsaW5AbnMxLmNvbQ==

Overview

General Information

Sample URL: https://facop5.com/toj/ZXNjdWxsaW5AbnMxLmNvbQ==
Analysis ID: 339222

Detection

HTMLPhisher
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10
Yara detected HtmlPhish_3
Phishing site detected (based on image similarity)
HTML body contains low number of good links
HTML title does not match URL

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: https://facop5.com/toj/ZXNjdWxsaW5AbnMxLmNvbQ== SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering
Antivirus detection for URL or domain
Source: https://lobnet.org/tok/h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb?data=ZXNjdWxsaW5AbnMxLmNvbQ== SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on favicon image match)
Source: https://lobnet.org/tok/h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb?data=ZXNjdWxsaW5AbnMxLmNvbQ== Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish_10
Source: Yara match File source: 767668.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb[1].htm, type: DROPPED
Yara detected HtmlPhish_3
Source: Yara match File source: 767668.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb[1].htm, type: DROPPED
Phishing site detected (based on image similarity)
Source: https://lobnet.org/tok/images/inv-big-background.jpg Matcher: Found strong image similarity, brand: Microsoft
HTML body contains low number of good links
Source: https://lobnet.org/tok/h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb?data=ZXNjdWxsaW5AbnMxLmNvbQ== HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://lobnet.org/tok/h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb?data=ZXNjdWxsaW5AbnMxLmNvbQ== HTTP Parser: Title: login to your account does not match URL
Source: https://lobnet.org/tok/h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb?data=ZXNjdWxsaW5AbnMxLmNvbQ== HTTP Parser: No <meta name="author".. found
Source: https://lobnet.org/tok/h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb?data=ZXNjdWxsaW5AbnMxLmNvbQ== HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 162.144.238.203:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.144.238.203:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.144.238.203:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.144.238.203:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.224.194.19:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.224.194.19:443 -> 192.168.2.7:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.144.238.203:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: facop5.com
Source: ~DFFC49718EF75D1642.TMP.2.dr String found in binary or memory: https://facop5.com/toj/ZXNjdWxsaW5AbnMxLmNvbQ==
Source: {3A7C75D6-5609-11EB-90E6-ECF4BB82F7E0}.dat.2.dr String found in binary or memory: https://facop5.com/toj/ZXNjdWxsaW5AbnMxLmNvbQ==Root
Source: h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb[1].htm.3.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v16/mem5YaGs126MiZpBA-UN_r8OUuhs.ttf)
Source: h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb[1].htm.3.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v16/mem5YaGs126MiZpBA-UNirkOUuhs.ttf)
Source: h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb[1].htm.3.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v16/mem8YaGs126MiZpBA-UFVZ0e.ttf)
Source: ZXNjdWxsaW5AbnMxLmNvbQ==[1].htm.3.dr String found in binary or memory: https://lobnet.org/tok/ZXNjdWxsaW5AbnMxLmNvbQ==
Source: {3A7C75D6-5609-11EB-90E6-ECF4BB82F7E0}.dat.2.dr String found in binary or memory: https://lobnet.org/tok/ZXNjdWxsaW5AbnMxLmNvbQ==/h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv
Source: ~DFFC49718EF75D1642.TMP.2.dr String found in binary or memory: https://lobnet.org/tok/h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io
Source: imagestore.dat.3.dr String found in binary or memory: https://lobnet.org/tok/images/favicon.ico~
Source: h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb[1].htm.3.dr String found in binary or memory: https://logo.clearbit.com/ns1.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: classification engine Classification label: mal84.phis.win@3/21@4/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3A7C75D4-5609-11EB-90E6-ECF4BB82F7E0}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user~1\AppData\Local\Temp\~DFE26B57A9F59CC8F5.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3960 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3960 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Behavior Graph

Behavior Graph ID: 339222
URL: https://facop5.com/toj/ZXNj...
Startdate: 13/01/2021
Architecture: WINDOWS
Score: 84

Signatures on the submitted URL:
  • Antivirus detection for URL or domain
  • Antivirus / Scanner detection for submitted sample
  • Phishing site detected (based on favicon image match)
  • 3 other signatures

Processes:
  • iexplore.exe (started from the submitted URL)
  • iexplore.exe (child process, started by the first iexplore.exe)

DNS/IP contacts from the child iexplore.exe:
  • lobnet.org 162.144.238.203, port 443, local ports 49709, 49710, UNIFIEDLAYER-AS-1US, United States
  • d26p066pn2w0s0.cloudfront.net 13.224.194.19, port 443, local ports 49717, 49718, AMAZON-02US, United States
  • 2 other IPs or domains

Dropped file from the child iexplore.exe:
  • h63gwz2mqbo70kvt81...hrcwg4ly6jsb[1].htm, HTML

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
162.144.238.203 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | false
13.224.194.19 | unknown | United States | 16509 | AMAZON-02US | false

Contacted Domains

Name | IP | Active
d26p066pn2w0s0.cloudfront.net | 13.224.194.19 | true
facop5.com | 162.144.238.203 | true
lobnet.org | 162.144.238.203 | true
logo.clearbit.com | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://lobnet.org/tok/h63gwz2mqbo70kvt815cyspe4f9nxajrludi7de5wx0q6i4fs1hv2onz9urymlbjk3ca8tgp3a0io5tnzp1mxqvde92ufk87hrcwg4ly6jsb?data=ZXNjdWxsaW5AbnMxLmNvbQ== | true | SlashNext: Fake Login Page type: Phishing & Social Engineering | unknown