Analysis Report #U03bd#U03bf#U0456#U0441#U0435m#U0430#U0456l202114170492f#U0433#U03bfm+19796076561 19796076561.HTM

Overview

General Information

Sample Name: #U03bd#U03bf#U0456#U0441#U0435m#U0430#U0456l202114170492f#U0433#U03bfm+19796076561 19796076561.HTM
Analysis ID: 339225
MD5: a459550229cce40c15f886dc9ba3bcd8
SHA1: 5f3bc52767b84da9b1febc37e4fa90046a8900d1
SHA256: 3cbf7d91c4bc9c1b5d0955d19c038408843b49b9b20e02a995b45792f72a0d8c

Detection

HTMLPhisher
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10
Yara detected obfuscated html page
Obfuscated HTML file found
JA3 SSL client fingerprint seen in connection with other malware

AV Detection:

Antivirus detection for URL or domain
Source: https://iccisc.com/images/new/sense/authorize_client_id:6yamswq8-z0x3-g8qm-rhyk-607iytq3huoc_kg8mla43sejbi17xcvowr2h9fnp5du6tqzy0zn8705xdg6a2o4yelkpbt9u31ismhqcvwfrjt3h5igr8zpdbeo4nq67ywc1af2mlu9vjkxs0?data=YmlrcmFtLmd1cnVuZ0BicmV3aW4uY28udWs= SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on favicon image match)
Source: https://iccisc.com/images/new/sense/authorize_client_id:6yamswq8-z0x3-g8qm-rhyk-607iytq3huoc_kg8mla43sejbi17xcvowr2h9fnp5du6tqzy0zn8705xdg6a2o4yelkpbt9u31ismhqcvwfrjt3h5igr8zpdbeo4nq67ywc1af2mlu9vjkxs0?data=YmlrcmFtLmd1cnVuZ0BicmV3aW4uY28udWs= Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish_10
Source: Yara match File source: 767668.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\authorize_client_id_6yamswq8-z0x3-g8qm-rhyk-607iytq3huoc_kg8mla43sejbi17xcvowr2h9fnp5du6tqzy0zn8705xdg6a2o4yelkpbt9u31ismhqcvwfrjt3h5igr8zpdbeo4nq67ywc1af2mlu9vjkxs0[1].htm, type: DROPPED
Yara detected obfuscated html page
Source: Yara match File source: #U03bd#U03bf#U0456#U0441#U0435m#U0430#U0456l202114170492f#U0433#U03bfm+19796076561 19796076561.HTM, type: SAMPLE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 103.27.87.65:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.27.87.65:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.27.87.65:443 -> 192.168.2.4:49732 version: TLS 1.2

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: iccisc.com
Source: authorize_client_id_6yamswq8-z0x3-g8qm-rhyk-607iytq3huoc_kg8mla43sejbi17xcvowr2h9fnp5du6tqzy0zn8705xdg6a2o4yelkpbt9u31ismhqcvwfrjt3h5igr8zpdbeo4nq67ywc1af2mlu9vjkxs0[1].htm.2.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v16/mem5YaGs126MiZpBA-UN_r8OUuhs.ttf)
Source: {E40FA487-55BE-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://iccisc.com/ima
Source: ~DF2C3DE4B398643922.TMP.1.dr String found in binary or memory: https://iccisc.com/images/new/sense/authorize_client_id:6yamswq8-z0x3-g8qm-rhyk-607iytq3huoc_kg8mla4
Source: imagestore.dat.2.dr String found in binary or memory: https://iccisc.com/images/new/sense/images/favicon.ico~
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: classification engine Classification label: mal76.phis.evad.winHTM@3/19@2/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E40FA485-55BE-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF36A0BF1EB91DC84B.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3136 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3136 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Confirm (this event is recorded 18 times in the report)
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Obfuscated HTML file found
Source: #U03bd#U03bf#U0456#U0441#U0435m#U0430#U0456l202114170492f#U0433#U03bfm+19796076561 19796076561.HTM Initial file: Did not find title "Voice message" in HTML/HTM content

Behavior Graph:

Behavior Graph ID: 339225
Startdate: 13/01/2021
Architecture: WINDOWS
Score: 76
Graph summary: iexplore.exe starts a child iexplore.exe process; the child resolves iccisc.com (103.27.87.65, port 443, client ports 49725 and 49726; ASN CTRLS-AS-INCtrlSDatacentersLtdIN, India) and drops authorize_client_i...f2mlu9vjkxs0[1].htm. Signatures attached to the sample node: Antivirus detection for URL or domain; Phishing site detected (based on favicon image match); Yara detected HtmlPhish_10; 2 other signatures.

Contacted Public IPs

IP            Domain   Country  ASN    ASN Name                          Malicious
103.27.87.65  unknown  India    18229  CTRLS-AS-INCtrlSDatacentersLtdIN  false

Contacted Domains

Name        IP            Active
iccisc.com  103.27.87.65  true

Contacted URLs

Name: https://iccisc.com/images/new/sense/authorize_client_id:6yamswq8-z0x3-g8qm-rhyk-607iytq3huoc_kg8mla43sejbi17xcvowr2h9fnp5du6tqzy0zn8705xdg6a2o4yelkpbt9u31ismhqcvwfrjt3h5igr8zpdbeo4nq67ywc1af2mlu9vjkxs0?data=YmlrcmFtLmd1cnVuZ0BicmV3aW4uY28udWs=
Malicious: true
Antivirus Detection: SlashNext: Fake Login Page type: Phishing & Social Engineering
Reputation: unknown