Analysis Report https://217023.8b.io/

Overview

General Information

Sample URL: https://217023.8b.io/
Analysis ID: 339270

Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected HtmlPhish_10
HTML body contains low number of good links
HTML title does not match URL
Suspicious form URL found

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://lacecompound.com/sm/mfile/ SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish_10
Source: Yara match File source: 899552.0.links.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\mfile[1].htm, type: DROPPED
HTML body contains low number of good links
Source: https://lacecompound.com/sm/mfile/ HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://lacecompound.com/sm/mfile/ HTTP Parser: Title: Sharing Link Validation does not match URL
Suspicious form URL found
Source: https://lacecompound.com/sm/mfile/ HTTP Parser: Form action: mai.php
Source: https://lacecompound.com/sm/mfile/ HTTP Parser: No <meta name="author".. found
Source: https://lacecompound.com/sm/mfile/ HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 52.201.120.251:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.201.120.251:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.119.132:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.119.132:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.119.132:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.24.104.39:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.24.104.39:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.24.104.39:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.24.104.39:443 -> 192.168.2.3:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.24.104.39:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.181.244.134:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.181.244.134:443 -> 192.168.2.3:49736 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: 217023.8b.io
Source: amp-mustache-0.2[1].js.3.dr String found in binary or memory: http://github.com/janl/mustache.js
Source: ~DFE679E51CD7555755.TMP.2.dr, 03OIYGP2.htm.3.dr String found in binary or memory: https://217023.8b.io/
Source: {FDCDEC83-5617-11EB-90E4-ECF4BB862DED}.dat.2.dr String found in binary or memory: https://217023.8b.io/Root
Source: amp-mustache-0.2[1].js.3.dr, amp-analytics-0.1[1].js.3.dr, v0[1].js.3.dr String found in binary or memory: https://3p.ampproject.net
Source: 03OIYGP2.htm.3.dr String found in binary or memory: https://8b.com
Source: v0[1].js.3.dr String found in binary or memory: https://amp.dev/documentation/guides-and-tutorials/develop/style_and_layout/control_layout
Source: v0[1].js.3.dr String found in binary or memory: https://amp.dev/documentation/guides-and-tutorials/learn/experimental
Source: v0[1].js.3.dr String found in binary or memory: https://ampcid.google.com/v1/cache:getClientId?key=AIzaSyDKtqGxnoeIqVM33Uf7hRSa3GJxuzR7mLc
Source: v0[1].js.3.dr String found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId?key=
Source: imagestore.dat.3.dr, 03OIYGP2.htm.3.dr String found in binary or memory: https://app.8b.io/app/themes/webamp/projects/writer/assets/images/logo1.png
Source: amp-mustache-0.2[1].js.3.dr, amp-analytics-0.1[1].js.3.dr, v0[1].js.3.dr String found in binary or memory: https://cdn.ampproject.org
Source: 03OIYGP2.htm.3.dr String found in binary or memory: https://cdn.ampproject.org/v0.js
Source: 03OIYGP2.htm.3.dr String found in binary or memory: https://cdn.ampproject.org/v0/amp-analytics-0.1.js
Source: 03OIYGP2.htm.3.dr String found in binary or memory: https://cdn.ampproject.org/v0/amp-mustache-0.2.js
Source: v0[1].js.3.dr String found in binary or memory: https://developers.google.com/open-source/licenses/bsd
Source: 03OIYGP2.htm.3.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Forum:400
Source: 03OIYGP2.htm.3.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Neucha:400
Source: css[2].css.3.dr String found in binary or memory: https://fonts.gstatic.com/s/forum/v11/6aey4Ky-Vb8Ew8IROpQ.woff)
Source: css[1].css.3.dr String found in binary or memory: https://fonts.gstatic.com/s/neucha/v12/q5uGsou0JOdh94bfvQlr.woff)
Source: amp-analytics-0.1[1].js.3.dr String found in binary or memory: https://github.com/ampproject/amphtml/blob/master/spec/amp-iframe-origin-policy.md
Source: {FDCDEC83-5617-11EB-90E4-ECF4BB862DED}.dat.2.dr String found in binary or memory: https://lacecompound.c
Source: 03OIYGP2.htm.3.dr String found in binary or memory: https://lacecompound.com/sm/mfile
Source: ~DFE679E51CD7555755.TMP.2.dr, mfile[1].htm.3.dr String found in binary or memory: https://lacecompound.com/sm/mfile/
Source: ~DFE679E51CD7555755.TMP.2.dr String found in binary or memory: https://lacecompound.com/sm/mfile/.Sharing
Source: ~DFE679E51CD7555755.TMP.2.dr String found in binary or memory: https://lacecompound.com/sm/mfile/L
Source: {FDCDEC83-5617-11EB-90E4-ECF4BB862DED}.dat.2.dr String found in binary or memory: https://lacecompound.com/sm/mfile/Root
Source: v0[1].js.3.dr String found in binary or memory: https://log.amp.dev/?v=012012301722001&id=
Source: amp-intersection-observer-polyfill-0.1[1].js.3.dr String found in binary or memory: https://mths.be/cssescape
Source: 03OIYGP2.htm.3.dr String found in binary or memory: https://r.8b.io/217023/images/background5-h_kjukqdlq.jpg
Source: mfile[1].htm0.3.dr String found in binary or memory: https://spoprod-a.akamaihd.net
Source: amp-mustache-0.2[1].js.3.dr, amp-analytics-0.1[1].js.3.dr, v0[1].js.3.dr String found in binary or memory: https://us-central1-amp-error-reporting.cloudfunctions.net/r
Source: amp-mustache-0.2[1].js.3.dr, amp-analytics-0.1[1].js.3.dr, v0[1].js.3.dr String found in binary or memory: https://us-central1-amp-error-reporting.cloudfunctions.net/r-beta
Source: mfile[1].htm0.3.dr String found in binary or memory: https://vikinggenetics-my.sharepoint.com/personal/datho_vikinggenetics_com_au/_layouts/15/images/pdf
Source: classification engine Classification label: mal56.phis.win@3/24@7/5
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFBBCE481DAF4343C1.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected

Behavior Graph

Behavior Graph ID: 339270, URL: https://217023.8b.io/, Startdate: 13/01/2021, Architecture: WINDOWS, Score: 56

Nodes recovered from the rendered graph: iexplore.exe (parent) starts a second iexplore.exe; the child contacts app.8b.io, lacecompound.com (195.181.244.134, port 443, local ports 49735 and 49736, RACKRAYUABRakrejusLT, Lithuania), 17825-ipv4.farm.prod.aa-rt.sharepoint.com (104.146.245.41, port 443, local ports 49737 and 49738, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States) and 10 other IPs or domains; dropped file: C:\Users\user\AppData\Local\...\mfile[1].htm (HTML); signatures on the root node: Antivirus detection for URL or domain, Yara detected HtmlPhish_10.

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name                       Malicious
108.177.119.132  unknown  United States  15169  GOOGLEUS                       false
104.146.245.41   unknown  United States  8075   MICROSOFT-CORP-MSN-AS-BLOCKUS  false
195.181.244.134  unknown  Lithuania      62282  RACKRAYUABRakrejusLT           false
52.201.120.251   unknown  United States  14618  AMAZON-AESUS                   false
104.24.104.39    unknown  United States  13335  CLOUDFLARENETUS                false

Contacted Domains

Name IP Active
app.8b.io 104.24.104.39 true
lacecompound.com 195.181.244.134 true
r.8b.io 104.24.104.39 true
proxy-8b-io-1762796164.us-east-1.elb.amazonaws.com 52.201.120.251 true
cdn-content.ampproject.org 108.177.119.132 true
17825-ipv4.farm.prod.aa-rt.sharepoint.com 104.146.245.41 true
vikinggenetics-my.sharepoint.com unknown unknown
cdn.ampproject.org unknown unknown
217023.8b.io unknown unknown

Contacted URLs

Name                                Malicious  Antivirus Detection                                             Reputation
https://lacecompound.com/sm/mfile/  true       SlashNext: Fake Login Page type: Phishing & Social Engineering  unknown
https://217023.8b.io/               true       (none)                                                          unknown