Analysis Report MALWARE ACH WIRE PAYMENT ADVICE..xlsx

Overview

General Information

Sample Name: MALWARE ACH WIRE PAYMENT ADVICE..xlsx
Analysis ID: 339405
MD5: a66a202e970df086cc265cb646127bfb
SHA1: c8986173e16bb9b0703490afba594ec5eef08a4a
SHA256: e29c6206512f1f778f1af9a1ff2af2bb82107271e00c873930398b703294d75e

Detection

HTMLPhisher
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish_25
Phishing site detected (based on image similarity)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Steals Internet Explorer cookies

Classification

Phishing:

Yara detected HtmlPhish_25
Source: Yara match File source: 715575.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ZlFRrg5s[1].htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\ZlFRrg5s[1].htm, type: DROPPED
Phishing site detected (based on image similarity)
Source: https://images.typeform.com/images/nXkRcNPp6wtg/background/large Matcher: Found strong image similarity, brand: Microsoft

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.247.242.20
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B24727B2.jpeg
Source: unknown DNS traffic detected: queries for: 24mbw17feyn.typeform.com
Source: {06357C75-5634-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://24mbw17feyn.ty
Source: ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://24mbw17feyn.typeform.com/oembed?url=https%3A%2F%2F24mbw17feyn.typeform.com%2Fto%2FZlFRrg5s
Source: ZlFRrg5s[1].htm.3.dr, {0B7414B6-5634-11EB-ADCF-ECF4BBB5915B}.dat.6.dr String found in binary or memory: https://24mbw17feyn.typeform.com/to/ZlFRrg5s
Source: ~DF603759FFBDDCD7CD.TMP.2.dr String found in binary or memory: https://24mbw17feyn.typeform.com/to/ZlFRrg5s/favicon-32x32.png
Source: ~DF603759FFBDDCD7CD.TMP.2.dr String found in binary or memory: https://24mbw17feyn.typeform.com/to/ZlFRrg5s6MlCR0S0FT
Source: {06357C75-5634-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://24mbw17feyn.typeform.com/to/ZlFRrg5s6Root
Source: {06357C75-5634-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://24mbw17feyn.typeform.com/to/ZlFRrg5s6om/?utm_campaign=undefined&utm_sorm.com/to/ZlFRrg5s
Source: {06357C75-5634-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://24mbw17feyn.typeform.com/to/ZlFRrg5s6peform.com/to/ZlFRrg5sRoot
Source: {06357C75-5634-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://24mbw17feyn.typeform.com/to/ZlFRrg5sRoot
Source: ~DF603759FFBDDCD7CD.TMP.2.dr String found in binary or memory: https://24mbw17feyn.typeform.com/to/ZlFRrg5sz
Source: ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://images.typeform.com/images/CJr828dpN5yQ/image/default
Source: ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://images.typeform.com/images/FYUps4mFKPYK/image/default
Source: ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://images.typeform.com/images/nXkRcNPp6wtg/background/large
Source: ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://images.typeform.com/images/nXkRcNPp6wtg/background/large);background-position:top
Source: ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/apple-touch-icon.png
Source: ~DF603759FFBDDCD7CD.TMP.2.dr, ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/browserconfig.xml
Source: ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/favicon-16x16.png
Source: ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/favicon-32x32.png
Source: imagestore.dat.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/favicon-32x32.png-
Source: ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/favicon.ico
Source: ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/safari-pinned-tab.svg
Source: ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/site.webmanifest
Source: {06357C75-5634-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://www.typeform.c
Source: ZlFRrg5s[1].htm.3.dr String found in binary or memory: https://www.typeform.com/?utm_campaign=undefined&utm_source=typeform.com-17520522-Free&utm_m
Source: ~DF603759FFBDDCD7CD.TMP.2.dr String found in binary or memory: https://www.typeform.com/?utm_campaign=undefined&utm_source=typeform.com-17520522-Free&utm_medium=ty
Source: unknown Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown HTTPS traffic detected: 65.9.58.120:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.120:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.100:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.100:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.247.242.20:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.247.242.20:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.89:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.247.242.20:443 -> 192.168.2.22:49184 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.247.242.20:443 -> 192.168.2.22:49183 version: TLS 1.2
Source: classification engine Classification label: mal52.phis.winXLSX@8/31@12/4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$MALWARE ACH WIRE PAYMENT ADVICE..xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCD6C.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2528 CREDAT:275457 /prefetch:2
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://24mbw17feyn.typeform.com/to/ZlFRrg5s
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1836 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://24mbw17feyn.typeform.com/to/ZlFRrg5s
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2528 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1836 CREDAT:275457 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (reported 23 times)

Stealing of Sensitive Information:

Steals Internet Explorer cookies
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\BPMGT7B2.txt

Behavior Graph

Behavior Graph ID: 339405
Sample: MALWARE ACH WIRE PAYMENT AD...
Startdate: 13/01/2021
Architecture: WINDOWS
Score: 52

Graph-level signatures: Yara detected HtmlPhish_25; Phishing site detected (based on image similarity)
Graph-level DNS/IP: public-assets.typeform.com; d2p6vz8nayi9a3.cloudfront.net

Process tree recovered from the graph (per-process network and dropped-file activity in parentheses):

  • EXCEL.EXE, started (65.9.58.89, 443, 49178, AMAZON-02US, United States; images.typeform.com; 2 other IPs or domains)
    • iexplore.exe, started by EXCEL.EXE (24mbw17feyn.typeform.com)
      • iexplore.exe, started (js-agent.newrelic.com; bam.nr-data.net; 24mbw17feyn.typeform.com; dropped C:\Users\user\AppData\...\ZlFRrg5s[1].htm, HTML)
  • iexplore.exe, started
    • iexplore.exe, started (bam.nr-data.net 162.247.242.20, 443, 49173, 49174, NEWRELIC-AS-1US, United States; d2nvsmtq2poimt.cloudfront.net 65.9.58.100, 443, 49171, 49172, AMAZON-02US, United States; 5 other IPs or domains; dropped C:\Users\user\AppData\...\ZlFRrg5s[1].htm, HTML)

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name         Malicious
65.9.58.100     unknown  United States  16509  AMAZON-02US      false
65.9.58.120     unknown  United States  16509  AMAZON-02US      false
162.247.242.20  unknown  United States  23467  NEWRELIC-AS-1US  false
65.9.58.89      unknown  United States  16509  AMAZON-02US      false

Contacted Domains

Name IP Active
d2nvsmtq2poimt.cloudfront.net 65.9.58.100 true
bam.nr-data.net 162.247.242.20 true
d2p6vz8nayi9a3.cloudfront.net 65.9.58.120 true
public-assets.typeform.com unknown unknown
js-agent.newrelic.com unknown unknown
images.typeform.com unknown unknown
24mbw17feyn.typeform.com unknown unknown

Contacted URLs

Name  Malicious  Antivirus Detection  Reputation
https://www.typeform.com/?utm_campaign=undefined&utm_source=typeform.com-17520522-Free&utm_medium=typeform&utm_content=typeform-closescreen&utm_term=EN  false  (none listed)  high
https://24mbw17feyn.typeform.com/to/ZlFRrg5s  false  (none listed)  high