Loading ...

Play interactive tourEdit tour

Analysis Report Notice_Admin_Johnstoncompanies_8578.htm

Overview

General Information

Sample Name:Notice_Admin_Johnstoncompanies_8578.htm
Analysis ID:339417
MD5:0942ee7ee610cd2e73c2a0106ea1c81c
SHA1:118535f07fc2212eaa674a964fdc9457237674a7
SHA256:47674319c59632d4e62e94d984cab6809e0ea56304dffb607d3527b14aac7769

Most interesting Screenshot:

Detection

HTMLPhisher
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10
Yara detected obfuscated html page
Phishing site detected (based on image similarity)
Phishing site detected (based on logo template match)
Found iframes
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware

Classification

Startup

  • System is w10x64
  • chrome.exe (PID: 6988 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized 'C:\Users\user\Desktop\Notice_Admin_Johnstoncompanies_8578.htm' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 3488 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,6654650566623360021,9724418133779178538,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1752 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Notice_Admin_Johnstoncompanies_8578.htmJoeSecurity_ObshtmlYara detected obfuscated html pageJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    Phishing:

    barindex
    Phishing site detected (based on favicon image match)Show sources
    Source: https://spanlid.cf/1e4bHpUurPshD0FEl6wSoIJfVMX9N3AqYO8yT5z7xQCv2gGtjiRBnLmkaKZc6DolWZF9jkr2aNsMxbIz1e3CVycRgXhEmAuSptfvB7KYL45TQ8HOnwUPqJ0i8w0o9l3bXGC7zmuYReK1aBtUDOTPSkVv4jLExn6QqWJfsZrIpMi2hFNy5cAHsFIpekyXgCjD56iScQHf8LJ7nZTmN4RqoBUuEr0xYhtGbKz3Wv2w9OVa1MAP/jxFXQm3WNEOuVLy1pRlJ5DnYsTzB2eScPK6M7b9foqA8vIiUC0Hk4ZtgharG.phpMatcher: Template: microsoft matched with high similarity
    Yara detected HtmlPhish_10Show sources
    Source: Yara matchFile source: 30509.pages.csv, type: HTML
    Yara detected obfuscated html pageShow sources
    Source: Yara matchFile source: Notice_Admin_Johnstoncompanies_8578.htm, type: SAMPLE
    Phishing site detected (based on image similarity)Show sources
    Source: https://spanlid.cf/1e4bHpUurPshD0FEl6wSoIJfVMX9N3AqYO8yT5z7xQCv2gGtjiRBnLmkaKZc6DolWZF9jkr2aNsMxbIz1e3CVycRgXhEmAuSptfvB7KYL45TQ8HOnwUPqJ0i8w0o9l3bXGC7zmuYReK1aBtUDOTPSkVv4jLExn6QqWJfsZrIpMi2hFNy5cAHsFIpekyXgCjD56iScQHf8LJ7nZTmN4RqoBUuEr0xYhtGbKz3Wv2w9OVa1MAP/jxFXQm3WNEOuVLy1pRlJ5DnYsTzB2eScPK6M7b9foqA8vIiUC0Hk4ZtgharG.phpMatcher: Found strong image similarity, brand: Microsoft image: 30509.img.2.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
    Phishing site detected (based on logo template match)Show sources
    Source: https://spanlid.cf/1e4bHpUurPshD0FEl6wSoIJfVMX9N3AqYO8yT5z7xQCv2gGtjiRBnLmkaKZc6DolWZF9jkr2aNsMxbIz1e3CVycRgXhEmAuSptfvB7KYL45TQ8HOnwUPqJ0i8w0o9l3bXGC7zmuYReK1aBtUDOTPSkVv4jLExn6QqWJfsZrIpMi2hFNy5cAHsFIpekyXgCjD56iScQHf8LJ7nZTmN4RqoBUuEr0xYhtGbKz3Wv2w9OVa1MAP/jxFXQm3WNEOuVLy1pRlJ5DnYsTzB2eScPK6M7b9foqA8vIiUC0Hk4ZtgharG.phpMatcher: Template: microsoft matched
    Source: https://www.microsoft.com/de-ch/microsoft-365/p/microsoft-365-family/cfq7ttc0k5dm?icid=mscom_marcom_H1a_M365FamilyHTTP Parser: Iframe src: https://publisher.liveperson.net/iframe-le-tag/iframe.html?lpsite=60270350&lpsection=store-sales-de-ch&buttons=lpChatService,lpChatSales
    Source: https://www.microsoft.com/de-ch/microsoft-365/p/microsoft-365-family/cfq7ttc0k5dm?icid=mscom_marcom_H1a_M365FamilyHTTP Parser: Iframe src: https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=1e87aacc-38d0-4635-5d2f-87eb80b1c1a9&partnerId=officeproducts
    Source: https://www.microsoft.com/de-ch/microsoft-365/p/microsoft-365-family/cfq7ttc0k5dm?icid=mscom_marcom_H1a_M365FamilyHTTP Parser: Iframe src: https://publisher.liveperson.net/iframe-le-tag/iframe.html?lpsite=60270350&lpsection=store-sales-de-ch&buttons=lpChatService,lpChatSales
    Source: https://www.microsoft.com/de-ch/microsoft-365/p/microsoft-365-family/cfq7ttc0k5dm?icid=mscom_marcom_H1a_M365FamilyHTTP Parser: Iframe src: https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=1e87aacc-38d0-4635-5d2f-87eb80b1c1a9&partnerId=officeproducts
    Source: https://spanlid.cf/1e4bHpUurPshD0FEl6wSoIJfVMX9N3AqYO8yT5z7xQCv2gGtjiRBnLmkaKZc6DolWZF9jkr2aNsMxbIz1e3CVycRgXhEmAuSptfvB7KYL45TQ8HOnwUPqJ0i8w0o9l3bXGC7zmuYReK1aBtUDOTPSkVv4jLExn6QqWJfsZrIpMi2hFNy5cAHsFIpekyXgCjD56iScQHf8LJ7nZTmN4RqoBUuEr0xYhtGbKz3Wv2w9OVa1MAP/jxFXQm3WNEOuVLy1pRlJ5DnYsTzB2eScPK6M7b9foqA8vIiUC0Hk4ZtgharG.phpHTTP Parser: Number of links: 0
    Source: https://spanlid.cf/1e4bHpUurPshD0FEl6wSoIJfVMX9N3AqYO8yT5z7xQCv2gGtjiRBnLmkaKZc6DolWZF9jkr2aNsMxbIz1e3CVycRgXhEmAuSptfvB7KYL45TQ8HOnwUPqJ0i8w0o9l3bXGC7zmuYReK1aBtUDOTPSkVv4jLExn6QqWJfsZrIpMi2hFNy5cAHsFIpekyXgCjD56iScQHf8LJ7nZTmN4RqoBUuEr0xYhtGbKz3Wv2w9OVa1MAP/jxFXQm3WNEOuVLy1pRlJ5DnYsTzB2eScPK6M7b9foqA8vIiUC0Hk4ZtgharG.phpHTTP Parser: Number of links: 0
    Source: https://spanlid.cf/1e4bHpUurPshD0FEl6wSoIJfVMX9N3AqYO8yT5z7xQCv2gGtjiRBnLmkaKZc6DolWZF9jkr2aNsMxbIz1e3CVycRgXhEmAuSptfvB7KYL45TQ8HOnwUPqJ0i8w0o9l3bXGC7zmuYReK1aBtUDOTPSkVv4jLExn6QqWJfsZrIpMi2hFNy5cAHsFIpekyXgCjD56iScQHf8LJ7nZTmN4RqoBUuEr0xYhtGbKz3Wv2w9OVa1MAP/jxFXQm3WNEOuVLy1pRlJ5DnYsTzB2eScPK6M7b9foqA8vIiUC0Hk4ZtgharG.phpHTTP Parser: Title: Sign in to your account does not match URL
    Source: https://spanlid.cf/1e4bHpUurPshD0FEl6wSoIJfVMX9N3AqYO8yT5z7xQCv2gGtjiRBnLmkaKZc6DolWZF9jkr2aNsMxbIz1e3CVycRgXhEmAuSptfvB7KYL45TQ8HOnwUPqJ0i8w0o9l3bXGC7zmuYReK1aBtUDOTPSkVv4jLExn6QqWJfsZrIpMi2hFNy5cAHsFIpekyXgCjD56iScQHf8LJ7nZTmN4RqoBUuEr0xYhtGbKz3Wv2w9OVa1MAP/jxFXQm3WNEOuVLy1pRlJ5DnYsTzB2eScPK6M7b9foqA8vIiUC0Hk4ZtgharG.phpHTTP Parser: Title: Sign in to your account does not match URL
    Source: https://www.microsoft.com/de-ch/microsoft-365/p/microsoft-365-family/cfq7ttc0k5dm?icid=mscom_marcom_H1a_M365FamilyHTTP Parser: No <meta name="author".. found
    Source: https://spanlid.cf/1e4bHpUurPshD0FEl6wSoIJfVMX9N3AqYO8yT5z7xQCv2gGtjiRBnLmkaKZc6DolWZF9jkr2aNsMxbIz1e3CVycRgXhEmAuSptfvB7KYL45TQ8HOnwUPqJ0i8w0o9l3bXGC7zmuYReK1aBtUDOTPSkVv4jLExn6QqWJfsZrIpMi2hFNy5cAHsFIpekyXgCjD56iScQHf8LJ7nZTmN4RqoBUuEr0xYhtGbKz3Wv2w9OVa1MAP/jxFXQm3WNEOuVLy1pRlJ5DnYsTzB2eScPK6M7b9foqA8vIiUC0Hk4ZtgharG.phpHTTP Parser: No <meta name="author".. found
    Source: https://www.microsoft.com/de-ch/microsoft-365/p/microsoft-36