Analysis Report https://abundant-chivalrous-hedgehog.glitch.me/

Overview

General Information

Sample URL: https://abundant-chivalrous-hedgehog.glitch.me/
Analysis ID: 356142

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected HtmlPhish_10
Form action URLs do not match main URL
HTML body contains low number of good links
Invalid 'forgot password' link found
No HTML title found
Suspicious form URL found

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: https://abundant-chivalrous-hedgehog.glitch.me/ SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

barindex
Yara detected HtmlPhish_10
Source: Yara match File source: 767668.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\3YFB622I.htm, type: DROPPED
Form action URLs do not match main URL
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: Form action: https://valvulasthermovalve.cl/wpxmp/index.php glitch valvulasthermovalve
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: Form action: https://valvulasthermovalve.cl/wpxmp/index.php glitch valvulasthermovalve
HTML body contains low number of good links
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: Number of links: 0
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: Number of links: 0
Invalid 'forgot password' link found
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: Invalid link: Forgot Password?
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: Invalid link: Forgot Password?
No HTML title found
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: HTML title missing
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: HTML title missing
Suspicious form URL found
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: Form action: https://valvulasthermovalve.cl/wpxmp/index.php
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: Form action: https://valvulasthermovalve.cl/wpxmp/index.php
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: No <meta name="author".. found
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: No <meta name="author".. found
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: No <meta name="copyright".. found
Source: https://abundant-chivalrous-hedgehog.glitch.me/ HTTP Parser: No <meta name="copyright".. found

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 52.22.118.126:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.22.118.126:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: abundant-chivalrous-hedgehog.glitch.me
Source: 3YFB622I.htm.3.dr String found in binary or memory: http://getbootstrap.com)
Source: popper.min[1].js.3.dr String found in binary or memory: http://opensource.org/licenses/MIT).
Source: ~DFDD73DA9B157391E8.TMP.2.dr String found in binary or memory: https://abundant-chivalrous-hedgehog.glitch.me/
Source: {7DA4CA46-756E-11EB-90E5-ECF4BB570DC9}.dat.2.dr String found in binary or memory: https://abundant-chivalrous-hedgehog.glitch.me/Root
Source: 3YFB622I.htm.3.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: 3YFB622I.htm.3.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: 3YFB622I.htm.3.dr String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: 3YFB622I.htm.3.dr String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: 3YFB622I.htm.3.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: free-fa-regular-400[1].eot.3.dr, free.min[1].css.3.dr String found in binary or memory: https://fontawesome.com
Source: free.min[1].css.3.dr String found in binary or memory: https://fontawesome.com/license/free
Source: free-fa-regular-400[1].eot.3.dr, free-fa-solid-900[1].eot.3.dr String found in binary or memory: https://fontawesome.comhttps://fontawesome.comFont
Source: 3YFB622I.htm.3.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
Source: css[1].css.3.dr String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v12/tss0ApVBdCYD5Q7hcxTE1ArZ0bbwiXo.woff)
Source: bootstrap.min[1].js.3.dr String found in binary or memory: https://getbootstrap.com)
Source: bootstrap.min[1].js0.3.dr String found in binary or memory: https://getbootstrap.com/)
Source: 3YFB622I.htm.3.dr, bootstrap.min[1].js.3.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.3.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: 585b051251[1].js.3.dr String found in binary or memory: https://ka-f.fontawesome.com
Source: 585b051251[1].js.3.dr String found in binary or memory: https://kit.fontawesome.com
Source: 3YFB622I.htm.3.dr String found in binary or memory: https://kit.fontawesome.com/585b051251.js
Source: 3YFB622I.htm.3.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: 3YFB622I.htm.3.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: 3YFB622I.htm.3.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Source: 3YFB622I.htm.3.dr String found in binary or memory: https://valvulasthermovalve.cl/wpxmp/index.php
Source: 3YFB622I.htm.3.dr String found in binary or memory: https://www.google.com/s2/favicons?domain=
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 52.22.118.126:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.22.118.126:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: classification engine Classification label: mal56.phis.win@3/19@8/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7DA4CA44-756E-11EB-90E5-ECF4BB570DC9}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFDFF883BFB1B0276F.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:17410 /prefetch:2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 356142 URL: https://abundant-chivalrous... Startdate: 22/02/2021 Architecture: WINDOWS Score: 56 15 abundant-chivalrous-hedgehog.glitch.me 2->15 23 Antivirus / Scanner detection for submitted sample 2->23 25 Yara detected HtmlPhish_10 2->25 7 iexplore.exe 1 51 2->7         started        signatures3 process4 process5 9 iexplore.exe 2 46 7->9         started        dnsIp6 17 cdnjs.cloudflare.com 104.16.18.94, 443, 49722, 49723 CLOUDFLARENETUS United States 9->17 19 abundant-chivalrous-hedgehog.glitch.me 52.22.118.126, 443, 49707, 49708 AMAZON-AESUS United States 9->19 21 5 other IPs or domains 9->21 13 C:\Users\user\AppData\Local\...\3YFB622I.htm, HTML 9->13 dropped file7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
52.22.118.126
 unknown United States
14618 AMAZON-AESUS false
104.16.18.94
 unknown United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
cdnjs.cloudflare.com 104.16.18.94 true
abundant-chivalrous-hedgehog.glitch.me 52.22.118.126 true
stackpath.bootstrapcdn.com unknown unknown
ka-f.fontawesome.com unknown unknown
code.jquery.com unknown unknown
kit.fontawesome.com unknown unknown
maxcdn.bootstrapcdn.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://abundant-chivalrous-hedgehog.glitch.me/ false
    		high