
Analysis Report http://storangegoogleapiddp.agilecrm.com

Overview

General Information

Sample URL: http://storangegoogleapiddp.agilecrm.com
Analysis ID: 356207

Most interesting Screenshot:

Detection

Classification: HTMLPhisher
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish_10
Phishing site detected (based on logo template match)
Found iframes
HTML title does not match URL

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 3948 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5500 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3948 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\login[2].htm | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\login[1].htm | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\login[1].htm | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\login[3].htm | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\login[2].htm | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


Phishing:

Yara detected HtmlPhish_10
Source: Yara match | File source: 610930.0.links.csv, type: HTML
Source: Yara match | File source: 610930.1.links.csv, type: HTML
Source: Yara match | File source: 610930.pages.csv, type: HTML
Source: Yara match | File source: 610930.3.links.csv, type: HTML
Source: Yara match | File source: 610930.2.links.csv, type: HTML
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\login[2].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\login[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\login[3].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\login[4].htm, type: DROPPED

Phishing site detected (based on logo template match)
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=en | Matcher: Template: google matched
Source: https://storangegoogleapiddp.agilecrm.com/login | Matcher: Template: google matched
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=pt | Matcher: Template: google matched
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=fr | Matcher: Template: google matched

Found iframes
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=en | HTTP Parser: Iframe src: flatfull/preload-js-src-iframe.html
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=es | HTTP Parser: Iframe src: flatfull/preload-js-src-iframe.html
Source: https://storangegoogleapiddp.agilecrm.com/login | HTTP Parser: Iframe src: flatfull/preload-js-src-iframe.html
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=pt | HTTP Parser: Iframe src: flatfull/preload-js-src-iframe.html
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=ru | HTTP Parser: Iframe src: flatfull/preload-js-src-iframe.html
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=it | HTTP Parser: Iframe src: flatfull/preload-js-src-iframe.html
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=fr | HTTP Parser: Iframe src: flatfull/preload-js-src-iframe.html

HTML title does not match URL
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=en | HTTP Parser: Title: Login does not match URL
Source: https://storangegoogleapiddp.agilecrm.com/forgot-password | HTTP Parser: Title: Esqueci a Palavra-passe does not match URL
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=es | HTTP Parser: Title: Iniciar sesión does not match URL
Source: https://storangegoogleapiddp.agilecrm.com/login | HTTP Parser: Title: Login does not match URL
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=pt | HTTP Parser: Title: Entrar does not match URL
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=ru | HTTP Parser: Title: does not match URL
Source: https://storangegoogleapiddp.agilecrm.com/forgot-domain | HTTP Parser: Title: Esqueci o Domínio does not match URL
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=it | HTTP Parser: Title: Accedi does not match URL
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=fr | HTTP Parser: Title: Se connecter does not match URL

Source: https://storangegoogleapiddp.agilecrm.com/login?lang=en | HTTP Parser: No <meta name="copyright".. found
Source: https://storangegoogleapiddp.agilecrm.com/forgot-password | HTTP Parser: No <meta name="copyright".. found
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=es | HTTP Parser: No <meta name="copyright".. found
Source: https://storangegoogleapiddp.agilecrm.com/login | HTTP Parser: No <meta name="copyright".. found
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=pt | HTTP Parser: No <meta name="copyright".. found
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=ru | HTTP Parser: No <meta name="copyright".. found
Source: https://storangegoogleapiddp.agilecrm.com/forgot-domain | HTTP Parser: No <meta name="copyright".. found
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=it | HTTP Parser: No <meta name="copyright".. found
Source: https://storangegoogleapiddp.agilecrm.com/login?lang=fr | HTTP Parser: No <meta name="copyright".. found

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: storangegoogleapiddp.agilecrm.com
    Connection: Keep-Alive