Analysis Report One Note shergott@vivaldicap.com.html

Overview

General Information

Sample Name: One Note shergott@vivaldicap.com.html
Analysis ID: 356261
MD5: 6b9c5e9bfcf2518f66e80e941257ad09
SHA1: 85c854dfc0e3ef1a85aaeb17d7a2b5ccd5b8dbaa
SHA256: ffb4ba9437ffe8c45168b3ab63006d1c7a2e38815f6da1ca37875c5855b6f5e9

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish_10
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)

Classification

Phishing:

barindex
Yara detected HtmlPhish_10
Source: Yara match File source: One Note shergott@vivaldicap.com.html, type: SAMPLE
Source: Yara match File source: 648351.pages.csv, type: HTML
Phishing site detected (based on logo template match)
Source: file:///C:/Users/user/Desktop/One%20Note%20shergott@vivaldicap.com.html Matcher: Template: microsoft matched
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/One%20Note%20shergott@vivaldicap.com.html HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/One%20Note%20shergott@vivaldicap.com.html HTTP Parser: Number of links: 0
HTML title does not match URL
Source: file:///C:/Users/user/Desktop/One%20Note%20shergott@vivaldicap.com.html HTTP Parser: Title: Sign in to your account does not match URL
Source: file:///C:/Users/user/Desktop/One%20Note%20shergott@vivaldicap.com.html HTTP Parser: Title: Sign in to your account does not match URL
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/One%20Note%20shergott@vivaldicap.com.html HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/One%20Note%20shergott@vivaldicap.com.html HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/One%20Note%20shergott@vivaldicap.com.html HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/One%20Note%20shergott@vivaldicap.com.html HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/One%20Note%20shergott@vivaldicap.com.html HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/One%20Note%20shergott@vivaldicap.com.html HTTP Parser: No <meta name="copyright".. found

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49719 version: TLS 1.2

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.18.94 104.16.18.94
Source: Joe Sandbox View IP Address: 104.16.18.94 104.16.18.94
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xcaa2e129,0x01d7099b</date><accdate>0xcaa2e129,0x01d7099b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xcaa2e129,0x01d7099b</date><accdate>0xcaa2e129,0x01d7099b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xcaa7a5f8,0x01d7099b</date><accdate>0xcaa7a5f8,0x01d7099b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xcaa7a5f8,0x01d7099b</date><accdate>0xcaa7a5f8,0x01d7099b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xcaaa0833,0x01d7099b</date><accdate>0xcaaa0833,0x01d7099b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xcaaa0833,0x01d7099b</date><accdate>0xcaaa0833,0x01d7099b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: maxcdn.bootstrapcdn.com
Source: fontawesome-webfont[1].eot.2.dr, font-awesome.min[1].css.2.dr String found in binary or memory: http://fontawesome.io
Source: font-awesome.min[1].css.2.dr String found in binary or memory: http://fontawesome.io/license
Source: fontawesome-webfont[1].eot.2.dr String found in binary or memory: http://fontawesome.io/license/
Source: fontawesome-webfont[1].eot.2.dr String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: bootstrap.min[1].js.2.dr String found in binary or memory: http://getbootstrap.com)
Source: popper.min[1].js.2.dr String found in binary or memory: http://opensource.org/licenses/MIT).
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr String found in binary or memory: http://www.youtube.com/
Source: One Note shergott@vivaldicap.com.html String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.css
Source: One Note shergott@vivaldicap.com.html String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.0/umd/popper.min.js
Source: One Note shergott@vivaldicap.com.html String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: One Note shergott@vivaldicap.com.html String found in binary or memory: https://code.jquery.com/jquery-3.3.1.slim.min.js
Source: bootstrap.min[1].css.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: One Note shergott@vivaldicap.com.html String found in binary or memory: https://login.microsoftonline.com/jsdisabled
Source: One Note shergott@vivaldicap.com.html String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: One Note shergott@vivaldicap.com.html String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js
Source: One Note shergott@vivaldicap.com.html String found in binary or memory: https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: classification engine Classification label: mal52.phis.winHTML@3/23@4/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF21DEBDFF8AE13ED9.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6148 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6148 CREDAT:17410 /prefetch:2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356261 Sample: One Note shergott@vivaldica... Startdate: 22/02/2021 Architecture: WINDOWS Score: 52 17 Yara detected HtmlPhish_10 2->17 19 Phishing site detected (based on logo template match) 2->19 6 iexplore.exe 2 86 2->6         started        process3 process4 8 iexplore.exe 6 42 6->8         started        dnsIp5 11 cdnjs.cloudflare.com 104.16.18.94, 443, 49718, 49719 CLOUDFLARENETUS United States 8->11 13 stackpath.bootstrapcdn.com 8->13 15 2 other IPs or domains 8->15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.16.18.94
 unknown United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
cdnjs.cloudflare.com 104.16.18.94 true
stackpath.bootstrapcdn.com unknown unknown
code.jquery.com unknown unknown
maxcdn.bootstrapcdn.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
file:///C:/Users/user/Desktop/One%20Note%20shergott@vivaldicap.com.html true
    		low