Loading ...

Play interactive tourEdit tour

Analysis Report smartandfinalTicket#51347303511505986.htm

Overview

General Information

Sample Name:smartandfinalTicket#51347303511505986.htm
Analysis ID:356325
MD5:5f42d465e7e680e051a74bb797bc6535
SHA1:843faae5f7d10488aed129367e8ea7ada3396942
SHA256:e4b97c79b4c90cb26a1c518bc1a6d821444436d4420d1e579b781b1c3704bb57

Most interesting Screenshot:

Detection

HTMLPhisher
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10
JA3 SSL client fingerprint seen in connection with other malware

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 6832 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6924 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6832 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\authorize_client_id_5g1afb80-7jfq-ask4-t1bx-5zw0d17rfy48_qa32ux85vsrdgt9ncpmw7ebyo4kz10fjilh6hskufelop5ya3m1i0942tcrv8znqxbwj7gd692ez0tj4dmhkufaqbo7pnvyrxl3568cs1iwg[1].htmJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Antivirus detection for URL or domainShow sources
    Source: https://sydneybuildingengineers.com.au/OfficeV4/authorize_client_id:5g1afb80-7jfq-ask4-t1bx-5zw0d17rfy48_qa32ux85vsrdgt9ncpmw7ebyo4kz10fjilh6hskufelop5ya3m1i0942tcrv8znqxbwj7gd692ez0tj4dmhkufaqbo7pnvyrxl3568cs1iwg?data=dmlzaGFsLmt1bWFyQHNtYXJ0YW5kZmluYWwuY29tSlashNext: Label: Fake Login Page type: Phishing & Social Engineering

    Phishing:

    barindex
    Phishing site detected (based on favicon image match)Show sources
    Source: https://sydneybuildingengineers.com.au/OfficeV4/authorize_client_id:5g1afb80-7jfq-ask4-t1bx-5zw0d17rfy48_qa32ux85vsrdgt9ncpmw7ebyo4kz10fjilh6hskufelop5ya3m1i0942tcrv8znqxbwj7gd692ez0tj4dmhkufaqbo7pnvyrxl3568cs1iwg?data=dmlzaGFsLmt1bWFyQHNtYXJ0YW5kZmluYWwuY29tMatcher: Template: microsoft matched with high similarity
    Yara detected HtmlPhish_10Show sources
    Source: Yara matchFile source: 820094.pages.csv, type: HTML
    Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\authorize_client_id_5g1afb80-7jfq-ask4-t1bx-5zw0d17rfy48_qa32ux85vsrdgt9ncpmw7ebyo4kz10fjilh6hskufelop5ya3m1i0942tcrv8znqxbwj7gd692ez0tj4dmhkufaqbo7pnvyrxl3568cs1iwg[1].htm, type: DROPPED

    Compliance:

    barindex
    Uses new MSVCR DllsShow sources
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
    Uses secure TLS version for HTTPS connectionsShow sources
    Source: unknownHTTPS traffic detected: 208.91.198.178:443 -> 192.168.2.4:49734 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 208.91.198.178:443 -> 192.168.2.4:49733 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 192.169.157.161:443 -> 192.168.2.4:49736 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 192.169.157.161:443 -> 192.168.2.4:49737 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 192.169.157.161:443 -> 192.168.2.4:49752 version: TLS 1.2
    Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
    Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: msapplication.xml0.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6aad3e8e,0x01d70964</date><accdate>0x6aad3e8e,0x01d70964</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
    Source: msapplication.xml0.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6aad3e8e,0x01d70964</date><accdate>0x6aad3e8e,0x01d70964</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
    Source: msapplication.xml5.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6ab20340,0x01d70964</date><accdate>0x6ab20340,0x01d70964</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
    Source: msapplication.xml5.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6ab20340,0x01d70964</date><accdate>0x6ab20340,0x01d70964</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
    Source: msapplication.xml7.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6ab20340,0x01d70964</date><accdate>0x6ab20340,0x01d70964</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
    Source: msapplication.xml7.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6ab20340,0x01d70964</date><accdate>0x6ab20340,0x01d70964</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
    Source: unknownDNS traffic detected: queries for: saisas.com.co
    Source: msapplication.xml.1.drString found in binary or memory: http://www.amazon.com/
    Source: msapplication.xml1.1.drString found in binary or memory: http://www.google.com/
    Source: msapplication.xml2.1.drString found in binary or memory: http://www.live.com/
    Source: msapplication.xml3.1.drString found in binary or memory: http://www.nytimes.com/
    Source: msapplication.xml4.1.drString found in binary or memory: http://www.reddit.com/
    Source: msapplication.xml5.1.drString found in binary or memory: http://www.twitter.com/
    Source: msapplication.xml6.1.drString found in binary or memory: http://www.wikipedia.com/
    Source: msapplication.xml7.1.drString found in binary or memory: http://www.youtube.com/
    Source: authorize_client_id_5g1afb80-7jfq-ask4-t1bx-5zw0d17rfy48_qa32ux85vsrdgt9ncpmw7ebyo4kz10fjilh6hskufelop5ya3m1i0942tcrv8znqxbwj7gd692ez0tj4dmhkufaqbo7pnvyrxl3568cs1iwg[1].htm.3.drString found in binary or memory: https://fonts.gstatic.com/s/opensans/v16/mem5YaGs126MiZpBA-UN_r8OUuhs.ttf)
    Source: {920BAF37-7557-11EB-90EB-ECF4BBEA1588}.dat.1.drString found in binary or memory: https://saisas.com.co//Desktop/smartandfinalTicket#51347303511505986.htmexrobotosv4/?vishal.kumar
    Source: ~DF0C840B5320C13C8C.TMP.1.dr, exrobotosv4[1].htm.3.drString found in binary or memory: https://saisas.com.co/exrobotosv4/?vishal.kumar
    Source: smartandfinalTicket#51347303511505986.htmString found in binary or memory: https://saisas.com.co/exrobotosv4?vishal.kumar
    Source: OfficeV4[1].htm.3.drString found in binary or memory: https://sydneybuildingengineers.com.au/OfficeV4/?/dmlzaGFsLmt1bWFyQHNtYXJ0YW5kZmluYWwuY29t
    Source: ~DF0C840B5320C13C8C.TMP.1.drString found in binary or memory: https://sydneybuildingengineers.com.au/OfficeV4/authorize_client_id:5g1afb80-7jfq-ask4-t1bx-5zw0d17r
    Source: imagestore.dat.3.drString found in binary or memory: https://sydneybuildingengineers.com.au/OfficeV4/images/favicon.ico~
    Source: exrobotosv4[1].htm0.3.drString found in binary or memory: https://sydneybuildingengineers.com.au/OfficeV4?/dmlzaGFsLmt1bWFyQHNtYXJ0YW5kZmluYWwuY29t
    Source: {920BAF37-7557-11EB-90EB-ECF4BBEA1588}.dat.1.drString found in binary or memory: https://sydneybuildingexrobotosv4/?vishal.kumar
    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
    Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
    Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
    Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
    Source: unknownHTTPS traffic detected: 208.91.198.178:443 -> 192.168.2.4:49734 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 208.91.198.178:443 -> 192.168.2.4:49733 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 192.169.157.161:443 -> 192.168.2.4:49736 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 192.169.157.161:443 -> 192.168.2.4:49737 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 192.169.157.161:443 -> 192.168.2.4:49752 version: TLS 1.2
    Source: classification engineClassification label: mal64.phis.winHTM@3/31@3/3
    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{920BAF35-7557-11EB-90EB-ECF4BBEA1588}.datJump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF837C423F64999335.TMPJump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
    Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6832 CREDAT:17410 /prefetch:2
    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6832 CREDAT:17410 /prefetch:2Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading1OS Credential Dumping