Analysis Report coltTicket#513473.htm

Overview

General Information

Sample Name:	coltTicket#513473.htm
Analysis ID:	356444
MD5:	3ca789514cb60dff80297f34e6d5d8d2
SHA1:	af1d0e030396f002d3c3483bb49f4a83bfffadb5
SHA256:	38e2ad98dfd9b623e015abb651aa5e1f3ad7ff7d6631baff43dcc00626a9a967
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Phishing site detected (based on favicon image match)

Yara detected HtmlPhish_10

Phishing site detected (based on logo template match)

HTML body contains low number of good links

HTML title does not match URL

Invalid T&C link found

JA3 SSL client fingerprint seen in connection with other malware

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m?data=bGlvbmVsLnB1aWdAY29sdC5uZXQ=

SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on favicon image match)

Matcher: Template: microsoft matched with high similarity

Yara detected HtmlPhish_10

Source: Yara match	File source: 088753.pages.csv, type: HTML
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\authorize_client_id_1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m[1].htm, type: DROPPED

Phishing site detected (based on logo template match)

Matcher: Template: microsoft matched

HTML body contains low number of good links

Source: https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m?data=bGlvbmVsLnB1aWdAY29sdC5uZXQ=	HTTP Parser: Number of links: 0
Source: https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m?data=bGlvbmVsLnB1aWdAY29sdC5uZXQ=	HTTP Parser: Number of links: 0

HTML title does not match URL

Source: https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m?data=bGlvbmVsLnB1aWdAY29sdC5uZXQ=	HTTP Parser: Title: verify your login does not match URL
Source: https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m?data=bGlvbmVsLnB1aWdAY29sdC5uZXQ=	HTTP Parser: Title: verify your login does not match URL

Invalid T&C link found

Source: https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m?data=bGlvbmVsLnB1aWdAY29sdC5uZXQ=	HTTP Parser: Invalid link: Terms of use
Source: https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m?data=bGlvbmVsLnB1aWdAY29sdC5uZXQ=	HTTP Parser: Invalid link: Terms of use

Source: https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m?data=bGlvbmVsLnB1aWdAY29sdC5uZXQ=	HTTP Parser: No <meta name="author".. found
Source: https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m?data=bGlvbmVsLnB1aWdAY29sdC5uZXQ=	HTTP Parser: No <meta name="author".. found

Source: https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m?data=bGlvbmVsLnB1aWdAY29sdC5uZXQ=	HTTP Parser: No <meta name="copyright".. found
Source: https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m?data=bGlvbmVsLnB1aWdAY29sdC5uZXQ=	HTTP Parser: No <meta name="copyright".. found

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 103.134.152.4:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.134.152.4:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.134.152.4:443 -> 192.168.2.7:49715 version: TLS 1.2

Networking:

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7383101f,0x01d709fd</date><accdate>0x7383101f,0x01d709fd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7383101f,0x01d709fd</date><accdate>0x7383101f,0x01d709fd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x73857292,0x01d709fd</date><accdate>0x73857292,0x01d709fd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x73857292,0x01d709fd</date><accdate>0x73857292,0x01d709fd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7387d4f7,0x01d709fd</date><accdate>0x7387d4f7,0x01d709fd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7387d4f7,0x01d709fd</date><accdate>0x7387d4f7,0x01d709fd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: meval.id

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: authorize_client_id_1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m[1].htm.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v16/mem5YaGs126MiZpBA-UN_r8OUuhs.ttf)
Source: {9B717CCA-75F0-11EB-90E6-ECF4BB82F7E0}.dat.1.dr	String found in binary or memory: https://meval.id/Officdesk/Desktop/coltTicket#513473.htmeV4/authorize_client_id:1zres7px-z1ow-l78w-u
Source: ~DF4E1E16A9BC55B3B6.TMP.1.dr	String found in binary or memory: https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseoma
Source: imagestore.dat.2.dr	String found in binary or memory: https://meval.id/OfficeV4/images/favicon.ico~
Source: coltTicket#513473.htm	String found in binary or memory: https://meval.id/OfficeV4?lionel.puig

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown	HTTPS traffic detected: 103.134.152.4:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.134.152.4:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.134.152.4:443 -> 192.168.2.7:49715 version: TLS 1.2

Source: classification engine

Classification label: mal68.phis.winHTM@3/29@2/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9B717CC8-75F0-11EB-90E6-ECF4BB82F7E0}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF7924CC926C2A478F.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5256 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5256 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.134.152.4	unknown	Singapore		138608	CLOUDHOST-AS-APCloudHostPteLtdSG	false

Contacted Domains

Name	IP	Active
meval.id	103.134.152.4	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://meval.id/OfficeV4/authorize_client_id:1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m?data=bGlvbmVsLnB1aWdAY29sdC5uZXQ=	true	SlashNext: Fake Login Page type: Phishing & Social Engineering	unknown

ID:	356444
Product:	CloudBasic
Start time:	08:02:17
Start date:	23.02.2021
Sample:	coltTicket#513473.htm
Cookbook:	defaultwindowshtmlcookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	3ca789514cb60dff80297f34e6d5d8d2
SHA1:	af1d0e030396f002d3c3483bb49f4a83bfffadb5
SHA256:	38e2ad98dfd9b623e015abb651aa5e1f3ad7ff7d6631baff43dcc00626a9a967
Filetype:	HyperText Markup Language (31031/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9B717CC8-75F0-11EB-90E6-ECF4BB82F7E0}.dat	Microsoft Word Document	B3F24D2B739A7BE4D8A113952B49861C	AC95B1A68F48612B966B58D6D2CB1364C098B7C5	380ECA98F91373C08D414A6FFB68011F3B9BA093E4B820B1F36A6F84D9B8E070
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9B717CCA-75F0-11EB-90E6-ECF4BB82F7E0}.dat	Microsoft Word Document	40A97B34F718BD56E5973C374C844F3F	3FBB52CB9EDCD27B9242FB70D234800570FB16E1	8B81A7FA61C3D159C7D56E1362ED901F17FF6259C5CD7C1A735DEAAD120C2C0C
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A2261881-75F0-11EB-90E6-ECF4BB82F7E0}.dat	Microsoft Word Document	E5B09CFB5427FFE3E20F0CEBD3C26F41	477947E5113C3BEE74BBC45E2F3D142958A41529	402CC9C52D99221A65405CDCBFECD04181EBA3E11C5971CF244B8363BABA6296
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	5068051B7378D314C2098F3CB62E3374	6AC816B4618C11071B2079D2C54D5550E7A40D6C	4A9074D952CA80BD7F885431ADC51F273DC1923188B81876BEC14B99788E3C9F
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	4C011CBC15786D92702CCAB2002FB487	984446306339A3538BD9D474E731BD7958B93B35	1EC39522FE1A1A4EAEC1ADD98A46A419AFB04BF19D984DF85783EE5DA2D998BA
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	3370E7C6483FB934D5035E3C58034B10	79BBAC757849F279DA5A61B0E121B0C1B33ABC01	3C8B32BEE0E7235E393929E0D53E5A83DA75C3BE4C62ACA73EF723F58DC1023D
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	BC83469F3A14CC511E5E2490C01966B9	105CD00D8984A7C67201A8B22DEB03A97D808823	4F0DF851E6B43D5083D323F0C9DE1AE5082C81AA6193085FEBAC9BC8B1B7BDD5
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	013AE705A008500856205357367052A9	5639C4AE0E243E06E32E079FE2413A27A9D70420	A938EA4CD98EF55441266EB1913D4F4E3D3AA6F9FC84A086627981CD76B0227A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	F79037A724C031B9707B749AE6A0E8D8	BCFBFB4CA9004EE3F08B52592AED625B7AFAA8A5	4AD8032B296844173C3E6375961A2000B017868ED45D3335C71A2E21EF1DDEEF
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	FD72066A71EA0336DE8903F2D972F94D	439C8BB5799A71129E25D844CC30DA3BFF882C5A	2703B64303A71D49C95B5AF91A99E68541DDCD8A9C1E89A0001A8FC24A33F414
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	5178EA194F27EEFED30F641D10E112F4	44389B1FF13A1BFEF36339D02BCDCCEE94A256F2	DA0DDF09274A209661644F8531885BFF31AC08506962DE8DA77194D426F6DFB4
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	1C279BDA437E2CA17DAD5CDE12442B0A	2C3673B4AE3810198F95DF3E0AC8BBAEF430A5D6	77E0F072FF3B4A1CA553D5BD435E838A121FB55B6B151FA9064A23CFCB3D7C70
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\po60zt0\imagestore.dat	data	DA2006B00A78B361C9B9B4A9C3FF2E94	3D867D3C6241657C2835DC231FC34CC601067626	9784AA02A068BD78CA2F542E097223ACF30AC09238BF21C6BB0A8E88DBCF3522
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\arrow_left[1].svg	SVG Scalable Vector Graphics image	A9CC2824EF3517B6C4160DCF8FF7D410	8DB9AEBAD84CA6E4225BFDD2458FF3821CC4F064	34F9DB946E89F031A80DFCA7B16B2B686469C9886441261AE70A44DA1DFA2D58
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\authorize_client_id_1zres7px-z1ow-l78w-uhas-vj53h0tpifmz_j8xb0quz4kdwseomaf29iy56l3nvgph7rct1w52ba18t0h6glcqn9dkuj43ozxvspmei7fryvs57pokxyhgujl8r3eaq6tnwcid09z4b1f2m[1].htm	data	0930E92656792D2DB5A9A3293EEB648D	03F2DEE0DE4DEF169FB3C0D6BFE9CD415331ABE7	B51CC2F4376A8E3B3BFCBDF8370EBBC448DECD835D06DB923E6339C067678A01
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\style[1].css	ASCII text, with very long lines, with no line terminators	9F94F80A5DC09BB962778175292195BC	A7F2E32B422AC9654F39EA870E403599791FCE1C	1CF4B3AD7ABF3189E78C1B3BD07308C92A03FA795FDBC5821FCDE24030CFEAD0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\ellipsis_grey[1].svg	SVG Scalable Vector Graphics image	2B5D393DB04A5E6E1F739CB266E65B4C	6A435DF5CAC3D58CCAD655FE022CCF3DD4B9B721	16C3F6531D0FA5B4D16E82ABF066233B2A9F284C068C663699313C09F5E8D6E6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\ellipsis_white[1].svg	SVG Scalable Vector Graphics image	5AC590EE72BFE06A7CECFD75B588AD73	DDA2CB89A241BC424746D8CF2A22A35535094611	6075736EA9C281D69C4A3D78FF97BB61B9416A5809919BABE5A0C5596F99AAEA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\enterpass[1].png	PNG image data, 170 x 29, 8-bit/color RGB, non-interlaced	BD6E291A9A3CC17ED37605E4FF0010CC	6C1EFD74231E3D253E0F51E4656ECED2F3335D71	706DE242E7C3CFC4B16BA8174723F26FB80566C3171E9E795F057476011A5DE1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\OfficeV4[1].htm	HTML document, ASCII text, with CRLF, LF line terminators	67F3A5933C17B3AB044826D3927D0BA9	5957076D09BACAA6DB8DDC832B4FD87ED8F05F8A	97E800F4836B7030DD58FE6296294B7FF5EF1B5EB0E88353F230EA1608D2BB64
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\favicon[1].ico	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel	7CDD5A7E87E82D145E7F82358F9EBD04	265104CAD00300E4094F8CE6A9EDC86E54812EAD	5D91563B6ACD54468AE282083CF9EE3D2C9B2DAA45A8DE9CB661C2195B9F6CBF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\forgpass[1].png	PNG image data, 121 x 20, 8-bit/color RGB, non-interlaced	B19CAC60E41C79BD974C1080088C6FEF	FFE553D8CA430DD309494E910A989271648A4DDD	E29DB32031DC537AEE9CB557B408395F3324F1E0F744349C0CDF943A3AF39296
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\firstmsg1[1].png	PNG image data, 353 x 41, 8-bit/color RGBA, non-interlaced	B7EA3983E3C2D7E5F61B8D1B42758189	FE0817947CA4BC53152ED9378470675D9AF189FD	7B6CF23AC2454B039DDF4F51B7074636ED5B08B6A1D254A47430C4ACE2A3569D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\inv-big-background[1].png	PNG image data, 1920 x 1080, 8-bit colormap, non-interlaced	62DDD263C8A6A4C9074E205B91182D04	1B56D11B012DD79DD99212EBB54ADCFB60920A9D	A59EA699D353D00FF2999111F9FA11FB73A47EDA7800642609CA230560EA3703
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\passwrd[1].png	PNG image data, 69 x 34, 8-bit/color RGBA, non-interlaced	4F2A1D382216546E2C3BC620497FD4E3	F785EC5967B5666387304F779306F9C3E3359FF4	105C03D3360CDB953585482374B2CC953D090741037502B0609629F5BB0135B7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\sigin[1].png	PNG image data, 108 x 32, 8-bit/color RGBA, non-interlaced	681B83E88BA6AACCC72705FBF9F2257B	D69957C47026108511225160BE9BD15788D26E14	F32A760F15530284447282AF5C7D0825BABF8BC4739E073928F6128830819F7A
C:\Users\user\AppData\Local\Temp\~DF10E1D2B49952F50F.TMP	data	FE50D5DACC81B84CC7C5860ED41AEC82	EA04699E39AF130224C3427DAF0021519C92C642	2287356A218ACDDFEE770E77F5E2BC955FFFF98F0B354C478ED541837D668786
C:\Users\user\AppData\Local\Temp\~DF4E1E16A9BC55B3B6.TMP	data	CFC264954E38DDF027A62D1DDE1A006F	1CEEF3FDF4702746D91A48DE86D5AA313F544358	2E3760E5A93D359406CE6F95F11416D855101273E9B4FD6C9410968410F9CDAA
C:\Users\user\AppData\Local\Temp\~DF7924CC926C2A478F.TMP	data	974A623B470C46B71B88D640AEEA185B	EAEF073155B11BC61F44CCCF9CF4792465A69084	9683A1C11C901C05F67B15602D05B746A5B20F1454EE5F93B72F27035EED70C1

Analysis Report coltTicket#513473.htm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Phishing:

Compliance:

Networking:

System Summary:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs