Analysis Report http://hallowed-glory-diabloceratops.glitch.me

Overview

General Information

Sample URL: http://hallowed-glory-diabloceratops.glitch.me
Analysis ID: 356678

Detection

HTMLPhisher
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10
Yara detected HtmlPhish_7
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
Non-HTTPS page querying sensitive user data (password, username or email)
Unusually large HTML page

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: http://hallowed-glory-diabloceratops.glitch.me UrlScan: detection malicious, Label: phishing brand: onedrive generic
Antivirus detection for URL or domain
Source: http://hallowed-glory-diabloceratops.glitch.me/ SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: http://hallowed-glory-diabloceratops.glitch.me/ UrlScan: Label: phishing brand: onedrive generic

Phishing:

Phishing site detected (based on favicon image match)
Source: http://hallowed-glory-diabloceratops.glitch.me/ Matcher: Template: office matched with high similarity
Yara detected HtmlPhish_10
Source: Yara match File source: 103386.pages.csv, type: HTML
Yara detected HtmlPhish_7
Source: Yara match File source: 103386.pages.csv, type: HTML
Phishing site detected (based on logo template match)
Source: http://hallowed-glory-diabloceratops.glitch.me/ Matcher: Template: onedrive matched
HTML body contains low number of good links
Source: http://hallowed-glory-diabloceratops.glitch.me/ HTTP Parser: Number of links: 0
HTML title does not match URL
Source: http://hallowed-glory-diabloceratops.glitch.me/ HTTP Parser: Title: Onedrive does not match URL
Non-HTTPS page querying sensitive user data (password, username or email)
Source: http://hallowed-glory-diabloceratops.glitch.me/ HTTP Parser: Has password / email / username input fields
Unusually large HTML page
Source: http://hallowed-glory-diabloceratops.glitch.me/ HTTP Parser: Total size: 1600486
Source: http://hallowed-glory-diabloceratops.glitch.me/ HTTP Parser: No <meta name="author".. found
Source: http://hallowed-glory-diabloceratops.glitch.me/ HTTP Parser: No <meta name="copyright".. found

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49726 version: TLS 1.2
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: hallowed-glory-diabloceratops.glitch.me Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /css/hover.css HTTP/1.1 Accept: text/css, */* Referer: http://hallowed-glory-diabloceratops.glitch.me/ Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: hallowed-glory-diabloceratops.glitch.me Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: hallowed-glory-diabloceratops.glitch.me
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 23 Feb 2021 13:54:25 GMT Content-Length: 3538 Connection: keep-alive Cache-Control: max-age=0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 6c 6c 2c 20 79 6f 75 20 66 6f 75 6e 64 20 61 20 67 6c 69 74 63 68 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6c 6f 75 64 2e 77 65 62 74 79 70 65 2e 63 6f 6d 2f 63 73 73 2f 33 61 38 65 35 35 63 36 2d 62 31 66 33 2d 34 36 35 39 2d 39 39 65 62 2d 31 32 35 61 65 37 32 62 64 30 38 34 2e 63 73 73 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 2a 20 7b 0a 20 20 20 20 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 42 65 6e 74 6f 6e 20 53 61 6e 73 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 53 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 36 30 25 3b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 33 37 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0a 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 30 70 78 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 33 30 25 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 3
Source: ~DF5D450624F6D4AA94.TMP.1.dr String found in binary or memory: http://hallowed-glory-diabloceratops.glitch.me/
Source: {0F0DF446-762A-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: http://hallowed-glory-diabloceratops.glitch.me/Root
Source: popper.min[1].js.2.dr String found in binary or memory: http://opensource.org/licenses/MIT).
Source: imagestore.dat.2.dr String found in binary or memory: https://blobs.officehome.msocdn.com/images/content/images/favicon-8f211ea639.ico
Source: imagestore.dat.2.dr String found in binary or memory: https://blobs.officehome.msocdn.com/images/content/images/favicon-8f211ea639.ico~
Source: free.min[1].css.2.dr String found in binary or memory: https://fontawesome.com
Source: free.min[1].css.2.dr String found in binary or memory: https://fontawesome.com/license/free
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v12/tss0ApVBdCYD5Q7hcxTE1ArZ0bbwiXo.woff)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://getbootstrap.com)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: 585b051251[1].js.2.dr String found in binary or memory: https://ka-f.fontawesome.com
Source: 585b051251[1].js.2.dr String found in binary or memory: https://kit.fontawesome.com
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: classification engine Classification label: mal84.phis.win@3/21@8/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF9A8E2E2BC12913AE.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6096 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6096 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected

Behavior Graph

Behavior Graph ID: 356678
URL: http://hallowed-glory-diabl...
Startdate: 23/02/2021
Architecture: WINDOWS
Score: 84

Signatures attached to the sample node: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Phishing site detected (based on favicon image match); 3 other signatures
Processes: iexplore.exe (2 created registry values, 61 created files) started iexplore.exe (2 created registry values, 50 created files)
DNS/IP nodes: blobs.officehome.msocdn.com (contacted from the sample node); cdnjs.cloudflare.com 104.16.18.94, ports 443, 49725, 49726, CLOUDFLARENETUS, United States; hallowed-glory-diabloceratops.glitch.me 54.237.41.217, ports 49708, 49709, 80, AMAZON-AESUS, United States; 5 other IPs or domains (all contacted from the child iexplore.exe)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
54.237.41.217 unknown United States 14618 AMAZON-AESUS false
104.16.18.94 unknown United States 13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
hallowed-glory-diabloceratops.glitch.me 54.237.41.217 true
cdnjs.cloudflare.com 104.16.18.94 true
blobs.officehome.msocdn.com unknown unknown
ka-f.fontawesome.com unknown unknown
code.jquery.com unknown unknown
kit.fontawesome.com unknown unknown
maxcdn.bootstrapcdn.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://hallowed-glory-diabloceratops.glitch.me/ false
  • 100%, UrlScan
  • SlashNext: Fake Login Page type: Phishing & Social Engineering
  Reputation: high
http://hallowed-glory-diabloceratops.glitch.me/css/hover.css false
  Reputation: high