Analysis Report http://axpo.open-directory.be/12/#adfg.sadgfa@aasdk.com

Overview

General Information

Sample URL: http://axpo.open-directory.be/12/#adfg.sadgfa@aasdk.com
Analysis ID: 356759

Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Phishing site detected (based on shot template match)
Yara detected HtmlPhish_10
Found iframes
HTML body contains low number of good links
HTML title does not match URL
Suspicious form URL found
URL contains potential PII (phishing indication)

Classification

Phishing:

Phishing site detected (based on shot template match)
Source: https://hrtlnd.co.za/0f33x/userid/chudy/38l2tm58wl77unnx103f3o6mro.php?0=YWRmZy5zYWRnZmFAYWFzZGsuY29t&.verify??guce_referrer=aHR0cHM6Ly9sb2dpbi55YWhvby5jb20v&guce_referrer_sig=AQAAABA99NmGR9iNQOyU5mI3ASjQfYjcPATD_A8modgjxpNXYNmo8n5zxdi8EZV7GFYPzoSc_RpMz0hYfdCk0OLmxnMB6tpfZnd5ENcxTcI3e56K0Vz3pSL6PoIoDveE6VV6vAiBzqdjcYAbAHdiaf7gx2w9XRGmCh4orbe2VcZO9aN_ Matcher: Template: generic matched
Yara detected HtmlPhish_10
Source: Yara match File source: 210979.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\src[1].htm, type: DROPPED
Found iframes
Source: https://hrtlnd.co.za/0f33x/userid/chudy/38l2tm58wl77unnx103f3o6mro.php?0=YWRmZy5zYWRnZmFAYWFzZGsuY29t&.verify??guce_referrer=aHR0cHM6Ly9sb2dpbi55YWhvby5jb20v&guce_referrer_sig=AQAAABA99NmGR9iNQOyU5mI3ASjQfYjcPATD_A8modgjxpNXYNmo8n5zxdi8EZV7GFYPzoSc_RpMz0hYfdCk0OLmxnMB6tpfZnd5ENcxTcI3e56K0Vz3pSL6PoIoDveE6VV6vAiBzqdjcYAbAHdiaf7gx2w9XRGmCh4orbe2VcZO9aN_ HTTP Parser: Iframe src: src.php?0=YWRmZy5zYWRnZmFAYWFzZGsuY29t&a=0
HTML body contains low number of good links
Source: https://hrtlnd.co.za/0f33x/userid/chudy/38l2tm58wl77unnx103f3o6mro.php?0=YWRmZy5zYWRnZmFAYWFzZGsuY29t&.verify??guce_referrer=aHR0cHM6Ly9sb2dpbi55YWhvby5jb20v&guce_referrer_sig=AQAAABA99NmGR9iNQOyU5mI3ASjQfYjcPATD_A8modgjxpNXYNmo8n5zxdi8EZV7GFYPzoSc_RpMz0hYfdCk0OLmxnMB6tpfZnd5ENcxTcI3e56K0Vz3pSL6PoIoDveE6VV6vAiBzqdjcYAbAHdiaf7gx2w9XRGmCh4orbe2VcZO9aN_ HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://hrtlnd.co.za/0f33x/userid/chudy/38l2tm58wl77unnx103f3o6mro.php?0=YWRmZy5zYWRnZmFAYWFzZGsuY29t&.verify??guce_referrer=aHR0cHM6Ly9sb2dpbi55YWhvby5jb20v&guce_referrer_sig=AQAAABA99NmGR9iNQOyU5mI3ASjQfYjcPATD_A8modgjxpNXYNmo8n5zxdi8EZV7GFYPzoSc_RpMz0hYfdCk0OLmxnMB6tpfZnd5ENcxTcI3e56K0Vz3pSL6PoIoDveE6VV6vAiBzqdjcYAbAHdiaf7gx2w9XRGmCh4orbe2VcZO9aN_ HTTP Parser: Title: Sign In to Update does not match URL
Suspicious form URL found
Source: https://hrtlnd.co.za/0f33x/userid/chudy/38l2tm58wl77unnx103f3o6mro.php?0=YWRmZy5zYWRnZmFAYWFzZGsuY29t&.verify??guce_referrer=aHR0cHM6Ly9sb2dpbi55YWhvby5jb20v&guce_referrer_sig=AQAAABA99NmGR9iNQOyU5mI3ASjQfYjcPATD_A8modgjxpNXYNmo8n5zxdi8EZV7GFYPzoSc_RpMz0hYfdCk0OLmxnMB6tpfZnd5ENcxTcI3e56K0Vz3pSL6PoIoDveE6VV6vAiBzqdjcYAbAHdiaf7gx2w9XRGmCh4orbe2VcZO9aN_ HTTP Parser: Form action: snd.php?c=
URL contains potential PII (phishing indication)
Source: http://axpo.open-directory.be/12/#adfg.sadgfa@aasdk.com Sample URL: PII: adfg.sadgfa@aasdk.com
Source: https://hrtlnd.co.za/0f33x/userid/chudy/38l2tm58wl77unnx103f3o6mro.php?0=YWRmZy5zYWRnZmFAYWFzZGsuY29t&.verify??guce_referrer=aHR0cHM6Ly9sb2dpbi55YWhvby5jb20v&guce_referrer_sig=AQAAABA99NmGR9iNQOyU5mI3ASjQfYjcPATD_A8modgjxpNXYNmo8n5zxdi8EZV7GFYPzoSc_RpMz0hYfdCk0OLmxnMB6tpfZnd5ENcxTcI3e56K0Vz3pSL6PoIoDveE6VV6vAiBzqdjcYAbAHdiaf7gx2w9XRGmCh4orbe2VcZO9aN_ HTTP Parser: No <meta name="author".. found
Source: https://hrtlnd.co.za/0f33x/userid/chudy/38l2tm58wl77unnx103f3o6mro.php?0=YWRmZy5zYWRnZmFAYWFzZGsuY29t&.verify??guce_referrer=aHR0cHM6Ly9sb2dpbi55YWhvby5jb20v&guce_referrer_sig=AQAAABA99NmGR9iNQOyU5mI3ASjQfYjcPATD_A8modgjxpNXYNmo8n5zxdi8EZV7GFYPzoSc_RpMz0hYfdCk0OLmxnMB6tpfZnd5ENcxTcI3e56K0Vz3pSL6PoIoDveE6VV6vAiBzqdjcYAbAHdiaf7gx2w9XRGmCh4orbe2VcZO9aN_ HTTP Parser: No <meta name="copyright".. found

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 162.219.250.43:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.219.250.43:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 15:06:59 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
X-Mod-Pagespeed: 1.13.35.2-0
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=0, no-cache, s-maxage=10
Content-Length: 211
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 1f 8b 08 00 00 00 00 00 00 03 35 8f dd 6a 02 31 10 85 ef 05 df 21 44 a8 8a 92 b1 78 a7 c9 fa 02 5e 48 a1 f4 a2 94 32 6c 46 32 25 dd 84 cd f8 d7 a7 ef 86 6d e7 ea f0 cd df 39 36 c8 77 6c d4 74 62 03 a1 af 42 0d 65 85 25 52 73 8a 84 85 d4 1b b2 18 63 2c 8c b4 0e 97 b6 e7 2c 4a 1e 99 9c 16 ba 0b 7c e1 15 47 aa 9b 2b f6 2a 60 09 ee c6 9d 4f 37 13 53 8b c2 a9 33 15 ee 6b f7 f5 e5 e8 74 10 c9 65 07 10 7a 89 9d 37 6d 32 3f 08 9b f3 76 7b 87 4b a1 9e 3d b4 e1 e2 1f 70 60 c7 4f 1b a7 57 75 dd 94 1c 59 16 f3 d9 7c f9 fe fc b1 ff fb 90 32 75 8b e1 e8 5a 7f 16 8a 67 bd b4 30 9a 69 a6 93 c1 2e fc 87 1b 54 cd fb 0b 08 9d 7e 86 f6 00 00 00
Data Ascii: 5j1!Dx^H2lF2%m96wltbBe%Rsc,,J|G+*`O7S3ktez7m2?v{K=p`OWuY|2uZg0i.T~
Source: global traffic HTTP traffic detected:
GET /12/ HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: axpo.open-directory.be
Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: axpo.open-directory.be
Source: 38l2tm58wl77unnx103f3o6mro[1].htm.3.dr, src[1].htm.3.dr String found in binary or memory: http:///favicon.ico
Source: ~DF94BFFBA9E3232B83.TMP.2.dr, {365F4BE9-7634-11EB-90E4-ECF4BB862DED}.dat.2.dr String found in binary or memory: http://axpo.open-directory.be/12/#adfg.sadgfa
Source: background_styles[1].css.3.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Raleway
Source: css[1].css.3.dr String found in binary or memory: https://fonts.gstatic.com/s/raleway/v19/1Ptxg8zYS_SKggPN4iEgvnHyvveLxVvaorCIPrc.woff)
Source: {365F4BE9-7634-11EB-90E4-ECF4BB862DED}.dat.2.dr String found in binary or memory: https://hrtlnd.co.za/0
Source: ~DF94BFFBA9E3232B83.TMP.2.dr String found in binary or memory: https://hrtlnd.co.za/0f33x/userid/chudy/38l2tm58wl77unnx103f3o6mro.php?0=YWRmZy5zYWRnZmFAYWFzZGsuY29
Source: 12[1].htm.3.dr String found in binary or memory: https://hrtlnd.co.za/0f33x/userid/chudy/?i=i&0=
Source: imagestore.dat.3.dr, ~DF94BFFBA9E3232B83.TMP.2.dr String found in binary or memory: https://hrtlnd.co.za/0f33x/userid/chudy/serv/main.ico
Source: ~DF94BFFBA9E3232B83.TMP.2.dr String found in binary or memory: https://hrtlnd.co.za/0f33x/userid/chudy/src.php?0=YWRmZy5zYWRnZmFAYWFzZGsuY29t&a=0
Source: ~DF94BFFBA9E3232B83.TMP.2.dr String found in binary or memory: https://hrtlnd.co.za/0f33x/userid/chudy/z4tfj7ki6h3xkbhd0q9a755pzt.php?0=YWRmZy5zYWRnZmFAYWFzZGsuY29
Source: {365F4BE9-7634-11EB-90E4-ECF4BB862DED}.dat.2.dr String found in binary or memory: https://hrtlnd.co.za/0tory.be/12/#adfg.sadgfa
Source: imagestore.dat.3.dr String found in binary or memory: https://hrtlnd.co.za/favicon.icoF
Source: Technology-Bold[1].ttf.3.dr String found in binary or memory: https://www.coroflot.com/vladimirnikolichttps://www.coroflot.com/vladimirnikolic
Source: Technology-Bold[1].ttf.3.dr String found in binary or memory: https://www.coroflot.com/vladimirnikolichttps://www.coroflot.com/vladimirnikolicTechnology
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: classification engine Classification label: mal56.phis.win@3/23@2/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFC774FF1C4D3D4D33.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected

Behavior Graph

Behavior Graph ID: 356759
URL: http://axpo.open-directory....
Startdate: 23/02/2021
Architecture: WINDOWS
Score: 56
Signatures shown on the graph: Phishing site detected (based on shot template match); Yara detected HtmlPhish_10
Process chain: iexplore.exe -> iexplore.exe (child process)
Contacted by the child process: hrtlnd.co.za (162.219.250.43, server port 443, client ports 49714 and 49715; IHNETUS, United States); axpo.open-directory.be (138.201.179.3, server port 80, client ports 49711 and 49712; HETZNER-ASDE, Germany)
Dropped file: C:\Users\user\AppData\Local\...\src[1].htm (HTML)

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name      Malicious
138.201.179.3   unknown  Germany        24940  HETZNER-ASDE  false
162.219.250.43  unknown  United States  33494  IHNETUS       false

Contacted Domains

Name IP Active
axpo.open-directory.be 138.201.179.3 true
hrtlnd.co.za 162.219.250.43 true