Analysis Report https://online.pubhtml5.com/whlz/taka/

Overview

General Information

Sample URL:	https://online.pubhtml5.com/whlz/taka/
Analysis ID:	358569
Infos:
Most interesting Screenshot:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: https://online.pubhtml5.com/whlz/taka/

SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social usering

Antivirus detection for URL or domain

Source: https://online.pubhtml5.com/whlz/taka/#p=1

SlashNext: Label: Fake Login Page type: Phishing & Social usering

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 13.227.156.43:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.227.156.43:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.224.94.26:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.224.94.26:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.224.94.26:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.224.94.26:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.224.94.26:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.224.94.26:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.13.92.14:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.13.92.14:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.227.156.43:443 -> 192.168.2.6:49737 version: TLS 1.2

Networking:

Source: sdk[2].js.3.dr	String found in binary or memory: } }).call(global);})(window.inDapIF ? parent.window : window, window);} catch (e) {new Image().src="https:\/\/www.facebook.com\/" + 'common/scribe_endpoint.php?c=jssdk_error&m='+encodeURIComponent('{"error":"LOAD", "extra": {"name":"'+e.name+'","line":"'+(e.lineNumber\|\|e.line)+'","script":"'+(e.fileName\|\|e.sourceURL\|\|e.script)+'","stack":"'+(e.stackTrace\|\|e.stack)+'","revision":"1003360933","namespace":"FB","message":"'+e.message+'"}}');} equals www.facebook.com (Facebook)
Source: sdk[2].js.3.dr	String found in binary or memory: * License: https://www.facebook.com/legal/license/MDzNl_j9yvg/ equals www.facebook.com (Facebook)
Source: main[1].js.3.dr	String found in binary or memory: (function(){var d=getHost(window.location.href).toLowerCase();(-1<d.indexOf("fliphtml5.com")\|\|-1<d.indexOf("pubhtml5.com")\|\|-1<d.indexOf("anyflip.com")\|\|-1<d.indexOf("flipbuilder.com")\|\|bookConfig.facebookAppId)&&global.FB?(FB.init({appId:c(),status:!0,xfbml:!1,version:"v2.4"}),FB.ui({method:"feed",link:share_url.toString(),name:b.title,picture:share_url.toString()+b.screenshot,description:b.description})):window.open("http://www.facebook.com/sharer.php?u="+share_url.toString()+"&picture="+b.screenshot)})()}, equals www.facebook.com (Facebook)
Source: main[1].js.3.dr	String found in binary or memory: 3:c.lastIndexOf("/")+1,c=c.substring(g,c.length));switch(b){case "vimeo":f=d+"://player.vimeo.com/video/"+c;break;case "youtube":f=d+"://www.youtube.com/embed/"+c;break;case "dailymotion":f=d+"://www.dailymotion.com/embed/video/"+c;break;case "wistia":f=d+"://fast.wistia.net/embed/iframe/"+c;break;case "youku":f=d+"://player.youku.com/embed/"+c;break;case "qq":f=d+"://v.qq.com/iframe/player.html?vid="+c}return f},initStyle:function(){this.background.css({position:"absolute",width:"100%",height:"100%", equals www.youtube.com (Youtube)
Source: main[1].js.3.dr	String found in binary or memory: ["video gallery",BookInfo.getCurrentPages().join("-"),b.id,b.type,(new Date).getTime()]);var c,d=getProtocal();"youtube"===b.type&&(c=d+"www.youtube.com/embed/"+b.id+"?autoplay=1&wmode=transparent");"vimeo"===b.type&&(c=d+"player.vimeo.com/video/"+b.id+"?autoplay=1&wmode=transparent&portrait=0");this.video.attr("src",c);c=this.info.find(".description");this.info.find(".title").html(b.title);c.html(b.description)},initEvent:function(b){this.videoSwiper&&(isPhone()\|\|isPad()?this.videoSwiper.scroll({}, equals www.youtube.com (Youtube)
Source: sdk[2].js.3.dr	String found in binary or memory: __d("FBPixelEndpoint",["invariant","FBEventsParamList","FBEventsUtils"],(function(a,b,c,d,e,f,g){"use strict";f.sendEvent=a;var h="https://www.facebook.com/tr/",i=location.href,j=window.top!==window,k=document.referrer;function l(a,c,d,e){e===void 0&&(e={});var f=new(b("FBEventsParamList"))();f.append("id",a);f.append("ev",c);f.append("dl",i);f.append("rl",k);f.append("if",j);f.append("ts",new Date().valueOf());f.append("cd",d);f.append("sw",window.screen.width);f.append("sh",window.screen.height);for(var g in e)f.append(g,e[g]);return f}function a(a,b,c,d){a=l(a,b,c,d);b=a.toQueryString();2048>(h+"?"+b).length?m(h,b):n(h,a)}function m(a,b){var c=new Image();c.src=a+"?"+b}function n(a,c){var d="fb"+Math.random().toString().replace(".",""),e=document.createElement("form");e.method="post";e.action=a;e.target=d;e.acceptCharset="utf-8";e.style.display="none";a=!!(window.attachEvent&&!window.addEventListener);a=a?'<iframe name="'+d+'">':"iframe";var f=document.createElement(a);f instanceof HTMLIFrameElement\|\|g(0,20659);f.src="javascript:false";f.id=d;f.name=d;e.appendChild(f);b("FBEventsUtils").listenOnce(f,"load",function(){c.each(function(a,b){var c=document.createElement("input");c.name=a;c.value=b;e.appendChild(c)}),b("FBEventsUtils").listenOnce(f,"load",function(){var a;(a=e.parentNode)==null?void 0:a.removeChild(e)}),e.submit()});(a=document.body)==null?void 0:a.appendChild(e)}}),null); equals www.facebook.com (Facebook)
Source: main[1].js.3.dr	String found in binary or memory: d.lastIndexOf("?v=")+3:d.lastIndexOf("/")+1,d=d.substring(f,d.length)),d=$("<iframe class='youtube-player' type='text/html' width='"+this.videoWidth+"' height='"+this.videoHeight+"' src='"+c+"://www.youtube.com/embed/"+d+"?autoplay=1&mute=1' frameborder='0' allowfullscreen='true' style='position: absolute; opacity: "+this.config.alpha+"'></iframe>"),this.vimeoFrame=new Media(d,"youtube"));"dailymotion"==b&&(d=$("<iframe id=woiframe width='"+this.videoWidth+"' height='"+this.videoHeight+"' src='"+ equals www.youtube.com (Youtube)
Source: main[1].js.3.dr	String found in binary or memory: this.config.alpha+"'></iframe>"),this.vimeoFrame=new Media(d,"qq"))},getURL:function(b){var c=this.config.id,d="https"==(window.location.href?window.location.href.toLowerCase():"http:").substring(0,5)?"https":"http",f="";if("vimeo"==b)var g=c.lastIndexOf("/"),c=c.substring(g+1);"youtube"==b&&-1<c.indexOf("/")&&(g=-1<c.indexOf("?v=")?c.lastIndexOf("?v=")+3:c.lastIndexOf("/")+1,c=c.substring(g,c.length));switch(b){case "vimeo":f=d+"://player.vimeo.com/video/"+c;break;case "youtube":f=d+"://www.youtube.com/embed/"+ equals www.youtube.com (Youtube)
Source: main[1].js.3.dr	String found in binary or memory: this.prefix+"://www.youtube.com/embed/"+this.sVideoId,"Youtube"]),this.youtubeFrame.pause())},playVideo:function(){this.youtubeFrame&&(BookEvent.trigger("playMedia",["playYoutube",BookInfo.getCurrentPageIndex(),this.prefix+"://www.youtube.com/embed/"+this.sVideoId,"Youtube"]),this.firstTime?(this.youtubeFrame.$media.on("load",function(){this.youtubeFrame.play()}.bind(this)),this.firstTime=!1):this.youtubeFrame.play())},hide:function(){this.youtubeFrame&&(this.youtubeFrame.setCss({width:"0px",height:"0px"}), equals www.youtube.com (Youtube)
Source: main[1].js.3.dr	String found in binary or memory: this.sVideoId.substring(b,this.sVideoId.length)),this.prefix="https"==(window.location.href?window.location.href.toLowerCase():"http:").substring(0,5)?"https":"http",this.youtubeFrame=new Media($("<iframe id='player' class='youtube-player flip-action' type='text/html' width='"+this.width+"' height='"+this.height+"' src='"+this.prefix+"://www.youtube.com/embed/"+this.sVideoId+"?enablejsapi=1&rel=0' frameborder='0' allowfullscreen='1' style='position: absolute; opacity: "+this.config.alpha+"; left:"+ equals www.youtube.com (Youtube)
Source: main[1].js.3.dr	String found in binary or memory: this.vimeoFrame=new Media(d,"vimeo")}"youtube"==b&&(d=this.config.id,-1<d.indexOf("/")&&(f=-1<d.indexOf("?v=")?d.lastIndexOf("?v=")+3:d.lastIndexOf("/")+1,d=d.substring(f,d.length)),d=$("<iframe class='youtube-player' type='text/html' width='"+this.videoWidth+"' height='"+this.videoHeight+"' src='"+c+"://www.youtube.com/embed/"+d+"?autoplay=1&mute=1' frameborder='0' allowfullscreen='1' style='position: absolute; opacity: "+this.config.alpha+"'></iframe>"),this.vimeoFrame=new Media(d,"youtube"));"dailymotion"== equals www.youtube.com (Youtube)
Source: main[1].js.3.dr	String found in binary or memory: {logo:uiBaseURL+(isBelowIE9()?"twitter.png":"twitter.svg"),url:"https://twitter.com/intent/tweet?url="+this.url+"&text="+this.title,title:"Twitter",name:"twitter"},{logo:uiBaseURL+(isBelowIE9()?"email.png":"email.svg"),url:getEmailUrl(),title:"Email",name:"email"},{logo:uiBaseURL+(isBelowIE9()?"linkedin.png":"linkedin.svg"),url:"http://www.linkedin.com/shareArticle?url="+this.url+"&title="+this.title,title:"Linkedin",name:"linkedin"},{logo:uiBaseURL+(isBelowIE9()?"copy.png":"link.svg"),url:"",type:"copy", equals www.linkedin.com (Linkedin)
Source: main[1].js.3.dr	String found in binary or memory: {logo:uiBaseURL+(isBelowIE9()?"twitter.png":"twitter.svg"),url:"https://twitter.com/intent/tweet?url="+this.url+"&text="+this.title,title:"Twitter",name:"twitter"},{logo:uiBaseURL+(isBelowIE9()?"email.png":"email.svg"),url:getEmailUrl(),title:"Email",name:"email"},{logo:uiBaseURL+(isBelowIE9()?"linkedin.png":"linkedin.svg"),url:"http://www.linkedin.com/shareArticle?url="+this.url+"&title="+this.title,title:"Linkedin",name:"linkedin"},{logo:uiBaseURL+(isBelowIE9()?"copy.png":"link.svg"),url:"",type:"copy", equals www.twitter.com (Twitter)

Source: unknown

DNS traffic detected: queries for: online.pubhtml5.com

Source: main[1].js.3.dr	String found in binary or memory: http://digg.com/submit?url=
Source: main[1].js.3.dr	String found in binary or memory: http://gmail.google.com
Source: main[1].js.3.dr	String found in binary or memory: http://reddit.com/submit?url=
Source: main[1].js.3.dr	String found in binary or memory: http://www.addthis.com/bookmark.php?v=300&url=
Source: main[1].js.3.dr	String found in binary or memory: http://www.fliphtml5.com
Source: main[1].js.3.dr	String found in binary or memory: http://www.linkedin.com/shareArticle?url=
Source: main[1].js.3.dr	String found in binary or memory: http://www.paypal.com/cgi-bin/webscr?cmd=_cart&upload=1
Source: main[1].js.3.dr	String found in binary or memory: http://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=
Source: config[1].js.3.dr	String found in binary or memory: https://curepumpiones.com/foldersss
Source: main[1].js.3.dr	String found in binary or memory: https://hm.baidu.com/hm.js?
Source: sdk[2].js.3.dr	String found in binary or memory: https://itunes.apple.com/us/app/messenger/id454638411
Source: main[1].js.3.dr	String found in binary or memory: https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&su=
Source: main[1].js.3.dr	String found in binary or memory: https://mail.qq.com/
Source: imagestore.dat.3.dr	String found in binary or memory: https://online.pubhtml5.com/favicon.ico~
Source: ~DFEBD97EC9ADA788CD.TMP.2.dr, online.pubhtml5[1].xml.3.dr, taka[1].htm.3.dr	String found in binary or memory: https://online.pubhtml5.com/whlz/taka/
Source: ~DFEBD97EC9ADA788CD.TMP.2.dr	String found in binary or memory: https://online.pubhtml5.com/whlz/taka/#p=1
Source: {ACE24E76-77F0-11EB-90E5-ECF4BB2D2496}.dat.2.dr	String found in binary or memory: https://online.pubhtml5.com/whlz/taka/#p=1Root
Source: {ACE24E76-77F0-11EB-90E5-ECF4BB2D2496}.dat.2.dr	String found in binary or memory: https://online.pubhtml5.com/whlz/taka/Root
Source: taka[1].htm.3.dr	String found in binary or memory: https://online.pubhtml5.com/whlz/taka/files/shot.jpg
Source: sdk[2].js.3.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.facebook.orca
Source: main[1].js.3.dr	String found in binary or memory: https://player.vimeo.com/api/player.js
Source: main[1].js.3.dr	String found in binary or memory: https://twitter.com/intent/tweet?url=
Source: sdk[2].js.3.dr	String found in binary or memory: https://www.internalfb.com/intern/invariant/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 13.227.156.43:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.227.156.43:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.224.94.26:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.224.94.26:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.224.94.26:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.224.94.26:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.224.94.26:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.224.94.26:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.13.92.14:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.13.92.14:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.227.156.43:443 -> 192.168.2.6:49737 version: TLS 1.2

System Summary:

Source: classification engine

Classification label: mal56.win@3/33@4/3

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ACE24E74-77F0-11EB-90E5-ECF4BB2D2496}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF25960FAA17C283EF.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6560 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6560 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Malware Analysis System Evasion:

Source: main[1].js.3.dr

Binary or memory string: "arrow-left":"iVBORw0KGgoAAAANSUhEUgAAAA8AAAAPCAYAAAA71pVKAAAABGdBTUEAALGOfPtRkwAAACBjSFJNAACHDwAAjA8AAP1SAACBQAAAfXkAAOmLAAA85QAAGcxzPIV3AAAKOWlDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAEjHnZZ3VFTXFofPvXd6oc0w0hl6ky4wgPQuIB0EURhmBhjKAMMMTWyIqEBEEREBRZCggAGjoUisiGIhKKhgD0gQUGIwiqioZEbWSnx5ee/l5ffHvd/aZ+9z99l7n7UuACRPHy4vBZYCIJkn4Ad6ONNXhUfQsf0ABniAAaYAMFnpqb5B7sFAJC83F3q6yAn8i94MAUj8vmXo6U+ng/9P0qxUvgAAyF/E5mxOOkvE+SJOyhSkiu0zIqbGJIoZRomZL0pQxHJijlvkpZ99FtlRzOxkHlvE4pxT2clsMfeIeHuGkCNixEfEBRlcTqaIb4tYM0mYzBXxW3FsMoeZDgCKJLYLOKx4EZuImMQPDnQR8XIAcKS4LzjmCxZwsgTiQ7mkpGbzuXHxArouS49uam3NoHtyMpM4AoGhP5OVyOSz6S4pyalMXjYAi2f+LBlxbemiIluaWltaGpoZmX5RqP+6+Dcl7u0ivQr43DOI1veH7a/8UuoAYMyKarPrD1vMfgA6tgIgd/8Pm+YhACRFfWu/8cV5aOJ5iRcIUm2MjTMzM424HJaRuKC/6386/A198T0j8Xa/l4fuyollCpMEdHHdWClJKUI+PT2VyeLQDf88xP848K/zWBrIieXwOTxRRKhoyri8OFG7eWyugJvCo3N5/6mJ/zDsT1qca5Eo9Z8ANcoISN2gAuTnPoCiEAESeVDc9d/75oMPBeKbF6Y6sTj3nwX9+65wifiRzo37HOcSGExnCfkZi2viawnQgAAkARXIAxWgAXSBITADVsAWOAI3sAL4gWAQDtYCFogHyYAPMkEu2AwKQBHYBfaCSlAD6kEjaAEnQAc4DS6Ay+A6uAnugAdgBIyD52AGvAHzEARhITJEgeQhVUgLMoDMIAZkD7lBPlAgFA5FQ3EQDxJCudAWqAgqhSqhWqgR+hY6BV2ArkID0D1oFJqCfoXewwhMgqmwMqwNG8MM2An2hoPhNXAcnAbnwPnwTrgCroOPwe3wBfg6fAcegZ/DswhAiAgNUUMMEQbigvghEUgswkc2IIVIOVKHtCBdSC9yCxlBppF3KAyKgqKjDFG2KE9UCIqFSkNtQBWjKlFHUe2oHtQt1ChqBvUJTUYroQ3QNmgv9Cp0HDoTXYAuRzeg29CX0HfQ4+g3GAyGhtHBWGE8MeGYBMw6TDHmAKYVcx4zgBnDzGKxWHmsAdYO64dlYgXYAux+7DHsOewgdhz7FkfEqeLMcO64CBwPl4crxzXhzuIGcRO4ebwUXgtvg/fDs/HZ+BJ8Pb4LfwM/jp8nSBN0CHaEYEICYTOhgtBCuER4SHhFJBLVidbEACKXuIlYQTxOvEIcJb4jyZD0SS6kSJKQtJN0hHSedI/0ikwma5MdyRFkAXknuZF8kfyY/FaCImEk4SXBltgoUSXRLjEo8UISL6kl6SS5VjJHslzypOQNyWkpvJS2lIsUU2qDVJXUKalhqVlpirSptJ90snSxdJP0VelJGayMtoybDFsmX+awzEWZMQpC0aC4UFiULZR6yiXKOBVD1aF6UROoRdRvqP3UGVkZ2WWyobJZslWyZ2RHaAhNm+ZFS6KV0E7QhmjvlygvcVrCWbJjScuSwSVzcopyjnIcuUK5Vrk7cu/l6fJu8onyu+U75B8poBT0FQIUMhUOKlxSmFakKtoqshQLFU8o3leClfSVApXWKR1W6lOaVVZR9lBOVd6vfFF5WoWm4qiSoFKmclZlSpWiaq/KVS1TPaf6jC5Ld6In0SvoPfQZNSU1TzWhWq1av9q8uo56iHqeeqv6Iw2CBkMjVqNMo1tjRlNV01czV7NZ874WXouhFa+1T6tXa05bRztMe5t2h/akjpyOl06OTrPOQ12yroNumm6d7m09jB5DL1HvgN5NfVjfQj9ev0r/hgFsYGnANThgMLAUvdR6KW9p3dJhQ5Khk2GGYbPhqBHNyMcoz6jD6IWxpnGE8W7jXuNPJhYmSSb1Jg9MZUxXmOaZdpn+aqZvxjKrMrttTjZ3N99o3mn+cpnBMs6yg8vuWlAsfC22WXRbfLS0suRbtlhOWWlaRVtVWw0zqAx/RjHjijXa2tl6o/Vp63c2ljYCmxM2v9ga2ibaNtlOLtdZzllev3zMTt2OaVdrN2JPt4+2P2Q/4qDmwHSoc3jiqOHIdmxwnHDSc0pwOub0wtnEme/c5jznYuOy3uW8K+Lq4Vro2u8m4xbiVun22F3dPc692X3Gw8Jjncd5T7Snt+duz2EvZS+WV6PXzAqrFetX9HiTvIO8K72f+Oj78H26fGHfFb57fB+u1FrJW9nhB/y8/Pb4PfLX8U/z/z4AE+AfUBXwNNA0MDewN4gSFBXUFPQm2Dm4JPhBiG6IMKQ7VDI0MrQxdC7MNaw0bGSV8ar1q66HK4RzwzsjsBGhEQ0Rs6vdVu9dPR5pEVkQObRGZ03WmqtrFdYmrT0TJRnFjDoZjY4Oi26K/sD0Y9YxZ2O8YqpjZlgurH2s52xHdhl7imPHKeVMxNrFlsZOxtnF7YmbineIL4+f5rpwK7kvEzwTahLmEv0SjyQuJIUltSbjkqOTT/FkeIm8nhSVlKyUgVSD1ILUkTSbtL1pM3xvfkM6lL4mvVNAFf1M9Ql1hVuFoxn2GVUZbzNDM09mSWfxsvqy9bN3ZE/kuOd8vQ61jrWuO1ctd3Pu6Hqn9bUboA0xG7o3amzM3zi+yWPT0c2EzYmbf8gzySvNe70lbEtXvnL+pvyxrR5bmwskCvgFw9tst9VsR23nbu/fYb5j/45PhezCa0UmReVFH4pZxde+Mv2q4quFnbE7+0ssSw7uwuzi7Rra7bD7aK

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
31.13.92.14	unknown	Ireland	32934	FACEBOOKUS	false
13.227.156.43	unknown	United States	16509	AMAZON-02US	false
13.224.94.26	unknown	United States	16509	AMAZON-02US	false

Contacted Domains

Name	IP	Active
scontent.xx.fbcdn.net	31.13.92.14	true
d3rhwgcb75mtkj.cloudfront.net	13.227.156.43	true
d1cox3gain5yl8.cloudfront.net	13.224.94.26	true
connect.facebook.net	unknown	unknown
static.pubhtml5.com	unknown	unknown
online.pubhtml5.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://online.pubhtml5.com/whlz/taka/#p=1	false	SlashNext: Fake Login Page type: Phishing & Social usering	high

ID:	358569
Product:	CloudBasic
Start time:	21:07:48
Start date:	25.02.2021
Cookbook:	browseurl.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\EQAWN5DV\online.pubhtml5[1].xml	ASCII text, with no line terminators	622CD5ADB0D2607CCB4F9B566A86B7A8	5C3037D812FC94D3544626AF40763114CFEE0BE7	5CA6557660ED80D99D25124C49D8051FCAA37A10BE34D5118815B89ADBF3E246
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ACE24E74-77F0-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	F76B6CAA408834EE77391DE276EC944A	52D2128A8D575227564EE75D837824C9D1B1456D	9A3A3DEDBADD1BA70C2309961FF0260E8A0F23088E5B58E4E539F406A577F975
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ACE24E76-77F0-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	25A3A50BFAC2D41EC4C167E5CA5E4503	DFEA281BCC039B08C3F17CCE77EF23B46B68F6FE	DA1BA672B409B3420B345FEBF47B32A61BDB3031BE93F0C7C99C8F6022ECFA72
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B38574C4-77F0-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	C73A83D71F86F39FA9F710FC84FF2E59	7FB0250CB7D6BDF125A23643BE74771A30EC9EFC	AE70E708A5DDE79773A45D7F924C781DEABCF2CEB5CA9C7D6F2893641F1F221C
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\wlm7n14\imagestore.dat	data	1E4C2560AC8BEA75472A8696F46A7D88	842169E4CB271839465AA69092245760C625B31A	8128BE87BA1BC45D02D5210911C808BBDF629F8CC2D324F916C7E2202026980A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\LoadingJS[1].js	HTML document, ASCII text, with very long lines	DE89531BDC0CC81C596E591CF703D593	3078C95408C5655A07CDCC9392D8D617DD8178EF	DD167992A899A3286E656E86EBF1672A348E96E21E40EA669ADBE16079275676
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\hiSlider2.min[1].css	ASCII text, with very long lines	21A677B5046027915D5D176115EE35ED	4B2142E2930BF43618DC0979FBCE2B02DBFE0012	4A2410D9957AF385D10A11CB885A6E2E0B2A7E66BFACC0EE351B8FB94FB934A7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\jquery-1.9.1.min[1].js	ASCII text, with very long lines	AA987A5A07276484C5E4F7E18B16643C	B0ACF636B1AC1F3D4AF53A9BAFF19C987B87B082	CEBFBBCBA46BEB5AD1C37AAF1B034652BDF1EAAA4E0BC67906B450A26AFF37EB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\slideJS[1].js	ASCII text, with no line terminators	4A36E405711B42BE8F2FF61C241FD74B	DE8E09E66A801DB0E0E156FF9D5E18BBC92DFDCE	DEB5AF9C897F2FFDCD6B1CD78AF78C2CE5EAFD8180161BF4EAC21C0E1B5CEB85
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\style[1].css	UTF-8 Unicode (with BOM) text, with very long lines	E7F5E2FABDB186B072D9E5F4D65F1C79	707C2F5ED7E396F81BC1E5E82F2548A0A5B1BCCC	EEF5FC59B321B8434B5EC529C9635ACB94519A93607CEFD61E8CFF3F4D6770C3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\template[1].css	UTF-8 Unicode (with BOM) text	36B4526F5F8360E810DDAF92C253A4FB	132E33B5DF904A706829E59479D5668D938D4666	0325B42381FC26804D51851B959C101FE9C6497C2EEF8C998987169D771198A1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\1[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1391x1800, frames 3	971300FFA963B7E07B93289BED455F4A	BFF26144876AA318179691770C65233A3469F051	196F12418A0484DC586ADA2C9F2826C65FD1F3CDE906F552E8DFBAC1268D4934
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\book_config[1].js	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	5C67AF2060C51257560D3377522665D9	50D56EE2E25AB9FAF9E952073FA506D147C4C550	48557360A5FF4110F06565A93CBD4DF3F9B3F4F26EF04E75F08AB383C3865FC6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\getuserinfo[1].js	ASCII text, with no line terminators	A16DF71C7B85D91039864F1113705B63	8E502FB06E3DEC792881EA99A0006E71DCB40B36	63520714D0F15E3DF03F8E83238B95D6E313BCAD1A6CDA067D7C7C53572B3DEC
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\main[1].js	ASCII text, with very long lines	F08267AB1AE4C6CF94D2CC7312BDD5E0	C67C98DFFA0508E162526AA9AFC836CF02FA8E88	B2DD0F96CA02027C814033F9CA0BC05DE35AFDCCB24C012D15951701DB994734
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\phoneTemplate[1].css	ASCII text, with very long lines	2211D38BA7AE464FE70855441AE1EC5D	FADF32E340F5C341D517F84783F964DD01B514BC	47CBE2423F52D88D9A25BBFFA7279921BB84862E3FE201DD3486F5588F4EE0C3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\slide_rightButton[1].png	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	3A8618E406DCEB7056D7C3A81D924146	ABB119C82300121886699F5943AEE347F44B2FD1	0B9853C00043A78A950436D62DA38CCDE2B4B0E1ED7E74F5B4C745FFD7B4BA67
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\visitinfo[1].js	HTML document, UTF-8 Unicode text, with very long lines	4D566D9ABE44C4F570C132EBE0C5CE35	CF8F8FB4E16FA51B9029F0F7F43B31D93A213BB5	2F8618A1A16DB644DB054A86BF73B608D04E1F2C6B68853D317750F30D8FB2A2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\catalog_firstButton[1].png	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	39D07E07D49E7B5EDB6614F56433F8DE	ED623DEDF7BCF09D7609871F474D58D90CFE3B2E	CAD5FE3536CBCD430AA1B099B009C7FAFC26724F35BA7A86D34D34BC29D6618C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\catalog_lastButton[1].png	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	F4385ED32685592AEACB61687ADE2952	81F143BBD34EDD3B837627E606BEBE7FD802B19F	18F6CD6462DEB8A37505CA697B81ACFE0E49E7D07084EC589506D810FA4C7324
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\config[1].js	ASCII text, with very long lines, with CRLF line terminators	4F87EA76B01F145D3FCE122718205E53	B83EA7C41683F4AD47248570E314F26399527299	9B3FB44B5590A01ECFEA649AF4B15CAB1B1EE8C858525512045708D81680F946
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\flipHtml5.hiSlider2.min[1].js	UTF-8 Unicode text, with very long lines	6E030E52F596736C92AFE1F41D3BCA90	F583C704FE8EA78122110A253E265B8DD58CCB74	BF64AF77AE5CADA7600088EA7C6397BC637EAA7417C0EE20C08ECE8851DB13C2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\slide_leftButton[1].png	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	68DE6AD55E1E63A56F0B2D1CD52AD31E	EC470633038C2CF46CB401C78C4987DC6C3DD849	D36D1FB0349577043A6283D3848301E12CAC72D2B1D3251615F226975FB6107B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\favicon[1].ico	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel	B1203EE5864D806E11208EEC2F35F33E	6A5BC2A0FBCCD30A2FAEE597D79525208F603DEC	A4640D2FD50BB2F8E1F9D8B867B0D89081EB99527A417D5D66DCE593C8481987
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\loading[1].gif	GIF image data, version 89a, 24 x 24	1FDF9F82CA69434465BFCD33A8B2A8D1	1BA209A4901BEF611EDCAFEFB8D6564A2AD3B2B4	90932DA6AB1AC5C16794B6268F2D8F6710AB32DC5064B6A043D030DA059E3E86
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\player[1].css	ASCII text	DD2760809AB03D110009B7A1B24D0C4A	F38F7EDBF933BB44749A390EA7FF0CB668C2FE4F	EE285DECEBCD950EBDFC349736DA0E1A862AA7D553E76E6DFC65F803E00C5CF6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\sdk[1].js	ASCII text, with very long lines	59DEB94AC4446DEA80B1B44ABE79889C	7BA20A2C2CA7FF576894D55B5E4B04351074FCAE	EAAE0F942E243C4907DB7B4BC1ECB59AB46C844911A426732480A5540D393A33
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\sdk[2].js	ASCII text, with very long lines	6DF1FBA6A24156194ED59C8BE7682CD2	68CCE9BB1A3A35645EB7706B0ABAA20A828F875E	83FCD24D21B7A04AB19D75FBBE9DCD1C146A21F0C6B91037FE6FFC728FAE3425
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\taka[1].htm	HTML document, ASCII text, with CRLF, LF line terminators	21F9D79B2AA9128DDCA7BE6EB047B7CE	E7A0D141A4499D395DFD64FDED7F8008EEAD2834	D95D347765444DAF83327DBD2A0BF0ECC60500D4F079AB4DBE77E91DA8E25873
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\visitinfo[1].js	HTML document, UTF-8 Unicode text, with very long lines	4D566D9ABE44C4F570C132EBE0C5CE35	CF8F8FB4E16FA51B9029F0F7F43B31D93A213BB5	2F8618A1A16DB644DB054A86BF73B608D04E1F2C6B68853D317750F30D8FB2A2
C:\Users\user\AppData\Local\Temp\~DF25960FAA17C283EF.TMP	data	4D813E6BF91122C8F8BE2462CFDF0DC8	53653128ADB5D36F62C42B3AA1ECECFB6C7A5993	5089CF401A4CA5B92EC5D5E13772C666BA8EE525A60511F0A114088934324063
C:\Users\user\AppData\Local\Temp\~DF8D688095D3D83F40.TMP	data	4A422680CA907BC4057E39F533B0A90D	77FAD5FC8FAF65CE862E9BB9D6EAE7B49C0BFEC8	60A560CF077B48032F783C02BE14F99DB68DF467818AA709A6458BE03F78D28F
C:\Users\user\AppData\Local\Temp\~DFEBD97EC9ADA788CD.TMP	data	C44CA0BB365F0585FAD03ED174005274	E2EF753AAE396BD84C4AF302D7E013D4A7908A8E	6B998A828B3BDA0FFB37CABF0B76E25CA9915F2D3D31E8243E40927EED91B241

Analysis Report https://online.pubhtml5.com/whlz/taka/

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Malware Analysis System Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs