Analysis Report https://ebiclean.cl/f/xx/index.html

Overview

General Information

Sample URL: https://ebiclean.cl/f/xx/index.html
Analysis ID: 363569

Detection

HTMLPhisher
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Phishing site detected (based on shot template match)
Yara detected HtmlPhish_10
Yara detected HtmlPhish_7
Phishing site detected (based on logo template match)
Allocates a big amount of memory (probably used for heap spraying)
HTML body contains low number of good links
HTML title does not match URL

Classification

Phishing:

Phishing site detected (based on shot template match)
Source: https://ebiclean.cl/f/xx/index.html Matcher: Template: office matched
Yara detected HtmlPhish_10
Source: Yara match File source: 888683.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, type: DROPPED
Yara detected HtmlPhish_7
Source: Yara match File source: 888683.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm, type: DROPPED
Phishing site detected (based on logo template match)
Source: https://ebiclean.cl/f/xx/index.html Matcher: Template: onedrive matched
HTML body contains low number of good links
Source: https://ebiclean.cl/f/xx/index.html HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://ebiclean.cl/f/xx/index.html HTTP Parser: Title: OneDrive | Login does not match URL
Source: https://ebiclean.cl/f/xx/index.html HTTP Parser: No <meta name="author".. found
Source: https://ebiclean.cl/f/xx/index.html HTTP Parser: No <meta name="copyright".. found

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 50.87.153.169:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.87.153.169:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.87.153.169:443 -> 192.168.2.4:49755 version: TLS 1.2

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)
Source: iexplore.exe Memory has grown: Private usage: 0MB later: 117MB
Source: unknown DNS traffic detected: queries for: ebiclean.cl
Source: index[1].htm.3.dr String found in binary or memory: http://gmail.com/
Source: hover[1].css.3.dr String found in binary or memory: http://ianlunn.co.uk/
Source: hover[1].css.3.dr String found in binary or memory: http://ianlunn.github.io/Hover/)
Source: popper.min[1].js.3.dr String found in binary or memory: http://opensource.org/licenses/MIT).
Source: index[1].htm.3.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: index[1].htm.3.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: index[1].htm.3.dr String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: index[1].htm.3.dr String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: index[1].htm.3.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: ~DF1469E06B57433F87.TMP.1.dr String found in binary or memory: https://ebiclean.cl/f/xx/index.html
Source: {6AA36182-7D29-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://ebiclean.cl/f/xx/index.htmlRoot
Source: ~DF1469E06B57433F87.TMP.1.dr String found in binary or memory: https://ebiclean.cl/f/xx/index.htmlh
Source: imagestore.dat.3.dr String found in binary or memory: https://ebiclean.cl/favicon.ico
Source: free-fa-regular-400[1].eot.3.dr, free.min[1].css.3.dr String found in binary or memory: https://fontawesome.com
Source: free.min[1].css.3.dr String found in binary or memory: https://fontawesome.com/license/free
Source: free-fa-regular-400[1].eot.3.dr, free-fa-solid-900[1].eot.3.dr String found in binary or memory: https://fontawesome.comhttps://fontawesome.comFont
Source: index[1].htm.3.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
Source: css[1].css.3.dr String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v12/tss0ApVBdCYD5Q7hcxTE1ArZ0bbwiXo.woff)
Source: bootstrap.min[1].css.3.dr, bootstrap.min[1].js.3.dr String found in binary or memory: https://getbootstrap.com)
Source: bootstrap.min[2].js.3.dr String found in binary or memory: https://getbootstrap.com/)
Source: hover[1].css.3.dr String found in binary or memory: https://github.com/IanLunn/Hover
Source: bootstrap.min[2].js.3.dr, bootstrap.min[1].css.3.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[2].js.3.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: 585b051251[1].js.3.dr String found in binary or memory: https://ka-f.fontawesome.com
Source: 585b051251[1].js.3.dr String found in binary or memory: https://kit.fontawesome.com
Source: index[1].htm.3.dr String found in binary or memory: https://kit.fontawesome.com/585b051251.js
Source: index[1].htm.3.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: index[1].htm.3.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: index[1].htm.3.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: classification engine Classification label: mal68.phis.win@3/29@8/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6AA36180-7D29-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF78FAAA9CF2850A33.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6788 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6788 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected

Behavior Graph

Behavior Graph ID: 363569, Startdate: 04/03/2021, Architecture: WINDOWS, Score: 68.
iexplore.exe starts a child iexplore.exe, which resolves ebiclean.cl (50.87.153.169, port 443, local ports 49733 and 49734, UNIFIEDLAYER-AS-1US, United States) and cdnjs.cloudflare.com (104.16.18.94, port 443, local ports 49745 and 49746, CLOUDFLARENETUS, United States), contacts 5 other IPs or domains, and drops C:\Users\user\AppData\Local\...\index[1].htm (HTML).
Signatures attached to the URL node: Phishing site detected (based on shot template match), Yara detected HtmlPhish_10, Yara detected HtmlPhish_7, Phishing site detected (based on logo template match).

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
50.87.153.169 | ebiclean.cl | United States | 46606 | UNIFIEDLAYER-AS-1US | false
104.16.18.94 | cdnjs.cloudflare.com | United States | 13335 | CLOUDFLARENETUS | false

Contacted Domains

Name IP Active
cdnjs.cloudflare.com 104.16.18.94 true
ebiclean.cl 50.87.153.169 true
stackpath.bootstrapcdn.com unknown unknown
ka-f.fontawesome.com unknown unknown
code.jquery.com unknown unknown
kit.fontawesome.com unknown unknown
maxcdn.bootstrapcdn.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ebiclean.cl/f/xx/index.html true unknown