Analysis Report http://microsoft346185938.wordpress.com

Overview

General Information

Sample URL: http://microsoft346185938.wordpress.com
Analysis ID: 369736

Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected HtmlPhish10
Found iframes
HTML title does not match URL

Startup

  • System is w10x64
  • iexplore.exe (PID: 6680 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6776 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6680 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\RF08ETJE.htm
Rule: JoeSecurity_HtmlPhish_10
Description: Yara detected HtmlPhish_10
Author: Joe Security
Strings: (none listed)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://hotmaildomainkeyserviceses.weebly.com/ SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish10
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\RF08ETJE.htm, type: DROPPED
Source: https://automattic.com/cookies/ HTTP Parser: Iframe src: https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9hdXRvbWF0dGljLmNvbQ%3D%3D&wpcomid=54117&time=1615937972
Source: https://wordpress.com/log-in?redirect_to=https%3A%2F%2Fmicrosoft346185938.wordpress.com%2Fwp-admin%2Fcustomize.php%3Furl%3Dhttps%253A%252F%252Fmicrosoft346185938.wordpress.com%252F HTTP Parser: Iframe src: https://public-api.wordpress.com/wp-admin/rest-proxy/?v=2.0#https://wordpress.com
Source: https://wordpress.com/log-in?redirect_to=https%3A%2F%2Fmicrosoft346185938.wordpress.com%2F&signup_flow=account HTTP Parser: Iframe src: https://public-api.wordpress.com/wp-admin/rest-proxy/?v=2.0#https://wordpress.com
Source: https://wordpress.com/log-in?redirect_to=https%3A%2F%2Fmicrosoft346185938.wordpress.com%2Fwp-admin%2Fcustomize.php%3Furl%3Dhttps%253A%252F%252Fmicrosoft346185938.wordpress.com%252F HTTP Parser: Title: Log In WordPress.com does not match URL
Source: https://wordpress.com/log-in?redirect_to=https%3A%2F%2Fmicrosoft346185938.wordpress.com%2F&signup_flow=account HTTP Parser: Title: Log In WordPress.com does not match URL
Source: https://automattic.com/cookies/ HTTP Parser: No <meta name="author".. found
Source: https://wordpress.com/log-in?redirect_to=https%3A%2F%2Fmicrosoft346185938.wordpress.com%2Fwp-admin%2Fcustomize.php%3Furl%3Dhttps%253A%252F%252Fmicrosoft346185938.wordpress.com%252F HTTP Parser: No <meta name="author".. found
Source: https://wordpress.com/log-in?redirect_to=https%3A%2F%2Fmicrosoft346185938.wordpress.com%2F&signup_flow=account HTTP Parser: No <meta name="author".. found
Source: https://automattic.com/cookies/ HTTP Parser: No <meta name="copyright".. found
Source: https://wordpress.com/log-in?redirect_to=https%3A%2F%2Fmicrosoft346185938.wordpress.com%2Fwp-admin%2Fcustomize.php%3Furl%3Dhttps%253A%252F%252Fmicrosoft346185938.wordpress.com%252F HTTP Parser: No <meta name="copyright".. found
Source: https://wordpress.com/log-in?redirect_to=https%3A%2F%2Fmicrosoft346185938.wordpress.com%2F&signup_flow=account HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 192.0.78.12:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.77.32:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.77.32:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.77.32:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.77.32:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.77.32:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.77.32:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.72.26:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.72.26:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.73.2:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.73.2:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.76.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.76.3:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.76.3:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.76.3:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.76.3:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.0.77.32:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.34.228.53:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.34.228.53:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown HTTPS traffic