Analysis Report https://atendiendochagas.mundosano.org//kcontrol-inti/continue/new

Overview

General Information

Sample URL: https://atendiendochagas.mundosano.org//kcontrol-inti/continue/new
Analysis ID: 383547

Detection

HTMLPhisher
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Yara detected HtmlPhish6
Phishing site detected (based on image similarity)
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: https://atendiendochagas.mundosano.org//kcontrol-inti/continue/new SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering
Antivirus detection for URL or domain
Source: https://atendiendochagas.mundosano.org/kcontrol-inti/continue/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=dac088a708ae6303fab42af7ef5531da1c58854508a7ef4c78411292b1e75356777ff42b SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish6
Source: Yara match File source: 445817.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\s[1].htm, type: DROPPED
Phishing site detected (based on image similarity)
Source: https://atendiendochagas.mundosano.org/kcontrol-inti/continue/new/s/files/logo.png Matcher: Found strong image similarity, brand: Microsoft
Phishing site detected (based on logo template match)
Source: https://atendiendochagas.mundosano.org/kcontrol-inti/continue/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=dac088a708ae6303fab42af7ef5531da1c58854508a7ef4c78411292b1e75356777ff42b Matcher: Template: microsoft matched
HTML body contains low number of good links
Source: https://atendiendochagas.mundosano.org/kcontrol-inti/continue/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=dac088a708ae6303fab42af7ef5531da1c58854508a7ef4c78411292b1e75356777ff42b HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://atendiendochagas.mundosano.org/kcontrol-inti/continue/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=dac088a708ae6303fab42af7ef5531da1c58854508a7ef4c78411292b1e75356777ff42b HTTP Parser: Title: Validation does not match URL
Source: https://atendiendochagas.mundosano.org/kcontrol-inti/continue/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=dac088a708ae6303fab42af7ef5531da1c58854508a7ef4c78411292b1e75356777ff42b HTTP Parser: No <meta name="author".. found
Source: https://atendiendochagas.mundosano.org/kcontrol-inti/continue/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=dac088a708ae6303fab42af7ef5531da1c58854508a7ef4c78411292b1e75356777ff42b HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 162.246.16.250:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.246.16.250:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.246.16.250:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x99404761,0x01d72c37</date><accdate>0x99404761,0x01d72c37</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x99404761,0x01d72c37</date><accdate>0x99404761,0x01d72c37</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9942a99c,0x01d72c37</date><accdate>0x9942a99c,0x01d72c37</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9942a99c,0x01d72c37</date><accdate>0x9942a99c,0x01d72c37</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x99476e5c,0x01d72c37</date><accdate>0x99476e5c,0x01d72c37</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x99476e5c,0x01d72c37</date><accdate>0x9949d0d8,0x01d72c37</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: atendiendochagas.mundosano.org
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr String found in binary or memory: http://www.youtube.com/
Source: new[1].htm.2.dr String found in binary or memory: https://atendiendochagas.mundosano.org/kcontrol-inti/continue/new/
Source: {C3606EEE-982A-11EB-90E6-ECF4BB82F7E0}.dat.1.dr String found in binary or memory: https://atendiendochagas.mundosano.org/kcontrol-inti/continue/new/s/?signin=d41d8cd98f00b204e9800998
Source: css[1].css0.2.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UNirkOUuhv.woff)
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: classification engine Classification label: mal72.phis.win@3/22@2/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C3606EEC-982A-11EB-90E6-ECF4BB82F7E0}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF0C8A3AED52636A93.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5380 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected

Behavior Graph

Behavior Graph ID: 383547
URL: https://atendiendochagas.mu...
Startdate: 07/04/2021
Architecture: WINDOWS
Score: 72
Signatures on the sample node: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Yara detected HtmlPhish6; 2 other signatures
DNS node: atendiendochagas.mundosano.org
Process chain: iexplore.exe (started) -> iexplore.exe (child process, started)
Network contact by child process: atendiendochagas.mundosano.org 162.246.16.250, port 443, client ports 49701 and 49702, IS-AS-1US, United States
Dropped file by child process: C:\Users\user\AppData\Local\...\s[1].htm, HTML

Contacted Public IPs

IP: 162.246.16.250
Domain: atendiendochagas.mundosano.org
Country: United States
ASN: 19318
ASN Name: IS-AS-1US
Malicious: false

Contacted Domains

Name: atendiendochagas.mundosano.org
IP: 162.246.16.250
Active: true

Contacted URLs

Name: https://atendiendochagas.mundosano.org/kcontrol-inti/continue/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=dac088a708ae6303fab42af7ef5531da1c58854508a7ef4c78411292b1e75356777ff42b
Malicious: true
Antivirus Detection: SlashNext: Fake Login Page type: Phishing & Social Engineering
Reputation: unknown