Analysis Report receipt-xxxx.htm

Overview

General Information

Sample Name:	receipt-xxxx.htm
Analysis ID:	383585
MD5:	2ded001890d716d7a47887df38c01102
SHA1:	ec0914e310db45e38e54728634b8c9e7f7bb6e70
SHA256:	9e0a82abb1eeacfd1b7bcb8c67bff4ad686a38de8119e71d1d187db2d350c986
Infos:
Most interesting Screenshot:
Errors URL in Office document is not reachable.

Detection

Phisher

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Phisher

JA3 SSL client fingerprint seen in connection with other malware

Classification

Signatures

Phishing:

Yara detected Phisher

Source: Yara match

File source: receipt-xxxx.htm, type: SAMPLE

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 162.241.124.32:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.124.32:443 -> 192.168.2.3:49725 version: TLS 1.2

Networking:

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic

HTTP traffic detected: GET /12gfr/ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: vsp.wayshop.grConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: vsp.wayshop.gr

Source: receipt-xxxx.htm	String found in binary or memory: http://Vsp.wayshop.gr/12gfr/#alec.mahmood
Source: {F12A48C6-9836-11EB-90E4-ECF4BB862DED}.dat.1.dr	String found in binary or memory: http://vsp.wayshop.gr/
Source: ~DF6DAB1688D85D34DD.TMP.1.dr	String found in binary or memory: http://vsp.wayshop.gr/12gfr/
Source: ~DF6DAB1688D85D34DD.TMP.1.dr	String found in binary or memory: http://vsp.wayshop.gr/12gfr/#alec.mahmood
Source: ~DF6DAB1688D85D34DD.TMP.1.dr	String found in binary or memory: http://vsp.wayshop.gr/12gfr/8
Source: 12gfr[1].htm.2.dr	String found in binary or memory: https://aimlessanimation.com/2020/?email=
Source: ~DF6DAB1688D85D34DD.TMP.1.dr	String found in binary or memory: https://aimlessanimation.com/2020/?email=alec.mahmood

Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 162.241.124.32:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.124.32:443 -> 192.168.2.3:49725 version: TLS 1.2

Source: classification engine

Classification label: mal48.phis.winHTM@3/15@3/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFB42B6B68F6C0AA1B.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6584 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6584 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
88.99.136.47	vsp.wayshop.gr	Germany		24940	HETZNER-ASDE	false
162.241.124.32	aimlessanimation.com	United States		46606	UNIFIEDLAYER-AS-1US	false

Contacted Domains

Name	IP	Active
aimlessanimation.com	162.241.124.32	true
vsp.wayshop.gr	88.99.136.47	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://vsp.wayshop.gr/12gfr/	false	Avira URL Cloud: safe	unknown

ID:	383585
Product:	CloudBasic
Start time:	23:51:25
Start date:	07.04.2021
Sample:	receipt-xxxx.htm
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	2ded001890d716d7a47887df38c01102
SHA1:	ec0914e310db45e38e54728634b8c9e7f7bb6e70
SHA256:	9e0a82abb1eeacfd1b7bcb8c67bff4ad686a38de8119e71d1d187db2d350c986

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F12A48C4-9836-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	DB00A470958DA4B33F4CCE69E38F2F11	A0329F7E805100548039AF3CAC4FD3757BA35A23	0544A63F0D0F3EFFCAE57DBF0FA125B2D2361FF0FE54F41B693B5B6FA06AB4D5
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F12A48C6-9836-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	79697B11C7B360585B1BF6FBC4803640	8B27655CB34748D42572D6803230497D8C6D464B	40253EC2ADA36753D9213DEC839E2588E658617E391BDCECD676AB2D5F8A6B24
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F12A48C7-9836-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	907FEBC8FDB296AA912020766FCF3DA9	098D95E4E4DCE98CEF8CEB1A7A162036AE6459D5	36F5144FCDFC39E1F5958B3E170D8E6603A1EF8EE4BCF9AB86F80079E3D1C601
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F4FE1CB77E758E1BA56B8A8EC20417C5	F4EDA06901EDB98633A686B11D02F4925F827BF0	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	26F971D87CA00E23BD2D064524AEF838	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	F65C729DC2D457B7A1093813F1253192	5006C9B50108CF582BE308411B157574E5A893FC	B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	5565250FCC163AA3A79F0B746416CE69	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\12gfr[1].htm	HTML document, ASCII text, with CRLF line terminators	D34BBB391332F9F6F6518B00D6B112A8	CEF469F30F4B72926FF8145053EA14A575AE1308	063EA74A836342759DEE5FE46A7C5A00EC11D1E72328B977FBA1E533155FBA28
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	20F0110ED5E4E0D5384A496E4880139B	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Temp\~DF619FBCD1CCA41A1E.TMP	data	3F27870BEF06C81F1ACD19EE001A99A2	818AD2AE72CE0E290E720675F94E5A0DE2549080	8EABB8F42CC4F09EBC6639FD145AEBE3293318A183B6330C595469A69E5A9A49
C:\Users\user\AppData\Local\Temp\~DF6DAB1688D85D34DD.TMP	data	1FCC2BC91212AF2A3A05176B10FD2A16	99DC05840A3EA3430A5BD388EF95F691856633CF	2FDD17930C19937A0D18B0F1F7AFBB109C5ABA4E246535A21A14C68F5AC7D650
C:\Users\user\AppData\Local\Temp\~DFB42B6B68F6C0AA1B.TMP	data	9E5B69E9A5D69028DE64849578DCA641	E38BEFB3BAD5CF9E795480818B6CD6187C980049	5A9BB517EFBC2F4E5C0ECBE35C078F98A84AE3C4076E9BF2BCA20008F6722C86

Analysis Report receipt-xxxx.htm

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing:

Compliance:

Networking:

System Summary:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs