Analysis Report Payment Report.html

Overview

General Information

Sample Name: Payment Report.html
Analysis ID: 383613
MD5: 00b8795cb028a9c742fc1c6394076d18
SHA1: 4dff056dc7d685775a61e8067b50e47d824d1843
SHA256: 89901d174c786d402fd36cd6d86c1acb3f25f249773b1a81ff230daea30d555c
Detection

HTMLPhisher
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish10
JA3 SSL client fingerprint seen in connection with other malware

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://vetplano.com/bhj/OfficeV4/authorize_client_id:auik4vm0-09nb-xayu-tzj2-8b39doqy0xj4_2ujigt9r4vqcam6xhskyof581wenb37dpzl0x7cpazksi4u9jfndvor60bqwm2hgy358t1leatz8peo3dxuk1vhcq0f29gy5bjim6ns4r7wl?data=am1hQHR1bGx5c3VnYXIuY29t SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on favicon image match)
Source: https://vetplano.com/bhj/OfficeV4/authorize_client_id:auik4vm0-09nb-xayu-tzj2-8b39doqy0xj4_2ujigt9r4vqcam6xhskyof581wenb37dpzl0x7cpazksi4u9jfndvor60bqwm2hgy358t1leatz8peo3dxuk1vhcq0f29gy5bjim6ns4r7wl?data=am1hQHR1bGx5c3VnYXIuY29t Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish10
Source: Yara match File source: 066656.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\authorize_client_id_auik4vm0-09nb-xayu-tzj2-8b39doqy0xj4_2ujigt9r4vqcam6xhskyof581wenb37dpzl0x7cpazksi4u9jfndvor60bqwm2hgy358t1leatz8peo3dxuk1vhcq0f29gy5bjim6ns4r7wl[1].htm, type: DROPPED

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc3e2ae78,0x01d72c11</date><accdate>0xc3e2ae78,0x01d72c11</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc3e2ae78,0x01d72c11</date><accdate>0xc3e2ae78,0x01d72c11</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc3e7731c,0x01d72c11</date><accdate>0xc3e7731c,0x01d72c11</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc3e7731c,0x01d72c11</date><accdate>0xc3e7731c,0x01d72c11</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc3e7731c,0x01d72c11</date><accdate>0xc3e7731c,0x01d72c11</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc3e7731c,0x01d72c11</date><accdate>0xc3e7731c,0x01d72c11</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: vetplano.com
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr String found in binary or memory: http://www.youtube.com/
Source: authorize_client_id_auik4vm0-09nb-xayu-tzj2-8b39doqy0xj4_2ujigt9r4vqcam6xhskyof581wenb37dpzl0x7cpazksi4u9jfndvor60bqwm2hgy358t1leatz8peo3dxuk1vhcq0f29gy5bjim6ns4r7wl[1].htm.2.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v16/mem5YaGs126MiZpBA-UN_r8OUuhs.ttf)
Source: authorize_client_id_auik4vm0-09nb-xayu-tzj2-8b39doqy0xj4_2ujigt9r4vqcam6xhskyof581wenb37dpzl0x7cpazksi4u9jfndvor60bqwm2hgy358t1leatz8peo3dxuk1vhcq0f29gy5bjim6ns4r7wl[1].htm.2.dr String found in binary or memory: https://logo.clearbit.com/tullysugar.com
Source: {EB817EBD-9804-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://vetplano.com/b/Desktop/Payment%20Report.htmlhj/OfficeV4/authorize_client_id:auik4vm0-09nb-xa
Source: ~DFF0FCE8FDE9A2DE4D.TMP.1.dr String found in binary or memory: https://vetplano.com/bhj/OfficeV4/authorize_client_id:auik4vm0-09nb-xayu-tzj2-8b39doqy0xj4_2ujigt9r4
Source: imagestore.dat.2.dr String found in binary or memory: https://vetplano.com/bhj/OfficeV4/images/favicon.ico~
Source: Payment Report.html String found in binary or memory: https://vetplano.com/bhj/OfficeV4/jma
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 192.185.195.15:443 -> 192.168.2.4:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.195.15:443 -> 192.168.2.4:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.32.25.43:443 -> 192.168.2.4:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.32.25.43:443 -> 192.168.2.4:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.195.15:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: classification engine Classification label: mal64.phis.winHTML@3/29@3/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EB817EBB-9804-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF20FC4EA39C107E96.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5764 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5764 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Behavior Graph

Behavior Graph ID: 383613
Sample: Payment Report.html
Startdate: 08/04/2021
Architecture: WINDOWS
Score: 64

Signatures attached to the sample node:
  • Antivirus detection for URL or domain
  • Phishing site detected (based on favicon image match)
  • Yara detected HtmlPhish10

Process chain:
  • vetplano.com is contacted from the sample node
  • iexplore.exe started (1 created registry value, 76 created files)
  • iexplore.exe (child) started (2 created registry values, 47 created files)

DNS/IP info for the child iexplore.exe:
  • vetplano.com 192.185.195.15, 443, 49709, 49710 UNIFIEDLAYER-AS-1US United States
  • d26p066pn2w0s0.cloudfront.net 13.32.25.43, 443, 49711, 49712 ATT-INTERNET4US United States
  • logo.clearbit.com

Dropped file from the child iexplore.exe:
  • authorize_client_i...bjim6ns4r7wl[1].htm, data

Contacted Public IPs

IP              Domain                         Country        ASN    ASN Name             Malicious
13.32.25.43     d26p066pn2w0s0.cloudfront.net  United States  7018   ATT-INTERNET4US      false
192.185.195.15  vetplano.com                   United States  46606  UNIFIEDLAYER-AS-1US  false

Contacted Domains

Name                           IP              Active
d26p066pn2w0s0.cloudfront.net  13.32.25.43     true
vetplano.com                   192.185.195.15  true
logo.clearbit.com              unknown         unknown

Contacted URLs

Name: https://vetplano.com/bhj/OfficeV4/authorize_client_id:auik4vm0-09nb-xayu-tzj2-8b39doqy0xj4_2ujigt9r4vqcam6xhskyof581wenb37dpzl0x7cpazksi4u9jfndvor60bqwm2hgy358t1leatz8peo3dxuk1vhcq0f29gy5bjim6ns4r7wl?data=am1hQHR1bGx5c3VnYXIuY29t
Malicious: true
Antivirus Detection:
  • SlashNext: Fake Login Page type: Phishing & Social Engineering
Reputation: unknown