Analysis Report ensono8639844766FAXMESSAGE.HTM

Overview

General Information

Sample Name: ensono8639844766FAXMESSAGE.HTM
Analysis ID: 383640
MD5: 01606c8d7d638c0015efdbba574cf3e5
SHA1: d8860ce2a55d6840628f20c6457eefbf5187d5a1
SHA256: 785bba689dc59c67e999cbde35142a4b898c7567a8d8ea48a3a935eb8140de99
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish6
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)
Suspicious form URL found

Classification

Phishing:

barindex
Yara detected HtmlPhish6
Source: Yara match File source: ensono8639844766FAXMESSAGE.HTM, type: SAMPLE
Source: Yara match File source: 172892.pages.csv, type: HTML
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM HTTP Parser: Number of links: 0
HTML title does not match URL
Source: file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM HTTP Parser: Title: ensono.com does not match URL
Source: file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM HTTP Parser: Title: ensono.com does not match URL
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM HTTP Parser: Has password / email / username input fields
Suspicious form URL found
Source: file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM HTTP Parser: Form action: https://casciscus.com/wp-admin/v4/pocket.php
Source: file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM HTTP Parser: Form action: https://casciscus.com/wp-admin/v4/pocket.php
Source: file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 13.32.25.69:443 -> 192.168.2.3:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.32.25.69:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.155.148.6:443 -> 192.168.2.3:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.155.148.6:443 -> 192.168.2.3:49708 version: TLS 1.2

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 204.155.148.6 204.155.148.6
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x5dfdc2a3,0x01d72c67</date><accdate>0x5dfdc2a3,0x01d72c67</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x5dfdc2a3,0x01d72c67</date><accdate>0x5dfdc2a3,0x01d72c67</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x5e0e732e,0x01d72c67</date><accdate>0x5e0e732e,0x01d72c67</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x5e0e732e,0x01d72c67</date><accdate>0x5e0e732e,0x01d72c67</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x5e0e732e,0x01d72c67</date><accdate>0x5e0e732e,0x01d72c67</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x5e0e732e,0x01d72c67</date><accdate>0x5e0e732e,0x01d72c67</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: dc775.4shared.com
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr String found in binary or memory: http://www.youtube.com/
Source: ensono8639844766FAXMESSAGE.HTM String found in binary or memory: https://dc775.4shared.com/img/5nLykkJeiq/s24/1749375d498/background?async&rand=0.707772242990717
Source: ensono8639844766FAXMESSAGE.HTM String found in binary or memory: https://images.vexels.com/media/users/3/157931/isolated/preview/604a0cadf94914c7ee6c6e552e9b4487-cur
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown HTTPS traffic detected: 13.32.25.69:443 -> 192.168.2.3:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.32.25.69:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.155.148.6:443 -> 192.168.2.3:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 204.155.148.6:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: classification engine Classification label: mal48.phis.winHTM@3/16@2/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFE0A4B5CC2F0ED04B.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5504 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5504 CREDAT:17410 /prefetch:2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383640 Sample: ensono8639844766FAXMESSAGE.HTM Startdate: 08/04/2021 Architecture: WINDOWS Score: 48 17 Yara detected HtmlPhish6 2->17 6 iexplore.exe 2 85 2->6         started        process3 process4 8 iexplore.exe 1 29 6->8         started        dnsIp5 11 dc775.4shared.com 204.155.148.6, 443, 49708, 49709 WZCOM-US United States 8->11 13 d2fw8kapvfkapu.cloudfront.net 13.32.25.69, 443, 49706, 49707 ATT-INTERNET4US United States 8->13 15 images.vexels.com 8->15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
204.155.148.6
 dc775.4shared.com United States
40824 WZCOM-US false
13.32.25.69
 d2fw8kapvfkapu.cloudfront.net United States
7018 ATT-INTERNET4US false

Contacted Domains

Name IP Active
d2fw8kapvfkapu.cloudfront.net 13.32.25.69 true
dc775.4shared.com 204.155.148.6 true
images.vexels.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
file:///C:/Users/user/Desktop/ensono8639844766FAXMESSAGE.HTM true
    		low