Analysis Report http://nicklaussglen.buzz/011

Overview

General Information

Sample URL: http://nicklaussglen.buzz/011
Analysis ID: 384875
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Phishing site detected (based on shot template match)
Yara detected HtmlPhish10
Yara detected HtmlPhish7
Phishing site detected (based on various OCR indicators)
HTML body contains low number of good links
HTML title does not match URL

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: http://nicklaussglen.buzz/011 SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering
Antivirus detection for URL or domain
Source: https://nicklaussglen.buzz/011/ SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

barindex
Phishing site detected (based on shot template match)
Source: https://nicklaussglen.buzz/011/ Matcher: Template: outlook matched
Yara detected HtmlPhish10
Source: Yara match File source: 301389.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\011[1].htm, type: DROPPED
Yara detected HtmlPhish7
Source: Yara match File source: 301389.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\011[1].htm, type: DROPPED
Phishing site detected (based on various OCR indicators)
Source: Screenshots OCR Text: dL Adobe Document Cloud To read the document, please enter with the valid email credentials that this file was sent to. Sign in with Outlook Sign in with Office365 OO Sign in with Other Mail Select your email provider to view Document CopyRight 2020 Adobe.
Source: Screenshots OCR Text: UdLE u Edleu; yi jUt cucu otmj ^rv1 '"'qy"' <:= e https//nicklaussglen.buu/011/ G nicklaussglen.buux Hi - [I X X|Sarh...JO-Grtk@ G . e https//nicklaussglen.buzz1011/ e Share Point Onlinex [I 0 0 CSearch... ,E dL Adobe Document Cloud To read the document, please enter with the valid email credentials that this file was sent to. Sign in with Outlook Sign in with Office365 OO Sign in with Other Mail Select your email provider to view Document CopyRight 2020 Adobe. X JO-GjCUC1 e https//nicklaussglen.buzz1011/ e Share Point Onlinex [I 0 0 CSearch... ,E dL Adobe Document Cloud To read the document, please enter with the valid email credentials that this file was sent to. Sign in with Outlook Sign in with Office365 OO Sign in with Other Mail Select your email provider to view Document CopyRight 2020 Adobe. X JO-GjCUC1
HTML body contains low number of good links
Source: https://nicklaussglen.buzz/011/ HTTP Parser: Number of links: 0
Source: https://nicklaussglen.buzz/011/ HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://nicklaussglen.buzz/011/ HTTP Parser: Title: Share Point Online does not match URL
Source: https://nicklaussglen.buzz/011/ HTTP Parser: Title: Share Point Online does not match URL
Source: https://nicklaussglen.buzz/011/ HTTP Parser: No <meta name="author".. found
Source: https://nicklaussglen.buzz/011/ HTTP Parser: No <meta name="author".. found
Source: https://nicklaussglen.buzz/011/ HTTP Parser: No <meta name="copyright".. found
Source: https://nicklaussglen.buzz/011/ HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 104.21.95.21:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.21:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: global traffic HTTP traffic detected: GET /011 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nicklaussglen.buzzConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /011/ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: nicklaussglen.buzz
Source: unknown DNS traffic detected: queries for: nicklaussglen.buzz
Source: hover[1].css.2.dr String found in binary or memory: http://ianlunn.co.uk/
Source: hover[1].css.2.dr String found in binary or memory: http://ianlunn.github.io/Hover/)
Source: popper.min[1].js.2.dr String found in binary or memory: http://opensource.org/licenses/MIT).
Source: 011[1].htm.2.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: 011[1].htm.2.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: 011[1].htm.2.dr String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: 011[1].htm.2.dr String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: 011[1].htm.2.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: free.min[1].css.2.dr String found in binary or memory: https://fontawesome.com
Source: free.min[1].css.2.dr String found in binary or memory: https://fontawesome.com/license/free
Source: 011[1].htm.2.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Yellowtail&display=swap
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/yellowtail/v11/OZpGg_pnoDtINPfRIlLohlvHxw.woff)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://getbootstrap.com)
Source: hover[1].css.2.dr String found in binary or memory: https://github.com/IanLunn/Hover
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: 585b051251[1].js.2.dr String found in binary or memory: https://ka-f.fontawesome.com
Source: 585b051251[1].js.2.dr String found in binary or memory: https://kit.fontawesome.com
Source: 011[1].htm.2.dr String found in binary or memory: https://kit.fontawesome.com/585b051251.js
Source: 011[1].htm.2.dr String found in binary or memory: https://login.microsoftonline.com/common/login
Source: 011[1].htm.2.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: 011[1].htm.2.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: ~DF4835BC9D9DDAD3A2.TMP.1.dr String found in binary or memory: https://nicklaussglen.buzz/011/
Source: ~DF4835BC9D9DDAD3A2.TMP.1.dr String found in binary or memory: https://nicklaussglen.buzz/011/$Share
Source: {C585FDE6-99CC-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: https://nicklaussglen.buzz/011/Root
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 104.21.95.21:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.21:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: classification engine Classification label: mal84.phis.win@3/26@7/3
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF3B2F4095378D9A2A.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4600 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4600 CREDAT:17410 /prefetch:2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 384875 URL: http://nicklaussglen.buzz/011 Startdate: 10/04/2021 Architecture: WINDOWS Score: 84 15 nicklaussglen.buzz 2->15 23 Antivirus detection for URL or domain 2->23 25 Antivirus / Scanner detection for submitted sample 2->25 27 Phishing site detected (based on shot template match) 2->27 29 3 other signatures 2->29 7 iexplore.exe 2 61 2->7         started        signatures3 process4 process5 9 iexplore.exe 2 55 7->9         started        dnsIp6 17 nicklaussglen.buzz 104.21.95.21, 443, 49710, 49711 CLOUDFLARENETUS United States 9->17 19 cdnjs.cloudflare.com 104.16.19.94, 443, 49719, 49720 CLOUDFLARENETUS United States 9->19 21 4 other IPs or domains 9->21 13 C:\Users\user\AppData\Local\...\011[1].htm, HTML 9->13 dropped file7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.18.11.207
 maxcdn.bootstrapcdn.com United States
13335 CLOUDFLARENETUS false
104.21.95.21
 nicklaussglen.buzz United States
13335 CLOUDFLARENETUS true
104.16.19.94
 cdnjs.cloudflare.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
nicklaussglen.buzz 104.21.95.21 true
cdnjs.cloudflare.com 104.16.19.94 true
maxcdn.bootstrapcdn.com 104.18.11.207 true
ka-f.fontawesome.com unknown unknown
code.jquery.com unknown unknown
kit.fontawesome.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://nicklaussglen.buzz/011/ true
  • SlashNext: Fake Login Page type: Phishing & Social Engineering
 unknown
http://nicklaussglen.buzz/011 true
    		unknown
    http://nicklaussglen.buzz/011/ true
    • Avira URL Cloud: safe
    		 unknown