Analysis Report $108,459.00.shtml

ID:	384937
Product:	CloudBasic
Start time:	13:01:26
Start date:	10.04.2021
Sample:	$108,459.00.shtml
Cookbook:	defaultwindowshtmlcookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	244f3030958bcfe1db9bb77edd6ecaf3
SHA1:	95ebb217144ec973ce3b9c0ebaa9b4fde83be41d
SHA256:	fb2b7bf2039d05913895b5ec2ef8ea20ba02ebbc00e1596d7468074410525b2b
Filetype:	HyperText Markup Language (11501/1) 33.82%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A0169C33-9A37-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	EC3382D6D37C4454712C10D8427BABD7	E102259EF2312C060D05DA5B84E6D203209DC079	1D3D833ACAB87714EA906F30AFCC66DA8423888A5523A4F4F04DFEFA5EC9947D
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A0169C35-9A37-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	835BFA2857628494F1CE1A4BA072AAED	FFF318E660E8431455BC2470911896BDA63B71AB	F9AECD102A9F1AA8EF6F3A04AC34E6B0F7B5B60D9FC7402B054955CA6AFD34F9
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AA46E742-9A37-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	716A6805DF408B203F382CEDCCA0B639	F5104916855A8E2170C459F5F968A7C5A0183DE9	BBD9DFD60E6785C5A4ADEA5EFE115CCA6C40488DEAEC6E5D40B7A7170F414DED
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	2C08A9F20F2D95CDC1178AD470E3E513	E1133011C067888F85DB438237826E70E9862A0D	E2BCAB4F221A2865D1502AB4F42031B319EACF10B88FC5B639F5F0C653B9B066
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	23A9DA9CA253629DF663FE3B5236CD7B	38309FF2E8788C87AFAC98EC17A38B583EA13485	5D277CF6AFFF560D1C26A6626BE53605AF1F50C07A518CD3689413977EBB9D08
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	E0D515B224A92B7878DE43EDA13A9EF3	1C43EE4ABBD7E315B4963A0506C038C533F88302	6C56444D5C27BFBA273DC2A18127AC95DF202FD3CA7F8BA815211B989487DECA
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	8761BD8BACB2BB7997884880CCB7DB97	67C4760C6A5474598C917D2FDC73BECC0FC46F53	42F4F55316EBA5F528C7B4F1E1942139C4091A8AE880F2DB42D43D616A17D6AE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	ABED19F4A0906A04B623A6A9A1F26814	56EDB3F1261A08F054229F1C244DE3925D3DAD27	4AA7B51C5B271237ACA7E02CCBC78777DB5D36F832ACB4B6DD9E2CF704D587FE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	07BDE04237EBDE78303E6AF3B91A49C5	1737A2561B2280A9398062C84F9FCB088F5C9913	AAD65279B143CD2AE8F5B733435CE4BAD6B52A3CF67E8DF43E8E2416C663670D
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	F8AA51FEBE8501BB8C3742D87C96B1A9	F39BEAE6DA220E738851691BE752C1B144D1931E	3A869AC411695B84B9488118182AAF15816D94D85B567FD74161CC930005246B
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	76D7C4910D136D24CE97EB4D04D09988	30D4AEA1D29205AE91499BBDB190E652CAEDD26D	55C46BB0788D84C3BCAAD545BC790C53E0D4F571E476007CC4CA362A14DF7840
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	8BF84A93108AA99A63E28FFACA534A8A	C8338CAC3F40D82092BD381FE6926D9394ED2997	FE14F3579B83208BAFF368C7B39ADA597F6C2FB40DE1D3BBE4CA880C40098D47
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\JTURjIg1_i6t8kCHKm45_aZA3gnD-A[1].woff	Web Open Font Format, TrueType, length 23276, version 1.1	1FC98E126A3D152549240E6244D7E669	F77707F0EEB7086952F287C45E0FBA4FC01F1C53	94221B9AB3055AB8D736B35D9D1573B89BB1EF89A37D4EDC395404E2EA5E4701
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\JTUSjIg1_i6t8kCHKm459WlhzQ[1].woff	Web Open Font Format, TrueType, length 23480, version 1.1	8102C4838F9E3D08DAD644290A9CB701	5AF1938D1327395F47C84E57B6BA7756234D2262	60CEBEA4C9183F51FBD323F14DD729E18768BE4F6395467013216AE36526CF9C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\JTURjIg1_i6t8kCHKm45_c5H3gnD-A[1].woff	Web Open Font Format, TrueType, length 23872, version 1.1	9A9BEFCF50D64F9D2D19D8B1D1984ADD	1DAD9D9EFE7BC0B3BA089BE10B8F9741A02312A3	2849C719C361F2EC1A04BF5B262BCBEDD3DF46BF35F5B4CAE8F75EA0AC500111
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\JTURjIg1_i6t8kCHKm45_cJD3gnD-A[1].woff	Web Open Font Format, TrueType, length 23256, version 1.1	8DC95FAB9CF98D02CA8D76E97D3DFF60	FA51AFC9A31F67078FAA9124BEF881655DF4317B	25F8F00A6FE95DED91A8E33E70154AEE1562760D0D969368D4BAD84BFE85F8D0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\login02-popup[1].png	PNG image data, 85 x 91, 8-bit/color RGBA, non-interlaced	4471AF82137EBFF6EA410E89494B26CD	2F096294635A945E92C04C033879558C5AEBF425	466A3C3DE2F7C452C01308B5DB8A1532FB14E8372F3EE44D9B2EE4F991249B4C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\JTUQjIg1_i6t8kCHKm45_QpRyS7g[1].woff	Web Open Font Format, TrueType, length 22500, version 1.1	370318464551D5F25B0F0A78F374FAAC	20F4EC409A5E86EA89FE26BE42FDABFD11DC867C	0B89EA33174D7ACB702309A88B66B3422189BDDC0BB5961A90116A21A98E848A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\JTURjIg1_i6t8kCHKm45_bZF3gnD-A[1].woff	Web Open Font Format, TrueType, length 23628, version 1.1	7C839D15A6F54E7025BA8C0C4B333E8F	09FC9F1CA6B859952A3641EDBFB1424E1C873F5D	46226ABFCDE5DB2598FED8FD0DE77AF9B96C8242DC0E72242971F0BBCF566A38
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\JTURjIg1_i6t8kCHKm45_ZpC3gnD-A[1].woff	Web Open Font Format, TrueType, length 23576, version 1.1	8B763220218FFC11C57C84DDB80E7B26	E85E6898C8FD8B095BD694B3F1350342C7BB3F35	299E5F2B6E651BFD7B4C74AA12B06BB10A1200757CC4EBD1FC4C0D9D1AAFA00D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\JTURjIg1_i6t8kCHKm45_dJE3gnD-A[1].woff	Web Open Font Format, TrueType, length 23836, version 1.1	80F10BD382F0DF1CD650FEC59F3C9394	46F6D60D4AC25FC1AA385513C42A58D89BAB45BA	2A5AFDAC758F2E6A3FD3709719001951708D9F27E7E55ADF9C33B69814A4CD50
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\css[1].css	ASCII text	539812A7B7DC64066B13E481FC603497	0CF448BFE27BE46DEB47A88D6C02B18703B3E0AA	BE2D1095FCBD9D62862AAA227171B2DF700A625F13226136D0C114269C01711B
C:\Users\user\AppData\Local\Temp\~DF5FEE7CA98A774557.TMP	data	AB889A32AB9ACD33E816C2422337C69A	1190C6B34DED2D295827C2A88310D10A8B90B59B	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
C:\Users\user\AppData\Local\Temp\~DF7636CA86B2B9822B.TMP	data	C8967957E0F973295681AE551741A195	EE8307C733CEC2D70EE5A4594AC0790A5789247C	C9443BA46F84DAC3476977A4E7A11CD75A3D3F84B5EA72AFB91196D4B06DF552
C:\Users\user\AppData\Local\Temp\~DFC8580DDF3DAC5A07.TMP	data	C87147D5CCE03D3492A8D2B57F6DF843	3E526E0EE77245A40122F36F502228942C2A2EE9	E4AC781A83BAF65956CB1F76B2107BFB42F5C5442499F7051CB9D9F1A5B70D03

AV Detection:

Antivirus detection for URL or domain

Source: https://cdshgvjs.ygto.com/leo/action.php	Avira URL Cloud: Label: phishing
Source: https://mayhutsuahanoi.com/wp-admin/images/bg.png	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: https://cdshgvjs.ygto.com/leo/action.php

Virustotal: Detection: 10%

Perma Link

Phishing:

Yara detected HtmlPhish10

Source: Yara match	File source: $108,459.00.html, type: SAMPLE
Source: Yara match	File source: 377142.pages.csv, type: HTML

HTML body contains low number of good links

Source: file:///C:/Users/user/Desktop/$108,459.00.html	HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/$108,459.00.html	HTTP Parser: Number of links: 0

HTML title does not match URL

Source: file:///C:/Users/user/Desktop/$108,459.00.html	HTTP Parser: Title: login_popup does not match URL
Source: file:///C:/Users/user/Desktop/$108,459.00.html	HTTP Parser: Title: login_popup does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Source: file:///C:/Users/user/Desktop/$108,459.00.html	HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/$108,459.00.html	HTTP Parser: Has password / email / username input fields

Suspicious form URL found

Source: file:///C:/Users/user/Desktop/$108,459.00.html	HTTP Parser: Form action: https://cdshgvjs.ygto.com/leo/action.php
Source: file:///C:/Users/user/Desktop/$108,459.00.html	HTTP Parser: Form action: https://cdshgvjs.ygto.com/leo/action.php

META author tag missing

Source: file:///C:/Users/user/Desktop/$108,459.00.html	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/$108,459.00.html	HTTP Parser: No <meta name="author".. found

META copyright tag missing

Source: file:///C:/Users/user/Desktop/$108,459.00.html	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/$108,459.00.html	HTTP Parser: No <meta name="copyright".. found

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 146.59.152.166:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 146.59.152.166:443 -> 192.168.2.3:49707 version: TLS 1.2

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 146.59.152.166 146.59.152.166
Source: Joe Sandbox View	IP Address: 103.221.222.30 103.221.222.30

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Found strings which match to known social media urls

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7e9d5c75,0x01d72e44</date><accdate>0x7e9d5c75,0x01d72e44</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7e9d5c75,0x01d72e44</date><accdate>0x7e9d5c75,0x01d72e44</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7e9fbeda,0x01d72e44</date><accdate>0x7e9fbeda,0x01d72e44</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7e9fbeda,0x01d72e44</date><accdate>0x7e9fbeda,0x01d72e44</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7ea22123,0x01d72e44</date><accdate>0x7ea22123,0x01d72e44</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7ea22123,0x01d72e44</date><accdate>0x7ea22123,0x01d72e44</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: i.ibb.co

URLs found in memory or binary data

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: $108,459.00.html	String found in binary or memory: https://cdshgvjs.ygto.com/leo/action.php
Source: $108,459.00.html	String found in binary or memory: https://fonts.googleapis.com/css?family=Montserrat:100
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTUQjIg1_i6t8kCHKm45_QpRyS7g.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTURjIg1_i6t8kCHKm45_ZpC3gnD-A.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTURjIg1_i6t8kCHKm45_aZA3gnD-A.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTURjIg1_i6t8kCHKm45_bZF3gnD-A.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTURjIg1_i6t8kCHKm45_c5H3gnD-A.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTURjIg1_i6t8kCHKm45_cJD3gnD-A.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTURjIg1_i6t8kCHKm45_dJE3gnD-A.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/montserrat/v15/JTUSjIg1_i6t8kCHKm459WlhzQ.woff)
Source: $108,459.00.html	String found in binary or memory: https://i.ibb.co/9nnrtWy/login02-popup.png
Source: $108,459.00.html	String found in binary or memory: https://mayhutsuahanoi.com/wp-admin/images/bg.png

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 146.59.152.166:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 146.59.152.166:443 -> 192.168.2.3:49707 version: TLS 1.2

System Summary:

Classification label

Source: classification engine

Classification label: mal64.phis.winHTML@3/25@2/2

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Creates temporary files

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFC8580DDF3DAC5A07.TMP

Jump to behavior

Reads ini files

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4436 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4436 CREDAT:17410 /prefetch:2			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior