Analysis Report mfalomirm@gentalia.eu.HTM

Overview

General Information

Sample Name:	mfalomirm@gentalia.eu.HTM
Analysis ID:	385346
MD5:	ebe2a44409febe2a3347a115df136ae5
SHA1:	6cc7a3f83e3dbf63a537ffffc3ec2ef5ee8f2a66
SHA256:	8d4ef43acbf962dba319cacec0270b36df054e212d15f8de7e4eafd5dcda5d47
Infos:
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish6

Yara detected obfuscated html page

Obfuscated HTML file found

HTML body contains low number of good links

HTML title does not match URL

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

None HTTPS page querying sensitive user data (password, username or email)

Suspicious form URL found

Classification

Signatures

Phishing:

Yara detected HtmlPhish6

Source: Yara match

File source: 048707.pages.csv, type: HTML

Yara detected obfuscated html page

Source: Yara match

File source: mfalomirm@gentalia.eu.HTM, type: SAMPLE

HTML body contains low number of good links

Source: file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	HTTP Parser: Number of links: 0

HTML title does not match URL

Source: file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	HTTP Parser: Title: Sign in to Download your statement. does not match URL
Source: file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	HTTP Parser: Title: Sign in to Download your statement. does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Source: file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	HTTP Parser: Has password / email / username input fields

Suspicious form URL found

Source: file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	HTTP Parser: Form action: https://deportesonce.com.ar/@30/20.php
Source: file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	HTTP Parser: Form action: https://deportesonce.com.ar/@30/20.php

Source: file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 35.185.32.151:443 -> 192.168.2.3:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.185.32.151:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.19.133.58:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.19.133.58:443 -> 192.168.2.3:49708 version: TLS 1.2

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.19.133.58 104.19.133.58

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: msapplication.xml0.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x88571d4d,0x01d72fc6</date><accdate>0x88571d4d,0x01d72fc6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x88571d4d,0x01d72fc6</date><accdate>0x88571d4d,0x01d72fc6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x885be1ed,0x01d72fc6</date><accdate>0x885be1ed,0x01d72fc6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x885be1ed,0x01d72fc6</date><accdate>0x885be1ed,0x01d72fc6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x885e446e,0x01d72fc6</date><accdate>0x885e446e,0x01d72fc6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x885e446e,0x01d72fc6</date><accdate>0x885e446e,0x01d72fc6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: ast.samanage.com

Source: index-a68f016bafb3011a49d6ef1c1a6d1f61da04b24015de7fda99497fbf4d1b8d3d[1].js.3.dr	String found in binary or memory: http://api.jqueryui.com/category/ui-core/
Source: index-a68f016bafb3011a49d6ef1c1a6d1f61da04b24015de7fda99497fbf4d1b8d3d[1].js.3.dr	String found in binary or memory: http://api.jqueryui.com/datepicker/
Source: index-0242ce1e093b95352b7de17f4889d924aa964c6ed418fcb2f51a6850c69675ef[1].css.3.dr	String found in binary or memory: http://docs.jquery.com/UI/Button#theming
Source: index-0242ce1e093b95352b7de17f4889d924aa964c6ed418fcb2f51a6850c69675ef[1].css.3.dr	String found in binary or memory: http://docs.jquery.com/UI/Datepicker#theming
Source: index-0242ce1e093b95352b7de17f4889d924aa964c6ed418fcb2f51a6850c69675ef[1].css.3.dr	String found in binary or memory: http://docs.jquery.com/UI/Dialog#theming
Source: index-0242ce1e093b95352b7de17f4889d924aa964c6ed418fcb2f51a6850c69675ef[1].css.3.dr	String found in binary or memory: http://docs.jquery.com/UI/Resizable#theming
Source: index-0242ce1e093b95352b7de17f4889d924aa964c6ed418fcb2f51a6850c69675ef[1].css.3.dr	String found in binary or memory: http://docs.jquery.com/UI/Slider#theming
Source: index-0242ce1e093b95352b7de17f4889d924aa964c6ed418fcb2f51a6850c69675ef[1].css.3.dr	String found in binary or memory: http://docs.jquery.com/UI/Tabs#theming
Source: index-0242ce1e093b95352b7de17f4889d924aa964c6ed418fcb2f51a6850c69675ef[1].css.3.dr	String found in binary or memory: http://docs.jquery.com/UI/Theming/API
Source: index-b7458e62bace5aee761c61948f390a6633709afd2adb0643cb8d250734bd25a6[1].js.3.dr	String found in binary or memory: http://jquery.com/
Source: index-b7458e62bace5aee761c61948f390a6633709afd2adb0643cb8d250734bd25a6[1].js.3.dr	String found in binary or memory: http://jquery.org/license
Source: index-0242ce1e093b95352b7de17f4889d924aa964c6ed418fcb2f51a6850c69675ef[1].css.3.dr	String found in binary or memory: http://jqueryui.com
Source: index-0242ce1e093b95352b7de17f4889d924aa964c6ed418fcb2f51a6850c69675ef[1].css.3.dr	String found in binary or memory: http://jqueryui.com/themeroller/
Source: index-b7458e62bace5aee761c61948f390a6633709afd2adb0643cb8d250734bd25a6[1].js.3.dr	String found in binary or memory: http://sizzlejs.com/
Source: msapplication.xml.2.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.2.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.2.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.2.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.2.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.2.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.2.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.2.dr	String found in binary or memory: http://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 35.185.32.151:443 -> 192.168.2.3:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.185.32.151:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.19.133.58:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.19.133.58:443 -> 192.168.2.3:49708 version: TLS 1.2

Source: classification engine

Classification label: mal60.phis.evad.winHTM@3/19@2/3

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF2E26229C26FB78DB.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5280 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5280 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Data Obfuscation:

Obfuscated HTML file found

Source: mfalomirm@gentalia.eu.HTM	Initial file: Did not found title: "Sign in to Download your statement." in HTML/HTM content
Source: mfalomirm@gentalia.eu.HTM	Initial file: Did not found title: "Sign in to Download your statement." in HTML/HTM content

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
35.185.32.151	ast.samanage.com	United States		15169	GOOGLEUS	false
104.19.133.58	www.apkmirror.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
www.apkmirror.com	104.19.133.58	true
ast.samanage.com	35.185.32.151	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/mfalomirm@gentalia.eu.HTM	true		low

ID:	385346
Product:	CloudBasic
Start time:	11:04:57
Start date:	12.04.2021
Sample:	mfalomirm@gentalia.eu.HTM
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	ebe2a44409febe2a3347a115df136ae5
SHA1:	6cc7a3f83e3dbf63a537ffffc3ec2ef5ee8f2a66
SHA256:	8d4ef43acbf962dba319cacec0270b36df054e212d15f8de7e4eafd5dcda5d47
Filetype:	HTML Application (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B18D9DF7-9BB9-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	D79589800B057503F7BF747C54AD4D11	155FAF4EC962CD94815690AAF5331886915E5A76	05D5052D1A57BF969D893E544D3D14891E97D62D52FDC4BA457B5013690BCCDF
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B18D9DF9-9BB9-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	F8F3532EA5AE62C67225C567ED21090A	D9A5CD1057890FD6413DC828D043F81358FCC4D5	D7A9F0C711C2B9D045D778A796EA428D30773F501C711102940183BD557C3E43
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B18D9DFA-9BB9-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	8C48B8A1C1BDC73DB7B3A7DACC0E0543	06ACFF656DB496C7084A513DE898920EB7B5A2A4	35E7209D3D11A452E4D7EE50B06FDB808D4590B48B17166C2E384A4244CC98A2
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	657E0443F408C869722707FC08FBB34F	3666D7F39CB0A7BF4E8BE1A09D28D316F7519786	7F4B77548B2FAA8D36E1B740C5618D78C5D995AF1B1B91FEC196AA31D061AF3E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	732BFD03E54368F625DB7FA9823FAC7A	0E9E1BC2E2263A86030D31F98C5D07EBA4B2EED4	7CEFC09C66CE1DEA5D7FA9EB8B25FFF4CC034ED1436594818839281FD7E922B6
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	2C50CE2A478051D3E09CACDF77847F91	CFF0D4CE8E1A8ACCA3D94AD74686895BA3067CD7	87029B8E63408EA767EC5C17D6B8783CB1564FFC138DF3B937E2DD1915C7BDD9
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	7914236B46BCF321CB55D6C6E6A7AF44	E421E8F129F5D267C4FA9A9CD32EB6433E985900	5FE94DE5441E37383C539CCED7A616FE5C668B81BAE84251586EC147B474E8BF
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	9E640962FB5CA6B84E43EA4019C21BD0	B45DBC9BD61B112D1C630E7DC1A3854F9B3D6DD4	55E0C236D1293673FC5BA49783EA8C5F75C9FFF77F336EABA70BE0174FEBFC8F
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	AB1B82BA6A3EE54943B04C67251066DB	CAD391DA8BF48118E67563F74EB242E7107CB9DC	8C1564AB9F56AC6E44D3AAB49719E3CB2DCC06CE60E1B2E51F049E99078EE052
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	8931E3193076EE2B4456B30DD2CC47AB	962F8F449B4E6A5EF189CF07EC602C2E0D0CFB1C	BB42A6799B1D83CE89FED971C025CC65D308DA18E85CAB473184A231A73D5194
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	24A51636BC816BD40C787050322D1D6E	FFA33BAC4B62B7DC69DCF7EA2BD5558F87AE4EFC	3E7B154056986BAB8F025C2210921D753A5DF0AA91C6D60A93B384E02CFA8668
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	39EDFEB3FC28F878334B279CB7A222C3	BB96164E815C8704192252F155AB5B258B3A125D	E056168B274BCB47DC2B7B88DF9D4F88B2D7AF615617EC575466D54865493A41
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\index-a68f016bafb3011a49d6ef1c1a6d1f61da04b24015de7fda99497fbf4d1b8d3d[1].js	C source, ASCII text, with very long lines	ECAA098D91C2F0B2B4F7F7436F1B5995	91E8D2773323CBC144D6A029746A0CAD355BE7B2	A68F016BAFB3011A49D6EF1C1A6D1F61DA04B24015DE7FDA99497FBF4D1B8D3D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\index-0242ce1e093b95352b7de17f4889d924aa964c6ed418fcb2f51a6850c69675ef[1].css	ASCII text, with very long lines	FAE557E76288CB99AC3149E777D1DC71	774CAC341365714E6CBC202ABF64816437DBBB8F	0242CE1E093B95352B7DE17F4889D924AA964C6ED418FCB2F51A6850C69675EF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\5e997a02e4382[1].png	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	EBDA810CBA658560CAA0C4D9BA945DC5	4AC4F2C81084193B3B1C315E44492E919BAA2E83	0D2D4316F4EB523402C6EE72C3419EE7767BC818F969136568287728AA4FD4E2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\index-b7458e62bace5aee761c61948f390a6633709afd2adb0643cb8d250734bd25a6[1].js	ASCII text, with very long lines	59AA3A9D6D5DF2F4CADDFF969BF6E340	F280E05A179E092D99FB68800A5493C40134C6CB	B7458E62BACE5AEE761C61948F390A6633709AFD2ADB0643CB8D250734BD25A6
C:\Users\user\AppData\Local\Temp\~DF1B7ED03EDF86E566.TMP	data	BA7A86006D12FA8C5CA956CCAA421C00	5826673C9536B1B5894890D58E39AAF118F1BCBA	CB9555CA5D2EF49F515E309F47EAB8A9467DAE05FE559A483F7803ECF0122D5A
C:\Users\user\AppData\Local\Temp\~DF28746C75DF5CE9A2.TMP	data	2373D12694F06CF3440AC388A830B1D0	F7AB67E7DD87C588F7187FF6A702224229D3EFC1	74CE9E2383B04F2C3F4313CAD9CB4E10D07DAF80810911FB903F3995E1144109
C:\Users\user\AppData\Local\Temp\~DF2E26229C26FB78DB.TMP	data	CA50CD71EBDCBF16B26A2474AFA8FC48	4D8B806767BD1B407BCFB60F2AF56F2A9AACE341	C6F08CAADFEFFD015E33ABF950E29ADE00DACEEC81B9B1D54A042EE0AE0F37DF

Analysis Report mfalomirm@gentalia.eu.HTM

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs