Analysis Report https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/index.html

Overview

General Information

Sample URL: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/index.html
Analysis ID: 404148

Detection

HTMLPhisher
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected HtmlPhish10
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
Invalid 'forgot password' link found
Yara signature match

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 3940 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5964 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3940 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\index[1].htm
Rule: SUSP_Base64_Encoded_Hex_Encoded_Code
Description: Detects hex encoded code that has been base64 encoded
Author: Florian Roth
Strings:

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/index.html | Avira URL Cloud: detection malicious, Label: phishing
Source: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/index.html | SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish10
Source: Yara match | File source: 364339.pages.csv, type: HTML
Phishing site detected (based on logo template match)
Source: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/index.html | Matcher: Template: outlook matched
Source: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/index.html | HTTP Parser: Number of links: 0
Source: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/index.html | HTTP Parser: Title: Outlook Web App does not match URL
Source: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/index.html | HTTP Parser: Invalid link: Forgot password?
Source: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/index.html | HTTP Parser: No <meta name="author".. found
Source: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/index.html | HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown | HTTPS traffic detected: 145.239.131.55:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 145.239.131.55:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: msapplication.xml0.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x37c7e012,0x01d74151</date><accdate>0x37c7e012,0x01d74151</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x37c7e012,0x01d74151</date><accdate>0x37c7e012,0x01d74151</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x37cf072f,0x01d74151</date><accdate>0x37cf072f,0x01d74151</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x37cf072f,0x01d74151</date><accdate>0x37cf072f,0x01d74151</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x37d16940,0x01d74151</date><accdate>0x37d16940,0x01d74151</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x37d16940,0x01d74151</date><accdate>0x37d16940,0x01d74151</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud
Source: ~DFB6609A5A606A795E.TMP.1.dr | String found in binary or memory: http://outlook.com
Source: msapplication.xml.1.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr | String found in binary or memory: http://www.youtube.com/
Source: ~DFB6609A5A606A795E.TMP.1.dr | String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-3.3.1.min.js
Source: ~DFB6609A5A606A795E.TMP.1.dr | String found in binary or memory: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/index.html
Source: {68C402A0-AD44-11EB-90E5-ECF4BB570DC9}.dat.1.dr | String found in binary or memory: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/index.htmlRoot
Source: ~DFB6609A5A606A795E.TMP.1.dr | String found in binary or memory: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/ndex.html
Source: ~DFB6609A5A606A795E.TMP.1.dr | String found in binary or memory: https://balasbucket12.s3.eu-de.cloud-object-storage.appdomain.cloud/rehouses/ndex.htmlZ87FM
Source: ~DFB6609A5A606A795E.TMP.1.dr | String found in binary or memory: https://getbootstrap.com/)
Source: ~DFB6609A5A606A795E.TMP.1.dr | String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: imagestore.dat.2.dr, ~DFB6609A5A606A795E.TMP.1.dr | String found in binary or memory: https://i.ibb.co/0ZX4cC1/outlook-trouble-march-technology-services-3.png
Source: ~DFB6609A5A606A795E.TMP.1.dr | String found in binary or memory: https://i.ibb.co/dPwrPyv/2.png
Source: ~DFB6609A5A606A795E.TMP.1.dr | String found in binary or memory: https://i.ibb.co/mR6q2PS/1.png
Source: ~DFB6609A5A606A795E.TMP.1.dr | String found in binary or memory: https://smtptemp.site/email-list/otlk55/finish.php
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\index[1].htm, type: DROPPED | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: classification engine | Classification label: mal60.phis.win@3/22@4/2
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{68C4029E-AD44-11EB-90E5-ECF4BB570DC9}.dat