Analysis Report https://nt.embluemail.com/p/cl?data=3YZv0BlJbftfm9/Ve/nz8p/seVvfdz2Le2+1ZXk0LOjQU+QcnnZLoMMoa6mY23iqNfwKYtM500Jx312dmC8FWw==!-!5h1gq9!-!http://bandam.feedestend.com/#YmFuZGFtQHNhY2NvdW50eS5uZXQ=

Overview

General Information

Sample URL: https://nt.embluemail.com/p/cl?data=3YZv0BlJbftfm9/Ve/nz8p/seVvfdz2Le2+1ZXk0LOjQU+QcnnZLoMMoa6mY23iqNfwKYtM500Jx312dmC8FWw==!-!5h1gq9!-!http://bandam.feedestend.com/#YmFuZGFtQHNhY2NvdW50eS5uZXQ=
Analysis ID: 404271

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: https://nt.embluemail.com/p/cl?data=3YZv0BlJbftfm9/Ve/nz8p/seVvfdz2Le2+1ZXk0LOjQU+QcnnZLoMMoa6mY23iqNfwKYtM500Jx312dmC8FWw==!-!5h1gq9!-!http://bandam.feedestend.com/#YmFuZGFtQHNhY2NvdW50eS5uZXQ= SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering
Antivirus detection for URL or domain
Source: http://bandam.feedestend.com/#YmFuZGFtQHNhY2NvdW50eS5uZXQ= SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 54.94.56.139:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.94.56.139:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 04 May 2021 19:15:28 GMT
  Server: Apache/2.4.29 (Ubuntu)
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Content-Length: 1914
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 bd 59 f9 5f da 48 14 ff b9 f9 2b 46 ba 2b 89 48 22 09 45 2b 47 0f b5 dd 6e ef c3 ee b6 c6 ba 91 0c 90 36 64 68 32 48 ad 65 ff f6 9d 2b 61 72 01 da 7e 76 f4 c3 91 77 cf 7b df f7 26 41 e9 6c 1c be 3c 78 f7 e1 d5 11 18 e1 b1 df 53 3a f1 1b 74 dc 9e 02 c8 ea 60 0f fb b0 f7 0c 39 ae 17 0c f5 ec ea 18 9c ce 79 37 ea 75 f0 06 ba 5e 08 fb d8 43 01 78 78 09 1e b7 5a 4f 41 bd 2e 31 3c 39 78 bd 0f 76 9b bb 66 b3 65 de d9 65 34 85 53 a3 7e e8 4d 30 c0 97 13 d8 ad 60 f8 0d 1b 9f 9d 0b 87 5f ad 70 0d 74 19 86 8b c6 8e 17 80 08 87 c4 27 80 11 18 3b b8 3f 02 de 00 84 b1 75 7e 9d 33 26 92 17 4e 28 2e 3d a7 02 94 a9 0b aa 43 84 86 3e ac b6 89 e2 d9 08 86 10 0c 11 f9 17 1a 62 85 42 0e 04 ce 98 32 50 09 c9 21 2e 27 b3 47 7d 67 3c 71 86 10 4c 43 3f 65 3f e6 38 0e 7d 6a 7c 84 f1 24 da 37 8c 73 1f 06 7d 74 01 03 1c e9 01 c4 06 32 aa 6d c9 c0 42 ef 04 86 0e 46 21 98 a1 d0 2d 54 7c 08 7d 6f ec 61 18 52 f5 b7 53 5a 60 e0 10 3b e0 dc 89 60 ab 99 12 e6 14 4e 20 72 38 9c c2 85 60 7a ff 60 1f b9 59 ce 85 8d ad 2d 85 fc 01 f0 90 33 d0 a0 5c 08 0c 21 46 29 34 62 12 f0 6c 36 d3 67 f0 1c 23 e4 7f f1 b0 ee 05 03 64 50 d1 2d 43 a1 66 1e c6 06 ae 14 c5 30 c0 24 f4 2e 1c 0c c9 3b 22 1b 80 2f 95 b3 2f f0 f2 2d 0e c1 3e a8 3c 78 78 70 78 f4 e8 f1 1f 4f fe 7c fa ec f9 8b 97 af 5e bf 79 fb ee f8 fd 5f 7f 7f f8 e8 9c f7 5d 38 18 8e bc cf 5f fc 71 80 26 5f c3 08 4f 2f 66 df 2e bf ef 34 4c ab 79 a7 b5 bb 77 b7 66 74 2b db dc c6 f4 dc f7 fa 60 0c f1 08 b9 60 80 42 ee 3d 29 04 45 84 b1 0f 06 d3 80 97 b6 ea 05 93 29 d6 88 7b f1 c6 a0 29 26 57 88 c7 95 4a 3b b9 d8 1f 85 8d 6d fa 6a b2 57 6b 9b ea 6c b0 57 93 bd f2 2b cd 85 84 47 34 ec 88 1d 65 36 c8 77 be 19 fa d9 14 0f f6 ce b8 2f c2 be 60 9c 8d 3c 92 57 d5 03 1d 2e a3 93 6a 1a e2 11 75 2f 49 0d 75 85 e8 e2 f4 fe c8 09 0f 88 9a 07 58 f5 6a 35 ad 2d 73 99 6b 71 59 e5 5c 09 1b 8d 95 b0 31 cb bd 1e 30 db 32 85 9a 51 55 46 db 04 96 06 3a 1d d0 d4 c0 0f a0 32 17 08 7b 53 4b f1 5b 31 bf 49 f8 1b 77 98 80 19 0b 58 54 a0 95 16 68 72 d3 16 61 6f 59 92 57 a4 4d a8 5e f4 c2 79 c1 94 69 71 0e 33 a6 84 82 56 73 a1 73 0e a0 1f c1 b4 bc 55 24 9f 13 5c 18 4f aa 44 7c a8 25 14 3c f2 22 5d 94 35 db 53 b2 9f 74 03 35 50 2b a3 91 f0 57 ca 5b 4b e4 9b 71 b2 84 83 21 c4 d3 30 10 ae b5 95 79 19 2e 18 98 29 2e 38 aa 7f 01 2e 16 94 9b e0 83 d7 61 08 27 be d3 87 aa 71 f2 e9 41 fd a3 53 ff be 53 bf 6b d7 6c c3 ee 9e 1a c3 6d 62 fe 3a 68 11 a5 9b da 38 2f 70 e1 b7 97 03 75 51 f6 a2 e4 b5 5c 61 df 44 ce ba a1 5c f3 3a 72 d9 76 c0 4a 6c 01 25 e6 7e 06 7b a2 25 a8 9c 98 60 af 19 0b 30 ec 99 f9 ee a0 72 62 0c ee 16 e5 e7 b9 2c 47 03 78 cb 66 ba 3e 08 d1 f8 40 f4 15 d6 23 b4 0c 80 99 ea 0d 0a b3 2c fe d6 d6 29 bb 3c cf 2a 6f fe a4 72 4b cb c1 5f bc 25 2a 52 5d 9d 23 49 e5 44 21 ab 14 58 cc
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive
  Host: bandam.feedestend.com
Source: global traffic HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: bandam.feedestend.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  User-Agent: AutoIt
  Host: bandam.feedestend.com
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xea704d80,0x01d74119</date><accdate>0xea704d80,0x01d74119</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xea704d80,0x01d74119</date><accdate>0xea704d80,0x01d74119</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xea72afb2,0x01d74119</date><accdate>0xea72afb2,0x01d74119</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xea72afb2,0x01d74119</date><accdate>0xea72afb2,0x01d74119</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xea7511fb,0x01d74119</date><accdate>0xea7511fb,0x01d74119</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xea7511fb,0x01d74119</date><accdate>0xea7511fb,0x01d74119</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: nt.embluemail.com
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 04 May 2021 19:15:29 GMT
  Server: Apache/2.4.29 (Ubuntu)
  Content-Length: 283
  Keep-Alive: timeout=5, max=99
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 62 61 6e 64 61 6d 2e 66 65 65 64 65 73 74 65 6e 64 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at bandam.feedestend.com Port 80</address></body></html>
Source: ~DF537922E49D7A1954.TMP.1.dr String found in binary or memory: http://bandam.feedestend.com/#YmFuZGFtQHNhY2NvdW50eS5uZXQ=
Source: {13E99110-AD0D-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: http://bandam.feedestend.com/#YmFuZGFtQHNhY2NvdW50eS5uZXQ=Root
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr String found in binary or memory: http://www.twitter.com/
Source: RBDAB6LU.htm.2.dr String found in binary or memory: http://www.webtoolkit.info/
Source: msapplication.xml6.1.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr String found in binary or memory: http://www.youtube.com/
Source: RBDAB6LU.htm.2.dr String found in binary or memory: https://blencovents.net/o/
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: classification engine Classification label: mal56.win@3/16@3/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{13E9910E-AD0D-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFF14C111DD7FF8AC8.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6464 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected

Behavior Graph (ID: 404271; URL: https://nt.embluemail.com/p...; Startdate: 04/05/2021; Architecture: WINDOWS; Score: 56)
  Signatures on the sample: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample
  Process chain: iexplore.exe (1 registry value, 73 files created) -> iexplore.exe (2 registry values, 30 files created)
  DNS/IP: bandam.feedestend.com 20.185.236.167, ports 49730, 49731, 49741, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
  DNS/IP: d-9z7gan7a2h.execute-api.sa-east-1.amazonaws.com 54.94.56.139, ports 443, 49727, 49728, AMAZON-02US, United States
  DNS/IP: nt.embluemail.com

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
20.185.236.167 bandam.feedestend.com United States 8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
54.94.56.139 d-9z7gan7a2h.execute-api.sa-east-1.amazonaws.com United States 16509 AMAZON-02US false

Contacted Domains

Name IP Active
bandam.feedestend.com 20.185.236.167 true
d-9z7gan7a2h.execute-api.sa-east-1.amazonaws.com 54.94.56.139 true
nt.embluemail.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://bandam.feedestend.com/ false Avira URL Cloud: safe unknown
http://bandam.feedestend.com/favicon.ico false Avira URL Cloud: safe unknown
http://bandam.feedestend.com/#YmFuZGFtQHNhY2NvdW50eS5uZXQ= true SlashNext: Fake Login Page type: Phishing & Social Engineering unknown