Analysis Report https://landarch.org/hassani/index.php

Overview

General Information

Sample URL: https://landarch.org/hassani/index.php
Analysis ID: 412528

Detection

HTMLPhisher
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Phishing site detected (based on shot template match)
Yara detected HtmlPhish10
Yara detected HtmlPhish7
Phishing site detected (based on various OCR indicators)
HTML body contains low number of good links
HTML title does not match URL

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: https://landarch.org/hassani/index.php SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on shot template match)
Source: https://landarch.org/hassani/index.php Matcher: Template: outlook matched
Yara detected HtmlPhish10
Source: Yara match File source: 238576.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\index[1].htm, type: DROPPED
Yara detected HtmlPhish7
Source: Yara match File source: 238576.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\index[1].htm, type: DROPPED
Phishing site detected (based on various OCR indicators)
Source: Screenshots OCR Text: [garbled OCR of browser window chrome omitted] landarch.org https//landarch.org/hassani/indw.php Share Point Online Search... Adobe Document Cloud To read the document, please enter with the valid email credentials that this file was sent to. Sign in with Outlook Sign in with Office365 Sign in with Other Mail Select your email provider to view Document CopyRight 2020 Adobe.
Source: Screenshots OCR Text: d'- Adobe Document Cloud To read the document, please enter with the valid email credentials that this file was sent to. Sign in with Outlook Sign in with Office365 OO Sign in with Other Mail Select your email provider to view Document CopyRight 2020 Adobe.
HTML body contains low number of good links
Source: https://landarch.org/hassani/index.php HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://landarch.org/hassani/index.php HTTP Parser: Title: Share Point Online does not match URL
Source: https://landarch.org/hassani/index.php HTTP Parser: No <meta name="author".. found
Source: https://landarch.org/hassani/index.php HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 50.87.140.26:443 -> 192.168.2.6:49695 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.87.140.26:443 -> 192.168.2.6:49694 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.6:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.6:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.6:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.87.140.26:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: landarch.org
Source: hover[1].css.2.dr String found in binary or memory: http://ianlunn.co.uk/
Source: hover[1].css.2.dr String found in binary or memory: http://ianlunn.github.io/Hover/)
Source: popper.min[1].js.2.dr String found in binary or memory: http://opensource.org/licenses/MIT).
Source: index[1].htm.2.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: index[1].htm.2.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: index[1].htm.2.dr String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: index[1].htm.2.dr String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: index[1].htm.2.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: free.min[1].css.2.dr String found in binary or memory: https://fontawesome.com
Source: free.min[1].css.2.dr String found in binary or memory: https://fontawesome.com/license/free
Source: index[1].htm.2.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Yellowtail&display=swap
Source: css[2].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/yellowtail/v11/OZpGg_pnoDtINPfRIlLohlvHxw.woff)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://getbootstrap.com)
Source: hover[1].css.2.dr String found in binary or memory: https://github.com/IanLunn/Hover
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: 585b051251[1].js.2.dr String found in binary or memory: https://ka-f.fontawesome.com
Source: 585b051251[1].js.2.dr String found in binary or memory: https://kit.fontawesome.com
Source: index[1].htm.2.dr String found in binary or memory: https://kit.fontawesome.com/585b051251.js
Source: imagestore.dat.2.dr String found in binary or memory: https://landarch.org/favicon.ico
Source: {E0B0444A-B38D-11EB-90E5-ECF4BB2D2496}.dat.1.dr String found in binary or memory: https://landarch.org/hassani/index.php
Source: {E0B0444A-B38D-11EB-90E5-ECF4BB2D2496}.dat.1.dr String found in binary or memory: https://landarch.org/hassani/index.php$Share
Source: {E0B0444A-B38D-11EB-90E5-ECF4BB2D2496}.dat.1.dr String found in binary or memory: https://landarch.org/hassani/index.phpRoot
Source: {E0B0444A-B38D-11EB-90E5-ECF4BB2D2496}.dat.1.dr String found in binary or memory: https://landarch.org/hassani/index.phpn
Source: index[1].htm.2.dr String found in binary or memory: https://login.microsoftonline.com/common/login
Source: index[1].htm.2.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: index[1].htm.2.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: classification engine Classification label: mal76.phis.win@3/26@7/3
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E0B04448-B38D-11EB-90E5-ECF4BB2D2496}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFC5762E6EF0DB105B.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1972 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected

Behavior Graph

[Behavior graph image omitted; recoverable node text follows.]
Behavior Graph ID: 412528, URL: https://landarch.org/hassan..., Startdate: 12/05/2021, Architecture: WINDOWS, Score: 76
Signatures on the root node: Antivirus / Scanner detection for submitted sample; Phishing site detected (based on shot template match); Yara detected HtmlPhish10; 2 other signatures
Process chain: iexplore.exe (1 created registry value, 51 created files) started iexplore.exe (2 created registry values, 50 created files)
Network contacts from the child process: landarch.org 50.87.140.26, port 443 (client ports 49694, 49695), UNIFIEDLAYER-AS-1US, United States; cdnjs.cloudflare.com 104.16.19.94, port 443 (client ports 49705, 49706), CLOUDFLARENETUS, United States; 4 other IPs or domains
Dropped file: C:\Users\user\AppData\Local\...\index[1].htm, HTML

Contacted Public IPs

IP             Domain                   Country        ASN    ASN Name             Malicious
50.87.140.26   landarch.org             United States  46606  UNIFIEDLAYER-AS-1US  true
104.18.10.207  maxcdn.bootstrapcdn.com  United States  13335  CLOUDFLARENETUS      false
104.16.19.94   cdnjs.cloudflare.com     United States  13335  CLOUDFLARENETUS      false

Contacted Domains

Name                     IP             Active
cdnjs.cloudflare.com     104.16.19.94   true
maxcdn.bootstrapcdn.com  104.18.10.207  true
landarch.org             50.87.140.26   true
ka-f.fontawesome.com     unknown        unknown
code.jquery.com          unknown        unknown
kit.fontawesome.com      unknown        unknown

Contacted URLs

Name                                    Malicious  Antivirus Detection  Reputation
https://landarch.org/hassani/index.php  true                            unknown