Analysis Report receipt319.html

Overview

General Information

Sample Name: receipt319.html
Analysis ID: 412851
MD5: 2c2e3af2ecfca319e8848c1043b7bc35
SHA1: 3ebe21a94454b1d2704377ef0aab769be50c31d2
SHA256: b80c548232c20ab1f8311f28661b5dba637df57e19cbb7f29a87c59fa294b635

Detection

HTMLPhisher
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish44
Yara detected obfuscated html page
Obfuscated HTML file found
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
Invalid T&C link found
JA3 SSL client fingerprint seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)

Classification

Phishing:

Yara detected HtmlPhish44
Source: Yara match File source: receipt319.html, type: SAMPLE
Yara detected obfuscated html page
Source: Yara match File source: receipt319.html, type: SAMPLE
Phishing site detected (based on logo template match)
Source: file:///C:/Users/user/Desktop/receipt319.html Matcher: Template: outlook matched
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/receipt319.html HTTP Parser: Number of links: 1
Source: https://login.yahoo.com/account/create?specId=yidReg&altreg=0#yuhead-search HTTP Parser: Number of links: 1
HTML title does not match URL
Source: file:///C:/Users/user/Desktop/receipt319.html HTTP Parser: Title: Outlook Web App does not match URL
Invalid T&C link found
Source: file:///C:/Users/user/Desktop/receipt319.html HTTP Parser: Invalid link: Your Privacy
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/receipt319.html HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/receipt319.html HTTP Parser: No <meta name="author".. found
Source: https://login.yahoo.com/account/create?specId=yidReg&altreg=0#yuhead-search HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/receipt319.html HTTP Parser: No <meta name="copyright".. found
Source: https://login.yahoo.com/account/create?specId=yidReg&altreg=0#yuhead-search HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.82.100.140:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.125.72.139:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.125.72.139:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.125.72.139:443 -> 192.168.2.5:49721 version: TLS 1.2

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.125.72.139
Source: Joe Sandbox View IP Address: 87.248.118.23
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: create[1].htm.3.dr String found in binary or memory: <p class="ureg-sign-in txt-align-center">Already have an account? <a href="https://login.yahoo.com/?specId&#x3D;yidreg&amp;intl&#x3D;us&amp;done&#x3D;https%3A%2F%2Fwww.yahoo.com&amp;prompt&#x3D;login" data-rapid-tracking="true" data-ylk="elm:link;elmt:signin;slk:signin;mKey:registration-signin" class="js-link-feedback">Sign equals www.yahoo.com (Yahoo)
Source: create[1].htm.3.dr String found in binary or memory: <a href="https://www.yahoo.com/"> equals www.yahoo.com (Yahoo)
Source: create[1].htm.3.dr String found in binary or memory: <input type="hidden" value="https://www.yahoo.com" name="done"> equals www.yahoo.com (Yahoo)
Source: create[1].htm.3.dr String found in binary or memory: <form id="regform" action="https://login.yahoo.com/account/create?specId&#x3D;yidreg&amp;intl&#x3D;us&amp;altreg&#x3D;0&amp;context&#x3D;reg&amp;done&#x3D;https%3A%2F%2Fwww.yahoo.com" class="pure-form pure-form-stacked oneid-form-background reg-form grid-form" method="post" novalidate > equals www.yahoo.com (Yahoo)
Source: ~DFDC14B9469AEC2819.TMP.1.dr String found in binary or memory: https://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: create[1].htm.3.dr String found in binary or memory: root.regdata.urls = {"actionURL":"https:\u002F\u002Flogin.yahoo.com\u002Faccount\u002Fcreate?specId=yidreg&intl=us&altreg=0&context=reg&done=https%3A%2F%2Fwww.yahoo.com","errorPage":"https:\u002F\u002Flogin.yahoo.com\u002Faccount\u002Fcreate\u002Ferror?specId=yidreg&intl=us&altreg=0&context=reg&done=https%3A%2F%2Fwww.yahoo.com","usernameRegToggleURL":"https:\u002F\u002Flogin.yahoo.com\u002Faccount\u002Fcreate?specId=0&intl=us&context=reg&done=https%3A%2F%2Fwww.yahoo.com","yidRegToggleURL":"https:\u002F\u002Flogin.yahoo.com\u002Faccount\u002Fcreate?specId=yidReg&altreg=yidreg&intl=us&context=reg&done=https%3A%2F%2Fwww.yahoo.com","tos":"https:\u002F\u002Fwww.verizonmedia.com\u002Fpolicies\u002Fus\u002Fen\u002Fverizonmedia\u002Fterms\u002Fotos\u002Findex.html","privacy":"https:\u002F\u002Fwww.verizonmedia.com\u002Fpolicies\u002Fus\u002Fen\u002Fverizonmedia\u002Fprivacy\u002Findex.html","loginURL":"https:\u002F\u002Flogin.yahoo.com\u002F?specId=yidreg&intl=us&done=https%3A%2F%2Fwww.yahoo.com&prompt=login"}; equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: eu.edit.yahoo.com
Source: yahoo-main[1].css.3.dr String found in binary or memory: https://github.com/yui/pure/blob/master/LICENSE.md
Source: create[1].htm.3.dr String found in binary or memory: https://help.yahoo.com/kb/index?locale&#x3D;en_US&amp;page&#x3D;product&amp;y&#x3D;PROD_ACCT
Source: {5FF79C09-B3C4-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://login.yahoo.co
Source: ~DFDC14B9469AEC2819.TMP.1.dr String found in binary or memory: https://login.yahoo.com/
Source: create[1].htm.3.dr String found in binary or memory: https://login.yahoo.com/?specId&#x3D;yidreg&amp;intl&#x3D;us&amp;done&#x3D;https%3A%2F%2Fwww.yahoo.c
Source: create[1].htm.3.dr String found in binary or memory: https://login.yahoo.com/account/create?specId&#x3D;yidreg&amp;intl&#x3D;us&amp;altreg&#x3D;0&amp;con
Source: ~DFDC14B9469AEC2819.TMP.1.dr String found in binary or memory: https://login.yahoo.com/account/create?specId=yidReg&altreg=0
Source: ~DFDC14B9469AEC2819.TMP.1.dr String found in binary or memory: https://login.yahoo.com/account/create?specId=yidReg&altreg=0#yuhead-search
Source: bundle[1].js.3.dr String found in binary or memory: https://mobileexchange.yahoo.com/dismiss
Source: create[1].htm.3.dr String found in binary or memory: https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/index.html
Source: create[1].htm.3.dr String found in binary or memory: https://www.verizonmedia.com/policies/us/en/verizonmedia/terms/otos/index.html
Source: create[1].htm.3.dr, ~DFDC14B9469AEC2819.TMP.1.dr String found in binary or memory: https://www.yahoo.com
Source: create[1].htm.3.dr String found in binary or memory: https://www.yahoo.com/
Source: classification engine Classification label: mal64.phis.evad.winHTML@3/18@5/4
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5FF79C07-B3C4-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFB79DB137339A7974.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4192 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: agree
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Obfuscated HTML file found
Source: receipt319.html Initial file: Did not found title: "Outlook Web App" in HTML/HTM content
Behavior Graph

ID: 412851
Sample: receipt319.html
Startdate: 13/05/2021
Architecture: WINDOWS
Score: 64

[Behavior graph: receipt319.html (signatures: Yara detected HtmlPhish44, Yara detected obfuscated html page, Obfuscated HTML file found, Phishing site detected (based on logo template match)) -> iexplore.exe started -> iexplore.exe started. The first iexplore.exe contacted 192.168.2.1; the second contacted udc-ats.media.g03.yahoodns.net (188.125.72.139, YAHOO-IRDGB, United Kingdom), ds-ats.member.g02.yahoodns.net (212.82.100.140, YAHOO-IRDGB, United Kingdom) and 8 other IPs or domains.]

Contacted Public IPs

IP              Domain                            Country         ASN     ASN Name     Malicious
188.125.72.139  geo-atsv2.media.g03.yahoodns.net  United Kingdom  34010   YAHOO-IRDGB  false
87.248.118.23   edge.gycpi.b.yahoodns.net         United Kingdom  203220  YAHOO-DEBDE  false
212.82.100.140  ds-ats.member.g02.yahoodns.net    United Kingdom  34010   YAHOO-IRDGB  false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
geo-atsv2.media.g03.yahoodns.net 188.125.72.139 true
udc-ats.media.g03.yahoodns.net 188.125.72.139 true
ds-ats.member.g02.yahoodns.net 212.82.100.140 true
edge.gycpi.b.yahoodns.net 87.248.118.23 true
s.yimg.com unknown unknown
udc.yahoo.com unknown unknown
eu.edit.yahoo.com unknown unknown
login.yahoo.com unknown unknown
geo.yahoo.com unknown unknown

Contacted URLs

Name                                                                         Malicious  Antivirus Detection  Reputation
file:///C:/Users/user/Desktop/receipt319.html                                true                            low
https://login.yahoo.com/account/create?specId=yidReg&altreg=0#yuhead-search  false                           high