Loading ...

Play interactive tourEdit tour

Analysis Report https://es.sonicurlprotection-sjl.com/click?PV=1&MSGID=202105211549092505692&URLID=1&ESV=10.0.9.5707&IV=E883A8665494D69666E51654A2A39188&TT=1621612156493&ESN=z1jnIrTVkkYn09KxCUei6Eq2cavioNPQClHgLUOR8BA%3D&KV=1536961729279&ENCODED_URL=http%3A%2F%2Feviromentalachforcovid.org%2F&HK=E4B2C7C59B7CB793F04CB2C26C1B812F608F409CE43CADC4C3A0B63CE2F36A29

Overview

General Information

Sample URL:https://es.sonicurlprotection-sjl.com/click?PV=1&MSGID=202105211549092505692&URLID=1&ESV=10.0.9.5707&IV=E883A8665494D69666E51654A2A39188&TT=1621612156493&ESN=z1jnIrTVkkYn09KxCUei6Eq2cavioNPQClHgLUOR8BA%3D&KV=1536961729279&ENCODED_URL=http%3A%2F%2Feviromentalachforcovid.org%2F&HK=E4B2C7C59B7CB793F04CB2C26C1B812F608F409CE43CADC4C3A0B63CE2F36A29
Analysis ID:419819
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Yara detected HtmlPhish10
Yara detected obfuscated html page
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
Invalid 'forgot password' link found

Classification

Process Tree

  • System is w10x64
  • iexplore.exe (PID: 5424 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2236 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5424 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\______portlander_iwcbew29763869929_92727297_nunueun[1].htmJoeSecurity_ObshtmlYara detected obfuscated html pageJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Antivirus detection for URL or domainShow sources
    Source: https://www0utl00koffice365comcginewloginapp.s3.jp-osa.cloud-object-storage.appdomain.cloud/______portlander_iwcbew29763869929_92727297_nunueun.htmlSlashNext: Label: Fake Login Page type: Phishing & Social Engineering

    Phishing:

    barindex
    Yara detected HtmlPhish10Show sources
    Source: Yara matchFile source: 642294.0.links.csv, type: HTML
    Yara detected obfuscated html pageShow sources
    Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\______portlander_iwcbew29763869929_92727297_nunueun[1].htm, type: DROPPED
    Phishing site detected (based on logo template match)Show sources
    Source: https://www0utl00koffice365comcginewloginapp.s3.jp-osa.cloud-object-storage.appdomain.cloud/______portlander_iwcbew29763869929_92727297_nunueun.htmlMatcher: Template: microsoft matched
    Source: https://www0utl00koffice365comcginewloginapp.s3.jp-osa.cloud-object-storage.appdomain.cloud/______portlander_iwcbew29763869929_92727297_nunueun.htmlHTTP Parser: Number of links: 0
    Source: https://www0utl00koffice365comcginewloginapp.s3.jp-osa.cloud-object-storage.appdomain.cloud/______portlander_iwcbew29763869929_92727297_nunueun.htmlHTTP Parser: Number of links: 0
    Source: https://www0utl00koffice365comcginewloginapp.s3.jp-osa.cloud-object-storage.appdomain.cloud/______portlander_iwcbew29763869929_92727297_nunueun.htmlHTTP Parser: Title: Sign in to your Microsoft account does not match URL
    Source: https://www0utl00koffice365comcginewloginapp.s3.jp-osa.cloud-object-storage.appdomain.cloud/______portlander_iwcbew29763869929_92727297_nunueun.htmlHTTP Parser: Title: Sign in to your Microsoft account does not match URL
    Source: https://www0utl00koffice365comcginewloginapp.s3.jp-osa.cloud-object-storage.appdomain.cloud/______portlander_iwcbew29763869929_92727297_nunueun.htmlHTTP Parser: Invalid link: Forgot my password
    Source: https://www0utl00koffice365comcginewloginapp.s3.jp-osa.cloud-object-storage.appdomain.cloud/______portlander_iwcbew29763869929_92727297_nunueun.htmlHTTP Parser: Invalid link: Forgot my password
    Source: https://www0utl00koffice365comcginewloginapp.s3.jp-osa.cloud-object-storage.appdomain.cloud/______portlander_iwcbew29763869929_92727297_nunueun.htmlHTTP Parser: No <meta name="author".. found
    Source: https://www0utl00koffice365comcginewloginapp.s3.jp-osa.cloud-object-storage.appdomain.cloud/______portlander_iwcbew29763869929_92727297_nunueun.htmlHTTP Parser: No <meta name="author".. found
    Source: https://www0utl00koffice365comcginewloginapp.s3.jp-osa.cloud-object-storage.appdomain.cloud/______portlander_iwcbew29763869929_92727297_nunueun.htmlHTTP Parser: No <meta name="copyright".. found
    Source: https://www0utl00koffice365comcginewloginapp.s3.jp-osa.cloud-object-storage.appdomain.cloud/______portlander_iwcbew29763869929_92727297_nunueun.htmlHTTP Parser: No <meta name="copyright".. found
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
    Source: unknownHTTPS traffic detected: 4.16.47.153:443 -> 192.168.2.7:49713 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 4.16.47.153:443 -> 192.168.2.7:49712 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 199.34.228.73:443 -> 192.168.2.7:49721 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.7:49729 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.7:49730 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.7:49731 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.7:49734 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.7:49732 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.7:49728 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 199.34.228.73:443 -> 192.168.2.7:49723 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 199.34.228.73:443 -> 192.168.2.7:49726 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 199.34.228.73:443 -> 192.168.2.7:49727 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 199.34.228.73:443 -> 192.168.2.7:49733 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 52.11.37.142:443 -> 192.168.2.7:49749 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 52.11.37.142:443 -> 192.168.2.7:49748 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 199.34.228.73:443 -> 192.168.2.7:49758 version: TLS 1.2
    Source: unknown