Analysis Report http://www.7638928272.i-qlab.com/negwtod/bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20=

Overview

General Information

Sample URL:	http://www.7638928272.i-qlab.com/negwtod/bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20=
Analysis ID:	432857
Infos:
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Phishing site detected (based on favicon image match)

Yara detected HtmlPhish10

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: http://www.7638928272.i-qlab.com/negwtod/bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20=

SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Antivirus detection for URL or domain

Source: https://cgmrental.holacliente.com/ash4/OV4/authorize_client_id:chzwnd8j-qhms-5h8y-qul7-u1mfg6ywz8xl_9d2vrxyqzkhuf4n71w3pjob56ia0esg8ctml1ov9nusch3d0pekq82btyz4l5g6wmra7jfixvmhyg37nxpde2sakzql6u5bw9fojt1r4i80c?data=bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20=

SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on favicon image match)

Matcher: Template: microsoft matched with high similarity

Yara detected HtmlPhish10

Source: Yara match	File source: 414408.pages.csv, type: HTML
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\authorize_client_id_chzwnd8j-qhms-5h8y-qul7-u1mfg6ywz8xl_9d2vrxyqzkhuf4n71w3pjob56ia0esg8ctml1ov9nusch3d0pekq82btyz4l5g6wmra7jfixvmhyg37nxpde2sakzql6u5bw9fojt1r4i80c[1].htm, type: DROPPED

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.23.72:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.23.72:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: global traffic

HTTP traffic detected: GET /negwtod/bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20= HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.7638928272.i-qlab.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: www.7638928272.i-qlab.com

Source: ~DF45FF1EEBBA1355C4.TMP.1.dr	String found in binary or memory: http://www.7638928272.i-qlab.com/negwtod/bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20=
Source: {77C7E403-CA6A-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: http://www.7638928272.i-qlab.com/negwtod/bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20=Root
Source: authorize_client_id_chzwnd8j-qhms-5h8y-qul7-u1mfg6ywz8xl_9d2vrxyqzkhuf4n71w3pjob56ia0esg8ctml1ov9nusch3d0pekq82btyz4l5g6wmra7jfixvmhyg37nxpde2sakzql6u5bw9fojt1r4i80c[1].htm.2.dr	String found in binary or memory: https://aadcdn.msauthimages.net/dbd5a2dd-xahzdxkxsnzqmxzzxchyicgv6e6hhqsxb5qphb4dwrw/logintenantbran
Source: ~DF45FF1EEBBA1355C4.TMP.1.dr	String found in binary or memory: https://cgmrental.holacliente.com/ash4/OV4/authorize_client_id:chzwnd8j-qhms-5h8y-qul7-u1mfg6ywz8xl_
Source: bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20=[1].htm.2.dr	String found in binary or memory: https://cgmrental.holacliente.com/ash4/OV4/bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20=
Source: imagestore.dat.2.dr	String found in binary or memory: https://cgmrental.holacliente.com/ash4/OV4/images/favicon.ico~
Source: {77C7E403-CA6A-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://cgmrental.holai-qlab.com/negwtod/bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20=cliente.com/ash4/OV4/au

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.23.72:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.23.72:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: classification engine

Classification label: mal72.phis.win@3/22@4/3

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{77C7E401-CA6A-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF489A48BFD53532FE.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:328 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:328 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
152.199.23.72	cs1025.wpc.upsiloncdn.net	United States	15133	EDGECASTUS	false
192.185.129.4	cgmrental.holacliente.com	United States	46606	UNIFIEDLAYER-AS-1US	false
192.249.116.82	www.7638928272.i-qlab.com	United States	22611	IMH-WESTUS	false

Contacted Domains

Name	IP	Active
www.7638928272.i-qlab.com	192.249.116.82	true
cgmrental.holacliente.com	192.185.129.4	true
cs1025.wpc.upsiloncdn.net	152.199.23.72	true
aadcdn.msauthimages.net	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.7638928272.i-qlab.com/negwtod/bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20=	true		unknown

ID:	432857
Product:	CloudBasic
Start time:	21:06:10
Start date:	10.06.2021
Cookbook:	browseurl.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{77C7E401-CA6A-11EB-90E5-ECF4BB570DC9}.dat	Microsoft Word Document	44418098CDD36261BAC20200C285F79C	447033D035ED91E6FEA9DAEEC0DD45EAF0A3DB8F	0E189F41092919153361A3BB5424B29387F542DFF2362A99E6F5AC4C9A7F11A0
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{77C7E403-CA6A-11EB-90E5-ECF4BB570DC9}.dat	Microsoft Word Document	EED5D79ADFEC53A7775A4A4B2135FDA8	77B67B23712D1D75ADB55E52E9147A030E151CF7	10551A2DFB5ED85EB7D4B3076AF07BABB1A3E3C4C3476425AF5B4B9FAAE167A2
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7F5F0021-CA6A-11EB-90E5-ECF4BB570DC9}.dat	Microsoft Word Document	A0F613CBC4BD367E814259166936C331	C7244088833765A4344EB055B07D0B3BDC4010E9	29504FBFC3452B8163A2D093EE033B4DCA453F2802561D5362974D6A613B1458
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat	data	2867B87E9A656858C1F52443BD6F06E0	109D55254F6991CB025921CD03A1A95BA0BDE532	4E5BFA448253F5B89E92857BC5A73D31986CC2D1BC5125601FC228E4B22102EA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\arrow_left[1].svg	SVG Scalable Vector Graphics image	A9CC2824EF3517B6C4160DCF8FF7D410	8DB9AEBAD84CA6E4225BFDD2458FF3821CC4F064	34F9DB946E89F031A80DFCA7B16B2B686469C9886441261AE70A44DA1DFA2D58
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\firstmsg1[1].png	PNG image data, 353 x 41, 8-bit/color RGBA, non-interlaced	B7EA3983E3C2D7E5F61B8D1B42758189	FE0817947CA4BC53152ED9378470675D9AF189FD	7B6CF23AC2454B039DDF4F51B7074636ED5B08B6A1D254A47430C4ACE2A3569D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\inv-big-background[1].png	PNG image data, 1920 x 1080, 8-bit colormap, non-interlaced	62DDD263C8A6A4C9074E205B91182D04	1B56D11B012DD79DD99212EBB54ADCFB60920A9D	A59EA699D353D00FF2999111F9FA11FB73A47EDA7800642609CA230560EA3703
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\passwrd[1].png	PNG image data, 69 x 34, 8-bit/color RGBA, non-interlaced	4F2A1D382216546E2C3BC620497FD4E3	F785EC5967B5666387304F779306F9C3E3359FF4	105C03D3360CDB953585482374B2CC953D090741037502B0609629F5BB0135B7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\sigin[1].png	PNG image data, 108 x 32, 8-bit/color RGBA, non-interlaced	681B83E88BA6AACCC72705FBF9F2257B	D69957C47026108511225160BE9BD15788D26E14	F32A760F15530284447282AF5C7D0825BABF8BC4739E073928F6128830819F7A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20=[1].htm	HTML document, ASCII text	58CE454957CE28AF69A4A1BAC8F9C042	A5ABED3171A8DE0E684C72391B5FCC2985EB5137	7FA1239E8F9C3C3851F9984FD4618BEBE83173916D116CC02C48452A412E4735
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\enterpass[1].png	PNG image data, 170 x 29, 8-bit/color RGB, non-interlaced	BD6E291A9A3CC17ED37605E4FF0010CC	6C1EFD74231E3D253E0F51E4656ECED2F3335D71	706DE242E7C3CFC4B16BA8174723F26FB80566C3171E9E795F057476011A5DE1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\style[1].css	ASCII text, with very long lines, with no line terminators	9F94F80A5DC09BB962778175292195BC	A7F2E32B422AC9654F39EA870E403599791FCE1C	1CF4B3AD7ABF3189E78C1B3BD07308C92A03FA795FDBC5821FCDE24030CFEAD0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\ellipsis_grey[1].svg	SVG Scalable Vector Graphics image	2B5D393DB04A5E6E1F739CB266E65B4C	6A435DF5CAC3D58CCAD655FE022CCF3DD4B9B721	16C3F6531D0FA5B4D16E82ABF066233B2A9F284C068C663699313C09F5E8D6E6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\favicon[1].ico	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel	7CDD5A7E87E82D145E7F82358F9EBD04	265104CAD00300E4094F8CE6A9EDC86E54812EAD	5D91563B6ACD54468AE282083CF9EE3D2C9B2DAA45A8DE9CB661C2195B9F6CBF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\forgpass[1].png	PNG image data, 121 x 20, 8-bit/color RGB, non-interlaced	B19CAC60E41C79BD974C1080088C6FEF	FFE553D8CA430DD309494E910A989271648A4DDD	E29DB32031DC537AEE9CB557B408395F3324F1E0F744349C0CDF943A3AF39296
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\authorize_client_id_chzwnd8j-qhms-5h8y-qul7-u1mfg6ywz8xl_9d2vrxyqzkhuf4n71w3pjob56ia0esg8ctml1ov9nusch3d0pekq82btyz4l5g6wmra7jfixvmhyg37nxpde2sakzql6u5bw9fojt1r4i80c[1].htm	HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	E9DC49E688BF35F52901FFAD4E0C7FE6	1B4B4E7D18691757FEC7A89047703BB76E9C8519	A1CAA71CA89F2FBD2202117A1922903243F1F449F0219E2CCEC5A1D1F66E3C07
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\bannerlogo[1]	PNG image data, 187 x 51, 8-bit/color RGBA, non-interlaced	CB6880E0BAEF052C8AC5F7719A18FACA	68C3F1658C6417F212C4C6AFA9FD0017E08D60DC	BB756FB5E8C91A67C07223EBE26DE2747B8F8D3C75550D07C0C1E7AB2A321CC6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\ellipsis_white[1].svg	SVG Scalable Vector Graphics image	5AC590EE72BFE06A7CECFD75B588AD73	DDA2CB89A241BC424746D8CF2A22A35535094611	6075736EA9C281D69C4A3D78FF97BB61B9416A5809919BABE5A0C5596F99AAEA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\illustration[1]	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1778x1211, frames 3	A4F1F245C04018469DFF830BBDE4AA0F	2B8E49BA6B8BC526FCBE422B0344A059D8DA9FBB	3AAF74C4B57853E34D460528F96424C09D125DB3BDFE4A76033F8297630FB466
C:\Users\user\AppData\Local\Temp\~DF45FF1EEBBA1355C4.TMP	data	A0E506BED948D9B30EE1C232A8367ABF	53939304845F7713EC03C778ACA401F2162FB17C	4D2B9C09E02351A033E55A7977E9C337EE0D51726C416E8CACF74CECD6D81395
C:\Users\user\AppData\Local\Temp\~DF489A48BFD53532FE.TMP	data	6F5C5D9275A0576A83B344D89C74A20E	3563133DAE66106672400AD528FE8507852D41F1	7EAC1CA62C726E7AEBAED497DB02365B040BADA611CA0505ADAA9D273A697BDC
C:\Users\user\AppData\Local\Temp\~DFC16D75A702F8D99F.TMP	data	BC55B71083DF63BB0487DF3481832701	7CF32C3806E107E472F7FD7BF0A5D5CBDE8E52C3	2C0A961B7E8DB6D88C338CEA6B3A4E14127950F7D8486BFC0C4389A0B73426F4

Analysis Report http://www.7638928272.i-qlab.com/negwtod/bWxhd3NvbkBwbGF0aW51bWVxdWl0eS5jb20=

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Phishing:

Compliance:

Networking:

System Summary:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs