
Analysis Report _VM0_03064853.HtM

Overview

General Information

Sample Name: _VM0_03064853.HtM
Analysis ID: 432925
MD5: 92e4da33dcd2719acc55db45b697e55a
SHA1: eea5adf15a8d732ef1d588dd8008db60c234d95d
SHA256: 219829ff681bf8517b43528ebe319cbcd12905d41deae509c8a8c0bc5a613c2a

Detection

Captcha Phish, HTMLPhisher
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Phishing site detected (based on shot template match)
Yara detected Captcha Phish
Yara detected HtmlPhish44
Performs DNS queries to domains with low reputation
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware

Process Tree

  • System is w10x64
  • iexplore.exe (PID: 6320 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6380 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6320 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
_VM0_03064853.HtM | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security | 

Sigma Overview

No Sigma rule has matched

Signature Overview

Phishing:

Phishing site detected (based on shot template match)
Source: https://noname.vvtl-srv.xyz/main/, Matcher: Template: captcha matched
Yara detected Captcha Phish
Source: Yara match, File source: 305090.pages.csv, type: HTML
Yara detected HtmlPhish44
Source: Yara match, File source: _VM0_03064853.HtM, type: SAMPLE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown, HTTPS traffic detected: 23.94.52.94:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 23.94.52.94:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.5:49714 version: TLS 1.2

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, DNS query: noname.vvtl-srv.xyz
Source: Joe Sandbox View, IP Address: 104.18.10.207
Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View, JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: msapplication.xml0.1.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x23245db3,0x01d75e8b</date><accdate>0x23245db3,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x23245db3,0x01d75e8b</date><accdate>0x23245db3,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown, DNS traffic detected: queries for: noname.vvtl-srv.xyz
Source: msapplication.xml.1.dr, String found in binary or memory: http://www.amazon.com/
Source: KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf.2.dr, KFOmCnqEu92Fr1Mu4mxP[1].ttf.2.dr, KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf.2.dr, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: msapplication.xml1.1.dr, String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr, String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr, String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr, String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr, String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr, String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr, String found in binary or memory: http://www.youtube.com/
Source: recaptcha__en[1].js.2.dr, String found in binary or memory: https://developers.google.com/recaptcha/docs/faq#are-there-any-qps-or-daily-limits-on-my-use-of-reca
Source: recaptcha__en[1].js.2.dr, String found in binary or memory: https://developers.google.com/recaptcha/docs/faq#localhost_support
Source: recaptcha__en[1].js.2.dr, String found in binary or memory: https://developers.google.com/recaptcha/docs/faq#my-computer-or-network-may-be-sending-automated-que
Source: bootstrap.min[1].css.2.dr, String found in binary or memory: https://getbootstrap.com/)
Source: bootstrap.min[1].css.2.dr, String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: {4C644D00-CA7E-11EB-90E5-ECF4BB570DC9}.dat.1.dr, String found in binary or memory: https://noname.vvtl-srs/Desktop/_VM0_03064853.HtMv.xyz/main/M0_03064853.HtMRoot
Source: ~DF1C90FA8CEB081D8F.TMP.1.dr, main[1].htm.2.dr, String found in binary or memory: https://noname.vvtl-srv.xyz/main/
Source: ~DF1C90FA8CEB081D8F.TMP.1.dr, String found in binary or memory: https://noname.vvtl-srv.xyz/main/Bhttps://noname.vvtl-srv.xyz/main/
Source: ~DF1C90FA8CEB081D8F.TMP.1.dr, String found in binary or memory: https://noname.vvtl-srv.xyz/main/M0_03064853.HtMd
Source: recaptcha__en[1].js.2.dr, String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: main[1].htm0.2.dr, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css
Source: recaptcha__en[1].js.2.dr, String found in binary or memory: https://support.google.com/recaptcha
Source: recaptcha__en[1].js.2.dr, String found in binary or memory: https://support.google.com/recaptcha#6262736
Source: recaptcha__en[1].js.2.dr, String found in binary or memory: https://support.google.com/recaptcha/#6175971
Source: recaptcha__en[1].js.2.dr, String found in binary or memory: https://support.google.com/recaptcha/?hl=en#6223828
Source: recaptcha__en[1].js.2.dr, String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: main[1].htm0.2.dr, String found in binary or memory: https://www.google.com/recaptcha/api.js
Source: recaptcha__en[1].js.2.dr, bframe[1].htm.2.dr, anchor[1].htm.2.dr, api[1].js.2.dr, String found in binary or memory: https://www.google.com/recaptcha/api2/
Source: ~DF1C90FA8CEB081D8F.TMP.1.dr, String found in binary or memory: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6Lcej-kaAAAAAL_Wy-oJMo5FTzZ65UGVugbtvlkh&co=aHR0
Source: ~DF1C90FA8CEB081D8F.TMP.1.dr, String found in binary or memory: https://www.google.com/recaptcha/api2/bframe?hl=en&v=CdDdhZfPbLLrfYLBdThNS0-Y&k=6Lcej-kaAAAAAL_Wy-oJ
Source: webworker[1].js.2.dr, bframe[1].htm.2.dr, anchor[1].htm.2.dr, api[1].js.2.dr, String found in binary or memory: https://www.gstatic.com/recaptcha/releases/CdDdhZfPbLLrfYLBdThNS0-Y/recaptcha__en.js
Source: bframe[1].htm.2.dr, String found in binary or memory: https://www.gstatic.com/recaptcha/releases/CdDdhZfPbLLrfYLBdThNS0-Y/styles__ltr.css
Source: unknown, Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown, HTTPS traffic detected: 23.94.52.94:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 23.94.52.94:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: classification engine, Classification label: mal68.phis.troj.winHTM@3/29@3/2
Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4C644CFE-CA7E-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Temp\~DFCA112C58FC16D456.TMP
Source: C:\Program Files\internet explorer\iexplore.exe, File read: C:\Users\desktop.ini
Source: unknown, Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6320 CREDAT:17410 /prefetch:2
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Mitre Att&ck Matrix

Techniques are listed per tactic column; a number in parentheses is the count of matching signatures shown in the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading (1); Process Injection (1); Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery (1); Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

(Behavior graph image and its legend are not reproduced in this text export.)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.