Analysis Report https://protect-au.mimecast.com/s/0cIYC2xZY3ho5XqGtgUIfa?domain=securemailcenter.citigroup.com

Overview

General Information

Sample URL: https://protect-au.mimecast.com/s/0cIYC2xZY3ho5XqGtgUIfa?domain=securemailcenter.citigroup.com
Analysis ID: 433024
Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

No high impact signatures.

Classification

There are no high impact signatures.

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 124.47.150.19:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown HTTPS traffic detected: 124.47.150.19:443 -> 192.168.2.5:49690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.193.154.4:443 -> 192.168.2.5:49692 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.193.154.4:443 -> 192.168.2.5:49693 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.193.154.4:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.17.15.199:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.17.15.199:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: protect-au.mimecast.com
Source: button-f601f344cd1fe72eb18eb9d46d2eaeae[1].css.2.dr String found in binary or memory: http://developer.yahoo.net/yui/license.txt
Source: jquery-ui.min-0b5729a931d113be34b6fac13bcf5b29[1].css.2.dr String found in binary or memory: http://jqueryui.com
Source: jquery-ui.min-0b5729a931d113be34b6fac13bcf5b29[1].css.2.dr String found in binary or memory: http://jqueryui.com/themeroller/?bgShadowXPos=&bgOverlayXPos=&bgErrorXPos=&bgHighlightXPos=&bgConten
Source: button-f601f344cd1fe72eb18eb9d46d2eaeae[1].css.2.dr String found in binary or memory: http://yui.yahooapis.com/2.7.0/build/assets/skins/sam/sprite.png)
Source: button-f601f344cd1fe72eb18eb9d46d2eaeae[1].css.2.dr String found in binary or memory: http://yui.yahooapis.com/2.7.0/build/button/assets/skins/sam/menu-button-arrow-disabled.png);
Source: button-f601f344cd1fe72eb18eb9d46d2eaeae[1].css.2.dr String found in binary or memory: http://yui.yahooapis.com/2.7.0/build/button/assets/skins/sam/menu-button-arrow.png);
Source: button-f601f344cd1fe72eb18eb9d46d2eaeae[1].css.2.dr String found in binary or memory: http://yui.yahooapis.com/2.7.0/build/button/assets/skins/sam/split-button-arrow-active.png);
Source: button-f601f344cd1fe72eb18eb9d46d2eaeae[1].css.2.dr String found in binary or memory: http://yui.yahooapis.com/2.7.0/build/button/assets/skins/sam/split-button-arrow-disabled.png);
Source: button-f601f344cd1fe72eb18eb9d46d2eaeae[1].css.2.dr String found in binary or memory: http://yui.yahooapis.com/2.7.0/build/button/assets/skins/sam/split-button-arrow-focus.png);
Source: button-f601f344cd1fe72eb18eb9d46d2eaeae[1].css.2.dr String found in binary or memory: http://yui.yahooapis.com/2.7.0/build/button/assets/skins/sam/split-button-arrow-hover.png);
Source: button-f601f344cd1fe72eb18eb9d46d2eaeae[1].css.2.dr String found in binary or memory: http://yui.yahooapis.com/2.7.0/build/button/assets/skins/sam/split-button-arrow.png);
Source: fa-solid-900-a0369ea57eb6d3843d6474c035111f29[1].eot.2.dr, all.min-76cb46c10b6c0293433b371bae2414b2[1].css.2.dr String found in binary or memory: https://fontawesome.com
Source: all.min-76cb46c10b6c0293433b371bae2414b2[1].css.2.dr String found in binary or memory: https://fontawesome.com/license/free
Source: fa-solid-900-a0369ea57eb6d3843d6474c035111f29[1].eot.2.dr, fa-regular-400-261d666b0147c6c5cda07265f98b8f8c[1].eot.2.dr String found in binary or memory: https://fontawesome.comhttps://fontawesome.comFont
Source: {E5BD9987-CABB-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://pr.ssm.echowor
Source: {E5BD9987-CABB-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://pr.ssm.echoworer.citigroup.com/login.html?questionId=797493ef0b040cb9&locale=en_USx.net/bran
Source: brand[2].htm.2.dr String found in binary or memory: https://pr.ssm.echoworx.net//brand?act=download&entp=citi&locale=en_US&cat=Resource_Center&f=/emx/cu
Source: brand[2].htm.2.dr, brand[1].htm.2.dr String found in binary or memory: https://pr.ssm.echoworx.net//brand?act=download&entp=citi&locale=en_US&cat=Resource_Center&f=/emx/he
Source: brand[2].htm.2.dr String found in binary or memory: https://pr.ssm.echoworx.net//brand?act=download&entp=citi&locale=en_US&cat=Resource_Center&f=/emx/im
Source: brand[2].htm.2.dr String found in binary or memory: https://pr.ssm.echoworx.net//brand?act=download&entp=citi&locale=en_US&cat=Resource_Center&f=/emx/sc
Source: brand[1].css0.2.dr String found in binary or memory: https://pr.ssm.echoworx.net//brand?act=download&entp=citi&locale=en_US&cat=Resource_Center&f=Images/
Source: brand[2].htm.2.dr String found in binary or memory: https://pr.ssm.echoworx.net//brand?act=download&entp=citi&locale=en_US&cat=Resource_Center&f=emx/hel
Source: login[1].htm.2.dr String found in binary or memory: https://pr.ssm.echoworx.net/brand?act=download&entp=citi&locale=en_US&cat=Resource_Cente
Source: {E5BD9987-CABB-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://pr.ssm.echoworx.net/brand?act=download&enRoot
Source: ~DFFD565B6E1FBCC1BC.TMP.1.dr, login[1].htm.2.dr String found in binary or memory: https://pr.ssm.echoworx.net/brand?act=download&entp=citi&locale=en_US&cat=Resource_Center&f=emx/help
Source: imagestore.dat.2.dr String found in binary or memory: https://securemailcenter.citigroup.com/branding/citi/en_US/images/favicon.ico
Source: imagestore.dat.2.dr String found in binary or memory: https://securemailcenter.citigroup.com/branding/citi/en_US/images/favicon.ico~
Source: {E5BD9987-CABB-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://securemailcenter.citigroup.com/login.hRoot
Source: {E5BD9987-CABB-11EB-90E5-ECF4BB570DC9}.dat.1.dr, ~DFFD565B6E1FBCC1BC.TMP.1.dr String found in binary or memory: https://securemailcenter.citigroup.com/login.html?questionId=797493ef0b040cb9&locale=en_US
Source: {E5BD9987-CABB-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://securemailcenter.citigroup.com/login.html?questionId=797493ef0b040cb9&locale=en_USRoot
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: classification engine Classification label: clean0.win@3/40@4/3
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E5BD9985-CABB-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFA46A22FA4A4C0DF7.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5972 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected