Analysis Report Payment Data.html

Overview

General Information

Sample Name: Payment Data.html
Analysis ID: 433128
MD5: c3334584ded66141a0c2b1c95e69086e
SHA1: d10d17599c325e85ce8a43c70d7dfa419d2590db
SHA256: 6ea0976949a655738926cbb9072e3abd0be3e3d3779a75c028dc88b888e736a1

Detection

HTMLPhisher
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected HtmlPhish10
Yara detected HtmlPhish19
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
Non-HTTPS page querying sensitive user data (password, username or email)
Suspicious form URL found

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Payment Data.html Virustotal: Detection: 12%

Phishing:

Yara detected HtmlPhish10
Source: Yara match File source: Payment Data.html, type: SAMPLE
Source: Yara match File source: 783875.pages.csv, type: HTML
Yara detected HtmlPhish19
Source: Yara match File source: Payment Data.html, type: SAMPLE
Phishing site detected (based on logo template match)
Source: file:///C:/Users/user/Desktop/Payment%20Data.html Matcher: Template: microsoft matched
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/Payment%20Data.html HTTP Parser: Number of links: 0
HTML title does not match URL
Source: file:///C:/Users/user/Desktop/Payment%20Data.html HTTP Parser: Title: Sign in to your Microsoft account does not match URL
Non-HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/Payment%20Data.html HTTP Parser: Has password / email / username input fields
Suspicious form URL found
Source: file:///C:/Users/user/Desktop/Payment%20Data.html HTTP Parser: Form action: https://cristoenlinea.tv/yellow.php
Source: file:///C:/Users/user/Desktop/Payment%20Data.html HTTP Parser: No <meta name="author"> found
Source: file:///C:/Users/user/Desktop/Payment%20Data.html HTTP Parser: No <meta name="copyright"> found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Payment Data.html String found in binary or memory: https://cristoenlinea.tv/yellow.php
Source: classification engine Classification label: mal68.phis.winHTML@3/15@0/0
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{452781B6-CAE0-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF230B8C90068586DB.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5108 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
No contacted IP information