Analysis Report https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.ptcul.org%2fQUICKENLOANPayoffST.html&c=E,1,cZ4it7vUwwU40xP49hVIDZK5zOpWEgKMytxlbf_fzHhDG3IqiFWUNMvV6eqmKn6vwO6xqwRYpRL0NHQwJYVrLrUcxE9Wn2XjCcsSWt4750g-TU3V0KQw&typo=1

Overview

General Information

Sample URL: https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.ptcul.org%2fQUICKENLOANPayoffST.html&c=E,1,cZ4it7vUwwU40xP49hVIDZK5zOpWEgKMytxlbf_fzHhDG3IqiFWUNMvV6eqmKn6vwO6xqwRYpRL0NHQwJYVrLrUcxE9Wn2XjCcsSWt4750g-TU3V0KQw&typo=1
Analysis ID: 433337
Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish10
Phishing site detected (based on image similarity)
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL

Classification

Phishing:

Yara detected HtmlPhish10
Source: Yara match File source: 506407.0.links.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\wap[1].htm, type: DROPPED
Phishing site detected (based on image similarity)
Source: https://itmddn.com/QUICKENFILE/micro.svg Matcher: Found strong image similarity, brand: Microsoft
Phishing site detected (based on logo template match)
Source: https://itmddn.com/QUICKENFILE/wap.php?wap=4UY432 Matcher: Template: microsoft matched
HTML body contains low number of good links
Source: https://itmddn.com/QUICKENFILE/wap.php?wap=4UY432 HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://itmddn.com/QUICKENFILE/wap.php?wap=4UY432 HTTP Parser: Title: 0auth does not match URL
Source: https://itmddn.com/QUICKENFILE/wap.php?wap=4UY432 HTTP Parser: No <meta name="author".. found
Source: https://itmddn.com/QUICKENFILE/wap.php?wap=4UY432 HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 52.58.148.216:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.58.148.216:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.205.64.138:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.205.64.138:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.205.64.138:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.205.64.138:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.205.64.138:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: favicon[1].htm.3.dr String found in binary or memory: <li class="top_bar_contact_item"><a href="https://www.facebook.com/ITMddn" target="_blank" class="tooltip-bottom"> <i class="fa fa-facebook"></i></a></li> <li class="top_bar_contact_item"><a href="https://www.youtube.com/channel/UC0udGRFOTR-QX1c9ezgB6HQ" target="_blank" class="tooltip-bottom" ><i class="fa fa-youtube"></i></a></li> equals www.facebook.com (Facebook)
Source: favicon[1].htm.3.dr String found in binary or memory: <li class="top_bar_contact_item"><a href="https://www.facebook.com/ITMddn" target="_blank" class="tooltip-bottom"> <i class="fa fa-facebook"></i></a></li> <li class="top_bar_contact_item"><a href="https://www.youtube.com/channel/UC0udGRFOTR-QX1c9ezgB6HQ" target="_blank" class="tooltip-bottom" ><i class="fa fa-youtube"></i></a></li> equals www.youtube.com (Youtube)
Source: favicon[1].htm.3.dr String found in binary or memory: <p class="pb-10 pr-30 res-575-pr-0" align="justify"><iframe allow="autoplay; clipboard-write; encrypted-media; picture-in-picture; web-share" allowfullscreen="true" frameborder="0" height="300" scrolling="no" src="https://www.facebook.com/plugins/page.php?href=https%3A%2F%2Fwww.facebook.com%2FITMddn&amp;tabs=timeline&amp;width=340&amp;height=300&amp;small_header=false&amp;adapt_container_width=true&amp;hide_cover=false&amp;show_facepile=true&amp;appId" style="border:none;overflow:hidden" width="100%"></iframe> equals www.facebook.com (Facebook)
Source: favicon[1].htm.3.dr String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" ><i class="fa fa-facebook"></i> </a> <i class="fa fa-angle-double-up scroll-top"></i> equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: linkprotect.cudasvc.com
Source: favicon[1].htm.3.dr String found in binary or memory: http://cm.uk.gov.in/
Source: favicon[1].htm.3.dr String found in binary or memory: http://hitwebcounter.com/counter/counter.php?page=7055334&style=0007&nbdigits=9&type=ip&initCount=10
Source: favicon[1].htm.3.dr String found in binary or memory: http://itmddn.com/itm-prospectus-2021-final.pdf
Source: favicon[1].htm.3.dr String found in binary or memory: http://mail.ptcul.org/
Source: favicon[1].htm.3.dr String found in binary or memory: http://uktenders.gov.in/nicgep/app
Source: favicon[1].htm.3.dr String found in binary or memory: http://webline.co.in/itm/document/application-form-itm.pdf
Source: favicon[1].htm.3.dr String found in binary or memory: http://www.governoruk.gov.in/
Source: favicon[1].htm.3.dr String found in binary or memory: http://www.hitwebcounter.com
Source: favicon[1].htm.3.dr String found in binary or memory: http://www.ptcul.org.
Source: favicon[1].htm.3.dr String found in binary or memory: http://www.ptcul.org/noc/
Source: favicon[1].htm.3.dr String found in binary or memory: https://code.jquery.com/ui/1.12.1/jquery-ui.js
Source: QUICKENLOANPayoffST[1].htm.3.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTvJ9LhHlll4c4Y8v0G3PBpvTXnyhiRdLTsXT7Jtk3ZR7YL
Source: favicon[1].htm.3.dr String found in binary or memory: https://forms.eduqfix.com/insttechmgt/add
Source: {F25EFFC2-CB0F-11EB-90E5-ECF4BB570DC9}.dat.2.dr String found in binary or memory: https://itmddn.com/QUI
Source: QUICKENLOANPayoffST[1].htm.3.dr String found in binary or memory: https://itmddn.com/QUICKENFILE/wap.php?wap=4UY432
Source: {F25EFFC2-CB0F-11EB-90E5-ECF4BB570DC9}.dat.2.dr String found in binary or memory: https://itmddn.com/QUIQUICKENLOANPayoffST.htmlCKENFILE/wap.php?wap=4UY432Root
Source: favicon[1].htm.3.dr String found in binary or memory: https://noc.uksldc.in/
Source: data[1].js.3.dr String found in binary or memory: https://outlook.live.com/owa/
Source: favicon[1].htm.3.dr String found in binary or memory: https://webline.in/
Source: favicon[1].htm.3.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-127582903-1
Source: favicon[1].htm.3.dr String found in binary or memory: https://www.itmddn.com/itm-prospectus-2020-final.pdf
Source: favicon[1].htm.3.dr String found in binary or memory: https://www.itmddn.online
Source: {F25EFFC2-CB0F-11EB-90E5-ECF4BB570DC9}.dat.2.dr, ~DF74B79FAF2663A557.TMP.2.dr String found in binary or memory: https://www.ptcul.org/QUICKENLOANPayoffST.html
Source: {F25EFFC2-CB0F-11EB-90E5-ECF4BB570DC9}.dat.2.dr String found in binary or memory: https://www.ptcul.org/QUICKENLOANPayoffST.html.Quicken
Source: {F25EFFC2-CB0F-11EB-90E5-ECF4BB570DC9}.dat.2.dr String found in binary or memory: https://www.ptcul.org/QUICKENLOANPayoffST.htmlRoot
Source: ~DF74B79FAF2663A557.TMP.2.dr String found in binary or memory: https://www.ptcul.org/QUICKENLOANPayoffST.html~
Source: favicon[1].htm.3.dr String found in binary or memory: https://www.tenderwizard.com/ROOTAPP/PTCUL.jsp?enc%3DkphSKaWwsq080wYCvjz4XVKhb65%2B2glBBqQTdlDr%2BwA
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: classification engine Classification label: mal56.phis.win@3/14@4/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F25EFFC0-CB0F-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF25C900E5007E33CB.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5784 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: {F25EFFC2-CB0F-11EB-90E5-ECF4BB570DC9}.dat.2.dr Binary or memory string: 1vv9apFA3TyTspd+VZIqEmUlPOUXEVmiNn9WsRkRDqbyXyWMFIRjrnyCIG6pMXbSLa0U1FF6ow86
Source: {F25EFFC2-CB0F-11EB-90E5-ECF4BB570DC9}.dat.2.dr Binary or memory string: VMohuekjNZ9GBlrdhCpr0hIFes3+pllsRaI5IlXqeMUZqPX1UuLc8ok8TR6JsAjnlXI2L9YX0TYQ
Source: {F25EFFC2-CB0F-11EB-90E5-ECF4BB570DC9}.dat.2.dr Binary or memory string: /5NSUs3Zob/IovMCijIQWknCwq500z4BsK8+DnxH+7pk/enZQZJCwJdh5VC6d3iod8lRWhdl3yNK