Analysis Report https://buidlideayour.herokuapp.com/?2bde25e384khgvadfsgvjhdgwegwfvlyfutljgdyrtugot86u87r765968js4dcbccc16d&hadams@stinsons.com#8236787/7b69698354072f79f8eeb523a63

Overview

General Information

Sample URL:	https://buidlideayour.herokuapp.com/?2bde25e384khgvadfsgvjhdgwegwfvlyfutljgdyrtugot86u87r765968js4dcbccc16d&hadams@stinsons.com#8236787/7b69698354072f79f8eeb523a63
Analysis ID:	433414
Infos:
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected HtmlPhish10

Yara detected HtmlPhish44

HTML body contains low number of good links

HTML title does not match URL

URL contains potential PII (phishing indication)

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: https://buidlideayour.herokuapp.com/?2bde25e384khgvadfsgvjhdgwegwfvlyfutljgdyrtugot86u87r765968js4dcbccc16d&hadams@stinsons.com#8236787/7b69698354072f79f8eeb523a63

SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish10

Source: Yara match

File source: 377142.pages.csv, type: HTML

Yara detected HtmlPhish44

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\secondfile[1].HTML, type: DROPPED

HTML body contains low number of good links

Source: https://firebasestorage.googleapis.com/v0/b/wteyrp.appspot.com/o/secondfile.HTML?alt=media&token=a1b11045-693b-4060-ba9c-b06b17cbfcf5#hadams@stinsons.com	HTTP Parser: Number of links: 0
Source: https://firebasestorage.googleapis.com/v0/b/wteyrp.appspot.com/o/secondfile.HTML?alt=media&token=a1b11045-693b-4060-ba9c-b06b17cbfcf5#hadams@stinsons.com	HTTP Parser: Number of links: 0

HTML title does not match URL

Source: https://firebasestorage.googleapis.com/v0/b/wteyrp.appspot.com/o/secondfile.HTML?alt=media&token=a1b11045-693b-4060-ba9c-b06b17cbfcf5#hadams@stinsons.com	HTTP Parser: Title: Logln does not match URL
Source: https://firebasestorage.googleapis.com/v0/b/wteyrp.appspot.com/o/secondfile.HTML?alt=media&token=a1b11045-693b-4060-ba9c-b06b17cbfcf5#hadams@stinsons.com	HTTP Parser: Title: Logln does not match URL

URL contains potential PII (phishing indication)

Source: https://buidlideayour.herokuapp.com/?2bde25e384khgvadfsgvjhdgwegwfvlyfutljgdyrtugot86u87r765968js4dcbccc16d&hadams@stinsons.com#8236787/7b69698354072f79f8eeb523a63

Sample URL: PII: 2bde25e384khgvadfsgvjhdgwegwfvlyfutljgdyrtugot86u87r765968js4dcbccc16d&hadams@stinsons.com

Source: https://firebasestorage.googleapis.com/v0/b/wteyrp.appspot.com/o/secondfile.HTML?alt=media&token=a1b11045-693b-4060-ba9c-b06b17cbfcf5#hadams@stinsons.com	HTTP Parser: No <meta name="author".. found
Source: https://firebasestorage.googleapis.com/v0/b/wteyrp.appspot.com/o/secondfile.HTML?alt=media&token=a1b11045-693b-4060-ba9c-b06b17cbfcf5#hadams@stinsons.com	HTTP Parser: No <meta name="author".. found

Source: https://firebasestorage.googleapis.com/v0/b/wteyrp.appspot.com/o/secondfile.HTML?alt=media&token=a1b11045-693b-4060-ba9c-b06b17cbfcf5#hadams@stinsons.com	HTTP Parser: No <meta name="copyright".. found
Source: https://firebasestorage.googleapis.com/v0/b/wteyrp.appspot.com/o/secondfile.HTML?alt=media&token=a1b11045-693b-4060-ba9c-b06b17cbfcf5#hadams@stinsons.com	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 52.72.98.175:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.72.98.175:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.3:49735 version: TLS 1.2

Source: unknown

DNS traffic detected: queries for: buidlideayour.herokuapp.com

Source: popper.min[1].js.3.dr	String found in binary or memory: http://opensource.org/licenses/MIT).
Source: {F403229A-CB23-11EB-90E4-ECF4BB862DED}.dat.2.dr, ~DF7AD2B7996D24E2A7.TMP.2.dr	String found in binary or memory: https://buidlideayour.herokuapp.com/?2bde25e384khgvadfsgvjhdgwegwfvlyfutljgdyrtugot86u87r765968js4dc
Source: ~DF7AD2B7996D24E2A7.TMP.2.dr	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/wteyrp.appspot.com/o/secondfile.HTML?alt=media&token=a1b
Source: {F403229A-CB23-11EB-90E4-ECF4BB862DED}.dat.2.dr	String found in binary or memory: https://firebasestoragherokuapp.com/?2bde25e384khgvadfsgvjhdgwegwfvlyfutljgdyrtugot86u87r765968js4dc
Source: free.min[1].css.3.dr	String found in binary or memory: https://fontawesome.com
Source: free.min[1].css.3.dr	String found in binary or memory: https://fontawesome.com/license/free
Source: css[1].css.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v12/tss0ApVBdCYD5Q7hcxTE1ArZ0bbwiXo.woff)
Source: bootstrap.min[1].css.3.dr, bootstrap.min[1].js.3.dr	String found in binary or memory: https://getbootstrap.com)
Source: bootstrap.min[1].js0.3.dr	String found in binary or memory: https://getbootstrap.com/)
Source: bootstrap.min[1].css.3.dr, bootstrap.min[1].js.3.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.3.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: 585b051251[1].js.3.dr	String found in binary or memory: https://ka-f.fontawesome.com
Source: 585b051251[1].js.3.dr	String found in binary or memory: https://kit.fontawesome.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 52.72.98.175:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.72.98.175:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.3:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.3:49735 version: TLS 1.2

Source: classification engine

Classification label: mal64.phis.win@3/18@7/3

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF459A0EB644286CDD.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5252 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5252 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.72.98.175	buidlideayour.herokuapp.com	United States	14618	AMAZON-AESUS	false
104.18.10.207	stackpath.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
104.16.18.94	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
buidlideayour.herokuapp.com	52.72.98.175	true
stackpath.bootstrapcdn.com	104.18.10.207	true
cdnjs.cloudflare.com	104.16.18.94	true
maxcdn.bootstrapcdn.com	104.18.10.207	true
ka-f.fontawesome.com	unknown	unknown
code.jquery.com	unknown	unknown
kit.fontawesome.com	unknown	unknown

ID:	433414
Product:	CloudBasic
Start time:	19:13:57
Start date:	11.06.2021
Cookbook:	browseurl.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F4032298-CB23-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	CAB5E98278DE52D83264B48B01DD8036	F774C9BEF3E4C447BE04343114AD2864AF3AE35C	DCE8873903C2A0C8E692F81D92E4C65166CE1DD1A72747E0B17CACC740C420ED
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F403229A-CB23-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	A6926E3FED5486F8818F11438D19C174	899F72C83EE2C1A97C2E2C45D1DEFEC60530083B	9DD32992FC15CC5D8CA817918F51BDF50C0F695EB6228D495982131E5478416A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FA919954-CB23-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	7138D69FAAB0689DB40F3A529CD6CD36	2520149B912A7251596FACEB8C5F6C4674B87518	5636247E72F86D81E2CD410EB4165B0FDE4FF7298B32DE1D5C3DCFA7CC41D1B8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\bootstrap.min[1].css	ASCII text, with very long lines	450FC463B8B1A349DF717056FBB3E078	895125A4522A3B10EE7ADA06EE6503587CBF95C5	2C0F3DCFE93D7E380C290FE4AB838ED8CADFF1596D62697F5444BE460D1F876D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\bootstrap.min[1].js	ASCII text, with very long lines	67176C242E1BDC20603C878DEE836DF3	27A71B00383D61EF3C489326B3564D698FC1227C	56C12A125B021D21A69E61D7190CEFA168D6C28CE715265CEA1B3B0112D169C4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\popper.min[1].js	ASCII text, with very long lines	70D3FDA195602FE8B75E0097EED74DDE	C3B977AA4B8DFB69D651E07015031D385DED964B	A52F7AA54D7BCAAFA056EE0A050262DFC5694AE28DEE8B4CAC3429AF37FF0D66
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\free-v4-shims.min[1].css	ASCII text, with very long lines	8A99CE81EC2F89FBCA03F2C8CF1A3679	58F9EF32D12A5DA52CBAB7BD518BCC998FC59EF9	362DAEAF1F7E05FEE9A609E549F148AACBE518C166FBD96EAD69057E295742AF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\free.min[1].css	ASCII text, with very long lines	390B4210E10C744C3C597500BCF0B31A	2600C7C2F25D7DBCBC668231601E426010DC6489	C2819CA1F7AD1AF7BA53C4EDFDFD395C547BCB16D29892A234D7860C689ED929
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\jquery-3.2.1.slim.min[1].js	ASCII text, with very long lines	5F48FC77CAC90C4778FA24EC9C57F37D	9E89D1515BC4C371B86F4CB1002FD8E377C1829F	9365920887B11B33A3DC4BA28A0F93951F200341263E3B9CEFD384798E4BE398
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\secondfile[1].HTML	HTML document, ASCII text, with very long lines, with CRLF line terminators	0894B3B16F6A01A8C47F686B2F4D3DED	2DECCB1C27D9C5479439CC560379F12D570A7273	B459113F479D0B87A81F62ED3DE76265C6B3781C4B45820CF90BD03AAF4F28DC
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\585b051251[1].js	ASCII text, with very long lines	D8CA71772D1E86D5FB9D5E2F6CC1AE70	9B043E60997FE552D652E4474E16AFF923D7AA76	7D840153F02AD6D91D652354E35B590721916D16C33956631EEF0E7D3B5613EE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\bootstrap.min[1].js	ASCII text, with very long lines	14D449EB8876FA55E1EF3C2CC52B0C17	A9545831803B1359CFEED47E3B4D6BAE68E40E99	E7ED36CEEE5450B4243BBC35188AFABDFB4280C7C57597001DE0ED167299B01B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\7JDA3EJ0.htm	HTML document, ASCII text, with CRLF line terminators	5D7B9590949223CE76F323EBB46EA7AD	C2F6A223D15075765864C4072300C41C86C4E5A9	8C3C54D792DF1EB4844AF1287C2EBA79DB7584295CA09E06351BC9875868F07F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\css[1].css	ASCII text	72C5D331F2135E52DA2A95F7854049A3	572F349BB65758D377CCBAE434350507341ACD7B	C3A12D7E8F6B2B1F5E4CD0C9938DFC79532AEF90802B424EE910093F156586DA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\jquery.min[1].js	ASCII text, with very long lines	2F6B11A7E914718E0290410E85366FE9	69BB69E25CA7D5EF0935317584E6153F3FD9A88C	05B85D96F41FFF14D8F608DAD03AB71E2C1017C2DA0914D7C59291BAD7A54F8E
C:\Users\user\AppData\Local\Temp\~DF459A0EB644286CDD.TMP	data	2FF6A55F662C469D94F374A86C99DFF2	1BC7A3341F0E17725149D59D757EA247E44B7667	6814BB5E375B8E07C845F3F2B0751B5B715D90D8FCB6EE6C310FEE27F357EBF7
C:\Users\user\AppData\Local\Temp\~DF7AD2B7996D24E2A7.TMP	data	D70DCBF53188B5C4AABEA61CAC7D0F20	332D6233F6BFC04EBF8BB226C7E58DC69278A3DE	171A7EAEA71DC8A03FC9EC43545691565B23657E26EC86A2554F4FD5DEC57164
C:\Users\user\AppData\Local\Temp\~DFC8DB313E591D63E0.TMP	data	6AF2B224DF7E25A5D0C3546A8207F3B9	7F90FC489591C8ADE5E3B66B4B8DCF061D9B3978	A466BA5408CCB65583018CFEDD23A1C24566982B2356564A519549E79818A20A

Analysis Report https://buidlideayour.herokuapp.com/?2bde25e384khgvadfsgvjhdgwegwfvlyfutljgdyrtugot86u87r765968js4dcbccc16d&hadams@stinsons.com#8236787/7b69698354072f79f8eeb523a63

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Phishing:

Compliance:

Networking:

System Summary:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains