Analysis Report HSBC_Payment_slip_for Outstanding 001005l.htm

Overview

General Information

Sample Name: HSBC_Payment_slip_for Outstanding 001005l.htm
Analysis ID: 433446
MD5: 4d490578e6d7158c55b22cf08fff6384
SHA1: 427feb280f0642dedbe05b404629be31e2790885
SHA256: e9eb31e4895d52c5e054b434c87de4ae4d3f0ff716d3b75edcf90dd270b31ee3

Detection

HTMLPhisher
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish10
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
None HTTPS page querying sensitive user data (password, username or email)
Suspicious form URL found

Classification

Phishing:

Yara detected HtmlPhish10
Source: Yara match File source: HSBC_Payment_slip_for Outstanding 001005l.htm, type: SAMPLE
Source: Yara match File source: 562258.pages.csv, type: HTML
Phishing site detected (based on logo template match)
Source: file:///C:/Users/user/Desktop/HSBC_Payment_slip_for%20Outstanding%20001005l.htm Matcher: Template: microsoft matched
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/HSBC_Payment_slip_for%20Outstanding%20001005l.htm HTTP Parser: Number of links: 0
HTML title does not match URL
Source: file:///C:/Users/user/Desktop/HSBC_Payment_slip_for%20Outstanding%20001005l.htm HTTP Parser: Title: does not match URL
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/HSBC_Payment_slip_for%20Outstanding%20001005l.htm HTTP Parser: Has password / email / username input fields
Suspicious form URL found
Source: file:///C:/Users/user/Desktop/HSBC_Payment_slip_for%20Outstanding%20001005l.htm HTTP Parser: Form action: http://woohaa.io/boxx/actions.php
Source: file:///C:/Users/user/Desktop/HSBC_Payment_slip_for%20Outstanding%20001005l.htm HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/HSBC_Payment_slip_for%20Outstanding%20001005l.htm HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x24f0cea7,0x01d75f40</date><accdate>0x24f0cea7,0x01d75f40</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x24f0cea7,0x01d75f40</date><accdate>0x24f0cea7,0x01d75f40</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x24f7f5c8,0x01d75f40</date><accdate>0x24f7f5c8,0x01d75f40</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x24f7f5c8,0x01d75f40</date><accdate>0x24f7f5c8,0x01d75f40</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x24f7f5c8,0x01d75f40</date><accdate>0x24f7f5c8,0x01d75f40</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x24f7f5c8,0x01d75f40</date><accdate>0x24f7f5c8,0x01d75f40</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: HSBC_Payment_slip_for Outstanding 001005l.htm String found in binary or memory: http://woohaa.io/boxx/actions.php
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr String found in binary or memory: http://www.youtube.com/
Source: classification engine Classification label: mal52.phis.winHTM@3/15@0/0
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF3A844A3469AC02C7.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1636 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
No contacted IP infos