Windows Analysis Report https://meet.google.com/linkredirect?dest=http://1384752.releasedmsmessagesportal3267749276424.com/#bWVtYmVyQHRoZS1leGV0ZXIuY29t

Overview

General Information

Sample URL: https://meet.google.com/linkredirect?dest=http://1384752.releasedmsmessagesportal3267749276424.com/#bWVtYmVyQHRoZS1leGV0ZXIuY29t
Analysis ID: 435314

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://1384752.releasedmsmessagesportal3267749276424.com/#bWVtYmVyQHRoZS1leGV0ZXIuY29t SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: http://1384752.releasedmsmessagesportal3267749276424.com/ Avira URL Cloud: Label: phishing
Source: http://1384752.releasedmsmessagesportal3267749276424.com/#bWVtYmVyQHRoZS1leGV0ZXIuY29t24.com/&sa=D&s Avira URL Cloud: Label: phishing
Source: http://1384752.releasedmsmessagesportal3267749276424.com/favicon.ico Avira URL Cloud: Label: phishing
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 16 Jun 2021 10:05:00 GMTServer: Apache/2.4.41 (Ubuntu)Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 1907Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 bd 59 6b 7b d2 48 14 fe 2c bf 62 8a 6e 49 4a 49 84 60 ad e5 52 b5 ad bb ee ae 97 ad 56 57 9b ea a6 64 80 68 c8 60 18 8a b5 b2 bf 7d cf 5c 12 26 37 a0 d5 67 a7 7d b8 cc 9c eb 9c f3 9e 33 19 4a ed 8d c3 17 07 af df bd 3c 42 43 3a f2 bb a5 76 f4 86 1d b7 5b 42 30 da d4 a3 3e ee be c5 e8 19 b9 f0 82 41 db 14 13 62 71 a3 56 43 c7 18 d5 6a ca f7 a7 07 fc 7b 49 cc 4c 7a a1 37 a6 88 5e 8e 71 a7 4c f1 57 6a 7e 72 2e 1c 31 5b 16 5c 6c 98 a6 4b 46 8e 17 a0 09 0d 41 0b a2 04 8d 1c da 1b 22 af 8f 42 ec 7a 21 ee 51 39 2f 08 63 ce 0b 27 94 53 cf 18 03 23 ea a0 ca 80 90 81 8f 2b 2d 10 3c 1b e2 10 a3 01 81 7f 29 21 12 28 f9 50 e0 8c 18 01 e3 50 0c 12 7c 2a f9 a4 e7 8c c6 ce 00 a3 69 e8 27 f4 47 14 27 a1 cf 94 0f 29 1d 4f f6 c0 25 27 70 c6 38 9c 1a 3d 32 32 43 6c 7a 81 8b bf 1a e3 e1 78 1f 83 5e bf 53 69 29 ea 16 5a 80 c5 a1 24 44 33 12 ba b9 6a 0e b1 ef 8d 3c 8a 43 a6 ec 76 42 0a 0e 9c 73 1f a3 73 67 82 77 9a 09 66 b1 22 16 80 8f 86 53 bc 60 4c ee 26 ee 11 37 4d b9 d0 b1 b5 55 82 3f 84 1e 0b 02 1c 30 6a 64 4a 36 b6 c2 fc 07 f7 67 b3 99 31 c3 e7 94 10 ff b3 47 0d 2f e8 13 93 b1 6e 99 25 a6 e6 71 a4 e0 aa 54 32 4d 34 0e bd 0b 87 62 78 27 b0 01 f4 b2 f4 f1 33 be 7c 45 43 b4 87 ca 8f 1e 1f 1c 1e 3d f9 f5 b7 a7 bf ff f1 e7 b3 e7 2f 5e fe 75 fc ea f5 c9 9b b7 7f bf 7b ef 9c f7 5c dc 1f 0c bd 4f 9f fd 51 40 c6 5f c2 09 9d 5e cc be 5e 7e bb 5b 6f 58 cd 7b 3b f7 77 1f 54 cd 4e 79 5b e8 98 9e fb 5e 0f 8d 30 1d 12 17 f5 49 28 ac 87 b4 28 49 37 f6 50 7f 1a 40 aa 91 00 69 5e 30 9e 52 1d cc 8b 36 86 4c 29 cc 80 c5 e5 72 2b 9e ec 0d c3 fa 36 7b 6d f0 57 6b 9b c9 ac f3 d7 06 7f 15 33 cd 05 87 07 12 ee ca 1d e5 3a e0 bb d8 0c e3 e3 94 f6 77 3f 0a 5b a4 7e 49 38 1b 7a 10 57 cd 43 6d c1 
63 f8 38 18 d0 21 33 2f 0e 0d 33 05 64 89 f5 de d0 09 0f 40 cc 23 aa 79 d5 aa de 52 a9 1a 6b 51 59 c5 54 31 19 f3 15 c8 b8 e6 6e 17 35 5a ea 0a 53 a3 69 7c 6d 13 59 3a 6a b7 51 53 47 df 91 c6 4d 00 f2 a6 9e a0 b7 22 fa 06 d0 d7 ef 71 86 46 c4 60 31 86 9d 24 43 53 a8 b6 80 7c c7 52 ac 82 a2 a1 79 93 e7 ce 73 2e 4c 8f 62 98 52 25 05 ec 34 17 32 e7 08 fb 13 9c e4 b7 f2 f8 33 8c 0b e5 71 96 c8 0f d5 78 85 0e bd 89 21 d3 9a ef 29 ec 27 db 40 1d 55 8b d6 c0 fd 95 fc d6 12 fe 66 14 2c 69 60 88 e9 34 0c a4 69 ad d2 bc 08 17 1c cc 0c 17 02 d5 3f 01 17 8b 95 9b e0 43 e4 61 88 c7 be d3 c3 9a 79 fa e1 51 ed bd 53 fb 76 b7 f6 c0 ae da a6 dd 39 33 07 db a0 fe 3a 68 91 a9 9b d8 38 5e a1 5f f4 b5 45 da cb 94 d7 33 89 7d 13 3e eb 86 7c cd eb f0 a5 cb 01 4f b1 05 94 b8 f9 29 ec c9 92 a0 89 c5 18 7b cd 88 81 63 af 91 ad 0e 9a 58 8c c0 bd c3 e8 45 2c 8b d1 80 5e f1 0e 6f f4 43 32 3a 90 75 85 d7 08 3d 05 60 2e 7a 83 c1 2c 8d bf b5 65 aa 26 cf d3 c2 9b 3f 28 dc d2 33 f0 97 6f b1 88 44 55 17 48 d2 c4 a2 e4 2d e5 68 cc 66 39 82 34 47 b6
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: 1384752.releasedmsmessagesportal3267749276424.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 1384752.releasedmsmessagesportal3267749276424.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1User-Agent: AutoItHost: 1384752.releasedmsmessagesportal3267749276424.com
Source: unknown DNS traffic detected: queries for: 1384752.releasedmsmessagesportal3267749276424.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 16 Jun 2021 10:05:00 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 311Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 33 38 34 37 35 32 2e 72 65 6c 65 61 73 65 64 6d 73 6d 65 73 73 61 67 65 73 70 6f 72 74 61 6c 33 32 36 37 37 34 39 32 37 36 34 32 34 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 1384752.releasedmsmessagesportal3267749276424.com Port 80</address></body></html>
Source: {BCA30B33-CED5-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: http://1384752.release/url?hl=en-US&q=http://1384752.releasedmsmessagesportal3267749276424.com/&sa=D
Source: url[1].htm.2.dr String found in binary or memory: http://1384752.releasedmsmessagesportal3267749276424.com/
Source: ~DF9F20198EAD5A1B08.TMP.1.dr String found in binary or memory: http://1384752.releasedmsmessagesportal3267749276424.com/#bWVtYmVyQHRoZS1leGV0ZXIuY29t24.com/&sa=D&s
Source: 1IR7VDHG.htm.2.dr String found in binary or memory: http://www.webtoolkit.info/
Source: 1IR7VDHG.htm.2.dr String found in binary or memory: https://danaperu.com/re/index.php?email=
Source: imagestore.dat.2.dr String found in binary or memory: https://www.google.com/favicon.ico
Source: imagestore.dat.2.dr String found in binary or memory: https://www.google.com/favicon.ico~
Source: ~DF9F20198EAD5A1B08.TMP.1.dr, {BCA30B33-CED5-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: https://www.google.com/url?hl=en-US&q=http://1384752.releasedmsmessagesportal3267749276424.com/&sa=D
Source: classification engine Classification label: mal48.win@3/10@2/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF5D90A928440E4261.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4816 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4816 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
[Chart legend: number of IPs, bucketed at under 25%, 25 to 50%, 50 to 75%, and over 75%]