Windows Analysis Report Westernunionreceipt711 ___vaw.html

Overview

General Information

Sample Name: Westernunionreceipt711 ___vaw.html
Analysis ID: 452350
MD5: e43b99fcb58eef1969c8ab9b2ede9404
SHA1: 3038d1bb1f1f23d2e047fe33780815cf7e62ce18
SHA256: ed68eb96911f17d8750e57133b7016efa2f4a9d2a368c47ae9ae77003af1f861

Detection

Phisher
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Phisher
IP address seen in connection with other malware

Classification

Phishing:

Yara detected Phisher
Source: Yara match File source: Westernunionreceipt711 ___vaw.html, type: SAMPLE
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: unknown DNS traffic detected: queries for: clients2.google.com
Source: classification engine Classification label: mal48.phis.winHTML@44/243@6/12
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-60F987F6-13A4.pma
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\09aedfaa-844a-4b09-b7f2-67bd54886fdc.tmp
Source: QuotaManager.0.dr Binary or memory string: CREATE TABLE HostQuotaTable(host TEXT NOT NULL, type INTEGER NOT NULL, quota INTEGER DEFAULT 0, UNIQUE(host, type));
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'C:\Users\user\Desktop\Westernunionreceipt711 ___vaw.html'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,9784536074538328282,17911257635406631719,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1716 /prefetch:8
Source: Window Recorder Window detected: More than 3 window changes detected