Loading ...

Play interactive tourEdit tour

Windows Analysis Report Westernunionreceipt711 ___vaw.html

Overview

General Information

Sample Name:Westernunionreceipt711 ___vaw.html
Analysis ID:452350
MD5:e43b99fcb58eef1969c8ab9b2ede9404
SHA1:3038d1bb1f1f23d2e047fe33780815cf7e62ce18
SHA256:ed68eb96911f17d8750e57133b7016efa2f4a9d2a368c47ae9ae77003af1f861
Infos:

Most interesting Screenshot:

Detection

Phisher
Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Phisher
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 5028 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'C:\Users\user\Desktop\Westernunionreceipt711 ___vaw.html' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 5624 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,9784536074538328282,17911257635406631719,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1716 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Westernunionreceipt711 ___vaw.htmlJoeSecurity_Phisher_2Yara detected PhisherJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    Phishing:

    barindex
    Yara detected PhisherShow sources
    Source: Yara matchFile source: Westernunionreceipt711 ___vaw.html, type: SAMPLE
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdicJump to behavior
    Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
    Source: Ruleset Data.0.drString found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
    Source: Ruleset Data.0.drString found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
    Source: unknownDNS traffic detected: queries for: clients2.google.com
    Source: a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.drString found in binary or memory: https://a.nel.cloudflare.com
    Source: Reporting and NEL.2.drString found in binary or memory: https://a.nel.cloudflare.com/report/v3?s=k%2F4wdULC81DDeB0%2F5nx42Jv7hq%2BY0%2BcOJHRr%2F8%2FqLfxTlGo
    Source: manifest.json0.0.dr, a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.dr, 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.drString found in binary or memory: https://accounts.google.com
    Source: Current Session.0.dr, a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.drString found in binary or memory: https://advantpac.com
    Source: 6e7e5900b9b0660b_0.0.drString found in binary or memory: https://advantpac.com/
    Source: History.0.drString found in binary or memory: https://advantpac.com/office/voicemail/fetch/validate/session/3e4c-5f1a-bb7e-faff-60e1-a31b-c6d4/?em
    Source: History.0.drString found in binary or memory: https://advantpac.com/office/voicemail/fetch/validate/session/3e4c-5f1a-bb7e-faff-60e1-a31b-c6d4/val
    Source: Current Session.0.drString found in binary or memory: https://advantpac.comh
    Source: manifest.json0.0.dr, a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.dr, 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.drString found in binary or memory: https://apis.google.com
    Source: a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.dr, 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.drString found in binary or memory: https://clients2.google.com
    Source: manifest.json1.0.drString found in binary or memory: https://clients2.google.com/service/update2/crx
    Source: a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.dr, 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.drString found in binary or memory: https://clients2.googleusercontent.com
    Source: a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.drString found in binary or memory: https://content-autofill.googleapis.com
    Source: manifest.json0.0.drString found in binary or memory: https://content.googleapis.com
    Source: Reporting and NEL.2.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/downloads-lorry
    Source: 1c36e4712c078b87_0.0.drString found in binary or memory: https://developers.google.com/recaptcha/docs/faq#are-there-any-qps-or-daily-limits-on-my-use-of-reca
    Source: 1c36e4712c078b87_0.0.drString found in binary or memory: https://developers.google.com/recaptcha/docs/faq#my-computer-or-network-may-be-sending-automated-que
    Source: 36551c3b-7e77-4e7d-8f10-70a0969c19f6.tmp.2.dr, a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.dr, 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.dr, 75ff1d10-9ace-40ff-8d36-0f7a88dfa848.tmp.2.drString found in binary or memory: https://dns.google
    Source: manifest.json0.0.drString found in binary or memory: https://feedback.googleusercontent.com
    Source: 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.drString found in binary or memory: https://fonts.googleapis.com
    Source: manifest.json0.0.drString found in binary or memory: https://fonts.googleapis.com;
    Source: a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.dr, 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.drString found in binary or memory: https://fonts.gstatic.com
    Source: manifest.json0.0.drString found in binary or memory: https://fonts.gstatic.com;
    Source: 8e2e4561ce876411_0.0.drString found in binary or memory: https://google.com/
    Source: manifest.json0.0.drString found in binary or memory: https://hangouts.google.com/
    Source: a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.dr, 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.drString found in binary or memory: https://ogs.google.com
    Source: manifest.json1.0.drString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
    Source: a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.dr, 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.drString found in binary or memory: https://play.google.com
    Source: 1c36e4712c078b87_0.0.drString found in binary or memory: https://play.google.com/log?format=json&hasfast=true
    Source: a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.drString found in binary or memory: https://r2---sn-h0jeener.gvt1.com
    Source: a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.drString found in binary or memory: https://redirector.gvt1.com
    Source: manifest.json1.0.drString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
    Source: a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.dr, 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.drString found in binary or memory: https://ssl.gstatic.com
    Source: messages.json41.0.drString found in binary or memory: https://support.google.com/chromecast/answer/2998456
    Source: messages.json41.0.drString found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
    Source: 1c36e4712c078b87_0.0.drString found in binary or memory: https://support.google.com/recaptcha
    Source: 1c36e4712c078b87_0.0.drString found in binary or memory: https://support.google.com/recaptcha#6262736
    Source: 1c36e4712c078b87_0.0.drString found in binary or memory: https://support.google.com/recaptcha/#6175971
    Source: 1c36e4712c078b87_0.0.drString found in binary or memory: https://support.google.com/recaptcha/?hl=en#6223828
    Source: 000003.log5.0.dr, Current Session.0.dr, manifest.json0.0.dr, a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.dr, 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.drString found in binary or memory: https://www.google.com
    Source: QuotaManager.0.dr, 000003.log0.0.drString found in binary or memory: https://www.google.com/
    Source: QuotaManager.0.drString found in binary or memory: https://www.google.com//&M
    Source: 1c36e4712c078b87_0.0.drString found in binary or memory: https://www.google.com/log?format=json&hasfast=true
    Source: 1c36e4712c078b87_0.0.drString found in binary or memory: https://www.google.com/recaptcha/api2/
    Source: Current Session.0.drString found in binary or memory: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6Ldy1KEbAAAAAD62_S30p43Ix4MCrtTeHW9p7edM&co=aHR0
    Source: Current Session.0.drString found in binary or memory: https://www.google.com/recaptcha/api2/bframe?hl=en&v=vzAt61JclNZYHl6fEWIBqLbe&k=6Ldy1KEbAAAAAD62_S30
    Source: manifest.json0.0.drString found in binary or memory: https://www.google.com;
    Source: Current Session.0.drString found in binary or memory: https://www.google.comh
    Source: a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.dr, 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.drString found in binary or memory: https://www.googleapis.com
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/clouddevices
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/hangouts
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/meetings
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/sierra
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/userinfo.email
    Source: a4c7b28f-062a-47cb-8bf3-049f70c324ce.tmp.2.dr, 1e6acc8c-cdf8-4207-980c-ccbe9841a06b.tmp.2.drString found in binary or memory: https://www.gstatic.com
    Source: 6e7e5900b9b0660b_0.0.drString found in binary or memory: https://www.gstatic.com/recaptcha/releases/vzAt61JclNZYHl6fEWIBqLbe/recaptcha__en.js
    Source: 1c36e4712c078b87_0.0.drString found in binary or memory: https://www.gstatic.com/recaptcha/releases/vzAt61JclNZYHl6fEWIBqLbe/recaptcha__en.jsa
    Source: 1c36e4712c078b87_0.0.drString found in binary or memory: https://www.gstatic.com/recaptcha/releases/vzAt61JclNZYHl6fEWIBqLbe/recaptcha__en.jsaD
    Source: manifest.json0.0.drString found in binary or memory: https://www.gstatic.com;
    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
    Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
    Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
    Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
    Source: classification engineClassification label: mal48.phis.winHTML@44/243@6/12
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-60F987F6-13A4.pmaJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Temp\09aedfaa-844a-4b09-b7f2-67bd54886fdc.tmpJump to behavior
    Source: QuotaManager.0.drBinary or memory string: CREATE TABLE HostQuotaTable(host TEXT NOT NULL, type INTEGER NOT NULL, quota INTEGER DEFAULT 0, UNIQUE(host, type));
    Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'C:\Users\user\Desktop\Westernunionreceipt711 ___vaw.html'
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,9784536074538328282,17911257635406631719,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1716 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,9784536074538328282,17911257635406631719,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1716 /prefetch:8Jump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdicJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading3OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.