Loading ...

Play interactive tourEdit tour

Windows Analysis Report V-M RTAmpcapital5EG1-TGQO2F-IOC8.htm

Overview

General Information

Sample Name:V-M RTAmpcapital5EG1-TGQO2F-IOC8.htm
Analysis ID:528475
MD5:b15f20ad4752ada34f656225c8ec9e00
SHA1:de2256499ceac7b8ff0023c618ff5d79131fd6a7
SHA256:f01981448b850021d3e8db0ec024063cf992b165b51f15fc9c2616a25bbde9bb
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected HtmlPhish44
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 6528 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\V-M RTAmpcapital5EG1-TGQO2F-IOC8.htm MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6920 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,11364372945621033108,14293702249197190821,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1932 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
V-M RTAmpcapital5EG1-TGQO2F-IOC8.htmJoeSecurity_HtmlPhish_44Yara detected HtmlPhish_44Joe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    Phishing:

    barindex
    Yara detected HtmlPhish44Show sources
    Source: Yara matchFile source: V-M RTAmpcapital5EG1-TGQO2F-IOC8.htm, type: SAMPLE
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdicJump to behavior
    Source: Joe Sandbox ViewIP Address: 104.18.10.207 104.18.10.207
    Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
    Source: unknownDNS traffic detected: queries for: clients2.google.com
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
    Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
    Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
    Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
    Source: global trafficHTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /bootstrap/4.0.0/css/bootstrap.min.css HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-aliveOrigin: nullUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /bootstrap/4.0.0/js/bootstrap.min.js HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-aliveOrigin: nullUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /ajax/libs/popper.js/1.12.9/umd/popper.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveOrigin: nullUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /ests/2.1/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico HTTP/1.1Host: aadcdn.msftauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: Reporting and NEL.8.drString found in binary or memory: https://a.nel.cloudflare.com/report/v3?s=eVTOMIPjK6xJYEGnCRBvWaIG5r7LD61WaVxIhYhCjK%2Bf6Mr2EjneAH2HG
    Source: Reporting and NEL.8.drString found in binary or memory: https://a.nel.cloudflare.com/report/v3?s=kSrCFXl6Ev5gR6DXUZvYwp97QLx%2BeH%2BfGud7jbFuu0M3BpK6A3YiK2W
    Source: data_1.8.drString found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.s
    Source: Favicons.3.dr, data_1.8.drString found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico
    Source: data_1.8.drString found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.
    Source: bbd0fc60-3f58-4ccf-8445-7017e37fbcb0.tmp.8.dr, 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://accounts.google.com
    Source: 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://ajax.googleapis.com
    Source: data_1.8.drString found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
    Source: bbd0fc60-3f58-4ccf-8445-7017e37fbcb0.tmp.8.dr, 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://apis.google.com
    Source: data_1.8.drString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
    Source: data_1.8.drString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.jskf
    Source: bbd0fc60-3f58-4ccf-8445-7017e37fbcb0.tmp.8.dr, 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://clients2.google.com
    Source: bbd0fc60-3f58-4ccf-8445-7017e37fbcb0.tmp.8.dr, 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://clients2.googleusercontent.com
    Source: data_1.8.drString found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
    Source: data_1.8.drString found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
    Source: data_1.8.drString found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
    Source: data_1.8.drString found in binary or memory: https://code.jquery.com/jquery-3.3.1.js&
    Source: data_3.8.drString found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushers
    Source: data_3.8.drString found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushersCross-Origin-Resource-Policy:
    Source: data_3.8.dr, Reporting and NEL.8.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers
    Source: bbd0fc60-3f58-4ccf-8445-7017e37fbcb0.tmp.8.dr, 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.dr, 82607a3f-5cb0-46f1-9026-71b61e2079e0.tmp.8.drString found in binary or memory: https://dns.google
    Source: bbd0fc60-3f58-4ccf-8445-7017e37fbcb0.tmp.8.dr, 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://fonts.googleapis.com
    Source: data_1.8.drString found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
    Source: data_3.8.drString found in binary or memory: https://fonts.gstatic.com
    Source: data_2.8.drString found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v18/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6o3ms.woff2
    Source: data_2.8.drString found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v18/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6rHmsJCQ.wo
    Source: data_2.8.drString found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v18/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6rXmsJCQ.wo
    Source: data_1.8.drString found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
    Source: data_1.8.drString found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
    Source: data_1.8.drString found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.jsK
    Source: bbd0fc60-3f58-4ccf-8445-7017e37fbcb0.tmp.8.dr, 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://ogs.google.com
    Source: bbd0fc60-3f58-4ccf-8445-7017e37fbcb0.tmp.8.dr, 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://play.google.com
    Source: 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://r2---sn-4g5e6nz7.gvt1.com
    Source: data_1.8.drString found in binary or memory: https://r2---sn-4g5e6nz7.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=84.17
    Source: 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://redirector.gvt1.com
    Source: data_1.8.drString found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
    Source: bbd0fc60-3f58-4ccf-8445-7017e37fbcb0.tmp.8.dr, 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://ssl.gstatic.com
    Source: data_1.8.drString found in binary or memory: https://use.fontawesome.com/releases/v5.7.0/css/all.css
    Source: bbd0fc60-3f58-4ccf-8445-7017e37fbcb0.tmp.8.dr, 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://www.google.com
    Source: bbd0fc60-3f58-4ccf-8445-7017e37fbcb0.tmp.8.dr, 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://www.googleapis.com
    Source: bbd0fc60-3f58-4ccf-8445-7017e37fbcb0.tmp.8.dr, 13433158-ce67-4910-9c59-c8de94460c90.tmp.8.drString found in binary or memory: https://www.gstatic.com
    Source: unknownHTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Temp\chrome_BITS_6528_1532826858Jump to behavior
    Source: classification engineClassification label: mal48.phis.winHTM@12/83@8/9
    Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\V-M RTAmpcapital5EG1-TGQO2F-IOC8.htm
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,11364372945621033108,14293702249197190821,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1932 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,11364372945621033108,14293702249197190821,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1932 /prefetch:8Jump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-619FDCD6-1980.pmaJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeAutomated click: Next
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeAutomated click: Next
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdicJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading3OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol4Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferIngress Tool Transfer1SIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.