Windows Analysis Report TxIDbatch#7809.htm

Overview

General Information

Sample Name: TxIDbatch#7809.htm
Analysis ID: 528697
MD5: 63dbe77cf39e42cc607165db7cedc6a4
SHA1: ac52012b1950f33530d9049cfc97823014c1937a
SHA256: d931d00f6f66f7e6fdfcfb85129c905b2488f2b41dac3eeca75f463109831831

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Misleading page title found
Yara detected HtmlPhish10
HTML document with suspicious title
Phishing site detected (based on logo template match)
Non-HTTPS page querying sensitive user data (password, username or email)
No HTML title found
HTML body contains low number of good links
Invalid T&C link found
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 5816 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\TxIDbatch#7809.htm" MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 1624 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,1339798014619223461,1528903278145705779,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1924 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


Phishing:

Misleading page title found
Source: file:///C:/Users/user/Desktop/TxIDbatch%237809.htm#garth.brooks@tetratech.com | Page Title: Microsoft | Login
Yara detected HtmlPhish10
Source: Yara match | File source: 89955.0.pages.csv, type: HTML
Phishing site detected (based on logo template match)
Source: file:///C:/Users/user/Desktop/TxIDbatch%237809.htm#garth.brooks@tetratech.com | Matcher: Template: microsoft matched
Source: file:///C:/Users/user/Desktop/TxIDbatch%237809.htm#garth.brooks@tetratech.com | HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/TxIDbatch%237809.htm#garth.brooks@tetratech.com | HTTP Parser: HTML title missing
Source: file:///C:/Users/user/Desktop/TxIDbatch%237809.htm#garth.brooks@tetratech.com | HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/TxIDbatch%237809.htm#garth.brooks@tetratech.com | HTTP Parser: Invalid link: Privacy statement
Source: file:///C:/Users/user/Desktop/TxIDbatch%237809.htm#garth.brooks@tetratech.com | HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/TxIDbatch%237809.htm#garth.brooks@tetratech.com | HTTP Parser: No <meta name="copyright".. found
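The HTTP Parser lines above are static checks on the lure's markup: the rendered title spoofs a brand while the markup has no <title>, the page asks for an e-mail and password from a file:// URL, it has no real links, its "Privacy statement" link goes nowhere, the usual meta tags are absent, and the victim's address rides in the URL fragment. As an added example that is not part of this report or of Joe Sandbox, the Python below re-implements those checks with only the standard library and runs them on a constructed lure that reproduces the report's findings (the real file's markup is not on this page; only the report's page URL and the favicon and background-image URLs seen in Chrome's cache are reused). The brand word list, the good-link threshold, and the document.title / location.hash checks are assumptions about how such kits usually behave, not facts taken from the report.

```python
"""Static phishing heuristics over an HTML lure, modelled on the checks this report lists.
Added example, not Joe Sandbox code. Thresholds and the sample lure are assumptions/constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
BRAND_WORDS = ("microsoft", "office 365", "outlook", "onedrive")  # assumed brand list
SENSITIVE_NAMES = ("password", "email", "user")                   # assumed field-name hints
MIN_GOOD_LINKS = 3                                                 # assumed threshold (report's page had 0)


class _Collector(HTMLParser):
    """Collect only what the heuristics need: <title>, <input>s, <a>s, <meta name>s, <script> bodies."""

    def __init__(self):
        super().__init__()
        self.title, self.inputs, self.links, self.scripts = "", [], [], []
        self.meta_names = set()
        self._in_title = self._in_script = False
        self._link = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "input":
            self.inputs.append(((a.get("type") or "text").lower(), (a.get("name") or "").lower()))
        elif tag == "a":
            self._link = [a.get("href"), ""]
        elif tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._link is not None:
            self.links.append((self._link[0], self._link[1].strip()))
            self._link = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        if self._link is not None:
            self._link[1] += data
        if self._in_script:
            self.scripts[-1] += data


def _dead(href):
    """A link that never leaves the page: missing, empty, '#' or a javascript: pseudo-URL."""
    h = (href or "").strip().lower()
    return h in ("", "#") or h.startswith("javascript:")


def analyze(html, page_url=""):
    """Return findings phrased like the report's signature lines."""
    c = _Collector()
    c.feed(html)
    c.close()
    hits = []
    title = c.title.strip()
    if not title:
        hits.append("HTML title missing")
        # A lure can omit <title> and set the caption from script; that is how a report
        # can show both "HTML title missing" and a brand-spoofing page title.
        m = re.search(r"""document\.title\s*=\s*["']([^"']+)["']""", "\n".join(c.scripts))
        title = m.group(1) if m else ""
    if any(b in title.lower() for b in BRAND_WORDS):
        hits.append("Misleading page title: %r" % title)
    asks_secret = any(t == "password" or any(s in n for s in SENSITIVE_NAMES) for t, n in c.inputs)
    if asks_secret:
        hits.append("Has password / email / username input fields")
        scheme = urlsplit(page_url).scheme.lower()
        if scheme and scheme != "https":
            hits.append("Non-HTTPS page querying sensitive user data (scheme=%s)" % scheme)
    good = [h for h, _ in c.links if not _dead(h)]
    if len(good) < MIN_GOOD_LINKS:
        hits.append("Number of links: %d" % len(good))
    for href, text in c.links:
        if _dead(href) and re.search(r"privacy|terms|conditions", text, re.I):
            hits.append("Invalid link: %s" % text)
    for name in ("author", "copyright"):
        if name not in c.meta_names:
            hits.append('No <meta name="%s".. found' % name)
    frag = unquote(urlsplit(page_url).fragment)
    if EMAIL_RE.match(frag):
        hits.append("Target e-mail carried in URL fragment")
        if any("location.hash" in s for s in c.scripts):
            hits.append("Script reads location.hash (pre-fills the e-mail field)")
    return hits


# Constructed lure reproducing the report's findings; the real file's markup is not on this page.
SAMPLE_LURE = """<html><head>
<link rel="icon" href="https://aadcdn.msauth.net/ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico">
</head><body style="background:url(https://todosec.org/images/bg.jpg)">
<form method="post" action="">
<input type="email" name="email" id="email"><input type="password" name="password">
<button type="submit">Sign in</button></form>
<a href="#">Privacy statement</a>
<script>
document.title = "Microsoft | Login";
document.getElementById("email").value = decodeURIComponent(location.hash.substring(1));
</script></body></html>"""
REPORT_URL = "file:///C:/Users/user/Desktop/TxIDbatch%237809.htm#garth.brooks@tetratech.com"

if __name__ == "__main__":
    for line in analyze(SAMPLE_LURE, REPORT_URL):
        print(line)
```

To run it on the actual sample, read the .htm from disk and pass the URL the browser opened it with (`file:///` plus the path and the `#address` fragment) as `page_url`; the fragment check is what turns a generic login template into evidence of a targeted lure.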
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\5816_651979994\LICENSE.txt
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: Joe Sandbox View | IP Address: 104.18.11.207
Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: Joe Sandbox View | IP Address: 104.21.78.148
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Note on the sources below: the *.0.dr files (Ruleset Data, Filtering Rules, LICENSE.txt, angular.js, mirroring_hangouts.js, craw_window.js, pnacl_*, manifest.json*, messages.json*) are files Chrome itself writes on first run for its bundled component extensions, subresource filter and PNaCl toolchain; they are not content of the sample. The data_*.1.dr entries are Chrome's cache and are the only ones that show resources the lure actually referenced (the Microsoft favicon on aadcdn.msauth.net, jQuery/Popper/Bootstrap/Font Awesome from public CDNs, the Archivo font, and a background image on todosec.org).
Source: Ruleset Data.0.dr | String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Filtering Rules.0.dr, Ruleset Data.0.dr | String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
Source: Filtering Rules.0.dr | String found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)
Source: angular.js.0.dr | String found in binary or memory: http://angularjs.org
Source: angular.js.0.dr | String found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: pnacl_public_x86_64_pnacl_sz_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr | String found in binary or memory: http://llvm.org/):
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: Reporting and NEL.1.dr | String found in binary or memory: https://a.nel.cloudflare.com/report/v3?s=T%2FPpfK%2FWzjbIf90tUrmni3uuwhAJBOXK%2F8R2cytiPE1kkzs6dLNun
Source: Reporting and NEL.1.dr | String found in binary or memory: https://a.nel.cloudflare.com/report/v3?s=xZUq1LAIKOqlOyVtvplvkp0rzDK7ol5FAU5B2TESCEQKlSt0cR%2BzweXJj
Source: Reporting and NEL.1.dr | String found in binary or memory: https://a.nel.cloudflare.com/report/v3?s=zpixM%2BUGODgTIG9rptNTC0Z5IbmQK3gklBFTUGglBnblzPbSaHLXUmr4A
Source: data_1.1.dr | String found in binary or memory: https://aadcdn.msauth.net/ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico
Source: data_1.1.dr | String found in binary or memory: https://aadcdn.msauth.net/ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.icop
Source: 163f5da4-a1d3-49fb-8fcd-518441ee46bf.tmp.1.dr, manifest.json2.0.dr, ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://accounts.google.com
Source: craw_window.js.0.dr | String found in binary or memory: https://accounts.google.com/MergeSession
Source: ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://ajax.googleapis.com
Source: data_1.1.dr | String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: 163f5da4-a1d3-49fb-8fcd-518441ee46bf.tmp.1.dr, manifest.json2.0.dr, ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://apis.google.com
Source: data_1.1.dr | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: data_1.1.dr | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.jskf
Source: pnacl_public_x86_64_libcrt_platform_a.0.dr | String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_libcrt_platform_a.0.dr | String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: 163f5da4-a1d3-49fb-8fcd-518441ee46bf.tmp.1.dr, ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://clients2.google.com
Source: mirroring_hangouts.js.0.dr, mirroring_cast_streaming.js.0.dr | String found in binary or memory: https://clients2.google.com/cr/report
Source: manifest.json1.0.dr, manifest.json3.0.dr, manifest.json6.0.dr, manifest.json2.0.dr | String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 163f5da4-a1d3-49fb-8fcd-518441ee46bf.tmp.1.dr, ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://clients2.googleusercontent.com
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://clients6.google.com
Source: pnacl_public_x86_64_ld_nexe.0.dr | String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.0.dr | String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: data_1.1.dr | String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: data_1.1.dr | String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: data_1.1.dr | String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: manifest.json2.0.dr | String found in binary or memory: https://content.googleapis.com
Source: mirroring_cast_streaming.js.0.dr | String found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
Source: LICENSE.txt.0.dr | String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.0.dr | String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
Source: data_3.1.dr | String found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushers
Source: data_3.1.dr | String found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushersCross-Origin-Resource-Policy:
Source: Reporting and NEL.1.dr | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external
Source: data_3.1.dr | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers
Source: 163f5da4-a1d3-49fb-8fcd-518441ee46bf.tmp.1.dr, f4689082-390c-460f-9441-3655a1e9fca5.tmp.1.dr, fbe56958-8d69-4f25-b5ae-051dca5b4c18.tmp.1.dr, ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://dns.google
Source: LICENSE.txt.0.dr | String found in binary or memory: https://easylist.to/)
Source: manifest.json2.0.dr | String found in binary or memory: https://feedback.googleusercontent.com
Source: 163f5da4-a1d3-49fb-8fcd-518441ee46bf.tmp.1.dr, ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://fonts.googleapis.com
Source: data_1.1.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
Source: manifest.json2.0.dr | String found in binary or memory: https://fonts.googleapis.com;
Source: data_3.1.dr, ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://fonts.gstatic.com
Source: data_2.1.dr | String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v18/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6o3ms.woff2
Source: data_2.1.dr | String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v18/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6rHmsJCQ.wo
Source: data_2.1.dr | String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v18/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6rXmsJCQ.wo
Source: manifest.json2.0.dr | String found in binary or memory: https://fonts.gstatic.com;
Source: material_css_min.css.0.dr, angular.js.0.dr | String found in binary or memory: https://github.com/angular/material
Source: LICENSE.txt.0.dr | String found in binary or memory: https://github.com/easylist)
Source: craw_window.js.0.dr, craw_background.js.0.dr | String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://hangouts.clients6.google.com
Source: manifest.json2.0.dr | String found in binary or memory: https://hangouts.google.com/
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
Source: data_1.1.dr | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://meetings.clients6.google.com
Source: 163f5da4-a1d3-49fb-8fcd-518441ee46bf.tmp.1.dr, ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://ogs.google.com
Source: craw_window.js.0.dr, manifest.json3.0.dr | String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
Source: ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://r2---sn-4g5e6nz7.gvt1.com
Source: data_3.1.dr | String found in binary or memory: https://r2---sn-4g5e6nz7.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=84.17
Source: ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://redirector.gvt1.com
Source: data_1.1.dr | String found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
Source: data_1.1.dr | String found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdicM
Source: craw_window.js.0.dr, manifest.json3.0.dr | String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 163f5da4-a1d3-49fb-8fcd-518441ee46bf.tmp.1.dr, ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://ssl.gstatic.com
Source: messages.json15.0.dr, messages.json66.0.dr, messages.json5.0.dr, messages.json7.0.dr, messages.json37.0.dr, feedback.html.0.dr, messages.json23.0.dr, messages.json83.0.dr, messages.json82.0.dr, messages.json54.0.dr, messages.json39.0.dr, messages.json33.0.dr, messages.json35.0.dr, messages.json0.0.dr, messages.json85.0.dr, messages.json88.0.dr, messages.json14.0.dr, messages.json87.0.dr, messages.json18.0.dr, messages.json.0.dr, messages.json51.0.dr, messages.json36.0.dr, messages.json10.0.dr, messages.json9.0.dr, messages.json8.0.dr, messages.json2.0.dr, messages.json52.0.dr, messages.json55.0.dr, messages.json77.0.dr, messages.json11.0.dr, messages.json64.0.dr, messages.json6.0.dr, messages.json34.0.dr, messages.json1.0.dr, messages.json86.0.dr, messages.json22.0.dr, messages.json12.0.dr, messages.json4.0.dr, messages.json19.0.dr, messages.json40.0.dr, messages.json16.0.dr, messages.json65.0.dr, messages.json20.0.dr, messages.json17.0.dr, messages.json38.0.dr, messages.json3.0.dr, messages.json13.0.dr | String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json15.0.dr, messages.json66.0.dr, messages.json5.0.dr, messages.json7.0.dr, messages.json37.0.dr, feedback.html.0.dr, messages.json23.0.dr, messages.json83.0.dr, messages.json82.0.dr, messages.json54.0.dr, messages.json39.0.dr, messages.json33.0.dr, messages.json35.0.dr, messages.json0.0.dr, messages.json85.0.dr, messages.json88.0.dr, messages.json14.0.dr, messages.json87.0.dr, messages.json18.0.dr, messages.json.0.dr, messages.json51.0.dr, messages.json36.0.dr, messages.json10.0.dr, messages.json9.0.dr, messages.json8.0.dr, messages.json2.0.dr, messages.json52.0.dr, messages.json55.0.dr, messages.json77.0.dr, messages.json11.0.dr, messages.json64.0.dr, messages.json6.0.dr, messages.json34.0.dr, messages.json1.0.dr, messages.json86.0.dr, messages.json22.0.dr, messages.json12.0.dr, messages.json4.0.dr, messages.json19.0.dr, messages.json40.0.dr, messages.json16.0.dr, messages.json65.0.dr, messages.json20.0.dr, messages.json17.0.dr, messages.json38.0.dr, messages.json3.0.dr | String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: data_1.1.dr | String found in binary or memory: https://todosec.org/images/bg.jpg
Source: data_1.1.dr | String found in binary or memory: https://use.fontawesome.com/releases/v5.7.0/css/all.css
Source: data_1.1.dr | String found in binary or memory: https://use.fontawesome.com/releases/v5.7.0/webfonts/fa-solid-900.woff2
Source: craw_window.js.0.dr, craw_background.js.0.dr | String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: 163f5da4-a1d3-49fb-8fcd-518441ee46bf.tmp.1.dr, manifest.json2.0.dr, ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://www.google.com
Source: manifest.json3.0.dr | String found in binary or memory: https://www.google.com/
Source: craw_window.js.0.dr | String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.0.dr | String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.0.dr | String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.0.dr | String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.0.dr | String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: feedback_script.js.0.dr | String found in binary or memory: https://www.google.com/tools/feedback
Source: manifest.json2.0.dr | String found in binary or memory: https://www.google.com;
Source: 163f5da4-a1d3-49fb-8fcd-518441ee46bf.tmp.1.dr, craw_window.js.0.dr, craw_background.js.0.dr, ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://www.googleapis.com
Source: manifest.json3.0.dr | String found in binary or memory: https://www.googleapis.com/
Source: manifest.json2.0.dr | String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json2.0.dr | String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json3.0.dr | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json3.0.dr | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json2.0.dr | String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json2.0.dr | String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json2.0.dr | String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json2.0.dr | String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json2.0.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json3.0.dr | String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json3.0.dr | String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json2.0.dr | String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: 163f5da4-a1d3-49fb-8fcd-518441ee46bf.tmp.1.dr, ea0d8b59-cbbe-41cc-8c76-37c181f68e6a.tmp.1.dr | String found in binary or memory: https://www.gstatic.com
Source: manifest.json2.0.dr | String found in binary or memory: https://www.gstatic.com;
Source: unknown | HTTP traffic detected (this is Chrome's own signed-in-account check to accounts.google.com, sent with Origin https://www.google.com; it is browser background traffic, not a request made by the sample):
POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
Host: accounts.google.com
Connection: keep-alive
Content-Length: 1
Origin: https://www.google.com
Content-Type: application/x-www-form-urlencoded
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Source: unknown | DNS traffic detected: queries for: clients2.google.com
Source: global traffic