
Windows Analysis Report randy_woodruff Fax Message.htm

Overview

General Information

Sample Name: randy_woodruff Fax Message.htm
Analysis ID: 553256
MD5: d89fbcd63c9ded18f9070803e92b7143
SHA1: dff65138ac6eb6cbc03e310daab40811810c5e2b
SHA256: d9aa405bd6f9e3038aa1b41beb99b91cab663c27ca93665402d8e11db4f22ca4
Most interesting Screenshot:

Detection

HTMLPhisher
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish10
Yara detected HtmlPhish6
Yara detected HtmlPhish44
Contains strings related to BOT control commands
None HTTPS page querying sensitive user data (password, username or email)
No HTML title found
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 5116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\randy_woodruff Fax Message.htm" MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 3180 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,2187988796033575539,14428119858466154277,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1936 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source                           Rule                       Description                  Author         Strings
randy_woodruff Fax Message.htm   JoeSecurity_HtmlPhish_44   Yara detected HtmlPhish_44   Joe Security
randy_woodruff Fax Message.htm   JoeSecurity_HtmlPhish_6    Yara detected HtmlPhish_6    Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Phishing:

Yara detected HtmlPhish10
Source: Yara match | File source: 98010.0.pages.csv, type: HTML
Yara detected HtmlPhish6
Source: Yara match | File source: randy_woodruff Fax Message.htm, type: SAMPLE
Source: Yara match | File source: 98010.0.pages.csv, type: HTML
Yara detected HtmlPhish44
Source: Yara match | File source: randy_woodruff Fax Message.htm, type: SAMPLE
Source: file:///C:/Users/user/Desktop/randy_woodruff%20Fax%20Message.htm#cmd=login_submit&id=512862308.338633&session=487f7b22f68312d2c1bbc93b1aea445b487f7b22f68312d2c1bbc93b1aea445b | HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/randy_woodruff%20Fax%20Message.htm#cmd=login_submit&id=512862308.338633&session=487f7b22f68312d2c1bbc93b1aea445b487f7b22f68312d2c1bbc93b1aea445b | HTTP Parser: HTML title missing
Source: file:///C:/Users/user/Desktop/randy_woodruff%20Fax%20Message.htm#cmd=login_submit&id=512862308.338633&session=487f7b22f68312d2c1bbc93b1aea445b487f7b22f68312d2c1bbc93b1aea445b | HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/randy_woodruff%20Fax%20Message.htm#cmd=login_submit&id=512862308.338633&session=487f7b22f68312d2c1bbc93b1aea445b487f7b22f68312d2c1bbc93b1aea445b | HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\5116_945906207\LICENSE.txt
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: unknown | HTTPS traffic detected: 80.67.82.83:443 -> 192.168.2.6:49777 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.41.23:443 -> 192.168.2.6:49778 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.85:443 -> 192.168.2.6:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.164:443 -> 192.168.2.6:49780 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.50.102.62:443 -> 192.168.2.6:49805 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.50.102.62:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.199.120.182:443 -> 192.168.2.6:49812 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.199.120.182:443 -> 192.168.2.6:49816 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 80.67.82.235:443 -> 192.168.2.6:49819 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.199.120.182:443 -> 192.168.2.6:49820 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.91.112.76:443 -> 192.168.2.6:49829 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.199.120.151:443 -> 192.168.2.6:49830 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.91.112.76:443 -> 192.168.2.6:49831 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.6:49833 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.6:49834 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.6:49835 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.6:49836 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.54.110.249:443 -> 192.168.2.6:49838 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.112.88.60:443 -> 192.168.2.6:49839 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.211.4.86:443 -> 192.168.2.6:49860 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 80.67.82.211:443 -> 192.168.2.6:49867 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 80.67.82.211:443 -> 192.168.2.6:49868 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 80.67.82.211:443 -> 192.168.2.6:49866 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 80.67.82.211:443 -> 192.168.2.6:49869 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.199.120.182:443 -> 192.168.2.6:49876 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.199.120.182:443 -> 192.168.2.6:49887 version: TLS 1.2
Source: Joe Sandbox View | JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View | IP Address: 80.67.82.83
Source: Joe Sandbox View | IP Address: 104.18.10.207
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown