
Windows Analysis Report
ATT00053210.htm

Overview

General Information

Sample Name: ATT00053210.htm
Analysis ID: 617931
MD5: aedd647ef0001c606b42212abf5b8092
SHA1: 77e8f3fc2d3a283e469bd2feacaa6b8f5f8bd176
SHA256: eac1f4278517c23c704089a51d14798896229b3b55d2cab7403f93687ed13920
Infos:

Detection

Captcha Phish Phisher
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Phisher
Yara detected Captcha Phish
IP address seen in connection with other malware

Classification

  • System is w10x64
  • chrome.exe (PID: 7096 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "C:\Users\user\Desktop\ATT00053210.htm MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 4656 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,1685520055285512714,4439271110268370502,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1588 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
ATT00053210.htm | JoeSecurity_Phisher_3 | Yara detected Phisher | Joe Security |
ATT00053210.htm | JoeSecurity_Phisher_2 | Yara detected Phisher | Joe Security |
27858.1.pages.csv | JoeSecurity_CaptchaPhish_1 | Yara detected Captcha Phish | Joe Security |
27858.1.pages.csv | JoeSecurity_CaptchaPhish | Yara detected Captcha Phish | Joe Security |
No Sigma rule has matched
No Snort rule has matched


          Phishing

Source: Yara match | File source: ATT00053210.htm, type: SAMPLE
Source: Yara match | File source: 27858.1.pages.csv, type: HTML
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\7096_321821255\LICENSE.txt
Source: Joe Sandbox View | IP Address: 104.18.11.207
Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: unknown | DNS traffic detected: queries for: vde-et.online
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: global traffic | HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
    Host: clients2.google.com
    Connection: keep-alive
    X-Goog-Update-Interactivity: fg
    X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm
    X-Goog-Update-Updater: chromecrx-85.0.4183.121
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /1/3/?e=jlopez@hispasat.es HTTP/1.1
    Host: vde-et.online
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /1/3/main/ HTTP/1.1
    Host: vde-et.online
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=ecii7iknfibsff25p30art55k3
Source: global traffic | HTTP traffic detected: GET /bootstrap/4.3.1/css/bootstrap.min.css HTTP/1.1
    Host: stackpath.bootstrapcdn.com
    Connection: keep-alive
    Origin: https://vde-et.online
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: text/css,*/*;q=0.1
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: style
    Referer: https://vde-et.online/1/3/main/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /recaptcha/api.js HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Referer: https://vde-et.online/1/3/main/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2 HTTP/1.1
    Host: fonts.gstatic.com
    Connection: keep-alive
    Origin: https://www.google.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: font
    Referer: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LcCaLAeAAAAAN5PIvMlMs5oPfhUj3ysjjq3oKIk&co=aHR0cHM6Ly92ZGUtZXQub25saW5lOjQ0Mw..&hl=en&v=2W_gRz39xX8G13fM-OdyQPlc&size=normal&cb=a95eoj491nmw
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1
    Host: vde-et.online
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Referer: https://vde-et.online/1/3/main/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=ecii7iknfibsff25p30art55k3
Source: global traffic | HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1
    Host: clients2.googleusercontent.com
    Connection: keep-alive
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: Ruleset Data.0.dr | String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Filtering Rules.0.dr, Ruleset Data.0.dr | String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
Source: Filtering Rules.0.dr | String found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Date: Fri, 29 Apr 2022 12:15:23 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: angular.js.0.dr | String found in binary or memory: http://angularjs.org
Source: angular.js.0.dr | String found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: pnacl_public_x86_64_pnacl_sz_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr | String found in binary or memory: http://llvm.org/):
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: b23aa838-3274-4631-8789-9ae7e0b2cb82.tmp.1.dr, 76fae4a0-8741-4342-8edf-cf0220c0dfb7.tmp.1.dr, manifest.json.0.dr | String found in binary or memory: https://accounts.google.com
Source: craw_window.js.0.dr | String found in binary or memory: https://accounts.google.com/MergeSession
Source: b23aa838-3274-4631-8789-9ae7e0b2cb82.tmp.1.dr, 76fae4a0-8741-4342-8edf-cf0220c0dfb7.tmp.1.dr, manifest.json.0.dr | String found in binary or memory: https://apis.google.com
Source: pnacl_public_x86_64_crtend_o.0.dr, pnacl_public_x86_64_ld_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr | String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_crtend_o.0.dr, pnacl_public_x86_64_ld_nexe.0.dr, pnacl_public_x86_64_pnacl_llc_nexe.0.dr | String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: b23aa838-3274-4631-8789-9ae7e0b2cb82.tmp.1.dr, 76fae4a0-8741-4342-8edf-cf0220c0dfb7.tmp.1.dr | String found in binary or memory: https://clients2.google.com
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://clients2.google.com/cr/report
Source: manifest.json1.0.dr, manifest.json3.0.dr, manifest.json.0.dr | String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: b23aa838-3274-4631-8789-9ae7e0b2cb82.tmp.1.dr, 76fae4a0-8741-4342-8edf-cf0220c0dfb7.tmp.1.dr | String found in binary or memory: https://clients2.googleusercontent.com
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://clients6.google.com
Source: pnacl_public_x86_64_ld_nexe.0.dr | String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.0.dr | String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: 76fae4a0-8741-4342-8edf-cf0220c0dfb7.tmp.1.dr | String found in binary or memory: https://content-autofill.googleapis.com
Source: manifest.json.0.dr | String found in binary or memory: https://content.googleapis.com
Source: LICENSE.txt.0.dr | String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.0.dr | String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
Source: b23aa838-3274-4631-8789-9ae7e0b2cb82.tmp.1.dr, f46573d3-6dd1-4f2e-a529-5d290c5bf902.tmp.1.dr, d3b2d623-59d4-410c-8dbb-51965d2a262c.tmp.1.dr, 76fae4a0-8741-4342-8edf-cf0220c0dfb7.tmp.1.dr | String found in binary or memory: https://dns.google
Source: LICENSE.txt.0.dr | String found in binary or memory: https://easylist.to/)
Source: manifest.json.0.dr | String found in binary or memory: https://feedback.googleusercontent.com
Source: b23aa838-3274-4631-8789-9ae7e0b2cb82.tmp.1.dr, 76fae4a0-8741-4342-8edf-cf0220c0dfb7.tmp.1.dr | String found in binary or memory: https://fonts.googleapis.com
Source: manifest.json.0.dr | String found in binary or memory: https://fonts.googleapis.com;
Source: b23aa838-3274-4631-8789-9ae7e0b2cb82.tmp.1.dr, 76fae4a0-8741-4342-8edf-cf0220c0dfb7.tmp.1.dr | String found in binary or memory: https://fonts.gstatic.com
Source: manifest.json.0.dr | String found in binary or memory: https://fonts.gstatic.com;
Source: material_css_min.css.0.dr, angular.js.0.dr | String found in binary or memory: https://github.com/angular/material
Source: LICENSE.txt.0.dr | String found in binary or memory: https://github.com/easylist)
Source: craw_window.js.0.dr, craw_background.js.0.dr | String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
Source: mirroring_hangouts.js.0.dr | String found in binary or memory: https://hangouts.clients6.google.com
Source: manifest.json.0.dr | String found in binary or memory: https://hangouts.google.com/
Source: mirroring_hang