Windows Analysis Report
IP VM_8976544568.xhtml

Overview

General Information

Sample Name: IP VM_8976544568.xhtml
Analysis ID: 655277
MD5: 804a9bfbd0b974b9fd8f6910d46e45ae
SHA1: 74af42444e817841ef5a16ba9d055ca2f780c6f9
SHA256: ca479506434b4bef9656293b03211a5bf01e854c3dea6802c2b4b3f6ab273cfa

Detection

HTMLPhisher
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish10
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware

Classification

Phishing

Source: Yara match File source: IP VM_8976544568.xhtml, type: SAMPLE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 151.101.12.193:443 -> 192.168.2.3:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.12.193:443 -> 192.168.2.3:49730 version: TLS 1.2
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View IP Address: 151.101.12.193 151.101.12.193
Source: unknown DNS traffic detected: queries for: i.imgur.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: global traffic HTTP traffic detected: GET /NQUpBi2.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: i.imgur.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Jm3Kimw.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: i.imgur.comConnection: Keep-Alive
Source: msapplication.xml0.0.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xeb30d7ec,0x01d88cfd</date><accdate>0xeb654bc9,0x01d88cfd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.0.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xece9ebda,0x01d88cfd</date><accdate>0xed08e9b3,0x01d88cfd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.0.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xed93318e,0x01d88cfd</date><accdate>0xedafce31,0x01d88cfd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml.0.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.0.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.0.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.0.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.0.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.0.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.0.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.0.dr String found in binary or memory: http://www.youtube.com/
Source: IP VM_8976544568.xhtml String found in binary or memory: https://i.imgur.com/Jm3Kimw.png
Source: IP VM_8976544568.xhtml String found in binary or memory: https://i.imgur.com/NQUpBi2.png
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFFAC2EA9305FB7CF9.TMP
Source: classification engine Classification label: mal48.phis.winXHTML@3/11@1/2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\IP VM_8976544568.xhtml
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6284 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: Window Recorder Window detected: More than 3 window changes detected