Click to jump to signature section
| Source: Yara match | File source: IP VM_8976544568.xhtml, type: SAMPLE |
| Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll | Jump to behavior |
| Source: unknown | HTTPS traffic detected: 151.101.12.193:443 -> 192.168.2.3:49731 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 151.101.12.193:443 -> 192.168.2.3:49730 version: TLS 1.2 |
| Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c |
| Source: Joe Sandbox View | IP Address: 151.101.12.193 151.101.12.193 |
| Source: Joe Sandbox View | IP Address: 151.101.12.193 151.101.12.193 |
| Source: unknown | DNS traffic detected: queries for: i.imgur.com |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443 |
| Source: global traffic | HTTP traffic detected: GET /NQUpBi2.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: i.imgur.comConnection: Keep-Alive |
| Source: global traffic | HTTP traffic detected: GET /Jm3Kimw.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: i.imgur.comConnection: Keep-Alive |
| Source: msapplication.xml0.0.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xeb30d7ec,0x01d88cfd</date><accdate>0xeb654bc9,0x01d88cfd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
| Source: msapplication.xml5.0.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xece9ebda,0x01d88cfd</date><accdate>0xed08e9b3,0x01d88cfd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
| Source: msapplication.xml7.0.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xed93318e,0x01d88cfd</date><accdate>0xedafce31,0x01d88cfd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
| Source: msapplication.xml.0.dr | String found in binary or memory: http://www.amazon.com/ |
| Source: msapplication.xml1.0.dr | String found in binary or memory: http://www.google.com/ |
| Source: msapplication.xml2.0.dr | String found in binary or memory: http://www.live.com/ |
| Source: msapplication.xml3.0.dr | String found in binary or memory: http://www.nytimes.com/ |
| Source: msapplication.xml4.0.dr | String found in binary or memory: http://www.reddit.com/ |
| Source: msapplication.xml5.0.dr | String found in binary or memory: http://www.twitter.com/ |
| Source: msapplication.xml6.0.dr | String found in binary or memory: http://www.wikipedia.com/ |
| Source: msapplication.xml7.0.dr | String found in binary or memory: http://www.youtube.com/ |
| Source: IP VM_8976544568.xhtml | String found in binary or memory: https://i.imgur.com/Jm3Kimw.png |
| Source: IP VM_8976544568.xhtml | String found in binary or memory: https://i.imgur.com/NQUpBi2.png |
| Source: unknown | HTTPS traffic detected: 151.101.12.193:443 -> 192.168.2.3:49731 version: TLS 1.2 |
| Source: unknown | HTTPS traffic detected: 151.101.12.193:443 -> 192.168.2.3:49730 version: TLS 1.2 |
| Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFFAC2EA9305FB7CF9.TMP | Jump to behavior |
| Source: classification engine | Classification label: mal48.phis.winXHTML@3/11@1/2 |
| Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\IP VM_8976544568.xhtml | |
| Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6284 CREDAT:17410 /prefetch:2 | |
| Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6284 CREDAT:17410 /prefetch:2 | Jump to behavior |
| Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini | Jump to behavior |
| Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High | Jump to behavior |
| Source: Window Recorder | Window detected: More than 3 window changes detected |
| Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll | Jump to behavior |
Edit tour
iexplore.exe (PID: 6284 cmdline: 
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet