Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
IP VM_8976544568.xhtml

Overview

General Information

Sample Name:IP VM_8976544568.xhtml
Analysis ID:655277
MD5:804a9bfbd0b974b9fd8f6910d46e45ae
SHA1:74af42444e817841ef5a16ba9d055ca2f780c6f9
SHA256:ca479506434b4bef9656293b03211a5bf01e854c3dea6802c2b4b3f6ab273cfa
Infos:

Detection

HTMLPhisher
Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected HtmlPhish10
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware

Classification

  • System is w10x64
  • iexplore.exe (PID: 6284 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\IP VM_8976544568.xhtml MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6352 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6284 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
IP VM_8976544568.xhtmlJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security
    No Sigma rule has matched
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results

    Phishing

    barindex
    Source: Yara matchFile source: IP VM_8976544568.xhtml, type: SAMPLE
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
    Source: unknownHTTPS traffic detected: 151.101.12.193:443 -> 192.168.2.3:49731 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.12.193:443 -> 192.168.2.3:49730 version: TLS 1.2
    Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
    Source: Joe Sandbox ViewIP Address: 151.101.12.193 151.101.12.193
    Source: Joe Sandbox ViewIP Address: 151.101.12.193 151.101.12.193
    Source: unknownDNS traffic detected: queries for: i.imgur.com
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
    Source: global trafficHTTP traffic detected: GET /NQUpBi2.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: i.imgur.comConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /Jm3Kimw.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: i.imgur.comConnection: Keep-Alive
    Source: msapplication.xml0.0.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xeb30d7ec,0x01d88cfd</date><accdate>0xeb654bc9,0x01d88cfd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
    Source: msapplication.xml5.0.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xece9ebda,0x01d88cfd</date><accdate>0xed08e9b3,0x01d88cfd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
    Source: msapplication.xml7.0.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xed93318e,0x01d88cfd</date><accdate>0xedafce31,0x01d88cfd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
    Source: msapplication.xml.0.drString found in binary or memory: http://www.amazon.com/
    Source: msapplication.xml1.0.drString found in binary or memory: http://www.google.com/
    Source: msapplication.xml2.0.drString found in binary or memory: http://www.live.com/
    Source: msapplication.xml3.0.drString found in binary or memory: http://www.nytimes.com/
    Source: msapplication.xml4.0.drString found in binary or memory: http://www.reddit.com/
    Source: msapplication.xml5.0.drString found in binary or memory: http://www.twitter.com/
    Source: msapplication.xml6.0.drString found in binary or memory: http://www.wikipedia.com/
    Source: msapplication.xml7.0.drString found in binary or memory: http://www.youtube.com/
    Source: IP VM_8976544568.xhtmlString found in binary or memory: https://i.imgur.com/Jm3Kimw.png
    Source: IP VM_8976544568.xhtmlString found in binary or memory: https://i.imgur.com/NQUpBi2.png
    Source: unknownHTTPS traffic detected: 151.101.12.193:443 -> 192.168.2.3:49731 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.12.193:443 -> 192.168.2.3:49730 version: TLS 1.2
    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFFAC2EA9305FB7CF9.TMPJump to behavior
    Source: classification engineClassification label: mal48.phis.winXHTML@3/11@1/2
    Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\IP VM_8976544568.xhtml
    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6284 CREDAT:17410 /prefetch:2
    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6284 CREDAT:17410 /prefetch:2Jump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath Interception1
    Process Injection
    1
    Masquerading
    OS Credential Dumping1
    File and Directory Discovery
    Remote ServicesData from Local SystemExfiltration Over Other Network Medium1
    Encrypted Channel
    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
    Process Injection
    LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth2
    Non-Application Layer Protocol
    Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration3
    Application Layer Protocol
    Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled Transfer1
    Ingress Tool Transfer
    SIM Card SwapCarrier Billing Fraud
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 655277