Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Remittance.html

Overview

General Information

Sample Name:Remittance.html
Analysis ID:756206
MD5:2e6a26923a22e7c63a143e11227d4161
SHA1:8f6857398dfe794b8853efc9e02d57b12a0b3da5
SHA256:6ff75a1daf291abf72a3be2bb5034b0b0002ed90f7ea9c40ea84b66151fdae7e
Infos:

Detection

Captcha Phish, HTMLPhisher
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Phishing site detected (based on favicon image match)
Yara detected HtmlPhish10
Yara detected Captcha Phish
HTML document with suspicious name
JA3 SSL client fingerprint seen in connection with other malware
HTML body contains low number of good links
Invalid T&C link found
Suspicious form URL found
IP address seen in connection with other malware
No HTML title found

Classification

Process Tree

  • System is w10x64_ra
  • chrome.exe (PID: 6760 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Remittance.html MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
    • chrome.exe (PID: 6968 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1812,i,8274798147493147586,16206874965015421851,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

HTML

SourceRuleDescriptionAuthorStrings
73402.1.pages.csvJoeSecurity_CaptchaPhish_1Yara detected Captcha PhishJoe Security
    39468.7.pages.csvJoeSecurity_CaptchaPhish_1Yara detected Captcha PhishJoe Security
      94194.8.pages.csvJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security

        Sigma Signatures

        No Sigma rule has matched

        Snort Signatures

        No Snort rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        Phishing

        barindex
        Phishing site detected (based on favicon image match)
        Source: https://svrciviltechnologies.com/qr/main/main/main.phpMatcher: Template: microsoft matched with high similarity
        Yara detected HtmlPhish10
        Source: Yara matchFile source: 94194.8.pages.csv, type: HTML
        Yara detected Captcha Phish
        Source: Yara matchFile source: 73402.1.pages.csv, type: HTML
        Source: Yara matchFile source: 39468.7.pages.csv, type: HTML
        Source: https://svrciviltechnologies.com/qr/main/main/main.phpHTTP Parser: Number of links: 0
        Source: https://svrciviltechnologies.com/qr/main/main/main.phpHTTP Parser: Invalid link: Terms of use
        Source: https://svrciviltechnologies.com/qr/main/main/main.phpHTTP Parser: Invalid link: Privacy & cookies
        Source: https://svrciviltechnologies.com/qr/main/main/main.phpHTTP Parser: Form action: action.php
        Source: https://svrciviltechnologies.com/qr/main/main/main.phpHTTP Parser: HTML title missing
        Source: https://svrciviltechnologies.com/qr/main/main/main.phpHTTP Parser: No <meta name="author".. found
        Source: https://svrciviltechnologies.com/qr/main/main/main.phpHTTP Parser: No <meta name="copyright".. found
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdaterJump to behavior
        Source: unknownHTTPS traffic detected: 51.210.156.152:443 -> 192.168.2.3:49802 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 51.210.156.152:443 -> 192.168.2.3:49801 version: TLS 1.2
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: Joe Sandbox ViewIP Address: 104.18.10.207 104.18.10.207
        Source: Joe Sandbox ViewIP Address: 104.18.10.207 104.18.10.207
        Source: unknownDNS traffic detected: queries for: clients2.google.com
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
        Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
        Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
        Source: unknownNetwork traffic detected: HTTP traffic on port 49695 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49783
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49782
        Source: unknownNetwork traffic detected: HTTP traffic on port 49789 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49845 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
        Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49855
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49854
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
        Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
        Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49855 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49802 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
        Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49802
        Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49801
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49845
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49844
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49843
        Source: unknownNetwork traffic detected: HTTP traffic on port 49783 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
        Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
        Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49854 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49838
        Source: unknownNetwork traffic detected: HTTP traffic on port 49698 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
        Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
        Source: unknownNetwork traffic detected: HTTP traffic on port 49843 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49694 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
        Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
        Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficHTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.102&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.102Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /qr/main?e=?Facilities@fsbwa.com HTTP/1.1Host: svrciviltechnologies.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /qr/main/?e=?Facilities@fsbwa.com HTTP/1.1Host: svrciviltechnologies.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
        Source: global trafficHTTP traffic detected: GET /qr/main/main HTTP/1.1Host: svrciv