Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Markelcorp Pay-Application Completed November 29, 2022_48707712230774110046.html

Overview

General Information

Sample Name:Markelcorp Pay-Application Completed November 29, 2022_48707712230774110046.html
Analysis ID:756210
MD5:d21ad4851c96168de4456dea77044b9c
SHA1:bee29bccd77e6848093f899a493f1330442899da
SHA256:989f90793f02c5b623cf3830d184dba364fef0d2c2726d4636fb3b4877cafa39
Infos:

Detection

HTMLPhisher
Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected HtmlPhish45
JA3 SSL client fingerprint seen in connection with other malware
Yara signature match
IP address seen in connection with other malware

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 6832 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Markelcorp Pay-Application Completed November 29, 2022_48707712230774110046.html MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
    • chrome.exe (PID: 7036 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1748,i,3206524124022006366,8441393421957404145,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
Markelcorp Pay-Application Completed November 29, 2022_48707712230774110046.htmlSUSP_obfuscated_JS_obfuscatorioDetects JS obfuscation done by the js obfuscator (often malicious)@imp0rtp3
  • 0x5d0e:$c8: while(!![])
  • 0x5d2c:$d1: parseInt(_0x111cb9(0x7c))/0x1*(parseInt(_0x111cb9(0x75))/0x2)+-parseInt(_0x111cb9(0x80))/0x3*(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6*(
  • 0x5d4b:$d1: parseInt(_0x111cb9(0x75))/0x2)+-parseInt(_0x111cb9(0x80))/0x3*(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6*(parseInt(_0x111cb9(0x86))/0x7)+-
  • 0x5d6b:$d1: parseInt(_0x111cb9(0x80))/0x3*(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6*(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8*(
  • 0x5d8b:$d1: parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6*(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8*(parseInt(_0x111cb9(0x81))/0x9)+
  • 0x5dab:$d1: parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6*(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8*(parseInt(_0x111cb9(0x81))/0x9)+parseInt(_0x111cb9(0x8d))/0xa+
SourceRuleDescriptionAuthorStrings
49412.0.pages.csvSUSP_obfuscated_JS_obfuscatorioDetects JS obfuscation done by the js obfuscator (often malicious)@imp0rtp3
  • 0x7807:$c8: while(!![])
  • 0x7825:$d1: parseInt(_0x111cb9(0x7c))/0x1*(parseInt(_0x111cb9(0x75))/0x2)+-parseInt(_0x111cb9(0x80))/0x3*(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6*(
  • 0x7844:$d1: parseInt(_0x111cb9(0x75))/0x2)+-parseInt(_0x111cb9(0x80))/0x3*(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6*(parseInt(_0x111cb9(0x86))/0x7)+-
  • 0x7864:$d1: parseInt(_0x111cb9(0x80))/0x3*(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6*(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8*(
  • 0x7884:$d1: parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6*(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8*(parseInt(_0x111cb9(0x81))/0x9)+
  • 0x78a4:$d1: parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6*(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8*(parseInt(_0x111cb9(0x81))/0x9)+parseInt(_0x111cb9(0x8d))/0xa+
49412.0.pages.csvJoeSecurity_HtmlPhish_45Yara detected HtmlPhish_45Joe Security
    No Sigma rule has matched
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results

    Phishing

    barindex
    Source: Yara matchFile source: 49412.0.pages.csv, type: HTML
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdaterJump to behavior
    Source: unknownHTTPS traffic detected: 152.199.23.72:443 -> 192.168.2.3:49718 version: TLS 1.2
    Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: Joe Sandbox ViewIP Address: 104.17.24.14 104.17.24.14
    Source: Joe Sandbox ViewIP Address: 152.199.23.72 152.199.23.72
    Source: Joe Sandbox ViewIP Address: 152.199.23.72 152.199.23.72
    Source: unknownDNS traffic detected: queries for: code.jquery.com
    Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
    Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
    Source: unknownNetwork traffic detected: HTTP traffic on port 49698 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
    Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
    Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.102&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.102Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /ajax/libs/font-awesome/4.7.0/css/font-awesome.css HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /shared/1.0/content/images/picker_verify_call_fe87496cc7a44412f7893a72099c120a.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /shared/1.0/content/images/picker_verify_sms_27a6d18b56f46818420e60a773c36d4e.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /shared/1.0/content/images/picker_verify_fluent_authenticator_b59c16ca9bf156438a8a96d45e33db64.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /dbd5a2dd-ttl-x9zsondwno6uogaxggczkbj5okcite29gtm-6do/logintenantbranding/0/bannerlogo?ts=636450702596912772 HTTP/1.1Host: aadcdn.msauthimages.netConnection: keep-alivesec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /dbd5a2dd-ttl-x9zsondwno6uogaxggczkbj5okcite29gtm-6do/logintenantbranding/0/bannerlogo?ts=636450702596912772 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: aadcdn.msauthimages.net
    Source: global trafficHTTP traffic detected: GET /dbd5a2dd-ttl-x9zsondwno6uogaxggczkbj5okcite29gtm-6do/logintenantbranding/0/bannerlogo?ts=636450702596912772 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: aadcdn.msauthimages.netIf-Modified-Since: Tue, 31 Oct 2017 18:11:00 GMTIf-None-Match: 0x8D5208ABDB3B476
    Source: unknownHTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+620; __Secure-ENID=6.SE=cJKCBuSaL1dV3R8z2Y2al7-m2m5bGA74lqbYYkqC3uy-NtZ1f6n_bCBr25tlnnjvdmLpGQ81ZKzP3Te5vVjpSQjYWCwvlOMApK7tmZNWcORu0p4wniPJGQfTslQNnpQWhG9qkwkEgy49-6UG3UQ1eiUyFolJZWLeUM1p4KvjM9E
    Source: unknownHTTPS traffic detected: 152.199.23.72:443 -> 192.168.2.3:49718 version: TLS 1.2
    Source: Markelcorp Pay-Application Completed November 29, 2022_48707712230774110046.html, type: SAMPLEMatched rule: SUSP_obfuscated_JS_obfuscatorio date = 2021-08-25, author = @imp0rtp3, description = Detects JS obfuscation done by the js obfuscator (often malicious), score = , reference = https://obfuscator.io
    Source: 49412.0.pages.csv, type: HTMLMatched rule: SUSP_obfuscated_JS_obfuscatorio date = 2021-08-25, author = @imp0rtp3, description = Detects JS obfuscation done by the js obfuscator (often malicious), score = , reference = https://obfuscator.io
    Source: classification engineClassification label: mal48.phis.winHTML@23/0@12/11
    Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Markelcorp Pay-Application Completed November 29, 2022_48707712230774110046.html
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1748,i,3206524124022006366,8441393421957404145,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1748,i,3206524124022006366,8441393421957404145,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8Jump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Appl