Edit tour

Windows Analysis Report
Markelcorp Pay Application November 29, 2022_11725512247820161423.html

Overview

General Information

Sample Name:	Markelcorp Pay Application November 29, 2022_11725512247820161423.html
Analysis ID:	756249
MD5:	397547503a0f979f55d246022dd70ddf
SHA1:	3953830b316290a8f8a4f4f8e8040a9d0231038b
SHA256:	57cbed8d8d5433b7e12c7838a6a458adaf27bea086602bf666ecf4276df62fd5
Infos:

Detection

HTMLPhisher

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish45

JA3 SSL client fingerprint seen in connection with other malware

Yara signature match

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6868 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Markelcorp Pay Application November 29, 2022_11725512247820161423.html MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

chrome.exe (PID: 2864 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1800,i,1373531813002401801,16495176252513405895,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Markelcorp Pay Application November 29, 2022_11725512247820161423.html	SUSP_obfuscated_JS_obfuscatorio	Detects JS obfuscation done by the js obfuscator (often malicious)	@imp0rtp3	0x5d06:$c8: while(!![]) 0x5d24:$d1: parseInt(_0x111cb9(0x7c))/0x1(parseInt(_0x111cb9(0x75))/0x2)+-parseInt(_0x111cb9(0x80))/0x3(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6( 0x5d43:$d1: parseInt(_0x111cb9(0x75))/0x2)+-parseInt(_0x111cb9(0x80))/0x3(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6(parseInt(_0x111cb9(0x86))/0x7)+- 0x5d63:$d1: parseInt(_0x111cb9(0x80))/0x3(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8( 0x5d83:$d1: parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8(parseInt(_0x111cb9(0x81))/0x9)+ 0x5da3:$d1: parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8(parseInt(_0x111cb9(0x81))/0x9)+parseInt(_0x111cb9(0x8d))/0xa+

HTML

Source	Rule	Description	Author	Strings
22653.0.pages.csv	SUSP_obfuscated_JS_obfuscatorio	Detects JS obfuscation done by the js obfuscator (often malicious)	@imp0rtp3	0x77e8:$c8: while(!![]) 0x7806:$d1: parseInt(_0x111cb9(0x7c))/0x1(parseInt(_0x111cb9(0x75))/0x2)+-parseInt(_0x111cb9(0x80))/0x3(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6( 0x7825:$d1: parseInt(_0x111cb9(0x75))/0x2)+-parseInt(_0x111cb9(0x80))/0x3(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6(parseInt(_0x111cb9(0x86))/0x7)+- 0x7845:$d1: parseInt(_0x111cb9(0x80))/0x3(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8( 0x7865:$d1: parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8(parseInt(_0x111cb9(0x81))/0x9)+ 0x7885:$d1: parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8(parseInt(_0x111cb9(0x81))/0x9)+parseInt(_0x111cb9(0x8d))/0xa+
22653.0.pages.csv	JoeSecurity_HtmlPhish_45	Yara detected HtmlPhish_45	Joe Security
22275.2.pages.csv	SUSP_obfuscated_JS_obfuscatorio	Detects JS obfuscation done by the js obfuscator (often malicious)	@imp0rtp3	0x77ea:$c8: while(!![]) 0x7808:$d1: parseInt(_0x111cb9(0x7c))/0x1(parseInt(_0x111cb9(0x75))/0x2)+-parseInt(_0x111cb9(0x80))/0x3(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6( 0x7827:$d1: parseInt(_0x111cb9(0x75))/0x2)+-parseInt(_0x111cb9(0x80))/0x3(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6(parseInt(_0x111cb9(0x86))/0x7)+- 0x7847:$d1: parseInt(_0x111cb9(0x80))/0x3(-parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8( 0x7867:$d1: parseInt(_0x111cb9(0x7b))/0x4)+-parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8(parseInt(_0x111cb9(0x81))/0x9)+ 0x7887:$d1: parseInt(_0x111cb9(0x6e))/0x5+-parseInt(_0x111cb9(0x83))/0x6(parseInt(_0x111cb9(0x86))/0x7)+-parseInt(_0x111cb9(0x6f))/0x8(parseInt(_0x111cb9(0x81))/0x9)+parseInt(_0x111cb9(0x8d))/0xa+
22275.2.pages.csv	JoeSecurity_HtmlPhish_45	Yara detected HtmlPhish_45	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Yara detected HtmlPhish45

Source: Yara match	File source: 22653.0.pages.csv, type: HTML
Source: Yara match	File source: 22275.2.pages.csv, type: HTML

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: unknown

HTTPS traffic detected: 152.199.23.72:443 -> 192.168.2.2:49740 version: TLS 1.2

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Markelcorp Pay Application November 29, 2022_11725512247820161423.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Markelcorp Pay Application November 29, 2022_11725512247820161423.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

Windows Analysis Report
Markelcorp Pay Application November 29, 2022_11725512247820161423.html