Windows Analysis Report
Encrypted Closing docs and Payoff statements.html

Overview

General Information

Sample Name: Encrypted Closing docs and Payoff statements.html
Analysis ID: 829695
MD5: efcf66d12ae1f08b75733510e69b6d5a
SHA1: ba27c7875d5ed2fb690f5e5d027e0a352ddc2a87
SHA256: d395fbfd2c398c5ae4ab37d84fb8f00a3eab794744a75c3d29d0a175188501a6

Detection

HTMLPhisher
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Phishing site detected (based on favicon image match)
Yara detected Phisher
Yara detected HtmlPhish54
HTML document with suspicious name
Phishing site detected (based on image similarity)
HTML body contains low number of good links
Found iframes
IP address seen in connection with other malware
No HTML title found

Classification

  • System is w10x64
  • chrome.exe (PID: 3108 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • chrome.exe (PID: 2424 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=1816,i,6220061778104809602,11437118113149743191,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
  • chrome.exe (PID: 1780 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Encrypted Closing docs and Payoff statements.html" MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Encrypted Closing docs and Payoff statements.html | JoeSecurity_Phisher_3 | Yara detected Phisher | Joe Security |
15420.3.pages.csv | JoeSecurity_HtmlPhish_54 | Yara detected HtmlPhish_54 | Joe Security |

No Sigma rule has matched
No Snort rule has matched

      Phishing
Source: https://gatemail.info; Matcher: Template: microsoft matched with high similarity
Source: Yara match; File source: Encrypted Closing docs and Payoff statements.html, type: SAMPLE
Source: Yara match; File source: 15420.3.pages.csv, type: HTML
Source: https://gatemail.info; Matcher: Found strong image similarity, brand: Microsoft, cache file: chromecache_207.1.dr
Source: https://gatemail.info; Matcher: Found strong image similarity, brand: Microsoft, cache file: chromecache_226.1.dr
Source: https://lmo.gatemail.info/?username=rbown@industrialinvestments.com&sso_reload=true; Matcher: Found strong image similarity, brand: Microsoft, image: 15420.img.1.gfk.csv EE5C8D9FB6248C938FD0DC19370E90BD
Source: https://lmo.gatemail.info/?username=rbown@industrialinvestments.com&sso_reload=true; HTTP Parser: Number of links: 0
Source: https://lmo.gatemail.info/?username=rbown@industrialinvestments.com&sso_reload=true; HTTP Parser: Iframe src: https://b11b496a-fa3adaac.gatemail.info/Prefetch/Prefetch.aspx
Source: https://lmo.gatemail.info/?username=rbown@industrialinvestments.com&sso_reload=true; HTTP Parser: HTML title missing
Source: https://lmo.gatemail.info/?username=rbown@industrialinvestments.com&sso_reload=true; HTTP Parser: No <meta name="author".. found
Source: https://lmo.gatemail.info/?username=rbown@industrialinvestments.com&sso_reload=true; HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\Google\GoogleUpdater
Source: Joe Sandbox View; IP Address: 239.255.255.250 (the SSDP multicast address used by Windows device discovery; an "IP address seen with other malware" hit on this address is background traffic of the analysis VM, not evidence of C2 by the sample)
Source: unknown; DNS traffic detected: queries for: clients2.google.com
Source: unknown; Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown; Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown; Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown; Network traffic detected: <
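The HTTP Parser findings in this report (zero links, an iframe to a Prefetch.aspx endpoint, no <title>, no author/copyright meta tags) and the victim address pre-filled in the landing URL's username= parameter are simple structural heuristics. The Python script below, added here as an illustration and not part of the Joe Sandbox report or its detection engine, reimplements those checks over a constructed sample page so the indicators can be reproduced offline. The hostnames under example.test, the sample HTML, and the equal-weight scoring are assumptions.

```python
"""Heuristic HTML phishing triage (added example, not Joe Sandbox code).

Reproduces the kinds of structural indicators a sandbox HTTP parser reports:
link count, iframe sources, missing <title>, missing <meta name="author"> /
<meta name="copyright">, and an e-mail address pre-filled in the URL query.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class PhishIndicatorParser(HTMLParser):
    """Collect the structural features the heuristics look at (stdlib only)."""

    def __init__(self):
        super().__init__()
        self.links = []          # href values of <a> tags
        self.iframes = []        # src values of <iframe> tags
        self.title = None        # text inside <title>, None if no <title> tag
        self.meta_names = set()  # lower-cased <meta name="..."> values
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "iframe" and attrs.get("src"):
            self.iframes.append(attrs["src"])
        elif tag == "meta" and attrs.get("name"):
            self.meta_names.add(attrs["name"].lower())
        elif tag == "title":
            self._in_title = True
            self.title = ""

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def analyse(url, html):
    """Return the indicator dict for one fetched page (landing URL + body)."""
    p = PhishIndicatorParser()
    p.feed(html)
    query = parse_qs(urlparse(url).query)
    return {
        "link_count": len(p.links),
        "iframe_srcs": p.iframes,
        "title_missing": not (p.title and p.title.strip()),
        "meta_author_missing": "author" not in p.meta_names,
        "meta_copyright_missing": "copyright" not in p.meta_names,
        # Credential-harvesting kits commonly pre-fill the victim's address
        # from a username= parameter so the fake login looks personalised.
        "prefilled_email": [v for v in query.get("username", []) if "@" in v],
    }


def score(ind):
    """Equal-weight score: number of triggered heuristics, 0..6 (assumed weights)."""
    return sum([
        ind["link_count"] == 0,
        bool(ind["iframe_srcs"]),
        ind["title_missing"],
        ind["meta_author_missing"],
        ind["meta_copyright_missing"],
        bool(ind["prefilled_email"]),
    ])


# Constructed sample input: a minimal credential-harvesting landing page with
# the same structural shape as the one in the report (not the real page).
SAMPLE_URL = "https://login.example.test/?username=victim@example.test&sso_reload=true"
SAMPLE_HTML = """<html><head><meta charset="utf-8"></head>
<body><form><input name="loginfmt" value="victim@example.test"></form>
<iframe src="https://x.example.test/Prefetch/Prefetch.aspx" width="0" height="0"></iframe>
</body></html>"""

# Constructed benign page for comparison: a title, author/copyright meta, links.
BENIGN_URL = "https://portal.example.test/"
BENIGN_HTML = """<html><head><title>Acme Portal</title>
<meta name="author" content="Acme"><meta name="copyright" content="Acme"></head>
<body><a href="/about">About</a> <a href="/help">Help</a></body></html>"""

if __name__ == "__main__":
    for name, url, body in (("sample", SAMPLE_URL, SAMPLE_HTML),
                            ("benign", BENIGN_URL, BENIGN_HTML)):
        ind = analyse(url, body)
        print(name, score(ind), ind)
```

The sample page trips all six heuristics while the benign page trips none; in practice a zero-link, title-less page with a hidden iframe is common on single-purpose login redirectors, so treat the score as a triage prioritiser, not a verdict, and confirm with the brand-image match and the post target of the form.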