Windows Analysis Report
#Ud83d#Udce7 Tax Statements-2-121_076_454656_3-4(4).hTm

Overview

General Information

Sample Name: #Ud83d#Udce7 Tax Statements-2-121_076_454656_3-4(4).hTm
Analysis ID: 830984
MD5: e5497fd17c23a351fd4f964d04f63871
SHA1: 91f45eedfe4e06860d0c825fe4dde6f6671f4b88
SHA256: a2148a5596c580189823a73f156ce8e05c3b61ef1a8255f7a35ca65d9d3098cd

Detection

HTMLPhisher, ReCaptcha Phish
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish48
Yara detected Recaptcha Phish
Phishing site detected (based on favicon image match)
HTML document with suspicious title
HTML document with suspicious name
JA3 SSL client fingerprint seen in connection with other malware
Yara signature match
IP address seen in connection with other malware

Classification

Phishing

Source: Yara match File source: #Ud83d#Udce7 Tax Statements-2-121_076_454656_3-4(4).hTm, type: SAMPLE
Source: Yara match File source: 06536.0.pages.csv, type: HTML
Source: Yara match File source: 06536.6.pages.csv, type: HTML
Source: Yara match File source: 59354.1.pages.csv, type: HTML
Source: Yara match File source: 60877.2.pages.csv, type: HTML
Source: Yara match File source: 06787.3.pages.csv, type: HTML
Source: Yara match File source: 60877.4.pages.csv, type: HTML
Source: Yara match File source: 06787.5.pages.csv, type: HTML
Source: Yara match File source: 59354.7.pages.csv, type: HTML
Source: file:///C:/Users/user/Desktop/%23Ud83d%23Udce7%20Tax%20Statements-2-121_076_454656_3-4(4).hTm Matcher: Template: microsoft matched with high similarity
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.134:443 -> 192.168.11.20:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.134:443 -> 192.168.11.20:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.134:443 -> 192.168.11.20:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.32.134:443 -> 192.168.11.20:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.82.207.122:443 -> 192.168.11.20:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.82.207.122:443 -> 192.168.11.20:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:57076 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:51035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:49843 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:49844 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:64349 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:59910 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:59911 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:60731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:64818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:64819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:64780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:64781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:60067 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:60068 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.11.20:62656 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.11.20:62454 version: TLS 1.2
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: unknown DNS traffic detected: queries for: accounts.google.com
Source: unknown Network traffic detected: HTTP traffic on port 51035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52914
Source: unknown Network traffic detected: HTTP traffic on port 60007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62315
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55590
Source: unknown Network traffic detected: HTTP traffic on port 62656 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49271 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51035
Source: unknown Network traffic detected: HTTP traffic on port 62315 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55590 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64349
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62546 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54679
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52914 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59401 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62454
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 64562 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49271
Source: unknown Network traffic detected: HTTP traffic on port 64780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 62634 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64780
Source: unknown Network traffic detected: HTTP traffic on port 62454 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62634
Source: unknown Network traffic detected: HTTP traffic on port 60731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61669
Source: unknown Network traffic detected: HTTP traffic on port 63338 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64818
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 65385 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59910
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59911
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63338
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59401
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60067
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 64349 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 64781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62656
Source: unknown Network traffic detected: HTTP traffic on port 59910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54679 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57076
Source: unknown Network traffic detected: HTTP traffic on port 61669 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 65385
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62546
Source: unknown Network traffic detected: HTTP traffic on port 62386 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64562
Source: unknown Network traffic detected: HTTP traffic on port 60067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62386
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60007
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.32.134
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=94.0.4606.61&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-94.0.4606.61Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /su35/gtl/ HTTP/1.1Host: fuadrashid.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /su35/gtl/9d3844dcadd00b46e3c10b77a0a825247573748608401705203573270e089c75a6b105a2f85776e2cdd4528476e3084017052035a93c9f185932557fd997ff3a4ba3e0e124e9a338084017052035b5c58094f8174d1bce72ba953e424e3130f4df0b084017052035/gUNkRyOTOnTErUDeoDOLI HTTP/1.1Host: fuadrashid.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://fuadrashid.com/su35/gtl/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /su35/gtl/9d3844dcadd00b46e3c10b77a0a825247573748608401705203573270e089c75a6b105a2f85776e2cdd4528476e3084017052035a93c9f185932557fd997ff3a4ba3e0e124e9a338084017052035b5c58094f8174d1bce72ba953e424e3130f4df0b084017052035/capt HTTP/1.1Host: fuadrashid.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://fuadrashid.com/su35/gtl/9d3844dcadd00b46e3c10b77a0a825247573748608401705203573270e089c75a6b105a2f85776e2cdd4528476e3084017052035a93c9f185932557fd997ff3a4ba3e0e124e9a338084017052035b5c58094f8174d1bce72ba953e424e3130f4df0b084017052035/gUNkRyOTOnTErUDeoDOLIAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /recaptcha/api.js HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CI+2yQEIorbJAQjEtskBCKmdygEI7/LLAQin+csBCLT/ywEI54TMAQjLicwBGOWgywE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=YES+srp.gws-20210811-0-RC2.en+FX+979
Source: global traffic HTTP traffic detected: GET /recaptcha/api2/anchor?ar=1&k=%0A6Lcf2-EhAAAAAAb4lCjGZLljSQMQ9lL7LxhkWGBN&co=aHR0cHM6Ly9mdWFkcmFzaGlkLmNvbTo0NDM.&hl=en&v=Trd6gj1dhC_fx0ma_AWHc1me&size=normal&cb=eys0y7domytm HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9X-Client-Data: CI+2yQEIorbJAQjEtskBCKmdygEI7/LLAQin+csBCLT/ywEI54TMAQjLicwBGOWgywE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=YES+srp.gws-20210811-0-RC2.en+FX+979
Source: global traffic HTTP traffic detected: GET /recaptcha/api2/bframe?hl=en&v=Trd6gj1dhC_fx0ma_AWHc1me&k=6Lcf2-EhAAAAAAb4lCjGZLljSQMQ9lL7LxhkWGBN HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9X-Client-Data: CI+2yQEIorbJAQjEtskBCKmdygEI7/LLAQin+csBCLT/ywEI54TMAQjLicwBGOWgywE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=YES+srp.gws-20210811-0-RC2.en+FX+979
Source: global traffic HTTP traffic detected: GET /recaptcha/api2/webworker.js?hl=en&v=Trd6gj1dhC_fx0ma_AWHc1me HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CI+2yQEIorbJAQjEtskBCKmdygEI7/LLAQin+csBCLT/ywEI54TMAQjLicwBGOWgywE=Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://www.google.com/recaptcha/api2/anchor?ar=1&k=%0A6Lcf2-EhAAAAAAb4lCjGZLljSQMQ9lL7LxhkWGBN&co=aHR0cHM6Ly9mdWFkcmFzaGlkLmNvbTo0NDM.&hl=en&v=Trd6gj1dhC_fx0ma_AWHc1me&size=normal&cb=eys0y7domytmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=YES+srp.gws-20210811-0-RC2.en+FX+979
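The request chain above (local .hTm file, cross-site iframe to fuadrashid.com, then the reCAPTCHA anchor and bframe loads) can be correlated mechanically. The script below is an added example and is not part of the sandbox report or its tooling. It parses records in the report's run-together form ("GET /x HTTP/1.1Host: ...Sec-Fetch-Dest: iframe..."), decodes the co= parameter of the reCAPTCHA anchor URL to recover the origin the widget was issued for, and checks whether that origin is the host the HTML file embedded as an iframe. Assumptions: the sample records are condensed copies of the report's requests, constructed here; www.recaptcha.net is listed as an alternate reCAPTCHA host; co= is URL-safe base64 of the embedding origin with "." in place of "=" padding.

```python
"""Correlate the iframe navigation and reCAPTCHA loads captured in the report."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Header names that occur in the report's records. The report runs headers together
# with no separator, so each record is split immediately in front of a known name.
_HEADER_NAMES = (
    "Host", "Connection", "Referer", "Sec-Fetch-Site", "Sec-Fetch-Mode", "Sec-Fetch-Dest",
    "Upgrade-Insecure-Requests", "User-Agent", "Accept-Encoding", "Accept-Language",
    "Accept", "X-Client-Data", "Cookie", "sec-ch-ua-mobile", "sec-ch-ua-platform", "sec-ch-ua",
)
_SPLIT = re.compile(r"(?=(?:%s):)" % "|".join(re.escape(h) for h in _HEADER_NAMES))

# Hosts that serve the reCAPTCHA frames (www.recaptcha.net is an assumed alternate).
RECAPTCHA_HOSTS = {"www.google.com", "www.recaptcha.net"}

# Constructed sample: four records from the report, condensed to the headers used here.
SAMPLE_RECORDS = [
    "GET /su35/gtl/ HTTP/1.1Host: fuadrashid.comConnection: keep-alive"
    "Upgrade-Insecure-Requests: 1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigate"
    "Sec-Fetch-Dest: iframeAccept-Encoding: gzip, deflate, br",
    "GET /recaptcha/api.js HTTP/1.1Host: www.google.comConnection: keep-alive"
    "Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: script",
    "GET /recaptcha/api2/anchor?ar=1&k=%0A6Lcf2-EhAAAAAAb4lCjGZLljSQMQ9lL7LxhkWGBN"
    "&co=aHR0cHM6Ly9mdWFkcmFzaGlkLmNvbTo0NDM.&hl=en&v=Trd6gj1dhC_fx0ma_AWHc1me"
    "&size=normal&cb=eys0y7domytm HTTP/1.1Host: www.google.comConnection: keep-alive"
    "Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframe",
    "GET /recaptcha/api2/bframe?hl=en&v=Trd6gj1dhC_fx0ma_AWHc1me"
    "&k=6Lcf2-EhAAAAAAb4lCjGZLljSQMQ9lL7LxhkWGBN HTTP/1.1Host: www.google.com"
    "Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframe",
]


def parse_request(record):
    """Turn one run-together record into {"method", "path", "headers"} (names lowercased)."""
    parts = _SPLIT.split(record)
    method, path, _version = parts[0].split()
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        headers[name.lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def recaptcha_context(req):
    """Return (site_key, embedding_origin) for a reCAPTCHA anchor/bframe request."""
    query = parse_qs(urlsplit(req["path"]).query)
    # The anchor request in the report carries a leading %0A inside k=; strip it so
    # the anchor and bframe keys compare equal.
    site_key = query.get("k", [""])[0].strip()
    origin = None
    co = query.get("co", [""])[0]
    if co:
        # co= is URL-safe base64 of the origin that embedded the widget, with '.'
        # standing in for the '=' padding (assumption stated in the lead-in).
        origin = base64.urlsafe_b64decode(co.replace(".", "=")).decode("ascii")
    return site_key, origin


def analyse(records):
    """Flag a remote iframe whose host is the origin the reCAPTCHA widget was issued for."""
    iframe_hosts = []
    site_keys, origins = set(), set()
    for req in map(parse_request, records):
        h = req["headers"]
        host = h.get("host", "")
        if host in RECAPTCHA_HOSTS and req["path"].startswith("/recaptcha/api2/"):
            key, origin = recaptcha_context(req)
            if key:
                site_keys.add(key)
            if origin:
                origins.add(origin)
        elif (h.get("sec-fetch-dest") == "iframe"
              and h.get("sec-fetch-site") == "cross-site"
              and "referer" not in h):
            # Cross-site iframe navigation with no Referer: the embedding document had
            # nothing to send, which is what a locally opened .htm file looks like.
            iframe_hosts.append(host)
    origin_hosts = {urlsplit(o).hostname for o in origins}
    return {
        "iframe_hosts": iframe_hosts,
        "recaptcha_site_keys": sorted(site_keys),
        "recaptcha_origins": sorted(origins),
        "captcha_gates_iframe": bool(origin_hosts & set(iframe_hosts)),
    }


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_RECORDS).items():
        print(f"{name}: {value}")
```

On the report's records this resolves co= to https://fuadrashid.com:443, the same host the .hTm file loaded as a cross-site iframe without a Referer, and the single site key 6Lcf2-EhAAAAAAb4lCjGZLljSQMQ9lL7LxhkWGBN once the stray %0A is stripped. That combination is the "ReCaptcha Phish" pattern flagged above: the credential page is embedded by a local attachment and sits behind a captcha that an automated crawler cannot solve.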
Source: global traffic TCP traffic: 192.168.11.20:59968 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:60784 -> 239.255.255.250:1900
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19042.0.0; IDCRL-cfg 16.000.29143.3; App svchost.exe, 10.0.19041.546, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4723Host: login.live.com

System Summary

Source: file:///C:/Users/user/Desktop/%23Ud83d%23Udce7%20Tax%20Statements-2-121_076_454656_3-4(4).hTm Tab title: Verify your account
Source: Name includes: #Ud83d#Udce7 Tax Statements-2-121_076_454656_3-4(4).hTm Initial sample: statement
Source: 60877.2.pages.csv, type: HTML Matched rule: SUSP_obfuscated_JS_obfuscatorio date = 2021-08-25, author = @imp0rtp3, description = Detects JS obfuscation done by the js obfuscator (often malicious), score = , reference = https://obfuscator.io
Source: 60877.4.pages.csv, type: HTML Matched rule: SUSP_obfuscated_JS_obfuscatorio date = 2021-08-25, author = @imp0rtp3, description = Detects JS obfuscation done by the js obfuscator (often malicious), score = , reference = https://obfuscator.io
Source: classification engine Classification label: mal72.phis.winHTM@45/0@4/8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1700,18324760747851478443,7253911549642704679,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\#Ud83d#Udce7 Tax Statements-2-121_076_454656_3-4(4).hTm
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: Window Recorder Window detected: More than 3 window changes detected