Windows Analysis Report
https://gallery.bel-photo.com/EU/

Overview

General Information

Sample URL:	https://gallery.bel-photo.com/EU/
Analysis ID:	1446160
Infos:

Detection

HTMLPhisher

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Antivirus / Scanner detection for submitted sample

Phishing site detected (based on favicon image match)

Yara detected HtmlPhish10

AI detected suspicious javascript

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

Submit button contains javascript call

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://gallery.bel-photo.com/EU/	Avira URL Cloud: detection malicious, Label: phishing
Source: https://gallery.bel-photo.com/EU/	SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social usering

Phishing

AI detected phishing page

Source: https://gallery.bel-photo.com/EU/

LLM: Score: 8 brands: DocuSign Reasons: The URL 'gallery.bel-photo.com' does not match the legitimate domain associated with DocuSign, which is 'docusign.com'. The page asks for an email password to view a document, which is a common phishing technique to steal credentials. The domain name is suspicious and does not align with the brand's official domain. DOM: 0.0.pages.csv

Phishing site detected (based on favicon image match)

Source: https://gallery.bel-photo.com/EU/

Matcher: Template: docusign matched with high similarity

Yara detected HtmlPhish10

Source: Yara match	File source: 0.0.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_50, type: DROPPED

AI detected suspicious javascript

Source: https://gallery.bel-photo.com/EU/	LLM: Score: 10 Reasons: The JavaScript code captures the user's email and password, then sends this sensitive information to a Telegram bot. This behavior is indicative of phishing and credential theft. DOM: 0.0.pages.csv
Source: https://gallery.bel-photo.com/EU/	LLM: Score: 7 Reasons: The code extracts an email address from the URL hash and uses it to populate form fields and an image source. This behavior is typical of phishing attempts to personalize the page based on the user's email. Additionally, the use of external resources (e.g., logo.clearbit.com) could be used to track or identify the user. DOM: 0.0.pages.csv

HTML body contains low number of good links

Source: https://gallery.bel-photo.com/EU/

HTTP Parser: Number of links: 0

HTML body contains password input but no form action

Source: https://gallery.bel-photo.com/EU/

HTTP Parser: <input type="password" .../> found but no <form action="...

HTML title does not match URL

Source: https://gallery.bel-photo.com/EU/

HTTP Parser: Title: View Secure Document - Sign in does not match URL

Submit button contains javascript call

Source: https://gallery.bel-photo.com/EU/

HTTP Parser: On click: sendEmail()

Source: https://gallery.bel-photo.com/EU/

HTTP Parser: <input type="password" .../> found

Source: https://gallery.bel-photo.com/EU/

HTTP Parser: No <meta name="author".. found

Source: https://gallery.bel-photo.com/EU/

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 2.18.97.153:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.18.97.153:443 -> 192.168.2.6:49717 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.97.153
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /EU/ HTTP/1.1Host: gallery.bel-photo.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /data/icons/logos-and-brands/512/27_Pdf_File_Type_Adobe_logo_logos-512.png HTTP/1.1Host: cdn4.iconfinder.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /C8yD9g5/US-payment-terms-1.jpg HTTP/1.1Host: i.ibb.coConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /data/icons/logos-and-brands/512/27_Pdf_File_Type_Adobe_logo_logos-512.png HTTP/1.1Host: cdn4.iconfinder.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: logo.clearbit.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /C8yD9g5/US-payment-terms-1.jpg HTTP/1.1Host: i.ibb.coConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: gallery.bel-photo.com
Source: global traffic	DNS traffic detected: DNS query: cdn4.iconfinder.com
Source: global traffic	DNS traffic detected: DNS query: i.ibb.co
Source: global traffic	DNS traffic detected: DNS query: logo.clearbit.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: chromecache_50.2.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: chromecache_50.2.dr	String found in binary or memory: https://api.telegram.org/bot$
Source: chromecache_50.2.dr	String found in binary or memory: https://cdn4.iconfinder.com/data/icons/logos-and-brands/512/27_Pdf_File_Type_Adobe_logo_logos-512.pn
Source: chromecache_50.2.dr	String found in binary or memory: https://i.ibb.co/C8yD9g5/US-payment-terms-1.jpg
Source: chromecache_50.2.dr	String found in binary or memory: https://logo.clearbit.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 2.18.97.153:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.18.97.153:443 -> 192.168.2.6:49717 version: TLS 1.2

Source: classification engine

Classification label: mal76.phis.win@16/12@14/10

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1904,i,7118842407287733611,2763941164702306614,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://gallery.bel-photo.com/EU/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1904,i,7118842407287733611,2763941164702306614,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
199.204.248.174	gallery.bel-photo.com	United States	17054	AS17054US	true
13.32.27.14	d26p066pn2w0s0.cloudfront.net	United States	7018	ATT-INTERNET4US	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
162.19.58.156	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
162.19.58.158	i.ibb.co	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
172.66.41.45	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.66.42.211	cdn4.iconfinder.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.7
192.168.2.6

Contacted Domains

Name	IP	Active
d26p066pn2w0s0.cloudfront.net	13.32.27.14	true
www.google.com	142.250.185.132	true
cdn4.iconfinder.com	172.66.42.211	true
gallery.bel-photo.com	199.204.248.174	true
fp2e7a.wpc.phicdn.net	192.229.221.95	true
i.ibb.co	162.19.58.158	true
windowsupdatebg.s.llnwi.net	87.248.204.0	true
logo.clearbit.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://i.ibb.co/C8yD9g5/US-payment-terms-1.jpg	false	Avira URL Cloud: safe	unknown
https://cdn4.iconfinder.com/data/icons/logos-and-brands/512/27_Pdf_File_Type_Adobe_logo_logos-512.png	false	Avira URL Cloud: safe	unknown
https://logo.clearbit.com/	false	Avira URL Cloud: safe	unknown
https://gallery.bel-photo.com/EU/	true		unknown

ID:	1446160
Product:	CloudBasic
Start time:	00:13:15
Start date:	23.05.2024
Cookbook:	browseurl.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
Chrome Cache Entry: 45	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1415x2000, components 3	B62CB0558B9B24F73AF92BB53F3B8F90	72F901C26EE58C0A94042DD309BBF5869ADBE84F	BA4964EB4B09ED1902D533C34657F99D8D2F1BDBBB6101AFE3095DB527D105D9
Chrome Cache Entry: 46	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	8B5D07FB91DE8C5ABD0582DC405D0718	17B47C393EFD89A9044691A3D4953A7E5458DF81	4D54727D94F74E894C1B1D9DCBF11C9B533A6547FF15BD608AF5D0C0AB65DDFD
Chrome Cache Entry: 47	RIFF (little-endian) data, Web/P image	BF1BBBFFFEE93051B82B1853CC2C307B	1CA204EDC35F49301F7C4BA8C838EE6F1C2CB8CD	BD6E9CD6C3DF8755EEB517DF1E0A2276245F42633FE1036E0193A47DD367CBA6
Chrome Cache Entry: 48	ASCII text, with very long lines (32065)	2F6B11A7E914718E0290410E85366FE9	69BB69E25CA7D5EF0935317584E6153F3FD9A88C	05B85D96F41FFF14D8F608DAD03AB71E2C1017C2DA0914D7C59291BAD7A54F8E
Chrome Cache Entry: 49	ASCII text, with no line terminators	344EB8D19F5C0A3435EF32FD9601F1FB	E082EB1D89D91CC1A25A1D510268E576109DA07E	B44289B54959639FCA6A742F7CC2E2A5AF9C6E7B73C1B3E25227CA9790F3A587
Chrome Cache Entry: 50	HTML document, ASCII text, with very long lines (65360), with CRLF line terminators	DFB8E33413778991447AD2134C4BEAEB	BCA0374F6ABAFD66EE729B75F263FC213B71BE5C	FE05303F64E0273C889704681071916193C3AD369DE64F3E13E9206B1022C18E
Chrome Cache Entry: 51	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1415x2000, components 3	B62CB0558B9B24F73AF92BB53F3B8F90	72F901C26EE58C0A94042DD309BBF5869ADBE84F	BA4964EB4B09ED1902D533C34657F99D8D2F1BDBBB6101AFE3095DB527D105D9

Windows Analysis Report
https://gallery.bel-photo.com/EU/

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report https://gallery.bel-photo.com/EU/

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
https://gallery.bel-photo.com/EU/