Windows Analysis Report
https://interface01.nsxtlmv.workers.dev/

Overview

General Information

Sample URL: https://interface01.nsxtlmv.workers.dev/
Analysis ID: 1447760
Infos:

Detection

HTMLPhisher
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected phishing page
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected HtmlPhish10
Yara detected HtmlPhish44
AI detected suspicious javascript
Phishing site detected (based on logo match)
HTML body contains low number of good links
HTML body contains password input but no form action
HTML body with high number of embedded images detected
HTML title does not match URL
Invalid 'forgot password' link found
Invalid T&C link found

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: https://interface01.nsxtlmv.workers.dev/ Avira URL Cloud: detection malicious, Label: phishing
Source: https://interface01.nsxtlmv.workers.dev/ SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering
Antivirus detection for URL or domain
Source: https://interface01.nsxtlmv.workers.dev/style.css Avira URL Cloud: Label: phishing
Source: https://interface01.nsxtlmv.workers.dev/favicon.ico Avira URL Cloud: Label: phishing
Multi AV Scanner detection for submitted file
Source: https://interface01.nsxtlmv.workers.dev/ Virustotal: Detection: 17% Perma Link

Phishing
barindex
AI detected phishing page
Source: https://interface01.nsxtlmv.workers.dev/ LLM: Score: 9 brands: AOL Reasons: The URL 'https://interface01.nsxtlmv.workers.dev/' does not match the legitimate domain for AOL, which is typically 'aol.com'. The use of a subdomain under 'workers.dev' is suspicious and often used in phishing attacks. The page contains a login form, which is a common target for phishing. The overall design mimics a legitimate AOL login page, which is a social engineering technique to deceive users. DOM: 0.0.pages.csv
Yara detected HtmlPhish10
Source: Yara match File source: 0.0.pages.csv, type: HTML
Yara detected HtmlPhish44
Source: Yara match File source: dropped/chromecache_45, type: DROPPED
Source: Yara match File source: dropped/chromecache_47, type: DROPPED
Source: Yara match File source: dropped/chromecache_51, type: DROPPED
Source: Yara match File source: dropped/chromecache_49, type: DROPPED
AI detected suspicious javascript
Source: https://interface01.nsxtlmv.workers.dev/ LLM: Score: 10 Reasons: The JavaScript code captures user email and password, and sends this information to a Telegram bot. This is a clear indication of phishing or credential theft. DOM: 0.0.pages.csv
Source: https://interface01.nsxtlmv.workers.dev/ LLM: Score: 8 Reasons: The JavaScript code uses 'document.write' with a heavily obfuscated string, which is a common technique used in malicious scripts to hide their true functionality. This obfuscation makes it difficult to determine the exact behavior of the code without further analysis, indicating a high risk of malicious intent. DOM: 0.0.pages.csv
Source: https://interface01.nsxtlmv.workers.dev/ LLM: Score: 8 Reasons: The code uses 'document.write' with a heavily obfuscated string, which is a common technique used in malicious scripts to hide their true intent. This method can be used to inject malicious content into the webpage. The use of 'unescape' to decode the string further suggests an attempt to obscure the code's functionality. DOM: 0.0.pages.csv
Phishing site detected (based on logo match)
Source: https://interface01.nsxtlmv.workers.dev/ Matcher: Template: aol matched
HTML body contains low number of good links
Source: https://interface01.nsxtlmv.workers.dev/ HTTP Parser: Number of links: 0
HTML body contains password input but no form action
Source: https://interface01.nsxtlmv.workers.dev/ HTTP Parser: <input type="password" .../> found but no <form action="...
HTML body with high number of embedded images detected
Source: https://interface01.nsxtlmv.workers.dev/ HTTP Parser: Total embedded image size: 45438
HTML title does not match URL
Source: https://interface01.nsxtlmv.workers.dev/ HTTP Parser: Title: AOL does not match URL
Invalid 'forgot password' link found
Source: https://interface01.nsxtlmv.workers.dev/ HTTP Parser: Invalid link: Forgot password?
Invalid T&C link found
Source: https://interface01.nsxtlmv.workers.dev/ HTTP Parser: Invalid link: Help
Source: https://interface01.nsxtlmv.workers.dev/ HTTP Parser: <input type="password" .../> found
Source: https://interface01.nsxtlmv.workers.dev/ HTTP Parser: No favicon
Source: https://interface01.nsxtlmv.workers.dev/ HTTP Parser: No <meta name="author".. found
Source: https://interface01.nsxtlmv.workers.dev/ HTTP Parser: No <meta name="copyright".. found
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: chrome.exe Memory has grown: Private usage: 0MB later: 42MB
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: interface01.nsxtlmv.workers.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /style.css HTTP/1.1Host: interface01.nsxtlmv.workers.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://interface01.nsxtlmv.workers.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /?format=jsonp&callback=getIP HTTP/1.1Host: api.ipify.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://interface01.nsxtlmv.workers.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /color/50/000000/google-logo.png HTTP/1.1Host: img.icons8.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://interface01.nsxtlmv.workers.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /color/50/000000/google-logo.png HTTP/1.1Host: img.icons8.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: interface01.nsxtlmv.workers.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://interface01.nsxtlmv.workers.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: interface01.nsxtlmv.workers.devConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic DNS traffic detected: DNS query: interface01.nsxtlmv.workers.dev
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: img.icons8.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: classification engine Classification label: mal96.phis.win@16/14@12/9
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2360,i,9441452327642718650,10753621916115848608,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://interface01.nsxtlmv.workers.dev/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2360,i,9441452327642718650,10753621916115848608,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1447760 URL: https://interface01.nsxtlmv... Startdate: 27/05/2024 Architecture: WINDOWS Score: 96 26 Antivirus detection for URL or domain 2->26 28 Antivirus / Scanner detection for submitted sample 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 5 other signatures 2->32 6 chrome.exe 1 2->6         started        9 chrome.exe 2->9         started        process3 dnsIp4 14 192.168.2.4, 138, 443, 49263 unknown unknown 6->14 16 192.168.2.5 unknown unknown 6->16 18 239.255.255.250 unknown Reserved 6->18 11 chrome.exe 6->11         started        process5 dnsIp6 20 interface01.nsxtlmv.workers.dev 188.114.97.3, 443, 49736, 49737 CLOUDFLARENETUS European Union 11->20 22 www.google.com 142.250.184.196, 443, 49740, 49757 GOOGLEUS United States 11->22 24 5 other IPs or domains 11->24
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.184.196
 www.google.com United States
15169 GOOGLEUS false
212.102.56.179
 unknown Italy
60068 CDN77GB false
195.181.175.16
 1004834818.rsc.cdn77.org United Kingdom
60068 CDN77GB false
239.255.255.250
 unknown Reserved
unknown unknown false
188.114.97.3
 interface01.nsxtlmv.workers.dev European Union
13335 CLOUDFLARENETUS true
188.114.96.3
 unknown European Union
13335 CLOUDFLARENETUS false
104.26.13.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Private

IP
192.168.2.4
192.168.2.5

Contacted Domains

Name IP Active
interface01.nsxtlmv.workers.dev 188.114.97.3 true
1004834818.rsc.cdn77.org 195.181.175.16 true
www.google.com 142.250.184.196 true
api.ipify.org 104.26.13.205 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true
img.icons8.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://interface01.nsxtlmv.workers.dev/style.css false
  • Avira URL Cloud: phishing
 unknown
https://interface01.nsxtlmv.workers.dev/favicon.ico false
  • Avira URL Cloud: phishing
 unknown
https://interface01.nsxtlmv.workers.dev/ true
    		unknown
    https://img.icons8.com/color/50/000000/google-logo.png false
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		 unknown
    https://api.ipify.org/?format=jsonp&callback=getIP false
    • 1%, Virustotal, Browse
    • Avira URL Cloud: safe
    		 unknown