Windows
Analysis Report
https://l.ead.me/bfibh8/?1778990567JHGFBVDFS56678
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64_ra
- chrome.exe (PID: 6692 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 5404 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1952,i,10026105103123167761,17873190080681369111,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 6464 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://l.ead.me/bfibh8/?1778990567JHGFBVDFS56678" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_HtmlPhish_9 | Yara detected HtmlPhish_9 | Joe Security | |
- Phishing
- Compliance
- Networking
- System Summary
- Boot Survival
Signature details. The source column of every row (process, IP, port, path or URL the signature fired on) is empty in this copy of the report; the table below keeps the signature text and the number of rows each one covered, in the report's original order.

Signature | Rows |
---|---|
File source: | 1 |
HTTPS traffic detected: | 4 |
TCP traffic detected without corresponding DNS query: | 34 |
UDP traffic detected without corresponding DNS query: | 6 |
TCP traffic detected without corresponding DNS query: | 10 |
DNS traffic detected: | 3 |
Network traffic detected: | 30 |
HTTPS traffic detected: | 4 |
Classification label: | 1 |
File created: | 1 |
Process created: | 18 |
File created: | 7 |
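The most frequent signature above is "TCP/UDP traffic detected without corresponding DNS query". The check behind it is a simple correlation: every outbound connection should be preceded by a DNS answer that returned its destination IP. The following is an added example of that correlation, written for this page and not Joe Sandbox's own code; the event tuples, the multicast/link-local noise list, the resolver set and the timestamps are all constructed assumptions. It flags a connection when no earlier DNS answer explains the IP, and skips traffic a sandbox never expects to see resolved (SSDP multicast such as 239.255.255.250, which this report lists as UDP without DNS, and the VM's own resolver on UDP/53).

```python
"""Added example: re-implements the "traffic without corresponding DNS query"
signature over a constructed event list. Not Joe Sandbox code; the event
shapes, noise list, resolver set and sample values are assumptions."""
from ipaddress import ip_address, ip_network

# Constructed sample events (seconds since analysis start). The hosts mirror
# the kind seen in this report but these are not the report's packet log.
DNS_ANSWERS = [
    (1.0, "l.ead.me", "3.161.119.33"),
    (2.5, "vmi2428886.contaboserver.net", "149.102.149.56"),
    (3.0, "www.google.com", "142.250.186.68"),
]
CONNECTIONS = [
    (1.2, "tcp", "3.161.119.33", 443),      # answer arrived first: explained
    (0.4, "tcp", "3.161.119.33", 443),      # connected before the answer: flag
    (2.7, "tcp", "149.102.149.56", 443),    # explained
    (0.9, "udp", "239.255.255.250", 1900),  # SSDP multicast: local noise
    (1.5, "udp", "1.1.1.1", 53),            # the resolver itself: expected
    (4.0, "tcp", "216.58.212.131", 443),    # never resolved in capture: flag
]

# Destinations that legitimately have no DNS answer in a sandbox capture.
NOISE_NETS = [ip_network(n) for n in
              ("224.0.0.0/4", "255.255.255.255/32", "169.254.0.0/16", "ff00::/8")]
RESOLVERS = {"1.1.1.1", "8.8.8.8"}  # assumption: the VM's configured resolvers


def is_noise(ip: str, proto: str, port: int) -> bool:
    """True for multicast/broadcast/link-local targets and plain DNS to the resolver."""
    addr = ip_address(ip)
    if any(addr in net for net in NOISE_NETS):
        return True
    return proto == "udp" and port == 53 and ip in RESOLVERS


def connections_without_dns(dns_answers, connections):
    """Return connections whose destination IP had no DNS answer *before* them.

    Order matters: an answer that arrives after the connection does not explain
    it, which is exactly the case a hard-coded C2 address produces."""
    answers = sorted(dns_answers)  # by timestamp
    flagged = []
    for ts, proto, ip, port in sorted(connections):
        if is_noise(ip, proto, port):
            continue
        explained = any(a_ts <= ts and a_ip == ip for a_ts, _name, a_ip in answers)
        if not explained:
            flagged.append((ts, proto, ip, port))
    return flagged


def summarize(flagged):
    """Group flagged connections by destination IP -> set of (proto, port)."""
    out = {}
    for _ts, proto, ip, port in flagged:
        out.setdefault(ip, set()).add((proto, port))
    return out


if __name__ == "__main__":
    for ip, endpoints in summarize(connections_without_dns(DNS_ANSWERS, CONNECTIONS)).items():
        print(f"{ip}: {sorted(endpoints)}")
```

When reading the real rows, weigh them against the excluded-IP list further down in this report (216.58.212.131, 142.250.185.78, 64.233.184.84 and the other Google addresses): Chrome reuses cached resolutions and preconnects to Google endpoints, and the sandbox whitelists those addresses, so hits on them are browser noise. The rows worth opening are the ones pointing at hosts outside that list. A plain port-53 correlation also misses resolutions done over DNS-over-HTTPS, which Chrome can use; those would need the sandbox's TLS inspection to recover.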
ATT&CK matrix. Only cells prefixed with a hit count (for example "2 Encrypted Channel") were matched by this analysis; the unnumbered cells are the matrix template.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 1 Process Injection | 1 Masquerading | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Registry Run Keys / Startup Folder | 1 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
www.google.com | 142.250.186.68 | true | false | | high |
vmi2428886.contaboserver.net | 149.102.149.56 | true | false | | unknown |
l.ead.me | 3.161.119.33 | true | false | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
142.250.186.68 | www.google.com | United States | | 15169 | GOOGLEUS | false |
142.250.185.78 | unknown | United States | | 15169 | GOOGLEUS | false |
142.250.185.206 | unknown | United States | | 15169 | GOOGLEUS | false |
1.1.1.1 | unknown | Australia | | 13335 | CLOUDFLARENETUS | false |
239.255.255.250 | unknown | Reserved | | unknown | unknown | false |
149.102.149.56 | vmi2428886.contaboserver.net | United States | | 174 | COGENT-174US | false |
216.58.212.131 | unknown | United States | | 15169 | GOOGLEUS | false |
216.58.212.132 | unknown | United States | | 15169 | GOOGLEUS | false |
142.250.185.195 | unknown | United States | | 15169 | GOOGLEUS | false |
64.233.184.84 | unknown | United States | | 15169 | GOOGLEUS | false |
3.161.119.33 | l.ead.me | United States | | 16509 | AMAZON-02US | false |
IP |
---|
192.168.2.16 |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1602797 |
Start date and time: | 2025-01-30 08:52:08 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Sample URL: | https://l.ead.me/bfibh8/?1778990567JHGFBVDFS56678 |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 13 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal48.phis.win@18/7@8/112 |
- Exclude process from analysis (whitelisted): SgrmBroker.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 199.232.214.172, 216.58.212.131, 142.250.185.78, 64.233.184.84, 142.250.185.206, 216.58.206.78, 142.250.186.142
- Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, redirector.gvt1.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com
- Not all processes were analyzed, report is missing behavior information
- VT rate limit hit for: https://l.ead.me/bfibh8/?1778990567JHGFBVDFS56678
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2673 |
Entropy (8bit): | 3.989737332513235 |
Encrypted: | false |
SSDEEP: | |
MD5: | 61904085BB65D6B6AA3110F3547C19D8 |
SHA1: | 253CA2B5C2F98E1D257BA403E2A64B7FDA1B18FC |
SHA-256: | 4DF148DDB630C859B5EB4E3680FD0A8CD4CF5BA37A6BC56CABFAA93531FEAEBA |
SHA-512: | 54BF1A214A439672F1D6C815DF7676EFCFB0BA0837C0977B6996BC2AEAC44C730455BD94A14448497970C24F1BD4FB5096B033597A7E1FAD1FDF4620333FFE3A |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2675 |
Entropy (8bit): | 4.004186162605104 |
Encrypted: | false |
SSDEEP: | |
MD5: | ECCF733E8B435FE95EF086347D0F4FBC |
SHA1: | 86B57D730C007C1452E2501FBCB30A851B28DABF |
SHA-256: | 6C3282AE5E447AD4428815D9772B282BB9B81362D50840449FE884055C9225D1 |
SHA-512: | BCF106119156A8DC6F5468283ACC7D5FAEA00018D1B2CF8B1637B411E8728002328A5DFD6ABBB7F65CE0A87D115A6EE1F668DB5A6A6DB4846C02DD9B290DC673 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2689 |
Entropy (8bit): | 4.014372522180708 |
Encrypted: | false |
SSDEEP: | |
MD5: | 6A9EB49CB6647DBE0C07933D83CB4F3D |
SHA1: | 467AAE95E8752146CBCFCEE997522D0B583F46DE |
SHA-256: | 5809E14EB012936B56540037229F1B8ABDFA61528666B4D1E06339C5DA47BCE1 |
SHA-512: | 2877236E94B5AE6250E87C05F89595B6C24D2CDF79E2D6F7D776AE336E08BFF988F2B0C9755CB139923AD84ECF8BC1D06967B540A89160718939A143C0300295 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2677 |
Entropy (8bit): | 4.00350345436272 |
Encrypted: | false |
SSDEEP: | |
MD5: | 07200CDA3677E4385F94D1B572F445BA |
SHA1: | F895BCE526AF822970DB946BCB9C2CE139E9C062 |
SHA-256: | B7D199AF90AC439B566FD8BC1006A4B3626AF9D4D21F2FCD2D5722773483E8AA |
SHA-512: | 7AF613B75C32918105F225E93F89C73E2E304EC3D0C040B6100111147B62CD33108B1C20BD98100421BBA6203A87721302ABE84D24E8858BD9FFA51AB6CFC30E |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2677 |
Entropy (8bit): | 3.9931479616718066 |
Encrypted: | false |
SSDEEP: | |
MD5: | A63EA936D245234839079A427D9E8378 |
SHA1: | F540FC3B7832537AE55C4C79889ABBA8F4FA06D9 |
SHA-256: | D1A69E3E33597097D80FFF05619C8FE9551ECFE949FD10CAB34DB3D3075EF084 |
SHA-512: | 8C20DA78C2272FA477C9D8DE02F087BAA2127E1D33D6DF53EA169EEF27E25E89FCCE74FC98A6246A62FE6722408F9EFB6CB478E87DA1E079217C38F2AD32B96B |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2679 |
Entropy (8bit): | 4.0026936854681 |
Encrypted: | false |
SSDEEP: | |
MD5: | 81E393D6B18676A1BB78E4F93C2C3933 |
SHA1: | D98C1D413D7835F23B96FB9F57A58D3C03F19210 |
SHA-256: | CBF8E325B9750F91FDCEEEAB67B04F113CF0BFFE49FF6F0C4FC9412CBA1B21DE |
SHA-512: | 06DCE6489024C25F337C40D0FFEFA8555FD162FA12C93B93522204D8686920A4ABB3708089819466CDA6B0AB8809759BD93C76BDB3CD437D9EB083CFE770A5B4 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 89 |
Entropy (8bit): | 4.714082730245383 |
Encrypted: | false |
SSDEEP: | |
MD5: | 196CFACAFFB725C92C6D5D4F16289E92 |
SHA1: | B6306FE94C164053882259F3D3105E6C4519BF81 |
SHA-256: | 3CD343B356E21807BA2D17E5DE1FE01756EC53BCC76699572E78B0BEFBE5AC6F |
SHA-512: | 9319817E1964ECB66FA16FC2CE02C8D140A5936A10174D7723906FC0EC99F07F88FC1B87319C345B21C36EF0243C80757ECCD4DED89767FD1466B0687722AAAB |
Malicious: | false |
Reputation: | unknown |
URL: | https://vmi2428886.contaboserver.net/close.html |
Preview: |
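Each dropped-file entry above carries an "Entropy (8bit)" value and an "Encrypted" verdict next to its hashes. The entropy is the Shannon entropy of the byte distribution, in bits per byte: text and markup sit around 4 to 5 (the six 2.6 KB drops here are all close to 4.0), while compressed, packed or encrypted data approaches the ceiling of 8. The following is an added example that reproduces those fields for arbitrary bytes; it is not Joe Sandbox's code, and the 7.5 threshold, the sample HTML-like blob and the pseudo-random blob are constructed assumptions.

```python
"""Added example: computes the 8-bit Shannon entropy and hash fields shown in
the dropped-file tables and applies an "encrypted/packed" threshold. Not Joe
Sandbox code; the threshold and the sample contents are assumptions."""
import hashlib
import math
from collections import Counter

# Assumption: anything at or above 7.5 bits/byte is treated as encrypted or
# packed. Plain text, HTML and JSON rarely exceed 6.
ENCRYPTED_THRESHOLD = 7.5


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy of the byte-value distribution, 0.0 .. 8.0 bits/byte."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def describe(data: bytes) -> dict:
    """Return the fields a dropped-file entry carries, computed from raw bytes."""
    entropy = shannon_entropy_8bit(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "encrypted": entropy >= ENCRYPTED_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


# Constructed samples: an HTML-like blob (the shape of what a phishing page
# leaves in the browser cache) and a uniform byte distribution (what packed
# or encrypted content looks like; its entropy is exactly 8.0).
HTML_LIKE = (b"<html><head><title>Sign in</title></head><body>"
             b"<form action='https://example.invalid/post' method='post'>"
             b"<input name='user'><input name='pass' type='password'>"
             b"</form></body></html>") * 10
RANDOM_LIKE = bytes(range(256)) * 10


if __name__ == "__main__":
    for label, blob in (("html-like", HTML_LIKE), ("uniform", RANDOM_LIKE)):
        info = describe(blob)
        print(f"{label}: size={info['size']} entropy={info['entropy']:.3f} "
              f"encrypted={info['encrypted']} sha256={info['sha256']}")
```

Entropy is a triage hint, not a verdict: a small HTML page that embeds a base64 blob or a compressed image can cross the threshold without being malicious, and a text-based phishing kit never will. The hashes are the part worth keeping; they are what you pivot on when the same page is dropped by a second sample.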