Edit tour

Windows Analysis Report
https://vardhadevelco.com/365confirmation.php

Overview

General Information

Sample URL:	https://vardhadevelco.com/365confirmation.php
Analysis ID:	1643219
Infos:

Detection

HTMLPhisher, Mamba2FA

Score:	84
Range:	0 - 100
Confidence:	100%

Signatures

AI detected phishing page

Suricata IDS alerts for network traffic

Yara detected HtmlPhish10

Yara detected Mamba 2FA PaaS

AI detected landing page (webpage, office document or email)

AI detected suspicious Javascript

HTML page contains suspicious onload / onerror event

Creates files inside the system directory

Deletes files inside the Windows folder

Detected hidden input values containing email addresses (often used in phishing pages)

HTML body contains low number of good links

HTML body contains password input but no form action

HTML page contains hidden javascript code

HTML title does not match URL

Invalid 'forgot password' link found

Invalid T&C link found

No HTML title found

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 2332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3648 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1924,i,10196678198657757390,3594446482516654740,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6672 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://vardhadevelco.com/365confirmation.php" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author
2.3.pages.csv	JoeSecurity_Mamba2FA	Yara detected Mamba 2FA PaaS	Joe Security
2.3.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
2.4.pages.csv	JoeSecurity_Mamba2FA	Yara detected Mamba 2FA PaaS	Joe Security
2.4.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
2.5.pages.csv	JoeSecurity_Mamba2FA	Yara detected Mamba 2FA PaaS	Joe Security
2.5.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
2.6.pages.csv	JoeSecurity_Mamba2FA	Yara detected Mamba 2FA PaaS	Joe Security
2.6.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
2.7.pages.csv	JoeSecurity_Mamba2FA	Yara detected Mamba 2FA PaaS	Joe Security
2.7.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
Click to see the 5 entries

Suricata Signatures

ET PHISHING Javascript Browser Fingerprinting POST Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T16:38:54.389259+0100	2056643	2	Possible Social Engineering Attempted	192.168.2.17	49786	162.241.203.10	443	TCP
2025-03-19T16:40:12.249211+0100	2056643	2	Possible Social Engineering Attempted	192.168.2.17	50030	162.241.203.10	443	TCP

ET PHISHING MAMBA Credential Phish Landing Page 2024-11-08

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T16:38:53.215590+0100	2057333	1	Successful Credential Theft Detected	192.168.2.17	49778	162.241.203.10	443	TCP

Joe Sandbox Signatures

• Phishing
• Compliance
• Software Vulnerabilities
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: https://vardhadevelco.com/365confirmation.php	Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is a well-known global technology company., The URL 'vardhadevelco.com' does not match the legitimate domain 'microsoft.com'., The URL does not contain any recognizable association with Microsoft., The domain name 'vardhadevelco.com' appears unrelated to Microsoft and could be a phishing attempt., No subdomain or URL structure indicates a legitimate Microsoft service or product. DOM: 0.0.pages.csv
Source: https://x2bm.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPU5HZHVRMFU9JnVpZD1VU0VSMjQwMjIwMjVVMTkwMjI0MTA=N0123Nbillg@microsoft.com	Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'x2bm.com' does not match the legitimate domain for Microsoft., The URL 'x2bm.com' does not contain any recognizable association with Microsoft., The URL is short and lacks any clear indication of being related to Microsoft, which is suspicious., No subdomains or recognizable brand elements are present in the URL. DOM: 2.4.pages.csv

Yara detected HtmlPhish10

Source: Yara match	File source: 2.3.pages.csv, type: HTML
Source: Yara match	File source: 2.4.pages.csv, type: HTML
Source: Yara match	File source: 2.5.pages.csv, type: HTML
Source: Yara match	File source: 2.6.pages.csv, type: HTML
Source: Yara match	File source: 2.7.pages.csv, type: HTML

Yara detected Mamba 2FA PaaS

Source: Yara match	File source: 2.3.pages.csv, type: HTML
Source: Yara match	File source: 2.4.pages.csv, type: HTML
Source: Yara match	File source: 2.5.pages.csv, type: HTML
Source: Yara match	File source: 2.6.pages.csv, type: HTML
Source: Yara match	File source: 2.7.pages.csv, type: HTML

AI detected landing page (webpage, office document or email)

Source: https://vardhadevelco.com/365confirmation.php

Joe Sandbox AI: Page contains button: 'Verify it's you' Source: '0.0.pages.csv'

AI detected suspicious Javascript

Source: 2.2..script.csv

Joe Sandbox AI: Detected suspicious JavaScript with source url: https://x2bm.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPU5HZH... The script uses the 'Function' constructor to execute dynamic code, which is a high-risk indicator of potential malicious behavior. This allows for the execution of arbitrary JavaScript, which could be used to perform harmful actions.

HTML page contains suspicious onload / onerror event