Windows
Analysis Report
https://www.oyabarista.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPU5ITnVVMmM9JnVpZD1VU0VSMDQwMzIwMjVVMjkwMzA0MDM=N0123Ninfo@kostal.com
Overview
General Information
Detection
HTMLPhisher, Mamba2FA
Score | Range | Confidence |
---|---|---|
96 | 0 - 100 | 100% |
Signatures
AI detected phishing page
Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected HtmlPhish10
Yara detected Mamba 2FA PaaS
AI detected suspicious Javascript
HTML page contains suspicious onload / onerror event
Creates files inside the system directory
Deletes files inside the Windows folder
Detected hidden input values containing email addresses (often used in phishing pages)
HTML body contains low number of good links
HTML body contains password input but no form action
HTML page contains hidden javascript code
HTML title does not match URL
Invalid 'forgot password' link found
Invalid T&C link found
No HTML title found
Suricata IDS alerts with low severity for network traffic
URL contains potential PII (phishing indication)
Classification
- System is w10x64
- chrome.exe (PID: 2956 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
- chrome.exe (PID: 6872 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2052,i,12725820562715277993,14582703269513856104,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2080 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
- chrome.exe (PID: 7644 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2052,i,12725820562715277993,14582703269513856104,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5032 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)
- chrome.exe (PID: 7848 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.oyabarista.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPU5ITnVVMmM9JnVpZD1VU0VSMDQwMzIwMjVVMjkwMzA0MDM=N0123Ninfo@kostal.com" MD5: E81F54E6C1129887AEA47E7D092680BF)
- cleanup
{
"sv": "o365_1_nom",
"rand": "NHNuU2c=",
"uid": "USER04032025U29030403"
}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Mamba2FA | Yara detected Mamba 2FA PaaS | Joe Security | |
| | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security | |
| | JoeSecurity_Mamba2FA | Yara detected Mamba 2FA PaaS | Joe Security | |
| | JoeSecurity_Mamba2FA | Yara detected Mamba 2FA PaaS | Joe Security | |
| | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security | |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-27T14:41:19.812852+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49732 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:41:42.913312+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49773 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:41:46.737180+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49774 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:41:49.861428+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49785 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:41:53.108461+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49797 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:41:56.201164+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49808 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:41:59.264797+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49819 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:42:02.595155+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49830 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:42:05.820985+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49841 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:42:09.355526+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49852 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:42:13.142082+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49863 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:42:16.443109+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49877 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:42:20.259544+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49889 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:42:23.917746+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49907 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:42:27.796430+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49918 | 104.21.70.232 | 443 | TCP |
2025-03-27T14:42:31.101630+0100 | 2056643 | 2 | Possible Social Engineering Attempted | 192.168.2.5 | 49930 | 104.21.70.232 | 443 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-27T14:41:18.161651+0100 | 2057333 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49727 | 104.21.70.232 | 443 | TCP |
- AV Detection
- Phishing
- Compliance
- Networking
- System Summary
AV Detection |
---|
Source: Avira URL Cloud |
Source: Malware Configuration Extractor |
Phishing |
---|
Source: Joe Sandbox AI |
Source: File source |
Source: HTTP Parser |