Loading... Additional Content is being loaded

Windows Analysis Report
http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

Overview

General Information

Sample URL:	http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php
Analysis ID:	1521839
Tags:	openphish
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Detected non-DNS traffic on DNS port

HTML body contains low number of good links

HTML title does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Suricata IDS alerts with low severity for network traffic

Suspicious form URL found

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Multi AV Scanner detection for domain / URL

Source: aichappraisers.com	Virustotal: Detection: 8%			Perma Link
Source: www.aichappraisers.com	Virustotal: Detection: 10%			Perma Link

Multi AV Scanner detection for submitted file

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

Virustotal: Detection: 16%

HTML body contains low number of good links

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

HTTP Parser: Number of links: 0

HTML title does not match URL

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

HTTP Parser: Title: | does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

HTTP Parser: Has password / email / username input fields

Suspicious form URL found

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: Form action: post.php
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: Form action: post.php
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: Form action: post.php
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: Form action: post.php
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: Form action: post.php

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

HTTP Parser: <input type="password" .../> found

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="author".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="author".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="author".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="author".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="author".. found

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="copyright".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="copyright".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="copyright".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="copyright".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.4:49746 version: TLS 1.2

Detected non-DNS traffic on DNS port

Source: global traffic

TCP traffic: 192.168.2.4:53854 -> 162.159.36.2:53

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2025231 - Severity 2 - ET PHISHING Multiple Javascript Unescapes - Common Obfuscation Observed in Phish Landing : 192.185.157.252:80 -> 192.168.2.4:49735

Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 29 Sep 2024 02:31:37 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveVary: Accept-EncodingContent-Encoding: gzipContent-Length: 2575Keep-Alive: timeout=5, max=75Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 d5 52 5d 73 da 48 16 7d 0e bf 82 b0 a5 b2 3d 13 59 42 42 08 36 98 2a c0 22 b3 55 99 da 87 4c fc de a8 5b d0 b6 d4 d2 b6 ba 6d e3 5f bf b7 3f 00 c9 06 e2 6c f6 61 b7 8d 25 f5 b9 df e7 9e ce 64 23 8a 7c da 99 6c 08 c2 f0 aa 53 4e 2b d1 15 db 8a dc f4 04 79 16 de 3d 7a 44 06 ed 81 fd a3 eb 76 70 99 ca 82 30 71 fd c4 a9 20 97 92 91 3a 45 15 b9 bc 70 c2 85 a0 22 27 4e 98 38 32 8e c2 c8 91 d1 3c f2 1d 39 f6 67 80 0c 92 e5 d0 91 a3 f9 5c 59 97 c3 c4 89 17 4e a0 ac b3 d1 42 e1 8b 3e 24 f0 f6 19 fc 99 fa 85 8b 9c b2 07 f0 e3 24 77 c2 5b 27 08 68 5a 32 78 01 b4 e1 24 33 58 46 73 52 7b 14 5f 57 6c 6d 6c 35 7d 21 b5 31 f6 c3 e7 7e 68 50 35 97 cd 52 a0 35 f1 ac fb be 9a 2e e8 29 2e 2c 16 2e 56 25 de 42 64 81 f8 9a b2 0d a1 eb 8d 30 19 7c 93 d2 18 9e 28 16 9b 16 2e ca ca 98 5a e8 aa 14 a2 2c 8e 18 b8 4a 7c 04 cf 49 76 14 56 a4 68 c0 09 c2 70 19 8d 67 03 63 40 27 2d 8f 27 2c 0d aa 05 5a 01 f7 81 df 98 a6 ef 43 c5 c8 f2 dd 98 de 20 29 c9 f3 ba 42 29 05 1e 0f ed 35 33 72 75 83 37 7e 15 1f ee 08 59 a7 65 5e f2 7d 5f be 3e ed a5 8c 8f b7 b6 1f 78 6d b9 49 41 94 84 db d8 5d ed fd 62 4d 9a dd 62 f5 8d 16 6b 25 15 9e 36 55 54 20 9a 1f 74 d4 a8 37 f0 df d2 10 c4 8d 56 c7 5a bf f8 68 d5 56 a6 68 df e3 29 f7 46 c6 ac 64 02 c2 33 94 5a e9 7e 95 29 c5 08 a0 2f 1c 31 0c a4 2c e0 7b 0f 7e 43 ac 86 d7 77 46 d3 f2 84 51 41 b7 e4 1e dd c9 16 74 47 38 46 0c 99 4b 0d b0 5b 13 4e 33 33 74 4d 5f 6c 79 2b a7 f6 da 32 7d 5a 5c c8 38 0a 23 47 46 f3 c8 77 e4 d8 9f 25 8e 1c 24 cb a1 23 47 f3 39 7c c7 cb 61 83 35 3d e4 1b 1a 2f ae ae 3e 77 3c cf 75 a7 9d 89 57 a7 9c 56 62 da b1 e7 c3 44 e0 ae e6 f4 a6 37 f2 fd de 14 10 4c 1f bb 5a 0f 37 3d ae 76 a4 41 d4 dd 70 92 dd f4 7a dd 5a 6c 73 72 d3 13 e4 59 b8 98 a4 25 47 82 96 ec ef ac 64 44 7b aa 26 ba 8a e7 9b 9e 61 ac 6b 18 fe d4 b5 57 c5 55 d7 32 db 02 3f 75 0d 9f f6 62 99 fc d4 3d b0 08 d5 81 c1 9b de a0 d7 d5 cc dd f4 fe 66 38 53 95 3f 4c 34 01 aa 07 0f e9 27 4c a2 df 02 ab 81 27 66 f6 ae d8 56 b6 7f ef 1e 3d 22 83 42 82 c9 47 d7 ed e0 32 95 05 61 e2 fa 89 53 41 2e 25 23 75 8a 2a 72 79 f1 73 02 3c a3 44 a5 20 c5 e5 6e eb 2d e1 d3 62 ad 64 c2 53 63 cd 68 4e 6a 8f e2 eb 8a ad 8d 60 1a e5 83 91 81 36 44 6d a9 8d ad 4a 8e 89 15 96 ff aa 86 87 de 6a a4 d9 ae 27 f8 6e 2a b4 ca c9 c1 ba 77 de fb 1c 19 58 b9 ed 12 68 c2 9a ed 0d 7d db de ba 2d fc a5 3e af e9 3c c7 eb d9 32 ef 28 d2 5c 8f 9e b2 45 ed 30 b2 8d a2 9c ae 99 c1 52 50 05 50 aa e1 94 e4 79 5d a1 94 c2 5a de 70 bc 4b 7b e8 ae 41 b7 52 28 24 c8 50 4a 4c e4 57 99 52 ac 34 f1 85 23 86 a1 8f 05 7c ef c1 6f 88 d5 f0 fa ce 68 5a 9e 30 2a e8 96 dc a3 3b d9 82 ee 08 c7 88 21 73 a9 01 76 6b c2 69 66 fa af e9 8b 2d ff bb 25 ab 4d 55 b8 8c c6 b3 41 4b 37 32 4a fa be 23 87 41 18 3b 72 3c 1b 2d 1c 39 9a 2f

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /wp-admin/pilgrim/upload/en.php HTTP/1.1Host: www.aichappraisers.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-admin/pilgrim/upload/files/mail.png HTTP/1.1Host: www.aichappraisers.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-admin/pilgrim/upload/files/id.png HTTP/1.1Host: www.aichappraisers.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-admin/pilgrim/upload/files/mail.png HTTP/1.1Host: www.aichappraisers.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-admin/pilgrim/upload/files/id.png HTTP/1.1Host: www.aichappraisers.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.aichappraisers.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 53860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53860
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: classification engine

Classification label: mal64.win@16/10@8/6

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1996,i,6011880305847496289,151698508360679670,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1996,i,6011880305847496289,151698508360679670,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.185.68	www.google.com	United States		15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved		unknown	unknown	false
192.185.157.252	aichappraisers.com	United States		46606	UNIFIEDLAYER-AS-1US	false
216.58.206.36	unknown	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.6

Contacted Domains

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.214.172	true
www.google.com	142.250.185.68	true
aichappraisers.com	192.185.157.252	true
fp2e7a.wpc.phicdn.net	192.229.221.95	true
206.23.85.13.in-addr.arpa	unknown	unknown
www.aichappraisers.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	true		unknown
http://www.aichappraisers.com/wp-admin/pilgrim/upload/files/mail.png	false		unknown
http://www.aichappraisers.com/wp-admin/pilgrim/upload/files/id.png	false		unknown

Name	Type	MD5	SHA1	SHA256
Chrome Cache Entry: 45	PNG image data, 200 x 200, 8-bit/color RGBA, non-interlaced	20012B70E82C499B433B37B2A98B9079	847A4AA7495440EECA16EB6211EC72C7DEA2E22B	272C9A8EE9FAF4BB46B70403CDA777CE98F24FD48B2083EE133478461261D5DD
Chrome Cache Entry: 46	gzip compressed data, from Unix, original size modulo 2^32 7878	563EBF27777132D65E6D9C262C97E8AF	7024C07F594E670A2D8A8D420B5DE31A4DED8033	19A0887942CC9E7B54CEA62951A7B73B4F441A8E80220FB0EF97EAF1362CCB74
Chrome Cache Entry: 47	PNG image data, 312 x 214, 8-bit/color RGBA, non-interlaced	23F7E3555145F8B35F9187347E80B490	30BE3577BA0615B4A350FFEDE5BAB43332B7CEDF	E11A6773A10302F1D4A38C34B58395884C4AD628FF0F7842AA03FBA5E8E50AB1
Chrome Cache Entry: 48	PNG image data, 200 x 200, 8-bit/color RGBA, non-interlaced	20012B70E82C499B433B37B2A98B9079	847A4AA7495440EECA16EB6211EC72C7DEA2E22B	272C9A8EE9FAF4BB46B70403CDA777CE98F24FD48B2083EE133478461261D5DD
Chrome Cache Entry: 49	ASCII text, with no line terminators	344EB8D19F5C0A3435EF32FD9601F1FB	E082EB1D89D91CC1A25A1D510268E576109DA07E	B44289B54959639FCA6A742F7CC2E2A5AF9C6E7B73C1B3E25227CA9790F3A587
Chrome Cache Entry: 50	PNG image data, 312 x 214, 8-bit/color RGBA, non-interlaced	23F7E3555145F8B35F9187347E80B490	30BE3577BA0615B4A350FFEDE5BAB43332B7CEDF	E11A6773A10302F1D4A38C34B58395884C4AD628FF0F7842AA03FBA5E8E50AB1

AV Detection

Antivirus / Scanner detection for submitted sample

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Multi AV Scanner detection for domain / URL

Source: aichappraisers.com	Virustotal: Detection: 8%			Perma Link
Source: www.aichappraisers.com	Virustotal: Detection: 10%			Perma Link

Multi AV Scanner detection for submitted file

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

Virustotal: Detection: 16%

HTML body contains low number of good links

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

HTTP Parser: Number of links: 0

HTML title does not match URL

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

HTTP Parser: Title: | does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

HTTP Parser: Has password / email / username input fields

Suspicious form URL found

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: Form action: post.php
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: Form action: post.php
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: Form action: post.php
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: Form action: post.php
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: Form action: post.php

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php

HTTP Parser: <input type="password" .../> found

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="author".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="author".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="author".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="author".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="author".. found

Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="copyright".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="copyright".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="copyright".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="copyright".. found
Source: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.4:49746 version: TLS 1.2

Detected non-DNS traffic on DNS port

Source: global traffic

TCP traffic: 192.168.2.4:53854 -> 162.159.36.2:53

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2025231 - Severity 2 - ET PHISHING Multiple Javascript Unescapes - Common Obfuscation Observed in Phish Landing : 192.185.157.252:80 -> 192.168.2.4:49735

Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.244.127
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 29 Sep 2024 02:31:37 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveVary: Accept-EncodingContent-Encoding: gzipContent-Length: 2575Keep-Alive: timeout=5, max=75Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 d5 52 5d 73 da 48 16 7d 0e bf 82 b0 a5 b2 3d 13 59 42 42 08 36 98 2a c0 22 b3 55 99 da 87 4c fc de a8 5b d0 b6 d4 d2 b6 ba 6d e3 5f bf b7 3f 00 c9 06 e2 6c f6 61 b7 8d 25 f5 b9 df e7 9e ce 64 23 8a 7c da 99 6c 08 c2 f0 aa 53 4e 2b d1 15 db 8a dc f4 04 79 16 de 3d 7a 44 06 ed 81 fd a3 eb 76 70 99 ca 82 30 71 fd c4 a9 20 97 92 91 3a 45 15 b9 bc 70 c2 85 a0 22 27 4e 98 38 32 8e c2 c8 91 d1 3c f2 1d 39 f6 67 80 0c 92 e5 d0 91 a3 f9 5c 59 97 c3 c4 89 17 4e a0 ac b3 d1 42 e1 8b 3e 24 f0 f6 19 fc 99 fa 85 8b 9c b2 07 f0 e3 24 77 c2 5b 27 08 68 5a 32 78 01 b4 e1 24 33 58 46 73 52 7b 14 5f 57 6c 6d 6c 35 7d 21 b5 31 f6 c3 e7 7e 68 50 35 97 cd 52 a0 35 f1 ac fb be 9a 2e e8 29 2e 2c 16 2e 56 25 de 42 64 81 f8 9a b2 0d a1 eb 8d 30 19 7c 93 d2 18 9e 28 16 9b 16 2e ca ca 98 5a e8 aa 14 a2 2c 8e 18 b8 4a 7c 04 cf 49 76 14 56 a4 68 c0 09 c2 70 19 8d 67 03 63 40 27 2d 8f 27 2c 0d aa 05 5a 01 f7 81 df 98 a6 ef 43 c5 c8 f2 dd 98 de 20 29 c9 f3 ba 42 29 05 1e 0f ed 35 33 72 75 83 37 7e 15 1f ee 08 59 a7 65 5e f2 7d 5f be 3e ed a5 8c 8f b7 b6 1f 78 6d b9 49 41 94 84 db d8 5d ed fd 62 4d 9a dd 62 f5 8d 16 6b 25 15 9e 36 55 54 20 9a 1f 74 d4 a8 37 f0 df d2 10 c4 8d 56 c7 5a bf f8 68 d5 56 a6 68 df e3 29 f7 46 c6 ac 64 02 c2 33 94 5a e9 7e 95 29 c5 08 a0 2f 1c 31 0c a4 2c e0 7b 0f 7e 43 ac 86 d7 77 46 d3 f2 84 51 41 b7 e4 1e dd c9 16 74 47 38 46 0c 99 4b 0d b0 5b 13 4e 33 33 74 4d 5f 6c 79 2b a7 f6 da 32 7d 5a 5c c8 38 0a 23 47 46 f3 c8 77 e4 d8 9f 25 8e 1c 24 cb a1 23 47 f3 39 7c c7 cb 61 83 35 3d e4 1b 1a 2f ae ae 3e 77 3c cf 75 a7 9d 89 57 a7 9c 56 62 da b1 e7 c3 44 e0 ae e6 f4 a6 37 f2 fd de 14 10 4c 1f bb 5a 0f 37 3d ae 76 a4 41 d4 dd 70 92 dd f4 7a dd 5a 6c 73 72 d3 13 e4 59 b8 98 a4 25 47 82 96 ec ef ac 64 44 7b aa 26 ba 8a e7 9b 9e 61 ac 6b 18 fe d4 b5 57 c5 55 d7 32 db 02 3f 75 0d 9f f6 62 99 fc d4 3d b0 08 d5 81 c1 9b de a0 d7 d5 cc dd f4 fe 66 38 53 95 3f 4c 34 01 aa 07 0f e9 27 4c a2 df 02 ab 81 27 66 f6 ae d8 56 b6 7f ef 1e 3d 22 83 42 82 c9 47 d7 ed e0 32 95 05 61 e2 fa 89 53 41 2e 25 23 75 8a 2a 72 79 f1 73 02 3c a3 44 a5 20 c5 e5 6e eb 2d e1 d3 62 ad 64 c2 53 63 cd 68 4e 6a 8f e2 eb 8a ad 8d 60 1a e5 83 91 81 36 44 6d a9 8d ad 4a 8e 89 15 96 ff aa 86 87 de 6a a4 d9 ae 27 f8 6e 2a b4 ca c9 c1 ba 77 de fb 1c 19 58 b9 ed 12 68 c2 9a ed 0d 7d db de ba 2d fc a5 3e af e9 3c c7 eb d9 32 ef 28 d2 5c 8f 9e b2 45 ed 30 b2 8d a2 9c ae 99 c1 52 50 05 50 aa e1 94 e4 79 5d a1 94 c2 5a de 70 bc 4b 7b e8 ae 41 b7 52 28 24 c8 50 4a 4c e4 57 99 52 ac 34 f1 85 23 86 a1 8f 05 7c ef c1 6f 88 d5 f0 fa ce 68 5a 9e 30 2a e8 96 dc a3 3b d9 82 ee 08 c7 88 21 73 a9 01 76 6b c2 69 66 fa af e9 8b 2d ff bb 25 ab 4d 55 b8 8c c6 b3 41 4b 37 32 4a fa be 23 87 41 18 3b 72 3c 1b 2d 1c 39 9a 2f

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /wp-admin/pilgrim/upload/en.php HTTP/1.1Host: www.aichappraisers.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-admin/pilgrim/upload/files/mail.png HTTP/1.1Host: www.aichappraisers.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-admin/pilgrim/upload/files/id.png HTTP/1.1Host: www.aichappraisers.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-admin/pilgrim/upload/files/mail.png HTTP/1.1Host: www.aichappraisers.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-admin/pilgrim/upload/files/id.png HTTP/1.1Host: www.aichappraisers.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.aichappraisers.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 53860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53860
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.244.127:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: classification engine

Classification label: mal64.win@16/10@8/6

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1996,i,6011880305847496289,151698508360679670,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://www.aichappraisers.com/wp-admin/pilgrim/upload/en.php"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1996,i,6011880305847496289,151698508360679670,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected