IOC Report
https://cloud.rs-karnobat.org/index.php/s/L3Ss49AjjxwFWSA

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 12:03:19 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 12:03:18 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 12:03:18 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 12:03:19 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 12:03:18 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Chrome Cache Entry: 175

ASCII text, with very long lines (3225)

downloaded

Chrome Cache Entry: 176

HTML document, Unicode text, UTF-8 text, with very long lines (1136)

dropped

Chrome Cache Entry: 178

ASCII text, with very long lines (65536), with no line terminators

downloaded

Chrome Cache Entry: 179

JSON data

downloaded

Chrome Cache Entry: 182

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 184

ASCII text, with very long lines (65325)

downloaded

Chrome Cache Entry: 186

MS Windows icon resource - 3 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel

dropped

Chrome Cache Entry: 187

TrueType Font data, digitally signed, 19 tables, 1st "DSIG", 28 names, Macintosh, Digitized data copyright \251 2010-2011, Google Corporation.Open SansLight1.10;1ASC;OpenSans-Lig

downloaded

Chrome Cache Entry: 192

TrueType Font data, digitally signed, 19 tables, 1st "DSIG", 26 names, Macintosh, Digitized data copyright \251 2010-2011, Google Corporation.Open SansBold1.10;1ASC;OpenSans-Bold

downloaded

Chrome Cache Entry: 194

ASCII text

downloaded

Chrome Cache Entry: 198

ASCII text, with CRLF line terminators

downloaded

Chrome Cache Entry: 200

ASCII text

downloaded

Chrome Cache Entry: 201

ASCII text

downloaded

Chrome Cache Entry: 207

ASCII text

dropped

Chrome Cache Entry: 209

ASCII text

downloaded

Chrome Cache Entry: 212

ASCII text, with very long lines (1612)

downloaded

Chrome Cache Entry: 214

Unicode text, UTF-8 text, with CRLF line terminators

downloaded

Chrome Cache Entry: 217

MS Windows icon resource - 4 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel

downloaded

Chrome Cache Entry: 219

ASCII text

downloaded

Chrome Cache Entry: 220

ASCII text, with very long lines (22367), with no line terminators

downloaded

Chrome Cache Entry: 223

PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 225

ASCII text, with very long lines (3344), with no line terminators

downloaded

Chrome Cache Entry: 226

HTML document, Unicode text, UTF-8 text, with very long lines (617), with CRLF, LF line terminators

downloaded

Chrome Cache Entry: 227

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 228

PNG image data, 90 x 90, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 229

ASCII text

dropped

There are 23 hidden files, click here to show them.

URLs

Name

IP

Malicious

https://cloud.rs-karnobat.org/index.php/s/L3Ss49AjjxwFWSA

Details

Filetype:	URL
Filename:	https://cloud.rs-karnobat.org/index.php/s/L3Ss49AjjxwFWSA

Signature Hits	Behavior Group	Mitre Attack
Form action URLs do not match main URL	Phishing
HTML body contains low number of good links	Phishing
HTML body contains password input but no form action	Phishing
HTML body with high number of large embedded background images detected	Phishing
HTML title does not match URL	Phishing
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Creates files inside the user directory	System Summary	Masquerading
HTML body contains password input	Phishing
HTML page is missing a favicon	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing
Performs DNS lookups	Networking	Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking	Application Layer Protocol
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis		Encrypted Channel
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://cloud.rs-karnobat.org/index.php/s/L3Ss49AjjxwFWSA/authenticate/showshare

Details

Name:	https://cloud.rs-karnobat.org/index.php/s/L3Ss49AjjxwFWSA/authenticate/showshare
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
Form action URLs do not match main URL	Phishing
HTML body contains low number of good links	Phishing
HTML body contains password input but no form action	Phishing
HTML body with high number of large embedded background images detected	Phishing
HTML title does not match URL	Phishing
HTML body contains password input	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing

https://karnobat-rs.justice.bg/bg/7536

https://karnobat-rs.justice.bg/

Domains

Name

IP

Malicious

karnobat-rs.justice.bg

212.122.184.119

Details

Name:	karnobat-rs.justice.bg
IP:	212.122.184.119
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

cloud.rs-karnobat.org

83.228.101.169

Details

Name:	cloud.rs-karnobat.org
IP:	83.228.101.169
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

www3.l.google.com

172.217.16.206

maxcdn.bootstrapcdn.com

104.18.10.207

Details

Name:	maxcdn.bootstrapcdn.com
IP:	104.18.10.207
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

www.google.com

142.250.186.132

Details

Name:	www.google.com
IP:	142.250.186.132
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

translate.google.com

unknown

IPs

IP

Domain

Country

Malicious

142.250.186.35

unknown

United States

142.250.186.46

unknown

United States

104.18.10.207

maxcdn.bootstrapcdn.com

United States

216.58.212.138

unknown

United States

172.217.16.206

www3.l.google.com

United States

192.168.2.16

unknown

unknown

142.250.185.234

unknown

United States

216.58.206.42

unknown

United States

142.250.185.238

unknown

United States

142.250.181.234

unknown

United States

142.250.185.106

unknown

United States

216.58.206.35

unknown

United States

142.251.168.84

unknown

United States

142.250.181.227

unknown

United States

83.228.101.169

cloud.rs-karnobat.org

Bulgaria

239.255.255.250

unknown

Reserved

142.250.185.131

unknown

United States

212.122.184.119

karnobat-rs.justice.bg

Bulgaria

142.250.186.131

unknown

United States

142.250.186.132

www.google.com

United States

172.217.18.10

unknown

United States

142.250.184.234

unknown

United States

172.217.16.132

unknown

United States

There are 13 hidden IPs, click here to show them.