URL: https://viewstripo.email/template/69b6c1d6-360b-47af-bbec-994db5af551a

Full analysis: https://app.any.run/tasks/a7cb69f2-5a83-468a-bc9f-a39a49f5df70
Verdict: Malicious activity
Analysis date: May 20, 2022, 18:55:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: phishing
Indicators:
MD5: F628D62CE82E6AE66F3B9093B8B5075C
SHA1: 6DBB56D760CB5E3E55C379170FDE49BBF5C761DD
SHA256: 241B30A1C1E9F56FC47152EE7E89506BA34C6A1E6BC132B8A4087DCCCA7922B4
SSDEEP: 3:N8PLxUEmM2IRODhcRDMBE:2P521cRDyE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Phishing background detected
      • iexplore.exe (PID: 3396)
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 3396)
  • INFO
    • Reads the computer name
      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 3028)
      • iexplore.exe (PID: 3396)
    • Checks supported languages
      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 3028)
      • iexplore.exe (PID: 3396)
    • Changes internet zones settings
      • iexplore.exe (PID: 3028)
    • Application launched itself
      • iexplore.exe (PID: 3028)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3028)
      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 3396)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 3028)
      • iexplore.exe (PID: 3396)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3028)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 3396)
    • Creates files in the user directory
      • iexplore.exe (PID: 3028)
      • iexplore.exe (PID: 3396)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3028)
    • Dropped object may contain Bitcoin addresses
      • iexplore.exe (PID: 3028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start iexplore.exe iexplore.exe iexplore.exe

Process information

PID: 3028
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://viewstripo.email/template/69b6c1d6-360b-47af-bbec-994db5af551a"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3480
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3028 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3396
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3028 CREDAT:3609877 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 20 758
Read events: 20 578
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 20
Text files: 48
Unknown types: 15

Dropped files

PID: 3480, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5: 7550C345AC10D2F3A53A842FFF0C2F48
SHA256: 1F007968352EB1E973C2606C4A3461C31DBF3770CD9B4E59839975D2736A71C2

PID: 3480, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02
MD5: 163FB111D0909AFFADEB4944D807517A
SHA256: C4DBCA1277060CE788CC8609BE2CDF33BE7B93895E5CAE87951C7E03DDFA1E3D

PID: 3480, Process: iexplore.exe, Type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9
MD5: FB55008D5753F218C572D6845F73E063
SHA256: 0FA825B66CA08110C0A45D7445A59438CDADFCAD8EAF9A9116E1993E287356B0

PID: 3480, Process: iexplore.exe, Type: html
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\69b6c1d6-360b-47af-bbec-994db5af551a[1].htm
MD5: E5611D2F1955589B530716ED63AD1713
SHA256: 7B30BF54EB544397BE87BDD4200ED1A87CFBDC347112893EEEB344608EDA0C26

PID: 3480, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5: 338FBA9A6B96A07EFBA08D548D35E2A9
SHA256: B4B8DBAF879B5189452D62474BEC7DD357093B0B4B713D4514F5181194CDCB7E

PID: 3480, Process: iexplore.exe, Type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3538626A1FCCCA43C7E18F220BDD9B02
MD5: C8888F31FD1FF065E9EB8B693FA9DD91
SHA256: 04EF9B7DB3CB7FDE61CC3583A5E69CEB1E2785540132E3D8B17AF476FCD3AC11

PID: 3028, Process: iexplore.exe, Type: der
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5: AC8FE9D561E9E7288AECF13F03AEA3D1
SHA256: CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05

PID: 3028, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5: E1EF4891DEA6D81536BAA8B22390D515
SHA256: 5A201A79D43E8DBEEDC215960FB3652069BEBB1FFCB9F07367B072223CBE741A

PID: 3480, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9
MD5: EBA96C811A613374EDD37C7E60731BD2
SHA256: 8654D74C0EDDF371D29E2387430D49B57EC77BD5630BD384C81569AC757CDEC3

PID: 3028, Process: iexplore.exe, Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5: 86134AB5B619F27A62590161561A83F0
SHA256: CD8AF04A9E273E996D9D160DBE6B0D5E7349D8DDAB0D1F67638CA15029921AA1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 84
DNS requests: 29
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3480 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl | US | der | 978 b | whitelisted
3480 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6973aa0a37a4c3a8 | US | compressed | 4.70 Kb | whitelisted
3396 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAF9LxfeRoa0ZPqxq7Z2wf0%3D | US | der | 471 b | whitelisted
3396 | iexplore.exe | GET | 200 | 195.138.255.18:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNDEJw8XjLXZHnIGDjxL10YiQ%3D%3D | DE | der | 503 b | shared
3396 | iexplore.exe | GET | 200 | 96.16.145.230:80 | http://x1.c.lencr.org/ | US | der | 717 b | whitelisted
3480 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
3480 | iexplore.exe | GET | 200 | 172.64.155.188:80 | http://crl.comodoca.com/AAACertificateServices.crl | US | der | 506 b | whitelisted
3396 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted
3028 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
3396 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA9bw6F2y3ieICDHiTyBZ7Q%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3480 | iexplore.exe | 104.18.32.68:80 | ocsp.comodoca.com | Cloudflare Inc | US | suspicious
3028 | iexplore.exe | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3480 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted
3480 | iexplore.exe | 172.64.155.188:80 | ocsp.comodoca.com | (not listed) | US | suspicious
3480 | iexplore.exe | 52.208.21.62:443 | viewstripo.email | Amazon.com, Inc. | IE | suspicious
(not listed) | (not listed) | 172.64.155.188:80 | ocsp.comodoca.com | (not listed) | US | suspicious
3028 | iexplore.exe | 52.208.21.62:443 | viewstripo.email | Amazon.com, Inc. | IE | suspicious
3028 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3396 | iexplore.exe | 192.185.98.250:443 | wonelect.gq | CyrusOne LLC | US | suspicious
3480 | iexplore.exe | 88.198.151.113:443 | rqvhlz.stripocdn.email | Hetzner Online GmbH | DE | suspicious

DNS requests

Domain | IP | Reputation
viewstripo.email | 52.208.21.62 | whitelisted
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted
ocsp.comodoca.com | 104.18.32.68, 172.64.155.188 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
crl.comodoca.com | 172.64.155.188, 104.18.32.68 | whitelisted
ocsp.usertrust.com | 172.64.155.188, 104.18.32.68 | whitelisted
crl.usertrust.com | 172.64.155.188, 104.18.32.68 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted

Threats

PID | Process | Class | Message
(not listed) | (not listed) | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .gq Domain
3396 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (*.gq) in TLS SNI
3396 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gq)
3396 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gq)
3028 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gq)
3028 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gq)
3396 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (*.gq) in TLS SNI
No debug info