download: | index.html |
Full analysis: | https://app.any.run/tasks/2bc36026-3b10-487d-8359-c1ee767bf59e |
Verdict: | Malicious activity |
Analysis date: | March 14, 2019, 16:12:26 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/html |
File info: | HTML document, UTF-8 Unicode text, with very long lines |
MD5: | A4413181C389D97C9B4D90D1935F5EE4 |
SHA1: | B0ABD4220AA8D4A9726FAE66028E40925E76B54D |
SHA256: | 55E51F8E6ED9E5C55DFD94A21738836DF467E0972B2BA4F7D2C36C7B60D2E355 |
SSDEEP: | 768:ddcNTcpNv+r5AZpUxnHeCb4f1u0eywO0H+UJF++MBrQSfBFY2gaRh:ddv6nEBrQSfBFnh |
.html | | | HyperText Markup Language (100) |
---|
Generator: | blogger |
---|---|
msapplicationNavbuttonColor: | #eeeeee |
themeColor: | #eeeeee |
ContentType: | text/html; charset=UTF-8 |
Title: | rerevonlo1979 |
viewport: | width=device-width, initial-scale=1 |
Refresh: | 0;URL=http://atbfinance.top/de.html |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2980 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\index.html | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3428 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2980 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3208 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2980 CREDAT:137473 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2980 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2980 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF08C644523BEC2647.TMP | — | |
MD5:— | SHA256:— | |||
3428 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315\index.dat | dat | |
MD5:97CA17F80044BA356B6E8034B1FA56E3 | SHA256:73C611819016898636B3A9F4CD8B45DF968597C8A9F09ABDFC00B38495424C3F | |||
3208 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\normalize[1].css | text | |
MD5:76480F1DE6C45C3D040E7DF32A06D25B | SHA256:4090F15B3A390B449AA086C2C85CFECE7DF7EDC8A20B1670F242922C68372082 | |||
3208 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\prl_kersotar_club[1].htm | html | |
MD5:F69B1FB7CEEF94116C88B2A6C442A41B | SHA256:74BF4BBFE2B45700A082D502C9D64663BBEECCB163ADB25EB9EE19D17AD8451D | |||
3208 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\comments[1].css | text | |
MD5:08E46A396D394D6FEF0C97D1000DEAFE | SHA256:19556B0E42F555478A82612D6F706C5BD3A0344507549B33A3659C702D0666A4 | |||
3208 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\z[1].jpg | image | |
MD5:DCE3ADB09B53F2ACF0B7B39705B2F903 | SHA256:BD23F511F35CD6FDB4513E7EA4AE8F9F8681EE84065F6BAFA8AB0DEC2DF94B63 | |||
3208 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\article[1].css | text | |
MD5:B62111AD8A85460B103AF07F1532D0F6 | SHA256:F93AD8150B458EE1F7041BEA76D01F50D24E6E01F9B7A80F092EB143626F831C | |||
2980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{328C00E0-4674-11E9-AA93-5254004A04AF}.dat | binary | |
MD5:7603D955FC1B3436EB28C4EC5B692AC5 | SHA256:0A0D3BC114A37170BB680053DD974CE2DE4B861EDBA62533FCDCFF089A8CECAD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3208 | iexplore.exe | GET | 302 | 104.27.129.17:80 | http://vip.kersotar.club/tracker?offer_id=2560&aff_id=225&pl=518:100&cb=1 | US | — | — | suspicious |
3208 | iexplore.exe | GET | 200 | 49.51.152.181:80 | http://atbfinance.top/de.html | CN | html | 149 b | suspicious |
3208 | iexplore.exe | GET | 200 | 104.27.129.17:80 | http://prl.kersotar.club/prelands/518/css/normalize.css | US | text | 859 b | suspicious |
3208 | iexplore.exe | GET | 200 | 104.27.129.17:80 | http://prl.kersotar.club/prelands/518/css/print.css | US | text | 1.42 Kb | suspicious |
3208 | iexplore.exe | GET | 200 | 104.27.129.17:80 | http://prl.kersotar.club/prelands/518/images/z.jpg | US | image | 1.17 Kb | suspicious |
3208 | iexplore.exe | GET | 200 | 104.27.129.17:80 | http://prl.kersotar.club/prelands/518/css/content.css | US | text | 10.4 Kb | suspicious |
3208 | iexplore.exe | GET | 200 | 104.27.129.17:80 | http://prl.kersotar.club/prelands/518/css/article.css | US | text | 2.38 Kb | suspicious |
3208 | iexplore.exe | GET | 200 | 104.27.129.17:80 | http://prl.kersotar.club/prelands/518/css/gallery.css | US | text | 1.36 Kb | suspicious |
3208 | iexplore.exe | GET | 404 | 104.27.129.17:80 | http://prl.kersotar.club/prelands/518/fonts/FranziskaWebPro-Demibold.woff)%20format(%22woff%22 | US | html | 238 b | suspicious |
2980 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3428 | iexplore.exe | 172.217.21.193:443 | themes.googleusercontent.com | Google Inc. | US | whitelisted |
2980 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3428 | iexplore.exe | 172.217.16.131:443 | www.gstatic.com | Google Inc. | US | whitelisted |
3428 | iexplore.exe | 172.217.16.201:443 | resources.blogblog.com | Google Inc. | US | whitelisted |
3208 | iexplore.exe | 49.51.152.181:80 | atbfinance.top | — | CN | suspicious |
2980 | iexplore.exe | 49.51.152.181:80 | atbfinance.top | — | CN | suspicious |
3208 | iexplore.exe | 104.27.128.17:80 | vip.kersotar.club | Cloudflare Inc | US | shared |
2980 | iexplore.exe | 104.27.128.17:80 | vip.kersotar.club | Cloudflare Inc | US | shared |
3208 | iexplore.exe | 104.27.129.17:80 | vip.kersotar.club | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
resources.blogblog.com |
| whitelisted |
themes.googleusercontent.com |
| whitelisted |
www.blogger.com |
| shared |
atbfinance.top |
| suspicious |
vip.kersotar.club |
| suspicious |
prl.kersotar.club |
| suspicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
3208 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
3208 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |