analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

index.html

Full analysis: https://app.any.run/tasks/fbafd1e3-f0ea-4994-a7af-898880846ee6
Verdict: Malicious activity
Analysis date: March 14, 2019, 18:15:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
phishing
Indicators:
MIME: text/html
File info: HTML document, ASCII text
MD5:

25A23FD24892D6C9D8D9A012707D2CB5

SHA1:

9ADC58FD5B5DD659EEB7866D755EBB18878A8925

SHA256:

F0F32224DB4C3E4EB82C0B1369195489D9B5ABA814FB566C0B8F63C2221A6779

SSDEEP:

24:Wn/VnshEe9yo9pdp9o9duLZHZR3G5RWUne81NEex0bZ4dKx:3FlLX+2Z5ZIwUnr9AkC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2924)
      • iexplore.exe (PID: 2336)
    • Application launched itself

      • iexplore.exe (PID: 2924)
      • iexplore.exe (PID: 2336)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1396)
      • iexplore.exe (PID: 2520)
    • Creates files in the user directory

      • iexplore.exe (PID: 1396)
      • iexplore.exe (PID: 2924)
      • iexplore.exe (PID: 2520)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1396)
      • iexplore.exe (PID: 2924)
      • iexplore.exe (PID: 2520)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1396)
      • iexplore.exe (PID: 2520)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1396)
      • iexplore.exe (PID: 2520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

ContentType: text/html; charset=UTF-8
Keywords: uo829938320775.gq
Description: uo829938320775.gq
Title: uo829938320775.gq
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2924"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\index.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1396"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2924 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2336"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\index.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2520"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2336 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
842
Read events
674
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
67
Unknown types
5

Dropped files

PID
Process
Filename
Type
2924iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2924iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1396iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@~~local~~[1].txt
MD5:
SHA256:
1396iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\zimbra-spain[1].txt
MD5:
SHA256:
1396iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\Hd7S83Q[1].pngimage
MD5:DC9675D8763C315665F38DAD3CBC5DCE
SHA256:23E7F508A5F6C5BF6032F8F4F554B56233047E73B356AE84064399D290A7BADA
1396iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@~~local~~[2].txttext
MD5:C087B577CD87F554903368A875C9901E
SHA256:5E5AF8BB33743C5B3FAB0F689547AD08E456A09193F4BEBA7BCCD8FF93A73026
1396iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\styleSidebar_common[1].css
MD5:
SHA256:
1396iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\newzbrt[1].htmhtml
MD5:252F066C9693EC8ECDCDE96ACA69F51E
SHA256:C3FC6E78562DA146DCBF6698DF1A55586FC607DEB511BE2548FEBFA937CEE25B
1396iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\16ke444[1].jpgimage
MD5:9F19B04E0E0AF3DC2A10D15FEEE10B7C
SHA256:3AB50FF125CA4E53B3D063A1D86A6337F0E0033C9D0429F14DA5B650A6E22B11
1396iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315\index.datdat
MD5:8BF69EEA994704A6FD0AE2DC9293B9DA
SHA256:CBFCAED3E48849C0A2CFC0DDFAD18D5EB2710C72651E9D1882F2E197C592EADB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
46
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1396
iexplore.exe
GET
200
128.0.47.196:80
http://asystent.ro/css/newzbrt/
RO
html
1.85 Kb
suspicious
1396
iexplore.exe
POST
302
128.0.47.196:80
http://asystent.ro/css/newzbrt/me.php
RO
suspicious
1396
iexplore.exe
GET
304
128.0.47.196:80
http://asystent.ro/css/newzbrt/16ke444.jpg
RO
compressed
1.85 Kb
suspicious
1396
iexplore.exe
GET
404
128.0.47.196:80
http://asystent.ro/skins/serenity/img/DecorationLogin.png?v=140408125643
RO
html
2.81 Kb
suspicious
1396
iexplore.exe
GET
200
128.0.47.196:80
http://asystent.ro/css/newzbrt/
RO
html
1.85 Kb
suspicious
1396
iexplore.exe
GET
200
128.0.47.196:80
http://asystent.ro/css/newzbrt/16ke444.jpg
RO
image
10.2 Kb
suspicious
2520
iexplore.exe
GET
304
172.217.18.110:80
http://www.google-analytics.com/ga.js
US
whitelisted
1396
iexplore.exe
GET
404
128.0.47.196:80
http://asystent.ro/skins/serenity/img/DecorationLogin.png?v=140408125643
RO
html
2.81 Kb
suspicious
1396
iexplore.exe
GET
200
128.0.47.196:80
http://asystent.ro/css/newzbrt/finish.html
RO
html
278 b
suspicious
2520
iexplore.exe
GET
200
128.0.47.196:80
http://asystent.ro/css/newzbrt/
RO
html
1.85 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1396
iexplore.exe
172.217.18.110:80
www.google-analytics.com
Google Inc.
US
whitelisted
1396
iexplore.exe
144.217.255.20:443
wallpapercave.com
OVH SAS
CA
unknown
1396
iexplore.exe
144.217.255.20:80
wallpapercave.com
OVH SAS
CA
unknown
1396
iexplore.exe
128.0.47.196:80
asystent.ro
Voxility S.R.L.
RO
suspicious
1396
iexplore.exe
23.22.223.51:443
blog.zimbra.com
Amazon.com, Inc.
US
unknown
2924
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1396
iexplore.exe
172.217.18.110:443
www.google-analytics.com
Google Inc.
US
whitelisted
1396
iexplore.exe
172.217.21.234:443
fonts.googleapis.com
Google Inc.
US
whitelisted
1396
iexplore.exe
23.21.32.152:443
www.zimbra.com
Amazon.com, Inc.
US
unknown
1396
iexplore.exe
192.0.78.9:443
wordpress.com
Automattic, Inc
US
malicious

DNS requests

Domain
IP
Reputation
asystent.ro
  • 128.0.47.196
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
wallpapercave.com
  • 144.217.255.20
whitelisted
www.google-analytics.com
  • 172.217.18.110
whitelisted
blog.zimbra.com
  • 23.22.223.51
  • 23.20.183.249
malicious
fonts.googleapis.com
  • 172.217.21.234
whitelisted
www.zimbra.com
  • 23.21.32.152
  • 34.226.251.72
suspicious
wordpress.com
  • 192.0.78.9
  • 192.0.78.17
whitelisted
fonts.gstatic.com
  • 216.58.208.35
whitelisted
d2ijs800i4ozhu.cloudfront.net
  • 13.33.96.113
  • 13.33.96.3
  • 13.33.96.174
  • 13.33.96.7
whitelisted

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info