Malware Analysis Report

2024-11-16 15:45

Sample ID 240219-1qxcvsea61
Target http://rb.gy/78xr2q
Tags google phishing
Score 5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 5/10

Threat Level: Likely benign

The file http://rb.gy/78xr2q was found to be: Likely benign.

Malicious Activity Summary

google phishing

Detected potential entity reuse from brand google.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-19 21:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-19 21:51

Reported

2024-02-19 21:57

Platform

android-x86-arm-20231215-en

Max time kernel

116s

Max time network

300s

Command Line

com.android.chrome

Signatures

N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 rb.gy udp
US 52.200.15.1:80 rb.gy tcp
US 52.200.15.1:80 rb.gy tcp
US 1.1.1.1:53 www.563mg.com udp
US 104.21.91.180:443 www.563mg.com tcp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
GB 142.250.180.10:443 safebrowsing.googleapis.com tcp
US 1.1.1.1:53 46j3w.com udp
US 172.67.169.184:443 46j3w.com tcp
US 1.1.1.1:53 x.s788n.com udp
US 104.21.10.187:443 x.s788n.com tcp
US 1.1.1.1:53 predictionds.com udp
US 104.21.50.133:443 predictionds.com tcp
US 1.1.1.1:53 tracking.prtrackings.com udp
NL 34.90.81.51:443 tracking.prtrackings.com tcp
US 1.1.1.1:53 crt.sectigo.com udp
US 104.18.38.233:80 crt.sectigo.com tcp
US 1.1.1.1:53 trk.show-waste-myself-during.run udp
US 172.67.148.225:443 trk.show-waste-myself-during.run tcp
US 1.1.1.1:53 privacymobilenewonline.autos udp
US 172.67.194.135:443 privacymobilenewonline.autos tcp
US 172.67.194.135:443 privacymobilenewonline.autos tcp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 1.1.1.1:53 cdn.privacymobilenewonline.autos udp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 cdn.privacymobilenewonline.autos udp
GB 142.250.200.36:443 www.google.com tcp
US 104.21.92.137:443 cdn.privacymobilenewonline.autos tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.179.227:443 update.googleapis.com tcp
US 1.1.1.1:53 dbkjnaomy udp
US 1.1.1.1:53 fmdbmpgxkduo udp
US 1.1.1.1:53 mdnbbvpvxwkk udp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.187.227:80 tcp
GB 216.58.212.228:443 tcp
GB 142.250.178.2:443 tcp
GB 142.250.187.206:443 tcp
GB 172.217.16.227:443 tcp
GB 172.217.16.227:443 tcp
GB 142.250.187.206:443 tcp
GB 172.217.16.227:443 tcp
GB 172.217.16.227:443 tcp

Files

files/dom-0.html

MD5 18f4085c8e5746bbdc418c6eacda86b7
SHA1 4baeb13a3e1d3ad31bfe80ef2e53692983f9225a
SHA256 7bd4e2a12a5fabc6d3e0f62d39c087a96cf3c2fe4eaa3a5ec4c29bb0c5b8a700
SHA512 114d1482c59cfeb9a5172af2bb53a9d29496a8d0b54d504774405fedb81038a049f206caf6221f26ae70894d5e1352834dce9ee9b58dcb9b64bfbf4050b4d5f0

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-19 21:51

Reported

2024-02-19 21:57

Platform

android-x64-20231215-en

Max time kernel

299s

Max time network

299s

Command Line

com.android.chrome

Signatures

N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 accounts.google.com udp
BE 142.251.168.84:443 accounts.google.com tcp
US 1.1.1.1:53 rb.gy udp
US 52.200.15.1:80 rb.gy tcp
US 52.200.15.1:80 rb.gy tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 www.563mg.com udp
US 172.67.177.109:443 www.563mg.com tcp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
US 1.1.1.1:53 46j3w.com udp
US 104.21.39.64:443 46j3w.com tcp
US 1.1.1.1:53 x.s788n.com udp
US 172.67.131.176:443 x.s788n.com tcp
US 1.1.1.1:53 predictionds.com udp
US 172.67.206.138:443 predictionds.com tcp
US 1.1.1.1:53 www.thebuxfiles.com udp
US 104.21.89.19:443 www.thebuxfiles.com tcp
US 1.1.1.1:53 c.ftblltrck.com udp
US 52.6.207.239:443 c.ftblltrck.com tcp
US 52.6.207.239:443 c.ftblltrck.com tcp
US 1.1.1.1:53 nationalconsumerscenter.co.uk udp
US 172.67.173.122:443 nationalconsumerscenter.co.uk tcp
US 1.1.1.1:53 www.cdn925.com udp
US 104.18.90.64:443 www.cdn925.com tcp
US 104.18.90.64:443 www.cdn925.com tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 1.1.1.1:53 www.clicken.us udp
US 104.18.130.12:443 www.clicken.us tcp
US 1.1.1.1:53 clients1.google.com udp
GB 172.217.169.78:443 clients1.google.com tcp
US 1.1.1.1:53 fqtag.com udp
US 35.190.72.161:443 fqtag.com tcp
US 1.1.1.1:53 cdn.fqtag.com udp
US 35.190.36.172:443 cdn.fqtag.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.178.3:443 update.googleapis.com tcp
US 1.1.1.1:53 gvzpzxzh udp
US 1.1.1.1:53 bkozaqvdulyzp udp
US 1.1.1.1:53 guwotljoblenxhz udp
US 35.190.72.161:443 fqtag.com tcp
US 1.1.1.1:53 aux.fqtag.com udp
US 35.190.13.203:443 aux.fqtag.com tcp
US 1.1.1.1:53 stun.2talk.com udp
US 1.1.1.1:53 stun.botonakis.com udp
US 1.1.1.1:53 stun.budgetphone.nl udp
US 1.1.1.1:53 stun.counterpath.com udp
US 1.1.1.1:53 stun.gradwell.com udp
US 1.1.1.1:53 stun.jumblo.com udp
US 1.1.1.1:53 stun.botonakis.com udp
US 1.1.1.1:53 stun.nas.net udp
US 1.1.1.1:53 stun.node4.co.uk udp
US 27.111.12.93:3478 stun.2talk.com udp
US 1.1.1.1:53 stun.gradwell.com udp
US 27.111.12.93:3478 stun.2talk.com udp
US 216.93.246.18:3478 stun.counterpath.com udp
US 216.93.246.18:3478 stun.counterpath.com udp
US 1.1.1.1:53 stun.veoh.com udp
DE 77.72.169.210:3478 stun.jumblo.com udp
US 1.1.1.1:53 stun.budgetphone.nl udp
DE 77.72.169.210:3478 stun.jumblo.com udp
US 1.1.1.1:53 stun.voip.aebc.com udp
CA 216.145.109.98:3478 stun.nas.net udp
US 1.1.1.1:53 stun.node4.co.uk udp
CA 216.145.109.98:3478 stun.nas.net udp
US 1.1.1.1:53 stun.voipzoom.com udp
US 69.167.127.106:3478 stun.veoh.com udp
US 69.167.127.106:3478 stun.veoh.com udp
US 1.1.1.1:53 stun.voxox.com udp
US 1.1.1.1:53 stun.wwdl.net udp
US 35.190.13.203:443 aux.fqtag.com tcp
CA 66.51.128.11:3478 stun.voip.aebc.com udp
US 1.1.1.1:53 stun.voxox.com udp
CA 66.51.128.11:3478 stun.voip.aebc.com udp
US 70.85.220.74:3478 stun.wwdl.net udp
US 70.85.220.74:3478 stun.wwdl.net udp
DE 77.72.169.211:3478 stun.voipzoom.com udp
DE 77.72.169.211:3478 stun.voipzoom.com udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
GB 172.217.169.42:443 tcp
GB 216.58.201.98:443 tcp
GB 142.250.180.3:443 tcp
GB 172.217.169.42:443 tcp
GB 172.217.169.42:443 tcp

Files

files/dom-0.html

MD5 af04f76a0e2836fa81199f8fb4df15a3
SHA1 38f142854a8cf3f959b939534fdf6ed364ef48a3
SHA256 dab0ba7cf28403a25655f8d1096ad6116d86375aa65f24387255bc53510f5645
SHA512 da6ad4b969d9edabf9da5069cef7b95ee30d605448c6b317a45135daa1d8d64c95979fa94615d1e630cedc03bad23dcd437241332d24a6456ddf9e1d177413b4

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-19 21:51

Reported

2024-02-19 21:57

Platform

android-x64-arm64-20231215-en

Max time kernel

245s

Max time network

301s

Command Line

com.android.chrome

Signatures

Detected potential entity reuse from brand google.

phishing google

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 rb.gy udp
US 1.1.1.1:53 accounts.google.com udp
BE 64.233.184.84:443 accounts.google.com tcp
US 3.224.68.189:80 rb.gy tcp
US 3.224.68.189:80 rb.gy tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 rb.gy udp
BE 173.194.76.84:443 accounts.google.com tcp
US 54.164.199.24:80 rb.gy tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 www.563mg.com udp
US 172.67.177.109:443 www.563mg.com tcp
US 1.1.1.1:53 46j3w.com udp
US 172.67.169.184:443 46j3w.com tcp
US 1.1.1.1:53 x.s788n.com udp
US 104.21.10.187:443 x.s788n.com tcp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
GB 142.250.187.234:443 safebrowsing.googleapis.com tcp
US 1.1.1.1:53 predictionds.com udp
US 104.21.50.133:443 predictionds.com tcp
US 1.1.1.1:53 tracking.prtrackings.com udp
NL 34.147.21.42:443 tracking.prtrackings.com tcp
US 1.1.1.1:53 crt.sectigo.com udp
US 104.18.38.233:80 crt.sectigo.com tcp
US 1.1.1.1:53 trk.show-waste-myself-during.run udp
US 104.21.47.159:443 trk.show-waste-myself-during.run tcp
US 1.1.1.1:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 1.1.1.1:53 free-private-mobile-app.autos udp
US 104.21.45.115:443 free-private-mobile-app.autos tcp
US 104.21.45.115:443 free-private-mobile-app.autos tcp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 1.1.1.1:53 cdn.free-private-mobile-app.autos udp
US 1.1.1.1:53 update.googleapis.com udp
US 1.1.1.1:53 atzsvroiu udp
US 1.1.1.1:53 tcfyajaknvwbvl udp
US 1.1.1.1:53 qnlvzcgtyqay udp
GB 142.250.200.4:443 tcp
GB 142.250.200.4:443 tcp
GB 142.250.200.4:443 tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.178.3:443 update.googleapis.com tcp
GB 172.217.169.34:443 tcp
GB 216.58.201.99:443 tcp

Files

files/dom-0.html

MD5 224b86cf52fd3348c5506a0d870440dc
SHA1 3e874eb06706a09a5a41bb93c96c93116c66b5ba
SHA256 80cd4dec7a27ca2add4c2ebe7f8861a0f8c615c95f0201400991c0f3b232fb20
SHA512 d68ba6b49895064aae5c0cc7548e7ad40dcfba4cffb2e9f56e1d09923a08afd0b70c16e3a3a031ba6e1342833540c29a2ea89d75d2fe4917325aa171c7cc6e5c