Report - xn--statst-lwac8u.admarketlocation.com/

Report Overview

Visited public
2025-06-01 15:49:26
Tags
URL
xn--statst-lwac8u.admarketlocation.com/
Finishing URL
s.click.aliexpress.com/e/_ooXP3cN?af=8528901&dp=953069294500189151
IP / ASN
172.98.192.37
#31863 DACEN-2
Title
s.click.aliexpress.com/e/_ooXP3cN?af=8528901&dp=953069294500189151

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
xn--statst-lwac8u.admarketlocation.com	unknown	unknown	No data	No data	2.0 kB	33 kB	172.98.192.37
my.rtmark.net	9054	2014-10-29	2015-02-04	2025-05-29	541 B	768 B	172.64.146.234
lowtirtougaa.com	unknown	2024-11-15	2024-11-28	2025-05-19	3.3 kB	35 kB	139.45.197.106
s.click.aliexpress.com	23301	2006-04-16	2013-12-16	2025-05-25	534 B	872 B	23.49.27.47
click-v4.exmnclk.com	unknown	2025-04-01	2025-05-27	2025-05-27	510 B	32 kB	198.134.116.17
reyeshehadtwobri.com	unknown	2024-11-09	2025-02-21	2025-05-30	503 B	33 kB	104.21.96.1

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

Quad9 DNS

Scan Date	Severity	Indicator	Alert
2025-06-01	medium	lowtirtougaa.com	Sinkholed
2025-06-01	medium	lowtirtougaa.com	Sinkholed
2025-06-01	medium	lowtirtougaa.com	Sinkholed
2025-06-01	medium	lowtirtougaa.com	Sinkholed
2025-06-01	medium	lowtirtougaa.com	Sinkholed

ThreatFox

No alerts detected

JavaScript (3)

	URL	From	Size	First Seen	Last Seen
	lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617	ScriptElement	103 B	2024-11-11	2025-06-08
Pretty URL lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617 IP 139.45.197.106 ASN #9002 RETN Limited Introduced by scriptElement Embedded in HTML true Observations First Seen2024-11-11 16:21 Last Seen2025-06-08 02:12 Times Seen1806 Hash c643cec8aff35ca004122dccbe19be84 8968e77c9e2f2364274052836c4d60ca04b71f92 6ef41764fe218809cc837c7606273f30bb317016f94fe7f687de19be85734621 Loading...

	lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617	ScriptElement	29 kB	2025-06-01	2025-06-01
Pretty URL lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617 IP 139.45.197.106 ASN #9002 RETN Limited Introduced by scriptElement Embedded in HTML true Observations First Seen2025-06-01 15:49 Last Seen2025-06-01 15:49 Times Seen1 Hash 387fdfba994b1299ca33effb0d6621ae 738c86572402e2d66210e8abd5d708f2932b0c3f 072dc4347cec74d2911a7c01f068f39d8b0eab7c56969cefbc9ea41d2bf78251 Loading...

	lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617	EventHandler	18 B	2024-09-25	2025-06-08
Pretty URL lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617 IP 139.45.197.106 ASN #9002 RETN Limited Introduced by eventHandler Embedded in HTML false Observations First Seen2024-09-25 04:33 Last Seen2025-06-08 02:12 Times Seen1861 Hash 92fdba08d68c80aceda7c428a226c832 9292a00b9a528f1cc75e7817064c22ce53fa7f92 e9f45f67d6969aa2b73619eaa29c3126d5e181d28fb4a16a39dba55fd8c42a6e Loading...

HTTP Transactions (12)

URL IP Response Size

xn--statst-lwac8u.admarketlocation.com/

172.98.192.37

200 OK

500 B

URL User Request GET
xn--statst-lwac8u.admarketlocation.com/
IP
172.98.192.37:443
ASN
#31863 DACEN-2

Certificate
IssuerLet's Encrypt
Subjectadmarketlocation.com
FingerprintB9:56:D1:22:EB:86:30:FF:F7:EA:86:C4:A2:DC:E7:5A:34:E6:08:AB
ValidityTue, 06 May 2025 09:41:34 GMT - Mon, 04 Aug 2025 09:41:33 GMT

File type
HTML document, ASCII text, with very long lines (500), with no line terminators
Size
500 B (500 bytes)
Hash
fc8fe2dac18095b83fb9a06b58fd3910
1a49282f7a6e87af189149bf9ee68565c56f103b
af66157f12a91ca66e2e20b5c13fc2b2ca5cef4f5371e3ee2aec9918fe3877f5

HTTP Headers

GET / HTTP/1.1
Host: xn--statst-lwac8u.admarketlocation.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
accept-ch: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
cache-control: max-age=0, private, must-revalidate
content-length: 500
content-type: text/html; charset=utf-8
date: Sun, 01 Jun 2025 15:49:03 GMT
server: Cowboy
set-cookie: sid=f1cf3426-3eff-11f0-b970-a2eca1951fac; path=/; domain=.admarketlocation.com; expires=Fri, 19 Jun 2093 19:03:11 GMT; max-age=2147483647; secure; HttpOnly
X-Firefox-Spdy: h2

xn--statst-lwac8u.admarketlocation.com/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0ODgwMDE0NCwiaWF0IjoxNzQ4NzkyOTQ0LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMTJmYnFtbWhiamdxaDU1dGcwa2FuMDkiLCJuYmYiOjE3NDg3OTI5NDQsInRzIjoxNzQ4NzkyOTQ0Mjk3MTI4fQ.P_f-u-I7vvufOpaJudq2Q5THIKArEi16PwU3B2pKTkM&sid=f1cf3426-3eff-11f0-b970-a2eca1951fac

172.98.192.37

302 Found

32 kB

URL User Request GET
xn--statst-lwac8u.admarketlocation.com/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0ODgwMDE0NCwiaWF0IjoxNzQ4NzkyOTQ0LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMTJmYnFtbWhiamdxaDU1dGcwa2FuMDkiLCJuYmYiOjE3NDg3OTI5NDQsInRzIjoxNzQ4NzkyOTQ0Mjk3MTI4fQ.P_f-u-I7vvufOpaJudq2Q5THIKArEi16PwU3B2pKTkM&sid=f1cf3426-3eff-11f0-b970-a2eca1951fac
IP
172.98.192.37:443
ASN
#31863 DACEN-2

Certificate
IssuerLet's Encrypt
Subjectadmarketlocation.com
FingerprintB9:56:D1:22:EB:86:30:FF:F7:EA:86:C4:A2:DC:E7:5A:34:E6:08:AB
ValidityTue, 06 May 2025 09:41:34 GMT - Mon, 04 Aug 2025 09:41:33 GMT

File type

Size
32 kB (31509 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

GET /?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0ODgwMDE0NCwiaWF0IjoxNzQ4NzkyOTQ0LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMTJmYnFtbWhiamdxaDU1dGcwa2FuMDkiLCJuYmYiOjE3NDg3OTI5NDQsInRzIjoxNzQ4NzkyOTQ0Mjk3MTI4fQ.P_f-u-I7vvufOpaJudq2Q5THIKArEi16PwU3B2pKTkM&sid=f1cf3426-3eff-11f0-b970-a2eca1951fac HTTP/1.1
Host: xn--statst-lwac8u.admarketlocation.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://xn--statst-lwac8u.admarketlocation.com/
Cookie: sid=f1cf3426-3eff-11f0-b970-a2eca1951fac
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 302 Found
cache-control: max-age=0, private, must-revalidate
content-length: 11
date: Sun, 01 Jun 2025 15:49:04 GMT
location: http://click-v4.exmnclk.com/click?i=Hf9QbNq*PpQ_0
server: Cowboy
set-cookie: sid=f1cf3426-3eff-11f0-b970-a2eca1951fac; path=/; domain=.admarketlocation.com; expires=Fri, 19 Jun 2093 19:03:12 GMT; max-age=2147483647; secure; HttpOnly
X-Firefox-Spdy: h2

xn--statst-lwac8u.admarketlocation.com/favicon.ico

172.98.192.37

404 Not Found

9 B

URL GET
xn--statst-lwac8u.admarketlocation.com/favicon.ico
IP
172.98.192.37:443
ASN
#31863 DACEN-2

Requested by
https://xn--statst-lwac8u.admarketlocation.com/
Certificate
IssuerLet's Encrypt
Subjectadmarketlocation.com
FingerprintB9:56:D1:22:EB:86:30:FF:F7:EA:86:C4:A2:DC:E7:5A:34:E6:08:AB
ValidityTue, 06 May 2025 09:41:34 GMT - Mon, 04 Aug 2025 09:41:33 GMT

File type
ASCII text, with no line terminators
Size
9 B (9 bytes)
Hash
d8f4a1993546cc4b850cde3599e27aec
094b763b4cfcc0b05e5d040581cd513c3ca08067
907ba78b4545338d3539683e63ecb51cf51c10adc9dabd86e92bd52339f298b9

HTTP Headers

GET /favicon.ico HTTP/1.1
Host: xn--statst-lwac8u.admarketlocation.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://xn--statst-lwac8u.admarketlocation.com/
Cookie: sid=f1cf3426-3eff-11f0-b970-a2eca1951fac
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 404 Not Found
cache-control: max-age=0, private, must-revalidate
content-length: 9
date: Sun, 01 Jun 2025 15:49:04 GMT
server: Cowboy
X-Firefox-Spdy: h2

my.rtmark.net/img.gif?f=merge&userId=0081dbdd47ff4db3e6c4d0414dc97c67&z=8528901&p_rid=d8d7bd01-a842-4581-9876-735f1ea30d46&p_src=sf

172.64.146.234

200 OK

43 B

URL GET
my.rtmark.net/img.gif?f=merge&userId=0081dbdd47ff4db3e6c4d0414dc97c67&z=8528901&p_rid=d8d7bd01-a842-4581-9876-735f1ea30d46&p_src=sf
IP
172.64.146.234:443
ASN
#13335 CLOUDFLARENET

Requested by
https://lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617
Certificate
IssuerGoogle Trust Services
Subjectmy.rtmark.net
Fingerprint61:93:FB:BF:25:C3:CE:7B:CB:69:5D:87:04:AA:ED:1B:35:8D:44:82
ValidityFri, 02 May 2025 11:10:51 GMT - Thu, 31 Jul 2025 12:10:47 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
b4491705564909da7f9eaf749dbbfbb1
279315d507855c6a4351e1e2c2f39dd9cd2fccd8
4e0705327480ad2323cb03d9c450ffcae4a98bf3a5382fa0c7882145ed620e49

HTTP Headers

GET /img.gif?f=merge&userId=0081dbdd47ff4db3e6c4d0414dc97c67&z=8528901&p_rid=d8d7bd01-a842-4581-9876-735f1ea30d46&p_src=sf HTTP/1.1
Host: my.rtmark.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://lowtirtougaa.com/
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Sun, 01 Jun 2025 15:49:06 GMT
content-type: image/gif
content-length: 43
access-control-allow-origin: *
access-control-allow-methods: POST, GET, OPTIONS, PUT, DELETE
access-control-allow-headers: Accept, Content-Type, Content-Length, Accept-Encoding, Authorization,X-CSRF-Token
access-control-expose-headers: Authorization
access-control-allow-credentials: true
set-cookie: ID=0081dbdd47ff4db3e6c4d0414dc97c67; expires=Mon, 01 Jun 2026 15:49:06 GMT; secure; SameSite=None
strict-transport-security: max-age=1
x-content-type-options: nosniff
timing-allow-origin: *
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 948fdbebecf456b4-OSL
alt-svc: h3=":443"; ma=86400
X-Firefox-Spdy: h2

lowtirtougaa.com/favicon.ico

139.45.197.106

204 No Content

0 B

URL GET
lowtirtougaa.com/favicon.ico
IP
139.45.197.106:443
ASN
#9002 RETN Limited

Requested by
https://lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617
Certificate
IssuerLet's Encrypt
Subjectlowtirtougaa.com
FingerprintBD:13:94:E5:3A:E7:8D:27:8B:69:09:EA:7D:1C:01:AF:AA:9A:5A:18
ValidityMon, 12 May 2025 11:44:09 GMT - Sun, 10 Aug 2025 11:44:08 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /favicon.ico HTTP/1.1
Host: lowtirtougaa.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 204 No Content
server: nginx
date: Sun, 01 Jun 2025 15:49:06 GMT
expires: Thu, 31 Dec 2037 23:55:55 GMT
pragma: public
cache-control: max-age=315360000, public, must-revalidate, proxy-revalidate
X-Firefox-Spdy: h2

s.click.aliexpress.com/e/_ooXP3cN?af=8528901&dp=953069294500189151

23.49.27.47

200 OK

242 B

URL User Request GET
s.click.aliexpress.com/e/_ooXP3cN?af=8528901&dp=953069294500189151
IP
23.49.27.47:443
ASN
#16625 AKAMAI-AS

Certificate
IssuerDigiCert Inc
Subjectru.aliexpress.com
FingerprintDA:5C:41:82:2B:53:17:58:AB:EB:B9:35:7E:77:FE:D0:25:60:59:04
ValidityThu, 20 Mar 2025 00:00:00 GMT - Fri, 20 Mar 2026 23:59:59 GMT

File type
HTML document, ASCII text
Size
242 B (242 bytes)
Hash
d55131d11f99af713369ce2c1ae332c4
a16fd272de392cfd9e17c7e8af038d912f1ee4a5
25ed09bf436c1149aca0b65d4367f5afb5ae24a920b0eed84dd5e97764efe8b2

HTTP Headers

GET /e/_ooXP3cN?af=8528901&dp=953069294500189151 HTTP/1.1
Host: s.click.aliexpress.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
content-type: application/json;charset=UTF-8
content-length: 242
server: Tengine/Aserver
cache-control: no-store
x5-punish-cache: hit
eagleeye-traceid: 211b876e17487929475001338e4700
strict-transport-security: max-age=31536000
timing-allow-origin: *
date: Sun, 01 Jun 2025 15:49:07 GMT
x-akamai-fwd-auth-sha: 8046F711D6C7384FCA7C90E094C06FEBAF6C7543C4E98AF03218CA21D5CF8B26
x-akamai-fwd-auth-data: 1427720244, 23.36.79.12, 1748792947, 91.90.42.154
x-akamai-fwd-auth-sign: oBZkuCsZxarz5/4x43/ml5mBTtmeiT6v8cYUoaV80jDfxnffVkyxPLBvMHyzkgCGNyz+bIrg2p43WJFzRjzpkJMKEpwKwMcpUY0DubAGz08=
X-Firefox-Spdy: h2

click-v4.exmnclk.com/click?i=Hf9QbNq*PpQ_0

198.134.116.17

302 Found

32 kB

URL User Request GET
click-v4.exmnclk.com/click?i=Hf9QbNq*PpQ_0
IP
198.134.116.17:443
ASN
#27257 WEBAIR-INTERNET

Certificate
IssuerLet's Encrypt
Subjectexmnclk.com
FingerprintDA:BF:BA:FB:D3:B2:66:68:21:E2:70:D7:D1:E9:4B:39:03:B8:14:76
ValidityFri, 04 Apr 2025 07:17:44 GMT - Thu, 03 Jul 2025 07:17:43 GMT

File type

Size
32 kB (31509 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

GET /click?i=Hf9QbNq*PpQ_0 HTTP/1.1
Host: click-v4.exmnclk.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 302 Found
Server: nginx
Date: Sun, 01 Jun 2025 15:49:05 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: no-store
Location: https://reyeshehadtwobri.com/?LCeTN=1181303

reyeshehadtwobri.com/?LCeTN=1181303

104.21.96.1

302 Found

32 kB

URL User Request GET
reyeshehadtwobri.com/?LCeTN=1181303
IP
104.21.96.1:443
ASN
#13335 CLOUDFLARENET

Certificate
IssuerGoogle Trust Services
Subjectreyeshehadtwobri.com
FingerprintC7:B5:85:63:CA:0C:0D:08:ED:31:20:4D:01:84:73:4A:AA:0E:AB:D7
ValidityMon, 05 May 2025 08:15:29 GMT - Sun, 03 Aug 2025 09:13:50 GMT

File type

Size
32 kB (31509 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

GET /?LCeTN=1181303 HTTP/1.1
Host: reyeshehadtwobri.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 302 Found
date: Sun, 01 Jun 2025 15:49:05 GMT
content-type: text/plain
content-length: 0
location: https://lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617
nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
server: cloudflare
cache-control: no-store, no-cache, must-revalidate, no-transform
pragma: no-cache
p3p: CP="NID DSP ALL COR"
accept-ch: DPR, Width, Viewport-Width, Device-Memory, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List
cf-cache-status: DYNAMIC
report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=62QGuwiyOlGOosbdE4OaxpKIgMQtmkHz%2BQyoOTI39bXDPSZE0CVqgAUnMJJD12p2BeJ54yttDu6ba3nw0n1LdHJVZkXJXzmN6haq3GEJFW08RA%3D%3D"}]}
set-cookie: AWSALB=25G37OfcVp2esgtAmjtNU8xgXtx11bBZ7zRgRpDqv2A5kaHyBFHkkeIkGNQTDZUh4dK72Q10nlupF/g27EbA1sf4Kx3kjXloW7AVWlsZgz8dPWMPGzY+yNRtUhKF; Path=/; Expires=Sun, 08 Jun 2025 15:49:05 GMT
AWSALBCORS=25G37OfcVp2esgtAmjtNU8xgXtx11bBZ7zRgRpDqv2A5kaHyBFHkkeIkGNQTDZUh4dK72Q10nlupF/g27EbA1sf4Kx3kjXloW7AVWlsZgz8dPWMPGzY+yNRtUhKF; SameSite=None; Secure; Path=/; Expires=Sun, 08 Jun 2025 15:49:05 GMT
csu=a293dab5-5ec3-4f9f-ae5c-b3b3e9f1ca9c
cf-ray: 948fdbe62e0c5689-OSL
alt-svc: h3=":443"; ma=86400
X-Firefox-Spdy: h2

lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617

139.45.197.106

200 OK

32 kB

URL User Request GET
lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617
IP
139.45.197.106:443
ASN
#9002 RETN Limited

Certificate
IssuerLet's Encrypt
Subjectlowtirtougaa.com
FingerprintBD:13:94:E5:3A:E7:8D:27:8B:69:09:EA:7D:1C:01:AF:AA:9A:5A:18
ValidityMon, 12 May 2025 11:44:09 GMT - Sun, 10 Aug 2025 11:44:08 GMT

File type
HTML document, ASCII text, with very long lines (28297)
Size
32 kB (31509 bytes)
Hash
e900737455496c88768130dc260a692a
f63109e081f792ade8f0accc55668c0a2d9ae20f
aea4c0fdfc8e97efba875e4e3bcb13f73346b84847c6e6f7a40864301a04a32c

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617 HTTP/1.1
Host: lowtirtougaa.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
server: nginx
date: Sun, 01 Jun 2025 15:49:06 GMT
content-type: text/html; charset=utf8
accept-ch: Sec-CH-UA, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: Accept, Content-Type, Content-Length, Accept-Encoding, baggage, sentry-trace, favicon
access-control-max-age: 86400
pragma: no-cache
cache-control: no-transform, no-store, no-cache, must-revalidate, max-age=0
expires: Tue, 11 Jan 1994 10:00:00 GMT
strict-transport-security: max-age=1
x-content-type-options: nosniff
timing-allow-origin: *, *
content-encoding: gzip
X-Firefox-Spdy: h2

lowtirtougaa.com/sftouch?userId=0081dbdd47ff4db3e6c4d0414dc97c67&z=8528901&p_rid=d8d7bd01-a842-4581-9876-735f1ea30d46&p_src=sf&branchId=0&rb=gwNNjx6wxyC3xxGbXIpOtgLh8YD3xtxviJy0eIOxdiAm7XFb3DQt52nVj7tQSwV8QLOB5pkjXShkLueJYB-vIHNYQjgILDd5yqadQVsfmq5rx1KteMdqvIUsy78Ly2l3b_s0nSASTcmkyzDkj4OE73oRyN-41GkLTaWyEs9QVvY4ABjwng0TH5XqpGp57Bv0z8JQwqzayzXFCl6tLcrA4v2kqVw1Be9PbaMJAh8ounh5cGNKAiuz5DfBB43BsO-sFCtyNvBCa1RdAzHt2a95_M148mekiKRaCBiybid9z9x957mg6trUbYcZqFVnXpmt&w_img=1

139.45.197.106

200 OK

43 B

URL GET
lowtirtougaa.com/sftouch?userId=0081dbdd47ff4db3e6c4d0414dc97c67&z=8528901&p_rid=d8d7bd01-a842-4581-9876-735f1ea30d46&p_src=sf&branchId=0&rb=gwNNjx6wxyC3xxGbXIpOtgLh8YD3xtxviJy0eIOxdiAm7XFb3DQt52nVj7tQSwV8QLOB5pkjXShkLueJYB-vIHNYQjgILDd5yqadQVsfmq5rx1KteMdqvIUsy78Ly2l3b_s0nSASTcmkyzDkj4OE73oRyN-41GkLTaWyEs9QVvY4ABjwng0TH5XqpGp57Bv0z8JQwqzayzXFCl6tLcrA4v2kqVw1Be9PbaMJAh8ounh5cGNKAiuz5DfBB43BsO-sFCtyNvBCa1RdAzHt2a95_M148mekiKRaCBiybid9z9x957mg6trUbYcZqFVnXpmt&w_img=1
IP
139.45.197.106:443
ASN
#9002 RETN Limited

Requested by
https://lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617
Certificate
IssuerLet's Encrypt
Subjectlowtirtougaa.com
FingerprintBD:13:94:E5:3A:E7:8D:27:8B:69:09:EA:7D:1C:01:AF:AA:9A:5A:18
ValidityMon, 12 May 2025 11:44:09 GMT - Sun, 10 Aug 2025 11:44:08 GMT

File type
GIF image data, version 89a, 1 x 1
Size
43 B (43 bytes)
Hash
df3e567d6f16d040326c7a0ea29a4f41
ea7df583983133b62712b5e73bffbcd45cc53736
548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /sftouch?userId=0081dbdd47ff4db3e6c4d0414dc97c67&z=8528901&p_rid=d8d7bd01-a842-4581-9876-735f1ea30d46&p_src=sf&branchId=0&rb=gwNNjx6wxyC3xxGbXIpOtgLh8YD3xtxviJy0eIOxdiAm7XFb3DQt52nVj7tQSwV8QLOB5pkjXShkLueJYB-vIHNYQjgILDd5yqadQVsfmq5rx1KteMdqvIUsy78Ly2l3b_s0nSASTcmkyzDkj4OE73oRyN-41GkLTaWyEs9QVvY4ABjwng0TH5XqpGp57Bv0z8JQwqzayzXFCl6tLcrA4v2kqVw1Be9PbaMJAh8ounh5cGNKAiuz5DfBB43BsO-sFCtyNvBCa1RdAzHt2a95_M148mekiKRaCBiybid9z9x957mg6trUbYcZqFVnXpmt&w_img=1 HTTP/1.1
Host: lowtirtougaa.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
server: nginx
date: Sun, 01 Jun 2025 15:49:06 GMT
content-type: image/gif
content-length: 43
x-trace-id: 411017185073cbb01bb79d40a30ef113
accept-ch: Sec-CH-UA, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: Accept, Content-Type, Content-Length, Accept-Encoding, baggage, sentry-trace, favicon
access-control-max-age: 86400
pragma: no-cache
cache-control: no-transform, no-store, no-cache, must-revalidate, max-age=0
expires: Tue, 11 Jan 1994 10:00:00 GMT
strict-transport-security: max-age=1
x-content-type-options: nosniff
timing-allow-origin: *, *
X-Firefox-Spdy: h2

lowtirtougaa.com/qlog/add?userId=0081dbdd47ff4db3e6c4d0414dc97c67&p_rid=d8d7bd01-a842-4581-9876-735f1ea30d46&z=8528901

139.45.197.106

200 OK

0 B

URL POST
lowtirtougaa.com/qlog/add?userId=0081dbdd47ff4db3e6c4d0414dc97c67&p_rid=d8d7bd01-a842-4581-9876-735f1ea30d46&z=8528901
IP
139.45.197.106:443
ASN
#9002 RETN Limited

Requested by
https://lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617
Certificate
IssuerLet's Encrypt
Subjectlowtirtougaa.com
FingerprintBD:13:94:E5:3A:E7:8D:27:8B:69:09:EA:7D:1C:01:AF:AA:9A:5A:18
ValidityMon, 12 May 2025 11:44:09 GMT - Sun, 10 Aug 2025 11:44:08 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

POST /qlog/add?userId=0081dbdd47ff4db3e6c4d0414dc97c67&p_rid=d8d7bd01-a842-4581-9876-735f1ea30d46&z=8528901 HTTP/1.1
Host: lowtirtougaa.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Length: 2594
Origin: https://lowtirtougaa.com
DNT: 1
Connection: keep-alive
Referer: https://lowtirtougaa.com/afu.php?zoneid=8528901&var=1181303&ymid=4164312235708746617
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin

HTTP/2 200 OK
server: nginx
date: Sun, 01 Jun 2025 15:49:07 GMT
content-length: 0
strict-transport-security: max-age=1
x-content-type-options: nosniff
timing-allow-origin: *
X-Firefox-Spdy: h2

lowtirtougaa.com/?z=8528901&syncedCookie=true&rhd=false

139.45.197.106

302 Found

242 B

URL User Request POST
lowtirtougaa.com/?z=8528901&syncedCookie=true&rhd=false
IP
139.45.197.106:443
ASN
#9002 RETN Limited

Certificate
IssuerLet's Encrypt
Subjectlowtirtougaa.com
FingerprintBD:13:94:E5:3A:E7:8D:27:8B:69:09:EA:7D:1C:01:AF:AA:9A:5A:18
ValidityMon, 12 May 2025 11:44:09 GMT - Sun, 10 Aug 2025 11:44:08 GMT

File type

Size
242 B (242 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

POST /?z=8528901&syncedCookie=true&rhd=false HTTP/1.1
Host: lowtirtougaa.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 3332
Origin: https://lowtirtougaa.com
DNT: 1
Connection: keep-alive
Referer: https://lowtirtougaa.com/afu.php?zoneid=8528901&var=8528901&rid=ksX-wKK1z8yLZCaWKyzJyw%3D%3D&rhd=false&ab2r=0&sf=1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 302 Found
server: nginx
date: Sun, 01 Jun 2025 15:49:07 GMT
content-length: 0
location: https://s.click.aliexpress.com/e/_ooXP3cN?af=8528901&dp=953069294500189151
x-trace-id: 2ac89573578a2d3a99a53a593219cb6f
link: <https://s.click.aliexpress.com>; rel="preconnect dns-prefetch"
referrer-policy: no-referrer
accept-ch: Sec-CH-UA, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
access-control-allow-origin: https://lowtirtougaa.com
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: Accept, Content-Type, Content-Length, Accept-Encoding, baggage, sentry-trace, favicon
access-control-max-age: 86400
pragma: no-cache
cache-control: no-transform, no-store, no-cache, must-revalidate, max-age=0
expires: Tue, 11 Jan 1994 10:00:00 GMT
set-cookie: OAID=0081dbe884804a70eedc3fa1d905db63; expires=Mon, 01 Jun 2026 15:49:07 GMT; path=/; secure; SameSite=None
oaidts=1748792947; expires=Mon, 01 Jun 2026 15:49:07 GMT; path=/; secure; SameSite=None
syncedCookie=; expires=Tue, 10 Nov 2009 23:00:00 GMT
strict-transport-security: max-age=1
x-content-type-options: nosniff
timing-allow-origin: *, *
X-Firefox-Spdy: h2

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

Quad9 DNS

ThreatFox

JavaScript (3)

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

HTTP Transactions (12)

URL User Request GET

IP

ASN

Certificate

File type

Size

Hash

HTTP Headers

URL User Request GET

IP

ASN

Certificate

File type

Size

Hash

HTTP Headers

URL GET

IP

ASN

Requested by

Certificate

File type

Size

Hash

HTTP Headers

URL GET

IP

ASN

Requested by

Certificate

File type

Size

Hash

HTTP Headers

URL GET

IP

ASN

Requested by

Certificate

File type

Size

Hash

Detections

HTTP Headers

URL User Request GET

IP