Report - killredls.pw/apiVY

Report Overview

Visited public
2023-11-25 23:39:03
Tags
URL
killredls.pw/apiVY
Finishing URL
killredls.pw/apiVY
IP / ASN
172.67.209.38
#13335 CLOUDFLARENET
Title
Just a moment...

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
killredls.pw	unknown	2023-11-08	2023-11-09 02:02:19	2023-11-25 20:16:31	1.6 kB	14 kB	104.21.53.57

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Timestamp	Severity	Source IP	Destination IP	Alert
2023-11-25 23:38:49	medium	Client IP	Internal IP	ET DNS Query to a *.pw domain - Likely Hostile
2023-11-25 23:38:49	medium	Client IP	Internal IP	ET DNS Query to a *.pw domain - Likely Hostile
2023-11-25 23:38:49	medium	Client IP	Internal IP	ET DNS Query to a *.pw domain - Likely Hostile
2023-11-25 23:38:49	medium	Client IP	Internal IP	ET DNS Query to a *.pw domain - Likely Hostile
2023-11-25 23:38:49	high	Client IP	104.21.53.57	ThreatFox botnet C2 traffic (url - confidence level: 100%)
2023-11-25 23:38:49	low	Client IP	104.21.53.57	ET INFO HTTP Request to a *.pw domain
2023-11-25 23:38:49	medium	Client IP	Internal IP	ET DNS Query to a *.pw domain - Likely Hostile
2023-11-25 23:38:49	low	Client IP	172.67.209.38	ET INFO HTTP Request to a *.pw domain
2023-11-25 23:38:49	medium	Client IP	Internal IP	ET DNS Query to a *.pw domain - Likely Hostile
2023-11-25 23:38:49	low	Client IP	172.67.209.38	ET INFO HTTP Request to a *.pw domain
2023-11-25 23:38:49	medium	Client IP	Internal IP	ET DNS Query to a *.pw domain - Likely Hostile
2023-11-25 23:38:49	low	Client IP	172.67.209.38	ET INFO HTTP Request to a *.pw domain

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

Scan Date	Severity	Indicator	Alert
2023-11-25	medium	killredls.pw	Sinkholed
2023-11-25	medium	killredls.pw	Sinkholed
2023-11-25	medium	killredls.pw	Sinkholed
2023-11-25	medium	killredls.pw	Sinkholed

Quad9 DNS

Scan Date	Severity	Indicator	Alert
2023-11-25	medium	killredls.pw	Sinkholed
2023-11-25	medium	killredls.pw	Sinkholed
2023-11-25	medium	killredls.pw	Sinkholed
2023-11-25	medium	killredls.pw	Sinkholed

ThreatFox

Scan Date	Severity	Indicator	Alert
2023-11-17	medium	killredls.pw	Lumma Stealer
2023-11-17	medium	killredls.pw	Lumma Stealer
2023-11-17	medium	killredls.pw	Lumma Stealer
2023-11-17	medium	killredls.pw	Lumma Stealer

JavaScript (1)

	URL	From	Size	First Seen	Last Seen
	killredls.pw/apiVY	ScriptElement	3.9 kB	2024-08-20	2024-08-20
Pretty URL killredls.pw/apiVY IP 104.21.53.57 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML true Observations First Seen2024-08-20 17:55 Last Seen2024-08-20 17:55 Times Seen1 Hash 3a4d4e78b9a57ccfd9050878223818fa 9fa41da5c66ad64dce590e506294f157a2954f1c 2f4255820c448b6eea62f5c65f558e2fc34b7615e509c5d5317f0048bb95879b Loading...

HTTP Transactions (4)

URL IP Response Size

killredls.pw/apiVY

104.21.53.57

403 Forbidden

3.1 kB

URL User Request GET HTTP/1.1
killredls.pw/apiVY
IP
104.21.53.57:80
ASN
#13335 CLOUDFLARENET

File type
HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- exported SGML document, ASCII text, with very long lines (4698), with no line terminators
Size
3.1 kB (3110 bytes)
Hash
687809233405abd1db21438ec07db685
88c2b55fb21a487f65126bc4f662fe428cd3178e
c1f757ffa9fa1f5ffaa774b205aa8b3b1496fb0d1232ef319e35a1675425e76e

Detections

Analyzer	Verdict	Alert
ThreatFox	malicious	Lumma Stealer
mnemonic secure dns	malicious	Sinkholed
Quad9 DNS	malicious	Sinkholed

NIDS	Severity	Alert
suricata	high	ThreatFox botnet C2 traffic (url - confidence level: 100%)
suricata	low	ET INFO HTTP Request to a *.pw domain

HTTP Headers

GET /apiVY HTTP/1.1
Host: killredls.pw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 403 Forbidden
Date: Sat, 25 Nov 2023 23:38:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EjbvolP%2BkJJbny6WTDCNJL1EpfU9M1Usp0bYhpCYoa3Xtjc%2FxelzF5IpuCJHksu8Quepz%2FKMX81EptwIoucEZy%2BZH7BSJ2TUEC4S6BAOAwEOAAKtYJoD7dznfnd%2Fhiw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 82bdba260f4f56ae-OSL
Content-Encoding: gzip

killredls.pw/cdn-cgi/styles/challenges.css

172.67.209.38

200 OK

2.6 kB

URL GET HTTP/1.1
killredls.pw/cdn-cgi/styles/challenges.css
IP
172.67.209.38:80
ASN
#13335 CLOUDFLARENET

Requested by
http://killredls.pw/apiVY

File type
ASCII text, with very long lines (6600), with no line terminators
Size
2.6 kB (2624 bytes)
Hash
2c78b7f8fa496092bf41d5edd51611e7
8b0b1b276e8194b0a5497db478ec2ea9b4f83c42
2b0bd09c1cc7119d27e45353a59bf6c2721563e1689853ff704057a7439508d2

Detections

Analyzer	Verdict	Alert
ThreatFox	malicious	Lumma Stealer
mnemonic secure dns	malicious	Sinkholed
Quad9 DNS	malicious	Sinkholed

NIDS	Severity	Alert
suricata	low	ET INFO HTTP Request to a *.pw domain

HTTP Headers

GET /cdn-cgi/styles/challenges.css HTTP/1.1
Host: killredls.pw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://killredls.pw/apiVY
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sat, 25 Nov 2023 23:38:46 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 16 Nov 2023 21:55:48 GMT
ETag: W/"65568fe4-19c8"
Server: cloudflare
CF-RAY: 82bdba2858b8b523-OSL
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
Expires: Sun, 26 Nov 2023 01:38:46 GMT
Cache-Control: max-age=7200, public
Content-Encoding: gzip

killredls.pw/cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=82bdba260f4f56ae

172.67.209.38

200 OK

1.9 kB

URL GET HTTP/1.1
killredls.pw/cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=82bdba260f4f56ae
IP
172.67.209.38:80
ASN
#13335 CLOUDFLARENET

Requested by
http://killredls.pw/apiVY

File type
HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- exported SGML document text\012- exported SGML document, ASCII text, with very long lines (394)
Size
1.9 kB (1940 bytes)
Hash
f0c80863d22e27b621ae0b957ab0c986
892dbe026a7130adae6e57ea24b1146cdf1854ae
26f16813eb9d539c77ebec5ab4cfe83ef3478544f75dd07e811cc49dd09f2d4d

Detections

Analyzer	Verdict	Alert
ThreatFox	malicious	Lumma Stealer
mnemonic secure dns	malicious	Sinkholed
Quad9 DNS	malicious	Sinkholed

NIDS	Severity	Alert
suricata	low	ET INFO HTTP Request to a *.pw domain

HTTP Headers

GET /cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=82bdba260f4f56ae HTTP/1.1
Host: killredls.pw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://killredls.pw/apiVY?__cf_chl_rt_tk=HR4KbWmmbcxLMkTqs0JUivoQ6dN1TkJXPU6Mxa1NCPg-1700955526-0-gaNycGzNBeU
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sat, 25 Nov 2023 23:38:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yZkbu7YfJbWjO1%2B8sabwn6MYGxymly7phPP3SuGq2Hhs2HQgsb6kJp2GTXffjQx1d0NQAQZWLqpKmtMaect8SfJui0babwLnb0Yd6XgDHVFtxFbnMS1R8CAfBwnybso%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 82bdba2888e3b523-OSL
Content-Encoding: gzip

killredls.pw/favicon.ico

172.67.209.38

403 Forbidden

3.1 kB

URL GET HTTP/1.1
killredls.pw/favicon.ico
IP
172.67.209.38:80
ASN
#13335 CLOUDFLARENET

Requested by
http://killredls.pw/apiVY

File type
HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- exported SGML document, ASCII text, with very long lines (4724), with no line terminators
Size
3.1 kB (3121 bytes)
Hash
e898855b55e9aebfc3874f5a01d755b3
67b0d614b3d1f667bcdc2231601a37c1f50d78c6
75a5ad87d6ea2e8aa78120ebf2da38d6ff0b6d56cf2bd5d57fb27ac3f38809a9

Detections

Analyzer	Verdict	Alert
ThreatFox	malicious	Lumma Stealer
mnemonic secure dns	malicious	Sinkholed
Quad9 DNS	malicious	Sinkholed

NIDS	Severity	Alert
suricata	low	ET INFO HTTP Request to a *.pw domain

HTTP Headers

GET /favicon.ico HTTP/1.1
Host: killredls.pw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://killredls.pw/apiVY
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 403 Forbidden
Date: Sat, 25 Nov 2023 23:38:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ZNHUZA7IE3rP2RV2ccSYRB7JLRiUDh%2FrOTG3S%2FD574t2xnb6CP0V5cwbtfuFG9yotxRfvNzGTgRNEw42abSiZ5lGueD12BADiFx4QOdjyZIeu0QvwJqnXA7V9y1QMbY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 82bdba28e93db523-OSL
Content-Encoding: gzip

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

JavaScript (1)

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

HTTP Transactions (4)

URL User Request GET HTTP/1.1

IP

ASN

File type

Size

Hash

Detections

HTTP Headers

URL GET HTTP/1.1

IP

ASN

Requested by

File type

Size

Hash

Detections

HTTP Headers

URL GET HTTP/1.1

IP

ASN

Requested by

File type

Size

Hash

Detections

HTTP Headers

URL GET HTTP/1.1

IP

ASN

Requested by

File type

Size

Hash

Detections

HTTP Headers