{"report_id":"2d52ddc3-53c8-4437-9cd1-33504978b127","version":6,"status":"done","tags":["suspicious","telegram_bot"],"date":"2026-02-21T00:24:43Z","url":{"schema":"http","addr":"mail-iogin.com","fqdn":"mail-iogin.com","domain":"mail-iogin.com","tld":"com"},"ip":{"addr":"45.74.47.68","port":0,"asn":9009,"as":"M247 Europe SRL","country":"Germany","country_code":"DE"},"final":{"url":{"schema":"https","addr":"mail-iogin.com/","fqdn":"mail-iogin.com","domain":"mail-iogin.com","tld":"com"},"title":"Sign in","dom":{"size":39,"mime_type":"text/html; charset=utf-8","magic":"HTML document, ASCII text, with no line terminators","md5":"086707e4369f60afedcafb16050a7618","sha1":"8216b0cc6876cbd44f01c158e7dff3833ceccd41","sha256":"a7fe83ec64bb23eb28090598db3d166ed98e52e39d1afbbfd74c579553f93e4e","sha512":"aade21843813e2cab329b99185c6f61db7907a556ea974e0315dcf3ad967cab20fee66d4f10db0d0ec43a71e086ce6d700d5524103deaefa3ce5f6be74ba5737","ssdeep":"","tlshash":"6a9000fee0a2000efc303bc00cc2238a0c28c3a830028e002ac038b8c80822bcc032c8","dom_hash":"domhash1f07f384c75181c66badb60ab1ec770b","first_seen":"","last_seen":"","times_seen":0,"resource_available":false,"data":null}},"submit":{"url":{"schema":"http","addr":"mail-iogin.com","fqdn":"mail-iogin.com","domain":"mail-iogin.com","tld":"com"},"ip":{"addr":"45.74.47.68","port":0,"asn":9009,"as":"M247 Europe SRL","country":"Germany","country_code":"DE"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-03-28T00:24:43Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":2,"analyzer":4}},"detection":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2026-02-21","alert":"Detects file containing Telegram Bot API","trigger":"mail-iogin.com/","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"rectifyq","date":"2024-09-07","description":"Detects file containing Telegram Bot API","rule":"telegram_bot_api","yarahub_author_twitter":"@_rectifyq","yarahub_license":"CC0 1.0","yarahub_reference_md5":"9DA48D34DC999B4E05E0C6716A3B3B83","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"58c9e4fe-d1e9-46ed-913c-dba943ac16d6"}},{"sensor_name":"cloudflare_dns","sensor_type":"DNS","title":"Cloudflare DNS","description":"Cloudflare DNS","scan_date":"2026-02-21","alert":"Sinkholed","trigger":"mail-iogin.com","verdict":"malicious","severity":"medium","comment":"","link":"https://www.cloudflare.com/application-services/products/dns/","meta":null},{"sensor_name":"ultradns","sensor_type":"DNS","title":"DigiCert UltraDNS","description":"DigiCert UltraDNS","scan_date":"2026-02-21","alert":"Sinkholed","trigger":"mail-iogin.com","verdict":"malicious","severity":"medium","comment":"","link":"https://vercara.digicert.com/ultra-dns-public","meta":null},{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2026-02-21","alert":"Sinkholed","trigger":"mail-iogin.com","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null}]},"summary":[{"fqdn":"mail-iogin.com","ip":{"addr":"45.74.47.68","port":443,"asn":9009,"as":"M247 Europe SRL","country":"Germany","country_code":"DE"},"domain_registered":"2026-02-20","domain_rank":0,"first_seen":"2026-02-21T00:24:43.626377Z","last_seen":"2026-02-21T00:24:43.626377Z","alert_count":5,"request_count":1,"received_data":84925,"sent_data":483,"comment":"","tags":null,"fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]},{"name":"Plesk","description":"Plesk is a web hosting and server data centre automation software with a control panel developed for Linux and Windows-based retail hosting service providers.","website":"https://www.plesk.com","common_platform_enumeration":"cpe:2.3:a:parallels:parallels_plesk_panel:*:*:*:*:*:*:*:*","icon":"Plesk.svg","categories":["Hosting panels"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":[{"url":{"schema":"https","addr":"mail-iogin.com/","fqdn":"mail-iogin.com","domain":"mail-iogin.com","tld":"com"},"ip":{"addr":"45.74.47.68","port":443,"asn":9009,"as":"M247 Europe SRL","country":"Germany","country_code":"DE"},"md5":"899a5b56e61b904dca61dced082b9363","sha1":"7dc877eb066869a8c367cc49ade4f4225c7864f5","sha256":"ed5baa29c900da5f61d973cb2c56108c99fc37dee22c03eb93622d91ba12b741","sha512":"f9cb8f5bf75a9f1c0d9772988eb2406fbc2d6b62d09386652f1accc68f3c6ef4b7869f5bdfa90b4a97ec80bd1e7c78ff3fea78548d24f432467d7f0a78342515","size":741,"token":"8260179957:AAEK6UetrqQmTB1LAJKCdaNoXQmsN6lOFd8","is_revoked":false,"bot":{"token":"8260179957:AAEK6UetrqQmTB1LAJKCdaNoXQmsN6lOFd8","user_id":"8260179957","username":"dzyllmll_bot","first_name":"dzyllmll","last_name":"","chat":{"chat_id":"-1003763772461","title":"MAILQUENTE📨","type":"supergroup","bot_is":"member","total_users":3,"active_members":null,"admins":[{"user_id":7329544535,"username":"cha0sm1nd","first_name":"ㅤ","last_name":"","is_bot":false}]},"pending_messages":1}}],"pdfs":null,"clipboard":null},"sensors":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null}]},"javascript":{"script":[{"url":{"schema":"https","addr":"mail-iogin.com/","fqdn":"mail-iogin.com","domain":"mail-iogin.com","tld":"com"},"ip":{"addr":"45.74.47.68","port":443,"asn":9009,"as":"M247 Europe SRL","country":"Germany","country_code":"DE"},"introduction_type":"scriptElement","is_inline":true,"md5":"899a5b56e61b904dca61dced082b9363","sha1":"7dc877eb066869a8c367cc49ade4f4225c7864f5","sha256":"ed5baa29c900da5f61d973cb2c56108c99fc37dee22c03eb93622d91ba12b741","sha512":"f9cb8f5bf75a9f1c0d9772988eb2406fbc2d6b62d09386652f1accc68f3c6ef4b7869f5bdfa90b4a97ec80bd1e7c78ff3fea78548d24f432467d7f0a78342515","ssdeep":"","tlshash":"df0110ea746438e51f6e612f31af6548696f61116d26c840c92d40960f2ce8b2e7b7c4","size":741,"data":"","first_seen":"2026-02-16T02:46:41.097654Z","last_seen":"2026-03-12T21:21:06.432472Z","times_seen":11,"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2026-02-21","alert":"Detects file containing Telegram Bot API","trigger":"mail-iogin.com/","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"rectifyq","date":"2024-09-07","description":"Detects file containing Telegram Bot API","rule":"telegram_bot_api","yarahub_author_twitter":"@_rectifyq","yarahub_license":"CC0 1.0","yarahub_reference_md5":"9DA48D34DC999B4E05E0C6716A3B3B83","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"58c9e4fe-d1e9-46ed-913c-dba943ac16d6"}}],"urlquery":null}}],"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"mail-iogin.com/","fqdn":"mail-iogin.com","domain":"mail-iogin.com","tld":"com"},"ip":{"addr":"45.74.47.68","port":443,"asn":9009,"as":"M247 Europe SRL","country":"Germany","country_code":"DE"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2026-02-21T00:23:47.780Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail-iogin.com","organization":""},"issuer":{"commonName":"R12","organization":"Let's Encrypt"},"validity":{"start":"Fri, 20 Feb 2026 13:46:40 GMT","end":"Thu, 21 May 2026 13:46:39 GMT"},"fingerprint":{"sha1":"F5:EE:E7:3D:23:37:DB:6C:C7:B1:B7:63:45:76:88:4A:84:0F:F8:B7","sha256":"B4:13:08:A7:0F:E1:07:BD:CF:B0:A3:5E:E0:65:BF:9C:F6:0E:B3:4A:11:86:04:BB:B3:65:40:3E:4E:E4:EB:F9"}}},"request":{"raw":"GET / HTTP/1.1\r\nHost: mail-iogin.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\nserver: nginx\r\ndate: Sat, 21 Feb 2026 00:23:48 GMT\r\ncontent-type: text/html\r\nlast-modified: Thu, 29 Jan 2026 13:16:53 GMT\r\netag: W/\"697b5dc5-14ad5\"\r\nx-powered-by: PleskLin\r\ncontent-encoding: br\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]},{"name":"Plesk","description":"Plesk is a web hosting and server data centre automation software with a control panel developed for Linux and Windows-based retail hosting service providers.","website":"https://www.plesk.com","common_platform_enumeration":"cpe:2.3:a:parallels:parallels_plesk_panel:*:*:*:*:*:*:*:*","icon":"Plesk.svg","categories":["Hosting panels"]}],"data":{"size":84693,"size_decoded":0,"mime_type":"text/html","magic":"HTML document, ASCII text, with very long lines (65000)","md5":"0bcce827e825b31f72ee82daa169567f","sha1":"124a4a0b89cf655fa14a09ff1419d32cd17def62","sha256":"37201ecb2fd77865e075f8dda91f7565834e6421996d4c0782224062ee493c5c","sha512":"6ad06a75c5a1a4598735041b201255f79af0ca69877b810f22f380cf7521b98629cdfcccf4a5056dc9dc06be19d22c643c705232eda9ecd7497f8b2cd28382b0","ssdeep":"1536:UQVIxDqYy1xIRIWrnoombBmySLqdMAHN+pz+J3KtAFtTFFesb3:UQVIy6RGombBmySLqdMAHN+pzuFPb3","tlshash":"918373b8d20058beb31fbf3a7164bc946fe6e55399430be9bfd1a4386d895d208de101","first_seen":"2026-02-16T02:46:41.09649Z","last_seen":"2026-03-12T21:21:06.430926Z","times_seen":11,"resource_available":false,"data":null}},"time_used":685,"timings":{"blocked":243,"dns":39,"connect":99,"send":0,"wait":200,"receive":0,"ssl":102},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2026-02-21","alert":"Detects file containing Telegram Bot API","trigger":"mail-iogin.com/","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"rectifyq","date":"2024-09-07","description":"Detects file containing Telegram Bot API","rule":"telegram_bot_api","yarahub_author_twitter":"@_rectifyq","yarahub_license":"CC0 1.0","yarahub_reference_md5":"9DA48D34DC999B4E05E0C6716A3B3B83","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"58c9e4fe-d1e9-46ed-913c-dba943ac16d6"}},{"sensor_name":"cloudflare_dns","sensor_type":"DNS","title":"Cloudflare DNS","description":"Cloudflare DNS","scan_date":"2026-02-21","alert":"Sinkholed","trigger":"mail-iogin.com","verdict":"malicious","severity":"medium","comment":"","link":"https://www.cloudflare.com/application-services/products/dns/","meta":null},{"sensor_name":"ultradns","sensor_type":"DNS","title":"DigiCert UltraDNS","description":"DigiCert UltraDNS","scan_date":"2026-02-21","alert":"Sinkholed","trigger":"mail-iogin.com","verdict":"malicious","severity":"medium","comment":"","link":"https://vercara.digicert.com/ultra-dns-public","meta":null},{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2026-02-21","alert":"Sinkholed","trigger":"mail-iogin.com","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null}]}}]}