{"report_id":"399df39b-a096-4c3c-9863-67e56d918d1f","version":6,"status":"done","tags":["phishing","tycoon","aitm"],"date":"2025-09-30T05:02:30Z","url":{"schema":"http","addr":"object.zoocreatre.ru/W6ySisw@S/*c3Voby5rYW5nQHNsdXJwbWFpbC5uZXQ=","fqdn":"object.zoocreatre.ru","domain":"zoocreatre.ru","tld":"ru"},"ip":{"addr":"104.21.5.4","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"final":{"url":{"schema":"https","addr":"object.zoocreatre.ru/W6ySisw@S/*c3Voby5rYW5nQHNsdXJwbWFpbC5uZXQ=","fqdn":"object.zoocreatre.ru","domain":"zoocreatre.ru","tld":"ru"},"title":"​"},"submit":{"url":{"schema":"http","addr":"object.zoocreatre.ru/W6ySisw@S/*c3Voby5rYW5nQHNsdXJwbWFpbC5uZXQ=","fqdn":"object.zoocreatre.ru","domain":"zoocreatre.ru","tld":"ru"},"ip":{"addr":"104.21.5.4","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-11-04T05:02:30Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":2,"analyzer":1}},"detection":{"ids":null,"analyzer":[{"sensor_name":"dns0","sensor_type":"DNS","title":"DNS0 Zero","description":"DNS0 Zero","scan_date":"2025-09-30","alert":"Sinkholed","trigger":"object.zoocreatre.ru","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS (SOA: negative-caching.dns0.eu)","link":"https://www.dns0.eu/zero","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Tycoon Phishing Kit","verdict":"phishing","severity":"high","comment":"","tags":["phishing","tycoon","aitm"],"meta":null},{"sensor_name":"urlquery","alert":"Phishing - Tycoon Phishing Kit","verdict":"phishing","severity":"high","comment":"","tags":["phishing","tycoon","aitm"],"meta":null}]},"summary":[{"fqdn":"object.zoocreatre.ru","ip":{"addr":"104.21.5.4","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"domain_registered":"2025-09-19","domain_rank":0,"first_seen":"2025-09-30T03:26:45.43704Z","last_seen":"2025-09-30T03:26:45.43704Z","alert_count":4,"request_count":2,"received_data":18615,"sent_data":1745,"comment":"","tags":null,"fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Tycoon Phishing Kit","verdict":"phishing","severity":"high","comment":"","tags":["phishing","tycoon","aitm"],"meta":null}]},"javascript":{"script":[{"url":{"schema":"https","addr":"object.zoocreatre.ru/W6ySisw@S/*c3Voby5rYW5nQHNsdXJwbWFpbC5uZXQ=","fqdn":"object.zoocreatre.ru","domain":"zoocreatre.ru","tld":"ru"},"ip":{"addr":"104.21.5.4","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"introduction_type":"scriptElement","is_inline":true,"md5":"f52de940d592467787a8ab4d7de92d2e","sha1":"d80049a5369d1b15210eca00383a2a571322e2ee","sha256":"b653a5e9c3643b5c29df4afb6b66c4d1be4b27e1c8d98659b425efd66cc70765","sha512":"fb7e992a923867a57ee3ff180973b38973378856903d1b491175d49fde9b3e2618fd22c9b0682fa08aa901da198fadc2faafc84cbaa448366bc3187ebdde2d68","ssdeep":"","tlshash":"6a01d077311b1d7a0cce9dbf94e5fa68791000813d40e881207c8c2dae27c82967f5d8","size":754,"data":"","first_seen":"2025-09-30T05:02:31.530986Z","last_seen":"2025-09-30T05:02:31.530986Z","times_seen":1,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}],"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"object.zoocreatre.ru/W6ySisw@S/*c3Voby5rYW5nQHNsdXJwbWFpbC5uZXQ=","fqdn":"object.zoocreatre.ru","domain":"zoocreatre.ru","tld":"ru"},"ip":{"addr":"104.21.5.4","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-09-30T05:02:05.370Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"zoocreatre.ru","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Fri, 19 Sep 2025 20:36:23 GMT","end":"Thu, 18 Dec 2025 21:34:53 GMT"},"fingerprint":{"sha1":"58:BC:83:6E:75:97:C8:A2:62:B0:5D:FE:FC:AA:A9:CF:9F:5A:79:79","sha256":"D5:29:BD:DE:87:BC:06:08:C0:95:C2:D5:BE:26:FD:D4:BB:84:B0:D2:12:E7:3B:25:DD:B1:73:99:F2:FB:07:AE"}}},"request":{"raw":"GET /W6ySisw@S/*c3Voby5rYW5nQHNsdXJwbWFpbC5uZXQ= HTTP/1.1\r\nHost: object.zoocreatre.ru\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Tue, 30 Sep 2025 05:02:06 GMT\r\ncontent-type: text/html; charset=UTF-8\r\nserver: cloudflare\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=wen%2BntV4xbwJGwcaR4Ge%2BvP8bM2BKA2iJLYUXNonFiYRH4D3GNT04O%2FAKLJJW5oavfXPfEHiahRh0J3oxlvJHwchSiAfgPBJBLY09HIxr2M%3D\"}]}\r\ncache-control: no-cache, private\r\nvary: accept-encoding\r\ncf-cache-status: DYNAMIC\r\ncontent-encoding: br\r\nset-cookie: XSRF-TOKEN=eyJpdiI6InNtWm9lSittM2xScTk2QkE5ZTh5UEE9PSIsInZhbHVlIjoid3hjRU9iWm5JcHF2WlB1d0J2T0JyaTkweWs0ZEozUHJaWk5sN20rM0xhSU9aWmNGaE5TcE1ObnRKbDhpbjZKUEczREF2RU9MWS9tQWVGMjhsWnEvYmpTaUl0c29XV0VJUG8rdW9RVmhyZFB4bForL1ZqR1JRdWgzbm15cWErWmUiLCJtYWMiOiI4Y2EwYTVjYTE3YTBmN2RlMDQxNDc5YTc5ZmVjMjU4ZDVkMmI3OTE2OTM1Yjk0MGFlNzc1OGEzMDEwZDYwZjYxIiwidGFnIjoiIn0%3D; SameSite=None; Secure; Path=/; Max-Age=7200; Expires=Tue, 30 Sep 2025 07:02:06 GMT\nlaravel_session=eyJpdiI6IktYWi90cnNSMG5KdkJXb0xEbVJXN2c9PSIsInZhbHVlIjoiR0pjSHVYQ2pTRzlCeVUzVUlaRlVYOWpMUlJWV3Q0S0UzTUtXUVMvalBvM2FqWi9NY1dxTXBuL3hubHZ5d3RWN1d3eGluRGxvaWlubVJIYXVQVDZPUGR5d0lhTWNUbXB0MWdjanhiQmtHcmp6MkFzazZCM1gzT0NvVytwOHE1dXUiLCJtYWMiOiI4MWE3ZTRjNDM0OTMzODQ3ZmVhYjEzYjg4MDZhNDlmYTgxOWRkZWI0ZTkxYTk5YzlmNzlkNWJjOTA5NjA0MDgwIiwidGFnIjoiIn0%3D; HttpOnly; SameSite=None; Secure; Path=/; Max-Age=7200; Expires=Tue, 30 Sep 2025 07:02:06 GMT\r\ncf-ray: 98712a853c5e7127-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":7225,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"HTML document, Unicode text, UTF-8 text, with very long lines (7223), with no line terminators","md5":"449d07a67b63fcc467249f1df952735a","sha1":"91ec3993973a763922cc1b45019be698c6905979","sha256":"74a65a13fd1ba9835daf4aa1abfeca1527b6e957d59bd36b47b40c24096c00e4","sha512":"189afadfc885b0587c961f930b02d4761d29b1aa1d06a2339c75168d5b182002263242c57de8f4bec1a1ac55254b2d1c57a63d41b168201d4a742ccca6a7f67e","ssdeep":"192:NikLZ/tfH/vWqWFx2fBJeOOk+1TWKWS4eagcuXbvZS:Ee+1VVjs","tlshash":"eee1752322001039aa13d3d9abe5975d2158804af7826cbfa3ac037d4bdddedd76b590","first_seen":"2025-09-30T05:02:31.528532Z","last_seen":"2025-09-30T05:02:31.528532Z","times_seen":1,"resource_available":false,"data":null}},"time_used":1171,"timings":{"blocked":265,"dns":0,"connect":1,"send":0,"wait":641,"receive":0,"ssl":262},"alerts":{"ids":null,"analyzer":[{"sensor_name":"dns0","sensor_type":"DNS","title":"DNS0 Zero","description":"DNS0 Zero","scan_date":"2025-09-30","alert":"Sinkholed","trigger":"object.zoocreatre.ru","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS (SOA: negative-caching.dns0.eu)","link":"https://www.dns0.eu/zero","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Tycoon Phishing Kit","verdict":"phishing","severity":"high","comment":"","tags":["phishing","tycoon","aitm"],"meta":null}]}},{"url":{"schema":"https","addr":"object.zoocreatre.ru/favicon.ico","fqdn":"object.zoocreatre.ru","domain":"zoocreatre.ru","tld":"ru"},"ip":{"addr":"104.21.5.4","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://object.zoocreatre.ru/W6ySisw@S/*c3Voby5rYW5nQHNsdXJwbWFpbC5uZXQ=","date":"2025-09-30T05:02:06.336Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"zoocreatre.ru","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Fri, 19 Sep 2025 20:36:23 GMT","end":"Thu, 18 Dec 2025 21:34:53 GMT"},"fingerprint":{"sha1":"58:BC:83:6E:75:97:C8:A2:62:B0:5D:FE:FC:AA:A9:CF:9F:5A:79:79","sha256":"D5:29:BD:DE:87:BC:06:08:C0:95:C2:D5:BE:26:FD:D4:BB:84:B0:D2:12:E7:3B:25:DD:B1:73:99:F2:FB:07:AE"}}},"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: object.zoocreatre.ru\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://object.zoocreatre.ru/W6ySisw@S/*c3Voby5rYW5nQHNsdXJwbWFpbC5uZXQ=\r\nCookie: XSRF-TOKEN=eyJpdiI6InNtWm9lSittM2xScTk2QkE5ZTh5UEE9PSIsInZhbHVlIjoid3hjRU9iWm5JcHF2WlB1d0J2T0JyaTkweWs0ZEozUHJaWk5sN20rM0xhSU9aWmNGaE5TcE1ObnRKbDhpbjZKUEczREF2RU9MWS9tQWVGMjhsWnEvYmpTaUl0c29XV0VJUG8rdW9RVmhyZFB4bForL1ZqR1JRdWgzbm15cWErWmUiLCJtYWMiOiI4Y2EwYTVjYTE3YTBmN2RlMDQxNDc5YTc5ZmVjMjU4ZDVkMmI3OTE2OTM1Yjk0MGFlNzc1OGEzMDEwZDYwZjYxIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IktYWi90cnNSMG5KdkJXb0xEbVJXN2c9PSIsInZhbHVlIjoiR0pjSHVYQ2pTRzlCeVUzVUlaRlVYOWpMUlJWV3Q0S0UzTUtXUVMvalBvM2FqWi9NY1dxTXBuL3hubHZ5d3RWN1d3eGluRGxvaWlubVJIYXVQVDZPUGR5d0lhTWNUbXB0MWdjanhiQmtHcmp6MkFzazZCM1gzT0NvVytwOHE1dXUiLCJtYWMiOiI4MWE3ZTRjNDM0OTMzODQ3ZmVhYjEzYjg4MDZhNDlmYTgxOWRkZWI0ZTkxYTk5YzlmNzlkNWJjOTA5NjA0MDgwIiwidGFnIjoiIn0%3D\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Tue, 30 Sep 2025 05:02:06 GMT\r\ncontent-type: text/html; charset=UTF-8\r\nserver: cloudflare\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\ncache-control: no-cache, private\r\nvary: accept-encoding\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=GqNqYya9k1J%2BW2%2B2t1Bzvio1GYBUKYe%2B%2FUH271Uze45fHutU%2FPhHsrQqdOsJ0lE%2BWKwZrj%2BvAc62GRaTv8FGP%2Bf0HKaPBUi3s8mylttmP5Y%3D\"}]}\r\ncf-cache-status: BYPASS\r\ncontent-encoding: br\r\nset-cookie: XSRF-TOKEN=eyJpdiI6IlZpRjRFOWUwQXluWWVKMElJZjg0UGc9PSIsInZhbHVlIjoiMC9EY2l2bUpiK1AwdG1rQ2lyalVpWTFKVHNuVDZXa0FPcTZrVG1QTnp1SFRpUStQLzNqNS9XbzE1eWlxWXBheDkvWTdDdXJOOFgwUVpnei9SRUVlSXFxTW9mUk1PNzU5V2EwV29rS2xhY0tHYTczR0VCUVhNN1plOEwyMkFIWngiLCJtYWMiOiIyYzVhYWFjZDAyYmYxNWZkZjBlMTBkNTA4MjQxOTQzMTI5NmIzNjFkOWJkNmY4MmJjNzM5MTVjOGEzNmY3OWVmIiwidGFnIjoiIn0%3D; SameSite=None; Secure; Path=/; Max-Age=7200; Expires=Tue, 30 Sep 2025 07:02:06 GMT\nlaravel_session=eyJpdiI6IkRWcjRZYTR5anRaaFQxQnRWL0x6S1E9PSIsInZhbHVlIjoieHhzZEVEbmJmcDdQZkdWVnYxV0FUdnRKeDByVFc4ejJacUtqbExQV2ZHOE1FdW9PS3ViVzJNeWtBdXJLSGVXQ0VZS2VydzM0U3ViU0lCNGZONlp5YjlFanh4cXBZSWErNDFLWWhWTjd6L3BvTjVvTmZTVnF2SWd6eXNMZHdpbkwiLCJtYWMiOiI1ODgxMjZhYWI5ZjkwMmMyZjcxMGUyMzVlMzRiZTg1YTQ1NTIzMGNjOTIzOTNmMDdiM2IwNGZjYWNmMTFiNmUyIiwidGFnIjoiIn0%3D; HttpOnly; SameSite=None; Secure; Path=/; Max-Age=7200; Expires=Tue, 30 Sep 2025 07:02:06 GMT\r\ncf-ray: 98712a899ef37127-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":8377,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"HTML document, ASCII text, with very long lines (317)","md5":"a9c530e2c5a14b9a586ee9419a9d40aa","sha1":"a2496e730ab3a4202ead3e5d36daeb1dc6100ca6","sha256":"89b7bcfe4a3df577e9b269fc601361a40a3f6f04463e548ed0f337fe159cbad9","sha512":"621f6baeb80b5cadcf043207d99de6cec65de78fb089d6f3bf34547f6fc7e92efa4a9e35c1e2854ccf155b9f6f6773a561c1654bea38e005ad663cb8931732d8","ssdeep":"96:uaTh/yOBJjRN3KJ2PO4u3Bnr94xccYp6UNNfvPlYf+lc2:uaThqOBJjzI2P0pcoUfA","tlshash":"a602526112f224bb10ab89e3b5611f72ace1c107ca6bc10571bd42a63feac42adc331d","first_seen":"2025-09-22T02:30:39.560105Z","last_seen":"2025-10-14T15:18:58.000163Z","times_seen":693,"resource_available":false,"data":null}},"time_used":599,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":599,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"dns0","sensor_type":"DNS","title":"DNS0 Zero","description":"DNS0 Zero","scan_date":"2025-09-30","alert":"Sinkholed","trigger":"object.zoocreatre.ru","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS (SOA: negative-caching.dns0.eu)","link":"https://www.dns0.eu/zero","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Tycoon Phishing Kit","verdict":"phishing","severity":"high","comment":"","tags":["phishing","tycoon","aitm"],"meta":null}]}}]}