URL User Request GET HTTP/1.1 IP 172.67.196.107:80
File type gzip compressed data, from Unix; data
Hash (MD5) 0f31f6284e17e3a3b7037ef8300608d8
Hash (SHA-1) 1a2c2840b49558fd1c4e4e4981d6cde6bf4fcad1
Hash (SHA-256) 867f676754ca370d6f6c9c9b60195b3d7840ca66f241e24647f821a1974ddd77
Analyzer             Verdict    Alert
ThreatFox            malicious  Lumma Stealer
mnemonic secure dns  malicious  Sinkholed
Quad9 DNS            malicious  Sinkholed
NIDS      Severity  Alert
suricata  high      ThreatFox botnet C2 traffic (url - confidence level: 100%)
suricata  low       ET INFO HTTP Request to a *.pw domain
GET /api7 HTTP/1.1
Host: taretool.pw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
HTTP/2 301 Moved Permanently
date: Sun, 26 Nov 2023 03:33:49 GMT
location: http://taretool.pw/api7
cache-control: max-age=3600
expires: Sun, 26 Nov 2023 04:33:49 GMT
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fQ0BVY0IP52Y8wfvWjzkRSK3MtK6H3QxWLKXRHP3ClJIUnJFj6S3fPPnzavHJ4SegRPqSQzEv2N6QLBib7Fawsn1dJyTxwXql9UkRpF3p6wDWZqDYa5hJsuW100KQQ%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 82bf12793db856aa-OSL
X-Firefox-Spdy: h2
taretool.pw/cdn-cgi/styles/challenges.css
172.67.196.107 200 OK 2.6 kB URL GET HTTP/1.1 taretool.pw/cdn-cgi/styles/challenges.css
IP 172.67.196.107:80
File type ASCII text, with very long lines (6600), with no line terminators
Hash (MD5) 2c78b7f8fa496092bf41d5edd51611e7
Hash (SHA-1) 8b0b1b276e8194b0a5497db478ec2ea9b4f83c42
Hash (SHA-256) 2b0bd09c1cc7119d27e45353a59bf6c2721563e1689853ff704057a7439508d2
Analyzer             Verdict    Alert
ThreatFox            malicious  Lumma Stealer
mnemonic secure dns  malicious  Sinkholed
Quad9 DNS            malicious  Sinkholed
NIDS      Severity  Alert
suricata  low       ET INFO HTTP Request to a *.pw domain
GET /cdn-cgi/styles/challenges.css HTTP/1.1
Host: taretool.pw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://taretool.pw/api7
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 26 Nov 2023 03:33:50 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 16 Nov 2023 21:55:48 GMT
ETag: W/"65568fe4-19c8"
Server: cloudflare
CF-RAY: 82bf127c3f9b7128-OSL
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
Expires: Sun, 26 Nov 2023 05:33:50 GMT
Cache-Control: max-age=7200, public
Content-Encoding: gzip
taretool.pw/cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=82bf1279baa9b4ff
172.67.196.107 200 OK 1.9 kB URL GET HTTP/1.1 taretool.pw/cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=82bf1279baa9b4ff
IP 172.67.196.107:80
File type HTML document text; exported SGML document text; exported SGML document, ASCII text, with very long lines (394)
Hash (MD5) 81d6472c67d59bf4f07bf49cab45c380
Hash (SHA-1) 2f38038991fb5a83016f4dd8c994188b03ad1f66
Hash (SHA-256) c2d0bb71bea120ec2a97c8cc1df3c3f60ae40b1c12111ba5f0801d6587a6a0f1
Analyzer             Verdict    Alert
ThreatFox            malicious  Lumma Stealer
mnemonic secure dns  malicious  Sinkholed
Quad9 DNS            malicious  Sinkholed
NIDS      Severity  Alert
suricata  low       ET INFO HTTP Request to a *.pw domain
GET /cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=82bf1279baa9b4ff HTTP/1.1
Host: taretool.pw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://taretool.pw/api7?__cf_chl_rt_tk=62.Lm_Geff_XjTy_gXcfaiTjj2ZnlRqsGHVFgpgCd9o-1700969629-0-gaNycGzNBeU
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 26 Nov 2023 03:33:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=shNX%2FVXrZSw7Tsc0NlxcEzXw6Jm0%2BPi0%2F2LaZ%2F0gCxTkhTDMC6u1bCNMBFn9v89EEaD%2B9yaNIa0axbDni7xT27PBXoHIsW25Bfnedc7WEcRCTOMtim7v4S6HOYBlTg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 82bf127c8fbe7128-OSL
Content-Encoding: gzip
IP 172.67.196.107:80
File type HTML document text; exported SGML document, ASCII text, with very long lines (4719), with no line terminators
Hash (MD5) bd4e966f55883d2950e8f300f59f7980
Hash (SHA-1) ea196cb9c248b55036775a09628763712a455b57
Hash (SHA-256) b656b170c654a397bf94e5e65fe67c668f37053165efe93910ff1fd7131656e9
Analyzer             Verdict    Alert
ThreatFox            malicious  Lumma Stealer
mnemonic secure dns  malicious  Sinkholed
Quad9 DNS            malicious  Sinkholed
NIDS      Severity  Alert
suricata  low       ET INFO HTTP Request to a *.pw domain
GET /favicon.ico HTTP/1.1
Host: taretool.pw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://taretool.pw/api7
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 403 Forbidden
Date: Sun, 26 Nov 2023 03:33:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yek%2F83XOCqL5yArzGm3SLUTmGWW8WoNiLeFAbkamf3THdxcCin1JdhLQo97BElW%2BCGiK%2FNnFlYrRREtYk%2F0yUsQ250iQz47FoVKTKYFT8sP9p8jw9H59EuTefUa7NA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 82bf127cffde7128-OSL
Content-Encoding: gzip