Report - birdeye.cx/u3x40l#Tblah.blah@army.mil

Report Overview

Visited public
2025-03-28 20:46:32
Tags
suspicious phishing tycoon
URL
birdeye.cx/u3x40l#Tblah.blah@army.mil
Finishing URL
wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil
IP / ASN
52.72.49.79
#14618 AMAZON-AES
Title
Suspicious - Anti-debugging code
Phishing - Tycoon Phishing Kit

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
wsxg.onahcjctgyd.es	unknown	unknown	2025-03-28	2025-03-28	1.7 kB	1.1 MB	104.21.19.247
birdeye.cx	unknown	2021-04-16	2021-04-16	2025-03-25	485 B	1.1 MB	52.72.49.79
code.jquery.com	634	2005-12-10	2012-05-21	2025-03-26	427 B	90 kB	151.101.130.137

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

JavaScript (7)

	URL	From	Size	First Seen	Last Seen
	wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil	ScriptElement	362 kB	2025-03-28	2025-03-28
Pretty URL wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil IP 104.21.19.247 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2025-03-28 20:46 Last Seen2025-03-28 20:46 Times Seen1 Hash c681866e358196fe3ca12b2a7bbb68e7 f59da72513e15c0dff03efab8a09c08014d739be b08acf913eb10a9d056af26790e4d4e7bb3e326ade7ad767fb97bf16b0dca5de Loading...

	wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil	Eval	15 kB	2025-03-28	2025-03-28
Pretty URL wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil IP 104.21.19.247 ASN #13335 CLOUDFLARENET Introduced by eval Embedded in HTML false Observations First Seen2025-03-28 20:46 Last Seen2025-03-28 20:46 Times Seen1 Hash 2dccf1441f750510e0b1c4c3a11c5e23 8bc9af709bec4d7a1d8c606c0c5f59055a89cd17 40f8050eff28371bad40136b74a384f81f2683f4bf1d476816ecf2b94ab43d89 Loading...

	wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil	ScriptElement	1.1 MB	2025-03-28	2025-03-28
Pretty URL wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil IP 104.21.19.247 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML true Observations First Seen2025-03-28 20:46 Last Seen2025-03-28 20:46 Times Seen1 Hash d7b207a23148feeffc1860a9bc2c79cb fc3881ec17e8a1ba2ead20c4013ed76087a81091 41ec15fd257ee32ea190344c8dfa62a94d9f4c9eec4a7b06c425a8bcdde8d5a8 Loading...

	wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil	ScriptElement	39 kB	2025-03-28	2025-03-28
Pretty URL wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil IP 104.21.19.247 ASN #13335 CLOUDFLARENET Introduced by scriptElement Embedded in HTML false Observations First Seen2025-03-28 20:46 Last Seen2025-03-28 20:46 Times Seen1 Hash bcdde28f2a5d853be68623db9d6c7a0e 3d09f2b756d26c07ef4484961e4b0263d4a11da1 534c5d5bf1c96eebe646da70e32779dd5d3dd2fc90db56b9e2bdb39e1692d192 Loading...

	wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil	Eval	1.7 kB	2025-03-28	2025-03-28
Pretty URL wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil IP 104.21.19.247 ASN #13335 CLOUDFLARENET Introduced by eval Embedded in HTML false Observations First Seen2025-03-28 20:46 Last Seen2025-03-28 20:46 Times Seen1 Hash 7af1fb3cbbb10dcc4aa753b00f41927f b506fb9a337623590af476c7e8cf9e7bf104a340 b96a5f854d060b1d61a3b59388f6ba28e7a9c760204cd2c35ec051dc3ce7b8f2 Loading...

	code.jquery.com/jquery-3.6.0.min.js	ScriptElement	90 kB	2023-03-07	2025-06-13
Pretty URL code.jquery.com/jquery-3.6.0.min.js IP 151.101.130.137 ASN #54113 FASTLY Introduced by scriptElement Embedded in HTML false Observations First Seen2023-03-07 01:02 Last Seen2025-06-13 04:55 Times Seen213572 Hash 8fb8fee4fcc3cc86ff6c724154c49c42 b82d238d4e31fdf618bae8ac11a6c812c03dd0d4 ff1523fb7389539c84c65aba19260648793bb4f5e29329d2ee8804bc37a3fe6e Loading...

		Size	First Seen	Last Seen
	#1 Write - b014366b0121526f6eb73bb8c3617d89	290 kB	2025-03-28 20:46	2025-03-28 20:46
Pretty Observations First Seen2025-03-28 20:46 Last Seen2025-03-28 20:46 Times Seen1 Hash b014366b0121526f6eb73bb8c3617d89 7c0b49e757c5a585246c4cc0b388fcf7d03027ce 3de4978dd04e37d452c20a48dc3ebb6e917de8715958f1526aff63be40a26dc1 Loading...

HTTP Transactions (4)

URL IP Response Size

wsxg.onahcjctgyd.es/favicon.ico

104.21.19.247

404 Not Found

0 B

URL GET
wsxg.onahcjctgyd.es/favicon.ico
IP
104.21.19.247:443
ASN
#13335 CLOUDFLARENET

Requested by
https://wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil
Certificate
IssuerGoogle Trust Services
Subjectonahcjctgyd.es
Fingerprint84:45:91:9E:43:DD:25:50:E0:4D:8A:B6:1B:FC:A4:8F:F9:AA:CB:35
ValiditySun, 16 Mar 2025 01:15:04 GMT - Sat, 14 Jun 2025 02:12:40 GMT

File type

Size
0 B (0 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Tycoon Phishing Kit

HTTP Headers

GET /favicon.ico HTTP/1.1
Host: wsxg.onahcjctgyd.es
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://wsxg.onahcjctgyd.es/ottBXE/
Cookie: XSRF-TOKEN=eyJpdiI6Im40K1BPbGljODRLcmx1d2c4ZUFJTWc9PSIsInZhbHVlIjoiSXd6VW9yZEVFSUNEUzNLRFlsb3h1NFM5NFpRWGU3dWJ3Nmp4YlBKWXIrbkNRanN6bVdlUXJLRCtjclMrOVI4WFZBTUxPeXZCakpkZUl3dzZ6NEFzNUtlWko2d3NmZnAwM1NOdmdvOHBFbUl5YTBjOHM2czNROHAxLzl2Y3R1SkMiLCJtYWMiOiJkNWU4MTA2M2M5Nzc1ZDlhZWNlY2IyMTk3OGE2MjYwOGFmY2ExNjU3YTlkZjgyNmM4NWE0NWEwZmQxMjE2NDM4IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IklYV0Z2SUM2V3BRV0V6dW1qNGNzL0E9PSIsInZhbHVlIjoiV1NjWm1kUWs4TXJ1K0w3bGFuYmcyUkMvemEzOHE1OUxOa2kvc0NqNTFqa2hFV243Wi8wRkRyTDExRUhWZTBHRkRucHNJWFgveHF0WnN4YVZtZVhQV2dFRmNrV0J4M2VUT2l4bFVuYkRwenNMdDdRUnAybXM2R1BTR1hLeWJRbjkiLCJtYWMiOiJiZjMyMWExYjViYzVhOTIyYWQ1MGQyOWU4ZTlhMzc3MmFmYzZmODk0OWIyNjQ2ZWIwMmIzYTljODBhZDY4YWEzIiwidGFnIjoiIn0%3D
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/3 404 Not Found
date: Fri, 28 Mar 2025 20:46:12 GMT
content-type: text/html; charset=UTF-8
cf-ray: 9279f9be3e6856cc-OSL
server: cloudflare
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uLND9vZh0y71oBWUe4bDgtyanE1NqUnLxvjlb26SQ3BhS%2Fb%2FkfFvn842trnezQTujIKAIrdCjSyojj3a78MWgGYPxidSb9gQ9upbAWPePVIBgI7VQzxWpCQaR7A9"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server-timing: cfL4;desc="?proto=TCP&rtt=35108&min_rtt=34894&rtt_var=13238&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2827&recv_bytes=2106&delivery_rate=81618&cwnd=147&unsent_bytes=0&cid=c3cb64c7f33392d4&ts=56&x=0"
cache-control: max-age=14400
cf-cache-status: MISS
content-encoding: br
alt-svc: h3=":443"; ma=86400

birdeye.cx/u3x40l#Tblah.blah@army.mil

52.72.49.79

301 Moved Permanently

1.1 MB

URL User Request GET
birdeye.cx/u3x40l#Tblah.blah@army.mil
IP
52.72.49.79:443
ASN
#14618 AMAZON-AES

Certificate
IssuerLet's Encrypt
Subjectbirdeye.cx
Fingerprint98:5C:0C:71:E3:E0:45:CE:68:29:2F:94:95:4F:20:BC:46:62:32:91
ValidityTue, 18 Mar 2025 14:38:42 GMT - Mon, 16 Jun 2025 14:38:41 GMT

File type

Size
1.1 MB (1093091 bytes)
Hash
d41d8cd98f00b204e9800998ecf8427e
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

HTTP Headers

GET /u3x40l HTTP/1.1
Host: birdeye.cx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 301 Moved Permanently
date: Fri, 28 Mar 2025 20:46:09 GMT
cache-control: no-cache, no-store
expires: -1
location: https://wsxg.onahcjctgyd.es/ottBXE/
content-length: 0
engine: Rebrandly.redirect, version 2.1
strict-transport-security: max-age=15552000
X-Firefox-Spdy: h2

wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil

104.21.19.247

200 OK

1.1 MB

URL User Request GET
wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil
IP
104.21.19.247:443
ASN
#13335 CLOUDFLARENET

Certificate
IssuerGoogle Trust Services
Subjectonahcjctgyd.es
Fingerprint84:45:91:9E:43:DD:25:50:E0:4D:8A:B6:1B:FC:A4:8F:F9:AA:CB:35
ValiditySun, 16 Mar 2025 01:15:04 GMT - Sat, 14 Jun 2025 02:12:40 GMT

File type
HTML document, ASCII text, with very long lines (65360)
Size
1.1 MB (1093091 bytes)
Hash
3b7f7a749a8833c6167185bb1dbd0737
183dbf31b00fd85bec0cb7e74104b10586623dac
55fbf2d6234675e5e9a47bbef776e232868c4cb6ece18c16b5e1f3077372068e

Detections

Analyzer	Verdict	Alert
urlquery	suspicious	Suspicious - Anti-debugging code
urlquery	phishing	Phishing - Tycoon Phishing Kit

HTTP Headers

GET /ottBXE/ HTTP/1.1
Host: wsxg.onahcjctgyd.es
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Fri, 28 Mar 2025 20:46:11 GMT
content-type: text/html; charset=UTF-8
cache-control: no-cache, private
cf-cache-status: DYNAMIC
vary: accept-encoding
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BVYX0s6QPQMVTji%2Fg0cyci8DA2VgT6BiDLLC11%2BmIH0R%2FOHioSV7p5bsJIdWX%2FGRngwtfvsIheAR%2BFr0OkJ70aKaSeURInFNeQPqumZa87t4%2B8UiGkZLALikJRt4"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
set-cookie: XSRF-TOKEN=eyJpdiI6Im40K1BPbGljODRLcmx1d2c4ZUFJTWc9PSIsInZhbHVlIjoiSXd6VW9yZEVFSUNEUzNLRFlsb3h1NFM5NFpRWGU3dWJ3Nmp4YlBKWXIrbkNRanN6bVdlUXJLRCtjclMrOVI4WFZBTUxPeXZCakpkZUl3dzZ6NEFzNUtlWko2d3NmZnAwM1NOdmdvOHBFbUl5YTBjOHM2czNROHAxLzl2Y3R1SkMiLCJtYWMiOiJkNWU4MTA2M2M5Nzc1ZDlhZWNlY2IyMTk3OGE2MjYwOGFmY2ExNjU3YTlkZjgyNmM4NWE0NWEwZmQxMjE2NDM4IiwidGFnIjoiIn0%3D; expires=Fri, 28-Mar-2025 22:46:11 GMT; Max-Age=7200; path=/; secure; samesite=none
laravel_session=eyJpdiI6IklYV0Z2SUM2V3BRV0V6dW1qNGNzL0E9PSIsInZhbHVlIjoiV1NjWm1kUWs4TXJ1K0w3bGFuYmcyUkMvemEzOHE1OUxOa2kvc0NqNTFqa2hFV243Wi8wRkRyTDExRUhWZTBHRkRucHNJWFgveHF0WnN4YVZtZVhQV2dFRmNrV0J4M2VUT2l4bFVuYkRwenNMdDdRUnAybXM2R1BTR1hLeWJRbjkiLCJtYWMiOiJiZjMyMWExYjViYzVhOTIyYWQ1MGQyOWU4ZTlhMzc3MmFmYzZmODk0OWIyNjQ2ZWIwMmIzYTljODBhZDY4YWEzIiwidGFnIjoiIn0%3D; expires=Fri, 28-Mar-2025 22:46:11 GMT; Max-Age=7200; path=/; secure; httponly; samesite=none
server: cloudflare
cf-ray: 9279f9b4be48b509-OSL
content-encoding: br
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=10112&min_rtt=9981&rtt_var=3836&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2827&recv_bytes=1404&delivery_rate=285342&cwnd=252&unsent_bytes=0&cid=84105a960fe74746&ts=294&x=0", cfL4;desc="?proto=TCP&rtt=6512&min_rtt=508&rtt_var=12019&sent=7&recv=11&lost=0&retrans=0&sent_bytes=3281&recv_bytes=1266&delivery_rate=6179231&cwnd=254&unsent_bytes=0&cid=f4e7bee9d49c206f&ts=669&x=0"
X-Firefox-Spdy: h2

code.jquery.com/jquery-3.6.0.min.js

151.101.130.137

200 OK

90 kB

URL GET
code.jquery.com/jquery-3.6.0.min.js
IP
151.101.130.137:443
ASN
#54113 FASTLY

Requested by
https://wsxg.onahcjctgyd.es/ottBXE/#Tblah.blah@army.mil
Certificate
IssuerSectigo Limited
Subject*.jquery.com
FingerprintCD:B5:6E:05:85:0C:5A:AE:47:12:80:2A:5B:C6:E5:8F:11:72:E2:B5
ValidityTue, 25 Jun 2024 00:00:00 GMT - Wed, 25 Jun 2025 23:59:59 GMT

File type
JavaScript source, ASCII text, with very long lines (65447)
Size
90 kB (89501 bytes)
Hash
8fb8fee4fcc3cc86ff6c724154c49c42
b82d238d4e31fdf618bae8ac11a6c812c03dd0d4
ff1523fb7389539c84c65aba19260648793bb4f5e29329d2ee8804bc37a3fe6e

HTTP Headers

GET /jquery-3.6.0.min.js HTTP/1.1
Host: code.jquery.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://wsxg.onahcjctgyd.es/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
server: nginx
content-type: application/javascript; charset=utf-8
last-modified: Fri, 18 Oct 1991 12:00:00 GMT
etag: W/"28feccc0-15d9d"
cache-control: public, max-age=31536000, stale-while-revalidate=604800
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
content-encoding: gzip
via: 1.1 varnish, 1.1 varnish
accept-ranges: bytes
date: Fri, 28 Mar 2025 20:46:12 GMT
age: 1863976
x-served-by: cache-lga21931-LGA, cache-hel1410029-HEL
x-cache: HIT, HIT
x-cache-hits: 71, 654853
x-timer: S1743194772.028013,VS0,VE0
vary: Accept-Encoding
content-length: 30875
X-Firefox-Spdy: h2

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

Quad9 DNS

ThreatFox

JavaScript (7)

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

Observations

Hash

HTTP Transactions (4)

URL GET

IP

ASN

Requested by

Certificate

File type

Size

Hash

Detections

HTTP Headers

URL User Request GET

IP

ASN

Certificate

File type

Size

Hash

HTTP Headers

URL User Request GET

IP

ASN

Certificate

File type