Report - recover-am3rican.dynnamn.ru/

Report Overview

URL

recover-am3rican.dynnamn.ru/
IP

20.127.71.214

ASN

#8075 MICROSOFT-CORP-MSN-AS-BLOCK
Submitted

2023-05-27T07:33:34Z

Access

public
Tags

dyndns
urlquery detections

Suspicious - DynDNS domain

Detections

urlquery

4
Network Intrusion Detection

5
Threat Detection Systems

6

Domain Summary

Domain	Rank	First Seen	Last Seen	Sent	Received	IP
recover-am3rican.dynnamn.ru (3)	unknown	2023-05-24 10:26:06	2023-05-26 22:22:17	1357	147545	20.127.71.214
devilsms.live (3)	unknown	2022-06-09 23:23:15	2023-05-26 08:57:49	1248	22522	199.188.200.254

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Timestamp	Severity	Source IP	Destination IP	Alert
2023-05-27T07:33:05Z	low	Client IP	Internal IP	ET INFO DYNAMIC_DNS Query to dynnamn .ru Domain
2023-05-27T07:33:05Z	low	Client IP	Internal IP	ET INFO DYNAMIC_DNS Query to dynnamn .ru Domain
2023-05-27T07:33:05Z	low	Client IP	Internal IP	ET INFO DYNAMIC_DNS Query to dynnamn .ru Domain
2023-05-27T07:33:07Z	low	Client IP	Internal IP	ET INFO DYNAMIC_DNS Query to dynnamn .ru Domain
2023-05-27T07:33:07Z	low	Client IP	Internal IP	ET INFO DYNAMIC_DNS Query to dynnamn .ru Domain

Threat Detection Systems

OpenPhish

No alerts detected

PhishTank

No alerts detected

Fortinet's Web Filter

Scan Date	Severity	Indicator
2023-05-27	medium	recover-am3rican.dynnamn.ru/
2023-05-27	medium	devilsms.live/cleave.js
2023-05-27	medium	recover-am3rican.dynnamn.ru/config.json

mnemonic secure dns

No alerts detected

Quad9 DNS

Scan Date	Severity	Indicator
2023-05-27	medium	dynnamn.ru
2023-05-27	medium	dynnamn.ru
2023-05-27	medium	dynnamn.ru

ThreatFox

No alerts detected

JavaScript (6)

HTTP Transactions (6)

URL IP Response Size

recover-am3rican.dynnamn.ru/

United States MICROSOFT-CORP-MSN-AS-BLOCK

20.127.71.214

200 OK

146200

URL User Request GET HTTP/1.1

recover-am3rican.dynnamn.ru/
IP

20.127.71.214:443
ASN

#8075 MICROSOFT-CORP-MSN-AS-BLOCK

Certificate

IssuerLet's Encrypt

Subjectrecover-am3rican.dynnamn.ru

FingerprintA4:05:79:6D:A9:8A:2A:AD:D7:AD:45:9F:E1:88:23:DF:9A:64:30:74

ValidityThu, 18 May 2023 15:28:46 GMT - Wed, 16 Aug 2023 15:28:45 GMT

Magic

HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- exported SGML document, ASCII text, with very long lines (64283), with CRLF line terminators

Size

146200
Hash

d10f2fd641dcc0d8f0debaf946294e6e

6c5e4d0f607a9aba9731f3908b2b2cd07b1d5e7c

ba774d55e0f9db18c6a2c38dc146671916f3e4ec16fb127869a9dfa8a89fb247

Detections

Analyzer	Verdict	Alert
urlquery	suspicious	Suspicious - DynDNS domain
fortinet	Phishing
quad9	Sinkholed

HTTP Headers

                                        GET / HTTP/1.1
Host: recover-am3rican.dynnamn.ru
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

                                        HTTP/1.1 200 OK
Date: Sat, 27 May 2023 07:33:06 GMT
Server: Apache
Content-Encoding: gzip
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

devilsms.live/cleave.js

199.188.200.254

200 OK

21221

URL GET HTTP/2

devilsms.live/cleave.js
IP

199.188.200.254:443
ASN

#22612 NAMECHEAP-NET

Requested by

https://recover-am3rican.dynnamn.ru/
Certificate

IssuerSectigo Limited

Subjectdevilsms.live

Fingerprint72:C0:D3:B1:19:FB:CD:8A:B3:B2:6D:62:78:A9:37:61:9F:B9:AA:6C

ValidityThu, 18 Aug 2022 00:00:00 GMT - Sat, 16 Sep 2023 23:59:59 GMT

Magic

Unicode text, UTF-8 text, with very long lines (1712)

Size

21221
Hash

3bbc061fb0ad251028998d5a611eff8e

e02e4f2220bd63e95045a79f6cf7ee0f530ec8e5

9d490665d6b1ea2dc13de64536164ce5b8efa60f17d32610cb97b57c823a466d

Detections

Analyzer	Verdict	Alert
fortinet	Malware

HTTP Headers

                                        GET /cleave.js HTTP/1.1
Host: devilsms.live
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://recover-am3rican.dynnamn.ru/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

                                        HTTP/2 200 OK
cache-control: public, max-age=604800
expires: Sat, 03 Jun 2023 07:33:07 GMT
content-type: application/javascript
last-modified: Sun, 30 Jan 2022 13:07:42 GMT
accept-ranges: bytes
content-encoding: br
vary: Accept-Encoding
content-length: 21221
date: Sat, 27 May 2023 07:33:07 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
X-Firefox-Spdy: h2

devilsms.live/page/bsc.js

199.188.200.254

200 OK

252

URL GET HTTP/2

devilsms.live/page/bsc.js
IP

199.188.200.254:443
ASN

#22612 NAMECHEAP-NET

Requested by

https://recover-am3rican.dynnamn.ru/
Certificate

IssuerSectigo Limited

Subjectdevilsms.live

Fingerprint72:C0:D3:B1:19:FB:CD:8A:B3:B2:6D:62:78:A9:37:61:9F:B9:AA:6C

ValidityThu, 18 Aug 2022 00:00:00 GMT - Sat, 16 Sep 2023 23:59:59 GMT

Magic

ASCII text

Size

252
Hash

c51a63771d00b43dc487c3ac21e05422

7c75efbd4676583a24f6d5853d6a0816e187381e

d2b2efa177f6e43d960a3b401c85e6bfbab357b75a633f4b8f55e9e998992aee

HTTP Headers

                                        GET /page/bsc.js HTTP/1.1
Host: devilsms.live
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://recover-am3rican.dynnamn.ru/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

                                        HTTP/2 200 OK
cache-control: public, max-age=604800
expires: Sat, 03 Jun 2023 07:33:07 GMT
content-type: application/javascript
last-modified: Mon, 08 May 2023 06:10:18 GMT
accept-ranges: bytes
content-length: 252
date: Sat, 27 May 2023 07:33:07 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
X-Firefox-Spdy: h2

devilsms.live/page/bsc/bsc_000050.js

199.188.200.254

200 OK

URL GET HTTP/2

devilsms.live/page/bsc/bsc_000050.js
IP

199.188.200.254:443
ASN

#22612 NAMECHEAP-NET

Requested by

https://recover-am3rican.dynnamn.ru/
Certificate

IssuerSectigo Limited

Subjectdevilsms.live

Fingerprint72:C0:D3:B1:19:FB:CD:8A:B3:B2:6D:62:78:A9:37:61:9F:B9:AA:6C

ValidityThu, 18 Aug 2022 00:00:00 GMT - Sat, 16 Sep 2023 23:59:59 GMT

Magic

ASCII text, with no line terminators

Size

19
Hash

cac2011bb6d87bd5ad73c41ddb544205

6ccb2ec2b78292631546e84b387e100048760e7f

b4e573286c98b1ff416eb2c79580e5a386f57a4d5d024ccbc5dfbd4d90152c44

HTTP Headers

                                        GET /page/bsc/bsc_000050.js HTTP/1.1
Host: devilsms.live
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://recover-am3rican.dynnamn.ru/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

                                        HTTP/2 200 OK
cache-control: public, max-age=604800
expires: Sat, 03 Jun 2023 07:33:07 GMT
content-type: application/javascript
last-modified: Mon, 08 May 2023 06:03:46 GMT
accept-ranges: bytes
content-length: 19
date: Sat, 27 May 2023 07:33:07 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
X-Firefox-Spdy: h2

recover-am3rican.dynnamn.ru/config.json

20.127.71.214

200 OK

345

URL GET HTTP/1.1

recover-am3rican.dynnamn.ru/config.json
IP

20.127.71.214:443
ASN

#8075 MICROSOFT-CORP-MSN-AS-BLOCK

Requested by

https://recover-am3rican.dynnamn.ru/
Certificate

IssuerLet's Encrypt

Subjectrecover-am3rican.dynnamn.ru

FingerprintA4:05:79:6D:A9:8A:2A:AD:D7:AD:45:9F:E1:88:23:DF:9A:64:30:74

ValidityThu, 18 May 2023 15:28:46 GMT - Wed, 16 Aug 2023 15:28:45 GMT

Magic

JSON data\012- , ASCII text, with CRLF line terminators

Size

345
Hash

eaad0f5c4d5699ac9d9d282b4afab3d6

9e6e16a2824cda79563b0cb03b14a79f87cdea1f

ef5966985b14cdebe4299d325fb35b1669b8508aa0e38b9b02cfc6cde5bfc558

Detections

Analyzer	Verdict	Alert
urlquery	suspicious	Suspicious - DynDNS domain
fortinet	Phishing
quad9	Sinkholed

HTTP Headers

                                        GET /config.json HTTP/1.1
Host: recover-am3rican.dynnamn.ru
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://recover-am3rican.dynnamn.ru/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

                                        HTTP/1.1 200 OK
Date: Sat, 27 May 2023 07:33:07 GMT
Server: Apache
Last-Modified: Fri, 19 May 2023 13:46:39 GMT
Accept-Ranges: bytes
Content-Length: 345
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/json

recover-am3rican.dynnamn.ru/favicon.ico

20.127.71.214

404 Not Found

315

URL GET HTTP/1.1

recover-am3rican.dynnamn.ru/favicon.ico
IP

20.127.71.214:443
ASN

#8075 MICROSOFT-CORP-MSN-AS-BLOCK

Requested by

https://recover-am3rican.dynnamn.ru/
Certificate

IssuerLet's Encrypt

Subjectrecover-am3rican.dynnamn.ru

FingerprintA4:05:79:6D:A9:8A:2A:AD:D7:AD:45:9F:E1:88:23:DF:9A:64:30:74

ValidityThu, 18 May 2023 15:28:46 GMT - Wed, 16 Aug 2023 15:28:45 GMT

Magic

HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- exported SGML document, ASCII text

Size

315
Hash

a34ac19f4afae63adc5d2f7bc970c07f

a82190fc530c265aa40a045c21770d967f4767b8

d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

Detections

Analyzer	Verdict	Alert
urlquery	suspicious	Suspicious - DynDNS domain
quad9	Sinkholed

HTTP Headers

                                        GET /favicon.ico HTTP/1.1
Host: recover-am3rican.dynnamn.ru
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://recover-am3rican.dynnamn.ru/
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

                                        HTTP/1.1 404 Not Found
Date: Sat, 27 May 2023 07:33:08 GMT
Server: Apache
Content-Length: 315
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Report Overview

URL

IP

ASN

Submitted

Access

Tags

urlquery detections

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

OpenPhish

PhishTank

Fortinet's Web Filter

mnemonic secure dns

Quad9 DNS

ThreatFox

JavaScript (6)

#1 JS:Script (size: 34)

#2 JS:Script (size: 252)

#3 JS:Script (size: 19)

#4 JS:Script (size: 243228)

#5 JS:Script (size: 79)

#6 JS:Script (size: 37)

HTTP Transactions (6)

URL User Request GET HTTP/1.1

IP

ASN

Certificate

Magic

Size

Hash

Detections

HTTP Headers

URL GET HTTP/2

IP

ASN

Requested by

Certificate

Magic

Size

Hash

Detections

HTTP Headers

URL GET HTTP/2

IP

ASN

Requested by

Certificate

Magic

Size

Hash

HTTP Headers

URL GET HTTP/2

IP

ASN

Requested by

Certificate

Magic

Size

Hash

HTTP Headers

URL GET HTTP/1.1

IP

ASN

Requested by

Certificate

Magic

Size

Hash

Detections

HTTP Headers

URL GET HTTP/1.1

IP