{"report_id":"76dd20b3-e77d-477c-bdbb-5836b53df054","version":6,"status":"done","tags":["coinbase","crypto","phishing"],"date":"2024-04-23T13:23:37Z","url":{"schema":"http","addr":"server9-coinbase.com/?shinylogin.phplogin.phplogin.phplogin.phplogin.phplogin.php/login.phplogin.php","fqdn":"server9-coinbase.com","domain":"server9-coinbase.com","tld":"com"},"ip":{"addr":"104.21.46.4","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"final":{"url":{"schema":"https","addr":"server9-coinbase.com/login.php","fqdn":"server9-coinbase.com","domain":"server9-coinbase.com","tld":"com"},"title":"Coinbase - Sign In"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-25T19:38:41Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"server9-coinbase.com","ip":{"addr":"104.21.46.4","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"domain_registered":"2024-04-11","domain_rank":0,"first_seen":"2024-04-11 10:17:55","last_seen":"2024-04-17 03:49:17","alert_count":1,"request_count":3,"received_data":1362597,"sent_data":1575,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - 
Coinbase","verdict":"phishing","severity":"medium","comment":"Asset commonly seen with Coinbase phishing","tags":["coinbase","crypto","phishing"],"meta":null}]},"javascript":{"script":[{"url":{"schema":"https","addr":"server9-coinbase.com/login.php","fqdn":"server9-coinbase.com","domain":"server9-coinbase.com","tld":"com"},"ip":{"addr":"104.21.46.4","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"introduction_type":"scriptElement","is_inline":true,"md5":"5bcf882f7652aeb49e309457eab154f6","sha1":"2610b121a045eb356fa5376e5f957f61ecc39ec8","sha256":"b7660d26c85cf98a0eed8b25f89feb233775554b5cda2a3887abf482197ad1b8","sha512":"ace1a5a48a14f4b91e5bca6d0815d7dc5f0622ed6839308cc3d4a3ad1cf3433f8feedb1b05155cbc22e0f96dcbc80981060bc50b36b78fe4f7168a5810359a0e","ssdeep":"","tlshash":"d501240d717403327cab683f692b12df3a73100fd5085a103c6e66483fb1db02ac1e01","size":726,"data":"","first_seen":"2023-03-11T10:12:34Z","last_seen":"2025-04-08T11:22:10.266212Z","times_seen":249,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"server9-coinbase.com/core/js/jquery.js","fqdn":"server9-coinbase.com","domain":"server9-coinbase.com","tld":"com"},"ip":{"addr":"104.21.46.4","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"introduction_type":"scriptElement","is_inline":false,"md5":"2ac898daf1837381b1264cdb792319ba","sha1":"532496df4622a43699ee57b612180a21aedad065","sha256":"84086bb634fc6fd223918894c6b74641811e06e84007937c5809942b7a02ddff","sha512":"f76767b86456a59400e0c01aca45bb8048870d3c3f345024020bdc7395e95a7dcf429a014781d1d386eef45830a8b454c51bfc1f94ea71f03d81fdfabc0186d0","ssdeep":"6144:nCfa6/j7/KDT1krl+xFbP8s+JgOO/p89lPuY1BHpkYpHeGEbM5AeQz:npbxFbPuhY89RJjHe3bM57Qz","tlshash":"6044c4d9734f115f4ba233aae43b5249ff7dd1b0520551acb58d986c24a081883fafbe","size":272153,"data":"","first_seen":"2023-03-07T01:03:28Z","last_seen":"2026-04-04T00:10:37.157307Z","times_seen":4820,"alerts":{"ids":null,"analyzer"
:null,"urlquery":null}}],"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"server9-coinbase.com/login.php","fqdn":"server9-coinbase.com","domain":"server9-coinbase.com","tld":"com"},"ip":{"addr":"104.21.46.4","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-04-23T13:23:12.590Z","timestamp":1713878592590,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"server9-coinbase.com","organization":""},"issuer":{"commonName":"GTS CA 1P5","organization":"Google Trust Services LLC"},"validity":{"start":"Thu, 11 Apr 2024 07:15:11 GMT","end":"Wed, 10 Jul 2024 07:15:10 GMT"},"fingerprint":{"sha1":"D9:3C:BF:FB:3D:2C:72:BB:FE:F0:DE:70:4F:28:8F:23:1A:22:9A:EE","sha256":"A9:ED:05:13:60:7F:29:72:AA:40:14:AC:30:18:9D:E0:46:63:8D:20:9D:F2:3B:FD:92:0D:D6:5B:C2:53:61:49"}}},"request":{"raw":"GET /login.php HTTP/1.1\r\nHost: server9-coinbase.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: PHPSESSID=h69hquj4roi7cnuor1a5g1eqk2\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nTE: trailers\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Tue, 23 Apr 2024 13:23:12 GMT\r\ncontent-type: text/html; charset=UTF-8\r\nexpires: Thu, 19 Nov 1981 08:52:00 GMT\r\ncache-control: no-store, no-cache, must-revalidate\r\npragma: no-cache\r\ncf-cache-status: DYNAMIC\r\nreport-to: 
{\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=2vYsgdI7HkM2Uc4qJbrQ6YU%2FuoS2ctEOZpw0sHKaoKoA5JSUkDlnH%2FiXZhqsZO6LnSbko0OXjYGdG8W3JHbHTvYNLE86Pl0wpWcQil4%2FlQWByDqg1D%2BYCeNxPBhvqfQTeH3LKALXeQ%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nnel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nserver: cloudflare\r\ncf-ray: 878e2ab3ae0ab51b-OSL\r\ncontent-encoding: br\r\nalt-svc: h3=\":443\"; ma=86400\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":453870,"size_decoded":634452,"mime_type":"text/html; charset=UTF-8","magic":"HTML document, ASCII text, with very long lines (54231), with CRLF line terminators","md5":"a4bac1fec973e1f79ec50a9a444a1c22","sha1":"2247f0b2f6c12faa043abca2650dcf2fe507762b","sha256":"8b3cc7c9b14f39432c27783181966b6ded36b65a1ea5ffd80a8335bb5395c47b","sha512":"9eea83e6fc933aa7f65bd0ab946e1567f5d40a9bd95980d8928df623a80e4a381619f7118a5eb15f646ac0e02cd613a697ddac45838f7c1b6051851edbe6d7a3","ssdeep":"12288:EMFT2jWOlk+bTRHf7Ql1V3eRCuHVzs9HmAdWl/a:EZWOlnT4EVzs4AdWl/a","tlshash":"fad412252340987814324b2ab3e82b5eef29e073854151cdb2ef32914ff6671c6b3f99","first_seen":"2023-04-08T20:35:50Z","last_seen":"2025-03-08T17:15:05.488061Z","times_seen":165,"resource_available":false,"data":null}},"time_used":186,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":186,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"server9-coinbase.com/?shinylogin.phplogin.phplogin.phplogin.phplogin.phplogin.php/login.phplogin.php","fqdn":"server9-coinbase.com","domain":"server9-coinbase.com","tld":"com"},"ip":{"addr":"104.21.46.4","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-04-23T13:23:12.196Z","timestamp":1713878592196,"http_version":"HTTP/2","security_st
ate":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"server9-coinbase.com","organization":""},"issuer":{"commonName":"GTS CA 1P5","organization":"Google Trust Services LLC"},"validity":{"start":"Thu, 11 Apr 2024 07:15:11 GMT","end":"Wed, 10 Jul 2024 07:15:10 GMT"},"fingerprint":{"sha1":"D9:3C:BF:FB:3D:2C:72:BB:FE:F0:DE:70:4F:28:8F:23:1A:22:9A:EE","sha256":"A9:ED:05:13:60:7F:29:72:AA:40:14:AC:30:18:9D:E0:46:63:8D:20:9D:F2:3B:FD:92:0D:D6:5B:C2:53:61:49"}}},"request":{"raw":"GET /?shinylogin.phplogin.phplogin.phplogin.phplogin.phplogin.php/login.phplogin.php HTTP/1.1\r\nHost: server9-coinbase.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 302 Found\r\ndate: Tue, 23 Apr 2024 13:23:12 GMT\r\ncontent-type: text/html; charset=UTF-8\r\nlocation: login.php\r\nset-cookie: PHPSESSID=h69hquj4roi7cnuor1a5g1eqk2; path=/\r\nexpires: Thu, 19 Nov 1981 08:52:00 GMT\r\ncache-control: no-store, no-cache, must-revalidate\r\npragma: no-cache\r\ncf-cache-status: DYNAMIC\r\nreport-to: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=nQtieoY4HS8zTaqcIyznknB9cQOl%2B4aJphGeECfnGRZE3clQZxQVDne8ON14xUJXkJNC8bzpb40R4EqNonoXacJZdUFlbSLOVEGFyOmRzj%2FUq%2B%2BJ415DI9Dpg%2BUh465gg698DyzBtA%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nnel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nserver: cloudflare\r\ncf-ray: 
878e2ab15be4b51b-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":634452,"size_decoded":634452,"mime_type":"text/html; charset=UTF-8","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-04-04T02:31:02.170255Z","times_seen":13313751,"resource_available":true,"data":null}},"time_used":400,"timings":{"blocked":17,"dns":1,"connect":1,"send":0,"wait":365,"receive":0,"ssl":13},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"server9-coinbase.com/core/js/jquery.js","fqdn":"server9-coinbase.com","domain":"server9-coinbase.com","tld":"com"},"ip":{"addr":"104.21.46.4","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"script","requested_by":"https://server9-coinbase.com/login.php","date":"2024-04-23T13:23:13.634Z","timestamp":1713878593634,"http_version":"HTTP/3","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"server9-coinbase.com","organization":""},"issuer":{"commonName":"GTS CA 1P5","organization":"Google Trust Services LLC"},"validity":{"start":"Thu, 11 Apr 2024 07:15:11 GMT","end":"Wed, 10 Jul 2024 07:15:10 GMT"},"fingerprint":{"sha1":"D9:3C:BF:FB:3D:2C:72:BB:FE:F0:DE:70:4F:28:8F:23:1A:22:9A:EE","sha256":"A9:ED:05:13:60:7F:29:72:AA:40:14:AC:30:18:9D:E0:46:63:8D:20:9D:F2:3B:FD:92:0D:D6:5B:C2:53:61:49"}}},"request":{"raw":"GET /core/js/jquery.js 
HTTP/1.1\r\nHost: server9-coinbase.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://server9-coinbase.com/login.php\r\nCookie: PHPSESSID=h69hquj4roi7cnuor1a5g1eqk2\r\nSec-Fetch-Dest: script\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 200 OK\r\ndate: Tue, 23 Apr 2024 13:23:13 GMT\r\ncontent-type: application/javascript\r\nlast-modified: Sat, 15 Oct 2022 20:47:40 GMT\r\netag: W/\"634b1c6c-42719\"\r\ncache-control: max-age=14400\r\ncf-cache-status: HIT\r\nage: 2\r\nreport-to: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=u%2FzNnTrl8ZjSV8NjrX8HhvFtWCIrsMtNMiO1G3Nnkw6sSWUFe5ZfNPYcxmLkOLapVir00zXbs4Gr7ay%2FpN3qbfOdlMkOXkdmuNoFD2bKl2qdN4uApXd%2FtdPYyoumBAj7p64g3AkH9g%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nnel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nvary: Accept-Encoding\r\nserver: cloudflare\r\ncf-ray: 878e2aba3af27129-OSL\r\ncontent-encoding: br\r\nalt-svc: h3=\":443\"; ma=86400\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":272153,"size_decoded":272153,"mime_type":"application/javascript","magic":"JavaScript source, ASCII text, with CRLF line 
terminators","md5":"2ac898daf1837381b1264cdb792319ba","sha1":"532496df4622a43699ee57b612180a21aedad065","sha256":"84086bb634fc6fd223918894c6b74641811e06e84007937c5809942b7a02ddff","sha512":"f76767b86456a59400e0c01aca45bb8048870d3c3f345024020bdc7395e95a7dcf429a014781d1d386eef45830a8b454c51bfc1f94ea71f03d81fdfabc0186d0","ssdeep":"6144:nCfa6/j7/KDT1krl+xFbP8s+JgOO/p89lPuY1BHpkYpHeGEbM5AeQz:npbxFbPuhY89RJjHe3bM57Qz","tlshash":"6044c4d9734f115f4ba233aae43b5249ff7dd1b0520551acb58d986c24a081883fafbe","first_seen":"2023-03-07T01:03:28Z","last_seen":"2026-04-04T00:10:37.157307Z","times_seen":4820,"resource_available":true,"data":null}},"time_used":20,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":16,"receive":4,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Coinbase","verdict":"phishing","severity":"medium","comment":"Asset commonly seen with Coinbase phishing","tags":["coinbase","crypto","phishing"],"meta":null}]}}]}
