{"report_id":"9f76cc99-62c3-4b50-9cce-ff4459a1965a","version":6,"status":"done","tags":["phishing","tycoon","aitm"],"date":"2025-09-30T13:50:44Z","url":{"schema":"http","addr":"picture.sostiosai.sa.com/DkN4t!40oaI7Gu/$","fqdn":"picture.sostiosai.sa.com","domain":"sostiosai.sa.com","tld":"sa.com"},"ip":{"addr":"172.67.189.134","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"final":{"url":{"schema":"https","addr":"picture.sostiosai.sa.com/DkN4t!40oaI7Gu/$","fqdn":"picture.sostiosai.sa.com","domain":"sostiosai.sa.com","tld":"sa.com"},"title":"​"},"submit":{"url":{"schema":"http","addr":"picture.sostiosai.sa.com/DkN4t!40oaI7Gu/$","fqdn":"picture.sostiosai.sa.com","domain":"sostiosai.sa.com","tld":"sa.com"},"ip":{"addr":"172.67.189.134","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-11-04T13:50:44Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":2,"analyzer":1}},"detection":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-09-30","alert":"Sinkholed","trigger":"picture.sostiosai.sa.com","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Tycoon Phishing Kit","verdict":"phishing","severity":"high","comment":"","tags":["phishing","tycoon","aitm"],"meta":null},{"sensor_name":"urlquery","alert":"Phishing - Tycoon Phishing Kit","verdict":"phishing","severity":"high","comment":"","tags":["phishing","tycoon","aitm"],"meta":null}]},"summary":[{"fqdn":"picture.sostiosai.sa.com","ip":{"addr":"172.67.189.134","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"domain_registered":"2025-09-07","domain_rank":0,"first_seen":"2025-09-25T19:11:12.788899Z","last_seen":"2025-09-25T19:11:12.788899Z","alert_count":4,"request_count":2,"received_data":30312,"sent_data":1703,"comment":"","tags":null,"fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Tycoon Phishing Kit","verdict":"phishing","severity":"high","comment":"","tags":["phishing","tycoon","aitm"],"meta":null}]},"javascript":{"script":[{"url":{"schema":"https","addr":"picture.sostiosai.sa.com/DkN4t!40oaI7Gu/$","fqdn":"picture.sostiosai.sa.com","domain":"sostiosai.sa.com","tld":"sa.com"},"ip":{"addr":"172.67.189.134","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"introduction_type":"scriptElement","is_inline":true,"md5":"f3c6e7137eb0801f906c043cfd530b34","sha1":"e45d85ad63ad8f1c5765318917a13542a73760ed","sha256":"7bead8e87f713329c3ee3f8a474c0fb677ec04861abfb9582fa4d45cccc34985","sha512":"4bc29e1e1ff09570f634b4e3c40d695738b97d8990287ebd3975b8720d211c4fdcef57b193298703220facc62bab4f5c3831f2f31f51acce89790480ee844582","ssdeep":"","tlshash":"1d01d077311b1d7a0cce9dbfd4e5fa68781000813d40e881207c8c2dae27c82967f5d8","size":754,"data":"","first_seen":"2025-09-30T13:50:44.71163Z","last_seen":"2025-09-30T13:50:44.71163Z","times_seen":1,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}],"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"picture.sostiosai.sa.com/DkN4t!40oaI7Gu/$","fqdn":"picture.sostiosai.sa.com","domain":"sostiosai.sa.com","tld":"sa.com"},"ip":{"addr":"172.67.189.134","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-09-30T13:50:19.292Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"sostiosai.sa.com","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Sun, 07 Sep 2025 21:44:07 GMT","end":"Sat, 06 Dec 2025 22:42:45 GMT"},"fingerprint":{"sha1":"30:C8:64:C3:F8:0C:B1:AA:D8:D7:88:36:76:FF:34:50:5A:2B:E3:CC","sha256":"8D:4B:87:D5:3E:A1:F7:71:02:3A:A6:92:2E:2F:3E:B9:DE:44:53:A3:02:5A:C2:37:F4:CF:F9:ED:CD:F0:6A:38"}}},"request":{"raw":"GET /DkN4t!40oaI7Gu/$ HTTP/1.1\r\nHost: picture.sostiosai.sa.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Tue, 30 Sep 2025 13:50:20 GMT\r\ncontent-type: text/html; charset=UTF-8\r\nserver: cloudflare\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\ncache-control: no-cache, private\r\nvary: accept-encoding\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=IqtertAG5LUYq%2BXkfrsnJAGb014ge8RSiAktr0NtxUdqQ%2B3XpH16RKh6sX2HmXA5j2MnqW4APKY6l1zDJNCl3%2BLGFtBfECwb8ZI%3D\"}]}\r\ncf-cache-status: DYNAMIC\r\ncontent-encoding: br\r\nset-cookie: XSRF-TOKEN=eyJpdiI6IlpaSEhvZmVkWlBlN0ZpcUM5YWN4L1E9PSIsInZhbHVlIjoiaElZR0JpalhyUFJRLysxaCtOWWZWWWhWK09CRU1qSjRIc1QraFJnMmFSdFVWZDIrbHNkTGR4V2EyYjNObGgwT2FhMHpnTGo5WTR0djFwRndrU1QxRWtWcCtaL3BlcWdvcUt4T1h2Vys0VE5BbmpBa1pobXB5aWRkTmJPeTRuWUsiLCJtYWMiOiJjZDc3OWE4YjQ5Y2U5YmJlMzg0ZTFhMzc2NjIzZWRiNWUyMmFhZjk4NTc0MDJiYmMxYTE2NWQ1ODFhZjI0OTM2IiwidGFnIjoiIn0%3D; SameSite=None; Secure; Path=/; Max-Age=7200; Expires=Tue, 30 Sep 2025 15:50:20 GMT\nlaravel_session=eyJpdiI6IjlDdnhpRi9YamtpckxNdGtSdkRQNVE9PSIsInZhbHVlIjoiZWVDWVB2QlVvcmtLTlU2RXZHMFlocEhwT09PWDQ5bXhtZXlDbEJiTGphYVdZeFVNOTFERkY5WTBBMEFkZ0QzTFEwTUJGVFZKUGlod29QeVEwOHFWUEN1NXZxbGlXYUdrVGxUTHBpS2UvUVZNdWs5aFRqNEJXVDhvMWx0Z2ppUjYiLCJtYWMiOiIyZmYzNDQ1MjFiMTIxNzNjNGJlNzA1OWFkMjUyOWYzNjdjMTMwMjUyOGFmZmY4MDFmMzlhYTczMDk0MTg4MTkyIiwidGFnIjoiIn0%3D; HttpOnly; SameSite=None; Secure; Path=/; Max-Age=7200; Expires=Tue, 30 Sep 2025 15:50:20 GMT\r\ncf-ray: 9874304b7da9c272-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":7232,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"HTML document, Unicode text, UTF-8 text, with very long lines (7230), with no line terminators","md5":"480906263b78233e0484cb09b8e0eed4","sha1":"1efceae46dd5e567ef5bd0882e7698e600b2fd2e","sha256":"dd0ffad39502fa487d91a1306f3a48a13acd483c7172df0c18e5a10634f30afd","sha512":"cb0147358a6a99b6094cbb42058a225aec57a9c68e9f0bcb6b4ab2dfa8170a02027a8c3b1debaf88d6b05f4a5a88776d23819e753ec1a9b3ee331e194be27c91","ssdeep":"192:NikLI/tfH/vWqWFx2fBJeOOk+9TWKWPd4eagcuUbvZN:ED+9yFVaP","tlshash":"4ce1752322001039aa13d3d9abe5975d2158804af7926cbfa3ac037d8bdddedd66b5d0","first_seen":"2025-09-30T13:50:44.709312Z","last_seen":"2025-09-30T13:50:44.709312Z","times_seen":1,"resource_available":false,"data":null}},"time_used":1048,"timings":{"blocked":138,"dns":0,"connect":1,"send":0,"wait":772,"receive":0,"ssl":136},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-09-30","alert":"Sinkholed","trigger":"picture.sostiosai.sa.com","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Tycoon Phishing Kit","verdict":"phishing","severity":"high","comment":"","tags":["phishing","tycoon","aitm"],"meta":null}]}},{"url":{"schema":"https","addr":"picture.sostiosai.sa.com/favicon.ico","fqdn":"picture.sostiosai.sa.com","domain":"sostiosai.sa.com","tld":"sa.com"},"ip":{"addr":"172.67.189.134","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://picture.sostiosai.sa.com/DkN4t!40oaI7Gu/$","date":"2025-09-30T13:50:20.283Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"sostiosai.sa.com","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Sun, 07 Sep 2025 21:44:07 GMT","end":"Sat, 06 Dec 2025 22:42:45 GMT"},"fingerprint":{"sha1":"30:C8:64:C3:F8:0C:B1:AA:D8:D7:88:36:76:FF:34:50:5A:2B:E3:CC","sha256":"8D:4B:87:D5:3E:A1:F7:71:02:3A:A6:92:2E:2F:3E:B9:DE:44:53:A3:02:5A:C2:37:F4:CF:F9:ED:CD:F0:6A:38"}}},"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: picture.sostiosai.sa.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://picture.sostiosai.sa.com/DkN4t!40oaI7Gu/$\r\nCookie: XSRF-TOKEN=eyJpdiI6IlpaSEhvZmVkWlBlN0ZpcUM5YWN4L1E9PSIsInZhbHVlIjoiaElZR0JpalhyUFJRLysxaCtOWWZWWWhWK09CRU1qSjRIc1QraFJnMmFSdFVWZDIrbHNkTGR4V2EyYjNObGgwT2FhMHpnTGo5WTR0djFwRndrU1QxRWtWcCtaL3BlcWdvcUt4T1h2Vys0VE5BbmpBa1pobXB5aWRkTmJPeTRuWUsiLCJtYWMiOiJjZDc3OWE4YjQ5Y2U5YmJlMzg0ZTFhMzc2NjIzZWRiNWUyMmFhZjk4NTc0MDJiYmMxYTE2NWQ1ODFhZjI0OTM2IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IjlDdnhpRi9YamtpckxNdGtSdkRQNVE9PSIsInZhbHVlIjoiZWVDWVB2QlVvcmtLTlU2RXZHMFlocEhwT09PWDQ5bXhtZXlDbEJiTGphYVdZeFVNOTFERkY5WTBBMEFkZ0QzTFEwTUJGVFZKUGlod29QeVEwOHFWUEN1NXZxbGlXYUdrVGxUTHBpS2UvUVZNdWs5aFRqNEJXVDhvMWx0Z2ppUjYiLCJtYWMiOiIyZmYzNDQ1MjFiMTIxNzNjNGJlNzA1OWFkMjUyOWYzNjdjMTMwMjUyOGFmZmY4MDFmMzlhYTczMDk0MTg4MTkyIiwidGFnIjoiIn0%3D\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Tue, 30 Sep 2025 13:50:21 GMT\r\ncontent-type: text/html; charset=UTF-8\r\nserver: cloudflare\r\nnel: {\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}\r\ncache-control: no-cache, private\r\nvary: accept-encoding\r\nreport-to: {\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=JQoFm%2BXxaCpWVTjkgbuGlJqfOSlFpKsu25JrZVEID2ErFY26wdYqBVMljCVpM6Rsua0HhaT9GEVEr%2Fuyh8XYRsJqtnN0PEigl00%3D\"}]}\r\ncf-cache-status: BYPASS\r\ncontent-encoding: br\r\nset-cookie: XSRF-TOKEN=eyJpdiI6ImtiUFZPMnNaQjdJTzZCRVZ3b0JFMEE9PSIsInZhbHVlIjoiWGxVOUcvVHB5RlhETnRLYjQwY2dqN1gyM2Q5R0NJdGZUbXlSSFRaNzM3WTlxbTFEMU5TSmhBQVk4TllwbCtXL0lNTmtMMm5NeFBQZ3hEZDJsZnFleUxSVnd2YjQzdjJ2TnlQY0Q3OTZpNDQ5Q3BLUGxRRFEvRmp0QWU3Z3lVdE0iLCJtYWMiOiI5ODlhY2Q5YWRhMmZmZmJlNmVkYWIwYjllMDE3YjdhMjc5MDIyNGVmZGI4ODA5ZDE4NGVlOWE1ODdiMzUzNGFiIiwidGFnIjoiIn0%3D; SameSite=None; Secure; Path=/; Max-Age=7200; Expires=Tue, 30 Sep 2025 15:50:20 GMT\nlaravel_session=eyJpdiI6IlM2OXd3TzVCMTZnSnFBcFkvMWFKd2c9PSIsInZhbHVlIjoiU1lIRFpQQkxFdkpWVHQvd1A2dmtHRHBsSmNoM2N6V0J2T3BRSDVJSkwyR3cya0NkTjh1RFpxdUU0elgvRXJTQ0hBZWtIVjRvTUw4UThOczRCV3poTkxyRjlEZ2FwNjlxdWd6TDRnTlM5ajdLbzl2VlZLVW5PYjdvYTF5TEJtdWUiLCJtYWMiOiIwZmE3OTE2N2Y3NTg1ODRmMDc1Yjc2YTVhMzE5NzQwY2NmOTk4ZGU0NmE4NjdhZWU3YzJkYzgyMTM4M2E3YzBmIiwidGFnIjoiIn0%3D; HttpOnly; SameSite=None; Secure; Path=/; Max-Age=7200; Expires=Tue, 30 Sep 2025 15:50:20 GMT\r\ncf-ray: 98743050cc09c272-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Cloudflare","description":"Cloudflare is a web-infrastructure and website-security company, providing content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services.","website":"https://www.cloudflare.com","common_platform_enumeration":"","icon":"CloudFlare.svg","categories":["CDN"]}],"data":{"size":20095,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"HTML document, Unicode text, UTF-8 text","md5":"ce0e74469cdc286745dc58a7885f51d5","sha1":"0094e7c86045bd12d113314a9cf65e828fd5e4f7","sha256":"b236fdb1f851f1f249202018aaa76ed7591fa4f9c23975b3e5fbf745d0816029","sha512":"1e60c79d97e7e4bea38a01d77d9c9c95737142cea1cc07a9d22d226bc9530664aac4777393062b1592e53ed30086c0d8cc856313950175968c3b5ec3a60539ac","ssdeep":"384:3PlIwYcd0N+mwhLnDq4KgMOLhCuJCurH5Q:/lIwYcd0N+phLn+4KgMO7K","tlshash":"8a92a66b51e22436e06ac262bee29b0b7671c347cb0d01547dac0a94cfcded6dc971ad","first_seen":"2025-09-22T00:50:52.260894Z","last_seen":"2025-10-14T15:39:53.249719Z","times_seen":969,"resource_available":false,"data":null}},"time_used":723,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":723,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-09-30","alert":"Sinkholed","trigger":"picture.sostiosai.sa.com","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Tycoon Phishing Kit","verdict":"phishing","severity":"high","comment":"","tags":["phishing","tycoon","aitm"],"meta":null}]}}]}