URL User Request GET HTTP/1.1 IP
File type gzip compressed data, from Unix\012- data
Hash c4dd46f8a61ad4a2b31a83fac5c8d69b
7dbdfa0e61defa44b2595fc8de88777413debf22
b628faf3ddf6d48500ff84fa51ca03ada2420c9bc180a571e11d3354cd8d2567
Analyzer Verdict Alert ThreatFox malicious Lumma Stealer
mnemonic secure dns malicious Sinkholed
Quad9 DNS malicious Sinkholed
NIDS Severity Alert suricata high ThreatFox botnet C2 traffic (url - confidence level: 100%)
suricata low ET INFO HTTP Request to a *.pw domain
GET /api;r HTTP/1.1
Host: killredls.pw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
HTTP/2 301 Moved Permanently
date: Sat, 25 Nov 2023 21:37:36 GMT
location: http://killredls.pw/api;r
cache-control: max-age=3600
expires: Sat, 25 Nov 2023 22:37:36 GMT
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=T63804t6pTJpX%2Bv5eMM11VfHSVk%2By%2FnfyqbD2Fv7U47PVI18%2BzuGn9rBrzC1oLftJLu1304BSCCeIcXIVvfVJ7Z0xtp7tUWmRarMbNnwur854cCI3bwcMIIlkBNxKd0%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 82bd08a9799056af-OSL
X-Firefox-Spdy: h2
killredls.pw/cdn-cgi/styles/challenges.css
200 OK 2.6 kB URL GET HTTP/1.1 killredls.pw/cdn-cgi/styles/challenges.css
IP
Requested by http://killredls.pw/api;r
File type ASCII text, with very long lines (6600), with no line terminators
Hash 2c78b7f8fa496092bf41d5edd51611e7
8b0b1b276e8194b0a5497db478ec2ea9b4f83c42
2b0bd09c1cc7119d27e45353a59bf6c2721563e1689853ff704057a7439508d2
Analyzer Verdict Alert ThreatFox malicious Lumma Stealer
mnemonic secure dns malicious Sinkholed
Quad9 DNS malicious Sinkholed
NIDS Severity Alert suricata low ET INFO HTTP Request to a *.pw domain
GET /cdn-cgi/styles/challenges.css HTTP/1.1
Host: killredls.pw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://killredls.pw/api;r
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 25 Nov 2023 21:37:36 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 16 Nov 2023 21:55:48 GMT
ETag: W/"65568fe4-19c8"
Server: cloudflare
CF-RAY: 82bd08ac3b39b51d-OSL
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
Expires: Sat, 25 Nov 2023 23:37:36 GMT
Cache-Control: max-age=7200, public
Content-Encoding: gzip
killredls.pw/cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=82bd08a9acad5695
200 OK 1.9 kB URL GET HTTP/1.1 killredls.pw/cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=82bd08a9acad5695
IP
Requested by http://killredls.pw/api;r
File type HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- exported SGML document text\012- exported SGML document, ASCII text, with very long lines (394)
Hash d97dfc7c60b790386f0580747cba4835
81ca70306bc11b1ced5775b562cbc560c92c050e
40860ab7358988d4d464f4b71b4eda1f1e78838bfce24face2e95a02af4a56c1
Analyzer Verdict Alert ThreatFox malicious Lumma Stealer
mnemonic secure dns malicious Sinkholed
Quad9 DNS malicious Sinkholed
NIDS Severity Alert suricata low ET INFO HTTP Request to a *.pw domain
GET /cdn-cgi/challenge-platform/h/g/orchestrate/chl_page/v1?ray=82bd08a9acad5695 HTTP/1.1
Host: killredls.pw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://killredls.pw/api;r?__cf_chl_rt_tk=ArrLsji2Cbj8wpz__ROnEkNpZtgz.DYCm7tOZJviGNo-1700948256-0-gaNycGzNBeU
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 25 Nov 2023 21:37:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=haaxxtXgM41PQ7zOF%2BkWD4C4ZcqHU0gkgBgdLg47poYCyz5ngGLos2Jx%2FQkxkMoWCHcA3e6VceXmCeKy9vDludNiBCwps2yC6sJLY3wwepw1%2FVqCvXw36jG%2BAh3Znog%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 82bd08ad4c77b51d-OSL
Content-Encoding: gzip
IP
Requested by http://killredls.pw/api;r
File type HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- HTML document text\012- exported SGML document, ASCII text, with very long lines (4723), with no line terminators
Hash bef279b15d5375bf8c1c0861c5a66304
b1f780d8f3e676a152d5be109d9f75c2465f75ac
64eeee44410f87cb166412921f8f88918782b20514be0d5fbc76e866af2b9c71
Analyzer Verdict Alert ThreatFox malicious Lumma Stealer
mnemonic secure dns malicious Sinkholed
Quad9 DNS malicious Sinkholed
NIDS Severity Alert suricata low ET INFO HTTP Request to a *.pw domain
GET /favicon.ico HTTP/1.1
Host: killredls.pw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://killredls.pw/api;r
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 403 Forbidden
Date: Sat, 25 Nov 2023 21:37:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ybYPPTsQ1g8EgATAIMNsGcFHTIW9%2BbeQ6Zka4nPw%2B2FcCavfNwbg6JTsxzBzWcR7qHPj08arrP42yJMV2Ky6HwvMB70uSdO6wXxvCHXAzdjaiDvfBDo2e%2FtKXc4uI8Y%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 82bd08ad6c97b51d-OSL
Content-Encoding: gzip
172.67.209.38
104.21.53.57