{"report_id":"d454a11c-c8a1-426d-9ed4-440ed4223351","version":6,"status":"done","tags":["suspicious"],"date":"2025-09-23T11:19:35Z","url":{"schema":"http","addr":"brilliant-gingersnap-b788a2.netlify.app/?email=contactus@slurpmail.net","fqdn":"brilliant-gingersnap-b788a2.netlify.app","domain":"brilliant-gingersnap-b788a2.netlify.app","tld":"netlify.app"},"ip":{"addr":"35.157.26.135","port":0,"asn":16509,"as":"AMAZON-02","country":"Germany","country_code":"DE"},"final":{"url":{"schema":"https","addr":"brilliant-gingersnap-b788a2.netlify.app/?email=contactus@slurpmail.net","fqdn":"brilliant-gingersnap-b788a2.netlify.app","domain":"brilliant-gingersnap-b788a2.netlify.app","tld":"netlify.app"},"title":"brilliant-gingersnap-b788a2.netlify.app/?email=contactus@slurpmail.net"},"submit":{"url":{"schema":"http","addr":"brilliant-gingersnap-b788a2.netlify.app/?email=contactus@slurpmail.net","fqdn":"brilliant-gingersnap-b788a2.netlify.app","domain":"brilliant-gingersnap-b788a2.netlify.app","tld":"netlify.app"},"ip":{"addr":"35.157.26.135","port":0,"asn":16509,"as":"AMAZON-02","country":"Germany","country_code":"DE"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-28T11:19:35Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":1,"urlquery":2,"analyzer":1}},"detection":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-09-23T11:19:10Z","timestamp":1758626350,"ip_dst":{"addr":"35.157.26.135","port":443,"asn":16509,"as":"AMAZON-02","country":"Germany","country_code":"DE"},"ip_src":{"addr":"172.18.0.4","port":47314,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET HUNTING Suspicious Netlify Hosted TLS SNI Request - Possible Phishing Landing","source":"{\"timestamp\":\"2025-09-23T11:19:10.323962+0000\",\"flow_id\":1594770785713656,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.4\",\"src_port\":47314,\"dest_ip\":\"35.157.26.135\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2032760,\"rev\":1,\"signature\":\"ET HUNTING Suspicious Netlify Hosted TLS SNI Request - Possible Phishing Landing\",\"category\":\"Possible Social Engineering Attempted\",\"severity\":2,\"metadata\":{\"affected_product\":[\"Web_Browsers\"],\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"Medium\"],\"created_at\":[\"2021_04_14\"],\"deployment\":[\"Perimeter\"],\"mitre_tactic_id\":[\"TA0001\"],\"mitre_tactic_name\":[\"Initial_Access\"],\"mitre_technique_id\":[\"T1566\"],\"mitre_technique_name\":[\"Phishing\"],\"signature_severity\":[\"Critical\"],\"tag\":[\"Phishing\"],\"updated_at\":[\"2021_04_14\"]}},\"tls\":{\"sni\":\"brilliant-gingersnap-b788a2.netlify.app\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"0faf2a91198d40dbd58b9308f3fca2fd\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-65037,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"f4febc55ea12b31ae17cfb7e614afda8\",\"string\":\"771,4865,43-51\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":941,\"bytes_toclient\":3502,\"start\":\"2025-09-23T11:19:10.278008+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2025-09-23","alert":"Detects file containing Telegram Bot API","trigger":"javascript.write.md5:ee3ccba485456a1c57002b188f7cc6ba","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"rectifyq","date":"2024-09-07","description":"Detects file containing Telegram Bot API","rule":"telegram_bot_api","yarahub_author_twitter":"@_rectifyq","yarahub_license":"CC0 1.0","yarahub_reference_md5":"9DA48D34DC999B4E05E0C6716A3B3B83","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"58c9e4fe-d1e9-46ed-913c-dba943ac16d6"}}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null}]},"summary":[{"fqdn":"brilliant-gingersnap-b788a2.netlify.app","ip":{"addr":"35.157.26.135","port":443,"asn":16509,"as":"AMAZON-02","country":"Germany","country_code":"DE"},"domain_registered":"2018-05-08","domain_rank":0,"first_seen":"2025-09-23T11:19:35.758719Z","last_seen":"2025-09-23T11:19:35.758719Z","alert_count":0,"request_count":1,"received_data":13472,"sent_data":538,"comment":"","tags":null,"fingerprints":[{"name":"Netlify","description":"Netlify providers hosting and server-less backend services for web applications and static websites.","website":"https://www.netlify.com/","common_platform_enumeration":"","icon":"Netlify.svg","categories":["PaaS","CDN"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":[{"md5":"ee3ccba485456a1c57002b188f7cc6ba","sha1":"33b39f2630ba261869d46140a9e33ddd7a72cc65","sha256":"41af211fa8609ba52176a9ef03f398bb9c21d9fa2a5e6ccb63916b47acda9222","sha512":"2af26654503e8c7b74d9c679d73ed88df4a033698e92136793028d4c44e4a8049991820617237db216d100d80ff293c23a747e9b0538935e8ccaf3ac5827f3f0","size":9706,"token":"7090225341:AAGOahUT7_0U7LgR9RLc2HTTMAdPnQfFS8A","is_revoked":false,"bot":{"token":"7090225341:AAGOahUT7_0U7LgR9RLc2HTTMAdPnQfFS8A","user_id":"7090225341","username":"FreshL0g101_bot","first_name":"FreshL0g","last_name":"","chat":{"chat_id":"7077159731","title":"","type":"private","bot_is":"member","total_users":2,"active_members":null,"admins":null},"pending_messages":0}}],"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-09-23T11:19:10Z","timestamp":1758626350,"ip_dst":{"addr":"35.157.26.135","port":443,"asn":16509,"as":"AMAZON-02","country":"Germany","country_code":"DE"},"ip_src":{"addr":"172.18.0.4","port":47314,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET HUNTING Suspicious Netlify Hosted TLS SNI Request - Possible Phishing Landing","source":"{\"timestamp\":\"2025-09-23T11:19:10.323962+0000\",\"flow_id\":1594770785713656,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.4\",\"src_port\":47314,\"dest_ip\":\"35.157.26.135\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2032760,\"rev\":1,\"signature\":\"ET HUNTING Suspicious Netlify Hosted TLS SNI Request - Possible Phishing Landing\",\"category\":\"Possible Social Engineering Attempted\",\"severity\":2,\"metadata\":{\"affected_product\":[\"Web_Browsers\"],\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"Medium\"],\"created_at\":[\"2021_04_14\"],\"deployment\":[\"Perimeter\"],\"mitre_tactic_id\":[\"TA0001\"],\"mitre_tactic_name\":[\"Initial_Access\"],\"mitre_technique_id\":[\"T1566\"],\"mitre_technique_name\":[\"Phishing\"],\"signature_severity\":[\"Critical\"],\"tag\":[\"Phishing\"],\"updated_at\":[\"2021_04_14\"]}},\"tls\":{\"sni\":\"brilliant-gingersnap-b788a2.netlify.app\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"0faf2a91198d40dbd58b9308f3fca2fd\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-65037,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"f4febc55ea12b31ae17cfb7e614afda8\",\"string\":\"771,4865,43-51\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":941,\"bytes_toclient\":3502,\"start\":\"2025-09-23T11:19:10.278008+0000\"}}"}]}],"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - Suspicious Javascript code","verdict":"suspicious","severity":"medium","comment":"","tags":["suspicious"],"meta":null}]},"javascript":{"script":[{"url":{"schema":"https","addr":"brilliant-gingersnap-b788a2.netlify.app/?email=contactus@slurpmail.net","fqdn":"brilliant-gingersnap-b788a2.netlify.app","domain":"brilliant-gingersnap-b788a2.netlify.app","tld":"netlify.app"},"ip":{"addr":"35.157.26.135","port":443,"asn":16509,"as":"AMAZON-02","country":"Germany","country_code":"DE"},"introduction_type":"scriptElement","is_inline":false,"md5":"852d994d3425ed44079fbd8d3be192bf","sha1":"90a52243245da11df55e5cbe6fe04f2d8636e08e","sha256":"4bac84d57633b103f94241fdc9916e102d600e85af277d9d908334c3a719a82d","sha512":"a963dacf4597e2f4f2506c10013bad5089278b815216561b8810f2216b561c860beaf6efbc4483fff68d7fc02f00598b5381ec163ff314822d905b4d264b7101","ssdeep":"","tlshash":"d8b01248d5a4405c0b53297124d7167d71684518c0820134081c40fc51a4f5587bf609","size":94,"data":"","first_seen":"2025-05-29T13:54:23.463491Z","last_seen":"2026-04-26T23:11:57.883148Z","times_seen":473,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"brilliant-gingersnap-b788a2.netlify.app/?email=contactus@slurpmail.net","fqdn":"brilliant-gingersnap-b788a2.netlify.app","domain":"brilliant-gingersnap-b788a2.netlify.app","tld":"netlify.app"},"ip":{"addr":"35.157.26.135","port":443,"asn":16509,"as":"AMAZON-02","country":"Germany","country_code":"DE"},"introduction_type":"scriptElement","is_inline":true,"md5":"a6e175b5d47a43dbe7ff1aea8074b357","sha1":"7192f59805a4268257843d9a492dab781eb4d111","sha256":"1c70a549a7e4971e107fb56825ad2f12c1b1467c76f6a7bdf563e238fa04d2af","sha512":"5828d0f37abadf24b9b2e240d74f2b96fed4132dbce19d0484b70d886f6e6ff505cf1f781b08e86a763aa070818961c513b7be281cab20d57e9f6539860a7ccf","ssdeep":"192:eAWXs9fnb8jZ0YHDew7Bl2kVFKFvak1vRzQrpGJ3NZsnx:eiVnbwxjn7b2kDLk1vRqpGzo","tlshash":"c2429316cf4f2c55c7604a13e2ee69ca082f97cdf8e200dc865bebcbc15ee5608d91a4","size":12988,"data":"","first_seen":"2025-08-05T10:15:21.99427Z","last_seen":"2026-04-26T23:11:57.882248Z","times_seen":193,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}],"eval":null,"write":[{"md5":"ee3ccba485456a1c57002b188f7cc6ba","sha1":"33b39f2630ba261869d46140a9e33ddd7a72cc65","sha256":"41af211fa8609ba52176a9ef03f398bb9c21d9fa2a5e6ccb63916b47acda9222","sha512":"2af26654503e8c7b74d9c679d73ed88df4a033698e92136793028d4c44e4a8049991820617237db216d100d80ff293c23a747e9b0538935e8ccaf3ac5827f3f0","ssdeep":"192:icWwmllheofDQlh2X808FpzicDp3CYFKTB7nv7MbaFrYTPhXxMl:3Wb8FpFqnv7ckrQI","tlshash":"2112b47654b308857a43a0a83be7a6003e25c0035b86cda97f5c97a9cf95df568b33c8","size":9706,"data":"","first_seen":"2025-08-05T10:15:22.002919Z","last_seen":"2026-04-26T23:11:57.883972Z","times_seen":193,"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2025-09-23","alert":"Detects file containing Telegram Bot API","trigger":"javascript.write.md5:ee3ccba485456a1c57002b188f7cc6ba","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"rectifyq","date":"2024-09-07","description":"Detects file containing Telegram Bot API","rule":"telegram_bot_api","yarahub_author_twitter":"@_rectifyq","yarahub_license":"CC0 1.0","yarahub_reference_md5":"9DA48D34DC999B4E05E0C6716A3B3B83","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"58c9e4fe-d1e9-46ed-913c-dba943ac16d6"}}],"urlquery":null}}],"console":null},"http":[{"url":{"schema":"https","addr":"brilliant-gingersnap-b788a2.netlify.app/?email=contactus@slurpmail.net","fqdn":"brilliant-gingersnap-b788a2.netlify.app","domain":"brilliant-gingersnap-b788a2.netlify.app","tld":"netlify.app"},"ip":{"addr":"35.157.26.135","port":443,"asn":16509,"as":"AMAZON-02","country":"Germany","country_code":"DE"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-09-23T11:19:10.279Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.netlify.app","organization":"Netlify, Inc"},"issuer":{"commonName":"DigiCert Global G2 TLS RSA SHA256 2020 CA1","organization":"DigiCert Inc"},"validity":{"start":"Fri, 31 Jan 2025 00:00:00 GMT","end":"Tue, 03 Mar 2026 23:59:59 GMT"},"fingerprint":{"sha1":"04:28:C9:A3:BC:06:50:9C:6B:0B:67:72:82:27:C6:3D:99:1B:5B:71","sha256":"FA:34:6A:A0:1C:F5:9C:C7:30:CA:55:23:13:A1:3E:0F:21:8C:3A:0B:B5:CC:E5:67:09:FE:64:EC:97:4E:8D:75"}}},"request":{"raw":"GET /?email=contactus@slurpmail.net HTTP/1.1\r\nHost: brilliant-gingersnap-b788a2.netlify.app\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\naccept-ranges: bytes\r\nage: 0\r\ncache-control: public,max-age=0,must-revalidate\r\ncache-status: \"Netlify Edge\"; fwd=miss\r\ncontent-encoding: br\r\ncontent-type: text/html; charset=UTF-8\r\ndate: Tue, 23 Sep 2025 11:19:10 GMT\r\netag: \"00b00134c333be0c2ac69a24e03a0989-ssl-df\"\r\nserver: Netlify\r\nstrict-transport-security: max-age=31536000; includeSubDomains; preload\r\nvary: Accept-Encoding\r\nx-nf-request-id: 01K5V4S18M06P0HJXFWGYTHZWD\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Netlify","description":"Netlify providers hosting and server-less backend services for web applications and static websites.","website":"https://www.netlify.com/","common_platform_enumeration":"","icon":"Netlify.svg","categories":["PaaS","CDN"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}],"data":{"size":13010,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"HTML document, ASCII text, with very long lines (12964), with CRLF line terminators","md5":"0f68b0249d0c5c68a18a6006aa69313f","sha1":"6cb11c898357c4f4d11fd5138dec60726357e435","sha256":"abeae0403c4e5a609a5d900e9a27a11a5d583f809ee4f80678450de4ef66a058","sha512":"6670eafde7884be51ba43d0a0a8ca79afdb377712296255385234ee47573224d423a847930e0c05561566518c55c15d990e520db9b927dcf1f3eeb172f38c80e","ssdeep":"192:XAWXs9fnb8jZ0YHDew7Bl2kVFKFvak1vRzQrpGJ3NZsn1:XiVnbwxjn7b2kDLk1vRqpGz2","tlshash":"19429316cf4f2c55c7504a53e2eea9ca082f97cdf8e200dc865bebcbc15ee5608d91a4","first_seen":"2025-08-05T10:15:21.983978Z","last_seen":"2026-04-26T23:11:57.881215Z","times_seen":193,"resource_available":true,"data":null}},"time_used":433,"timings":{"blocked":67,"dns":0,"connect":22,"send":0,"wait":297,"receive":0,"ssl":44},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}