ct44862.tmweb.ru Open in urlscan Pro
2a03:6f00:1::5c35:60f3 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

Submitted URL:
https://byrl.me/9swF7VV
Effective URL:
https://ct44862.tmweb.ru/postaleirm/pstl-log.php
Submission: On May 26 via manual (May 26th 2022, 12:03:25 pm UTC) from PL — Scanned from DE

Summary HTTP 2 Redirects Behaviour Indicators

Summary

This website contacted 2 IPs in 2 countries across 2 domains to perform 2 HTTP transactions. The main IP is 2a03:6f00:1::5c35:60f3, located in Russian Federation and belongs to TIMEWEB-AS, RU. The main domain is ct44862.tmweb.ru.
TLS certificate: Issued by GlobalSign GCC R3 DV TLS CA 2020 on May 5th 2022. Valid for: a year.

This is the only time ct44862.tmweb.ru was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Banque Postale (Banking)

Domain & IP information

	IP Address	AS Autonomous System
1 1	216.10.243.64 216.10.243.64	394695 (PUBLIC-DO...) (PUBLIC-DOMAIN-REGISTRY)
2	2a03:6f00:1::... 2a03:6f00:1::5c35:60f3	9123 (TIMEWEB-AS) (TIMEWEB-AS)
2	2

1 216.10.243.64 (India) 1 redirects

ASN394695 (PUBLIC-DOMAIN-REGISTRY, US)
PTR: server.sonyserialtalks.net

byrl.me	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a03:6f00:1::5c35:60f3 (Russian Federation)

ASN9123 (TIMEWEB-AS, RU)

ct44862.tmweb.ru	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
2	tmweb.ru ct44862.tmweb.ru	721 KB
1	byrl.me 1 redirects byrl.me	1 KB
2	2

	Domain	Requested by
2	ct44862.tmweb.ru	ct44862.tmweb.ru
1	byrl.me	1 redirects
2	2

This site contains no links.

Subject Issuer	Validity	Valid
*.tmweb.ru GlobalSign GCC R3 DV TLS CA 2020	`2022-05-05` - `2023-06-06`	a year	crt.sh

This page contains 1 frames:

Primary Page: https://ct44862.tmweb.ru/postaleirm/pstl-log.php
Frame ID: 8F43C125B88ABD9F4368D340F4643FC7
Requests: 8 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Connexion à l'espace client - La Banque Postale

Page URL History Show full URLs

https://byrl.me/9swF7VV HTTP 301
https://ct44862.tmweb.ru/postaleirm/pstl-log.php Page URL

Detected technologies

PHP (Programming Languages) Expand

Overall confidence: 100%
Detected patterns

\.php(?:$|\?)

jQuery (JavaScript Libraries) Expand

Overall confidence: 100%
Detected patterns

jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?

Page Statistics

2
Requests

100 %
HTTPS

50 %
IPv6

2
Domains

2
Subdomains

2
IPs

2
Countries

1325 kB
Transfer

1953 kB
Size

2
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

https://byrl.me/9swF7VV HTTP 301
https://ct44862.tmweb.ru/postaleirm/pstl-log.php Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

2 HTTP transactions
6 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H2	200	Primary Request pstl-log.php Show response ct44862.tmweb.ru/postaleirm/ Redirect Chain https://byrl.me/9swF7VV https://ct44862.tmweb.ru/postaleirm/pstl-log.php	1 MB 690 KB	204ms 100ms	Document text/html	2a03:6f00:1::5c35:60f3 TIMEWEB-AS
General Check archive.org Show headers Download Go to Full URL https://ct44862.tmweb.ru/postaleirm/pstl-log.php Protocol H2 Security TLS 1.3, , AES_256_GCM Server 2a03:6f00:1::5c35:60f3 , Russian Federation, ASN9123 (TIMEWEB-AS, RU), Reverse DNS Software nginx/1.20.2 / Resource Hash `b7e7c4371dfc5287e71640aad31420951b31a91bf4ef7361eed6a6460ba312b4` Request headers Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36 accept-language de-DE,de;q=0.9 Response headers content-encoding gzip content-type text/html; charset=UTF-8 date Thu, 26 May 2022 12:03:21 GMT server nginx/1.20.2 vary Accept-Encoding Redirect headers Cache-Control max-age=604800 Connection Keep-Alive Content-Encoding gzip Content-Type text/html; charset=UTF-8 Date Thu, 26 May 2022 12:03:19 GMT Expires Thu, 02 Jun 2022 12:03:19 GMT Keep-Alive timeout=15 Location https://ct44862.tmweb.ru/postaleirm/pstl-log.php Server Apache Transfer-Encoding chunked Vary Accept-Encoding,User-Agent X-XSS-Protection 1; mode=block
GET DATA	200 OK	truncated /	6 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `065712ca1db04bc11b0e5558683512d07d52b390ececc32dd5af117ed989d596` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36 Response headers Content-Type image/png
GET DATA	200 OK	truncated /	302 KB 302 KB		Font application/x-font-woff
General Check archive.org Show headers Download Go to Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `0e56b17d142eb366c8007031d14e34da48c70b4a9d9a0ca492e696a7bae45e1e` Request headers Referer Origin https://ct44862.tmweb.ru accept-language de-DE,de;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36 Response headers Content-Type application/x-font-woff
GET DATA	200 OK	truncated /	302 KB 302 KB		Font application/x-font-woff
General Check archive.org Show headers Download Go to Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `5b9025dda4d7688e3311b0c17eddc501133b807def33effaef6593843cf5416e` Request headers Referer Origin https://ct44862.tmweb.ru accept-language de-DE,de;q=0.9 User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36 Response headers Content-Type application/x-font-woff
GET DATA	200 OK	truncated /	336 B 0		Image image/svg+xml
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `1a5627a97aa8d55f0866a282ca1d226bf320f6f4aed2aeb76936f84460760318` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36 Response headers Content-Type image/svg+xml
GET DATA	200 OK	truncated /	10 KB 0		Image image/svg+xml
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `a079710e67a906296308d3f4e23f6e8a1bfb326e926af1cf4feeec723c8d4674` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36 Response headers Content-Type image/svg+xml
GET H2	200	jquery.min.js Show response ct44862.tmweb.ru/postaleirm/Pstl_files/	86 KB 30 KB	55ms 55ms	Script application/x-javascript	2a03:6f00:1::5c35:60f3 TIMEWEB-AS
General Check archive.org Show headers Download Go to Full URL https://ct44862.tmweb.ru/postaleirm/Pstl_files/jquery.min.js Requested by Host: ct44862.tmweb.ru URL: https://ct44862.tmweb.ru/postaleirm/pstl-log.php Protocol H2 Security TLS 1.3, , AES_256_GCM Server 2a03:6f00:1::5c35:60f3 , Russian Federation, ASN9123 (TIMEWEB-AS, RU), Reverse DNS Software nginx/1.20.2 / Resource Hash `2b381363dda049f2d49a59037b228bc865d51ffb977c8f5c3547d5c28de48e3a` Request headers accept-language de-DE,de;q=0.9 Referer https://ct44862.tmweb.ru/postaleirm/pstl-log.php User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36 Response headers date Thu, 26 May 2022 12:03:21 GMT content-encoding gzip last-modified Tue, 24 May 2022 15:56:46 GMT server nginx/1.20.2 etag W/"628d003e-15851" vary Accept-Encoding content-type application/x-javascript cache-control max-age=2678400 expires Sun, 26 Jun 2022 12:03:21 GMT
GET DATA	200 OK	truncated /	5 KB 0		Image image/png
General Check archive.org Show headers Download Go to Show image Full URL data:truncated Protocol DATA Server -, , ASN (), Reverse DNS Software / Resource Hash `6c2ecc8d8ed497ccfd5de46495d86ec26eb29234a7b65a48cb3bb60ea1519a0a` Request headers accept-language de-DE,de;q=0.9 Referer User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36 Response headers Content-Type image/png

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Banque Postale (Banking)

9 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

2 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			byrl.me/	1970-01-20 03:19:33	Name: XSRF-TOKEN Value: eyJpdiI6InNLUmlwdDhQMVpvM3ZWSk94YXk5V3c9PSIsInZhbHVlIjoiM2x5Q09vZ3NSR1FPY2JtOXBITzdGZmYrSGcvTE50dGt4RXR2R2JOUmthMHpJMExrZEJDU2Q1akl6WjdVdGx3dW15cFgrSUFJMEFxckgvcGtndmlJOExjbWpCbDI4bUwrOHJkcUpzZHZGU2VMVzgzZnRibG9aMU1KN3VMT2QvRnoiLCJtYWMiOiJjZWU2OTBhYWYwN2Y5Y2I3YzQyMDdiZDI0MTgxZjNmOGM2MGY2NTJlMzM0YWE4ZDdkMjIxMzk2ODM5ZGFjNGQ3IiwidGFnIjoiIn0%3D
			byrl.me/	1970-01-20 03:19:33	Name: axlsin_session Value: eyJpdiI6ImJla2FKU2RDdjNsMmFpMVhaampvZ1E9PSIsInZhbHVlIjoiUjRpKzlESzdpd2R6K29MYytDamsrYldObWs1RWlrOFlJZHA0Y0d1WmNaM3lTRmdvRDFDUldNa1lkbWovelNaZVV5V1hjaTR0Mk1EelpaclBXS3pnM3RMUmJNaVdoemNZazkxbTdwYjRIQXVyOEx5NFVPSHRoL3ZXVUlSajlQK1ciLCJtYWMiOiJiOWFmYTBiZThhMDI2MjcwNGFmZWIwYzRmMmE3NDU2NzM5ZDQ0MGJlODM5YjI4NjM5ZmU5NzllYzI5ZDYzODE0IiwidGFnIjoiIn0%3D

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

byrl.me
ct44862.tmweb.ru
216.10.243.64
2a03:6f00:1::5c35:60f3
065712ca1db04bc11b0e5558683512d07d52b390ececc32dd5af117ed989d596
0e56b17d142eb366c8007031d14e34da48c70b4a9d9a0ca492e696a7bae45e1e
1a5627a97aa8d55f0866a282ca1d226bf320f6f4aed2aeb76936f84460760318
2b381363dda049f2d49a59037b228bc865d51ffb977c8f5c3547d5c28de48e3a
5b9025dda4d7688e3311b0c17eddc501133b807def33effaef6593843cf5416e
6c2ecc8d8ed497ccfd5de46495d86ec26eb29234a7b65a48cb3bb60ea1519a0a
a079710e67a906296308d3f4e23f6e8a1bfb326e926af1cf4feeec723c8d4674
b7e7c4371dfc5287e71640aad31420951b31a91bf4ef7361eed6a6460ba312b4

ct44862.tmweb.ru Open in urlscan Pro 2a03:6f00:1::5c35:60f3 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page URL History Show full URLs

Detected technologies

Page Statistics

2 Requests

100 %HTTPS

50 %IPv6

2 Domains

2 Subdomains

2 IPs

2 Countries

1325 kBTransfer

1953 kBSize

2 Cookies

0 Outgoing links

Page URL History

Redirected requests

2 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 6 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

9 JavaScript Global Variables

2 Cookies

Indicators

ct44862.tmweb.ru Open in urlscan Pro
2a03:6f00:1::5c35:60f3 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

2
Requests

100 %
HTTPS

50 %
IPv6

2
Domains

2
Subdomains

2
IPs

2
Countries

1325 kB
Transfer

1953 kB
Size

2
Cookies

2 HTTP transactions
6 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!