ct44862.tmweb.ru Open in urlscan Pro
2a03:6f00:1::5c35:60f3  Malicious Activity! Public Scan

Submitted URL: https://byrl.me/9swF7VV
Effective URL: https://ct44862.tmweb.ru/postaleirm/pstl-log.php
Submission: On May 26 via manual from PL — Scanned from DE

Summary

This website contacted 2 IPs in 2 countries across 2 domains to perform 2 HTTP transactions. The main IP is 2a03:6f00:1::5c35:60f3, located in Russian Federation and belongs to TIMEWEB-AS, RU. The main domain is ct44862.tmweb.ru.
TLS certificate: Issued by GlobalSign GCC R3 DV TLS CA 2020 on May 5th 2022. Valid for: a year.
This is the only time ct44862.tmweb.ru was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Banque Postale (Banking)

Domain & IP information

IP Address AS Autonomous System
1 1 216.10.243.64 394695 (PUBLIC-DO...)
2 2a03:6f00:1::... 9123 (TIMEWEB-AS)
2 2
Apex Domain
Subdomains
Transfer
2 tmweb.ru
ct44862.tmweb.ru
721 KB
1 byrl.me
byrl.me
1 KB
2 2
Domain Requested by
2 ct44862.tmweb.ru ct44862.tmweb.ru
1 byrl.me 1 redirects
2 2

This site contains no links.

Subject Issuer Validity Valid
*.tmweb.ru
GlobalSign GCC R3 DV TLS CA 2020
2022-05-05 -
2023-06-06
a year crt.sh

This page contains 1 frames:

Primary Page: https://ct44862.tmweb.ru/postaleirm/pstl-log.php
Frame ID: 8F43C125B88ABD9F4368D340F4643FC7
Requests: 8 HTTP requests in this frame

Screenshot

Page Title

Connexion à l'espace client - La Banque Postale

Page URL History Show full URLs

  1. https://byrl.me/9swF7VV HTTP 301
    https://ct44862.tmweb.ru/postaleirm/pstl-log.php Page URL

Detected technologies

Overall confidence: 100%
Detected patterns
  • \.php(?:$|\?)

Overall confidence: 100%
Detected patterns
  • jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?

Page Statistics

2
Requests

100 %
HTTPS

50 %
IPv6

2
Domains

2
Subdomains

2
IPs

2
Countries

1325 kB
Transfer

1953 kB
Size

2
Cookies

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

  1. https://byrl.me/9swF7VV HTTP 301
    https://ct44862.tmweb.ru/postaleirm/pstl-log.php Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

2 HTTP transactions

Resource
Path
Size
x-fer
Type
MIME-Type
Primary Request pstl-log.php
ct44862.tmweb.ru/postaleirm/
Redirect Chain
  • https://byrl.me/9swF7VV
  • https://ct44862.tmweb.ru/postaleirm/pstl-log.php
1 MB
690 KB
Document
General
Full URL
https://ct44862.tmweb.ru/postaleirm/pstl-log.php
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
2a03:6f00:1::5c35:60f3 , Russian Federation, ASN9123 (TIMEWEB-AS, RU),
Reverse DNS
Software
nginx/1.20.2 /
Resource Hash
b7e7c4371dfc5287e71640aad31420951b31a91bf4ef7361eed6a6460ba312b4

Request headers

Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
accept-language
de-DE,de;q=0.9

Response headers

content-encoding
gzip
content-type
text/html; charset=UTF-8
date
Thu, 26 May 2022 12:03:21 GMT
server
nginx/1.20.2
vary
Accept-Encoding

Redirect headers

Cache-Control
max-age=604800
Connection
Keep-Alive
Content-Encoding
gzip
Content-Type
text/html; charset=UTF-8
Date
Thu, 26 May 2022 12:03:19 GMT
Expires
Thu, 02 Jun 2022 12:03:19 GMT
Keep-Alive
timeout=15
Location
https://ct44862.tmweb.ru/postaleirm/pstl-log.php
Server
Apache
Transfer-Encoding
chunked
Vary
Accept-Encoding,User-Agent
X-XSS-Protection
1; mode=block
truncated
/
6 KB
0
Image
General
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
065712ca1db04bc11b0e5558683512d07d52b390ececc32dd5af117ed989d596

Request headers

accept-language
de-DE,de;q=0.9
Referer
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36

Response headers

Content-Type
image/png
truncated
/
302 KB
302 KB
Font
General
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
0e56b17d142eb366c8007031d14e34da48c70b4a9d9a0ca492e696a7bae45e1e

Request headers

Referer
Origin
https://ct44862.tmweb.ru
accept-language
de-DE,de;q=0.9
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36

Response headers

Content-Type
application/x-font-woff
truncated
/
302 KB
302 KB
Font
General
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
5b9025dda4d7688e3311b0c17eddc501133b807def33effaef6593843cf5416e

Request headers

Referer
Origin
https://ct44862.tmweb.ru
accept-language
de-DE,de;q=0.9
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36

Response headers

Content-Type
application/x-font-woff
truncated
/
336 B
0
Image
General
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
1a5627a97aa8d55f0866a282ca1d226bf320f6f4aed2aeb76936f84460760318

Request headers

accept-language
de-DE,de;q=0.9
Referer
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36

Response headers

Content-Type
image/svg+xml
truncated
/
10 KB
0
Image
General
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
a079710e67a906296308d3f4e23f6e8a1bfb326e926af1cf4feeec723c8d4674

Request headers

accept-language
de-DE,de;q=0.9
Referer
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36

Response headers

Content-Type
image/svg+xml
jquery.min.js
ct44862.tmweb.ru/postaleirm/Pstl_files/
86 KB
30 KB
Script
General
Full URL
https://ct44862.tmweb.ru/postaleirm/Pstl_files/jquery.min.js
Requested by
Host: ct44862.tmweb.ru
URL: https://ct44862.tmweb.ru/postaleirm/pstl-log.php
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
2a03:6f00:1::5c35:60f3 , Russian Federation, ASN9123 (TIMEWEB-AS, RU),
Reverse DNS
Software
nginx/1.20.2 /
Resource Hash
2b381363dda049f2d49a59037b228bc865d51ffb977c8f5c3547d5c28de48e3a

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://ct44862.tmweb.ru/postaleirm/pstl-log.php
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36

Response headers

date
Thu, 26 May 2022 12:03:21 GMT
content-encoding
gzip
last-modified
Tue, 24 May 2022 15:56:46 GMT
server
nginx/1.20.2
etag
W/"628d003e-15851"
vary
Accept-Encoding
content-type
application/x-javascript
cache-control
max-age=2678400
expires
Sun, 26 Jun 2022 12:03:21 GMT
truncated
/
5 KB
0
Image
General
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
6c2ecc8d8ed497ccfd5de46495d86ec26eb29234a7b65a48cb3bb60ea1519a0a

Request headers

accept-language
de-DE,de;q=0.9
Referer
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36

Response headers

Content-Type
image/png

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Banque Postale (Banking)

9 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

object| oncontextlost object| oncontextrestored function| structuredClone object| launchQueue object| onbeforematch function| getScreenDetails object| navigation function| $ function| jQuery

2 Cookies

Domain/Path Name / Value
byrl.me/ Name: XSRF-TOKEN
Value: eyJpdiI6InNLUmlwdDhQMVpvM3ZWSk94YXk5V3c9PSIsInZhbHVlIjoiM2x5Q09vZ3NSR1FPY2JtOXBITzdGZmYrSGcvTE50dGt4RXR2R2JOUmthMHpJMExrZEJDU2Q1akl6WjdVdGx3dW15cFgrSUFJMEFxckgvcGtndmlJOExjbWpCbDI4bUwrOHJkcUpzZHZGU2VMVzgzZnRibG9aMU1KN3VMT2QvRnoiLCJtYWMiOiJjZWU2OTBhYWYwN2Y5Y2I3YzQyMDdiZDI0MTgxZjNmOGM2MGY2NTJlMzM0YWE4ZDdkMjIxMzk2ODM5ZGFjNGQ3IiwidGFnIjoiIn0%3D
byrl.me/ Name: axlsin_session
Value: eyJpdiI6ImJla2FKU2RDdjNsMmFpMVhaampvZ1E9PSIsInZhbHVlIjoiUjRpKzlESzdpd2R6K29MYytDamsrYldObWs1RWlrOFlJZHA0Y0d1WmNaM3lTRmdvRDFDUldNa1lkbWovelNaZVV5V1hjaTR0Mk1EelpaclBXS3pnM3RMUmJNaVdoemNZazkxbTdwYjRIQXVyOEx5NFVPSHRoL3ZXVUlSajlQK1ciLCJtYWMiOiJiOWFmYTBiZThhMDI2MjcwNGFmZWIwYzRmMmE3NDU2NzM5ZDQ0MGJlODM5YjI4NjM5ZmU5NzllYzI5ZDYzODE0IiwidGFnIjoiIn0%3D