qiagen-onlineapp-ru3ib3w42.vcfdi.cfd
Open in
urlscan Pro
46.101.129.110
Malicious Activity!
Public Scan
Submitted URL: https://yxk.ardsfoundation.net/VlCf0ffqtZHU9bWljJmVydD1ZMmh5YVhOMGFXRnVMbWh2ZFdSbFFIRnBZV2RsYmk1amIyMD0mbXQ9NQ==pthq
Effective URL: https://qiagen-onlineapp-ru3ib3w42.vcfdi.cfd/6dOgat9T?wreply=/web/login?en=signin?client_id=EOKcAx&redirect_uri=https%3A%2F%2F%2FAuth%2FPostH...
Submission: On March 05 via manual from DE — Scanned from DE
Effective URL: https://qiagen-onlineapp-ru3ib3w42.vcfdi.cfd/6dOgat9T?wreply=/web/login?en=signin?client_id=EOKcAx&redirect_uri=https%3A%2F%2F%2FAuth%2FPostH...
Submission: On March 05 via manual from DE — Scanned from DE
Summary
This website contacted 8 IPs
in 3 countries
across 8 domains to perform 14 HTTP transactions.
The main IP is 46.101.129.110, located in
Frankfurt am Main, Germany and
belongs to DIGITALOCEAN-ASN, US.
The main domain is qiagen-onlineapp-ru3ib3w42.vcfdi.cfd.
TLS certificate: Issued by ZeroSSL RSA Domain Secure Site CA on March 3rd 2022. Valid for: 3 months.
This is the only time qiagen-onlineapp-ru3ib3w42.vcfdi.cfd was scanned on urlscan.io!
TLS certificate: Issued by ZeroSSL RSA Domain Secure Site CA on March 3rd 2022. Valid for: 3 months.
This is the only time qiagen-onlineapp-ru3ib3w42.vcfdi.cfd was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: Microsoft (Consumer)Domain & IP information
| IP Address | AS Autonomous System | ||
|---|---|---|---|
| 1 1 | 165.232.74.215 165.232.74.215 | 14061 (DIGITALOC...) (DIGITALOCEAN-ASN) | |
| 6 | 46.101.129.110 46.101.129.110 | 14061 (DIGITALOC...) (DIGITALOCEAN-ASN) | |
| 2 | 2001:4de0:ac1... 2001:4de0:ac18::1:a:2b | 20446 (HIGHWINDS3) (HIGHWINDS3) | |
| 2 | 2a02:26f0:6c0... 2a02:26f0:6c00:2b4::35c1 | 20940 (AKAMAI-ASN1) (AKAMAI-ASN1) | |
| 1 | 192.229.221.185 192.229.221.185 | 15133 (EDGECAST) (EDGECAST) | |
| 1 | 2620:1ec:bdf::45 2620:1ec:bdf::45 | 8068 (MICROSOFT...) (MICROSOFT-CORP-MSN-AS-BLOCK) | |
| 1 | 2606:4700:303... 2606:4700:3038::6815:ead5 | 13335 (CLOUDFLAR...) (CLOUDFLARENET) | |
| 1 | 152.199.23.72 152.199.23.72 | 15133 (EDGECAST) (EDGECAST) | |
| 14 | 8 |
1
165.232.74.215
(Frankfurt am Main, Germany)
ASN14061 (DIGITALOCEAN-ASN, US)
ASN14061 (DIGITALOCEAN-ASN, US)
| yxk.ardsfoundation.net |
6
46.101.129.110
(Frankfurt am Main, Germany)
ASN14061 (DIGITALOCEAN-ASN, US)
ASN14061 (DIGITALOCEAN-ASN, US)
| qiagen-onlineapp-ru3ib3w42.vcfdi.cfd | |
| tqztwn.ubarlbkuhu.cfd |
2
2a02:26f0:6c00:2b4::35c1
(Frankfurt am Main, Germany)
ASN20940 (AKAMAI-ASN1, NL)
ASN20940 (AKAMAI-ASN1, NL)
| secure.aadcdn.microsoftonline-p.com |
| Apex Domain Subdomains |
Transfer | |
|---|---|---|
| 5 |
ubarlbkuhu.cfd
tqztwn.ubarlbkuhu.cfd |
33 KB |
| 2 |
msauth.net
logincdn.msauth.net — Cisco Umbrella Rank: 2290 aadcdn.msauth.net — Cisco Umbrella Rank: 1253 |
2 KB |
| 2 |
microsoftonline-p.com
secure.aadcdn.microsoftonline-p.com — Cisco Umbrella Rank: 9244 |
2 KB |
| 2 |
jquery.com
code.jquery.com — Cisco Umbrella Rank: 588 |
162 KB |
| 1 |
msauthimages.net
aadcdn.msauthimages.net — Cisco Umbrella Rank: 3813 |
279 KB |
| 1 |
iili.io
iili.io — Cisco Umbrella Rank: 123503 |
2 KB |
| 1 |
vcfdi.cfd
qiagen-onlineapp-ru3ib3w42.vcfdi.cfd |
55 KB |
| 1 |
ardsfoundation.net
1 redirects
yxk.ardsfoundation.net |
546 B |
| 14 | 8 |
| Domain | Requested by | |
|---|---|---|
| 5 | tqztwn.ubarlbkuhu.cfd |
code.jquery.com
tqztwn.ubarlbkuhu.cfd |
| 2 | secure.aadcdn.microsoftonline-p.com |
tqztwn.ubarlbkuhu.cfd
|
| 2 | code.jquery.com |
qiagen-onlineapp-ru3ib3w42.vcfdi.cfd
tqztwn.ubarlbkuhu.cfd |
| 1 | aadcdn.msauthimages.net | |
| 1 | iili.io | |
| 1 | aadcdn.msauth.net |
tqztwn.ubarlbkuhu.cfd
|
| 1 | logincdn.msauth.net |
tqztwn.ubarlbkuhu.cfd
|
| 1 | qiagen-onlineapp-ru3ib3w42.vcfdi.cfd | |
| 1 | yxk.ardsfoundation.net | 1 redirects |
| 14 | 9 |
This site contains no links.
| Subject Issuer | Validity | Valid | |
|---|---|---|---|
| *.vcfdi.cfd ZeroSSL RSA Domain Secure Site CA |
2022-03-03 - 2022-06-01 |
3 months | crt.sh |
| *.jquery.com Sectigo RSA Domain Validation Secure Server CA |
2021-07-14 - 2022-08-14 |
a year | crt.sh |
| *.ubarlbkuhu.cfd ZeroSSL RSA Domain Secure Site CA |
2022-02-24 - 2022-05-25 |
3 months | crt.sh |
| secure.aadcdn.microsoftonline-p.com Microsoft RSA TLS CA 02 |
2021-11-18 - 2022-11-18 |
a year | crt.sh |
| identitycdn.msauth.net DigiCert SHA2 Secure Server CA |
2021-05-13 - 2022-05-13 |
a year | crt.sh |
| aadcdn.msauth.net DigiCert SHA2 Secure Server CA |
2022-02-22 - 2023-02-22 |
a year | crt.sh |
| sni.cloudflaressl.com Cloudflare Inc ECC CA-3 |
2021-06-14 - 2022-06-13 |
a year | crt.sh |
| aadcdn.msauthimages.net Microsoft Azure TLS Issuing CA 02 |
2021-06-08 - 2022-06-03 |
a year | crt.sh |
This page contains 3 frames:
Primary Page:
https://qiagen-onlineapp-ru3ib3w42.vcfdi.cfd/6dOgat9T?wreply=/web/login?en=signin?client_id=EOKcAx&redirect_uri=https%3A%2F%2F%2FAuth%2FPostHandler&state=L33CJVlk-qlgZ-7DOO-AciS-9hjT8jqbxqqI&lc=&lc&id=X37TdE&rdir=true&mkt=en-US&psi=&elld=Y2hyaXN0aWFuLmhvdWRlQHFpYWdlbi5jb20=&lw=1
Frame ID: BA386DCDAC2CA523F697D66EE5CFAE72
Requests: 2 HTTP requests in this frame
Frame:
https://tqztwn.ubarlbkuhu.cfd/common/index-m.php?ijbgtrf=Y2hyaXN0aWFuLmhvdWRlQHFpYWdlbi5jb206OjU=
Frame ID: E6ABBD548B3BCCE4BF946E27E4A13173
Requests: 12 HTTP requests in this frame
Frame:
https://tqztwn.ubarlbkuhu.cfd/common/Sign%20in%20to%20your%20account_files/prefetch(1).html
Frame ID: 1916D9E1AB75C3967A89B15E807332A6
Requests: 1 HTTP requests in this frame
Screenshot
Page Title
Sign in to your аccountPage URL History Show full URLs
-
https://yxk.ardsfoundation.net/VlCf0ffqtZHU9bWljJmVydD1ZMmh5YVhOMGFXRnVMbWh2ZFdSbFFIRnBZV2RsYmk1amIyMD0mbXQ...
HTTP 302
https://qiagen-onlineapp-ru3ib3w42.vcfdi.cfd/6dOgat9T?wreply=/web/login?en=signin?client_id=EOKcAx&redirect_uri=https%3A%... Page URL
Detected technologies
jQuery
(JavaScript Libraries)
Expand
Overall confidence: 100%
Detected patterns
Detected patterns
- jquery[.-]([\d.]*\d)[^/]*\.js
- jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?
Page Statistics
0 Outgoing links
These are links going to different origins than the main page.
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
-
https://yxk.ardsfoundation.net/VlCf0ffqtZHU9bWljJmVydD1ZMmh5YVhOMGFXRnVMbWh2ZFdSbFFIRnBZV2RsYmk1amIyMD0mbXQ9NQ==pthq
HTTP 302
https://qiagen-onlineapp-ru3ib3w42.vcfdi.cfd/6dOgat9T?wreply=/web/login?en=signin?client_id=EOKcAx&redirect_uri=https%3A%2F%2F%2FAuth%2FPostHandler&state=L33CJVlk-qlgZ-7DOO-AciS-9hjT8jqbxqqI&lc=&lc&id=X37TdE&rdir=true&mkt=en-US&psi=&elld=Y2hyaXN0aWFuLmhvdWRlQHFpYWdlbi5jb20=&lw=1 Page URL
Redirected requests
There were HTTP redirect chains for the following requests:
14 HTTP transactions
| Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
GET H/1.1 |
Primary Request
6dOgat9T
qiagen-onlineapp-ru3ib3w42.vcfdi.cfd/ Redirect Chain
|
55 KB 55 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
jquery-3.4.1.js
code.jquery.com/ |
274 KB 81 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
index-m.php
tqztwn.ubarlbkuhu.cfd/common/ Frame E6AB |
41 KB 13 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
jquery-3.4.1.js
code.jquery.com/ Frame E6AB |
274 KB 81 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
style.css
tqztwn.ubarlbkuhu.cfd/common/ Frame E6AB |
98 KB 18 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
microsoft_logo.svg
secure.aadcdn.microsoftonline-p.com/ests/2.1.8148.16/content/images/ Frame E6AB |
4 KB 2 KB |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
arrow_left.svg
logincdn.msauth.net/16.000.28345.6/images/ Frame E6AB |
513 B 751 B |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
documentation_bcb4d1dc4eae64f0b2b2538209d8435a.svg
aadcdn.msauth.net/shared/1.0/content/images/ Frame E6AB |
2 KB 1 KB |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
ellipsis_white.svg
secure.aadcdn.microsoftonline-p.com/ests/2.1.8148.16/content/images/ Frame E6AB |
915 B 641 B |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
ellipsis_grey.svg
tqztwn.ubarlbkuhu.cfd/common/Sign%20in%20to%20your%20account_files/ Frame E6AB |
0 209 B |
Image
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET DATA |
truncated
/ Frame E6AB |
5 KB 0 |
Image
image/png |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H/1.1 |
prefetch(1).html
tqztwn.ubarlbkuhu.cfd/common/Sign%20in%20to%20your%20account_files/ Frame 1916 |
0 209 B |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
POST H/1.1 |
bck.php
tqztwn.ubarlbkuhu.cfd/tools/ Frame E6AB |
255 B 515 B |
XHR
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
1WNx5X.jpg
iili.io/ Frame E6AB |
901 B 2 KB |
Image
image/jpeg |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GET H2 |
illustration
aadcdn.msauthimages.net/c1c6b6c8-zleyxpyuc5zeamcpso66oqhohzw2uewcdxzmb2faz0u/logintenantbranding/0/ Frame E6AB |
278 KB 279 KB |
Image
image/* |
||||||||||||||||||||||||||||||||||||||||||||||||||
|
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: Microsoft (Consumer)8 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
object| 0 function| structuredClone object| oncontextlost object| oncontextrestored function| $ function| jQuery function| makeid function| action0 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
4 Console Messages
A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.
| Source | Level | URL Text |
|---|
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
aadcdn.msauth.net
aadcdn.msauthimages.net
code.jquery.com
iili.io
logincdn.msauth.net
qiagen-onlineapp-ru3ib3w42.vcfdi.cfd
secure.aadcdn.microsoftonline-p.com
tqztwn.ubarlbkuhu.cfd
yxk.ardsfoundation.net
152.199.23.72
165.232.74.215
192.229.221.185
2001:4de0:ac18::1:a:2b
2606:4700:3038::6815:ead5
2620:1ec:bdf::45
2a02:26f0:6c00:2b4::35c1
46.101.129.110
04d29248ee3a13a074518c93a18d6efc491bf1f298f9b87fc989a6ae4b9fad7a
0584503f3faad982c47e2ea163cf4798f030e8057a9a641b4f1a6b387580780f
34f9db946e89f031a80dfca7b16b2b686469c9886441261ae70a44da1dfa2d58
42a6cb9cc26f70e3fa78a5ebf7d67a80ed1ae4c8d3e1bfaae71a55cae12e825a
4917d1042d6b94b6839a7b22750181b8ba8d76fe5607581d094c121ea648e01b
5a93a88493aa32aab228bf4571c01207d3b42b0002409a454d404b4d8395bd55
6075736ea9c281d69c4a3d78ff97bb61b9416a5809919babe5a0c5596f99aaea
90eccbac25baa71d1242cda2b6cf02581e6d1ee4e9c4d425f048fae284ba56cd
9dd254f7263118ecf4f83030e36c3f95a728d3eabfe708f8c423243a9cb9a765
a433a4f7b50f670f4d2ec4f9813cc4216265a3104d6dd4e256eefb7fcb87518e
a76c08e9cdc3bb87bfb57627ad8f6b46f0e5ef826cc7f046dfbaf25d7b7958ea
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
f47f03ee0e67aff8f795556d4b5e7724375fa1c25907e2e120677f4b512c5486