f0828007.xsph.ru - urlscan.io

Summary

This website contacted 5 IPs in 4 countries across 5 domains to perform 7 HTTP transactions. The main IP is 141.8.192.151, located in Russian Federation and belongs to SPRINTHOST, RU. The main domain is f0828007.xsph.ru.

This is the only time f0828007.xsph.ru was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Banco de la República Oriental del Uruguay (Banking)

Domain & IP information

	IP Address	AS Autonomous System
1	185.176.43.98 185.176.43.98	44476 (ZETTA-AS) (ZETTA-AS)
3	141.8.192.151 141.8.192.151	35278 (SPRINTHOST) (SPRINTHOST)
1	2a00:1450:400... 2a00:1450:4001:831::200a	15169 (GOOGLE) (GOOGLE)
1	2606:4700::68... 2606:4700::6812:acf	13335 (CLOUDFLAR...) (CLOUDFLARENET)
1	2a00:1450:400... 2a00:1450:4001:810::2003	15169 (GOOGLE) (GOOGLE)
7	5

1 185.176.43.98 (Bulgaria)

ASN44476 (ZETTA-AS, BG)

bic32brou3uru4guclw.myartsonline.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

3 141.8.192.151 (Russian Federation)

ASN35278 (SPRINTHOST, RU)
PTR: vilir.from.sh

f0828007.xsph.ru	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:831::200a (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

fonts.googleapis.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2606:4700::6812:acf (United States)

ASN13335 (CLOUDFLARENET, US)

stackpath.bootstrapcdn.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:810::2003 (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

fonts.gstatic.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
3	xsph.ru f0828007.xsph.ru	59 KB
1	gstatic.com fonts.gstatic.com	14 KB
1	bootstrapcdn.com stackpath.bootstrapcdn.com — Cisco Umbrella Rank: 2712	7 KB
1	googleapis.com fonts.googleapis.com — Cisco Umbrella Rank: 67	732 B
1	myartsonline.com bic32brou3uru4guclw.myartsonline.com	424 B
7	5

	Domain	Requested by
3	f0828007.xsph.ru	f0828007.xsph.ru
1	fonts.gstatic.com	fonts.googleapis.com
1	stackpath.bootstrapcdn.com	f0828007.xsph.ru
1	fonts.googleapis.com	f0828007.xsph.ru
1	bic32brou3uru4guclw.myartsonline.com
7	5

This site contains no links.

Subject Issuer	Validity	Valid
upload.video.google.com GTS CA 1C3	`2023-05-19` - `2023-08-11`	3 months	crt.sh
sni.cloudflaressl.com Cloudflare Inc ECC CA-3	`2022-12-30` - `2023-12-30`	a year	crt.sh
*.gstatic.com GTS CA 1C3	`2023-05-19` - `2023-08-11`	3 months	crt.sh

This page contains 1 frames:

Primary Page: http://f0828007.xsph.ru/
Frame ID: 5CB8C49F717FD2B1D05910C3BFC80072
Requests: 7 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

brou

Page URL History Show full URLs

http://bic32brou3uru4guclw.myartsonline.com/ Page URL
http://f0828007.xsph.ru/ Page URL

Detected technologies

Bootstrap (Web Frameworks) Expand

Overall confidence: 100%
Detected patterns

<link[^>]* href=[^>]*?bootstrap(?:[^>]*?([0-9a-fA-F]{7,40}|[\d]+(?:.[\d]+(?:.[\d]+)?)?)|)[^>]*?(?:\.min)?\.css

Font Awesome (Font Scripts) Expand

Overall confidence: 100%
Detected patterns

<link[^>]* href=[^>]+(?:([\d.]+)/)?(?:css/)?font-awesome(?:\.min)?\.css
<link[^>]* href=[^>]*?(?:F|f)o(?:n|r)t-?(?:A|a)wesome(?:[^>]*?([0-9a-fA-F]{7,40}|[\d]+(?:.[\d]+(?:.[\d]+)?)?)|)
(?:F|f)o(?:n|r)t-?(?:A|a)wesome(?:.*?([0-9a-fA-F]{7,40}|[\d]+(?:.[\d]+(?:.[\d]+)?)?)|)

Google Font API (Font Scripts) Expand

Overall confidence: 100%
Detected patterns

<link[^>]* href=[^>]+fonts\.(?:googleapis|google)\.com

Page Statistics

7
Requests

43 %
HTTPS

60 %
IPv6

5
Domains

5
Subdomains

5
IPs

4
Countries

82 kB
Transfer

290 kB
Size

0
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

http://bic32brou3uru4guclw.myartsonline.com/ Page URL
http://f0828007.xsph.ru/ Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

7 HTTP transactions
0 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H/1.1 200
OK / Show response
bic32brou3uru4guclw.myartsonline.com/ 195 B
424 B 163ms
45ms Document
text/html 185.176.43.98
ZETTA-AS

General

Check archive.org

Show headers Download Go to

Full URL: http://bic32brou3uru4guclw.myartsonline.com/
Protocol: HTTP/1.1
Server: 185.176.43.98 , Bulgaria, ASN44476 (ZETTA-AS, BG),
Reverse DNS
Software: Apache /
Resource Hash: f54a516b1cbca74c63b907da7b5f66693ff40fa512c202c18afc809d4c62af63

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Mobile/15E148 Safari/604.1
accept-language: de-DE,de;q=0.9

Response headers

Connection: Keep-Alive
Content-Length: 195
Content-Type: text/html; charset=UTF-8
Date: Wed, 07 Jun 2023 19:02:57 GMT
Keep-Alive: timeout=5, max=100
Server: Apache
refresh: 3;url=http://f0828007.xsph.ru

GET
H/1.1 200
OK Primary Request / Show response
f0828007.xsph.ru/ 2 KB
1 KB 182ms
78ms Document
text/html 141.8.192.151
SPRINTHOST

General

Check archive.org

Show headers Download Go to

Full URL: http://f0828007.xsph.ru/
Protocol: HTTP/1.1
Server: 141.8.192.151 , Russian Federation, ASN35278 (SPRINTHOST, RU),
Reverse DNS: vilir.from.sh
Software: openresty /
Resource Hash: f82e4e7cba09762227e6c1e2dc0f6562cbc3b1eceb0ed4cab156a300e79f8deb

Request headers

Referer: http://bic32brou3uru4guclw.myartsonline.com/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Mobile/15E148 Safari/604.1
accept-language: de-DE,de;q=0.9

Response headers

Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html
Date: Wed, 07 Jun 2023 19:03:00 GMT
ETag: W/"9df-5fd861af88925"
Last-Modified: Wed, 07 Jun 2023 08:41:43 GMT
Server: openresty
Transfer-Encoding: chunked
Vary: Accept-Encoding

GET
H2 200 css
fonts.googleapis.com/ 2 KB
732 B 138ms
48ms Stylesheet
text/css 2a00:1450:4001:831::200a
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap

Requested by

Host: f0828007.xsph.ru
URL: http://f0828007.xsph.ru/

Protocol

H2

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:831::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

ESF /

Resource Hash

3dc57ad6ef050d43fc94a423c51447f6f6cb97ea5d0d4012939ec5bf7998c72c

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

accept-language: de-DE,de;q=0.9
Referer: http://f0828007.xsph.ru/
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Mobile/15E148 Safari/604.1

Response headers

strict-transport-security: max-age=31536000
date: Wed, 07 Jun 2023 19:03:01 GMT
content-encoding: gzip
x-content-type-options: nosniff
server: ESF
x-frame-options: SAMEORIGIN
content-type: text/css; charset=utf-8
access-control-allow-origin: *
cache-control: private, max-age=86400
cross-origin-resource-policy: cross-origin
timing-allow-origin: *
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
x-xss-protection: 0
expires: Wed, 07 Jun 2023 19:03:01 GMT

GET
H2 200 font-awesome.min.css
stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/ 30 KB
7 KB 49ms
15ms Stylesheet
text/css 2606:4700::6812:acf
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL

https://stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css

Requested by

Host: f0828007.xsph.ru
URL: http://f0828007.xsph.ru/

Protocol

H2

Security

TLS 1.3, , AES_128_GCM

Server

2606:4700::6812:acf , United States, ASN13335 (CLOUDFLARENET, US),

Reverse DNS

Software

cloudflare /

Resource Hash

799aeb25cc0373fdee0e1b1db7ad6c2f6a0e058dfadaa3379689f583213190bd

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

accept-language: de-DE,de;q=0.9
Referer: http://f0828007.xsph.ru/
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Mobile/15E148 Safari/604.1

Response headers

date: Wed, 07 Jun 2023 19:03:01 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
cf-cache-status: HIT
content-encoding: br
cdn-edgestorageid: 617
age: 12323771
cdn-cachedat: 2021-06-08 14:35:32
cdn-pullzone: 252412
cross-origin-resource-policy: cross-origin
alt-svc: h3=":443"; ma=86400
last-modified: Mon, 25 Jan 2021 22:04:55 GMT
server: cloudflare
cdn-requestpullcode: 200
vary: Accept-Encoding
content-type: text/css; charset=utf-8
cdn-cache: HIT
access-control-allow-origin: *
cdn-uid: b1941f61-b576-4f40-80de-5677acb38f74
cache-control: public, max-age=31919000
cdn-requestid: 8e03a0f40ac23c08b1fbc5b05ccb27fd
timing-allow-origin: *
cdn-requestcountrycode: US
cf-ray: 7d3b27179c89bb32-FRA
cdn-requestpullsuccess: True

GET
H/1.1 200
OK style.css
f0828007.xsph.ru/css/ 217 KB
33 KB 52ms
52ms Stylesheet
text/css 141.8.192.151
SPRINTHOST

General

Check archive.org

Show headers Download Go to

Full URL: http://f0828007.xsph.ru/css/style.css
Requested by: Host: f0828007.xsph.ru
URL: http://f0828007.xsph.ru/
Protocol: HTTP/1.1
Server: 141.8.192.151 , Russian Federation, ASN35278 (SPRINTHOST, RU),
Reverse DNS: vilir.from.sh
Software: openresty /
Resource Hash: f84164e60aeb8c58fc32a8a9ad99151860a5701f0dbab46d38d7460d7b69bd28

Request headers

accept-language: de-DE,de;q=0.9
Referer: http://f0828007.xsph.ru/
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Mobile/15E148 Safari/604.1

Response headers

Date: Wed, 07 Jun 2023 19:03:01 GMT
Content-Encoding: gzip
Last-Modified: Wed, 07 Jun 2023 08:41:48 GMT
Server: openresty
ETag: W/"648042cc-362a3"
Transfer-Encoding: chunked
Vary: Accept-Encoding
Content-Type: text/css
Cache-Control: max-age=604800
Connection: keep-alive
Expires: Wed, 14 Jun 2023 19:03:01 GMT

GET
H/1.1 200
OK m.png
f0828007.xsph.ru/css/ 24 KB
25 KB 86ms
43ms Image
image/png 141.8.192.151
SPRINTHOST

General

Check archive.org

Show headers Download Go to Show image

Full URL: http://f0828007.xsph.ru/css/m.png
Requested by: Host: f0828007.xsph.ru
URL: http://f0828007.xsph.ru/
Protocol: HTTP/1.1
Server: 141.8.192.151 , Russian Federation, ASN35278 (SPRINTHOST, RU),
Reverse DNS: vilir.from.sh
Software: openresty /
Resource Hash: 9631702e97cc0bb44eb14d9b62c1fe0c2ba71845b322012d339d1b5251d25fb1

Request headers

accept-language: de-DE,de;q=0.9
Referer: http://f0828007.xsph.ru/
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Mobile/15E148 Safari/604.1

Response headers

Date: Wed, 07 Jun 2023 19:03:01 GMT
Last-Modified: Wed, 07 Jun 2023 08:41:47 GMT
Server: openresty
ETag: "648042cb-6131"
Content-Type: image/png
Cache-Control: max-age=604800
Connection: keep-alive
Accept-Ranges: bytes
Content-Length: 24881
Expires: Wed, 14 Jun 2023 19:03:01 GMT

GET
H2 200 S6uyw4BMUTPHjx4wXiWtFCc.woff2
fonts.gstatic.com/s/lato/v24/ 14 KB
14 KB 121ms
38ms Font
font/woff2 2a00:1450:4001:810::2003
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://fonts.gstatic.com/s/lato/v24/S6uyw4BMUTPHjx4wXiWtFCc.woff2

Requested by

Host: fonts.googleapis.com
URL: https://fonts.googleapis.com/css?family=Lato:300,400,700&display=swap

Protocol

H2

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:810::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

sffe /

Resource Hash

d4ae5188a65370ecfe28f42293bbee8297cfd5712c6aadfdb270d48f2bcd88b0

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://fonts.googleapis.com/
Origin: http://f0828007.xsph.ru
accept-language: de-DE,de;q=0.9
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_7_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Mobile/15E148 Safari/604.1

Response headers

date: Fri, 02 Jun 2023 17:22:37 GMT
x-content-type-options: nosniff
age: 438024
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
cross-origin-resource-policy: cross-origin
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
content-length: 13980
x-xss-protection: 0
last-modified: Tue, 02 May 2023 15:17:19 GMT
server: sffe
cross-origin-opener-policy: same-origin; report-to="apps-themes"
report-to: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
content-type: font/woff2
access-control-allow-origin: *
cache-control: public, max-age=31536000
accept-ranges: bytes
timing-allow-origin: *
expires: Sat, 01 Jun 2024 17:22:37 GMT

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Banco de la República Oriental del Uruguay (Banking)

3 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

boolean| credentialless object| onbeforetoggle object| onscrollend

0 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

bic32brou3uru4guclw.myartsonline.com
f0828007.xsph.ru
fonts.googleapis.com
fonts.gstatic.com
stackpath.bootstrapcdn.com
141.8.192.151
185.176.43.98
2606:4700::6812:acf
2a00:1450:4001:810::2003
2a00:1450:4001:831::200a
3dc57ad6ef050d43fc94a423c51447f6f6cb97ea5d0d4012939ec5bf7998c72c
799aeb25cc0373fdee0e1b1db7ad6c2f6a0e058dfadaa3379689f583213190bd
9631702e97cc0bb44eb14d9b62c1fe0c2ba71845b322012d339d1b5251d25fb1
d4ae5188a65370ecfe28f42293bbee8297cfd5712c6aadfdb270d48f2bcd88b0
f54a516b1cbca74c63b907da7b5f66693ff40fa512c202c18afc809d4c62af63
f82e4e7cba09762227e6c1e2dc0f6562cbc3b1eceb0ed4cab156a300e79f8deb
f84164e60aeb8c58fc32a8a9ad99151860a5701f0dbab46d38d7460d7b69bd28

f0828007.xsph.ru Open in urlscan Pro 141.8.192.151 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page URL History Show full URLs

Detected technologies

Page Statistics

7 Requests

43 %HTTPS

60 %IPv6

5 Domains

5 Subdomains

5 IPs

4 Countries

82 kBTransfer

290 kBSize

0 Cookies

0 Outgoing links

Page URL History

Redirected requests

7 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

3 JavaScript Global Variables

0 Cookies

Indicators

f0828007.xsph.ru Open in urlscan Pro
141.8.192.151 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

7
Requests

43 %
HTTPS

60 %
IPv6

5
Domains

5
Subdomains

5
IPs

4
Countries

82 kB
Transfer

290 kB
Size

0
Cookies

7 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!