cert.privatkunde.dan.20-4-34-89.cprapid.com Open in urlscan Pro
20.4.34.89 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

Submitted URL:
http://saywa.soft.pe/dp.php
Effective URL:
https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1...
Submission: On October 31 via manual (October 31st 2022, 12:19:58 pm UTC) from DK — Scanned from DK

Summary HTTP 16 Redirects Behaviour Indicators

Summary

This website contacted 7 IPs in 4 countries across 5 domains to perform 16 HTTP transactions. The main IP is 20.4.34.89, located in Amsterdam, Netherlands and belongs to MICROSOFT-CORP-MSN-AS-BLOCK, US. The main domain is cert.privatkunde.dan.20-4-34-89.cprapid.com.
TLS certificate: Issued by cPanel, Inc. Certification Authority on October 25th 2022. Valid for: 3 months.

This is the only time cert.privatkunde.dan.20-4-34-89.cprapid.com was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Nordea (Banking)

Domain & IP information

	IP Address	AS Autonomous System
1	216.119.142.131 216.119.142.131	55293 (A2HOSTING) (A2HOSTING)
1 3	20.4.34.89 20.4.34.89	8075 (MICROSOFT...) (MICROSOFT-CORP-MSN-AS-BLOCK)
2	2606:4700:10:... 2606:4700:10::6816:4aab	13335 (CLOUDFLAR...) (CLOUDFLARENET)
2	158.69.139.226 158.69.139.226	16276 (OVH) (OVH)
1	104.18.19.39 104.18.19.39	13335 (CLOUDFLAR...) (CLOUDFLARENET)
8	67.202.105.33 67.202.105.33	32748 (STEADFAST) (STEADFAST)
16	7

1 216.119.142.131 (United States)

ASN55293 (A2HOSTING, US)
PTR: server.yanapa.com

saywa.soft.pe	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

3 20.4.34.89 (Amsterdam, Netherlands) 1 redirects

ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US)

cert.privatkunde.dan.20-4-34-89.cprapid.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2606:4700:10::6816:4aab (United States)

ASN13335 (CLOUDFLARENET, US)

widgets.amung.us	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools
whos.amung.us	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 158.69.139.226 (Montreal, Canada)

ASN16276 (OVH, FR)
PTR: ip226.ip-158-69-139.net

t.dtscout.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 104.18.19.39 (Shahr, Iran, Islamic Republic Of)

ASN13335 (CLOUDFLARENET, US)

cdn.tynt.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

8 67.202.105.33 (Tinley Park, United States)

ASN32748 (STEADFAST, US)
PTR: ip33.67-202-105.static.steadfastdns.net

ic.tynt.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools
de.tynt.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
9	tynt.com cdn.tynt.com — Cisco Umbrella Rank: 9748 ic.tynt.com — Cisco Umbrella Rank: 6219 de.tynt.com — Cisco Umbrella Rank: 1438	9 KB
3	cprapid.com 1 redirects cert.privatkunde.dan.20-4-34-89.cprapid.com	456 KB
2	dtscout.com t.dtscout.com — Cisco Umbrella Rank: 12688	3 KB
2	amung.us widgets.amung.us — Cisco Umbrella Rank: 21411 whos.amung.us — Cisco Umbrella Rank: 15062	4 KB
1	soft.pe saywa.soft.pe	588 B
16	5

	Domain	Requested by
7	ic.tynt.com
3	cert.privatkunde.dan.20-4-34-89.cprapid.com	1 redirects saywa.soft.pe cert.privatkunde.dan.20-4-34-89.cprapid.com
2	t.dtscout.com	widgets.amung.us t.dtscout.com
1	de.tynt.com	cdn.tynt.com
1	cdn.tynt.com	widgets.amung.us
1	whos.amung.us	widgets.amung.us
1	widgets.amung.us	cert.privatkunde.dan.20-4-34-89.cprapid.com
1	saywa.soft.pe
16	8

This site contains no links.

Subject Issuer	Validity	Valid
cert.privatkunde.dan.20-4-34-89.cprapid.com cPanel, Inc. Certification Authority	`2022-10-25` - `2023-01-23`	3 months	crt.sh
*.amung.us Sectigo RSA Domain Validation Secure Server CA	`2022-05-18` - `2023-06-17`	a year	crt.sh
*.dtscout.com Sectigo RSA Domain Validation Secure Server CA	`2021-10-28` - `2022-11-27`	a year	crt.sh
*.tynt.com Sectigo RSA Domain Validation Secure Server CA	`2022-09-07` - `2023-09-30`	a year	crt.sh

This page contains 1 frames:

Primary Page: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
Frame ID: 166DB6109459AAA8087F6132BAF50C5A
Requests: 22 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Title

Nordea - identifikation

Page URL History Show full URLs

http://saywa.soft.pe/dp.php Page URL
https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/ HTTP 302
https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9... Page URL

Detected technologies

PHP (Programming Languages) Expand

Overall confidence: 100%
Detected patterns

\.php(?:$|\?)

Page Statistics

16
Requests

94 %
HTTPS

17 %
IPv6

5
Domains

8
Subdomains

7
IPs

4
Countries

524 kB
Transfer

614 kB
Size

3
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

http://saywa.soft.pe/dp.php Page URL
https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/ HTTP 302
https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

16 HTTP transactions
6 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H/1.1 200
OK dp.php
saywa.soft.pe/ 229 B
588 B 775ms
641ms Document
text/html 216.119.142.131
A2HOSTING

General

Check archive.org

Show headers Download Go to

Full URL

http://saywa.soft.pe/dp.php

Protocol

HTTP/1.1

Server

216.119.142.131 , United States, ASN55293 (A2HOSTING, US),

Reverse DNS

server.yanapa.com

Software

Apache /

Resource Hash

Security Headers

Name	Value
Strict-Transport-Security	max-age=63072000; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36
accept-language: da-DK,da;q=0.9

Response headers

Connection: Upgrade, Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Mon, 31 Oct 2022 12:19:51 GMT
Keep-Alive: timeout=5, max=100
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains
Transfer-Encoding: chunked
Upgrade: h2,h2c
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

GET
H/1.1

200
OK

Primary Request home.php Show response
cert.privatkunde.dan.20-4-34-89.cprapid.com/id/
Redirect Chain

https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/
https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true

28 KB
28 KB

68ms
67ms

Document
text/html

20.4.34.89
MICROSOFT-CORP-MS...

General

Check archive.org

Show headers Download Go to

Full URL: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
Requested by: Host: saywa.soft.pe
URL: http://saywa.soft.pe/dp.php
Protocol: HTTP/1.1
Security: TLS 1.3, , AES_128_GCM
Server: 20.4.34.89 Amsterdam, Netherlands, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software: Apache /
Resource Hash: a39a9f4def461b78c3c76a4d853c5f56a5379e72855d5b03a54599d49442cc32

Request headers

Referer: http://saywa.soft.pe/dp.php
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36
accept-language: da-DK,da;q=0.9

Response headers

Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Mon, 31 Oct 2022 12:19:52 GMT
Keep-Alive: timeout=5, max=100
Server: Apache
Transfer-Encoding: chunked

Redirect headers

Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Mon, 31 Oct 2022 12:19:52 GMT
Keep-Alive: timeout=5, max=100
Server: Apache
Transfer-Encoding: chunked
location: home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true

GET
H/1.1 200
OK main.css
cert.privatkunde.dan.20-4-34-89.cprapid.com/id/partials/css/ 428 KB
428 KB 48ms
47ms Stylesheet
text/css 20.4.34.89
MICROSOFT-CORP-MS...

General

Check archive.org

Show headers Download Go to

Full URL: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/partials/css/main.css
Requested by: Host: cert.privatkunde.dan.20-4-34-89.cprapid.com
URL: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
Protocol: HTTP/1.1
Security: TLS 1.3, , AES_128_GCM
Server: 20.4.34.89 Amsterdam, Netherlands, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK, US),
Reverse DNS
Software: Apache /
Resource Hash: 341b6d608d346d2b16e5e710b4595379786d7e59b1c5a78b4d8fc2985bb51aea

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

Pragma: no-cache
Date: Mon, 31 Oct 2022 12:19:53 GMT
Last-Modified: Mon, 07 Feb 2022 23:35:17 GMT
Server: Apache
Content-Type: text/css
Cache-Control: no-cache, no-store, must-revalidate
Connection: Keep-Alive
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=99
Content-Length: 438029
Expires: 0

GET
DATA 200
OK truncated
/ 2 KB
0 Image
image/svg+xml

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: 6bb27299ef7a2f71792920ae936f4f0800cf1a43ff5f8b4c835233fde4c1e387

Request headers

accept-language: da-DK,da;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

Content-Type: image/svg+xml

GET
DATA 200
OK truncated
/ 9 KB
0 Image
image/svg+xml

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: acc90b5255f375e13cc61f865040478454f42cde1dbdc69ae4c9f09431866417

Request headers

accept-language: da-DK,da;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

Content-Type: image/svg+xml

GET
H2 200 small.js Show response
widgets.amung.us/ 8 KB
4 KB 158ms
50ms Script
application/x-javascript 2606:4700:10::6816:4aab
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://widgets.amung.us/small.js
Requested by: Host: cert.privatkunde.dan.20-4-34-89.cprapid.com
URL: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700:10::6816:4aab , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: eee6ef188662ab76c29c720cab899af19bad8153a9c86d548d90b3fa46886fc9

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

date: Mon, 31 Oct 2022 12:19:53 GMT
content-encoding: gzip
cf-cache-status: HIT
last-modified: Sun, 30 Oct 2022 17:30:49 GMT
server: cloudflare
age: 2095
etag: W/"635eb4c9-2142"
vary: Accept-Encoding
content-type: application/x-javascript
access-control-allow-origin: *
cache-control: max-age=86400
cf-ray: 762c57727d82bb38-FRA
expires: Tue, 01 Nov 2022 11:44:58 GMT

GET
DATA 200
OK truncated
/ 67 KB
0 Image
image/jpeg

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: 836393ac52708bd75b2e1c88defb51faa58f0fdfa374d57d2529e0a6554882ff

Request headers

accept-language: da-DK,da;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

Content-Type: image/jpeg

GET
DATA 200
OK truncated
/ 26 KB
26 KB Font
application/font-woff2

General

Check archive.org

Show headers Download Go to

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: 443bd1fde75a477eaae12ba7828c6cb67608e14bbda783027fca2540c3bb0b03

Request headers

Referer
Origin: https://cert.privatkunde.dan.20-4-34-89.cprapid.com
accept-language: da-DK,da;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

Content-Type: application/font-woff2

GET
DATA 200
OK truncated
/ 26 KB
26 KB Font
application/font-woff2

General

Check archive.org

Show headers Download Go to

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: a93f6086756b2a2e94db8aaf795faab950a315cd9a8e32c5b0df707636dedfff

Request headers

Referer
Origin: https://cert.privatkunde.dan.20-4-34-89.cprapid.com
accept-language: da-DK,da;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

Content-Type: application/font-woff2

GET
H/1.1 200
OK / Show response
t.dtscout.com/i/ 2 KB
3 KB 417ms
135ms Script
application/javascript 158.69.139.226
OVH

General

Check archive.org

Show headers Download Go to

Full URL: https://t.dtscout.com/i/?l=https%3A%2F%2Fcert.privatkunde.dan.20-4-34-89.cprapid.com%2Fid%2Fhome.php%3F%26return_url%3D0d3061a0b5b81f6ef38c0100d9ccfd58%26enrolmentID%3D85dfcc9d0010c83fe6f18b5b0a1603d0%3Fsecuressl%3Dtrue&j=http%3A%2F%2Fsaywa.soft.pe%2F
Requested by: Host: widgets.amung.us
URL: https://widgets.amung.us/small.js
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 158.69.139.226 Montreal, Canada, ASN16276 (OVH, FR),
Reverse DNS: ip226.ip-158-69-139.net
Software: nginx/1.10.3 (Ubuntu) /
Resource Hash: e5a9b257a893a1870b81dc7b661a268271d50b6e5e5f3f70bcf3ee4420ed39ff

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

Date: Mon, 31 Oct 2022 12:19:53 GMT
X-T: 0.744
Server: nginx/1.10.3 (Ubuntu)
Transfer-Encoding: chunked
Content-Type: application/javascript
Cache-Control: no-cache
Connection: close
X-S: mtl1
Expires: Mon, 31 Oct 2022 12:19:52 GMT

GET
H2 200 / Show response
whos.amung.us/pingjs/ 25 B
126 B 248ms
235ms Script
text/javascript 2606:4700:10::6816:4aab
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://whos.amung.us/pingjs/?k=magua1&t=Nordea%20-%20identifikation&c=s&x=https%3A%2F%2Fcert.privatkunde.dan.20-4-34-89.cprapid.com%2Fid%2Fhome.php%3F%26return_url%3D0d3061a0b5b81f6ef38c0100d9ccfd58%26enrolmentID%3D85dfcc9d0010c83fe6f18b5b0a1603d0%3Fsecuressl%3Dtrue&y=http%3A%2F%2Fsaywa.soft.pe%2F&a=0&d=1.26&v=27&r=2866
Requested by: Host: widgets.amung.us
URL: https://widgets.amung.us/small.js
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2606:4700:10::6816:4aab , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 00b035c9f42e2f61fbd8f3d975780425d45beca0f74f1031ed6a412660955e5c

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

date: Mon, 31 Oct 2022 12:19:53 GMT
content-encoding: gzip
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 762c57731eeabb38-FRA
content-type: text/javascript;charset=UTF-8

GET
H2 200 tc.js Show response
cdn.tynt.com/ 17 KB
7 KB 957ms
54ms Script
application/javascript 104.18.19.39
CLOUDFLARENET

General

Check archive.org

Show headers Download Go to

Full URL: https://cdn.tynt.com/tc.js
Requested by: Host: widgets.amung.us
URL: https://widgets.amung.us/small.js
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 104.18.19.39 Shahr, Iran, Islamic Republic Of, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software: cloudflare /
Resource Hash: 937458495c30f567aeafe715f0164bfe061ab17aee4a34aabbf191f69a6d32ae

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

date: Mon, 31 Oct 2022 12:19:54 GMT
content-encoding: gzip
cf-cache-status: HIT
last-modified: Thu, 21 Jul 2022 14:57:21 GMT
server: cloudflare
age: 249707
etag: W/"62d96951-4599"
vary: Accept-Encoding
content-type: application/javascript
cache-control: public, max-age=259200
cf-ray: 762c577a380b690a-FRA
expires: Thu, 03 Nov 2022 12:19:54 GMT

GET
DATA 200
OK truncated
/ 439 B
0 Image
image/gif

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: f6d82f567d08ec91a1b6ef0d4abf21be7a2d3dbc0a41c122584ea3536755b3ac

Request headers

accept-language: da-DK,da;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

Content-Type: image/gif

GET
H/1.1 200
OK / Show response
t.dtscout.com/pv/ 51 B
319 B 401ms
134ms Script
application/javascript 158.69.139.226
OVH

General

Check archive.org

Show headers Download Go to

Full URL: https://t.dtscout.com/pv/?_a=v&_h=cert.privatkunde.dan.20-4-34-89.cprapid.com&_ss=inrn6d6sbx&_pv=1&_ls=0&_u1=1&_u3=1&_cc=dk&_pl=d&_cbid=5hyc&_cb=_dtspv.c
Requested by: Host: t.dtscout.com
URL: https://t.dtscout.com/i/?l=https%3A%2F%2Fcert.privatkunde.dan.20-4-34-89.cprapid.com%2Fid%2Fhome.php%3F%26return_url%3D0d3061a0b5b81f6ef38c0100d9ccfd58%26enrolmentID%3D85dfcc9d0010c83fe6f18b5b0a1603d0%3Fsecuressl%3Dtrue&j=http%3A%2F%2Fsaywa.soft.pe%2F
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 158.69.139.226 Montreal, Canada, ASN16276 (OVH, FR),
Reverse DNS: ip226.ip-158-69-139.net
Software: nginx/1.10.3 (Ubuntu) /
Resource Hash: f5dcb4e84f9290ee0abcc2b7a3f60ad689c373fd73c94730e85601dd52d9e2eb

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

Date: Mon, 31 Oct 2022 12:19:54 GMT
X-T: 0.165
Server: nginx/1.10.3 (Ubuntu)
Transfer-Encoding: chunked
X-C: 0
Content-Type: application/javascript
Cache-Control: no-cache
Connection: close
Expires: Mon, 31 Oct 2022 12:19:53 GMT

GET
H2 204 p
ic.tynt.com/b/ 0
227 B 713ms
140ms Image
text/plain 67.202.105.33
STEADFAST

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://ic.tynt.com/b/p?id=w!magua1&lm=0&ts=1667218794686&dn=TC&iso=0&r=http%3A%2F%2Fsaywa.soft.pe%2F&t=Nordea%20-%20identifikation
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 67.202.105.33 Tinley Park, United States, ASN32748 (STEADFAST, US),
Reverse DNS: ip33.67-202-105.static.steadfastdns.net
Software: nginx/1.16.1 /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

expires: "Sat, 26 Jul 1997 05:00:00 GMT"
date: Mon, 31 Oct 2022 12:19:55 GMT
cache-control: "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, false"
server: nginx/1.16.1
p3p: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"

GET
H2 200 v2 Show response
de.tynt.com/deb/ 4 B
260 B 573ms
139ms Script
application/javascript 67.202.105.33
STEADFAST

General

Check archive.org

Show headers Download Go to

Full URL: https://de.tynt.com/deb/v2?id=w!magua1&dn=TC&cc=1&r=http%3A%2F%2Fsaywa.soft.pe%2F
Requested by: Host: cdn.tynt.com
URL: https://cdn.tynt.com/tc.js
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 67.202.105.33 Tinley Park, United States, ASN32748 (STEADFAST, US),
Reverse DNS: ip33.67-202-105.static.steadfastdns.net
Software: /
Resource Hash: d21021784cda31eeae5c8295e047a14bda6ed5a9b5963fca9e7ceb398a9c9179

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

p3p: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"
date: Mon, 31 Oct 2022 12:19:54 GMT
cache-control: max-age=86400
content-type: application/javascript
accept-ch: Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
content-length: 4
expires: Tue, 01 Nov 2022 12:19:55 GMT

GET
H2 204 p
ic.tynt.com/b/ 0
227 B 139ms
139ms Image
text/plain 67.202.105.33
STEADFAST

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://ic.tynt.com/b/p?id=w!magua1&lm=0&ts=1667218794686&dn=TC&iso=0&r=http%3A%2F%2Fsaywa.soft.pe%2F&t=Nordea%20-%20identifikation
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 67.202.105.33 Tinley Park, United States, ASN32748 (STEADFAST, US),
Reverse DNS: ip33.67-202-105.static.steadfastdns.net
Software: nginx/1.16.1 /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

expires: "Sat, 26 Jul 1997 05:00:00 GMT"
date: Mon, 31 Oct 2022 12:19:55 GMT
cache-control: "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, false"
server: nginx/1.16.1
p3p: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"

GET
H2 204 p
ic.tynt.com/b/ 0
227 B 139ms
139ms Image
text/plain 67.202.105.33
STEADFAST

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://ic.tynt.com/b/p?id=w!magua1&lm=0&ts=1667218794686&dn=TC&iso=0&r=http%3A%2F%2Fsaywa.soft.pe%2F&t=Nordea%20-%20identifikation
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 67.202.105.33 Tinley Park, United States, ASN32748 (STEADFAST, US),
Reverse DNS: ip33.67-202-105.static.steadfastdns.net
Software: nginx/1.16.1 /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

expires: "Sat, 26 Jul 1997 05:00:00 GMT"
date: Mon, 31 Oct 2022 12:19:55 GMT
cache-control: "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, false"
server: nginx/1.16.1
p3p: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"

GET
H2 204 p
ic.tynt.com/b/ 0
227 B 140ms
139ms Image
text/plain 67.202.105.33
STEADFAST

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://ic.tynt.com/b/p?id=w!magua1&lm=0&ts=1667218794686&dn=TC&iso=0&r=http%3A%2F%2Fsaywa.soft.pe%2F
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 67.202.105.33 Tinley Park, United States, ASN32748 (STEADFAST, US),
Reverse DNS: ip33.67-202-105.static.steadfastdns.net
Software: nginx/1.16.1 /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

expires: "Sat, 26 Jul 1997 05:00:00 GMT"
date: Mon, 31 Oct 2022 12:19:55 GMT
cache-control: "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, false"
server: nginx/1.16.1
p3p: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"

GET
H2 204 p
ic.tynt.com/b/ 0
227 B 140ms
139ms Image
text/plain 67.202.105.33
STEADFAST

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://ic.tynt.com/b/p?id=w!magua1&lm=0&ts=1667218794686&dn=TC&iso=0
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 67.202.105.33 Tinley Park, United States, ASN32748 (STEADFAST, US),
Reverse DNS: ip33.67-202-105.static.steadfastdns.net
Software: nginx/1.16.1 /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

expires: "Sat, 26 Jul 1997 05:00:00 GMT"
date: Mon, 31 Oct 2022 12:19:55 GMT
cache-control: "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, false"
server: nginx/1.16.1
p3p: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"

GET
H2 204 p
ic.tynt.com/b/ 0
227 B 139ms
139ms Image
text/plain 67.202.105.33
STEADFAST

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://ic.tynt.com/b/p?id=w!magua1&lm=0&ts=1667218794686&dn=TC&iso=0
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 67.202.105.33 Tinley Park, United States, ASN32748 (STEADFAST, US),
Reverse DNS: ip33.67-202-105.static.steadfastdns.net
Software: nginx/1.16.1 /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

expires: "Sat, 26 Jul 1997 05:00:00 GMT"
date: Mon, 31 Oct 2022 12:19:56 GMT
cache-control: "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, false"
server: nginx/1.16.1
p3p: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"

GET
H2 204 p
ic.tynt.com/b/ 0
227 B 140ms
140ms Image
text/plain 67.202.105.33
STEADFAST

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://ic.tynt.com/b/p?id=w!magua1&lm=0&ts=1667218794686&dn=TC&iso=0
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 67.202.105.33 Tinley Park, United States, ASN32748 (STEADFAST, US),
Reverse DNS: ip33.67-202-105.static.steadfastdns.net
Software: nginx/1.16.1 /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

accept-language: da-DK,da;q=0.9
Referer: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.87 Safari/537.36

Response headers

expires: "Sat, 26 Jul 1997 05:00:00 GMT"
date: Mon, 31 Oct 2022 12:19:56 GMT
cache-control: "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, false"
server: nginx/1.16.1
p3p: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Nordea (Banking)

29 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

3 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Domain/Path	Expires	Name / Value
.dtscout.com/	1970-01-20 07:07:03	Name: m Value: 1
.dtscout.com/	1970-01-20 07:07:13	Name: oa Value: 1
.dtscout.com/	1970-01-20 09:30:58	Name: df Value: 1667218793

1 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
security	error	URL: https://cert.privatkunde.dan.20-4-34-89.cprapid.com/id/home.php?&return_url=0d3061a0b5b81f6ef38c0100d9ccfd58&enrolmentID=85dfcc9d0010c83fe6f18b5b0a1603d0?securessl=true(Line 11) Message: X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header	Value
Strict-Transport-Security	max-age=63072000; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

cdn.tynt.com
cert.privatkunde.dan.20-4-34-89.cprapid.com
de.tynt.com
ic.tynt.com
saywa.soft.pe
t.dtscout.com
whos.amung.us
widgets.amung.us
104.18.19.39
158.69.139.226
20.4.34.89
216.119.142.131
2606:4700:10::6816:4aab
67.202.105.33
00b035c9f42e2f61fbd8f3d975780425d45beca0f74f1031ed6a412660955e5c
341b6d608d346d2b16e5e710b4595379786d7e59b1c5a78b4d8fc2985bb51aea
443bd1fde75a477eaae12ba7828c6cb67608e14bbda783027fca2540c3bb0b03
6bb27299ef7a2f71792920ae936f4f0800cf1a43ff5f8b4c835233fde4c1e387
836393ac52708bd75b2e1c88defb51faa58f0fdfa374d57d2529e0a6554882ff
937458495c30f567aeafe715f0164bfe061ab17aee4a34aabbf191f69a6d32ae
a39a9f4def461b78c3c76a4d853c5f56a5379e72855d5b03a54599d49442cc32
a93f6086756b2a2e94db8aaf795faab950a315cd9a8e32c5b0df707636dedfff
acc90b5255f375e13cc61f865040478454f42cde1dbdc69ae4c9f09431866417
d21021784cda31eeae5c8295e047a14bda6ed5a9b5963fca9e7ceb398a9c9179
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
e5a9b257a893a1870b81dc7b661a268271d50b6e5e5f3f70bcf3ee4420ed39ff
eee6ef188662ab76c29c720cab899af19bad8153a9c86d548d90b3fa46886fc9
f5dcb4e84f9290ee0abcc2b7a3f60ad689c373fd73c94730e85601dd52d9e2eb
f6d82f567d08ec91a1b6ef0d4abf21be7a2d3dbc0a41c122584ea3536755b3ac

cert.privatkunde.dan.20-4-34-89.cprapid.com Open in urlscan Pro 20.4.34.89 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page Title

Page URL History Show full URLs

Detected technologies

Page Statistics

16 Requests

94 %HTTPS

17 %IPv6

5 Domains

8 Subdomains

7 IPs

4 Countries

524 kBTransfer

614 kBSize

3 Cookies

0 Outgoing links

Page URL History

Redirected requests

16 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 6 data transactions

Request headers

Response headers

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

29 JavaScript Global Variables

3 Cookies

1 Console Messages

Security Headers

Indicators

cert.privatkunde.dan.20-4-34-89.cprapid.com Open in urlscan Pro
20.4.34.89 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

16
Requests

94 %
HTTPS

17 %
IPv6

5
Domains

8
Subdomains

7
IPs

4
Countries

524 kB
Transfer

614 kB
Size

3
Cookies

16 HTTP transactions
6 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!