www.group-ib.com Open in urlscan Pro
3.72.181.255 Public Scan

Go To Rescan
Add Verdict Report

URL:
https://www.group-ib.com/blog/krasue-rat
Submission: On December 07 via api (December 7th 2023, 10:08:49 pm UTC) from US — Scanned from DE

Summary HTTP 6 Redirects Behaviour Indicators

Summary

This website contacted 3 IPs in 1 countries across 1 domains to perform 6 HTTP transactions. The main IP is 3.72.181.255, located in Frankfurt am Main, Germany and belongs to AMAZON-02, US. The main domain is www.group-ib.com.
TLS certificate: Issued by Sectigo RSA Domain Validation Secure ... on June 26th 2023. Valid for: a year.

This is the only time www.group-ib.com was scanned on urlscan.io!

urlscan.io Verdict: No classification

Domain & IP information

	IP Address	AS Autonomous System
1 6	3.72.181.255 3.72.181.255	16509 (AMAZON-02) (AMAZON-02)
1	136.243.23.113 136.243.23.113	24940 (HETZNER-AS) (HETZNER-AS)
6	3

6 3.72.181.255 (Frankfurt am Main, Germany) 1 redirects

ASN16509 (AMAZON-02, US)
PTR: ec2-3-72-181-255.eu-central-1.compute.amazonaws.com

www.group-ib.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 136.243.23.113 (Falkenstein, Germany)

ASN24940 (HETZNER-AS, DE)
PTR: static.113.23.243.136.clients.your-server.de

fhp-de-js.group-ib.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
7	group-ib.com 1 redirects www.group-ib.com fhp-de-js.group-ib.com — Cisco Umbrella Rank: 405486	145 KB
6	1

	Domain	Requested by
6	www.group-ib.com	1 redirects fhp-de-js.group-ib.com www.group-ib.com
1	fhp-de-js.group-ib.com	www.group-ib.com
6	2

This site contains no links.

Subject Issuer	Validity	Valid
www.group-ib.com Sectigo RSA Domain Validation Secure Server CA	`2023-06-26` - `2024-06-28`	a year	crt.sh
*.group-ib.com Sectigo RSA Domain Validation Secure Server CA	`2023-06-30` - `2024-07-04`	a year	crt.sh

This page contains 1 frames:

Frame: https://www.group-ib.com/blog/krasue-rat/
Frame ID: 008E9742C0954CE2FBD571F0CF1FD441
Requests: 8 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page Statistics

6
Requests

100 %
HTTPS

0 %
IPv6

1
Domains

2
Subdomains

3
IPs

1
Countries

145 kB
Transfer

356 kB
Size

8
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 5

https://www.group-ib.com/blog/krasue-rat HTTP 301
https://www.group-ib.com/blog/krasue-rat/

6 HTTP transactions
2 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H2 403 Primary Request krasue-rat Show response
www.group-ib.com/blog/ 7 KB
7 KB 74ms
11ms Document
text/html 3.72.181.255
AMAZON-02

General

Check archive.org

Show headers Download Go to

Full URL: https://www.group-ib.com/blog/krasue-rat
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 3.72.181.255 Frankfurt am Main, Germany, ASN16509 (AMAZON-02, US),
Reverse DNS: ec2-3-72-181-255.eu-central-1.compute.amazonaws.com
Software: /
Resource Hash: 1fba48cb40737fc64ee1855e9530f568da4b40da32b8ace1865a15b22d54ee1e

Request headers

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
accept-language: de-DE,de;q=0.9

Response headers

cache-control: no-cache, no-store, must-revalidate
content-type: text/html
date: Thu, 07 Dec 2023 22:08:43 GMT

GET
H/1.1 200
OK bt-autoinject.js Show response
fhp-de-js.group-ib.com/d/ 343 KB
135 KB 150ms
86ms Script
text/javascript 136.243.23.113
HETZNER-AS

General

Check archive.org

Show headers Download Go to

Full URL: https://fhp-de-js.group-ib.com/d/bt-autoinject.js
Requested by: Host: www.group-ib.com
URL: https://www.group-ib.com/blog/krasue-rat
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 136.243.23.113 Falkenstein, Germany, ASN24940 (HETZNER-AS, DE),
Reverse DNS: static.113.23.243.136.clients.your-server.de
Software: nginx /
Resource Hash: 90feab54b3acd83fa6182b1099d882d4aa602ec61b8bcdfec8c3c8f413df5fe0

Request headers

accept-language: de-DE,de;q=0.9
Referer: https://www.group-ib.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36

Response headers

Date: Thu, 07 Dec 2023 22:08:43 GMT
Content-Encoding: gzip
Server: nginx
Transfer-Encoding: chunked
Vary: Accept-Encoding
Content-Type: text/javascript; charset=UTF-8
Access-Control-Allow-Methods: GET, POST, OPTIONS
x-envoy-upstream-service-time: 0
Access-Control-Allow-Credentials: true
Connection: keep-alive
Access-Control-Allow-Headers: Accept,DNT,Keep-Alive,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Origin,ETag,If-None-Match,X-Cfids,Authorization

GET
DATA 200
OK truncated
/ 483 B
0 Image
image/png

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: ba049d6b63e2db299f12defba1f963286f70cb8bc1dc20a1878d546d46943d61

Request headers

accept-language: de-DE,de;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36

Response headers

Content-Type: image/png

GET
DATA 200
OK truncated
/ 4 KB
0 Image
image/png

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: 5031af9597ee5c2b9c1e629580329f295818b0a8ad5e04c60a3ed22e320b044e

Request headers

accept-language: de-DE,de;q=0.9
Referer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36

Response headers

Content-Type: image/png

GET
H2 200 idgib-w-61354c22-16cc-40a8-a871-6901f1a76e24 Show response
www.group-ib.com/api/fl/ 205 B
670 B 59ms
58ms XHR
application/json 3.72.181.255
AMAZON-02

General

Check archive.org

Show headers Download Go to

Full URL: https://www.group-ib.com/api/fl/idgib-w-61354c22-16cc-40a8-a871-6901f1a76e24
Requested by: Host: fhp-de-js.group-ib.com
URL: https://fhp-de-js.group-ib.com/d/bt-autoinject.js
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 3.72.181.255 Frankfurt am Main, Germany, ASN16509 (AMAZON-02, US),
Reverse DNS: ec2-3-72-181-255.eu-central-1.compute.amazonaws.com
Software: nginx /
Resource Hash: 9307e8b91d588311d5e79c434e29a5d78b8c40bf15f05c2c07cdad6c65c19799

Request headers

Referer: https://www.group-ib.com/blog/krasue-rat
accept-language: de-DE,de;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
x-cfids: -

Response headers

date: Thu, 07 Dec 2023 22:08:44 GMT
content-encoding: gzip
server: nginx
etag: W/"voCWRVh3iM4Gq2TPfA2iZDhsCPFT1jpFjqfJRajkbZWwhf/Dt3gxeakGem33z6T8aicO5wtv3MBTfKh27MvxEtwiJcMg58fazDGoT5w2Ntlpl0AEhqt0emQM5+qzmstIft1TkjgDh0iq+tXkbZVKSKUK"
vary: Accept-Encoding
content-type: application/json; charset=utf-8
cache-control: no-cache
x-envoy-upstream-service-time: 1

POST
H2 200 fl Show response
www.group-ib.com/api/ 669 B
976 B 32ms
32ms XHR
application/json 3.72.181.255
AMAZON-02

General

Check archive.org

Show headers Download Go to

Full URL: https://www.group-ib.com/api/fl?u=0085cb90-831e-11ee-9493-816cec585ffa&cfidsgib-w-61354c22-16cc-40a8-a871-6901f1a76e24=voCWRVh3iM4Gq2TPfA2iZDhsCPFT1jpFjqfJRajkbZWwhf%2FDt3gxeakGem33z6T8aicO5wtv3MBTfKh27MvxEtwiJcMg58fazDGoT5w2Ntlpl0AEhqt0emQM5%2BqzmstIft1TkjgDh0iq%2BtXkbZVKSKUK
Requested by: Host: fhp-de-js.group-ib.com
URL: https://fhp-de-js.group-ib.com/d/bt-autoinject.js
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 3.72.181.255 Frankfurt am Main, Germany, ASN16509 (AMAZON-02, US),
Reverse DNS: ec2-3-72-181-255.eu-central-1.compute.amazonaws.com
Software: nginx /
Resource Hash: 8980c7bc7433166875f5848144719d5a112de6cf0844790e3b930060aa1853d9

Request headers

Referer: https://www.group-ib.com/blog/krasue-rat
accept-language: de-DE,de;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Content-Type: text/plain;charset=UTF-8

Response headers

date: Thu, 07 Dec 2023 22:08:45 GMT
content-encoding: gzip
server: nginx
vary: Accept-Encoding
access-control-allow-methods: GET, POST, OPTIONS
content-type: application/json; charset=utf-8
access-control-allow-origin: https://www.group-ib.com
cache-control: no-store
access-control-allow-credentials: true
x-envoy-upstream-service-time: 3
access-control-allow-headers: Accept,DNT,Keep-Alive,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Origin,ETag,If-None-Match,X-Cfids,Authorization

GET
H2

200

/
www.group-ib.com/blog/krasue-rat/
Redirect Chain

https://www.group-ib.com/blog/krasue-rat
https://www.group-ib.com/blog/krasue-rat/

0
0

32ms
32ms

Document
text/html

3.72.181.255
AMAZON-02

General

Check archive.org

Show headers Download Go to

Full URL

https://www.group-ib.com/blog/krasue-rat/

Requested by

Host: www.group-ib.com
URL: https://www.group-ib.com/blog/krasue-rat

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

3.72.181.255 Frankfurt am Main, Germany, ASN16509 (AMAZON-02, US),

Reverse DNS

ec2-3-72-181-255.eu-central-1.compute.amazonaws.com

Software

nginx /

Resource Hash

Security Headers

Name	Value
Content-Security-Policy	frame-ancestors 'self';
Strict-Transport-Security	max-age=31536000; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	sameorigin
X-Xss-Protection	1; mode=block

Request headers

Referer: https://www.group-ib.com/blog/krasue-rat
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
accept-language: de-DE,de;q=0.9

Response headers

accept-ranges: bytes
access-control-allow-origin: https://www.group-ib.com
cache-control: private, max-age=3600
content-encoding: gzip
content-length: 20618
content-security-policy: frame-ancestors 'self';
content-type: text/html; charset=UTF-8
date: Thu, 07 Dec 2023 22:08:49 GMT
etag: "4fae-60bed61d65ae6"
last-modified: Thu, 07 Dec 2023 15:47:16 GMT
permissions-policy: accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),sync-xhr=(),usb=(),xr-spatial-tracking=()
referrer-policy: strict-origin-when-cross-origin
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains
vary: X-Forwarded-Proto,Accept-Encoding,Cookie
x-content-type-options: nosniff
x-frame-options: sameorigin
x-xss-protection: 1; mode=block

Redirect headers

access-control-allow-origin: https://www.group-ib.com
cache-control: private, max-age=3600
content-length: 0
content-security-policy: frame-ancestors 'self';
content-type: text/html; charset=UTF-8
date: Thu, 07 Dec 2023 22:08:49 GMT
location: https://www.group-ib.com/blog/krasue-rat/
permissions-policy: accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),sync-xhr=(),usb=(),xr-spatial-tracking=()
referrer-policy: strict-origin-when-cross-origin
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains
vary: X-Forwarded-Proto,Accept-Encoding
x-content-type-options: nosniff
x-frame-options: sameorigin
x-xss-protection: 1; mode=block

POST
H2 200 fl
www.group-ib.com/api/ 669 B
688 B 21ms
21ms Ping
application/json 3.72.181.255
AMAZON-02

General

Check archive.org

Show headers Download Go to

Full URL: https://www.group-ib.com/api/fl?u=0085cb90-831e-11ee-9493-816cec585ffa&cfidsgib-w-61354c22-16cc-40a8-a871-6901f1a76e24=xSMO6uuFM9S%2Bizt3t87Ydx6puYQ1qvArxEb7TZWG%2Fj%2F87hDkOO4NrTXmdU1XL5wH0dxOJd39at0FFo3MPscLcWSPruwvFn4yLMiZJ3wVSkEVzBcGtnBzQtiHG7b8kN3QjXBJRa5rIyFoMJob8TEbnhdWmtMWsMhHlI%2Fk
Requested by: Host: fhp-de-js.group-ib.com
URL: https://fhp-de-js.group-ib.com/d/bt-autoinject.js
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 3.72.181.255 Frankfurt am Main, Germany, ASN16509 (AMAZON-02, US),
Reverse DNS: ec2-3-72-181-255.eu-central-1.compute.amazonaws.com
Software: nginx /
Resource Hash

Request headers

Referer: https://www.group-ib.com/blog/krasue-rat
accept-language: de-DE,de;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Content-Type: text/plain;charset=UTF-8

Response headers

date: Thu, 07 Dec 2023 22:08:45 GMT
content-encoding: gzip
server: nginx
vary: Accept-Encoding
access-control-allow-methods: GET, POST, OPTIONS
content-type: application/json; charset=utf-8
access-control-allow-origin: https://www.group-ib.com
cache-control: no-store
access-control-allow-credentials: true
x-envoy-upstream-service-time: 3
access-control-allow-headers: Accept,DNT,Keep-Alive,User-Agent,If-Modified-Since,Cache-Control,Content-Type,Origin,ETag,If-None-Match,X-Cfids,Authorization

Verdicts & Comments Add Verdict or Comment

1 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

object| documentPictureInPicture

8 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Domain/Path	Expires	Name / Value
.www.group-ib.com/	1970-01-21 01:32:02	Name: cfidsgib-w-61354c22-16cc-40a8-a871-6901f1a76e24 Value: xSMO6uuFM9S+izt3t87Ydx6puYQ1qvArxEb7TZWG/j/87hDkOO4NrTXmdU1XL5wH0dxOJd39at0FFo3MPscLcWSPruwvFn4yLMiZJ3wVSkEVzBcGtnBzQtiHG7b8kN3QjXBJRa5rIyFoMJob8TEbnhdWmtMWsMhHlI/k
.group-ib.com/	1970-01-21 01:32:02	Name: cfidsgib-w-61354c22-16cc-40a8-a871-6901f1a76e24 Value: xSMO6uuFM9S+izt3t87Ydx6puYQ1qvArxEb7TZWG/j/87hDkOO4NrTXmdU1XL5wH0dxOJd39at0FFo3MPscLcWSPruwvFn4yLMiZJ3wVSkEVzBcGtnBzQtiHG7b8kN3QjXBJRa5rIyFoMJob8TEbnhdWmtMWsMhHlI/k
.www.group-ib.com/	1970-01-21 01:32:02	Name: gsscgib-w-61354c22-16cc-40a8-a871-6901f1a76e24 Value: EvxgvDCR8xFKCalq4mNBwiiO3GP8C+IK0af/gUHRXd+33m1yabegbTmQd8CoevyLM9qLRxwBi00W3RF7KeDAG1rDTr+B+fE/cHamRhEPpZp/2XCxrMOVzy0sD/pRgHiFP+daU2X5gx1A3quBsbW5H8rtlr/6IMKJYnnVuslUGy8UOurXUbu3nIO25RiGzQ1DBJQVPz2+xxPjCI4GMgSnQfQTTPRI74GxDiGtZC7eY0wpALsASItdq3tRf2Y4sCQ2bg==
.group-ib.com/	1970-01-21 01:32:02	Name: gsscgib-w-61354c22-16cc-40a8-a871-6901f1a76e24 Value: EvxgvDCR8xFKCalq4mNBwiiO3GP8C+IK0af/gUHRXd+33m1yabegbTmQd8CoevyLM9qLRxwBi00W3RF7KeDAG1rDTr+B+fE/cHamRhEPpZp/2XCxrMOVzy0sD/pRgHiFP+daU2X5gx1A3quBsbW5H8rtlr/6IMKJYnnVuslUGy8UOurXUbu3nIO25RiGzQ1DBJQVPz2+xxPjCI4GMgSnQfQTTPRI74GxDiGtZC7eY0wpALsASItdq3tRf2Y4sCQ2bg==
.www.group-ib.com/	1970-01-21 01:32:02	Name: fgsscgib-w-61354c22-16cc-40a8-a871-6901f1a76e24 Value: 671d2e133c341e9afcfd5af25cb54cad6974a08a
.group-ib.com/	1970-01-21 01:32:02	Name: fgsscgib-w-61354c22-16cc-40a8-a871-6901f1a76e24 Value: 671d2e133c341e9afcfd5af25cb54cad6974a08a
.www.group-ib.com/	1970-01-21 01:32:02	Name: __zzatgib-w-61354c22-16cc-40a8-a871-6901f1a76e24 Value: MDA0dBA=Fz2+aQ==
.group-ib.com/	1970-01-21 01:32:02	Name: __zzatgib-w-61354c22-16cc-40a8-a871-6901f1a76e24 Value: MDA0dBA=Fz2+aQ==

1 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
network	error	URL: https://www.group-ib.com/blog/krasue-rat Message: Failed to load resource: the server responded with a status of 403 ()

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

fhp-de-js.group-ib.com
www.group-ib.com
136.243.23.113
3.72.181.255
1fba48cb40737fc64ee1855e9530f568da4b40da32b8ace1865a15b22d54ee1e
5031af9597ee5c2b9c1e629580329f295818b0a8ad5e04c60a3ed22e320b044e
8980c7bc7433166875f5848144719d5a112de6cf0844790e3b930060aa1853d9
90feab54b3acd83fa6182b1099d882d4aa602ec61b8bcdfec8c3c8f413df5fe0
9307e8b91d588311d5e79c434e29a5d78b8c40bf15f05c2c07cdad6c65c19799
ba049d6b63e2db299f12defba1f963286f70cb8bc1dc20a1878d546d46943d61

www.group-ib.com Open in urlscan Pro 3.72.181.255 Public Scan

Summary

urlscan.io Verdict: No classification

Domain & IP information

Screenshot Live screenshot Full Image

Page Statistics

6 Requests

100 %HTTPS

0 %IPv6

1 Domains

2 Subdomains

3 IPs

1 Countries

145 kBTransfer

356 kBSize

8 Cookies

0 Outgoing links

Redirected requests

6 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 2 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Redirect headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

1 JavaScript Global Variables

8 Cookies

1 Console Messages

Indicators

www.group-ib.com Open in urlscan Pro
3.72.181.255 Public Scan

Screenshot
Live screenshot

Full Image

6
Requests

100 %
HTTPS

0 %
IPv6

1
Domains

2
Subdomains

3
IPs

1
Countries

145 kB
Transfer

356 kB
Size

8
Cookies

6 HTTP transactions
2 data transactions