zonomail.win - urlscan.io

Summary

This website contacted 3 IPs in 3 countries across 3 domains to perform 4 HTTP transactions. The main IP is 217.147.169.145, located in Ukraine and belongs to HOSTFORY, UA. The main domain is zonomail.win.
TLS certificate: Issued by Let's Encrypt Authority X3 on December 18th 2018. Valid for: 3 months.

This is the only time zonomail.win was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: PayPal (Financial)

Domain & IP information

	IP Address	AS Autonomous System
1 3	217.147.169.145 217.147.169.145	206638 (HOSTFORY) (HOSTFORY)
1	176.9.102.206 176.9.102.206	24940 (HETZNER-AS) (HETZNER-AS)
1	151.101.120.193 151.101.120.193	54113 (FASTLY) (FASTLY - Fastly)
4	3

3 217.147.169.145 (Ukraine) 1 redirects

ASN206638 (HOSTFORY, UA)

zonomail.win	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 176.9.102.206 (Germany)

ASN24940 (HETZNER-AS, DE)
PTR: h15.abload.de

abload.de	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 151.101.120.193 (San Francisco, United States)

ASN54113 (FASTLY - Fastly, US)

i.imgur.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
3	zonomail.win 1 redirects zonomail.win	6 KB
1	imgur.com i.imgur.com	19 KB
1	abload.de abload.de	1 KB
4	3

	Domain	Requested by
3	zonomail.win	1 redirects zonomail.win
1	i.imgur.com	zonomail.win
1	abload.de	zonomail.win
4	3

This site contains no links.

Subject Issuer	Validity	Valid
zonomail.win Let's Encrypt Authority X3	`2018-12-18` - `2019-03-18`	3 months	crt.sh
*.abload.de Thawte TLS RSA CA G1	`2018-05-22` - `2019-05-22`	a year	crt.sh
*.imgur.com DigiCert SHA2 Secure Server CA	`2018-12-14` - `2020-02-12`	a year	crt.sh

This page contains 1 frames:

Primary Page: https://zonomail.win/index.php?s=1
Frame ID: 88249BE23AA9556433A68993C131981B
Requests: 4 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page URL History Show full URLs

http://zonomail.win/index.php?s=1 HTTP 301
https://zonomail.win/index.php?s=1 Page URL

Detected technologies

PHP (Programming Languages) Expand

Overall confidence: 100%
Detected patterns

url /\.php(?:$|\?)/i

Nginx (Web Servers) Expand

Overall confidence: 100%
Detected patterns

headers server /nginx(?:\/([\d.]+))?/i

Page Statistics

4
Requests

100 %
HTTPS

0 %
IPv6

3
Domains

3
Subdomains

3
IPs

3
Countries

26 kB
Transfer

32 kB
Size

1
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

http://zonomail.win/index.php?s=1 HTTP 301
https://zonomail.win/index.php?s=1 Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

4 HTTP transactions
0 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H2	200	Primary Request index.php Show response zonomail.win/ Redirect Chain http://zonomail.win/index.php?s=1 https://zonomail.win/index.php?s=1	9 KB 3 KB	431ms 60ms	Document text/html	217.147.169.145 HOSTFORY
General Check archive.org Show headers Download Go to Full URL https://zonomail.win/index.php?s=1 Protocol H2 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 217.147.169.145 , Ukraine, ASN206638 (HOSTFORY, UA), Reverse DNS Software nginx / PleskLin Resource Hash `c5f9c53417463cf9b5f39763525db9d2b9ffc36a8f46248f003695e207e6429d` Request headers :method GET :authority zonomail.win :scheme https :path /index.php?s=1 pragma no-cache cache-control no-cache upgrade-insecure-requests 1 user-agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 accept-encoding gzip, deflate, br Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers status 200 server nginx date Fri, 11 Jan 2019 19:23:15 GMT content-type text/html; charset=UTF-8 content-length 2446 expires Thu, 19 Nov 1981 08:52:00 GMT cache-control no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma no-cache set-cookie PHPSESSID=kneu8pr9ea0l1ti64ibp9g7e17; path=/ vary Accept-Encoding content-encoding gzip ms-author-via DAV x-powered-by PleskLin Redirect headers Server nginx Date Fri, 11 Jan 2019 19:23:15 GMT Content-Type text/html Content-Length 178 Connection keep-alive Location https://zonomail.win/index.php?s=1
GET H2	200	wrongcredentials.png zonomail.win/img/	3 KB 3 KB	80ms 79ms	Image image/png	217.147.169.145 HOSTFORY
General Check archive.org Show headers Download Go to Show image Full URL https://zonomail.win/img/wrongcredentials.png Requested by Host: zonomail.win URL: https://zonomail.win/index.php?s=1 Protocol H2 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 217.147.169.145 , Ukraine, ASN206638 (HOSTFORY, UA), Reverse DNS Software nginx / PleskLin Resource Hash `dc8e24b85bbe78c6be2a991c11c845a909758174b6f8ea61e27af4440966f271` Request headers :path /img/wrongcredentials.png pragma no-cache cookie PHPSESSID=kneu8pr9ea0l1ti64ibp9g7e17 accept-encoding gzip, deflate, br user-agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 accept image/webp,image/apng,image/,/;q=0.8 cache-control* no-cache :authority zonomail.win referer https://zonomail.win/index.php?s=1 :scheme https :method GET Referer https://zonomail.win/index.php?s=1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers date Fri, 11 Jan 2019 19:23:16 GMT last-modified Sat, 17 Nov 2018 23:32:48 GMT server nginx x-powered-by PleskLin etag "5bf0a520-a45" content-type image/png status 200 accept-ranges bytes content-length 2629
GET H/1.1	200 OK	282533c2543501a361b66w4sm1.png abload.de/img/	969 B 1 KB	351ms 21ms	Image image/png	176.9.102.206 HETZNER-AS
General Check archive.org Show headers Download Go to Show image Full URL https://abload.de/img/282533c2543501a361b66w4sm1.png Requested by Host: zonomail.win URL: https://zonomail.win/index.php?s=1 Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_256_GCM Server 176.9.102.206 , Germany, ASN24940 (HETZNER-AS, DE), Reverse DNS h15.abload.de Software Abload h15 / Resource Hash `4ddcb22254633a19a1524f0f5cc5b60da98bce9400dea572197338296c41c7f4` Request headers Referer https://zonomail.win/index.php?s=1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Fri, 11 Jan 2019 19:23:16 GMT Last-Modified Thu, 06 Dec 2018 23:43:49 GMT Server Abload h15 Content-Type image/png Cache-Control must-revalidate, max-age=0 Connection keep-alive Accept-Ranges bytes Content-Length 969
GET H2	200	w3FNx2D.png i.imgur.com/	19 KB 19 KB	80ms 19ms	Image image/png	151.101.120.193 Fastly
General Check archive.org Show headers Download Go to Show image Full URL https://i.imgur.com/w3FNx2D.png Requested by Host: zonomail.win URL: https://zonomail.win/index.php?s=1 Protocol H2 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 151.101.120.193 San Francisco, United States, ASN54113 (FASTLY - Fastly, US), Reverse DNS Software cat factory 1.0 / Resource Hash `02b341af1b5c99b22e3867c251172fed336b7599a2ee0599cdf6ade6cfb82e7c` Request headers Referer https://zonomail.win/index.php?s=1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers date Fri, 11 Jan 2019 19:23:16 GMT age 1384867 x-cache MISS, HIT status 200 content-length 19428 x-served-by cache-iad2120-IAD, cache-cdg20724-CDG last-modified Sun, 01 Oct 2017 01:44:33 GMT server cat factory 1.0 x-timer S1547234596.065298,VS0,VE2 etag "9500f67b0cd8e9622f0081b33d6a4ed9" access-control-allow-methods GET, OPTIONS content-type image/png access-control-allow-origin * cache-control public, max-age=31536000 accept-ranges bytes x-cache-hits 0, 1

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: PayPal (Financial)

7 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			zonomail.win/	1969-12-31 23:59:59	Name: PHPSESSID Value: kneu8pr9ea0l1ti64ibp9g7e17

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

abload.de
i.imgur.com
zonomail.win
151.101.120.193
176.9.102.206
217.147.169.145
02b341af1b5c99b22e3867c251172fed336b7599a2ee0599cdf6ade6cfb82e7c
4ddcb22254633a19a1524f0f5cc5b60da98bce9400dea572197338296c41c7f4
c5f9c53417463cf9b5f39763525db9d2b9ffc36a8f46248f003695e207e6429d
dc8e24b85bbe78c6be2a991c11c845a909758174b6f8ea61e27af4440966f271

zonomail.win Open in urlscan Pro 217.147.169.145 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page URL History Show full URLs

Detected technologies

Page Statistics

4 Requests

100 %HTTPS

0 %IPv6

3 Domains

3 Subdomains

3 IPs

3 Countries

26 kBTransfer

32 kBSize

1 Cookies

0 Outgoing links

Page URL History

Redirected requests

4 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

7 JavaScript Global Variables

1 Cookies

Indicators

zonomail.win Open in urlscan Pro
217.147.169.145 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

4
Requests

100 %
HTTPS

0 %
IPv6

3
Domains

3
Subdomains

3
IPs

3
Countries

26 kB
Transfer

32 kB
Size

1
Cookies

4 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!