a0256651.xsph.ru - urlscan.io

Summary

This website contacted 1 IPs in 1 countries across 1 domains to perform 5 HTTP transactions. The main IP is 141.8.195.39, located in Moscow, Russian Federation and belongs to SPRINTHOST, RU. The main domain is a0256651.xsph.ru.

This is the only time a0256651.xsph.ru was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: PayPal (Financial)

Domain & IP information

	IP Address		AS Autonomous System
5	141.8.195.39 141.8.195.39		35278 (SPRINTHOST) (SPRINTHOST)
5	1

5 141.8.195.39 (Moscow, Russian Federation)

ASN35278 (SPRINTHOST, RU)
PTR: lik.from.sh

a0256651.xsph.ru	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
5	xsph.ru a0256651.xsph.ru	56 KB
5	1

	Domain	Requested by
5	a0256651.xsph.ru	a0256651.xsph.ru
5	1

This site contains no links.

Subject Issuer	Validity	Valid

This page contains 1 frames:

Primary Page: http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/?dispatch=tG9WEPKw3LCjQWjBno7YQM3NLj1eVfSpW2mBR67VSJeIGxk4Wr
Frame ID: BECBD8E97B8A5BC0B747A1D4C2CC4D86
Requests: 5 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Detected technologies

Lua (Programming Languages) Expand

Overall confidence: 100%
Detected patterns

headers server /openresty(?:\/([\d.]+))?/i

Nginx (Web Servers) Expand

Overall confidence: 100%
Detected patterns

headers server /openresty(?:\/([\d.]+))?/i

OpenResty (Web Servers) Expand

Overall confidence: 100%
Detected patterns

headers server /openresty(?:\/([\d.]+))?/i

jQuery (JavaScript Libraries) Expand

Overall confidence: 100%
Detected patterns

script /jquery.*\.js/i
env /^jQuery$/i

Page Statistics

5
Requests

0 %
HTTPS

0 %
IPv6

1
Domains

1
Subdomains

1
IPs

1
Countries

56 kB
Transfer

175 kB
Size

1
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Redirected requests

There were HTTP redirect chains for the following requests:

5 HTTP transactions
0 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H/1.1	200 OK	Primary Request Cookie set / Show response a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/	4 KB 2 KB	3165ms 3113ms	Document text/html	141.8.195.39 SPRINTHOST
General Check archive.org Show headers Download Go to Full URL http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/?dispatch=tG9WEPKw3LCjQWjBno7YQM3NLj1eVfSpW2mBR67VSJeIGxk4Wr Protocol HTTP/1.1 Server 141.8.195.39 Moscow, Russian Federation, ASN35278 (SPRINTHOST, RU), Reverse DNS lik.from.sh Software openresty / Resource Hash `d1392fa12aac3ca18b4affae5bafbaf45c40ea904d3852343e58244dadfd6290` Request headers Host a0256651.xsph.ru Connection keep-alive Pragma no-cache Cache-Control no-cache Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 Accept-Encoding gzip, deflate Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Server openresty Date Sun, 02 Dec 2018 15:59:36 GMT Content-Type text/html; charset=UTF-8 Transfer-Encoding chunked Connection keep-alive Vary Accept-Encoding Set-Cookie PHPSESSID=kbp09qqqmprh58hjgsrsbsp401; path=/ Expires Thu, 19 Nov 1981 08:52:00 GMT Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma no-cache Content-Encoding gzip
GET H/1.1	200 OK	gs_login.css a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/css/	73 KB 15 KB	41ms 40ms	Stylesheet text/css	141.8.195.39 SPRINTHOST
General Check archive.org Show headers Download Go to Full URL http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/css/gs_login.css Requested by Host: a0256651.xsph.ru URL: http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/?dispatch=tG9WEPKw3LCjQWjBno7YQM3NLj1eVfSpW2mBR67VSJeIGxk4Wr Protocol HTTP/1.1 Server 141.8.195.39 Moscow, Russian Federation, ASN35278 (SPRINTHOST, RU), Reverse DNS lik.from.sh Software openresty / Resource Hash `80a154d4d2c0d0f52dd5e5f112c4bd4dd84a8330a06322a97024c511b4c311ff` Request headers Pragma no-cache Accept-Encoding gzip, deflate Host a0256651.xsph.ru User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Accept text/css,/;q=0.1 Referer http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/?dispatch=tG9WEPKw3LCjQWjBno7YQM3NLj1eVfSpW2mBR67VSJeIGxk4Wr Cookie PHPSESSID=kbp09qqqmprh58hjgsrsbsp401 Connection keep-alive Cache-Control no-cache Referer http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/?dispatch=tG9WEPKw3LCjQWjBno7YQM3NLj1eVfSpW2mBR67VSJeIGxk4Wr User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Sun, 02 Dec 2018 15:59:36 GMT Content-Encoding gzip Last-Modified Sun, 02 Dec 2018 15:56:10 GMT Server openresty ETag W/"5c04009a-12284" Vary Accept-Encoding Content-Type text/css Cache-Control max-age=604800 Transfer-Encoding chunked Connection keep-alive Expires Sun, 09 Dec 2018 15:59:36 GMT
GET H/1.1	200 OK	jquery.js Show response a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/js/	94 KB 36 KB	89ms 40ms	Script application/x-javascript	141.8.195.39 SPRINTHOST
General Check archive.org Show headers Download Go to Full URL http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/js/jquery.js Requested by Host: a0256651.xsph.ru URL: http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/?dispatch=tG9WEPKw3LCjQWjBno7YQM3NLj1eVfSpW2mBR67VSJeIGxk4Wr Protocol HTTP/1.1 Server 141.8.195.39 Moscow, Russian Federation, ASN35278 (SPRINTHOST, RU), Reverse DNS lik.from.sh Software openresty / Resource Hash `161ddce728615bd31a9c34fbb1cd047a4fe165e30cb86f826d1c856a956016ca` Request headers Pragma no-cache Accept-Encoding gzip, deflate Host a0256651.xsph.ru User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Accept / Referer http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/?dispatch=tG9WEPKw3LCjQWjBno7YQM3NLj1eVfSpW2mBR67VSJeIGxk4Wr Cookie PHPSESSID=kbp09qqqmprh58hjgsrsbsp401 Connection keep-alive Cache-Control no-cache Referer http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/?dispatch=tG9WEPKw3LCjQWjBno7YQM3NLj1eVfSpW2mBR67VSJeIGxk4Wr User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Sun, 02 Dec 2018 15:59:36 GMT Content-Encoding gzip Last-Modified Sun, 02 Dec 2018 15:56:10 GMT Server openresty ETag W/"5c04009a-17651" Vary Accept-Encoding Content-Type application/x-javascript Cache-Control max-age=604800 Transfer-Encoding chunked Connection keep-alive Expires Sun, 09 Dec 2018 15:59:36 GMT
GET H/1.1	200 OK	login.js Show response a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/js/	696 B 1017 B	107ms 57ms	Script application/x-javascript	141.8.195.39 SPRINTHOST
General Check archive.org Show headers Download Go to Full URL http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/js/login.js Requested by Host: a0256651.xsph.ru URL: http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/?dispatch=tG9WEPKw3LCjQWjBno7YQM3NLj1eVfSpW2mBR67VSJeIGxk4Wr Protocol HTTP/1.1 Server 141.8.195.39 Moscow, Russian Federation, ASN35278 (SPRINTHOST, RU), Reverse DNS lik.from.sh Software openresty / Resource Hash `e11af7d139a5662450db6a0c86ae436be08a7cf86ada8c7d038e9edb955f1ce4` Request headers Pragma no-cache Accept-Encoding gzip, deflate Host a0256651.xsph.ru User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Accept / Referer http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/?dispatch=tG9WEPKw3LCjQWjBno7YQM3NLj1eVfSpW2mBR67VSJeIGxk4Wr Cookie PHPSESSID=kbp09qqqmprh58hjgsrsbsp401 Connection keep-alive Cache-Control no-cache Referer http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/?dispatch=tG9WEPKw3LCjQWjBno7YQM3NLj1eVfSpW2mBR67VSJeIGxk4Wr User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Sun, 02 Dec 2018 15:59:36 GMT Last-Modified Sun, 02 Dec 2018 15:56:10 GMT Server openresty ETag "5c04009a-2b8" Content-Type application/x-javascript Cache-Control max-age=604800 Connection keep-alive Accept-Ranges bytes Content-Length 696 Expires Sun, 09 Dec 2018 15:59:36 GMT
GET H/1.1	200 OK	paypal-logo-129x32.svg a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/images/	5 KB 2 KB	37ms 36ms	Image image/svg+xml	141.8.195.39 SPRINTHOST
General Check archive.org Show headers Download Go to Show image Full URL http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/images/paypal-logo-129x32.svg Requested by Host: a0256651.xsph.ru URL: http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/?dispatch=tG9WEPKw3LCjQWjBno7YQM3NLj1eVfSpW2mBR67VSJeIGxk4Wr Protocol HTTP/1.1 Server 141.8.195.39 Moscow, Russian Federation, ASN35278 (SPRINTHOST, RU), Reverse DNS lik.from.sh Software openresty / Resource Hash `b3cc50b9e94bbecaaeb1079b64b8ca50616d1732824964c1cc2c5422627a0ec5` Request headers Pragma no-cache Accept-Encoding gzip, deflate Host a0256651.xsph.ru User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Accept image/webp,image/apng,image/,/;q=0.8 Referer* http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/css/gs_login.css Cookie PHPSESSID=kbp09qqqmprh58hjgsrsbsp401 Connection keep-alive Cache-Control no-cache Referer http://a0256651.xsph.ru/paypalactivating/gs_gen/gs4875276af85b5dcbd0cbb8ab67ed6c17/css/gs_login.css User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Sun, 02 Dec 2018 15:59:36 GMT Content-Encoding gzip Last-Modified Sun, 02 Dec 2018 15:56:10 GMT Server openresty ETag W/"5c04009a-1351" Vary Accept-Encoding Content-Type image/svg+xml Cache-Control max-age=604800 Transfer-Encoding chunked Connection keep-alive Expires Sun, 09 Dec 2018 15:59:36 GMT

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: PayPal (Financial)

5 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

1 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			a0256651.xsph.ru/	1969-12-31 23:59:59	Name: PHPSESSID Value: kbp09qqqmprh58hjgsrsbsp401

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

a0256651.xsph.ru
141.8.195.39
161ddce728615bd31a9c34fbb1cd047a4fe165e30cb86f826d1c856a956016ca
80a154d4d2c0d0f52dd5e5f112c4bd4dd84a8330a06322a97024c511b4c311ff
b3cc50b9e94bbecaaeb1079b64b8ca50616d1732824964c1cc2c5422627a0ec5
d1392fa12aac3ca18b4affae5bafbaf45c40ea904d3852343e58244dadfd6290
e11af7d139a5662450db6a0c86ae436be08a7cf86ada8c7d038e9edb955f1ce4

a0256651.xsph.ru Open in urlscan Pro 141.8.195.39 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Detected technologies

Page Statistics

5 Requests

0 %HTTPS

0 %IPv6

1 Domains

1 Subdomains

1 IPs

1 Countries

56 kBTransfer

175 kBSize

1 Cookies

0 Outgoing links

Redirected requests

5 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

5 JavaScript Global Variables

1 Cookies

Indicators

a0256651.xsph.ru Open in urlscan Pro
141.8.195.39 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

5
Requests

0 %
HTTPS

0 %
IPv6

1
Domains

1
Subdomains

1
IPs

1
Countries

56 kB
Transfer

175 kB
Size

1
Cookies

5 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!