file-upload-debol87sgsjd64682.ngrok.io Open in urlscan Pro
2600:1f16:59e:b200:9824:7fb2:162:d476 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

Submitted URL:
https://bit.ly/2w28gpz
Effective URL:
https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8...
Submission: On May 15 via manual (May 15th 2019, 7:39:19 pm UTC) from US

Summary HTTP 22 Redirects Behaviour Indicators

Summary

This website contacted 3 IPs in 2 countries across 5 domains to perform 22 HTTP transactions. The main IP is 2600:1f16:59e:b200:9824:7fb2:162:d476, located in Columbus, United States and belongs to AMAZON-02 - Amazon.com, Inc., US. The main domain is file-upload-debol87sgsjd64682.ngrok.io.
TLS certificate: Issued by RapidSSL RSA CA 2018 on March 11th 2019. Valid for: a year.

This is the only time file-upload-debol87sgsjd64682.ngrok.io was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Office 365 (Online)

Domain & IP information

	IP Address	AS Autonomous System
1 1	67.199.248.11 67.199.248.11	395224 (BITLY-AS) (BITLY-AS - Bitly Inc)
1 1	34.197.0.138 34.197.0.138	14618 (AMAZON-AES) (AMAZON-AES - Amazon.com)
1 13	2600:1f16:59e... 2600:1f16:59e:b200:9824:7fb2:162:d476	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
2	35.157.3.192 35.157.3.192	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
22	3

1 67.199.248.11 (United States) 1 redirects

ASN395224 (BITLY-AS - Bitly Inc, US)
PTR: bit.ly

bit.ly	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 34.197.0.138 (Ashburn, United States) 1 redirects

ASN14618 (AMAZON-AES - Amazon.com, Inc., US)
PTR: ec2-34-197-0-138.compute-1.amazonaws.com

rebrand.ly	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

13 2600:1f16:59e:b200:9824:7fb2:162:d476 (Columbus, United States) 1 redirects

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)

file-upload-debol87sgsjd64682.ngrok.io	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 35.157.3.192 (Frankfurt am Main, Germany)

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: ec2-35-157-3-192.eu-central-1.compute.amazonaws.com

nexus.ensighten.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
13	ngrok.io 1 redirects file-upload-debol87sgsjd64682.ngrok.io	760 KB
2	ensighten.com nexus.ensighten.com	1 KB
1	rebrand.ly 1 redirects rebrand.ly	283 B
1	bit.ly 1 redirects bit.ly	420 B
0	microsoft.com Failed cs.microsoft.com Failed
22	5

	Domain	Requested by
13	file-upload-debol87sgsjd64682.ngrok.io	1 redirects file-upload-debol87sgsjd64682.ngrok.io
2	nexus.ensighten.com	file-upload-debol87sgsjd64682.ngrok.io
1	rebrand.ly	1 redirects
1	bit.ly	1 redirects
0	cs.microsoft.com Failed	file-upload-debol87sgsjd64682.ngrok.io
22	5

This site contains no links.

Subject Issuer	Validity	Valid
*.ngrok.io RapidSSL RSA CA 2018	`2019-03-11` - `2020-03-11`	a year	crt.sh
nexus.ensighten.com DigiCert SHA2 Secure Server CA	`2018-10-17` - `2020-01-05`	a year	crt.sh

This page contains 1 frames:

Primary Page: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0
Frame ID: 80B9D8E9FC858292642A3C89827DB4A1
Requests: 22 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page URL History Show full URLs

https://bit.ly/2w28gpz HTTP 301
https://rebrand.ly/openlink HTTP 301
https://file-upload-debol87sgsjd64682.ngrok.io/?authentication=valid Page URL
https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/ HTTP 302
https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219... Page URL

Detected technologies

Apache (Web Servers) Expand

Overall confidence: 100%
Detected patterns

headers server /(?:Apache(?:$|\/([\d.]+)|[^\/-])|(?:^|)HTTPD)/i

RequireJS (JavaScript Frameworks) Expand

Overall confidence: 100%
Detected patterns

env /^requirejs$/i

Page Statistics

22
Requests

64 %
HTTPS

25 %
IPv6

5
Domains

5
Subdomains

3
IPs

2
Countries

761 kB
Transfer

1150 kB
Size

0
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

https://bit.ly/2w28gpz HTTP 301
https://rebrand.ly/openlink HTTP 301
https://file-upload-debol87sgsjd64682.ngrok.io/?authentication=valid Page URL
https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/ HTTP 302
https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 0

https://bit.ly/2w28gpz HTTP 301
https://rebrand.ly/openlink HTTP 301
https://file-upload-debol87sgsjd64682.ngrok.io/?authentication=valid

22 HTTP transactions
0 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H/1.1	200 OK	/ Show response file-upload-debol87sgsjd64682.ngrok.io/ Redirect Chain https://bit.ly/2w28gpz https://rebrand.ly/openlink https://file-upload-debol87sgsjd64682.ngrok.io/?authentication=valid	621 B 799 B	722ms 384ms	Document text/html	2600:1f16:59e:b200:9824:7fb2:162:d476 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://file-upload-debol87sgsjd64682.ngrok.io/?authentication=valid Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 2600:1f16:59e:b200:9824:7fb2:162:d476 Columbus, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS Software Apache / Resource Hash `4934e17a953ded7a4715a767c05de07b8c97d28bd5db349ba5bed88a2888c04a` Request headers Host file-upload-debol87sgsjd64682.ngrok.io Connection keep-alive Pragma no-cache Cache-Control no-cache Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Encoding gzip, deflate, br Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Transfer-Encoding chunked Content-Type text/html; charset=UTF-8 Date Wed, 15 May 2019 19:39:02 GMT Refresh 3; ./user-auth/ Server Apache Redirect headers Cache-Control no-cache, no-store Date Wed, 15 May 2019 19:39:01 GMT Engine Rebrandly.redirect, version 2.0 Expires -1 Location https://file-upload-debol87sgsjd64682.ngrok.io/?authentication=valid Content-Length 0 Connection keep-alive
GET H/1.1	200 OK	onedrive_new.png file-upload-debol87sgsjd64682.ngrok.io/	29 KB 29 KB	378ms 377ms	Image image/png	2600:1f16:59e:b200:9824:7fb2:162:d476 Amazon.com
General Check archive.org Show headers Download Go to Show image Full URL https://file-upload-debol87sgsjd64682.ngrok.io/onedrive_new.png Requested by Host: file-upload-debol87sgsjd64682.ngrok.io URL: https://file-upload-debol87sgsjd64682.ngrok.io/?authentication=valid Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 2600:1f16:59e:b200:9824:7fb2:162:d476 Columbus, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS Software Apache / Resource Hash `2d075185b9030005dc328f2abd0f7311d89bddd7ac1d1fdf14eaaca177ad4623` Request headers Referer https://file-upload-debol87sgsjd64682.ngrok.io/?authentication=valid User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Wed, 15 May 2019 19:39:02 GMT Last-Modified Fri, 19 Apr 2019 15:06:00 GMT Server Apache Accept-Ranges bytes Content-Length 29364 Content-Type image/png
GET H/1.1	200 OK	Primary Request login.php file-upload-debol87sgsjd64682.ngrok.io/user-auth/ Redirect Chain https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/ https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e072192...	392 KB 0	827ms 827ms	Document text/html	2600:1f16:59e:b200:9824:7fb2:162:d476 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 2600:1f16:59e:b200:9824:7fb2:162:d476 Columbus, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS Software Apache / Resource Hash Request headers Host file-upload-debol87sgsjd64682.ngrok.io Connection keep-alive Pragma no-cache Cache-Control no-cache Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Referer https://file-upload-debol87sgsjd64682.ngrok.io/?authentication=valid Accept-Encoding gzip, deflate, br Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Referer https://file-upload-debol87sgsjd64682.ngrok.io/?authentication=valid Response headers Transfer-Encoding chunked Content-Type text/html; charset=UTF-8 Date Wed, 15 May 2019 19:39:06 GMT Server Apache Redirect headers Content-Type text/html; charset=UTF-8 Date Wed, 15 May 2019 19:39:06 GMT Location login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Server Apache Content-Length 0
GET H/1.1	200 OK	Bootstrap.js Show response file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	51 KB 51 KB	733ms 528ms	Script application/javascript	2600:1f16:59e:b200:9824:7fb2:162:d476 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/Bootstrap.js Requested by Host: file-upload-debol87sgsjd64682.ngrok.io URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 2600:1f16:59e:b200:9824:7fb2:162:d476 Columbus, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS Software Apache / Resource Hash `99820c5d0e52f2b5d3dba06a582fb0c0845c0f03192a9b5a65f43f7f6cea88a1` Request headers Referer https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Wed, 15 May 2019 19:39:08 GMT Last-Modified Fri, 19 Apr 2019 15:06:00 GMT Server Apache Accept-Ranges bytes Content-Length 51749 Content-Type application/javascript
GET H/1.1	200 OK	ms.js Show response file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	12 KB 12 KB	518ms 313ms	Script application/javascript	2600:1f16:59e:b200:9824:7fb2:162:d476 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/ms.js Requested by Host: file-upload-debol87sgsjd64682.ngrok.io URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 2600:1f16:59e:b200:9824:7fb2:162:d476 Columbus, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS Software Apache / Resource Hash `81a5e095ee6ebe17230434d1522f47614dae9096c79fc75fa9685bcbda812380` Request headers Referer https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Wed, 15 May 2019 19:39:08 GMT Last-Modified Fri, 19 Apr 2019 15:06:00 GMT Server Apache Accept-Ranges bytes Content-Length 12487 Content-Type application/javascript
GET H/1.1	200 OK	jsll-4.js Show response file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	51 KB 52 KB	559ms 559ms	Script application/javascript	2600:1f16:59e:b200:9824:7fb2:162:d476 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/jsll-4.js Requested by Host: file-upload-debol87sgsjd64682.ngrok.io URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 2600:1f16:59e:b200:9824:7fb2:162:d476 Columbus, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS Software Apache / Resource Hash `ab707f6d49ad796e97599151075e837ffd982758231ed889ccae95151557284d` Request headers Referer https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Wed, 15 May 2019 19:39:08 GMT Last-Modified Fri, 19 Apr 2019 15:06:00 GMT Server Apache Accept-Ranges bytes Content-Length 52607 Content-Type application/javascript
GET H/1.1	200 OK	all.js Show response file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	195 KB 195 KB	758ms 563ms	Script application/javascript	2600:1f16:59e:b200:9824:7fb2:162:d476 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/all.js Requested by Host: file-upload-debol87sgsjd64682.ngrok.io URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 2600:1f16:59e:b200:9824:7fb2:162:d476 Columbus, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS Software Apache / Resource Hash `a8c361f69d3e9c9c9df82c90bbe540ba3c1d94d369f45f9c21fc67f7178b8c7c` Request headers Referer https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Wed, 15 May 2019 19:39:07 GMT Last-Modified Fri, 19 Apr 2019 15:06:00 GMT Server Apache Accept-Ranges bytes Content-Length 199988 Content-Type application/javascript
GET H/1.1	200 OK	require-951f856e.js Show response file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	18 KB 18 KB	942ms 746ms	Script application/javascript	2600:1f16:59e:b200:9824:7fb2:162:d476 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/require-951f856e.js Requested by Host: file-upload-debol87sgsjd64682.ngrok.io URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 2600:1f16:59e:b200:9824:7fb2:162:d476 Columbus, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS Software Apache / Resource Hash `757450f70da7f796420fb8993990c043ea4120fe93d72aa55c460232ecdd1e77` Request headers Referer https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Wed, 15 May 2019 19:39:07 GMT Last-Modified Fri, 19 Apr 2019 15:06:00 GMT Server Apache Accept-Ranges bytes Content-Length 17954 Content-Type application/javascript
GET H/1.1	200 OK	97-b6864d.css file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	126 KB 126 KB	687ms 492ms	Stylesheet text/css	2600:1f16:59e:b200:9824:7fb2:162:d476 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/97-b6864d.css Requested by Host: file-upload-debol87sgsjd64682.ngrok.io URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 2600:1f16:59e:b200:9824:7fb2:162:d476 Columbus, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS Software Apache / Resource Hash `2fbc031eb7dee1d36e21a66425569e307d1ae1b345d6220ca2d89f6f6b1b8719` Request headers Referer https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Wed, 15 May 2019 19:39:07 GMT Last-Modified Fri, 19 Apr 2019 15:06:00 GMT Server Apache Accept-Ranges bytes Content-Length 128536 Content-Type text/css
GET H/1.1	200 OK	home.js Show response file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	42 KB 42 KB	385ms 384ms	Script application/javascript	2600:1f16:59e:b200:9824:7fb2:162:d476 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/home.js Requested by Host: file-upload-debol87sgsjd64682.ngrok.io URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 2600:1f16:59e:b200:9824:7fb2:162:d476 Columbus, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS Software Apache / Resource Hash `669d4a1bd72957df86e0b57281b4580c48b17b946db75ffa02f16238bbac7fc6` Request headers Referer https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Wed, 15 May 2019 19:39:08 GMT Last-Modified Fri, 19 Apr 2019 15:06:00 GMT Server Apache Accept-Ranges bytes Content-Length 43063 Content-Type application/javascript
GET H/1.1	200 OK	homeappfonts-e1a2082a.js Show response file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	188 KB 188 KB	543ms 542ms	Script application/javascript	2600:1f16:59e:b200:9824:7fb2:162:d476 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/homeappfonts-e1a2082a.js Requested by Host: file-upload-debol87sgsjd64682.ngrok.io URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 2600:1f16:59e:b200:9824:7fb2:162:d476 Columbus, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS Software Apache / Resource Hash `2ca170f7c96032875931f199c0cf8fb5320e232c3fbf8a1e160af6dc8c6b5ec1` Request headers Referer https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Wed, 15 May 2019 19:39:08 GMT Last-Modified Fri, 19 Apr 2019 15:06:00 GMT Server Apache Accept-Ranges bytes Content-Length 192529 Content-Type application/javascript
GET H/1.1	200 OK	aria-4cf8a7e2.js Show response file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	45 KB 46 KB	377ms 376ms	Script application/javascript	2600:1f16:59e:b200:9824:7fb2:162:d476 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/aria-4cf8a7e2.js Requested by Host: file-upload-debol87sgsjd64682.ngrok.io URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 2600:1f16:59e:b200:9824:7fb2:162:d476 Columbus, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS Software Apache / Resource Hash `977d596ae10ea77c6a86e0a6687ffb03a6a348685af7dd60370b611c426792f9` Request headers Referer https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Wed, 15 May 2019 19:39:09 GMT Last-Modified Fri, 19 Apr 2019 15:06:00 GMT Server Apache Accept-Ranges bytes Content-Length 46558 Content-Type application/javascript
GET		getid.js cs.microsoft.com/	0 0

GET H/1.1	200 OK	serverComponent.php Show response nexus.ensighten.com/msftoffice/prod/	335 B 572 B	525ms 121ms	Script text/javascript	35.157.3.192 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://nexus.ensighten.com/msftoffice/prod/serverComponent.php?r=232.77798552592088&ClientID=761&PageID=https%3A%2F%2Ffile-upload-debol87sgsjd64682.ngrok.io%2Fuser-auth%2Flogin.php%3Fcmd%3Dlogin_submit%26id%3D7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0%26session%3D7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 Requested by Host: file-upload-debol87sgsjd64682.ngrok.io URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/Bootstrap.js Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 35.157.3.192 Frankfurt am Main, Germany, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS ec2-35-157-3-192.eu-central-1.compute.amazonaws.com Software nginx / Resource Hash `58cf88fdcfb732b2054a1b4f0a2ef9d6bcbf70ef39d360664bc656a3f7ead394` Request headers Referer https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Wed, 15 May 2019 19:39:10 GMT Cache-Control no-cache, no-store Expires Wed, 15 May 2019 19:39:09 GMT Server nginx Connection keep-alive Content-Length 335 Content-Type text/javascript
GET H/1.1	200 OK	f6365f75b501f300457bb7fca6bbfcab.js Show response nexus.ensighten.com/msftoffice/prod/code/	468 B 761 B	101ms 100ms	Script application/javascript	35.157.3.192 Amazon.com
General Check archive.org Show headers Download Go to Full URL https://nexus.ensighten.com/msftoffice/prod/code/f6365f75b501f300457bb7fca6bbfcab.js?conditionId0=422916 Requested by Host: file-upload-debol87sgsjd64682.ngrok.io URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/Bootstrap.js Protocol HTTP/1.1 Security TLS 1.2, ECDHE_RSA, AES_128_GCM Server 35.157.3.192 Frankfurt am Main, Germany, ASN16509 (AMAZON-02 - Amazon.com, Inc., US), Reverse DNS ec2-35-157-3-192.eu-central-1.compute.amazonaws.com Software nginx / Resource Hash `5665ebf1feaa87bae586a1fdc6835647a0f87e1c7a5af2f23d449ee0c73ee1c3` Request headers Referer https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/login.php?cmd=login_submit&id=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0&session=7219269bf651aaec5d9c08d8fd8fe4e07219269bf651aaec5d9c08d8fd8fe4e0 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Response headers Date Wed, 15 May 2019 19:39:10 GMT Last-Modified Wed, 05 Apr 2017 17:36:00 GMT Server nginx ETag "58e52b00-1d4" Content-Type application/javascript; charset=utf-8 Cache-Control max-age=315360000 Connection keep-alive Accept-Ranges bytes Content-Length 468
GET		2523150420.js file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	0 0

GET		t.js file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	0 0

GET		jquery-2.js file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	0 0

GET		5f-c2d29a file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	0 0

GET		meversion file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	0 0

GET		microsoft-gray.png file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	0 0

GET		down.png file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/	0 0

Failed requests

These URLs were requested, but there was no response received. You will also see them in the list above.

Domain: cs.microsoft.com
URL: https://cs.microsoft.com/getid.js?jsoncb=MscomSetFPC

Domain: file-upload-debol87sgsjd64682.ngrok.io
URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/2523150420.js

Domain: file-upload-debol87sgsjd64682.ngrok.io
URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/t.js

Domain: file-upload-debol87sgsjd64682.ngrok.io
URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/jquery-2.js

Domain: file-upload-debol87sgsjd64682.ngrok.io
URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/5f-c2d29a

Domain: file-upload-debol87sgsjd64682.ngrok.io
URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/meversion

Domain: file-upload-debol87sgsjd64682.ngrok.io
URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/microsoft-gray.png

Domain: file-upload-debol87sgsjd64682.ngrok.io
URL: https://file-upload-debol87sgsjd64682.ngrok.io/user-auth/signin_files/down.png

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Office 365 (Online)

88 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

0 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

bit.ly
cs.microsoft.com
file-upload-debol87sgsjd64682.ngrok.io
nexus.ensighten.com
rebrand.ly
cs.microsoft.com
file-upload-debol87sgsjd64682.ngrok.io
2600:1f16:59e:b200:9824:7fb2:162:d476
34.197.0.138
35.157.3.192
67.199.248.11
2ca170f7c96032875931f199c0cf8fb5320e232c3fbf8a1e160af6dc8c6b5ec1
2d075185b9030005dc328f2abd0f7311d89bddd7ac1d1fdf14eaaca177ad4623
2fbc031eb7dee1d36e21a66425569e307d1ae1b345d6220ca2d89f6f6b1b8719
4934e17a953ded7a4715a767c05de07b8c97d28bd5db349ba5bed88a2888c04a
5665ebf1feaa87bae586a1fdc6835647a0f87e1c7a5af2f23d449ee0c73ee1c3
58cf88fdcfb732b2054a1b4f0a2ef9d6bcbf70ef39d360664bc656a3f7ead394
669d4a1bd72957df86e0b57281b4580c48b17b946db75ffa02f16238bbac7fc6
757450f70da7f796420fb8993990c043ea4120fe93d72aa55c460232ecdd1e77
81a5e095ee6ebe17230434d1522f47614dae9096c79fc75fa9685bcbda812380
977d596ae10ea77c6a86e0a6687ffb03a6a348685af7dd60370b611c426792f9
99820c5d0e52f2b5d3dba06a582fb0c0845c0f03192a9b5a65f43f7f6cea88a1
a8c361f69d3e9c9c9df82c90bbe540ba3c1d94d369f45f9c21fc67f7178b8c7c
ab707f6d49ad796e97599151075e837ffd982758231ed889ccae95151557284d

file-upload-debol87sgsjd64682.ngrok.io Open in urlscan Pro 2600:1f16:59e:b200:9824:7fb2:162:d476 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page URL History Show full URLs

Detected technologies

Page Statistics

22 Requests

64 %HTTPS

25 %IPv6

5 Domains

5 Subdomains

3 IPs

2 Countries

761 kBTransfer

1150 kBSize

0 Cookies

0 Outgoing links

Page URL History

Redirected requests

22 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Failed requests

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

88 JavaScript Global Variables

0 Cookies

Indicators

file-upload-debol87sgsjd64682.ngrok.io Open in urlscan Pro
2600:1f16:59e:b200:9824:7fb2:162:d476 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

22
Requests

64 %
HTTPS

25 %
IPv6

5
Domains

5
Subdomains

3
IPs

2
Countries

761 kB
Transfer

1150 kB
Size

0
Cookies

22 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!