590a77f3f1.nxcli.net Open in urlscan Pro
185.145.13.28 Malicious Activity! Public Scan

Go To Rescan
Add Verdict Report

Submitted URL:
https://www.chase.xc.languagemaster.com.pk/
Effective URL:
https://590a77f3f1.nxcli.net/scripts/info/info/
Submission: On March 31 via automatic, source certstream-suspicious (March 31st 2020, 1:29:54 pm UTC)

Summary HTTP 9 Redirects Behaviour Indicators

Summary

This website contacted 2 IPs in 2 countries across 3 domains to perform 9 HTTP transactions. The main IP is 185.145.13.28, located in Netherlands and belongs to NEXCESS-AMS01, NL. The main domain is 590a77f3f1.nxcli.net.
TLS certificate: Issued by Sectigo RSA Domain Validation Secure ... on September 4th 2019. Valid for: a year.

This is the only time 590a77f3f1.nxcli.net was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Chase (Banking)

Domain & IP information

	IP Address	AS Autonomous System
1 1	192.154.254.69 192.154.254.69	17216 (DC74-AS) (DC74-AS)
4	185.145.13.28 185.145.13.28	202521 (NEXCESS-A...) (NEXCESS-AMS01)
5	151.139.128.10 151.139.128.10	20446 (HIGHWINDS3) (HIGHWINDS3)
9	2

1 192.154.254.69 (La Jolla, United States) 1 redirects

ASN17216 (DC74-AS, US)
PTR: server9.pheservers.com

www.chase.xc.languagemaster.com.pk	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

4 185.145.13.28 (Netherlands)

ASN202521 (NEXCESS-AMS01, NL)
PTR: cloudhost-81930.nl-west-1.nxcli.net

590a77f3f1.nxcli.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

5 151.139.128.10 (Dallas, United States)

ASN20446 (HIGHWINDS3, US)

kit.fontawesome.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools
kit-free.fontawesome.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
5	fontawesome.com kit.fontawesome.com kit-free.fontawesome.com	96 KB
4	nxcli.net 590a77f3f1.nxcli.net	143 KB
1	languagemaster.com.pk 1 redirects www.chase.xc.languagemaster.com.pk	268 B
9	3

	Domain	Requested by
4	kit-free.fontawesome.com	kit.fontawesome.com
4	590a77f3f1.nxcli.net	590a77f3f1.nxcli.net
1	kit.fontawesome.com	590a77f3f1.nxcli.net
1	www.chase.xc.languagemaster.com.pk	1 redirects
9	4

This site contains no links.

Subject Issuer	Validity	Valid
*.nxcli.net Sectigo RSA Domain Validation Secure Server CA	`2019-09-04` - `2020-09-03`	a year	crt.sh
*.fontawesome.com DigiCert SHA2 Secure Server CA	`2019-10-28` - `2020-12-23`	a year	crt.sh

This page contains 1 frames:

Primary Page: https://590a77f3f1.nxcli.net/scripts/info/info/
Frame ID: FEC1BDA5B8D909C3C943E80D03987FE3
Requests: 9 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Page URL History Show full URLs

https://www.chase.xc.languagemaster.com.pk/ HTTP 301
https://590a77f3f1.nxcli.net/scripts/info/info/ Page URL

Detected technologies

Nginx (Web Servers) Expand

Overall confidence: 100%
Detected patterns

headers server /nginx(?:\/([\d.]+))?/i

Font Awesome (Font Scripts) Expand

Overall confidence: 100%
Detected patterns

html /<script[^>]* src=[^>]+fontawesome(?:\.js)?/i

Page Statistics

9
Requests

100 %
HTTPS

0 %
IPv6

3
Domains

4
Subdomains

2
IPs

2
Countries

239 kB
Transfer

316 kB
Size

0
Cookies

0 Outgoing links

These are links going to different origins than the main page.

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

https://www.chase.xc.languagemaster.com.pk/ HTTP 301
https://590a77f3f1.nxcli.net/scripts/info/info/ Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

9 HTTP transactions
0 data transactions

Method Protocol	Status	Resource Path	Size x-fer	Time Latency	Type MIME-Type	IP Location
GET H2	200	Primary Request / Show response 590a77f3f1.nxcli.net/scripts/info/info/ Redirect Chain https://www.chase.xc.languagemaster.com.pk/ https://590a77f3f1.nxcli.net/scripts/info/info/	3 KB 848 B	112ms 62ms	Document text/html	185.145.13.28 NEXCESS-AMS01
General Check archive.org Show headers Download Go to Full URL https://590a77f3f1.nxcli.net/scripts/info/info/ Protocol H2 Security TLS 1.3, , AES_256_GCM Server 185.145.13.28 , Netherlands, ASN202521 (NEXCESS-AMS01, NL), Reverse DNS cloudhost-81930.nl-west-1.nxcli.net Software nginx / Resource Hash `d1b96f820417ea1b6bf8008a82397e06b7488e69bc13491df3f5de6ed3fecfc4` Request headers :method GET :authority 590a77f3f1.nxcli.net :scheme https :path /scripts/info/info/ pragma no-cache cache-control no-cache upgrade-insecure-requests 1 user-agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 sec-fetch-dest document accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 sec-fetch-site none sec-fetch-mode navigate sec-fetch-user ?1 accept-encoding gzip, deflate, br accept-language en-US Upgrade-Insecure-Requests 1 User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Sec-Fetch-Dest document Response headers status 200 server nginx date Tue, 31 Mar 2020 13:29:33 GMT content-type text/html; charset=UTF-8 vary Accept-Encoding x-cache-nxaccel BYPASS content-encoding br Redirect headers Date Tue, 31 Mar 2020 13:29:30 GMT Server Apache Location https://590a77f3f1.nxcli.net/scripts/info/info/ Content-Length 255 Keep-Alive timeout=5, max=100 Connection Keep-Alive Content-Type text/html; charset=iso-8859-1
GET H2	200	main.css 590a77f3f1.nxcli.net/scripts/info/info/css/	4 KB 952 B	22ms 21ms	Stylesheet text/css	185.145.13.28 NEXCESS-AMS01
General Check archive.org Show headers Download Go to Full URL https://590a77f3f1.nxcli.net/scripts/info/info/css/main.css Requested by Host: 590a77f3f1.nxcli.net URL: https://590a77f3f1.nxcli.net/scripts/info/info/ Protocol H2 Security TLS 1.3, , AES_256_GCM Server 185.145.13.28 , Netherlands, ASN202521 (NEXCESS-AMS01, NL), Reverse DNS cloudhost-81930.nl-west-1.nxcli.net Software nginx / Resource Hash `fafb526c63b440eb95c293968490ce49da5c62a0b3d25623a435d0aaad530070` Request headers Referer https://590a77f3f1.nxcli.net/scripts/info/info/ User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Sec-Fetch-Dest style Response headers date Tue, 31 Mar 2020 13:29:33 GMT content-encoding br last-modified Tue, 31 Mar 2020 09:43:02 GMT server nginx etag W/"fea-5a22364cc13cf" vary Accept-Encoding x-cache-nxaccel MISS content-type text/css status 200
GET H2	200	d41c77e3c5.js Show response kit.fontawesome.com/	6 KB 2 KB	476ms 476ms	Script text/javascript	151.139.128.10 HIGHWINDS3
General Check archive.org Show headers Download Go to Full URL https://kit.fontawesome.com/d41c77e3c5.js Requested by Host: 590a77f3f1.nxcli.net URL: https://590a77f3f1.nxcli.net/scripts/info/info/ Protocol H2 Security TLS 1.3, , AES_128_GCM Server 151.139.128.10 Dallas, United States, ASN20446 (HIGHWINDS3, US), Reverse DNS Software / Resource Hash `717360f1759b6925a3e40ea293d825b50fc17e8bf7e849de44d70769664bf696` Request headers Referer https://590a77f3f1.nxcli.net/scripts/info/info/ Origin https://590a77f3f1.nxcli.net Sec-Fetch-Dest script User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Response headers date Tue, 31 Mar 2020 13:29:34 GMT content-encoding gzip last-modified Wed, 09 Oct 2019 17:17:46 GMT access-control-allow-origin * etag "a8e6a3dde655976cfaa1ae45d67d78de" vary Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding x-hw 1585661373.cds019.pa1.hc,1585661373.cds008.pa1.sc,1585661374.cds008.pa1.pr content-type text/javascript status 200 access-control-max-age 3000 cache-control max-age=60, private, must-revalidate access-control-allow-methods GET accept-ranges bytes content-length 2124
GET H2	200	background.jpeg 590a77f3f1.nxcli.net/scripts/info/info/background/	140 KB 141 KB	76ms 76ms	Image image/jpeg	185.145.13.28 NEXCESS-AMS01
General Check archive.org Show headers Download Go to Show image Full URL https://590a77f3f1.nxcli.net/scripts/info/info/background/background.jpeg Requested by Host: 590a77f3f1.nxcli.net URL: https://590a77f3f1.nxcli.net/scripts/info/info/ Protocol H2 Security TLS 1.3, , AES_256_GCM Server 185.145.13.28 , Netherlands, ASN202521 (NEXCESS-AMS01, NL), Reverse DNS cloudhost-81930.nl-west-1.nxcli.net Software nginx / Resource Hash `07cc3a5d26c5879fea01d7b82a40884f2e8bd72a82b1903cb6179cb309971107` Request headers Referer https://590a77f3f1.nxcli.net/scripts/info/info/css/main.css User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Sec-Fetch-Dest image Response headers date Tue, 31 Mar 2020 13:29:34 GMT last-modified Tue, 31 Mar 2020 09:43:01 GMT server nginx etag "23187-5a22364bb1442" x-cache-nxaccel MISS content-type image/jpeg status 200 accept-ranges bytes content-length 143751
GET H2	200	logo.svg 590a77f3f1.nxcli.net/scripts/info/info/svg/	1 KB 711 B	76ms 76ms	Image image/svg+xml	185.145.13.28 NEXCESS-AMS01
General Check archive.org Show headers Download Go to Show image Full URL https://590a77f3f1.nxcli.net/scripts/info/info/svg/logo.svg Requested by Host: 590a77f3f1.nxcli.net URL: https://590a77f3f1.nxcli.net/scripts/info/info/ Protocol H2 Security TLS 1.3, , AES_256_GCM Server 185.145.13.28 , Netherlands, ASN202521 (NEXCESS-AMS01, NL), Reverse DNS cloudhost-81930.nl-west-1.nxcli.net Software nginx / Resource Hash `068c38babe6dd7dce91a5e922491cd00dfadd31558c4336b91bed1eaa273afb4` Request headers Referer https://590a77f3f1.nxcli.net/scripts/info/info/css/main.css User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Sec-Fetch-Dest image Response headers date Tue, 31 Mar 2020 13:29:34 GMT content-encoding br last-modified Tue, 31 Mar 2020 09:43:14 GMT server nginx etag W/"582-5a22365805817" vary Accept-Encoding x-cache-nxaccel MISS content-type image/svg+xml status 200
GET H2	200	free-v4-shims.min.css kit-free.fontawesome.com/releases/latest/css/	26 KB 4 KB	28ms 26ms	Stylesheet text/css	151.139.128.10 HIGHWINDS3
General Check archive.org Show headers Download Go to Full URL https://kit-free.fontawesome.com/releases/latest/css/free-v4-shims.min.css Requested by Host: kit.fontawesome.com URL: https://kit.fontawesome.com/d41c77e3c5.js Protocol H2 Security TLS 1.3, , AES_128_GCM Server 151.139.128.10 Dallas, United States, ASN20446 (HIGHWINDS3, US), Reverse DNS Software / Resource Hash `a8f9c971cb1fdb238722b11da625491003082b87f64fa87d1a5b1057450ffd93` Request headers Referer https://590a77f3f1.nxcli.net/scripts/info/info/ User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Sec-Fetch-Dest style Response headers date Tue, 31 Mar 2020 13:29:34 GMT content-encoding gzip last-modified Mon, 23 Mar 2020 16:08:32 GMT access-control-allow-origin * etag "1584979712" vary Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding x-hw 1585661374.cds032.pa1.hn,1585661374.cds022.pa1.c content-type text/css status 200 access-control-max-age 3000 cache-control max-age=60, private, must-revalidate access-control-allow-methods GET accept-ranges bytes content-length 4430
GET H2	200	free-v4-font-face.min.css kit-free.fontawesome.com/releases/latest/css/	3 KB 951 B	27ms 26ms	Stylesheet text/css	151.139.128.10 HIGHWINDS3
General Check archive.org Show headers Download Go to Full URL https://kit-free.fontawesome.com/releases/latest/css/free-v4-font-face.min.css Requested by Host: kit.fontawesome.com URL: https://kit.fontawesome.com/d41c77e3c5.js Protocol H2 Security TLS 1.3, , AES_128_GCM Server 151.139.128.10 Dallas, United States, ASN20446 (HIGHWINDS3, US), Reverse DNS Software / Resource Hash `856dfd74e3e0a18a8d599636ee1ce6c00fc31922114c14e4312bb91736cde9a9` Request headers Referer https://590a77f3f1.nxcli.net/scripts/info/info/ User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Sec-Fetch-Dest style Response headers date Tue, 31 Mar 2020 13:29:34 GMT content-encoding gzip last-modified Mon, 23 Mar 2020 16:08:30 GMT access-control-allow-origin * etag "1584979710" vary Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding x-hw 1585661374.cds032.pa1.hn,1585661374.cds023.pa1.c content-type text/css status 200 access-control-max-age 3000 cache-control max-age=60, private, must-revalidate access-control-allow-methods GET accept-ranges bytes content-length 820
GET H2	200	free.min.css kit-free.fontawesome.com/releases/latest/css/	58 KB 13 KB	27ms 27ms	Stylesheet text/css	151.139.128.10 HIGHWINDS3
General Check archive.org Show headers Download Go to Full URL https://kit-free.fontawesome.com/releases/latest/css/free.min.css Requested by Host: kit.fontawesome.com URL: https://kit.fontawesome.com/d41c77e3c5.js Protocol H2 Security TLS 1.3, , AES_128_GCM Server 151.139.128.10 Dallas, United States, ASN20446 (HIGHWINDS3, US), Reverse DNS Software / Resource Hash `980a31cf37ef159fd3ff7df7f4dd98df4c6f8132a824f0dd6a48927b80e7b2e0` Request headers Referer https://590a77f3f1.nxcli.net/scripts/info/info/ User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Sec-Fetch-Dest style Response headers date Tue, 31 Mar 2020 13:29:34 GMT content-encoding gzip last-modified Mon, 23 Mar 2020 16:08:34 GMT access-control-allow-origin * etag "1584979714" vary Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding x-hw 1585661374.cds032.pa1.hn,1585661374.cds027.pa1.c content-type text/css status 200 access-control-max-age 3000 cache-control max-age=60, private, must-revalidate access-control-allow-methods GET accept-ranges bytes content-length 13514
GET H2	200	free-fa-brands-400.woff2 kit-free.fontawesome.com/releases/latest/webfonts/	75 KB 75 KB	44ms 44ms	Font font/woff2	151.139.128.10 HIGHWINDS3
General Check archive.org Show headers Download Go to Full URL https://kit-free.fontawesome.com/releases/latest/webfonts/free-fa-brands-400.woff2 Protocol H2 Security TLS 1.3, , AES_128_GCM Server 151.139.128.10 Dallas, United States, ASN20446 (HIGHWINDS3, US), Reverse DNS Software / Resource Hash `619a7a385016cba07fb6d94bbf69c94fba53abf07297f5cd212e85b55aedee15` Request headers Referer https://kit-free.fontawesome.com/releases/latest/css/free-v4-font-face.min.css Origin https://590a77f3f1.nxcli.net Sec-Fetch-Dest font User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Response headers date Tue, 31 Mar 2020 13:29:34 GMT last-modified Mon, 23 Mar 2020 16:14:36 GMT access-control-allow-origin * etag "1584980076" vary Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding access-control-allow-methods GET content-type font/woff2 status 200 access-control-max-age 3000 cache-control max-age=60, private, must-revalidate accept-ranges bytes content-length 76592 x-hw 1585661374.cds019.pa1.hc,1585661374.cds009.pa1.c

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Chase (Banking)

5 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

0 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

590a77f3f1.nxcli.net
kit-free.fontawesome.com
kit.fontawesome.com
www.chase.xc.languagemaster.com.pk
151.139.128.10
185.145.13.28
192.154.254.69
068c38babe6dd7dce91a5e922491cd00dfadd31558c4336b91bed1eaa273afb4
07cc3a5d26c5879fea01d7b82a40884f2e8bd72a82b1903cb6179cb309971107
619a7a385016cba07fb6d94bbf69c94fba53abf07297f5cd212e85b55aedee15
717360f1759b6925a3e40ea293d825b50fc17e8bf7e849de44d70769664bf696
856dfd74e3e0a18a8d599636ee1ce6c00fc31922114c14e4312bb91736cde9a9
980a31cf37ef159fd3ff7df7f4dd98df4c6f8132a824f0dd6a48927b80e7b2e0
a8f9c971cb1fdb238722b11da625491003082b87f64fa87d1a5b1057450ffd93
d1b96f820417ea1b6bf8008a82397e06b7488e69bc13491df3f5de6ed3fecfc4
fafb526c63b440eb95c293968490ce49da5c62a0b3d25623a435d0aaad530070

590a77f3f1.nxcli.net Open in urlscan Pro 185.145.13.28 Malicious Activity! Public Scan

Summary

urlscan.io Verdict: Potentially Malicious

Domain & IP information

Screenshot Live screenshot Full Image

Page URL History Show full URLs

Detected technologies

Page Statistics

9 Requests

100 %HTTPS

0 %IPv6

3 Domains

4 Subdomains

2 IPs

2 Countries

239 kBTransfer

316 kBSize

0 Cookies

0 Outgoing links

Page URL History

Redirected requests

9 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

5 JavaScript Global Variables

0 Cookies

Indicators

590a77f3f1.nxcli.net Open in urlscan Pro
185.145.13.28 Malicious Activity! Public Scan

Screenshot
Live screenshot

Full Image

9
Requests

100 %
HTTPS

0 %
IPv6

3
Domains

4
Subdomains

2
IPs

2
Countries

239 kB
Transfer

316 kB
Size

0
Cookies

9 HTTP transactions
0 data transactions

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!