URL: https://web.ryen.org/
Submission Tags: krdtest
Submission: On December 17 via api from JP — Scanned from JP

Summary

This website contacted 3 IPs in 2 countries across 3 domains to perform 7 HTTP transactions. The main IP is 94.16.110.241, located in Austria and belongs to NETCUP-AS netcup GmbH, DE. The main domain is web.ryen.org.
TLS certificate: Issued by R3 on December 16th 2021. Valid for: 3 months.
This is the only time web.ryen.org was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Telegram (Instant Messenger)

Domain & IP information

IP Address AS Autonomous System
5 94.16.110.241 197540 (NETCUP-AS...)
2 2001:67c:4e8:... 62041 (TELEGRAM)
7 3
Apex Domain
Subdomains
Transfer
5 ryen.org
web.ryen.org
165 KB
1 telegram.me
telegram.me
359 B
1 t.me
t.me
359 B
7 3
Domain Requested by
5 web.ryen.org web.ryen.org
1 telegram.me web.ryen.org
1 t.me web.ryen.org
7 3

This site contains no links.

Subject Issuer Validity Valid
web.ryen.org
R3
2021-12-16 -
2022-03-16
3 months crt.sh
*.t.me
Go Daddy Secure Certificate Authority - G2
2021-10-06 -
2022-11-07
a year crt.sh
*.telegram.me
Go Daddy Secure Certificate Authority - G2
2021-09-21 -
2022-10-23
a year crt.sh

This page contains 1 frames:

Primary Page: https://web.ryen.org/
Frame ID: A2BC62A948C764C7020D8794955CCFE9
Requests: 9 HTTP requests in this frame

Screenshot

Page Title

Ryen

Page Statistics

7
Requests

100 %
HTTPS

50 %
IPv6

3
Domains

3
Subdomains

3
IPs

2
Countries

166 kB
Transfer

605 kB
Size

0
Cookies

Redirected requests

There were HTTP redirect chains for the following requests:

7 HTTP transactions

Resource
Path
Size
x-fer
Type
MIME-Type
Primary Request /
web.ryen.org/
2 KB
731 B
Document
General
Full URL
https://web.ryen.org/
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
94.16.110.241 , Austria, ASN197540 (NETCUP-AS netcup GmbH, DE),
Reverse DNS
srv.uperox.com
Software
nginx /
Resource Hash
69e1a618a15dc727c1c8d101c14b65b5ea15f0602b8d651dcf65d1a34aa1fb1d

Request headers

Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Accept-Language
jp-JP,jp;q=0.9

Response headers

server
nginx
date
Fri, 17 Dec 2021 07:56:34 GMT
content-type
text/html
last-modified
Thu, 16 Dec 2021 14:50:28 GMT
etag
W/"61bb5234-8d2"
content-encoding
br
main.672a2048719211213a92.js
web.ryen.org/
198 KB
62 KB
Script
General
Full URL
https://web.ryen.org/main.672a2048719211213a92.js
Requested by
Host: web.ryen.org
URL: https://web.ryen.org/
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
94.16.110.241 , Austria, ASN197540 (NETCUP-AS netcup GmbH, DE),
Reverse DNS
srv.uperox.com
Software
nginx /
Resource Hash
822b97271f2079f7f37e52663c0b6403e6519c260489afc01d3d1bf37eaf8f13

Request headers

Accept-Language
jp-JP,jp;q=0.9
Referer
https://web.ryen.org/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36

Response headers

date
Fri, 17 Dec 2021 07:56:35 GMT
content-encoding
br
last-modified
Thu, 16 Dec 2021 14:50:28 GMT
server
nginx
etag
W/"61bb5234-317cb"
content-type
application/javascript
main.4842bc3dd57f5c122046.css
web.ryen.org/
56 KB
12 KB
Stylesheet
General
Full URL
https://web.ryen.org/main.4842bc3dd57f5c122046.css
Requested by
Host: web.ryen.org
URL: https://web.ryen.org/
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
94.16.110.241 , Austria, ASN197540 (NETCUP-AS netcup GmbH, DE),
Reverse DNS
srv.uperox.com
Software
nginx /
Resource Hash
14455fe57ba7934b91ee60f09a1a0259f1a480c652bbc6dbfddc340825efb990

Request headers

Accept-Language
jp-JP,jp;q=0.9
Referer
https://web.ryen.org/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36

Response headers

date
Fri, 17 Dec 2021 07:56:35 GMT
content-encoding
br
last-modified
Tue, 14 Dec 2021 18:44:44 GMT
server
nginx
etag
W/"61b8e61c-df7e"
content-type
text/css
truncated
/
66 B
0
Image
General
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
b71c20271d9c80d1a71aa0ab9935281c4fa8ac404533f1a0747d7fb03fc68e79

Request headers

Accept-Language
jp-JP,jp;q=0.9
Referer
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36

Response headers

Content-Type
image/webp
truncated
/
307 B
0
Image
General
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
1e253d3f513bbf831c7e7da3e513cf8d4177f7f398c1fad87809d393a58c1697

Request headers

Accept-Language
jp-JP,jp;q=0.9
Referer
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36

Response headers

Content-Type
image/svg+xml
_websync_
t.me/
4 B
359 B
Script
General
Full URL
https://t.me/_websync_?authed=0&version=dev+Z
Requested by
Host: web.ryen.org
URL: https://web.ryen.org/main.672a2048719211213a92.js
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
2001:67c:4e8:1033:4:100:0:a , Virgin Islands (British), ASN62041 (TELEGRAM, VG),
Reverse DNS
Software
nginx/1.18.0 /
Resource Hash
b5bea41b6c623f7c09f1bf24dcae58ebab3c0cdd90ad966bc43a45b44867e12b
Security Headers
Name Value
Strict-Transport-Security max-age=35768000

Request headers

Accept-Language
jp-JP,jp;q=0.9
Referer
https://web.ryen.org/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36

Response headers

pragma
no-cache
date
Fri, 17 Dec 2021 07:56:36 GMT
content-encoding
gzip
server
nginx/1.18.0
strict-transport-security
max-age=35768000
content-type
application/json; charset=utf-8
cache-control
no-store
content-length
24
_websync_
telegram.me/
4 B
359 B
Script
General
Full URL
https://telegram.me/_websync_?authed=0&version=dev+Z
Requested by
Host: web.ryen.org
URL: https://web.ryen.org/main.672a2048719211213a92.js
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
2001:67c:4e8:1033:4:100:0:a , Virgin Islands (British), ASN62041 (TELEGRAM, VG),
Reverse DNS
Software
nginx/1.18.0 /
Resource Hash
b5bea41b6c623f7c09f1bf24dcae58ebab3c0cdd90ad966bc43a45b44867e12b
Security Headers
Name Value
Strict-Transport-Security max-age=35768000

Request headers

Accept-Language
jp-JP,jp;q=0.9
Referer
https://web.ryen.org/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36

Response headers

pragma
no-cache
date
Fri, 17 Dec 2021 07:56:36 GMT
content-encoding
gzip
server
nginx/1.18.0
strict-transport-security
max-age=35768000
content-type
application/json; charset=utf-8
cache-control
no-store
content-length
24
927.0bf5b9b4792554dd7b86.js
web.ryen.org/
317 KB
82 KB
Other
General
Full URL
https://web.ryen.org/927.0bf5b9b4792554dd7b86.js
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
94.16.110.241 , Austria, ASN197540 (NETCUP-AS netcup GmbH, DE),
Reverse DNS
srv.uperox.com
Software
nginx /
Resource Hash
6fce8d9d5a0d07a645edc9fb023e8d0d4f6f1d51961fb58a28bebfbd32ff3d53

Request headers

Accept-Language
jp-JP,jp;q=0.9
Referer
https://web.ryen.org/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36

Response headers

date
Fri, 17 Dec 2021 07:56:36 GMT
content-encoding
br
last-modified
Thu, 16 Dec 2021 14:50:28 GMT
server
nginx
etag
W/"61bb5234-4f358"
content-type
application/javascript
915.1250d328f7ab7f94b36e.js
web.ryen.org/
32 KB
8 KB
Script
General
Full URL
https://web.ryen.org/915.1250d328f7ab7f94b36e.js
Requested by
Host: web.ryen.org
URL: https://web.ryen.org/main.672a2048719211213a92.js
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
94.16.110.241 , Austria, ASN197540 (NETCUP-AS netcup GmbH, DE),
Reverse DNS
srv.uperox.com
Software
nginx /
Resource Hash
9b7febf2e892c67c7297a261e9143d6b6ea7374d5d7e1d5ac6ef751c0e216295

Request headers

Accept-Language
jp-JP,jp;q=0.9
Referer
https://web.ryen.org/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36

Response headers

date
Fri, 17 Dec 2021 07:56:36 GMT
content-encoding
br
last-modified
Thu, 16 Dec 2021 14:50:28 GMT
server
nginx
etag
W/"61bb5234-7ed2"
content-type
application/javascript

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Telegram (Instant Messenger)

2 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

object| webpackChunktelegram_t function| QrCreator

0 Cookies