Submitted URL: http://www.g.bw/j3UiNdb
Effective URL: http://forextech.xyz/http/Box/login.html
Submission: On March 26 via manual from GB

Summary

This website contacted 3 IPs in 3 countries across 3 domains to perform 9 HTTP transactions. The main IP is 89.163.144.68, located in Hattersheim, Germany and belongs to MYLOC-AS, DE. The main domain is forextech.xyz.
This is the only time forextech.xyz was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Box.com (Consumer)

Domain & IP information

IP Address          AS      Autonomous System
1  1  208.97.176.177   26347   (DREAMHOST-AS)
2  2  45.40.140.1      26496   (AS-26496-...)
2  9  89.163.144.68    24961   (MYLOC-AS)
2     134.249.116.78   15895   (KSNET-AS)
9  3

   Apex Domain     Subdomains      Transfer
9  forextech.xyz   forextech.xyz   146 KB
2  x.co            x.co            299 B
1  g.bw            www.g.bw        284 B
9  3

   Domain          Requested by
9  forextech.xyz   2 redirects, forextech.xyz
2  x.co            2 redirects
1  www.g.bw        1 redirect
9  3

This site contains links to these domains. Also see Links.

Domain
www.box.com
account.box.com
community.box.com

This page contains 1 frames:

Primary Page: http://forextech.xyz/http/Box/login.html
Frame ID: 6C28E7A3016E1A383B78FA273D2BBB84
Requests: 10 HTTP requests in this frame

Screenshot


Page URL History

  1. http://www.g.bw/j3UiNdb HTTP 302
    http://x.co/BoxMarch26 HTTP 301
    https://x.co/BoxMarch26 HTTP 302
    http://forextech.xyz/http/Box/login.html Page URL

Detected technologies

  • Overall confidence: 100%; detected pattern: headers server /nginx(?:\/([\d.]+))?/i
  • Overall confidence: 100%; detected pattern: env /^moment$/i
  • Overall confidence: 100%; detected pattern: env /^jQuery$/i

Page Statistics

Requests: 9
HTTPS: 0 %
IPv6: 0 %
Domains: 3
Subdomains: 3
IPs: 3
Countries: 3
Transfer: 146 kB
Size: 396 kB
Cookies: 0

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.


Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 5
  • http://forextech.xyz/gen204?category=boomerang&event_type=beacon&keys_and_values[current_rm]=amsterdam_login_premium&keys_and_values[datacenterTag]=unknown&keys_and_values[uri]=http%3A%2F%2Fforextech.xyz%2Fhttp%2FBox%2Flogin.html&&keys_and_values[version]=1&keys_and_values[nt_red_cnt]=0&keys_and_values[nt_nav_type]=0&keys_and_values[nt_nav_st]=1553611070257&keys_and_values[nt_fet_st]=1553611071395&keys_and_values[nt_dns_st]=1553611071397&keys_and_values[nt_dns_end]=1553611071430&keys_and_values[nt_con_st]=1553611071430&keys_and_values[nt_con_end]=1553611071444&keys_and_values[nt_req_st]=1553611071444&keys_and_values[nt_res_st]=1553611071459&keys_and_values[nt_res_end]=1553611071462&keys_and_values[nt_domloading]=1553611071479&keys_and_values[nt_domint]=1553611071655&keys_and_values[nt_domcontloaded_st]=1553611071673&keys_and_values[nt_domcontloaded_end]=1553611071674&keys_and_values[nt_domcomp]=1553611071674&keys_and_values[nt_load_st]=1553611071674&keys_and_values[nt_load_end]=1553611071674&keys_and_values[t_done]=1417&keys_and_values[t_resp]=15&keys_and_values[t_page]=215&runmode_options[splunk]=1&runmode_options[add_geo]=1 HTTP 302
  • http://134.249.116.78/index.php
Request Chain 7
  • http://forextech.xyz/index.php?rm=box_gen204_batch_record HTTP 302
  • http://134.249.116.78/index.php

9 HTTP transactions

Columns per transaction: Resource, Path, Size, x-fer, Type, MIME-Type
Primary Request: login.html
Path: forextech.xyz/http/Box/
Redirect Chain:
  • http://www.g.bw/j3UiNdb
  • http://x.co/BoxMarch26
  • https://x.co/BoxMarch26
  • http://forextech.xyz/http/Box/login.html
Size: 17 KB   x-fer: 5 KB   Type: Document

General
Full URL: http://forextech.xyz/http/Box/login.html
Protocol: HTTP/1.1
Server: 89.163.144.68 Hattersheim, Germany, ASN24961 (MYLOC-AS, DE)
Reverse DNS: ve068.venus.dedi.server-hosting.expert
Software: nginx /
Resource Hash: b3a5b6ca29a838f041bbd3b84aa117b219101c306e3a8edfa17b11f19c38f54b
Security Headers:
  X-Content-Type-Options: nosniff
  X-Xss-Protection: 1; mode=block

Request headers
Host: forextech.xyz
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate

Response headers
Server: nginx
Date: Tue, 26 Mar 2019 14:37:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Fri, 15 Feb 2019 10:23:34 GMT
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Nginx-Cache-Status: BYPASS
X-Server-Powered-By: Engintron
Content-Encoding: gzip

Redirect headers
status: 302
server: nginx/1.12.2
date: Tue, 26 Mar 2019 14:37:51 GMT
content-type: text/html; charset=utf-8
location: http://forextech.xyz/http/Box/login.html

login-50a5721c03.css
Path: forextech.xyz/http/Box/login_files/
Size: 107 KB   x-fer: 38 KB   Type: Stylesheet

General
Full URL: http://forextech.xyz/http/Box/login_files/login-50a5721c03.css
Requested by: Host: forextech.xyz; URL: http://forextech.xyz/http/Box/login.html
Protocol: HTTP/1.1
Server: 89.163.144.68 Hattersheim, Germany, ASN24961 (MYLOC-AS, DE)
Reverse DNS: ve068.venus.dedi.server-hosting.expert
Software: nginx /
Resource Hash: c8dde2ecbfa02b614400d7cb315f21f6280f77b14b45bee931663ca012d6d306

Request headers
Pragma: no-cache
Accept-Encoding: gzip, deflate
Host: forextech.xyz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: text/css,*/*;q=0.1
Referer: http://forextech.xyz/http/Box/login.html
Connection: keep-alive
Cache-Control: no-cache

Response headers
Pragma: public
Date: Tue, 26 Mar 2019 14:37:51 GMT
Content-Encoding: gzip
Last-Modified: Fri, 15 Feb 2019 09:59:28 GMT
Server: nginx
Vary: Accept-Encoding
Content-Type: text/css
Cache-Control: max-age=2592000
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 25 Apr 2019 14:37:51 GMT

new-office-logo.png
Path: forextech.xyz/http/Box/
Size: 5 KB   x-fer: 5 KB   Type: Image

General
Full URL: http://forextech.xyz/http/Box/new-office-logo.png
Requested by: Host: forextech.xyz; URL: http://forextech.xyz/http/Box/login.html
Protocol: HTTP/1.1
Server: 89.163.144.68 Hattersheim, Germany, ASN24961 (MYLOC-AS, DE)
Reverse DNS: ve068.venus.dedi.server-hosting.expert
Software: nginx /
Resource Hash: 42228e99e5e7435a0ed85bdda859f5eebd2c90e055d925bd155f43f02081a712

Request headers
Pragma: no-cache
Accept-Encoding: gzip, deflate
Host: forextech.xyz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://forextech.xyz/http/Box/login.html
Connection: keep-alive
Cache-Control: no-cache

Response headers
Pragma: public
Date: Tue, 26 Mar 2019 14:37:51 GMT
Last-Modified: Fri, 26 Oct 2018 08:27:12 GMT
Server: nginx
Content-Type: image/png
Cache-Control: max-age=5184000
Connection: keep-alive
Accept-Ranges: bytes
Content-Length: 5168
Expires: Sat, 25 May 2019 14:37:51 GMT

norton.png
Path: forextech.xyz/http/Box/
Size: 17 KB   x-fer: 17 KB   Type: Image

General
Full URL: http://forextech.xyz/http/Box/norton.png
Requested by: Host: forextech.xyz; URL: http://forextech.xyz/http/Box/login.html
Protocol: HTTP/1.1
Server: 89.163.144.68 Hattersheim, Germany, ASN24961 (MYLOC-AS, DE)
Reverse DNS: ve068.venus.dedi.server-hosting.expert
Software: nginx /
Resource Hash: d97c1ea26a50582393fefcd91a79e78b98c78202c5c930a38072f61537df9823

Request headers
Pragma: no-cache
Accept-Encoding: gzip, deflate
Host: forextech.xyz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://forextech.xyz/http/Box/login.html
Connection: keep-alive
Cache-Control: no-cache

Response headers
Pragma: public
Date: Tue, 26 Mar 2019 14:37:51 GMT
Last-Modified: Fri, 15 Feb 2019 10:03:52 GMT
Server: nginx
Content-Type: image/png
Cache-Control: max-age=5184000
Connection: keep-alive
Accept-Ranges: bytes
Content-Length: 17343
Expires: Sat, 25 May 2019 14:37:51 GMT

login-3a640191e3.min.js.download
Path: forextech.xyz/http/Box/login_files/
Size: 250 KB   x-fer: 80 KB   Type: Script

General
Full URL: http://forextech.xyz/http/Box/login_files/login-3a640191e3.min.js.download
Requested by: Host: forextech.xyz; URL: http://forextech.xyz/http/Box/login.html
Protocol: HTTP/1.1
Server: 89.163.144.68 Hattersheim, Germany, ASN24961 (MYLOC-AS, DE)
Reverse DNS: ve068.venus.dedi.server-hosting.expert
Software: nginx /
Resource Hash: 3f794c658458512e57ba6e8ce570bf166116859657e991b9e864cdd5bd5ac3ea
Security Headers:
  X-Content-Type-Options: nosniff
  X-Xss-Protection: 1; mode=block

Request headers
Pragma: no-cache
Accept-Encoding: gzip, deflate
Host: forextech.xyz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: */*
Referer: http://forextech.xyz/http/Box/login.html
Connection: keep-alive
Cache-Control: no-cache

Response headers
Date: Tue, 26 Mar 2019 14:37:51 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
Last-Modified: Fri, 15 Feb 2019 09:59:28 GMT
Server: nginx
Vary: Accept-Encoding
X-Nginx-Cache-Status: BYPASS
Transfer-Encoding: chunked
X-Server-Powered-By: Engintron
Connection: keep-alive
Content-Type: application/javascript
X-XSS-Protection: 1; mode=block

truncated
Path: /
Size: 49 B   x-fer: 0   Type: Script

General
Full URL: data:truncated
Protocol: DATA
Server: -, , ASN ()
Reverse DNS: (none)
Software: /
Resource Hash: 43d5dc022838b859f9754723c1c61dfc5074ebafda61a31175bdfef1cf0e2820

Request headers
(none)

Response headers
Content-Type: text/javascript

index.php (Cookie set)
Path: 134.249.116.78/
Redirect Chain:
  • http://forextech.xyz/gen204?category=boomerang&event_type=beacon&keys_and_values[current_rm]=amsterdam_login_premium&keys_and_values[datacenterTag]=unknown&keys_and_values[uri]=http%3A%2F%2Fforexte...
  • http://134.249.116.78/index.php
Size: 0   x-fer: -1 B   Type: XHR

General
Full URL: http://134.249.116.78/index.php
Protocol: HTTP/1.1
Server: 89.163.144.68 Hattersheim, Germany, ASN24961 (MYLOC-AS, DE)
Reverse DNS: ve068.venus.dedi.server-hosting.expert
Software: nginx /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Security Headers:
  X-Content-Type-Options: nosniff
  X-Xss-Protection: 1; mode=block

Request headers
Pragma: no-cache
Accept-Encoding: gzip, deflate
Host: forextech.xyz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: */*
Referer: http://forextech.xyz/http/Box/login.html
Connection: keep-alive
Cache-Control: no-cache

Response headers
Date: Tue, 26 Mar 2019 14:37:51 GMT
X-Content-Type-Options: nosniff
Server: nginx
X-Nginx-Cache-Status: MISS
Location: http://134.249.116.78/index.php
Set-Cookie: htp_uid_utm=1; expires=Thu, 28-Mar-2019 14:37:51 GMT; Max-Age=172800
X-Server-Powered-By: Engintron
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Content-Length: 0
X-XSS-Protection: 1; mode=block

Redirect headers
Date: Tue, 26 Mar 2019 14:37:51 GMT
X-Content-Type-Options: nosniff
Server: nginx
X-Nginx-Cache-Status: MISS
Location: http://134.249.116.78/index.php
Set-Cookie: htp_uid_utm=1; expires=Thu, 28-Mar-2019 14:37:51 GMT; Max-Age=172800
X-Server-Powered-By: Engintron
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Content-Length: 0
X-XSS-Protection: 1; mode=block

index.php
Path: 134.249.116.78/
Size: 0   x-fer: 1 KB   Type: XHR

General
Full URL: http://134.249.116.78/index.php
Protocol: HTTP/1.1
Server: 134.249.116.78 Lviv, Ukraine, ASN15895 (KSNET-AS, UA)
Reverse DNS: 134-249-116-78.broadband.kyivstar.net
Software: /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Referer: http://forextech.xyz/http/Box/login.html
Origin: http://forextech.xyz

Response headers
(none)

index.php (Cookie set)
Path: 134.249.116.78/
Redirect Chain:
  • http://forextech.xyz/index.php?rm=box_gen204_batch_record
  • http://134.249.116.78/index.php
Size: 0   x-fer: -1 B   Type: XHR

General
Full URL: http://134.249.116.78/index.php
Protocol: HTTP/1.1
Server: 89.163.144.68 Hattersheim, Germany, ASN24961 (MYLOC-AS, DE)
Reverse DNS: ve068.venus.dedi.server-hosting.expert
Software: nginx /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Security Headers:
  X-Content-Type-Options: nosniff
  X-Xss-Protection: 1; mode=block

Request headers
Pragma: no-cache
Origin: http://forextech.xyz
Accept-Encoding: gzip, deflate
Host: forextech.xyz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Cache-Control: no-cache
Referer: http://forextech.xyz/http/Box/login.html
Connection: keep-alive
Content-Length: 424

Response headers
Date: Tue, 26 Mar 2019 14:37:56 GMT
X-Content-Type-Options: nosniff
Server: nginx
Content-Type: text/html; charset=UTF-8
Location: http://134.249.116.78/index.php
Set-Cookie: htp_uid_utm=1; expires=Thu, 28-Mar-2019 14:37:56 GMT; Max-Age=172800
X-Server-Powered-By: Engintron
Connection: keep-alive
Content-Length: 0
X-XSS-Protection: 1; mode=block

Redirect headers
Date: Tue, 26 Mar 2019 14:37:56 GMT
X-Content-Type-Options: nosniff
Server: nginx
Content-Type: text/html; charset=UTF-8
Location: http://134.249.116.78/index.php
Set-Cookie: htp_uid_utm=1; expires=Thu, 28-Mar-2019 14:37:56 GMT; Max-Age=172800
X-Server-Powered-By: Engintron
Connection: keep-alive
Content-Length: 0
X-XSS-Protection: 1; mode=block

index.php
Path: 134.249.116.78/
Size: 0   x-fer: 0   Type: XHR

General
Full URL: http://134.249.116.78/index.php
Protocol: HTTP/1.1
Server: 134.249.116.78 Lviv, Ukraine, ASN15895 (KSNET-AS, UA)
Reverse DNS: 134-249-116-78.broadband.kyivstar.net
Software: /
Resource Hash: (none)

Request headers
Referer: http://forextech.xyz/http/Box/login.html
Origin: http://forextech.xyz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Response headers
(none)

Verdicts & Comments

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Box.com (Consumer)

10 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

  • object    onselectstart
  • object    onselectionchange
  • function  queueMicrotask
  • function  $t
  • function  $
  • function  jQuery
  • function  P
  • object    Box
  • function  moment
  • object    Resin

0 Cookies

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header Value
X-Content-Type-Options nosniff
X-Xss-Protection 1; mode=block