Source: https://interface01.nsxtlmv.workers.dev/ |
Avira URL Cloud: detection malicious, Label: phishing |
Source: https://interface01.nsxtlmv.workers.dev/ |
SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering |
Source: https://interface01.nsxtlmv.workers.dev/style.css |
Avira URL Cloud: Label: phishing |
Source: https://interface01.nsxtlmv.workers.dev/favicon.ico |
Avira URL Cloud: Label: phishing |
Source: https://interface01.nsxtlmv.workers.dev/ |
Virustotal: Detection: 17% |
Perma Link |
Source: https://interface01.nsxtlmv.workers.dev/ |
LLM: Score: 9 brands: AOL Reasons: The URL 'https://interface01.nsxtlmv.workers.dev/' does not match the legitimate domain for AOL, which is typically 'aol.com'. The use of a subdomain under 'workers.dev' is suspicious and often used in phishing attacks. The page contains a login form, which is a common target for phishing. The overall design mimics a legitimate AOL login page, which is a social engineering technique to deceive users. DOM: 0.0.pages.csv |
Source: Yara match |
File source: 0.0.pages.csv, type: HTML |
Source: Yara match |
File source: dropped/chromecache_45, type: DROPPED |
Source: Yara match |
File source: dropped/chromecache_47, type: DROPPED |
Source: Yara match |
File source: dropped/chromecache_51, type: DROPPED |
Source: Yara match |
File source: dropped/chromecache_49, type: DROPPED |
Source: https://interface01.nsxtlmv.workers.dev/ |
LLM: Score: 10 Reasons: The JavaScript code captures user email and password, and sends this information to a Telegram bot. This is a clear indication of phishing or credential theft. DOM: 0.0.pages.csv |
Source: https://interface01.nsxtlmv.workers.dev/ |
LLM: Score: 8 Reasons: The JavaScript code uses 'document.write' with a heavily obfuscated string, which is a common technique used in malicious scripts to hide their true functionality. This obfuscation makes it difficult to determine the exact behavior of the code without further analysis, indicating a high risk of malicious intent. DOM: 0.0.pages.csv |
Source: https://interface01.nsxtlmv.workers.dev/ |
LLM: Score: 8 Reasons: The code uses 'document.write' with a heavily obfuscated string, which is a common technique used in malicious scripts to hide their true intent. This method can be used to inject malicious content into the webpage. The use of 'unescape' to decode the string further suggests an attempt to obscure the code's functionality. DOM: 0.0.pages.csv |
Source: https://interface01.nsxtlmv.workers.dev/ |
Matcher: Template: aol matched |
Source: https://interface01.nsxtlmv.workers.dev/ |
HTTP Parser: Number of links: 0 |
Source: https://interface01.nsxtlmv.workers.dev/ |
HTTP Parser: <input type="password" .../> found but no <form action="... |
Source: https://interface01.nsxtlmv.workers.dev/ |
HTTP Parser: Total embedded image size: 45438 |
Source: https://interface01.nsxtlmv.workers.dev/ |
HTTP Parser: Title: AOL does not match URL |
Source: https://interface01.nsxtlmv.workers.dev/ |
HTTP Parser: Invalid link: Forgot password? |
Source: https://interface01.nsxtlmv.workers.dev/ |
HTTP Parser: Invalid link: Help |
Source: https://interface01.nsxtlmv.workers.dev/ |
HTTP Parser: <input type="password" .../> found |
Source: https://interface01.nsxtlmv.workers.dev/ |
HTTP Parser: No favicon |
Source: https://interface01.nsxtlmv.workers.dev/ |
HTTP Parser: No <meta name="author".. found |
Source: https://interface01.nsxtlmv.workers.dev/ |
HTTP Parser: No <meta name="copyright".. found |
Source: unknown |
HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49743 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49747 version: TLS 1.2 |
Source: chrome.exe |
Memory has grown: Private usage: 0MB later: 42MB |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.46.162.224 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 173.222.162.32 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 173.222.162.32 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 184.28.90.27 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: interface01.nsxtlmv.workers.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /style.css HTTP/1.1Host: interface01.nsxtlmv.workers.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://interface01.nsxtlmv.workers.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /?format=jsonp&callback=getIP HTTP/1.1Host: api.ipify.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://interface01.nsxtlmv.workers.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /color/50/000000/google-logo.png HTTP/1.1Host: img.icons8.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://interface01.nsxtlmv.workers.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /color/50/000000/google-logo.png HTTP/1.1Host: img.icons8.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: interface01.nsxtlmv.workers.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://interface01.nsxtlmv.workers.dev/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com |
Source: global traffic |
HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: interface01.nsxtlmv.workers.devConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
DNS traffic detected: DNS query: interface01.nsxtlmv.workers.dev |
Source: global traffic |
DNS traffic detected: DNS query: www.google.com |
Source: global traffic |
DNS traffic detected: DNS query: api.ipify.org |
Source: global traffic |
DNS traffic detected: DNS query: img.icons8.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49744 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49743 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49742 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49741 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49740 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49678 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49741 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49748 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49743 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49745 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49736 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49736 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49757 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49757 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49675 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49740 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49742 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49747 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49744 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49748 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49747 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49745 |
Source: unknown |
HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49743 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49747 version: TLS 1.2 |
Source: classification engine |
Classification label: mal96.phis.win@16/14@12/9 |
Source: unknown |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" |
|
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2360,i,9441452327642718650,10753621916115848608,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 |
|
Source: unknown |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://interface01.nsxtlmv.workers.dev/" |
|
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2360,i,9441452327642718650,10753621916115848608,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Jump to behavior |
Source: Window Recorder |
Window detected: More than 3 window changes detected |