Report - webmail.blackfoot.net/

Report Overview

Visited public
2024-07-29 08:37:45
Tags
zimbra phishing
Submit Tags
URL
webmail.blackfoot.net/
Finishing URL
webmail.blackfoot.net/
IP / ASN
129.159.110.135
#31898 ORACLE-BMC-31898
Title
Zimbra Web Client Sign In
Phishing - Zimbra Web Client

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
r10.o.lencr.org	unknown	2020-06-29	2024-06-06 21:45:11	2024-07-28 18:17:42	2.3 kB	6.2 kB	23.36.77.32
webmail.blackfoot.net	unknown	1996-10-04	2015-01-02 01:41:11	2024-03-14 23:25:36	1.5 kB	19 kB	129.159.110.135
cas.neonova.net	571223	1998-06-19	2012-07-13 17:31:12	2020-03-20 06:42:28	406 B	9.9 kB	137.118.7.42

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

JavaScript (4)

	URL	From	Size	First Seen	Last Seen
	webmail.blackfoot.net/	ScriptElement	223 B	2023-04-05	2025-07-15
Pretty URL webmail.blackfoot.net/ IP 129.159.110.135 ASN #31898 ORACLE-BMC-31898 Introduced by scriptElement Embedded in HTML true Observations First Seen2023-04-05 17:34 Last Seen2025-07-15 01:52 Times Seen273 Hash 2d4c69404ed9a738196892bf2cce846a 468c116700a65c6cdf01b66b64e6fe75f14d5963 6280a45d769b5ccf3eadea71f466744386ef91e6068a5df5f6e3c4bdb9067143 Loading...

	webmail.blackfoot.net/	ScriptElement	5.9 kB	2024-07-29	2024-08-29
Pretty URL webmail.blackfoot.net/ IP 129.159.110.135 ASN #31898 ORACLE-BMC-31898 Introduced by scriptElement Embedded in HTML true Observations First Seen2024-07-29 10:37 Last Seen2024-08-29 17:29 Times Seen2 Hash e436fc4e57478de5baccd5f7d8e2fa8e 4d6455d57ccebcec95abe2fb300d123796c66caf cd4b4fce85366a70feff3ff67e30d5d5005ad5a1036cb6321990d660abace0f0 Loading...

	unknown	EventHandler	9 B	2023-04-11	2025-07-15
Pretty Introduced by eventHandler Embedded in HTML false Observations First Seen2023-04-11 04:37 Last Seen2025-07-15 10:53 Times Seen2568 Hash 8330d67045d053b17fa969ef2bdb5e54 041174325b27a7b4d2d1b1a0e353fa82d1cb6431 ceecf99c8bd1f6e5f89a26d3b40e009d48860d674231297254ff75d817b9a883 Loading...

		Size	First Seen	Last Seen
	#1 Write - 3050ae2abb1cd3f35953b5103fa3954a	136 B	2023-03-07 01:34	2025-07-15 10:53
Pretty Observations First Seen2023-03-07 01:34 Last Seen2025-07-15 10:53 Times Seen532 Hash 3050ae2abb1cd3f35953b5103fa3954a 1ed99d798e4fccce033962261830aa361a8e0c74 5f5bd55e3dc0ffc7f8c75f07f64be080f6513b37ab2628d0420f3668a9899412 Loading...

HTTP Transactions (11)

URL IP Response Size

r10.o.lencr.org/

23.36.77.32

504 B

URL
r10.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
1923cde36555abe065c52a358521a6f5
1cfff065ff7d9706aa7142cc99855769a50f642e
9bdc1a9c47d76dc96134b04996050573491d15a2d8b6be4157791b9d6f0766c9

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "9BDC1A9C47D76DC96134B04996050573491D15A2D8B6BE4157791B9D6F0766C9"
Last-Modified: Sat, 27 Jul 2024 06:56:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=10512
Expires: Mon, 29 Jul 2024 11:32:32 GMT
Date: Mon, 29 Jul 2024 08:37:20 GMT
Connection: keep-alive

r10.o.lencr.org/

23.36.77.32

504 B

URL
r10.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
2d61bb5b56bc4df48e399a14ebeea8ca
60814ad62b84875481a3fc851280f608dbc0b4f6
504effa12a1ca53eac798bf38ea5a9edde08ec398b53c8de2885a94f133ea845

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "504EFFA12A1CA53EAC798BF38EA5A9EDDE08EC398B53C8DE2885A94F133EA845"
Last-Modified: Sat, 27 Jul 2024 06:27:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=10451
Expires: Mon, 29 Jul 2024 11:31:31 GMT
Date: Mon, 29 Jul 2024 08:37:20 GMT
Connection: keep-alive

r10.o.lencr.org/

23.36.77.32

504 B

URL
r10.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
182b9c01b864c7d116c3fc28cbb58d6e
644efdd1cd6ee4e5d5ec976387b3dbf47ed51dc1
5d2cc1a96f886c04483d570f2fba83b9b430796d2faf9d6d115cca98bc6b713f

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "5D2CC1A96F886C04483D570F2FBA83B9B430796D2FAF9D6D115CCA98BC6B713F"
Last-Modified: Sat, 27 Jul 2024 06:58:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=6205
Expires: Mon, 29 Jul 2024 10:20:45 GMT
Date: Mon, 29 Jul 2024 08:37:20 GMT
Connection: keep-alive

r10.o.lencr.org/

23.36.77.32

504 B

URL
r10.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
81824d7fe3586f45f4b9de236d1c9ea6
5027c81d077b62345c80560922f2d6cd51c42efb
8fdc10e4c15083f0f547cf016657e65e77beb95ca9ed87c0aa820ae2054a9a99

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "8FDC10E4C15083F0F547CF016657E65E77BEB95CA9ED87C0AA820AE2054A9A99"
Last-Modified: Sat, 27 Jul 2024 06:57:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=20604
Expires: Mon, 29 Jul 2024 14:20:45 GMT
Date: Mon, 29 Jul 2024 08:37:21 GMT
Connection: keep-alive

r10.o.lencr.org/

23.36.77.32

504 B

URL
r10.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
30ac3d03d4a05f71adc9d3d5e1ef1f01
e4283d695f624f362fa3267c2419e136b5c4ac82
90158f7866d49c88eb5e19e6782a32e411893db783dacbdc1d11568addbe3979

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "90158F7866D49C88EB5E19E6782A32E411893DB783DACBDC1D11568ADDBE3979"
Last-Modified: Sat, 27 Jul 2024 07:48:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=21562
Expires: Mon, 29 Jul 2024 14:36:43 GMT
Date: Mon, 29 Jul 2024 08:37:21 GMT
Connection: keep-alive

GET webmail.blackfoot.net/

129.159.110.135

200 OK

4.5 kB

URL User Request GET HTTP/1.1
webmail.blackfoot.net/
IP
129.159.110.135:443
ASN
#31898 ORACLE-BMC-31898

Certificate
IssuerLet's Encrypt
Subjectwebmail.blackfoot.net
FingerprintB3:6C:3B:AD:93:CB:1D:46:B5:3E:AD:32:47:6F:34:CA:C2:2C:EC:A3
ValidityMon, 08 Jul 2024 13:08:42 GMT - Sun, 06 Oct 2024 13:08:41 GMT

File type
HTML document, Unicode text, UTF-8 text, with very long lines (729)
Size
4.5 kB (4538 bytes)
Hash
6809e90c9f46b73c1ff5c8b616e6d4fc
5069115a8f24621ddb83d8bb6471c9fdf22a4f2c
e2129bd9a03de087b75b4b3773647bd3a423b1947c73868ab0914f76ff41393a

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Zimbra Web Client

HTTP Headers

GET / HTTP/1.1
Host: webmail.blackfoot.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 29 Jul 2024 08:37:21 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: no-referrer
X-Frame-Options: SAMEORIGIN
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Language: en-US
Set-Cookie: ZM_TEST=true
ZM_LOGIN_CSRF=1127f21c-c8a7-423c-8b3c-eb310512caad;HttpOnly
X-UA-Compatible: IE=edge
Vary: User-Agent, Accept-Encoding
Content-Encoding: gzip

GET webmail.blackfoot.net/css/common,login,zhtml,skin.css?skin=harmony&v=220324043827

129.159.110.135

200 OK

12 kB

URL GET HTTP/1.1
webmail.blackfoot.net/css/common,login,zhtml,skin.css?skin=harmony&v=220324043827
IP
129.159.110.135:443
ASN
#31898 ORACLE-BMC-31898

Requested by
https://webmail.blackfoot.net/
Certificate
IssuerLet's Encrypt
Subjectwebmail.blackfoot.net
FingerprintB3:6C:3B:AD:93:CB:1D:46:B5:3E:AD:32:47:6F:34:CA:C2:2C:EC:A3
ValidityMon, 08 Jul 2024 13:08:42 GMT - Sun, 06 Oct 2024 13:08:41 GMT

File type
ASCII text, with very long lines (751)
Size
12 kB (11913 bytes)
Hash
c6a6278602f68d4fdf90ff83011e52f4
0e517981baf9b3b1cbb9c0125c0961f1f1431f18
cf06ef91e1dfe796d9115242919c1b46a9d79c392839275ad69c153e18cd987d

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Zimbra Web Client

HTTP Headers

GET /css/common,login,zhtml,skin.css?skin=harmony&v=220324043827 HTTP/1.1
Host: webmail.blackfoot.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Cookie: ZM_TEST=true; ZM_LOGIN_CSRF=1127f21c-c8a7-423c-8b3c-eb310512caad
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 29 Jul 2024 08:37:21 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: no-referrer
X-Frame-Options: SAMEORIGIN
Expires: Wed, 28 Aug 2024 09:37:21 GMT
Cache-Control: public, max-age=2595600
Vary: User-Agent, Accept-Encoding
Content-Encoding: gzip

GET webmail.blackfoot.net/img/logo/favicon.ico

129.159.110.135

200 OK

1.2 kB

URL GET HTTP/1.1
webmail.blackfoot.net/img/logo/favicon.ico
IP
129.159.110.135:443
ASN
#31898 ORACLE-BMC-31898

Requested by
https://webmail.blackfoot.net/
Certificate
IssuerLet's Encrypt
Subjectwebmail.blackfoot.net
FingerprintB3:6C:3B:AD:93:CB:1D:46:B5:3E:AD:32:47:6F:34:CA:C2:2C:EC:A3
ValidityMon, 08 Jul 2024 13:08:42 GMT - Sun, 06 Oct 2024 13:08:41 GMT

File type
MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Size
1.2 kB (1150 bytes)
Hash
8c7d1c14e4b9c42f07bd6b800d93b806
87e49826ffb3bc1ddac38feebb6bb98eaef568b2
1afd891aacc433e75265e3ddc9cb4fc63b88259977811384426c535037711637

Detections

Analyzer	Verdict	Alert
urlquery	phishing	Phishing - Zimbra Web Client

HTTP Headers

GET /img/logo/favicon.ico HTTP/1.1
Host: webmail.blackfoot.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Cookie: ZM_TEST=true; ZM_LOGIN_CSRF=1127f21c-c8a7-423c-8b3c-eb310512caad
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 29 Jul 2024 08:37:22 GMT
Content-Type: image/x-icon
Content-Length: 1150
Connection: keep-alive
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: no-referrer
X-Frame-Options: SAMEORIGIN
Expires: Wed, 28 Aug 2024 09:37:22 GMT
Cache-Control: public, max-age=2595600
Last-Modified: Thu, 24 Mar 2022 08:00:10 GMT
Accept-Ranges: bytes

GET cas.neonova.net/zimbra/blackfoot.net-large.png

137.118.7.42

200 OK

9.7 kB

URL GET HTTP/1.1
cas.neonova.net/zimbra/blackfoot.net-large.png
IP
137.118.7.42:443
ASN
#6250 NEONOVA-NET

Requested by
https://webmail.blackfoot.net/
Certificate
IssuerGoDaddy.com, Inc.
Subject*.neonova.net
FingerprintD8:E8:46:53:A7:78:FD:7E:DA:DF:AC:14:A9:A3:FA:EC:66:D7:06:BC
ValidityWed, 06 Dec 2023 16:21:27 GMT - Sat, 04 Jan 2025 19:12:38 GMT

File type
PNG image data, 440 x 60, 8-bit/color RGBA, non-interlaced
Size
9.7 kB (9654 bytes)
Hash
3604df086e1fafb419a716695aa3539c
986923a69318697351a94da67a0e5b10eca63f54
f1003575ad2dc6bd8d6f539c5df98ecc08b32bbbfc0917ea34f997c98d541785

HTTP Headers

GET /zimbra/blackfoot.net-large.png HTTP/1.1
Host: cas.neonova.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 29 Jul 2024 08:37:22 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 06 Dec 2023 11:06:38 GMT
ETag: "aa325-25b6-60bd5585b28b0"
Accept-Ranges: bytes
Content-Length: 9654
Connection: close
Content-Type: image/png

r10.o.lencr.org/

23.36.77.32

504 B

URL
r10.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
9a7aa74598eea5bc84f07fc2318a2e3c
5de3cab9a17f1d5becc592a7e890fdf7270f6f68
b91855e23d5499619d9f797b60209740f0c9b5c3514d0939124ac1afa6b577bf

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "B91855E23D5499619D9F797B60209740F0C9B5C3514D0939124AC1AFA6B577BF"
Last-Modified: Sat, 27 Jul 2024 06:27:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=5594
Expires: Mon, 29 Jul 2024 10:10:37 GMT
Date: Mon, 29 Jul 2024 08:37:23 GMT
Connection: keep-alive

r10.o.lencr.org/

23.36.77.32

504 B

URL
r10.o.lencr.org/
IP
23.36.77.32:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
9a7aa74598eea5bc84f07fc2318a2e3c
5de3cab9a17f1d5becc592a7e890fdf7270f6f68
b91855e23d5499619d9f797b60209740f0c9b5c3514d0939124ac1afa6b577bf

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "B91855E23D5499619D9F797B60209740F0C9B5C3514D0939124AC1AFA6B577BF"
Last-Modified: Sat, 27 Jul 2024 06:27:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=5594
Expires: Mon, 29 Jul 2024 10:10:37 GMT
Date: Mon, 29 Jul 2024 08:37:23 GMT
Connection: keep-alive

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

JavaScript (4)

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

Introduced by

Embedded in HTML

Observations

Hash

Observations

Hash

HTTP Transactions (11)

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL User Request GET HTTP/1.1

IP

ASN

Certificate

File type

Size

Hash

Detections

HTTP Headers

URL GET HTTP/1.1

IP