Uncovering an Indonesian Phishing Campaign Through ANY.RUN Behavioral Analysis

ANY.RUN was used to detect and dissect a multi-domain phishing operation targeting Indonesian organizations, surfacing a suspicious URL (mssindonesia.zerantis.info) and exposing a full HTML Zimbra login clone with credential harvesting. The investigation traced second-stage domains, TLS/SNI data, and hosting on GH0STnet infrastructure, confirming Cloudflare-proxied phishing pages and connections to related campaigns. #GH0STnet #zerantis.info #zylvantis.info #ZimbraPhishing #IndonesianOrganizations #ZimbraWebmail #ANY.RUN

Keypoints

  • ANY.RUN enabled rapid detection and artifact collection of the phishing campaign.
  • The phishing pages used a full HTML Zimbra login clone with prefilled victim emails.
  • Network data revealed second-stage domains and a Cloudflare-proxied infrastructure hosted by GH0STnet.
  • PCAP export allowed full validation of the encrypted credential-harvesting flow and TLS/SNI details.
  • External threat intel corroborated the campaign, linking zerantis domains and Zimbra phishing patterns to broader activity in Indonesia.

Focus of This Report:
How ANY.RUN allowed us to detect, dissect, and pivot into a larger phishing infrastructure targeting Indonesian organizations.


🚀 1. Introduction — Why ANY.RUN Matters in This Investigation

The entire threat discovery began with a simple search inside ANY.RUN using the keyword:
“indonesia”

This search immediately surfaced a suspicious sandbox task involving:
“mssindonesia.zerantis.info”

From this point, ANY.RUN provided every key artifact needed to confirm, expand, and correlate the threat:

  • malicious URL
  • browser behavior
  • phishing page rendering
  • network traffic
  • SNI information
  • IP resolution
  • certificate anomalies
  • PCAP export for offline validation

This demonstrates how ANY.RUN is not just a sandbox, but a threat intelligence pivoting platform.


🧭 2. Initial Discovery

2.1 Suspicious URL Loaded by Browser

ANY.RUN’s process tree revealed Microsoft Edge launching with:

“C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe”
“https://mssindonesia.zerantis.info/[email protected]”

From just one line of command-line arguments, ANY.RUN gave us:

| Evidence | Why it matters |
| --- | --- |
| Random numeric parameter | Typical of phishing tracking IDs |
| Email embedded in URL | Clear sign of spear-phishing |
| Suspicious domain (zerantis.info) | No legitimate relationship with the brand |
| HTTPS traffic captured | Allows PCAP export for deeper analysis |
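To turn the four indicators in the table above into a repeatable triage check, here is an added example (not part of the original report or of ANY.RUN) that scores a URL for an embedded victim address, a bare numeric tracking value, a brand word on an unrelated registered domain, and membership in a watchlist built from the domains this report names. The sample URLs, the WATCHLIST and the BRAND_RE word list are constructed for the demo, and registered_domain() is a naive last-two-labels approximation rather than a Public Suffix List lookup.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical watchlist built from the registered domains named in this report.
WATCHLIST = {"zerantis.info", "zylvantis.info", "alchemaxcis.com"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BRAND_RE = re.compile(r"mail|webmail|zimbra|indonesia|login|sso")   # assumed brand words

def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); fine for .info/.com, no PSL lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def assess_url(url: str) -> dict:
    """Collect the phishing indicators seen in the report's URL and score them."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    decoded = unquote(parts.path + "?" + parts.query + "#" + parts.fragment)
    reasons = []
    emails = EMAIL_RE.findall(decoded)
    if emails:                                                 # victim address carried in URL
        reasons.append("email_in_url")
    values = [v for vals in parse_qs(parts.query, keep_blank_values=True).values() for v in vals]
    values += parts.path.split("/")
    if any(v.isdigit() and len(v) >= 4 for v in values):      # bare numeric tracking/campaign id
        reasons.append("numeric_tracking_param")
    reg = registered_domain(host)
    sub = host[:-len(reg)].rstrip(".") if host.endswith(reg) else ""
    if BRAND_RE.search(sub):                                   # brand word on an unrelated domain
        reasons.append("brand_in_subdomain")
    if reg in WATCHLIST:
        reasons.append("watchlisted_domain")
    return {"host": host, "emails": emails, "reasons": reasons,
            "suspicious": len(reasons) >= 2}

# Constructed samples mirroring the report's URL shape (victim address is made up).
SAMPLE_PHISH_URL = "https://mssindonesia.zerantis.info/83720194?e=victim%40example.co.id"
SAMPLE_BENIGN_URL = "https://www.example.com/login?next=%2Fhome"
```

Feeding proxy or sandbox URL logs through assess_url() surfaces the same pattern the analyst spotted by hand, with the reasons list explaining each hit.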

ANY.RUN captured everything end-to-end, automatically.

🖼️ 2.2. Browser Recording Exposed a Full Fake Zimbra Login

The rendered output inside ANY.RUN clearly showed:

  • A clone Zimbra login page
  • Username field pre-filled with target victim email
  • Accurate UI replication (colors, icons, layout)
  • Functional phishing form

Because ANY.RUN records the GUI session, we visually verified the following:

  1. This is not a redirect – the phishing site hosts a full HTML clone.
  2. Likely credential harvesting – password box sends data via hidden POST.

🌐 3. Network Panel

The Network tab in ANY.RUN exposed all outbound connections, letting us pivot into the full infrastructure.

3.1 Observed Connections

| Host | IP | Notes |
| --- | --- | --- |
| mssindonesia.zerantis.info | 172.67.139.99 | Cloudflare-proxied phishing page |
| kteakgpvzn.zylvantis.info | 5.230.249.58 | Second-stage suspicious domain |
| mssindonesia.alchemaxcis.com | (var.) | Another related phishing domain |

⚠️ 4. Second-Stage Malicious Domain

While inspecting the traffic graph, ANY.RUN revealed unexpected TLS sessions to:
kteakgpvzn.zylvantis.info

ANY.RUN detections showed:

  • Hostname resolution
  • TLS handshake metadata
  • SNI revealing exact domain accessed
  • Traffic size (2–3 KB upload, 22–154 KB download)

GH0STnet GmbH Hosting

ANY.RUN identified the resolved IP as belonging to:
ASN12586 — GH0STnet GmbH

External intelligence confirmed GH0STnet is associated with multiple:

  • brute-force attempts
  • malware C2 infrastructure
  • phishing campaigns
  • bulletproof-style hosting behavior

📄 5. PCAP Export Confirmed Encrypted Phishing Flow

ANY.RUN allowed direct export of the PCAP, giving us full packet-level evidence.

PCAP analysis confirmed:

  • HTTPS traffic to both malicious domains
  • browser-centric POST/GET behavior
  • no malware downloads
  • pure credential harvesting operation

PCAP revealed both domains embedded directly in the TLS SNI:

  • zerantis.info
  • zylvantis.info


🧠 6. Correlation With External Threat Intelligence

6.1 Spamhaus DBL

Spamhaus lookup: zerantis.info → LISTED (malicious)

6.2 AbuseIPDB / ThreatFox on GH0STnet ASN

  • botnet involvement
  • brute force attacks
  • scanning activity

6.3 Pattern Matches Known Zimbra Phishing Campaigns

  • cloned Zimbra login
  • prefilled victim email
  • Cloudflare-proxied phishing

These match ESET & BleepingComputer reports on Zimbra phishing.


🌏 7. Regional Threat Context

ANY.RUN’s initial artifact (phishing URL) led us to identify a broader pattern seen in Indonesia:

  • spear-phishing emails with the victim’s email in URL parameters
  • fake Zimbra portals used heavily against Indonesian companies
  • combosquatting domains impersonating local brands
  • Cloudflare-proxied infrastructure

🏁 Conclusion

Through the power of ANY.RUN’s visibility, we exposed:

  • a multi-domain phishing campaign
  • active impersonation of Zimbra Webmail
  • spear-phishing targeting Indonesian victims
  • second-stage infrastructure on a high-risk ASN
  • Cloudflare-proxied phishing pages
  • credential harvesting with encrypted POSTs

Source: https://app.any.run/tasks/32e7219e-840f-4f42-9454-2bf088db1860