Alan Neilan's blog of random stuff™

Project maintained by ANeilan Hosted on GitHub Pages — Theme by mattgraham

Crap I Found On The Internet: (2020/10/17)

Hey folks, ran out of time yesterday, so i’m posting this today. Went through some freenom domains, as well as no-ip domains combing for some phishing kits. Might update this later with more domains / a separate table for those as i find them.

Phishing Kits

UPDATED (2020/10/18): uploaded samples to malshare.com

URL	IP	Exfil Email
aleatoresdemanufactores-paraaviones[.]gq/yan/x[.]zip	50[.]87[.]148[.]254	None [1]
beyondperfumes[.]icu/tbconline[.]zip	91[.]234[.]99[.]115	zate123man@gmail[.]com
bigfishocean[.]gq/HSVMENSCLUB/HSVMENSCLUB[.]zip	104[.]168[.]155[.]242	martinsbossman83@gmail[.]com [2]
check-police-6347544558[.]ga/CC_LOGIN%20(1)[.]zip	101[.]50[.]1[.]53	None [3]
check-police-6347544559[.]ga/CC_LOGIN%20(1)[.]zip	101[.]50[.]1[.]53	None [3]
check-police-6347544560[.]ga/CC_LOGIN%20(1)[.]zip	101[.]50[.]1[.]53	None [3]
custoclietsserver[.]myftp[.]org/cha3e[.]zip	13[.]82[.]143[.]56	rzult@custoclietsserver[.]myftp[.]org
discountjugaad[.]icu/tbconline[.]zip	N/A	zate123man@gmail[.]com
huwire[.]cf/success/dropboxu%20(1)[.]zip	91[.]234[.]99[.]98	annyoordaz@gmail[.]com keiernslopper@gmail[.]com meycroxxmayne@gmail[.]com robbinscott130@gmail[.]com sendinfo2@africamail[.]com
jasonballinteriors[.]icu/tbconline[.]zip	91[.]234[.]99[.]115	zate123man@gmail[.]com
justiceforcecily[.]icu/tbconline[.]zip	91[.]234[.]99[.]115	zate123man@gmail[.]com
loginchaseonline[.]ddns[.]net/Login-1[.]zip	3[.]135[.]247[.]1	sarubhabhai4288@gmail[.]com
maques[.]ddns[.]net/MeD-pLoy-CheCkeR-ChAse-Bank[.]zip	162[.]241[.]121[.]204	testchcek@gmail[.]com
myappsamazonwbnukm[.]servecounterstrike[.]com/16Shop-AMZ-V19[.]zip [3]	162[.]241[.]127[.]119	jeni@jenifer[.]com jeniferse@openid[.]store
mytest-server[.]ddnsking[.]com/b0a[.]zip	152[.]67[.]230[.]155	richk3059@gmail[.]com
myusaaportal[.]myvnc[.]com/usaalogin/USAA[.]zip	34[.]226[.]140[.]55	dianath247@yandex[.]com
pickupaccessories[.]icu/tbconline[.]zip	N/A	zate123man@gmail[.]com
primeelement[.]icu/tbconline[.]zip	91[.]234[.]99[.]115	zate123man@gmail[.]com
redzoneplus[.]icu/of1[.]zip	91[.]234[.]99[.]115	logs[.]box45@yandex[.]com Ronniesimp2@gmail[.]com
reedit[.]zzvx[.]my[.]id/FreeLuckyCreat%5BIkhbalJb%5D[.]zip	192[.]210[.]219[.]168	spayzye@gmail[.]com
reedit[.]zzvx[.]my[.]id/Incu_xm8_tersembunyi[.]zip	192[.]210[.]219[.]168	bersama[.]1akun@gmail[.]com
reedit[.]zzvx[.]my[.]id/reedit%202%20imel[.]zip	192[.]210[.]219[.]168	charlezganz@gmail[.]com pakeemaillo@gmail[.]com
securewebpage07[.]hopto[.]org/xlcheck/xlcheck[.]zip	128[.]199[.]8[.]149	jdakmamak3@mail[.]ru
security-404[.]servehttp[.]com/ppl/login[.]zip	62[.]210[.]130[.]232	zaek69120@gmail[.]com
securityppldsp2[.]ddns[.]net/Santos[.]zip	159[.]203[.]6[.]146	testthet@yandex[.]ru
servinfo-secure[.]bounceme[.]net/Joker[.]zip	62[.]4[.]17[.]59	sezersez3r@yandex[.]com
servinfo-secure[.]bounceme[.]net/login[.]zip	62[.]4[.]17[.]59	xnadori@yandex[.]com
servinfo-secure[.]bounceme[.]net/signin[.]zip	62[.]4[.]17[.]59	sifouloucif@yandex[.]com
servinfo-secure[.]bounceme[.]net/test[.]zip	62[.]4[.]17[.]59	Ahmedbenaissa681@yandex[.]com
servinfo-secure[.]bounceme[.]net/test(1)[.]zip	62[.]4[.]17[.]59	Ahmedbenaissa681@yandex[.]com
servinfo-secure[.]bounceme[.]net/xTornado-scama[.]zip	62[.]4[.]17[.]59	YOUR-EMAIL@DOMAINE[.]COM (unconfigured most likely)
srvs-ctmrsvcsrbcds[.]servebeer[.]com/16Shop-PP-V1[.]4%20(1)[.]zip [4]	52[.]229[.]191[.]9	segelaskopi77@yandex[.]com
srvs-dfnetacntlckd[.]servebeer[.]com/16Shop-PP-V1[.]4%20(1)[.]zip [4]	52[.]229[.]191[.]9	segelaskopi77@yandex[.]com
thejobsavailable[.]icu/tbconline[.]zip	N/A	zate123man@gmail[.]com

note: `N/A` under the IP header indicates the site was no longer resolving (according to maltego) by the time i originally started putting the data into a table

note: some of the samples couldn’t be uploaded at the moment due to upload constraints

[1]: writes to file: `culo.html`

[2]: also sends to telegram chat: 1211929484; token: `1111796277:AAFxcNgtuKsw4PmEXPfYs---CM8HgjHyCbM`

[3]: writes to two text files: `________PAYPAL_.txt` and `_C^C__.txt`

[4]: C2 is `178.128.104.179`

Return to index

Alan Neilan's blog of random stuff™

Crap I Found On The Internet: (2020/10/17)

Phishing Kits

note: N/A under the IP header indicates the site was no longer resolving (according to maltego) by the time i originally started putting the data into a table

note: some of the samples couldn’t be uploaded at the moment due to upload constraints

[1]: writes to file: culo.html

[2]: also sends to telegram chat: 1211929484; token: 1111796277:AAFxcNgtuKsw4PmEXPfYs---CM8HgjHyCbM

[3]: writes to two text files: ____________PAYPAL_________.txt and ___________________________C^C________________________.txt

[4]: C2 is 178.128.104.179

note: `N/A` under the IP header indicates the site was no longer resolving (according to maltego) by the time i originally started putting the data into a table

[1]: writes to file: `culo.html`

[2]: also sends to telegram chat: 1211929484; token: `1111796277:AAFxcNgtuKsw4PmEXPfYs---CM8HgjHyCbM`

[3]: writes to two text files: `________PAYPAL_.txt` and `_C^C__.txt`

[4]: C2 is `178.128.104.179`