Alan Neilan's blog of random stuff™



Crap I Found On The Internet (2020/11/09)

Hey folks, I decided to make another blogpost with some more kits I've found over the past few days. There are a handful of Freenom domains in here, but dynamic DNS domains make up the majority of the kits I found.

There was one kit (across 3 domains) that, for whatever reason, was in some weird encoding. Feel free to take a look once I upload the kits to MalShare, as I can't seem to make heads or tails of it.

Phishing Kits

| URL | IP | Exfil Email |
|---|---|---|
| 74joseph[.]ddns[.]net/luesdotham/vnn[.]zip | 103[.]255[.]237[.]180 | N/A, writes to c5ee9de66d957e8dcf2f9bd74b337825[.]txt |
| account-service-updates2[.]duckdns[.]org/16Shop-PP-V1[.]4[.]zip | 162[.]241[.]127[.]29 | monyetcin@yandex[.]com |
| account-service-updates285[.]duckdns[.]org/16Shop-PP-V1[.]4[.]zip | 162[.]241[.]127[.]29 | monyetcin@yandex[.]com |
| ainhemaem[.]duckdns[.]org/loginmongolia[.]zip | 198[.]252[.]98[.]58 | N/A, writes to anhdeptraivl[.]txt |
| ainhemaem1[.]duckdns[.]org/loginmongolia[.]zip | 198[.]252[.]98[.]58 | N/A, writes to anhdeptraivl[.]txt |
| ainhemaem2[.]duckdns[.]org/loginmongolia[.]zip | 198[.]252[.]98[.]58 | N/A, writes to anhdeptraivl[.]txt |
| ainhemaem3[.]duckdns[.]org/loginmongolia[.]zip | 198[.]252[.]98[.]58 | N/A, writes to anhdeptraivl[.]txt |
| ainhemaem4[.]duckdns[.]org/loginmongolia[.]zip | 198[.]252[.]98[.]58 | N/A, writes to anhdeptraivl[.]txt |
| binfacts[.]3utilities[.]com/tr[.]zip | 193[.]239[.]84[.]203 | N/A, writes to saved[.]txt |
| cccvvv14[.]duckdns[.]org/loginmongolia[.]zip | 198[.]252[.]98[.]58 | N/A, writes to anhdeptraivl[.]txt |
| cccvvv15[.]duckdns[.]org/loginmongolia[.]zip | 198[.]252[.]98[.]58 | N/A, writes to anhdeptraivl[.]txt |
| cccvvv16[.]duckdns[.]org/loginmongolia[.]zip | 198[.]252[.]98[.]58 | N/A, writes to anhdeptraivl[.]txt |
| claimthizcodashopz[.]tk/Script_Reedit_Codashop(AlanGamers)[.]zip [1] | 173[.]249[.]26[.]90 | jekygradi@gmail[.]com |
| connect[.]verify[.]w3llsfargo[.]giize[.]com/Wellsfargo[.]zip | 134[.]209[.]215[.]123 | angrygerad@yandex[.]com |
| krarae[.]ga/uprg/counting[.]zip | 91[.]234[.]99[.]98 | unknown998877@yandex[.]com |
| logistic11[.]serveirc[.]com/mynewupdate[.]zip | 99[.]79[.]190[.]44 | securednotification8@yandex[.]com |
| lordnoob[.]hopto[.]org/gx40[.]zip | 158[.]101[.]22[.]140 | N/A |
| lordnoob[.]hopto[.]org/gx40/sendinbox-master[.]zip | 158[.]101[.]22[.]140 | ekasyahwan@hotmail[.]com |
| lordnoob[.]hopto[.]org/SendMailer-master[.]zip | 158[.]101[.]22[.]140 | smeekl@mail[.]ru |
| moreverifiedinfo[.]ddns[.]net/office%20(1)[.]zip | 46[.]17[.]96[.]115 | Your_email@gmail[.]com (unconfigured) |
| mysafeserver[.]sytes[.]net/SpoxV5[.]zip | 152[.]67[.]235[.]91 | lilduke060@gmail[.]com |
| no-reply[.]bounceme[.]net/KLODVSKY[.]zip | 188[.]166[.]114[.]181 | prindi[.]diar@yandex[.]com |
| ovcslogs[.]cf/office12[.]zip | 192[.]185[.]144[.]193 | N/A |
| ovcslogs[.]islamsalim[.]com/office12[.]zip | 192[.]185[.]144[.]193 | N/A |
| paypalwys[.]ddns[.]net/%E6%97%A5%E6%9C%AC%E4%BA%9A%E9%A9%AC%E9%80%8A%E6%BA%90%E7%A0%81[.]zip | 13[.]58[.]153[.]151 | gerard[.]haustrate19@gmail[.]com, slimslimmx@yahoo[.]com |
| pcikaeo-71[.]gq/Drve/OneeDrive[.]zip | 20[.]75[.]88[.]26* | rexulbox@protonmail[.]com |
| pelotasdebalompiesfutbolytenispatael-mejordeportes[.]tk/iko/in-co[.]zip | 192[.]185[.]17[.]44 | onlineservicebofa@usa[.]com |
| s-unknown[.]sina[.]oghab-host[.]xyz/Ip[.]zip | 80[.]209[.]233[.]22 | ¯\_(ツ)_/¯ (file is in an odd encoding, can't read it) |
| s-unknown[.]tk/Ip[.]zip | 80[.]209[.]233[.]22 | ¯\_(ツ)_/¯ (file is in an odd encoding, can't read it) |
| secure-89[.]redirectme[.]net/paypal%20scam%20page[.]zip | 18[.]216[.]167[.]91 | youremail@mail[.]com (unconfigured) |
| secure-account-aout9[.]duckdns[.]org/16Shop-PP-V1[.]4[.]zip | 162[.]241[.]127[.]29 | monyetcin@yandex[.]com |
| secure-particuliare[.]ddns[.]net/com[.]zip | 134[.]209[.]119[.]157 | karimpsn@yahoo[.]com |
| secure07websecure05c[.]duckdns[.]org/a/xbalti%20v4[.]zip | 91[.]234[.]99[.]171 | XBALTI@EMAIL[.]COM (unconfigured) |
| secureserver1001[.]ddns[.]net/4_5890888327564888243[.]zip | 152[.]67[.]225[.]238 | your-email@mail[.]com (unconfigured) |
| secureserver1001[.]ddns[.]net/Verification[.]zip | 152[.]67[.]225[.]238 | mix[.]max771@yandex[.]com |
| securewebload[.]hopto[.]org/wetranfer_lagacyV1[.]zip | 46[.]17[.]96[.]115 | frynbeq@yandex[.]com, hunting4pussy@protonmail[.]com |
| serv-lingarduska[.]duckdns[.]org/16Shop-PP-V1[.]4[.]zip | 162[.]241[.]121[.]81 | ppkmktest@yandex[.]com |
| servicepaypalnet[.]ddns[.]net/4_6042084340458850037[.]zip | 134[.]209[.]211[.]63 | hamitakt@yandex[.]com |
| sg-secure[.]myvnc[.]com/com[.]zip | 134[.]209[.]119[.]157 | karimpsn@yahoo[.]com |
| snimir[.]cf/new/counting[.]zip | 91[.]234[.]99[.]98 | unknown998877@yandex[.]com |
| staybent[.]cf/gci/netflix[.]zip | 192[.]185[.]48[.]126 | damaandaa@gmail[.]com |
| staybent[.]lsebd[.]com/gci/netflix[.]zip | 192[.]185[.]48[.]126 | damaandaa@gmail[.]com |
| verify-securema001[.]ddns[.]net/1[.]zip | 165[.]232[.]109[.]200 | N/A, writes to saved/stored[.]html |
| w3llsfargo[.]giize[.]com/connect[.]verify/Wellsfargo[.]zip | 134[.]209[.]215[.]123 | angrygerad@yandex[.]com |
| webbsuser[.]3utilities[.]com/16057957824655090001605795789102639000_content[.]zip | 46[.]17[.]96[.]115 | boalin20@yandex[.]com, rootcg25@gmail[.]com |
| www[.]s-unknown[.]sina[.]oghab-host[.]xyz/Ip[.]zip | 80[.]209[.]233[.]22 | ¯\_(ツ)_/¯ (file is in an odd encoding, can't read it) |
| yfghh[.]gotdns[.]ch/kkk/onedrive%20ne[.]zip | 139[.]59[.]27[.]95 | resultbox@domain[.]com |
| yfghh[.]gotdns[.]ch/kkk/upload[.]zip | 139[.]59[.]27[.]95 | rwangaudioquest[.]com@gmail[.]com |
| ytrioi-71[.]gq/update%20page[.]zip | 51[.]103[.]136[.]215 | yung[.]nelly123@yandex[.]ru |

*: URL was no longer resolving at time of publication

[1]: links to https://www.facebook.com/IdhamDotID
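If you want to actually use a table like the one above rather than just read it, the first thing a SOC analyst does is turn the defanged rows into structured records and look for what they share. The script below is an added example written for this post, not code from the original; it parses the post's own "URL IP Exfil" row format (a few rows are copied in as constructed sample input), refangs the `[.]` notation, honours the `*` "no longer resolving" marker, classifies the exfil column (mailer address vs. "writes to" drop file vs. unknown), and groups the results by hosting IP so that clusters such as the eight `loginmongolia[.]zip` DDNS names on one host show up directly. Function and field names are my own.

```python
"""Parse defanged phishing-kit rows into records and cluster them by host.

Added example for this post; row format follows the table above.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample: a subset of rows copied from the table above, still defanged.
SAMPLE_ROWS = """\
ainhemaem[.]duckdns[.]org/loginmongolia[.]zip 198[.]252[.]98[.]58 N/A, writes to anhdeptraivl[.]txt
cccvvv14[.]duckdns[.]org/loginmongolia[.]zip 198[.]252[.]98[.]58 N/A, writes to anhdeptraivl[.]txt
account-service-updates2[.]duckdns[.]org/16Shop-PP-V1[.]4[.]zip 162[.]241[.]127[.]29 monyetcin@yandex[.]com
secure-account-aout9[.]duckdns[.]org/16Shop-PP-V1[.]4[.]zip 162[.]241[.]127[.]29 monyetcin@yandex[.]com
pcikaeo-71[.]gq/Drve/OneeDrive[.]zip 20[.]75[.]88[.]26* rexulbox@protonmail[.]com
lordnoob[.]hopto[.]org/gx40[.]zip 158[.]101[.]22[.]140 N/A
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DROPFILE_PREFIX = "N/A, writes to "


def refang(text):
    """Turn the post's defanged '[.]' notation back into a real indicator."""
    return text.replace("[.]", ".")


def parse_row(line):
    """Parse one 'URL IP Exfil' row; the exfil column may contain spaces."""
    url, ip, *rest = line.strip().split(" ", 2)
    exfil = refang(rest[0].strip()) if rest else ""

    # A trailing '*' on the IP is the post's marker for "no longer resolving".
    resolving = not ip.endswith("*")
    ip = refang(ip.rstrip("*"))
    if not IPV4.match(ip):
        raise ValueError(f"bad IP field: {ip!r}")

    domain, _, path = refang(url).partition("/")
    kit = unquote(path.rsplit("/", 1)[-1])  # archive name, %20 etc. decoded

    # Classify how the kit exfiltrates: a mailer address, a local drop file, or unknown.
    if "@" in exfil:
        exfil_type, target = "email", exfil.split(" ", 1)[0]  # drop "(unconfigured)"
    elif exfil.startswith(DROPFILE_PREFIX):
        exfil_type, target = "dropfile", exfil[len(DROPFILE_PREFIX):]
    else:
        exfil_type, target = "unknown", ""

    return {
        "domain": domain,
        "kit": kit,
        "ip": ip,
        "resolving": resolving,
        "exfil_type": exfil_type,
        "exfil_target": target,
    }


def parse_rows(text):
    """Parse every non-empty line of a table body."""
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def group_by_ip(records):
    """Map each hosting IP to the set of domains seen on it."""
    by_ip = defaultdict(set)
    for rec in records:
        by_ip[rec["ip"]].add(rec["domain"])
    return dict(by_ip)


def shared_hosts(records):
    """IPs serving more than one domain: the cheap DDNS clusters worth blocking at the IP."""
    return {ip: doms for ip, doms in group_by_ip(records).items() if len(doms) > 1}


def blocklist(records):
    """Sorted, de-duplicated domain list suitable for a DNS/proxy blocklist."""
    return sorted({rec["domain"] for rec in records})


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    for ip, doms in shared_hosts(recs).items():
        print(ip, "hosts", ", ".join(sorted(doms)))
    print("blocklist:", blocklist(recs))
```

Run against the full table, the `shared_hosts` output is the interesting part: one IP behind the whole `loginmongolia` duckdns family and another behind three of the 16Shop rows, which is the kind of overlap that justifies blocking the host rather than chasing each throwaway hostname.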

Welp, that's it, folks. Have a good and safe Thanksgiving if you're celebrating it this year. Stay safe, nonetheless.
