
add 185.81.115.28 to IP block lists #445

Conversation

g0d33p3rsec
Contributor

@g0d33p3rsec g0d33p3rsec commented Jul 7, 2024

Phishing Domain/URL/IP(s):

185.81.115.28
C2 -> 79.137.197.154:15666
https://185.81.115.28/lander/6cw/PACKAGE_DEMO.exe
http://79.137.197.154/auth/login
https://crypto-wave.net/lander/6cw/PACKAGE_DEMO.exe
https://crypto-wave.store/lander/6cw/PACKAGE_DEMO.exe
https://crypto-wave.top/lander/6cw/PACKAGE_DEMO.exe
https://cutepoochstore.com/lander/6cw/PACKAGE_DEMO.exe
https://www.cutepoochstore.com/lander/6cw/PACKAGE_DEMO.exe
https://dubai-never-sleep.agency/lander/6cw/PACKAGE_DEMO.exe
https://fsqaj.com/lander/6cw/PACKAGE_DEMO.exe
https://5a94eca1-13d6-4443-924a-ad8ecc9eee15.random.fsqaj.com/lander/6cw/PACKAGE_DEMO.exe
https://sitemaps.fsqaj.com/lander/6cw/PACKAGE_DEMO.exe
https://www.fsqaj.com/lander/6cw/PACKAGE_DEMO.exe
https://michaelconstantinebhanos.com/lander/6cw/PACKAGE_DEMO.exe
https://www.michaelconstantinebhanos.com/lander/6cw/PACKAGE_DEMO.exe
https://simplylovingproducts.com/lander/6cw/PACKAGE_DEMO.exe
https://www.simplylovingproducts.com/lander/6cw/PACKAGE_DEMO.exe

Impersonated domain

Describe the issue

This IP is hosting several domains that are being used to distribute MeduzaStealer. When the file is viewed on VirusTotal, the string {"C2 url": "79.137.197.154:15666"} is visible in the Decoded Text section of the behavior report. Viewing http://79.137.197.154/ shows the login screen for the C2 dashboard.

Related external source

https://www.virustotal.com/gui/file/44e715e3d9b5434c099452cc2cd991b1f02d4aba25114341a37dc142efd089ff
https://urlscan.io/result/df9b6e3c-593e-45e2-88cf-71a3eb013fb7/
https://urlscan.io/search/#page.ip:%22185.81.115.28%22
https://www.virustotal.com/gui/ip-address/79.137.197.154
https://urlscan.io/result/1f50e487-c5df-498c-9fa1-c71b7cb0c961/
https://app.any.run/tasks/ca4568e0-294d-429a-a850-28380a384521
https://any.run/report/44e715e3d9b5434c099452cc2cd991b1f02d4aba25114341a37dc142efd089ff/ca4568e0-294d-429a-a850-28380a384521

Screenshot

[four screenshots attached, plus image 1f50e487-c5df-498c-9fa1-c71b7cb0c961; not reproduced here]
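Added example (not part of the Phishing-Database project or of this report): a small Python script that turns an IoC list like the one above into host-level block-list entries, and pulls the C2 endpoint out of a VirusTotal-style decoded-text fragment of the form `{"C2 url": "host:port"}`, which is how the report identifies the controller. The `REPORTED_IOCS` and `DECODED_TEXT` inputs are constructed from the values in this report (a subset of the URLs); the function names are assumptions of this example.

```python
"""Build block-list entries from a phishing-report IoC list.

Added example, not the Phishing-Database project's own code. It normalises
reported URLs and bare IPs into IP and domain block-list entries, and
extracts the C2 endpoint from a decoded-text string of the form
{"C2 url": "host:port"} as observed in the VirusTotal behaviour report.
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed from the report above (subset of the listed URLs).
REPORTED_IOCS = """
185.81.115.28
C2 -> 79.137.197.154:15666
https://185.81.115.28/lander/6cw/PACKAGE_DEMO.exe
http://79.137.197.154/auth/login
https://crypto-wave.net/lander/6cw/PACKAGE_DEMO.exe
https://www.cutepoochstore.com/lander/6cw/PACKAGE_DEMO.exe
https://5a94eca1-13d6-4443-924a-ad8ecc9eee15.random.fsqaj.com/lander/6cw/PACKAGE_DEMO.exe
"""

# Constructed stand-in for the "Decoded Text" section of a sandbox report.
DECODED_TEXT = 'xxxx {"C2 url": "79.137.197.154:15666"} yyyy'

DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")
C2_RE = re.compile(r'\{\s*"C2 url"\s*:\s*"[^"]+"\s*\}')


def extract_host(token):
    """Return ('ip', host) or ('domain', host) for a URL or bare host token,
    or None for tokens that are neither (labels such as 'C2' or '->')."""
    token = token.strip()
    if not token:
        return None
    if "://" in token:
        host = urlsplit(token).hostname  # drops scheme, port, path
    else:
        host = token.split(":")[0]       # bare host with optional port
    if not host:
        return None
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return ("ip", host)
    except ValueError:
        pass
    if DOMAIN_RE.fullmatch(host):
        return ("domain", host)
    return None


def build_blocklists(text):
    """Split free-form IoC text into sorted, de-duplicated IP and domain lists.
    A www. host also yields its bare apex so both forms are covered."""
    ips, domains = set(), set()
    for token in text.split():
        entry = extract_host(token)
        if entry is None:
            continue
        kind, host = entry
        if kind == "ip":
            ips.add(host)
        else:
            domains.add(host)
            if host.startswith("www."):
                domains.add(host[4:])
    return sorted(ips, key=ipaddress.ip_address), sorted(domains)


def extract_c2(decoded_text):
    """Find the {"C2 url": "host:port"} fragment and return (host, port)."""
    m = C2_RE.search(decoded_text)
    if not m:
        return None
    c2 = json.loads(m.group(0))["C2 url"]
    host, _, port = c2.rpartition(":")
    if not host or not port.isdigit():
        return None
    return host, int(port)


if __name__ == "__main__":
    ip_list, domain_list = build_blocklists(REPORTED_IOCS)
    print("IPs:", ip_list)
    print("Domains:", domain_list)
    print("C2:", extract_c2(DECODED_TEXT))
```

The C2 fragment is parsed with `json.loads` rather than a hand-written split so that whitespace or escaping inside the string does not break the match; anything that does not carry a numeric port is rejected rather than guessed.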

@spirillen spirillen merged commit 5c95d13 into Phishing-Database:main Jul 7, 2024
1 check passed
@spirillen
Contributor

Sorry for the delay...

@g0d33p3rsec
Contributor Author

Sorry for the delay...

It wasn't noticeable. I barely had time to transfer the information to your matrix. 😊

@g0d33p3rsec g0d33p3rsec deleted the add-185.81.115.28-to-IP-block-lists branch July 7, 2024 22:40
@spirillen
Contributor

This was pure luck, as I was about to shut down my computer to make the final backup before the transition to Debian.

spirillen added a commit to mypdns/matrix that referenced this pull request Jul 7, 2024
Fixes #644

Relate: Phishing-Database/phishing#445

Credit: @g0d33p3rsec

----

Thanks to jetBrains for sponsoring IntelliJ (Ultimate Edition)
For non-commercial open source.
This helps My Privacy DNS to develop tools and maintain the blacklists.

Signed-off-by: Spirillen <[email protected]>
spirillen added a commit to mypdns/matrix that referenced this pull request Jul 7, 2024
Fixes #645

Relate: Phishing-Database/phishing#445

Credit: @g0d33p3rsec

----

Thanks to jetBrains for sponsoring IntelliJ (Ultimate Edition)
For non-commercial open source.
This helps My Privacy DNS to develop tools and maintain the blacklists.

Signed-off-by: Spirillen <[email protected]>
spirillen added a commit to mypdns/matrix that referenced this pull request Jul 7, 2024
Fixes #646

Relate: Phishing-Database/phishing#445

Credit: @g0d33p3rsec

----

Thanks to jetBrains for sponsoring IntelliJ (Ultimate Edition)
For non-commercial open source.
This helps My Privacy DNS to develop tools and maintain the blacklists.

Signed-off-by: Spirillen <[email protected]>
spirillen added a commit to mypdns/matrix that referenced this pull request Jul 7, 2024
Fixes #647

Relate: Phishing-Database/phishing#445

Credit: @g0d33p3rsec

----

Thanks to jetBrains for sponsoring IntelliJ (Ultimate Edition)
For non-commercial open source.
This helps My Privacy DNS to develop tools and maintain the blacklists.

Signed-off-by: Spirillen <[email protected]>
spirillen added a commit to mypdns/matrix that referenced this pull request Jul 7, 2024
Fixes #648

Relate: Phishing-Database/phishing#445

Credit: @g0d33p3rsec

----

Thanks to jetBrains for sponsoring IntelliJ (Ultimate Edition)
For non-commercial open source.
This helps My Privacy DNS to develop tools and maintain the blacklists.

Signed-off-by: Spirillen <[email protected]>
spirillen added a commit to mypdns/matrix that referenced this pull request Jul 7, 2024
Fixes #649

Relate: Phishing-Database/phishing#445

Credit: @g0d33p3rsec

----

Thanks to jetBrains for sponsoring IntelliJ (Ultimate Edition)
For non-commercial open source.
This helps My Privacy DNS to develop tools and maintain the blacklists.

Signed-off-by: Spirillen <[email protected]>
spirillen added a commit to mypdns/matrix that referenced this pull request Jul 7, 2024
Fixes #640

Relate: Phishing-Database/phishing#445

Credit: @g0d33p3rsec

----

Thanks to jetBrains for sponsoring IntelliJ (Ultimate Edition)
For non-commercial open source.
This helps My Privacy DNS to develop tools and maintain the blacklists.

Signed-off-by: Spirillen <[email protected]>
iam-py-test added a commit to iam-py-test/my_filters_001 that referenced this pull request Jul 8, 2024