
Add 91.215.85.223 to blocklists #446

Merged


g0d33p3rsec
Contributor

Phishing Domain/URL/IP(s):

91.215.85.223
http://91.215.85.223/ 
http://91.215.85.223/ali.ps1
http://91.215.85.223/asdf.EXE
http://91.215.85.223/asdf.ps1
http://91.215.85.223/asdfg.exe
http://91.215.85.223/ghjk.exe
http://91.215.85.223/ghjkl.exe
http://91.215.85.223/kanorindex.php (C2 login)
http://91.215.85.223/mkv.ps1
http://91.215.85.223/native.exe
http://91.215.85.223/net.exe
http://91.215.85.223/payload.ps1 
http://91.215.85.223/plugin1.dll
http://91.215.85.223/plugin2.dll 
http://91.215.85.223/plugin3.dll
http://91.215.85.223/pps.ps1
http://91.215.85.223/ppx.ps1
http://91.215.85.223/qwerty.ps1
http://91.215.85.223/qwertyj1.ps1
http://91.215.85.223/telly.ps1
http://91.215.85.223/zxcv.EXE
http://91.215.85.223/zxcv.ps1
http://91.215.85.223/zxcvb.exe
http://91.215.85.223/zxcvb.ps1
http://www.bratiop.ru/zxcvb.ps1
http://mail.check-time.ru/zxcvb.exe 
http://www.check-time.ru/pps.ps1 
http://www.dgkhj.ru/zxcvb.exe
http://nicoslag.ru/net.exe
http://ftp.nicoslag.ru/ghjkl.exe
http://www.nicoslag.ru/native.exe
http://paipaisdvzxc.ru/net.exe
http://www.partaususd.ru/zxcvb.exe
http://mail.partaususd.ru/ghjk.exe
http://www.qd34gf23ewrfsd1233.ru/native.exe
http://www.qwertasd.ru/zxcvb.exe
http://ns2.qwerty12346.ru/zxcvb.exe
http://www.qwerty12346.ru/qwerty.ps1
http://hubvera.ac.ug/native.exe
http://mail.pastratas.ac.ug/zxcv.ps1 
http://ns2.badhabits.ug/zxcvb.exe
http://karimgouss.ug/asdf.EXE
http://www.karimgouss.ug/zxcvb.exe
http://mail.lastimaners.ug/ghjkl.exe
http://mail.lastimaners.ug/zxcvb.exe 
http://www.malayska.ug/mkv.ps1
http://www.marksidfgs.ug/pps.ps1 
http://ns1.mistitis.ug/zxcvb.exe
http://www.mistitis.ug/net.exe
http://www.opesjk.ug/ppx.ps1
http://www.opsdjs.ug/ghjkl.exe 
http://mail.playwell.ug/zxcv.ps1 
http://www.playwell.ug/ghjkl.exe
http://mail.timebound.ug/asdfg.exe
http://ns1.timecheck.ug/ghjkl.exe
http://ns2.timecheck.ug/zxcvb.exe
http://www.timecheck.ug/ghjk.exe
http://ns1.timekeeper.ug/native.exe
http://triathlethe.ug/native.exe 
http://mail.tuskslacx.ug/ghjk.exe
http://www.tuskslacx.ug/asdf.ps1
http://www.tuskslacx.ug/zxcvb.exe
http://wellplayed.ug/native.exe
http://zxvbcrt.ug/ghjkl.exe
http://mail.zxvbcrt.ug/asdfg.exe

Describe the issue

This IP is hosting files and Command and Control (C2) infrastructure for the Godzilla Loader. An open directory listing is visible at http://91.215.85.223/. The Godzilla login can be seen at http://91.215.85.223/kanorindex.php. The site is hosting the following malicious files, most of which are associated with Azorult 3.3, Rhadamanthys, PureCrypter, Pure Miner and zgRAT, and are obfuscated using .NET Reactor:

  • AZORult V3.3 / Rhadamanthys
    http://91.215.85.223/asdf.EXE
    http://karimgouss.ug/asdf.EXE
    https://www.virustotal.com/gui/file/33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546
    https://app.any.run/tasks/88e3e025-c801-48ea-bc8b-2a063222e8a3/
    https://any.run/report/33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546/88e3e025-c801-48ea-bc8b-2a063222e8a3

  • trojan.msil/blocker
    http://91.215.85.223/asdfg.exe
    http://91.215.85.223/ghjk.exe
    http://91.215.85.223/ghjkl.exe
    http://91.215.85.223/native.exe
    http://91.215.85.223/net.exe
    http://91.215.85.223/zxcv.EXE
    http://91.215.85.223/zxcvb.exe
    http://mail.check-time.ru/zxcvb.exe
    http://www.dgkhj.ru/zxcvb.exe
    http://nicoslag.ru/net.exe
    http://ftp.nicoslag.ru/ghjkl.exe
    http://www.nicoslag.ru/native.exe
    http://paipaisdvzxc.ru/net.exe
    http://www.qd34gf23ewrfsd1233.ru/native.exe
    http://www.qwertasd.ru/zxcvb.exe
    http://ns2.qwerty12346.ru/zxcvb.exe
    http://mail.partaususd.ru/ghjk.exe
    http://www.partaususd.ru/zxcvb.exe
    http://www.karimgouss.ug/zxcvb.exe
    http://hubvera.ac.ug/native.exe
    http://ns2.badhabits.ug/zxcvb.exe
    http://mail.lastimaners.ug/ghjkl.exe
    http://mail.lastimaners.ug/zxcvb.exe
    http://ns1.mistitis.ug/zxcvb.exe
    http://www.mistitis.ug/net.exe
    http://www.opsdjs.ug/ghjkl.exe
    http://www.playwell.ug/ghjkl.exe
    http://mail.timebound.ug/asdfg.exe
    http://ns1.timecheck.ug/ghjkl.exe
    http://ns2.timecheck.ug/zxcvb.exe
    http://ns1.timekeeper.ug/native.exe
    http://triathlethe.ug/native.exe
    http://mail.tuskslacx.ug/ghjk.exe
    http://www.tuskslacx.ug/zxcvb.exe
    http://wellplayed.ug/native.exe
    http://zxvbcrt.ug/ghjkl.exe
    http://mail.zxvbcrt.ug/asdfg.exe
    https://www.virustotal.com/gui/file/7ccfae8644c3bc7439b88f2dc0de06bb5082de09b0bf5e143de17487ff252224
    https://app.any.run/tasks/715219ee-cd52-49ae-839c-227f68b5c15a/
    https://any.run/report/7ccfae8644c3bc7439b88f2dc0de06bb5082de09b0bf5e143de17487ff252224/715219ee-cd52-49ae-839c-227f68b5c15a

  • trojan.powershell/pwrsh
    http://91.215.85.223/ali.ps1
    http://91.215.85.223/asdf.ps1
    http://91.215.85.223/mkv.ps1
    http://91.215.85.223/payload.ps1
    http://91.215.85.223/pps.ps1
    http://91.215.85.223/ppx.ps1
    http://91.215.85.223/qwerty.ps1
    http://91.215.85.223/qwertyj1.ps1
    http://91.215.85.223/telly.ps1
    http://91.215.85.223/zxcv.ps1
    http://91.215.85.223/zxcvb.ps1
    http://www.bratiop.ru/zxcvb.ps1
    http://www.check-time.ru/pps.ps1
    http://mail.pastratas.ac.ug/zxcv.ps1
    http://www.qwerty12346.ru/qwerty.ps1
    http://www.malayska.ug/mkv.ps1
    http://www.marksidfgs.ug/pps.ps1
    http://www.opesjk.ug/ppx.ps1
    http://mail.playwell.ug/zxcv.ps1
    http://www.tuskslacx.ug/asdf.ps1
    https://www.virustotal.com/gui/file/82f7781ebf1aa649a3697ed570fc11ba0a35b810782c953c145850f314c07e21
    https://app.any.run/tasks/f3076fd2-9bb5-41ca-bdf5-b17ff0526c4c/
    https://any.run/report/82f7781ebf1aa649a3697ed570fc11ba0a35b810782c953c145850f314c07e21/f3076fd2-9bb5-41ca-bdf5-b17ff0526c4c#i-table-processes-6a874d93-8bb5-4eb7-a3a2-60ccde0eb4c7

Related external source

https://urlscan.io/search/#page.ip:%2291.215.85.223%22
https://search.censys.io/hosts/91.215.85.223
https://www.shodan.io/host/91.215.85.223
https://any.run/cybersecurity-blog/pure-malware-family-analysis/

Screenshot

[four screenshots attached to the PR, not reproduced here]
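The submission above lists one IP plus a set of .ru and .ug domains whose mail./ns1./ns2./www./ftp. labels all serve the same handful of payload names. A blocklist consumer wants three things from that: the IP, the registrable domains (so an unseen label such as ftp.timecheck.ug is still caught), and the payload paths as a weaker signal for the same files appearing on a host not yet listed. The script below is an added example, not part of this PR or of the Phishing-Database project; it embeds a constructed subset of the PR's URLs and constructed proxy log lines, and the `MULTI_LABEL_SUFFIXES` table is an assumption standing in for the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Constructed subset of the URLs submitted in this PR; in practice the whole
# list from the PR body would be fed in.
IOC_URLS = [
    "http://91.215.85.223/kanorindex.php",
    "http://91.215.85.223/zxcvb.exe",
    "http://91.215.85.223/pps.ps1",
    "http://www.check-time.ru/pps.ps1",
    "http://mail.check-time.ru/zxcvb.exe",
    "http://ns2.qwerty12346.ru/zxcvb.exe",
    "http://hubvera.ac.ug/native.exe",
    "http://mail.pastratas.ac.ug/zxcv.ps1",
    "http://ns1.timecheck.ug/ghjkl.exe",
]

# Multi-label public suffixes seen in this submission. Assumption: a real
# deployment would consult the Public Suffix List instead of this table.
MULTI_LABEL_SUFFIXES = {"ac.ug"}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host):
    """Collapse mail./ns1./www. variants to the domain the actor registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def build_blocklist(urls):
    """Split IOC URLs into IP, exact-host, registrable-domain and path sets."""
    bl = {"ips": set(), "hosts": set(), "domains": set(), "paths": set()}
    for u in urls:
        p = urlparse(u)
        host = (p.hostname or "").lower()
        if IPV4.fullmatch(host):
            bl["ips"].add(host)
        elif host:
            bl["hosts"].add(host)
            bl["domains"].add(registrable_domain(host))
        if p.path and p.path != "/":
            bl["paths"].add(p.path.lower())
    return bl


def classify(bl, url):
    """Return ('block'|'suspicious'|'allow', reason) for one requested URL."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in bl["ips"]:
        return "block", f"ip {host} is a listed C2/payload host"
    if host and not IPV4.fullmatch(host):
        rd = registrable_domain(host)
        if rd in bl["domains"]:
            return "block", f"{host} is under listed domain {rd}"
    if p.path.lower() in bl["paths"]:
        # Same payload name on an unlisted host: worth a look, not an auto-block.
        return "suspicious", f"path {p.path} matches a listed payload name"
    return "allow", ""


def scan_log(bl, lines):
    """Return (client, url, verdict, reason) for each non-allowed log line.

    Expected line shape: "<timestamp> <client> <method> <url> <status>".
    """
    hits = []
    for line in lines:
        _ts, client, _method, url, _status = line.split()
        verdict, reason = classify(bl, url)
        if verdict != "allow":
            hits.append((client, url, verdict, reason))
    return hits


def hosts_file(bl):
    """Render hosts-file lines: hosts files cannot wildcard, so emit the
    registrable domain plus every FQDN actually observed in the submission."""
    names = bl["domains"] | bl["hosts"]
    return [f"0.0.0.0 {n}" for n in sorted(names)]


# Constructed proxy log lines, not taken from any real environment.
SAMPLE_LOG = [
    "2024-07-09T10:01:02Z 10.0.0.5 GET http://ftp.timecheck.ug/zxcv.ps1 200",
    "2024-07-09T10:01:09Z 10.0.0.5 GET http://91.215.85.223/payload.ps1 200",
    "2024-07-09T10:02:30Z 10.0.0.7 GET http://example.com/index.html 200",
    "2024-07-09T10:03:11Z 10.0.0.9 GET http://cdn.example.net/zxcvb.exe 200",
]

if __name__ == "__main__":
    bl = build_blocklist(IOC_URLS)
    for hit in scan_log(bl, SAMPLE_LOG):
        print(*hit)
    print("\n".join(hosts_file(bl)))
```

The registrable-domain collapse is what makes the list useful beyond the exact URLs seen: the actor rotates service-looking labels (mail, ns1, ns2, ftp, www) on the same registrations, so an exact-FQDN match would miss the next label. The path match is deliberately only "suspicious", since file names like net.exe or payload.ps1 are generic enough to collide with legitimate traffic.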

iam-py-test added a commit to iam-py-test/my_filters_001 that referenced this pull request Jul 9, 2024
@spirillen spirillen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGM

@spirillen spirillen merged commit 4f07381 into Phishing-Database:main Jul 9, 2024
1 check passed
@g0d33p3rsec g0d33p3rsec deleted the add-91.215.85.223-to-blocklists branch July 12, 2024 23:01