Exposing the Sonatrach Data Leak and the Data Leak Broker Behind it - An OSINT Analysis

June 13, 2024
Dear blog readers,

In this analysis I'll provide an in-depth technical overview of the Internet-connected infrastructure behind the Maze Ransomware Group, based on public sources, including the data leak broker responsible for the Sonatrach data leak. The aim is to assist researchers and analysts in properly attributing the leak to the cyber threat actor known as the Maze Ransomware Group, with the ultimate goal of preventing future network intrusions and assisting in attempts to take the group's Internet-connected infrastructure offline.

Although the group has publicly announced that it is shutting down its operations, its Internet-connected infrastructure remains online and operational.

Sample screenshots:

Sample screenshots of the ISPs currently hosting the Maze Ransomware Group’s Internet-connected infrastructure include:

Sample personally identifiable email address of the individual involved in the leak:
s0natrach[@]proton[.]me

Sample URLs at which the leaked data was hosted:
hxxp://anonfiles[.]com/cbz9z225y4/Le_contr_le_de_gestion_pour_managers_zip
hxxp://easyupload[.]io/rps33q
hxxp://easyupload[.]io/ax8jh3
hxxp://easyupload[.]io/n443ev
hxxp://easyupload[.]io/dw9209

Sample domains known to have been involved in the campaign include:
hxxp://mazedecrypt[.]top
hxxp://mazenews[.]top
hxxp://newsmaze[.]top

Related actionable intelligence and C&Cs on the Maze Ransomware Group:

hxxp://mazedecrypt[.]top - 35[.]205[.]61[.]67

Name servers used: ns1[.]csof[.]net

Dark Web Onion: aoacugmutagkwctu[.]onion

Sample Bitcoin Address: 3JGqKRWSsXQsnHWDpHXXNg7TJcubszJher

Related domains:
hxxp://munsys[.]icu
hxxp://deepletelyre[.]club
hxxp://gamsaymin[.]club
hxxp://hersendentp[.]club
hxxp://nistreecongl[.]club
hxxp://cllbguhxggwd[.]club
hxxp://cxwbtywohnimbat[.]biz
hxxp://xbknggwrsigwvqg[.]biz
hxxp://xyrcwgdibytikak[.]biz
hxxp://okxlqotixjlxbst[.]biz

hxxp://avoirparticulierserv[.]xyz - 94[.]140[.]114[.]197 - 146[.]0[.]72[.]74

Sample malicious SHA-256 hashes known to have been involved in the campaign include:
c040defb9c90074b489857f328d3e0040ac0ddab26cde132f17cccae7f1309cc
c11b964916457579a268a36e825857866680baf1830cd6e2d26d4e1e24dec91b
ea19736c8e89e871974aabdc0d52ad0f0948159d4cf41d2889f49448cbe5e705
ecd04ebbb3df053ce4efa2b73912fd4d086d1720f9b410235ee9c1e529ea52a2
f491fb72f106e879021b0bb1149c4678fb380c255d2ef11ac4e0897378793f49
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f

Related payload download URLs known to be part of Maze Ransomware Group’s Internet-connected infrastructure include:
hxxp://104[.]168[.]198[.]208/wordupd[.]tmp
hxxp://104[.]168[.]215[.]54/wordupd[.]tmp
hxxp://104[.]168[.]174[.]32/wordupd_3[.]0[.]1[.]tmp

Related C&Cs known to be part of Maze Ransomware Group’s Internet-connected infrastructure include:

91[.]218[.]114[.]4
5[.]199[.]167[.]188
185[.]147[.]15[.]22
91[.]218[.]114[.]11
91[.]218[.]114[.]25
91[.]218[.]114[.]26
91[.]218[.]114[.]31
91[.]218[.]114[.]32
91[.]218[.]114[.]37
91[.]218[.]114[.]38
91[.]218[.]114[.]77
91[.]218[.]114[.]79

Related malicious SHA-256 hashes known to have been involved in the campaign include:

19aaa6c900a5642941d4ebc309433e783befa4cccd1a5af8c86f6e257bf0a72e
6878f7bd90434ac5a76ac2208a5198ce1a60ae20e8505fc110bd8e42b3657d13
9ad15385f04a6d8dd58b4390e32d876070e339eee6b8da586852d7467514d1b1
b950db9229db2f37a7eb5368308de3aafcea0fd217c614daedb7f334292d801e

Related C&Cs known to be part of Maze Ransomware Group’s Internet-connected infrastructure include:

hxxp://91[.]218[.]114[.]4/nwjknpeevx[.]action?pw=g1y652l&kyn=21y3vvhh&dvr=5e&us=g25e3582a

hxxp://91[.]218[.]114[.]11/forum/siaib[.]jspx?v=h&xyna=0vip863&eul=xsn3q0

hxxp://91[.]218[.]114[.]26/view/ticket/pigut[.]jspx?o=664quo0s&fp=ot52

hxxp://91[.]218[.]114[.]25/xrr[.]jspx?ygad=r35e2cx&e=6as6ta

hxxp://91[.]218[.]114[.]4/j[.]php

hxxp://91[.]218[.]114[.]11/payout/view/fa[.]aspx?y=y&qbx=4&kws=n2&iuy=8k7

hxxp://91[.]218[.]114[.]25/lxh[.]asp?mtxm=l7&r=836wy5

hxxp://91[.]218[.]114[.]26/signin/ticket/eq[.]action?x=yk6rr&e=50b&q=327dr5&ofk=065cdp

hxxp://91[.]218[.]114[.]31/signin/rnmnnekca[.]jsp?kdn=6snl5&e=7a50cx4hyp

hxxp://91[.]218[.]114[.]31/forum/a[.]aspx?byx=56&bc=62t0h&u=75w6n6&sot=2v0l761or6

hxxp://91[.]218[.]114[.]32/withdrawal/checkout/l[.]do?nuny=qj6&sdv=45g2boyf5q&dnr=rh8lk31ed

hxxp://91[.]218[.]114[.]77/task/bxfbpx[.]jspx?nq=cge63

hxxp://91[.]218[.]114[.]38/account/payout/ujwkjhoui[.]shtml

hxxp://91[.]218[.]114[.]37/imrhhjitop[.]phtml?wto=344dsc84&sp=x&oml=c173s71u&iy=m3u2

hxxp://91[.]218[.]114[.]38/auth/login

hxxp://91[.]218[.]114[.]79/logout/hfwdmugdi[.]php?upaj=mj7g

hxxp://91[.]218[.]114[.]38/sepa/juel[.]php?ars=51qse4p3y&xjaq=r5o4t4dp

hxxp://91[.]218[.]114[.]32/fwno[.]cgi?yd=410&o=y7x5kx371&p=m3361672

hxxp://91[.]218[.]114[.]37/sepa/signout/mjsnm[.]aspx?r=7o47wri&rtew=uu8764ssy&bri=51gxx6k5&opms=72gy0a

hxxp://91[.]218[.]114[.]77/payout/analytics/lrkaaosp[.]do?y=62h&aq=3jq8k6&v=0svt

hxxp://91[.]218[.]114[.]79/create/dpcwk[.]php?u=28qy0dpmt&qwbh=k&f=g1ub5ei&ek=3ee
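The indicator lists in this post mix notations: hash lists whose heading says MD5 but whose values are 64 hex characters (SHA-256), domains and IPs repeated across sections, and URLs defanged with hxxp:// and [.]. The following Python script is an added example, not tooling from this post, that refangs such a dump, classifies every indicator by its shape rather than by the heading it sits under, deduplicates while preserving order, and flags hashes whose length contradicts the heading's claim. SAMPLE is a constructed excerpt in the page's own notation; the only conventions it assumes are the hxxp/[.] defanging forms and the " - " / ";" annotation separators used above.

```python
"""Refang, classify and deduplicate a defanged IOC dump.

Added example for this page, not tooling from the post. SAMPLE is a constructed
excerpt in the page's own notation; the only conventions assumed are the
hxxp:// and [.] defanging forms used above and ' - ' / ';' as annotation separators.
"""
import re
from urllib.parse import urlsplit

HEX = re.compile(r"^[0-9a-f]+$")
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# Hash type claimed by a heading such as "Sample malicious MD5s ...:"
LABEL = re.compile(r"\b(md5|sha-?1|sha-?256)s?\b")

SAMPLE = """\
Sample malicious MD5s known to have been involved in the campaign include:
c040defb9c90074b489857f328d3e0040ac0ddab26cde132f17cccae7f1309cc
F491FB72F106E879021B0BB1149C4678FB380C255D2EF11AC4E0897378793F49
Related domains:
hxxp://mazedecrypt[.]top - 35[.]205[.]61[.]67
hxxp://mazedecrypt[.]top
Related C&Cs:
hxxp://91[.]218[.]114[.]4/nwjknpeevx[.]action?pw=g1y652l&kyn=21y3vvhh
hxxp://91[.]208[.]184[.]174:8079/windef[.]exe
91[.]218[.]114[.]4
"""


def refang(s: str) -> str:
    """Undo the usual defanging: hxxp -> http, [.] -> ., [:] -> :, [@] -> @."""
    s = s.strip()
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s.replace("[.]", ".").replace("[:]", ":").replace("[@]", "@")


def classify(ioc: str) -> str:
    """Type an indicator by its shape; hash type comes from length, not from the heading."""
    low = ioc.lower()
    if HEX.match(low) and len(low) in HASH_TYPES:
        return HASH_TYPES[len(low)]
    if "://" in low:
        return "url"
    m = IPV4.match(low)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "ipv4"
    if DOMAIN.match(low):
        return "domain"
    return "unknown"


def normalize(text: str) -> dict:
    """Parse a dump into {type: [indicators]} with order-preserving deduplication.

    Heading lines (ending in ':') are not indicators but set the claimed hash
    type; a hash whose length disagrees with that claim is reported under
    'warnings'. Hosts of URLs are also recorded as ipv4/domain indicators.
    """
    out: dict = {}
    seen: set = set()
    claimed = None

    def add(kind: str, value: str) -> None:
        if (kind, value) not in seen:
            seen.add((kind, value))
            out.setdefault(kind, []).append(value)

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):
            m = LABEL.search(line.lower())
            claimed = m.group(1).replace("-", "") if m else None
            continue
        # "domain - ip" and "ip; ip" annotations carry several indicators per line
        for token in re.split(r"\s+-\s+|\s*;\s*", line):
            ioc = refang(token)
            if not ioc:
                continue
            kind = classify(ioc)
            if kind in HASH_TYPES.values():
                ioc = ioc.lower()
                if claimed and claimed != kind:
                    add("warnings", f"{ioc[:12]}... labelled {claimed} but is {kind}")
            add(kind, ioc)
            if kind == "url":
                host = urlsplit(ioc).hostname
                if host:
                    add(classify(host), host)
    return out


if __name__ == "__main__":
    for kind, values in normalize(SAMPLE).items():
        print(f"{kind}: {len(values)}")
        for v in values:
            print("  ", v)
```

Run as a script it summarises the constructed sample; pasting the indicator sections of this post into SAMPLE yields one deduplicated list per type, which is the form a blocklist or a SIEM lookup actually needs.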

Related C&Cs known to be part of Maze Ransomware Group’s Internet-connected infrastructure include:

91[.]218[.]114[.]11
91[.]218[.]114[.]25
91[.]218[.]114[.]26
91[.]218[.]114[.]31
91[.]218[.]114[.]32
91[.]218[.]114[.]37
91[.]218[.]114[.]38
91[.]218[.]114[.]4
91[.]218[.]114[.]77
91[.]218[.]114[.]79

hxxp://92[.]63[.]8[.]47
hxxp://92[.]63[.]32[.]2
hxxp://92[.]63[.]37[.]100
hxxp://92[.]63[.]194[.]20
hxxp://92[.]63[.]17[.]245
hxxp://92[.]63[.]32[.]55
hxxp://92[.]63[.]11[.]151
hxxp://92[.]63[.]194[.]3
hxxp://92[.]63[.]15[.]8
hxxp://92[.]63[.]29[.]137
hxxp://92[.]63[.]32[.]57
hxxp://92[.]63[.]15[.]56
hxxp://92[.]63[.]32[.]52
hxxp://92[.]63[.]15[.]6

Related malicious MD5s known to be part of Maze Ransomware Group’s Internet-connected infrastructure include:

064058cf092063a5b69ed8fd2a1a04fe

0f841c6332c89eaa7cac14c9d5b1d35b

108a298b4ed5b4e77541061f32e55751

11308e450b1f17954f531122a56fae3b

15d7dd126391b0e7963c562a6cf3992c

21a563f958b73d453ad91e251b11855c

27c5ecbb94b84c315d56673a851b6cf9

2f78ff32cbb3c478865a88276248d419

335aba8d135cc2e66549080ec9e8c8b7

3bfcba2dd05e1c75f86c008f4d245f62

46b98ee908d08f15137e509e5e69db1b

5774f35d180c0702741a46d98190ff37

5df79164b6d0661277f11691121b1d53

658e9deec68cf5d33ee0779f54806cc2

65cf08ffaf12e47de8cd37098aac5b33

79d137d91be9819930eeb3876e4fbe79

8045b3d2d4a6084f14618b028710ce85

8205a1106ae91d0b0705992d61e84ab2

83b8d994b989f6cbeea3e1a5d68ca5d8

868d604146e7e5cb5995934b085846e3

87239ce48fc8196a5ab66d8562f48f26

89e1ddb8cc86c710ee068d6c6bf300f4

910aa49813ee4cc7e4fa0074db5e454a

9eb13d56c363df67490bcc2149229e4c

a0c5b4adbcd9eb6de9d32537b16c423b

a3a3495ae2fc83479baeaf1878e1ea84

b02be7a336dcc6635172e0d6ec24c554

b40a9eda37493425782bda4a3d9dad58

b4d6cb4e52bb525ebe43349076a240df

b6786f141148925010122819047d1882

b93616a1ea4f4a131cc0507e6c789f94

bd9838d84fd77205011e8b0c2bd711e0

be537a66d01c67076c8491b05866c894

bf2e43ff8542e73c1b27291e0df06afd

c3ce5e8075f506e396ee601f2757a2bd

d2dda72ff2fbbb89bd871c5fc21ee96a

d3eaab616883fcf51dcbdb4769dd86df

d552be44a11d831e874e05cadafe04b6

deebbea18401e8b5e83c410c6d3a8b4e

dfa4631ec2b8459b1041168b1b1d5105

e57ba11045a4b7bc30bd2d33498ef194

e69a8eb94f65480980deaf1ff5a431a6

ef95c48e750c1a3b1af8f5446fa04f54

f04d404d84be66e64a584d425844b926

f457bb5060543db3146291d8c9ad1001

f5ecda7dd8bb1c514f93c09cea8ae00d

f83cef2bf33a4d43e58b771e81af3ecc

fba4cbb7167176990d5a8d24e9505f71

Related payload download URLs:

hxxp://104[.]168[.]174[.]32/wordupd_3[.]0[.]1[.]tmp

hxxp://104[.]168[.]198[.]208/wordupd[.]tmp

hxxp://104[.]168[.]201[.]35/dospizdos[.]tmp

hxxp://104[.]168[.]201[.]47/wordupd[.]tmp

hxxp://104[.]168[.]215[.]54/wordupd[.]tmp

hxxp://149[.]56[.]245[.]196/wordupd[.]tmp

hxxp://192[.]119[.]106[.]235/mswordupd[.]tmp

hxxp://192[.]119[.]106[.]235/officeupd[.]tmp

hxxp://192[.]99[.]172[.]143/winupd[.]tmp

hxxp://54[.]39[.]233[.]188/win163[.]65[.]tmp

hxxp://91[.]208[.]184[.]174:8079/windef[.]exe

hxxp://agenziainformazioni[.]icu/wordupd[.]tmp

hxxp://www[.]download-invoice[.]site/Invoice_29557473[.]exe

Related C&Cs known to be part of Maze Ransomware Group’s Internet-connected infrastructure include:

173[.]209[.]43[.]61

193[.]36[.]237[.]173

37[.]1[.]213[.]9

37[.]252[.]7[.]142

5[.]199[.]167[.]188

hxxp://checksoffice[.]me

hxxp://drivers[.]updatecenter[.]icu

hxxp://plaintsotherest[.]net

hxxp://thesawmeinrew[.]net

hxxp://updates[.]updatecenter[.]icu

hxxp://att-customer[.]com

hxxp://att-information[.]com

hxxp://att-newsroom[.]com

hxxp://att-plans[.]com

hxxp://bezahlen-1und1[.]icu

hxxp://bzst-info[.]icu

hxxp://bzst-inform[.]icu

hxxp://bzstinfo[.]icu

hxxp://bzstinform[.]icu

hxxp://canada-post[.]icu

hxxp://canadapost-delivery[.]icu

hxxp://canadapost-tracking[.]icu

hxxp://hilfe-center-1und1[.]icu

hxxp://hilfe-center-internetag[.]icu

hxxp://trackweb-canadapost[.]icu

Related personally identifiable email addresses known to have been involved in the campaign include:

abusereceive[@]hitler[.]rocks
gladkoff1991[@]yandex[.]ru

Related malicious domains known to be part of Maze Ransomware Group’s Internet-connected infrastructure include:

hxxp://globalsign[.]icu
hxxp://ocspverisign[.]pw
hxxp://officecloud[.]top

Sample screenshots:

Exposing a Domains Portfolio Courtesy of Breached Forum Team Members - An OSINT Analysis

June 13, 2024

I've recently obtained access to a publicly available set of personally identifiable information belonging to secondary Breached Forum team members. Based on this discovery, I decided to dig a little deeper and look for domain name registrations made by the same individuals, with a view to identifying related fraudulent and malicious activity.

Interesting domains include:

hxxp://secured-logins[.]online

hxxp://microsoftupdale[.]com

hxxp://amzn-offer[.]com[.]ng

hxxp://paypalcustomerservices[.]com
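Several of the domains in this portfolio impersonate well-known brands or string together credential-lure words (microsoftupdale, my-account-mail-gmail, paypalcustomerservices, amzn-offer, secured-logins). The following Python script is an added example, not tooling from this post, of how to triage such a registrant portfolio: it extracts the label the registrant actually chose, then scores it for exact brand strings, near-miss lookalikes (character substitutions such as 0 for o) and lure stems. The brand list, lure stems, weights and threshold are my assumptions; SAMPLE_DOMAINS is a constructed excerpt of the list in this post plus one made-up typosquat, micros0ft-login.com, included only to exercise the near-miss rule.

```python
"""Score a registrant's domain portfolio for brand impersonation.

Added example for this page, not tooling from the post. BRANDS, LURE_STEMS,
the weights and the threshold are assumptions; SAMPLE_DOMAINS is a constructed
excerpt of the list above plus one made-up typosquat (micros0ft-login.com).
"""
from difflib import SequenceMatcher

BRANDS = ("microsoft", "gmail", "paypal", "amazon", "amzn", "iphone", "icloud", "yandex", "lloyds")
# Matched as substrings, so "secured", "logins" and "verification" all count.
LURE_STEMS = ("secure", "login", "account", "verif", "update", "service", "support", "notif", "offer", "mail", "view")
# Labels under which some ccTLDs delegate registrations (assumption: a short list, not the full PSL).
SECOND_LEVEL = {"com", "co", "net", "org", "ac", "edu", "gov"}

SAMPLE_DOMAINS = [
    "microsoftupdale.com",
    "secured-logins.online",
    "amzn-offer.com.ng",
    "paypalcustomerservices.com",
    "my-account-mail-gmail.com",
    "findmyiphone-view.com",
    "verification-amazon-fr.fr",
    "micros0ft-login.com",  # constructed typosquat, not from the post
    "casadipasta.fr",
    "kellyblake.us",
]


def registrable_label(domain: str) -> str:
    """The label the registrant chose: 'amzn-offer' for amzn-offer.com.ng."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and len(parts[-1]) == 2:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(domain: str):
    """Return (score, reasons): +3 per brand string, +2 per near-miss token, +1 per lure stem."""
    label = registrable_label(domain)
    score, reasons = 0, []
    for brand in BRANDS:
        if brand in label:
            score += 3
            reasons.append(f"brand:{brand}")
    for token in label.split("-"):
        # Near-miss check only for tokens long enough to mean something and with no exact brand hit
        if len(token) < 5 or any(b in token for b in BRANDS):
            continue
        for brand in BRANDS:
            if SequenceMatcher(None, token, brand).ratio() >= 0.8:
                score += 2
                reasons.append(f"lookalike:{brand}")
    for stem in LURE_STEMS:
        if stem in label:
            score += 1
            reasons.append(f"lure:{stem}")
    return score, reasons


def rank(domains, threshold: int = 2):
    """Domains at or above the threshold, highest score first, as (domain, score, reasons)."""
    scored = [(d, *score_domain(d)) for d in domains]
    return sorted((t for t in scored if t[1] >= threshold), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for domain, score, reasons in rank(SAMPLE_DOMAINS):
        print(f"{score:2d}  {domain:30s}  {', '.join(reasons)}")
```

The threshold of 2 lets a domain with no brand string but two lure words (secured-logins) through while dropping ordinary business names such as casadipasta.fr; raise it when the portfolio is large and you only want the obvious brand abuse.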

Sample domains known to have been involved in the campaign include:

hxxp://biunj[.]top

hxxp://wzmxec[.]cn

hxxp://semainedelapopphilosophie[.]fr

hxxp://haileybeauty[.]fr

hxxp://kellyblake[.]us

hxxp://securitylab[.]hk

hxxp://texasaction[.]us

hxxp://kazuko[.]us

hxxp://purgestresser[.]xyz

hxxp://bagipokemon[.]com

hxxp://moneymatterswitheric[.]com

hxxp://idriss[.]fr

hxxp://bluesteelcraft[.]net

hxxp://phohangcu[.]com

hxxp://kookwinkels[.]net

hxxp://mediumsonja[.]net

hxxp://ukmshops[.]com

hxxp://makebelief[.]science

hxxp://depressioncure[.]science

hxxp://aisukoneko[.]net

hxxp://82flex[.]club

hxxp://ssri[.]science

hxxp://snri[.]science

hxxp://gadjahmada[.]org

hxxp://keralacultural[.]science

hxxp://internetmarketergroup[.]com

hxxp://sampitroda[.]science

hxxp://apjabdulkalam[.]science

hxxp://floatingmind[.]science

hxxp://neurotransmission[.]science

hxxp://sunitawilliams[.]science

hxxp://teslamemorial[.]science

hxxp://moodregulation[.]science

hxxp://antipsychotic[.]science

hxxp://originofearth[.]science

hxxp://wardenclyffetower[.]science

hxxp://antidepressant[.]science

hxxp://chuvabravasolfeliz[.]com

hxxp://vasthu[.]science

hxxp://resumosparaprovas[.]com[.]br

hxxp://ultra1337s[.]pro

hxxp://indiancultural[.]science

hxxp://resuminhosparaprovas[.]com

hxxp://benchfee[.]net

hxxp://homijbhabha[.]science

hxxp://blunder[.]science

hxxp://paradisusloscabos[.]com

hxxp://meums[.]edu[.]ly

hxxp://serinformatico[.]com

hxxp://gs-france[.]fr

hxxp://modaparatodo[.]com[.]br

hxxp://proshoponline[.]com[.]br

hxxp://sr-ken1[.]com

hxxp://iltdamktdigital[.]com[.]br

hxxp://meums[.]ly

hxxp://sportday[.]com[.]br

hxxp://chauffeur24[.]ma

hxxp://shoukai-system[.]net

hxxp://fuertedestination[.]com

hxxp://bykvu[.]com

hxxp://f-gmail[.]com

hxxp://marsoul-tech[.]ly

hxxp://alanosempre[.]com

hxxp://esercizi-e-rimedi[.]com

hxxp://whdhwfawla[.]com

hxxp://vectorofdream[.]club

hxxp://p-at-g[.]info

hxxp://recruitmentsourcing[.]us

hxxp://koisit[.]com

hxxp://your-candle[.]com

hxxp://woshilaosijikuaishangche[.]xyz

hxxp://casadipasta[.]fr

hxxp://connectionloop[.]jp

hxxp://osamathabet[.]com

hxxp://capl[.]com[.]sg

hxxp://puccinis[.]us

hxxp://allinfotoday[.]us

hxxp://btler[.]kz

hxxp://aventerpriseindia[.]com

hxxp://smart99sendai[.]com

hxxp://mgo777[.]us

hxxp://ced-guitare34[.]fr

hxxp://suntech[.]com[.]pa

hxxp://merhawitravels[.]com

hxxp://weknownothingpodcast[.]com

hxxp://purehempsoap[.]ca

hxxp://organia[.]com[.]ua

hxxp://lnwgame[.]com

hxxp://vikingventures[.]us

hxxp://vygoranie[.]su

hxxp://my-mail-gmail[.]com

hxxp://login-mail-gmail[.]com

hxxp://fundaciondeespecialistas[.]com

hxxp://market365[.]com[.]ua

hxxp://lindsayfashions[.]com

hxxp://jornaldosbairrosonline[.]com[.]br

hxxp://petirketarketir[.]vip

hxxp://siam1[.]net

hxxp://hi9765[.]com

hxxp://fathersclub[.]us

hxxp://account-my-mail-gmail[.]com

hxxp://myaccount-my-mail-gmail[.]com

hxxp://goodgirls101[.]com

hxxp://freender[.]us

hxxp://myaccounts-mail-gmail[.]com

hxxp://hot-auto[.]com[.]ua

hxxp://ygu-1[.]net

hxxp://xn--jn2a86s[.]tw

hxxp://kvadrat-m[.]com

hxxp://curriculo2022[.]com

hxxp://vishakafoundation[.]com

hxxp://app12123[.]com

hxxp://donnaree[.]net

hxxp://e-standart[.]com

hxxp://neposidko[.]com

hxxp://mgo55[.]us

hxxp://bidiknews24[.]com

hxxp://mosclub[.]su

hxxp://iniq[.]us

hxxp://mfenno[.]com

hxxp://2t[.]gs

hxxp://deesign[.]co[.]kr

hxxp://mail-gmail[.]com

hxxp://iorganicpetshop[.]com

hxxp://iorganichouse[.]com

hxxp://humresource[.]com

hxxp://ko-bo-440[.]com

hxxp://hayao0819[.]com

hxxp://hog-lab[.]com

hxxp://hi12123[.]com

hxxp://hshealt[.]com

hxxp://myaccounts-my-mail-gmail[.]com

hxxp://findabitch[.]info

hxxp://my-account-mail-gmail[.]com

hxxp://gosspcrepair[.]com

hxxp://my-accounts-mail-gmail[.]com

hxxp://lizihost[.]com

hxxp://copticsite[.]com

hxxp://petenjess[.]com

hxxp://shinobu[.]kr

hxxp://shinbou[.]co[.]kr

hxxp://hamptoonu[.]com

hxxp://cryptbits[.]us

hxxp://cryptoskope[.]us

hxxp://blockhodl[.]us

hxxp://cryptomonist[.]us

hxxp://cityofcrypto[.]us

hxxp://chainofthings[.]us

hxxp://hesapcibaba[.]com

hxxp://emeraldenzosculptures[.]com

hxxp://gh-herbals[.]us

hxxp://hallareview[.]com

hxxp://solnyshko-2022[.]kz

hxxp://amzn-offer[.]com[.]ng

hxxp://rce[.]net[.]cn

hxxp://arol[.]us

hxxp://consejoscomunalesparaladefensaintegral[.]xyz

hxxp://noticiasnaweb[.]net

hxxp://quick2pey[.]us

hxxp://microsoftupdale[.]com

hxxp://sribiosys[.]com

hxxp://proxmoxve[.]cn

hxxp://whmcsservices[.]cn

hxxp://virtualizor[.]cn

hxxp://goodealhosting[.]cn

hxxp://fetomagduruaileler[.]net

hxxp://28subatvefetomagduruaileler[.]net

hxxp://zjmftheme[.]cn

hxxp://shieyingxiong[.]cn

hxxp://whmcshelp[.]com

hxxp://habersilvangazetesi[.]com

hxxp://dusunce360[.]com

hxxp://hurtakipci[.]com

hxxp://urfahurhaber[.]com

hxxp://dieq41[.]com

hxxp://arminarekaperdanahalim[.]com

hxxp://cains[.]party

hxxp://topsalestoday[.]us

hxxp://stuartpowell[.]us

hxxp://animu[.]su

hxxp://cleanconnect[.]us

hxxp://truthtrend[.]us

hxxp://milina[.]jp

hxxp://pchd[.]one

hxxp://ricambiauto[.]us

hxxp://rachelmorton[.]us

hxxp://shopauro[.]us

hxxp://sppt[.]us

hxxp://effectivtech[.]us

hxxp://careerchanger[.]us

hxxp://jleon-automation[.]us

hxxp://johnlwaite[.]com

hxxp://lakeshore[.]tw

hxxp://no-no-no-no[.]com

hxxp://alisonjones[.]us

hxxp://segner[.]us

hxxp://charliem[.]us

hxxp://valuation[.]co[.]il

hxxp://no-no[.]com

hxxp://trumpersonly[.]us

hxxp://posten-no-no[.]com

hxxp://totallyavir[.]us

hxxp://kathypizzino[.]us

hxxp://wildburger[.]us

hxxp://cfodesk[.]co[.]il

hxxp://whisky-a-no-no[.]com

hxxp://trevorhill[.]us

hxxp://charliemoore[.]us

hxxp://no-no-no[.]com

hxxp://michaelstamerfarms[.]com

hxxp://voidedparadox[.]com

hxxp://my-no-no[.]com

hxxp://zeromatter[.]us

hxxp://cuntmode[.]com

hxxp://figyak[.]com

hxxp://oht[.]com[.]tw

hxxp://herbalhongkong[.]com

hxxp://mo-no-no[.]com

hxxp://jumphost[.]kz

hxxp://nana-no-no[.]com

hxxp://liveearth-no-no[.]com

hxxp://candronepilotcoop[.]com

hxxp://celebrity-no-no[.]com

hxxp://escobarproductions[.]us

hxxp://yasu-no-no[.]com

hxxp://vjdiamonds[.]co[.]il

hxxp://burkardt[.]us

hxxp://buy-no-no[.]com

hxxp://makabaka[.]us

hxxp://me-no-no[.]com

hxxp://pnrsyntax[.]us

hxxp://big-no-no[.]com

hxxp://visentagroup[.]com

hxxp://aki-no-no[.]com

hxxp://carte-vital-notification[.]fr

hxxp://epichi[.]us

hxxp://vpnsvr[.]top

hxxp://verification-amazon-fr[.]fr

hxxp://laurencecouture[.]fr

hxxp://it-serve[.]pro

hxxp://thefeelgoodhood[.]com

hxxp://bookrichandsassy[.]com

hxxp://pio-no-no[.]com

hxxp://apt4[.]kr

hxxp://minjs[.]us

hxxp://demandredesign[.]org

hxxp://riches-elenas[.]kz

hxxp://test-ryhall-dns-is-us-test-gmail[.]com

hxxp://try-no-no[.]com

hxxp://eliteautoloans[.]ca

hxxp://akixi-test-gmail[.]com

hxxp://get-no-no[.]com

hxxp://fatemzassl[.]com[.]ng

hxxp://aryamatbaa[.]com

hxxp://official-no-no[.]com

hxxp://thizastore[.]com[.]br

hxxp://everydayweplay365new[.]com

hxxp://curiousq[.]info

hxxp://hgarbaglobalventures[.]com[.]ng

hxxp://dafdfeafeae[.]com

hxxp://facebooksexlist[.]com

hxxp://attavitacons[.]com

hxxp://test-bh-staging-domain28082021025944[.]com

hxxp://politics-is-a[.]science

hxxp://alexcohen[.]us

hxxp://esv[.]jp

hxxp://wagnitzsoftware[.]com

hxxp://cdcysj[.]cn

hxxp://demonslayerswords[.]net

hxxp://wolftecno[.]com

hxxp://epic-hi[.]us

hxxp://outletku[.]com

hxxp://serialmail[.]net

hxxp://oh-no-no[.]com

hxxp://cysj1[.]cn

hxxp://skjdnsn[.]com

hxxp://sallybestor[.]com

hxxp://hotelfortkolesnik[.]com

hxxp://birdy[.]com[.]tw

hxxp://ebiz[.]co[.]il

hxxp://youngfaith[.]us

hxxp://vitejambe[.]com

hxxp://kittybox[.]us

hxxp://artech-a[.]fr

hxxp://jrspipesandtubes[.]com

hxxp://herbsandnature[.]us

hxxp://tlftest[.]us

hxxp://laboratorioedn[.]com

hxxp://subprimary[.]com

hxxp://cyrusmedia[.]ca

hxxp://trogdor-test-teststs-devee[.]com

hxxp://leenuts[.]com

hxxp://gmo-test-2022-05-05-ishitoya01[.]com

hxxp://dd9[.]co[.]kr

hxxp://smsvg[.]com

hxxp://s-proj[.]co[.]il

hxxp://spartanguild[.]com

hxxp://becysj[.]cn

hxxp://test-bh-staging-domain06092021131217[.]com

hxxp://tjcysj[.]cn

hxxp://thanushcreations[.]com

hxxp://cartevitale-am[.]fr

hxxp://piephomedia[.]com

hxxp://theinquiryhub[.]com

hxxp://smsnh[.]com

hxxp://yuanayu[.]com

hxxp://plusswagath[.]com

hxxp://asukaindonesia[.]com

hxxp://smsrb[.]com

hxxp://maacademia[.]com

hxxp://topfactsglobal[.]com

hxxp://prakrie[.]com

hxxp://i-socialapp[.]com

hxxp://luzxd[.]us

hxxp://findmyiphone-view[.]com

hxxp://ipklll[.]us

hxxp://ip-pbx[.]su

hxxp://terminodador[.]com

hxxp://test1122[.]net

hxxp://manurnu[.]com

hxxp://testingdomainwsuite12345[.]net

hxxp://jorcustoms[.]com

hxxp://testingdomainwsuite123456[.]net

hxxp://0br[.]us

hxxp://yandex-toloka[.]ru[.]com

hxxp://dollpls[.]com

hxxp://weeblycombo2[.]com

hxxp://whcysj[.]cn

hxxp://weeblycombotesting1[.]com

hxxp://programadorweb[.]net

hxxp://aaravidevelopers[.]com

hxxp://44518[.]cn

hxxp://inviz[.]host

hxxp://kz123[.]cn

hxxp://collectifpolar[.]fr

hxxp://naromedia[.]space

hxxp://secandosemparar[.]com

hxxp://steemdice[.]online

hxxp://uvlfastmarket[.]com

hxxp://trackblogexperthealth[.]space

hxxp://changyouworld[.]cn

hxxp://weeblycombo[.]com

hxxp://lovepets[.]fr

hxxp://gombong[.]asia

hxxp://lei-nuo[.]com[.]cn

hxxp://runhr[.]us

hxxp://kaya-bunga[.]com

hxxp://dimensionengiservices[.]com

hxxp://thomashcliu[.]com

hxxp://ttglobaladvisory[.]net

hxxp://0xe[.]us

hxxp://underarmourstore[.]us

hxxp://friendsland[.]pp[.]ua

hxxp://eoczy[.]host

hxxp://qualiteletrica[.]com[.]br

hxxp://heskes[.]info

hxxp://quemseduzconquista[.]com

hxxp://nitix[.]biz

hxxp://starhelectricalservicesllc[.]com

hxxp://2xlipat[.]com

hxxp://mugyuphotoworks[.]com

hxxp://exroot[.]us

hxxp://promicom[.]ma

hxxp://ibracket[.]net

hxxp://compteabonnement[.]fr

hxxp://gotowka-doreki[.]info

hxxp://pamyu-pamyu[.]com

hxxp://ismarcoscastro[.]com

hxxp://a-gmail[.]com

hxxp://doremi-hochouki[.]com

hxxp://hahapetshop[.]com

hxxp://joshuahatten[.]com

hxxp://reza-najafi[.]com

hxxp://lloyds-area[.]com

hxxp://fibvo[.]com

hxxp://codenific[.]com

hxxp://linhtinhcenter[.]com

hxxp://zo1984[.]com

hxxp://lifevantagethai-nrf2[.]com

hxxp://greenenershop[.]com

hxxp://gaytravelcrowd[.]com

hxxp://aythotellock[.]com

hxxp://doooectb[.]com

hxxp://gratiasmarthome[.]com

hxxp://myrenttoownhomes[.]us

hxxp://voxchronicle[.]com

hxxp://cloudtest[.]asia

hxxp://teedin789[.]org

hxxp://car789[.]org

hxxp://alarmmoney[.]info

hxxp://cctvnon[.]com

hxxp://ouvoleravecmondrone[.]com

hxxp://vtechwriter[.]com

hxxp://greenmage321[.]com

hxxp://avtoremont36[.]xyz

hxxp://carav[.]us

hxxp://flowerwseb[.]info

hxxp://cjford[.]org

hxxp://ouvoleravecmondrone[.]net

hxxp://suns-vip[.]com

hxxp://mindyshousecleaners[.]com

hxxp://gaytravelcrowd[.]biz

hxxp://healthlantern[.]us

hxxp://greens333[.]com

hxxp://vacation-crowd[.]com

hxxp://blockpays[.]info

hxxp://rem971verslesucces[.]com

hxxp://nsr-sys[.]com

hxxp://aminpour[.]info

hxxp://ba2b[.]xyz

hxxp://nwtgck[.]xyz

hxxp://classhelper[.]us

hxxp://dustbinservices[.]com

hxxp://checkiclouds[.]info

hxxp://lclsecuret[.]com

hxxp://toretto[.]host

hxxp://antoinetbt[.]host

hxxp://ecomyparty[.]com

hxxp://vil-diesel[.]host

hxxp://ontime-a[.]com

hxxp://canlammotteam[.]host

hxxp://dominic-toretto[.]host

hxxp://semailaanhem[.]host

hxxp://badromance[.]host

hxxp://cd-storage-reviews[.]com

hxxp://antoinegriezmann[.]host

hxxp://seeyouagain[.]host

hxxp://mrtbt[.]host

hxxp://line-dn[.]com

hxxp://eklink[.]org

hxxp://emlakhaberleri[.]org

hxxp://eklink[.]info

hxxp://legendturk[.]biz

hxxp://secured-logins[.]online

hxxp://64bitcongnghe[.]com

hxxp://pocket0077[.]com

hxxp://dallaporte[.]com

hxxp://etchmall[.]com

hxxp://accounts-my-mail-gmail[.]com

hxxp://account-mail-gmail[.]com

hxxp://accounts-mail-gmail[.]com

hxxp://art-photo-story[.]com

hxxp://azarter[.]com

hxxp://youractiontoys[.]com

hxxp://sil21[.]com

hxxp://indicatorchoice[.]com

hxxp://myaccount-mail-gmail[.]com

hxxp://teamkill[.]pro

hxxp://mdhanastha[.]com

hxxp://smpplugin[.]com

hxxp://smp-plugin[.]com

hxxp://todaymagazine[.]xyz

hxxp://thecouponparty[.]com

hxxp://todayradio[.]xyz

hxxp://serva4ok[.]pro

hxxp://forteam[.]pro

hxxp://facebuilder[.]xyz

hxxp://irandirectory[.]xyz

hxxp://mixandmastering[.]xyz

hxxp://nameforbaby[.]xyz

hxxp://justpayforshipping[.]biz

hxxp://justpayforshipping[.]org

hxxp://justpayforshipping[.]info

hxxp://lambdaf[.]info

hxxp://herdiesel-santoso[.]com

hxxp://keywordriches[.]org

hxxp://energybodyart[.]com

hxxp://floresemangola[.]com

hxxp://sonyatour[.]com

hxxp://doktorhatasi[.]biz

hxxp://probono123[.]org

hxxp://personalitynetwork[.]org

hxxp://gold4money[.]us

hxxp://odt[.]moscow

hxxp://okget[.]xyz

hxxp://mixedfire[.]com

hxxp://batikidalestari[.]com

hxxp://frugalandresponsibleliving[.]com

hxxp://makrandownload[.]com

hxxp://yfilatov[.]xyz

hxxp://artbodyart[.]com

hxxp://meme-generator[.]info

hxxp://delhitransport[.]info

hxxp://trisnoidamanbatik[.]com

hxxp://modadhanasta[.]com

hxxp://okemoviezone[.]com

hxxp://gowanusindustrial[.]org

hxxp://ydafmc[.]com

hxxp://books-mania[.]com

hxxp://buettner[.]science

hxxp://vdeserve[.]com

hxxp://k-u-n-s-t-s-t-o-f-f[.]com

hxxp://f-f[.]com

hxxp://f-l-u-f-f[.]com

hxxp://a-f-f[.]com

hxxp://t-a-f-f[.]com

hxxp://b-f-f[.]com

hxxp://k-f-f[.]com

hxxp://f-f-f[.]com

hxxp://m-f-f[.]com

hxxp://g-f-f[.]com

hxxp://p-u-f-f[.]com

hxxp://s-t-a-f-f[.]com

hxxp://okrok[.]info

hxxp://d-i-f-f[.]com

hxxp://roukio[.]info

hxxp://t-f-f[.]com

hxxp://teotio[.]info

hxxp://s-u-n-o-f-f[.]com

hxxp://s-t-i-f-f[.]com

hxxp://okrok[.]org

hxxp://w-f-f[.]com

hxxp://teotio[.]org

hxxp://h-f-f[.]com

hxxp://pokere[.]org

hxxp://v-f-f[.]com

hxxp://roukio[.]org

hxxp://f-a-c-e-o-f-f[.]com

hxxp://s-u-f-f[.]com

hxxp://take-o-f-f[.]com

hxxp://u-s-f-f[.]com

hxxp://qeou[.]online

hxxp://u-f-f[.]com

hxxp://karatsu-f-f[.]com

hxxp://j-f-f[.]com

hxxp://l-f-f[.]com

hxxp://o-f-f[.]com

hxxp://f--f[.]com

hxxp://e-f-f[.]com

hxxp://gardener-f-f[.]com

hxxp://i-f-f[.]com

hxxp://p-j-f-f[.]com

hxxp://y-f-f[.]com

hxxp://s-f-f[.]com

hxxp://c-f-f[.]com

hxxp://boulangerie-dupont-f-f[.]com

hxxp://s-t-f-f[.]com

hxxp://n-u-f-f[.]com

hxxp://ca-f-f[.]com

hxxp://sts-rci-rogers[.]ca

hxxp://p-f-f[.]com

hxxp://scholarlysources[.]com

hxxp://f-f-f-f[.]com

hxxp://globalrealez[.]com

hxxp://df-we-4234-f-we-fw-4234-f-we-f-f[.]com

hxxp://iconarise[.]com

hxxp://hamad-f-f[.]com

hxxp://toplifedailylive[.]com

hxxp://n-f-f[.]com

hxxp://s-o-f-f[.]com

hxxp://p-i-s-s-o-f-f[.]com

hxxp://c-u-f-f[.]com

hxxp://d-f-f[.]com

hxxp://z-f-f[.]com

hxxp://r-i-f-f[.]com

hxxp://r-f-f[.]com

hxxp://innovationoffice[.]org

hxxp://mindsxchange[.]com

hxxp://marketresearchcolloquium[.]com

hxxp://danielles-f-f-f[.]com

hxxp://x-f-f[.]com

hxxp://q-f-f[.]com

hxxp://platformxchange[.]com

hxxp://d-i-l-l-i-g-a-f-f[.]com

hxxp://c-i-f-f[.]com

hxxp://k-y-f-f[.]com

hxxp://kairosteknoloji[.]download

hxxp://enesaldemir[.]net

hxxp://tenadesign[.]net

hxxp://shyfzorg[.]com

hxxp://disdikbud-papua[.]org

hxxp://al-azharaslichmughny[.]org


Profiling the Recently Seized Samourai Cryptocurrency Mixer Service - An Analysis

June 13, 2024

I've decided to take a closer look at the recently seized domain portfolio of the infamous Samourai cryptocurrency mixer. Its infrastructure consists of several primary and several secondary domains, a sizeable social media presence, and an Android application for the mixing service.

Sample description of the service:

"Samourai Wallet is the most feature rich and advanced bitcoin wallet available on Android today. It has been created from the ground up by privacy activists to be extremely portable, highly secure, and lead the pack in protecting the privacy of bitcoin users.

- Full Segwit Support for the most efficient transactions and lowest miner fees

- You control your private keys on your device, they are never communicated with any server

- Best in class dynamic miner fee estimation and custom fee settings

- STONEWALL for increasing the privacy of your transactions

- Ricochet spend for mitigation against address clustering attacks

- Send and receive Stealth Payments directly into your wallet with PayNym (BIP47)

- Deterministic sorting of input/outputs to prevent the wallet from leaving a discernible block chain fingerprint (BIP69)

- Bump a stuck transaction with full Replace By Fee (RBF) and Child Pays for Parent (CPFP) support

- Route outgoing transactions via your own trusted node

- No addresses are reused to help manage metadata leakage

- Standard import/export functionality. Compatible with any other BIP44/BIP49/BIP84 wallet.

- Stealth mode hides the wallet on the device. Dial a secret code to access your wallet.

- Enable remote SMS commands to regain access to your funds if you lose your phone

- Block Explorer support for all popular services

- Passphrase protection by default (BIP39)

- Fully encrypted client side and offline

- Connect via your preferred VPN

- Connect via Tor (Socks5 proxy)"


Primary domains involved in the campaign include:

hxxp://samourai.io

hxxp://samouraiwallet.com

hxxp://samourai.support

Sample responding IPs:

68[.]65[.]123[.]241

198[.]27[.]104[.]163

37[.]143[.]131[.]158

162[.]255[.]119[.]8

82[.]221[.]130[.]110

37[.]143[.]131[.]230

52[.]203[.]48[.]25

162[.]255[.]119[.]42

136[.]243[.]224[.]53

193[.]29[.]187[.]225

82[.]221[.]131[.]139

82[.]221[.]139[.]204

172[.]67[.]194[.]72

206[.]253[.]90[.]229

104[.]21[.]68[.]107

193[.]29[.]187[.]21

Related responding IPs:

37[.]143[.]131[.]158

160[.]19[.]51[.]112

82[.]221[.]131[.]27

185[.]165[.]170[.]172

99[.]83[.]154[.]118

185[.]165[.]170[.]173

82[.]221[.]131[.]139

188[.]214[.]30[.]147

192[.]95[.]12[.]14

162[.]255[.]119[.]161

37[.]143[.]131[.]195

185[.]165[.]170[.]143

Related domains known to have been involved in the campaign include:

hxxp://oxtresearch.com

hxxp://nextblock.is

hxxp://samourai.email

Sample social media accounts:

hxxp://twitter.com/SamouraiWallet

Android application URL:

hxxp://play.google.com/store/apps/details?id=com.samourai.wallet&hl=en_US

hxxp://www.youtube.com/c/Samouraiwallet

hxxp://www.facebook.com/samouraiwallet

hxxp://github.com/Samourai-Wallet

The group behind the cryptocurrency mixing service also maintains several other domains:

hxxp://paynym.is - 193[.]29[.]187[.]225; 192[.]95[.]12[.]14; 188[.]214[.]30[.]147

hxxp://oxt.me

hxxp://sovereign.ly

hxxp://mule.tools

Sample known responding IPs:

13[.]56[.]33[.]8

54[.]243[.]255[.]92

54[.]225[.]158[.]198

50[.]19[.]120[.]203

199[.]73[.]55[.]35

188[.]114[.]96[.]6

23[.]217[.]138[.]108

188[.]114[.]97[.]3

198[.]54[.]117[.]218

188[.]114[.]96[.]0

198[.]54[.]117[.]217

104[.]21[.]65[.]40

192[.]64[.]119[.]152

188[.]114[.]97[.]29

23[.]202[.]231[.]167

I'll continue monitoring the campaign and will post updates as soon as new developments take place.


A Compilation of DDoS Booter Services URLs - An Analysis

June 13, 2024
The following is a compilation of publicly accessible DDoS booter (stresser) service URLs.

Sample related URLs:

Wassim Gerges Dahdan’s Advanced Web Tech’s (AWT) Al-Manar Hosting Provider

June 13, 2024

Dear blog readers,

In this analysis I'll discuss and provide actionable intelligence on Wassim Gerges Dahdan’s Advanced Web Tech’s (AWT) Al-Manar Hosting Provider.

Name: Khalil Abbas

Company: Advanced Web Tech

Site URL: hxxp://awt.com.lb

Email: webmaster[.]awt.com.lb

Phone: 009613481199

Current domain registrations:

hxxp://lcg-lb.com


Related domain registrations:


Related Advanced Web Tech domain registrations:



Exposing the MOLERaTS Cyber Threat Actor - An Analysis

June 13, 2024

Dear blog readers,

In this analysis I'll take an in-depth look inside the MOLERaTS cyber threat actor in terms of actionable intelligence and the gang's online and Internet-connected infrastructure.

Related URLs:

hxxp://bitly[.]com/1YRoIPX

hxxp://mafy[.]2waky[.]com

Related known responding IPs:


Related primary group's URLs:


Personally identifiable email address account:

moayy2ad[.]hotmail.com

Related MD5s:

b1071ab4c3ef255c6ec95628744cfd3d

77d6e2068bb3367b1a46472b56063f10

Related C&Cs:

hxxp://mrayesh[.]blogspot[.]com

hxxp://education-support[.]space

hxxp://falcondefender[.]com

hxxp://support-update[.]ml

hxxp://such[.]market

Related known responding IPs:


Related MD5s:


Related C&C URLs:


Related MD5s:



My Team WhoisXML API at RSAC2024

May 10, 2024
Dear blog readers,
I wanted to say that I'm proud to have been part of the WhoisXML API Team for three years and two months now as a DNS Threat Researcher, and I promise that I'll continue crunching my usual batch of white papers on a monthly basis.

Related photos:

Stay tuned.

Exposing Bulgaria’s "Circles" Commercial Spyware Vendor - An Analysis

April 26, 2024

It doesn't get any better than this.

Infecting users with commercial spyware, having somehow infiltrated the global ecosystem of exploits and vulnerabilities, including "cyber arms", for your own commercial gain and others' suffering, to the point of point-and-click malware infections of both experienced and simple users, is simply disgusting.

Here's my OSINT analysis of Bulgaria's infamous commercial spyware vendor known as Circles.

hxxp://circles.bz - support@circles.bz

Nadezhda Ropleva -> hxxp://lighthousesystem.net

52.29.174.30 -> ec2-52-29-174-30.eu-central-1.compute.amazonaws.com -> hxxp://vulcan-club-online.com

Related responding IPs:


hxxp://nac-2013.us - Email: dimitar.markov@circles.bz

hxxp://globalhubcom.com - Email: YyhplaFwhvhlp@hotmail.com - Email: nadia.ropleva@circles.bz

46.107.239.88 -> hxxp://worldsupport.info

AS60097

hxxp://vulcan-club-online.com -> hxxp://vlk-casino-club.com

Social media accounts:

hxxp://www.facebook.com/nadia.ropleva

hxxp://www.slideshare.net/nadiaropleva

Stay tuned.
