mypdns / matrix

My Privacy DNS #Matrix lists for blacklisting
https://mypdns.org/

91.215.85.223 - Godzilla Loader host #650

Closed g0d33p3rsec closed 2 weeks ago

g0d33p3rsec commented 2 weeks ago


This IP is hosting files and Command and Control (C2) infrastructure for the Godzilla Loader. An open directory listing is visible at http://91.215.85.223/. The Godzilla login can be seen at http://91.215.85.223/kanorindex.php. The site is hosting the following malicious files, most of which are associated with Azorult 3.3, Rhadamanthys, PureCrypter, Pure Miner, zgRAT and obfuscated using .NET Reactor:

See also: https://github.com/mitchellkrogza/phishing/pull/446

Wildcard domain records

32.223.85.215.91|malicious

Sub-Domain records

No response

Hosts (RFC:953) specific records, not used by DNS RPZ firewalls

No response

SafeSearch records

No response

Screenshots

Screenshot
![346653974-f767bfae-b5f2-4973-888c-b774af1d58f2](https://github.com/mypdns/matrix/assets/108126637/ad05598f-3de6-4ebb-8e2e-c0df4c7ea3b3)
![346654029-e47b5241-c752-4dd0-a05d-b0f3005e4e0e](https://github.com/mypdns/matrix/assets/108126637/60d4ba2c-8d79-456b-8fba-b4548d3f2a05)
![346654172-b7fa705d-672c-4863-8b99-b4439091e465](https://github.com/mypdns/matrix/assets/108126637/01d276cc-5012-4a8e-a79d-77dbedf03601)

Links to external sources


Logs from uBlock Origin

N/A

g0d33p3rsec commented 2 weeks ago

@spirillen I'll populate the additional domains later today. I wanted to try to avoid a repeat of my mistake from #640 yesterday by listing everything in a single issue.