91.215.85.223 - Godzilla Loader host #650

Closed
g0d33p3rsec opened this issue Jul 8, 2024 · 1 comment · Fixed by #678
Labels
Malicious Domains used for Malicious software

g0d33p3rsec (Collaborator) commented:
This IP is hosting files and Command and Control (C2) infrastructure for the Godzilla Loader. An open directory listing is visible at http://91.215.85.223/. The Godzilla login can be seen at http://91.215.85.223/kanorindex.php. The site is hosting the following malicious files, most of which are associated with Azorult 3.3, Rhadamanthys, PureCrypter, Pure Miner, zgRAT and obfuscated using .NET Reactor:

  • AZORult V3.3 / Rhadamanthys
    http://91.215.85.223/asdf.EXE
    http://karimgouss.ug/asdf.EXE
    https://www.virustotal.com/gui/file/33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546
    https://app.any.run/tasks/88e3e025-c801-48ea-bc8b-2a063222e8a3/
    https://any.run/report/33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546/88e3e025-c801-48ea-bc8b-2a063222e8a3

  • trojan.msil/blocker
    https://www.virustotal.com/gui/file/7ccfae8644c3bc7439b88f2dc0de06bb5082de09b0bf5e143de17487ff252224
    https://app.any.run/tasks/715219ee-cd52-49ae-839c-227f68b5c15a/
    https://any.run/report/7ccfae8644c3bc7439b88f2dc0de06bb5082de09b0bf5e143de17487ff252224/715219ee-cd52-49ae-839c-227f68b5c15a

  • trojan.powershell/pwrsh
    https://www.virustotal.com/gui/file/82f7781ebf1aa649a3697ed570fc11ba0a35b810782c953c145850f314c07e21
    https://app.any.run/tasks/f3076fd2-9bb5-41ca-bdf5-b17ff0526c4c/
    https://any.run/report/82f7781ebf1aa649a3697ed570fc11ba0a35b810782c953c145850f314c07e21/f3076fd2-9bb5-41ca-bdf5-b17ff0526c4c#i-table-processes-6a874d93-8bb5-4eb7-a3a2-60ccde0eb4c7

See also: mitchellkrogza/phishing#446

Wildcard domain records

32.223.85.215.91|malicious
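An added example for readers who feed records like the one above into a DNS RPZ zone (not code from this issue or the project): it converts a dotted IPv4 address or CIDR into the reversed-octet rpz-ip trigger form and parses the `trigger|label` line back into CIDR notation. The `CNAME .` zone action is an assumed default.

```python
import ipaddress

# An RPZ IP trigger is "<prefix-length>.<IPv4 octets in reverse order>"
# placed under the rpz-ip label of the policy zone, so the host reported
# here, 91.215.85.223, becomes the /32 trigger 32.223.85.215.91.


def rpz_ip_trigger(network: str) -> str:
    """Return the reversed-octet RPZ trigger for an IPv4 address or CIDR."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4:
        raise ValueError("this example handles IPv4 triggers only")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets))


def rpz_record(network: str, action: str = "CNAME .") -> str:
    """Zone-file line for the trigger; 'CNAME .' (NXDOMAIN) is an assumed default."""
    return f"{rpz_ip_trigger(network)}.rpz-ip {action}"


def parse_record(line: str) -> tuple[str, str]:
    """Parse the 'trigger|label' form used in the issue template field above
    back into CIDR notation, validating that the octets form a real network."""
    trigger, _, label = line.strip().partition("|")
    prefix, *reversed_octets = trigger.split(".")
    if len(reversed_octets) != 4:
        raise ValueError(f"not an IPv4 rpz-ip trigger: {trigger}")
    cidr = ".".join(reversed(reversed_octets)) + f"/{prefix}"
    ipaddress.ip_network(cidr)  # strict: raises if host bits are set or prefix is bad
    return cidr, label


if __name__ == "__main__":
    print(rpz_record("91.215.85.223"))
    print(parse_record("32.223.85.215.91|malicious"))
```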

Sub-Domain records

No response

Hosts (RFC:953) specific records, not used by DNS RPZ firewalls

No response

SafeSearch records

No response

Screenshots

Three screenshots were attached to the issue (images not reproduced here).

Links to external sources


logs from uBlock Origin

N/A

@g0d33p3rsec g0d33p3rsec added the Malicious Domains used for Malicious software label Jul 8, 2024
g0d33p3rsec (Collaborator, Author) commented:
@spirillen I'll populate the additional domains later today. I wanted to try to avoid a repeat of my mistake from #640 yesterday by listing everything in a single issue.
