185.81.115.28 and related Meduza Stealer infrastructure

[g0d33p3rsec]

Comments

This IP is hosting several domains that are being used to distribute MeduzaStealer. When the file is viewed on VirusTotal, the string {"C2 url": "79.137.197.154:15666"} is visible in the Decoded Text section of the behavior report. Viewing http://79.137.197.154/ shows the login screen for the C2 dashboard.

Wildcard domain records

32.28.115.81.185|malicious

Sub-Domain records

No response

Hosts (RFC:953) specific records, not used by DNS RPZ firewalls

No response

SeafeSearch records

No response

Screenshots

Screenshot

Links to external sources

185.81.115.28
C2 -> 79.137.197.154:15666
https://185.81.115.28/lander/6cw/PACKAGE_DEMO.exe
http://79.137.197.154/auth/login
https://crypto-wave.net/lander/6cw/PACKAGE_DEMO.exe
https://crypto-wave.store/lander/6cw/PACKAGE_DEMO.exe
https://crypto-wave.top/lander/6cw/PACKAGE_DEMO.exe 
https://cutepoochstore.com/lander/6cw/PACKAGE_DEMO.exe
https://www.cutepoochstore.com/lander/6cw/PACKAGE_DEMO.exe
https://dubai-never-sleep.agency/lander/6cw/PACKAGE_DEMO.exe
https://fsqaj.com/lander/6cw/PACKAGE_DEMO.exe 
https://5a94eca1-13d6-4443-924a-ad8ecc9eee15.random.fsqaj.com/lander/6cw/PACKAGE_DEMO.exe
https://sitemaps.fsqaj.com/lander/6cw/PACKAGE_DEMO.exe
https://www.fsqaj.com/lander/6cw/PACKAGE_DEMO.exe
https://michaelconstantinebhanos.com/lander/6cw/PACKAGE_DEMO.exe 
https://www.michaelconstantinebhanos.com/lander/6cw/PACKAGE_DEMO.exe
https://simplylovingproducts.com/lander/6cw/PACKAGE_DEMO.exe
https://www.simplylovingproducts.com/lander/6cw/PACKAGE_DEMO.exe
https://www.virustotal.com/gui/file/44e715e3d9b5434c099452cc2cd991b1f02d4aba25114341a37dc142efd089ff
https://urlscan.io/result/df9b6e3c-593e-45e2-88cf-71a3eb013fb7/
https://urlscan.io/search/#page.ip:%22185.81.115.28%22
https://www.virustotal.com/gui/ip-address/79.137.197.154
https://urlscan.io/result/1f50e487-c5df-498c-9fa1-c71b7cb0c961/
https://app.any.run/tasks/ca4568e0-294d-429a-a850-28380a384521
https://any.run/report/44e715e3d9b5434c099452cc2cd991b1f02d4aba25114341a37dc142efd089ff/ca4568e0-294d-429a-a850-28380a384521

logs from uBlock Origin

N/A

[spirillen]

Damned, this is teen records in one..., will solves this for you, as you are a big supplier of info

[g0d33p3rsec]

Damned, this is teen records in one..., will solves this for you, as you are a big supplier of info

Sorry about that. I wasn't sure which approach would be best. It felt like it made sense to keep the group together to show the relation. What would be the best way to keep this sort of information organized here? A parent post with the host IP then reference the derived domains and C2?