HSBC phish ** running on getwealthi[.]com

1. Found: 2018-04-09 15:20:08.367000
2. URL: https://getwealthi.com/hbfd.zip
3. File: getwealthi.com-foo-hbfd.zip
4. Domain: getwealthi.com
5. Target: HSBC
6. Name Size Date MD5 hbfd/images/cmplete.png 941 2017-06-21 22:55:34 cc320e634754298804295f84e2d6a7c1
7. hbfd/images/continue.png 1181 2017-06-21 22:46:28 1cf27336334ba766fa0397fd078f1bc4
8. hbfd/images/favicon.ico 4663 2017-06-06 02:07:14 45c769d7b53bb91b3286262d926368bd
9. hbfd/images/h24.png 21879 2017-06-06 01:24:06 47d061a76b9c12fd24252d8cd1e60627
10. hbfd/images/hhb.gif 32584 2017-06-06 01:46:58 dcb01c076001abf8964b98a50b517634
11. hbfd/images/s1.png 62935 2017-06-21 22:41:54 79bb7d2ce4b47588f755c524584226c4
12. hbfd/images/s10.png 31495 2017-06-21 22:47:30 2b257342a248f6449466b018653befd1
13. hbfd/images/s11.png 18904 2017-06-21 22:48:46 b542908c4bf79a10c3b36530f60b1c88
14. hbfd/images/s13.png 9509 2017-06-21 22:49:20 c923a2eb57433ada1530ee0af13ddede
15. hbfd/images/s14.png 27843 2017-06-21 22:49:36 1c30eab56746d74ff5218a2603673691
16. hbfd/images/s15.png 847 2017-06-21 22:50:12 ee9014dd14a6f1efb828b64e95dfa8f8
17. hbfd/images/s16.png 27813 2017-06-21 22:50:44 7a756f3cb2c784e160d7721632dc968a
18. hbfd/images/s17.png 16866 2017-06-21 22:51:14 8443d7aab168c2ff1e5ebf1403f7db94
19. hbfd/images/s18.png 30389 2017-06-21 22:51:34 90ad1326dc10f5690288e0a61e8d6dc2
20. hbfd/images/s19.png 6424 2017-06-21 22:51:44 69705ee5ddad457c3612457a3409a5d6
21. hbfd/images/s2.png 25392 2017-06-21 22:42:26 465cec99c15695c7a8d7f3c7f30c01b0
22. hbfd/images/s21.png 10692 2017-06-21 22:52:32 ce2dd318ef1537d62e6153761696d4f7
23. hbfd/images/s22.png 12762 2017-10-20 17:04:00 f6138477872ea260ee7ba8a329a337a6
24. hbfd/images/s23.png 3311 2017-06-21 22:53:24 7095c65c62ccdd5df7d4415815907377
25. hbfd/images/s24.png 284 2017-06-21 22:53:36 45197c84088b22a046f2352d84f71382
26. hbfd/images/s25.png 10640 2017-06-21 22:54:48 ec3e56160edada09a0f2790cda51411c
27. hbfd/images/s26.png 8043 2017-10-21 01:06:42 9f65e35510ce79598132a22ddaf981ca
28. hbfd/images/s27.png 3062 2017-06-21 23:15:58 264a25cc40a25ff44dd6e1ba49a8780b
29. hbfd/images/s3.png 27923 2017-06-21 22:42:54 529eecd49d1668e4ab54b0ba3a2544b6
30. hbfd/images/s4.png 19474 2017-06-21 22:43:40 82e6ba6cd1207ff3036e84d054388357
31. hbfd/images/s5.png 1211 2017-06-21 22:44:02 d0486fa813a39f02ed38ee947f05233c
32. hbfd/images/s6.png 13615 2017-06-21 22:44:34 005d731f5171cfa188854ae81dce5b93
33. hbfd/images/s7.png 12687 2017-06-21 22:45:28 66ae2c62d5bd9969bfa402510846a0a2
34. hbfd/images/s8.png 1137 2017-06-21 22:45:58 b58895a7b55e5c898ff121940b6ccc52
35. hbfd/images/s9.png 3967 2017-06-21 22:46:44 e012fc77e956c951e5c11fe9294a7e50
36. hbfd/index.php 144 2016-03-10 22:42:26 0526c242a1f7b6117202fe21d47e31b1
37. File appears in 167 kits and under 4 different file names
38. hbfd/login.php 3727 2017-06-21 23:28:54 f35d8ada98fd5db2e053f24963fe0ffb
39. hbfd/post1.php 1386 2017-10-26 22:11:18 3889d9e190f54c9dc3cadb18966bc7bf
40. hbfd/post2.php 2106 2017-10-26 22:11:32 d9d2544ef8611cde4fa39f6f1e044c8e
41. hbfd/post3.php 1721 2017-10-26 22:11:50 cabed20ef0038d95fdbdfc0ca5cc7495
42. hbfd/step2.php 2483 2017-06-21 23:31:20 e0f03b384d7064ec5c161c30b6681122
43. hbfd/step3.php 7567 2017-10-21 02:12:42 d9bbc0f6c86d44b7c79730944bd9f1ae
44. hbfd/step4.php 5133 2017-10-21 02:13:24 3a2ab072e890dc18db79defcd5c665ac
45. hbfd/step5.php 2139 2017-06-21 23:52:30 bfa7e9b40e15cc142df730f256378050
46.  
47. 4 Email addresses found:
48. sternaiverry@gmail.com
49. zagayzzyy@gmail.com (appears in 3 kits)
50. supertools@mxtoolbox.com
51. supertool@mxtoolbox.com (appears in 60 kits)
52.  
53.  
54.  
55. https://texasmalwareblog.blogspot.com @phish_total