MICROSOFT phish running on 162[.]144[.]25[.]189

1. Found: 2018-09-03 15:15:26.439000
2. URL: https://162.144.25.189/office-autopage-incorrect-pass.zip
3. File: 162.144.25.189-foo-office-autopage-incorrect-pass.zip
4. Domain: 162.144.25.189
5. Target: MICROSOFT
6. Name Size Date MD5 officelogs/authenticate.php 4077 2018-03-08 10:12:20 c87c14595b73ae5e4732b436fe8d03a4
7. officelogs/error.php 18429 2017-09-21 14:14:02 d9779b7472f313f36353938cd3664d6c
8.  
9. officelogs/geoplugin.class.php 4647 2017-09-21 14:13:48 c8ea1e960b48a620c00bc65d525a721c
10. File appears in 1330 kits and under 3 different file names
11. officelogs/index.php 13326 2017-09-21 14:13:40 05f80413b5927e606bbe6c1ea7186689
12.  
13. officelogs/login.php 1292 2018-03-08 10:12:06 be5a8c8767edf6485723b2b9496bc4d5
14. officelogs/pass.php 18316 2017-09-21 14:13:24 54d9b9ab9208c927460e3f5cccd3fdf6
15.  
16. officelogs/Sign in to your Microsoft account_files/AppCentipede_Microsoft.svg 7174 2017-09-21 14:15:52 aed5eb9ccea43f119a25b3b74c59c7e7
17. File appears in 115 kits
18. officelogs/Sign in to your Microsoft account_files/Default1033.css 73727 2017-09-21 14:15:44 902952e2e05ab3451fb7438bb77059fb
19. File appears in 87 kits and under 2 different file names
20. officelogs/Sign in to your Microsoft account_files/DefaultLogin_Core.js.txt 126766 2017-09-21 14:15:34 a85dcfb7c3eda9c13ad3690c2dd27822
21. File appears in 82 kits and under 2 different file names
22. officelogs/Sign in to your Microsoft account_files/DefaultLoginStrings1033.js.txt 9898 2017-09-21 14:15:28 b507b90640721b4e47154d97609105bc
23. File appears in 83 kits and under 2 different file names
24. officelogs/Sign in to your Microsoft account_files/logo.jpg 3602 2017-09-21 14:15:20 885531c6229490a82386b12b01cc5553
25. File appears in 68 kits
26. officelogs/Sign in to your Microsoft account_files/Microsoft_Logotype_Gray.svg 5435 2017-09-21 14:15:12 5feaa482d83c2a69d012f9bff660d373
27. File appears in 115 kits
28. officelogs/Sign in to your Microsoft account_files/prefetch.htm 3326 2017-09-21 14:15:06 68b1e3007431d49789c66d75b9f606c6
29. File appears in 68 kits
30. officelogs/Sign in to your Microsoft account_files/prefetch_data/boot.css 159658 2017-09-21 14:17:24 30da6f6f4e2d60d8aacbe2ed1583ae7f
31. File appears in 68 kits
32. officelogs/Sign in to your Microsoft account_files/prefetch_data/boot.js.txt 650764 2017-09-21 14:17:16 3fcf01abd2872c7fe233a3abaa50e122
33. File appears in 68 kits and under 2 different file names
34. officelogs/Sign in to your Microsoft account_files/prefetch_data/boot_002.js.txt 646615 2017-09-21 14:17:08 9c766769f81c9884d74819f3dfe915be
35. File appears in 68 kits and under 2 different file names
36. officelogs/Sign in to your Microsoft account_files/prefetch_data/boot_003.js.htm 650184 2017-09-21 14:16:58 4cfbdab231025e8b0ee7d08368516d5c
37. File appears in 68 kits and under 2 different file names
38. officelogs/Sign in to your Microsoft account_files/prefetch_data/boot_004.js.txt 648527 2017-09-21 14:16:50 1b403af938697ddd9ed483405ff47cd4
39. File appears in 68 kits and under 2 different file names
40. officelogs/Sign in to your Microsoft account_files/prefetch_data/sprite1.css 7304 2017-09-21 14:16:44 7c23768ca9a97f74fc7b0486747deeaf
41. File appears in 68 kits
42. officelogs/Sign in to your Microsoft account_files/prefetch_data/sprite1.png 14983 2017-09-21 14:16:38 d502a13c4f154e9fe86802b1f0338466
43. File appears in 68 kits
44.  
45. 2 Email addresses found:
46. gp_support@geoplugin.com (appears in 1279 kits)
47. box.rl.time@gmail.com
48.  
49.  
50.  
51. https://texasmalwareblog.blogspot.com @phish_total