AOL phish running on bursa[.]bel[.]tr

1. Found: 2018-01-07 11:23:24.522000
2. URL: http://cevreduzeniplani.bursa.bel.tr/ab/dwn.zip
3. File: cevreduzeniplani.bursa.bel.tr-ab-dwn.zip
4. Domain: bursa.bel.tr
5. Target: AOL
6. Name Size Date MD5 dwn/dwn/aa.php 1295 2017-12-21 09:01:52 4abaf0693e4f5bec879e228c8def1722
7. dwn/dwn/aodc.php 16989 2017-05-10 13:32:42 6bc3d73a59de8559581de23d19dac346
8. File appears in 3 kits
9. dwn/dwn/error.php 1909 2016-08-22 06:13:42 345fa2b4c557753e0f201e804326f328
10. File appears in 27 kits
11. dwn/dwn/geoplugin.class.php 4647 2014-04-25 08:14:28 c8ea1e960b48a620c00bc65d525a721c
12. File appears in 1075 kits and under 3 different file names
13. dwn/dwn/index.php 39830 2017-05-23 11:10:22 dc346821bc3b6155aad279e8e04f11aa
14. File appears in 3 kits
15. dwn/dwn/Of365.php 14988 2017-05-23 11:03:48 cfe4c40ae6ba038fde4f34e8fc5da478
16. File appears in 3 kits
17. dwn/dwn/ofp.php 1297 2017-12-21 09:03:28 4ebe107fcc89757b0e9e4d7aa67fb1d4
18. dwn/dwn/otdc.php 14952 2017-05-23 11:06:30 1b588e4a80da86bbc6ffbe0b08e2aa61
19. File appears in 3 kits
20. dwn/dwn/otp.php 1305 2017-12-21 09:04:04 ddac8e6143ad22b20f144f654c527629
21. dwn/dwn/ss_files/aodc.png 15857 2017-05-23 01:49:04 ef8a5981db9eb379977dd906bfbb7c88
22. File appears in 3 kits
23. dwn/dwn/ss_files/base.css 3807 2017-05-22 23:33:20 6d1f4c1278de1c5581b9c8ecdf9297d5
24. File appears in 3 kits
25. dwn/dwn/ss_files/bootstrap.css 99961 2017-05-22 23:33:20 8a7442ca6bedd62cec4881040b9a9e83
26. File appears in 3 kits
27. dwn/dwn/ss_files/images.png 2899 2017-05-23 02:23:24 df3829fa7b84d9e92afc174363a61bee
28. File appears in 3 kits
29. dwn/dwn/ss_files/immmm.ico 285 2016-06-13 15:45:06 3e47d71cae18960fcd9772c836da50fd
30. File appears in 114 kits and under 4 different file names
31. dwn/dwn/ss_files/index.css 3112 2017-05-22 23:33:18 d594ebc0f6b1c27a44b26e15e7cb0949
32. File appears in 3 kits
33. dwn/dwn/ss_files/logo.png 7635 2017-05-09 08:54:20 1059986618539574ca4fa0bcfd699006
34. File appears in 50 kits and under 3 different file names
35. dwn/dwn/ss_files/ofdc.png 6905 2017-05-23 00:47:08 9f68017947e9ec02850b97115add63a6
36. File appears in 3 kits
37. dwn/dwn/ss_files/ofdc1.png 4585 2017-05-23 03:48:54 9f09a27d4f69b3557c7433574a29d726
38. File appears in 71 kits and under 4 different file names
39. dwn/dwn/ss_files/pcill.png 203294 2016-06-11 22:14:56 65283b123eb235e6176ae98c02ac5b1c
40. File appears in 141 kits and under 4 different file names
41. dwn/dwn/ss_files/rrrr.ico 17174 2016-06-12 00:03:50 12e3dac858061d088023b2bd48e2fa96
42. File appears in 234 kits and under 8 different file names
43. dwn/dwn/ss_files/s1.css 7815 2017-05-23 03:51:46 779c4723ad3225c9370378f14fc2f570
44. File appears in 3 kits
45. dwn/dwn/ss_files/s2.css 7815 2017-05-23 04:05:32 8df5769d8da3d0a3ba5f37f6c95207d9
46. File appears in 3 kits
47. dwn/dwn/ss_files/stylesheet.css 37811 2017-05-23 02:21:22 3b9f22bb2fb8e2a10918c1f5be1ed95e
48. File appears in 3 kits
49. dwn/dwn/ss_files/Thumbs.db 393728 2017-05-23 11:21:44 6d00da053fed1bc805765652f4d0f659
50. File appears in 3 kits
51. dwn/dwn/Thumbs.db 49152 2017-05-06 15:22:22 aaa74d950bd965dffd62f7b6c3426770
52. File appears in 3 kits
53. dwn/dwn/verification.php 52847 2017-12-21 09:04:40 b19b8159a91e59e9e61fc00febf2d0b6
54.  
55. 3 Email addresses found:
56. nakatomoney101@gmail.com
57. gp_support@geoplugin.com (appears in 1052 kits)
58. email@domain.com (appears in 89 kits)
59.  
60.  
61.  
62. https://texasmalwareblog.blogspot.com @phish_total