AOL phish running on g2rburn[.]com

1. Found: 2018-01-11 23:17:20.325000
2. URL: https://g2rburn.com/dwn.zip
3. File: g2rburn.com-foo-dwn.zip
4. Domain: g2rburn.com
5. Target: AOL
6. Name Size Date MD5 dwn/dwn/aa.php 1294 2018-01-05 02:39:28 bc79c6b839ea437ad95f94e28ca7b57f
7. dwn/dwn/aodc.php 16989 2017-05-10 13:32:42 6bc3d73a59de8559581de23d19dac346
8. File appears in 4 kits
9. dwn/dwn/error.php 1909 2016-08-22 06:13:42 345fa2b4c557753e0f201e804326f328
10. File appears in 29 kits
11. dwn/dwn/geoplugin.class.php 4647 2014-04-25 08:14:28 c8ea1e960b48a620c00bc65d525a721c
12. File appears in 1086 kits and under 3 different file names
13. dwn/dwn/index.php 39830 2017-05-23 11:10:22 dc346821bc3b6155aad279e8e04f11aa
14. File appears in 4 kits
15. dwn/dwn/Of365.php 14988 2017-05-23 11:03:48 cfe4c40ae6ba038fde4f34e8fc5da478
16. File appears in 4 kits
17. dwn/dwn/ofp.php 1296 2018-01-05 02:38:36 a9149fe3725166c7f8b53f6a908a9646
18. dwn/dwn/otdc.php 14952 2017-05-23 11:06:30 1b588e4a80da86bbc6ffbe0b08e2aa61
19. File appears in 4 kits
20. dwn/dwn/otp.php 1304 2018-01-05 02:38:12 3b292d3afbdaae67112e699fe8ff6f67
21. dwn/dwn/ss_files/aodc.png 15857 2017-05-23 01:49:04 ef8a5981db9eb379977dd906bfbb7c88
22. File appears in 4 kits
23. dwn/dwn/ss_files/base.css 3807 2017-05-22 23:33:20 6d1f4c1278de1c5581b9c8ecdf9297d5
24. File appears in 4 kits
25. dwn/dwn/ss_files/bootstrap.css 99961 2017-05-22 23:33:20 8a7442ca6bedd62cec4881040b9a9e83
26. File appears in 4 kits
27. dwn/dwn/ss_files/images.png 2899 2017-05-23 02:23:24 df3829fa7b84d9e92afc174363a61bee
28. File appears in 4 kits
29. dwn/dwn/ss_files/immmm.ico 285 2016-06-13 15:45:06 3e47d71cae18960fcd9772c836da50fd
30. File appears in 118 kits and under 4 different file names
31. dwn/dwn/ss_files/index.css 3112 2017-05-22 23:33:18 d594ebc0f6b1c27a44b26e15e7cb0949
32. File appears in 4 kits
33. dwn/dwn/ss_files/logo.png 7635 2017-05-09 08:54:20 1059986618539574ca4fa0bcfd699006
34. File appears in 51 kits and under 3 different file names
35. dwn/dwn/ss_files/ofdc.png 6905 2017-05-23 00:47:08 9f68017947e9ec02850b97115add63a6
36. File appears in 4 kits
37. dwn/dwn/ss_files/ofdc1.png 4585 2017-05-23 03:48:54 9f09a27d4f69b3557c7433574a29d726
38. File appears in 74 kits and under 4 different file names
39. dwn/dwn/ss_files/pcill.png 203294 2016-06-11 22:14:56 65283b123eb235e6176ae98c02ac5b1c
40. File appears in 146 kits and under 4 different file names
41. dwn/dwn/ss_files/rrrr.ico 17174 2016-06-12 00:03:50 12e3dac858061d088023b2bd48e2fa96
42. File appears in 240 kits and under 8 different file names
43. dwn/dwn/ss_files/s1.css 7815 2017-05-23 03:51:46 779c4723ad3225c9370378f14fc2f570
44. File appears in 4 kits
45. dwn/dwn/ss_files/s2.css 7815 2017-05-23 04:05:32 8df5769d8da3d0a3ba5f37f6c95207d9
46. File appears in 4 kits
47. dwn/dwn/ss_files/stylesheet.css 37811 2017-05-23 02:21:22 3b9f22bb2fb8e2a10918c1f5be1ed95e
48. File appears in 4 kits
49. dwn/dwn/ss_files/Thumbs.db 393728 2017-05-23 11:21:44 6d00da053fed1bc805765652f4d0f659
50. File appears in 4 kits
51. dwn/dwn/Thumbs.db 49152 2017-05-06 15:22:22 aaa74d950bd965dffd62f7b6c3426770
52. File appears in 4 kits
53. dwn/dwn/verification.php 52846 2018-01-05 02:37:54 74f0f3c42da39db563aa271847df4c9a
54.  
55. 3 Email addresses found:
56. victormarc333@gmail.com (appears in 5 kits)
57. gp_support@geoplugin.com (appears in 1063 kits)
58. email@domain.com (appears in 92 kits)
59.  
60.  
61.  
62. https://texasmalwareblog.blogspot.com @phish_total