W3LLSTORECO - Phishing Kit Author

#W3LLSTORECO #PhishingKitAuthor #phishing #phishingkit

@ActorExpose found a phishing kit that ships with a full, password-protected admin panel. Its distinguishing traits: the default panel password appears to be W3LLSTORECO; it logs to \logs\access.log and \result\info-login.txt; it includes a file named PANEL PASSWORD.txt that states the panel password; the admin panel page title contains the name W3LL; and some of the POST parameters end with "_akhir".

Also interesting: it appears to carry a paid (pro) license key for GeoIP lookup in a PHP file. \core\functions.php appears to embed the key in the request URL:
    return json_decode(file_get_contents("hxxps://pro.ip-api[.]com/json/$ip?key=WjRgk4zNd0tp4JX"), true);

Folder structure:
\admin\config.php (writes to ../logs/access.log, stores the password in clear text $config['key'] = 'W3LLSTORECO';)
\admin\index.php (contains text <title>W3LL OFFICE 365 PANEL</title> )
\assets\css\
\assets\images\
\config\config.php (contains #threatactoremail)
\core\security\blocker_1.php
\core\security\blocker_2.php
\core\security\blocker_4.php
\core\security\blacklist.dat
\core\security\whitelist.dat
\core\blocker.php
\core\functions.php (calls pro.ip-api.com for geo location with key WjRgk4zNd0tp4JX, operating system detection, etc)
\logs\access.log
\result\info-login.txt
\.htaccess
\another.php
\index.php
\login.php
\pass.php    (saves results to \result\info-login.txt )
\PANEL PASSWORD.txt says
ADMIN PANEL IS ON
YOURLINK.COM/admin
PASSWORD IS W3LLSTORECO

It emails the captured passwords to the drop account base64-encoded rather than in clear text.

Some POST parameters end with "_akhir", e.g.:
    $_POST['password_akhir']);
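The traits listed above are all static indicators, so they lend themselves to a simple file scan of a quarantined webroot or an extracted kit archive. The following is an added example written for this page, not code from the kit or from @ActorExpose; the file names, default password, panel title, "_akhir" suffix, pro.ip-api.com key-in-URL pattern and base64 credential handling are taken from the description above, while the indicator names, the three-indicator threshold and the sample files are assumptions (the sample API key is a placeholder, not the value quoted on the page).

```python
"""Indicator scan for the W3LLSTORECO phishing kit described on the page.

Hypothetical detection helper written for this page; it is not code from
the kit or from @ActorExpose. Indicators come from the page; the indicator
names, the verdict threshold and the sample files are assumptions.
"""
import os
import re
from typing import Dict, List

# Path-based indicators, matched against forward-slash normalised relative paths.
PATH_INDICATORS = {
    "panel_password_file": re.compile(r"(^|/)PANEL PASSWORD\.txt$", re.I),
    "security_blocker_scripts": re.compile(r"(^|/)core/security/blocker_\d+\.php$", re.I),
    "result_log": re.compile(r"(^|/)result/info-login\.txt$", re.I),
}

# Content-based indicators, matched against the file text.
CONTENT_INDICATORS = {
    "default_panel_password": re.compile(r"\$config\['key'\]\s*=\s*'W3LLSTORECO'"),
    "admin_panel_title": re.compile(r"<title>\s*W3LL OFFICE 365 PANEL\s*</title>", re.I),
    "akhir_post_param": re.compile(r"\$_POST\['\w+_akhir'\]"),
    "pro_ip_api_key_in_url": re.compile(r"pro\.ip-api\.com/json/\S*?\?key=\w+"),
    "base64_encoded_credential": re.compile(r"base64_encode\(\s*\$_POST\['\w+'\]\s*\)"),
}


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map indicator name -> list of relative paths that triggered it."""
    hits: Dict[str, List[str]] = {}
    for path, content in files.items():
        norm = path.replace("\\", "/").lstrip("/")  # kit listings use backslashes
        for name, rx in PATH_INDICATORS.items():
            if rx.search(norm):
                hits.setdefault(name, []).append(norm)
        for name, rx in CONTENT_INDICATORS.items():
            if rx.search(content):
                hits.setdefault(name, []).append(norm)
    return hits


def is_likely_w3ll_kit(hits: Dict[str, List[str]], min_indicators: int = 3) -> bool:
    """Crude verdict: several independent indicators together, not any one alone.
    The threshold is an assumption, not a value from the page."""
    return len(hits) >= min_indicators


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Apply the same checks to an extracted kit on disk (e.g. a quarantined webroot)."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return scan_files(files)


# Constructed sample mimicking the layout described on the page (not real kit files).
# The API key value below is a placeholder, not the one quoted on the page.
SAMPLE_KIT: Dict[str, str] = {
    "admin\\config.php": "<?php\n$config['key'] = 'W3LLSTORECO';\n$log = '../logs/access.log';\n",
    "admin\\index.php": "<html><head><title>W3LL OFFICE 365 PANEL</title></head></html>",
    "core\\functions.php": 'return json_decode(file_get_contents("https://pro.ip-api.com/json/$ip?key=PLACEHOLDER_KEY"), true);\n',
    "core\\security\\blocker_1.php": "<?php // constructed placeholder body\n",
    "pass.php": "<?php\n$pw = base64_encode($_POST['password_akhir']);\nfile_put_contents('../result/info-login.txt', $pw);\n",
    "result\\info-login.txt": "",
    "PANEL PASSWORD.txt": "ADMIN PANEL IS ON\nYOURLINK.COM/admin\nPASSWORD IS W3LLSTORECO\n",
    "index.php": "<?php echo 'unrelated page'; ?>",
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_KIT)
    for name, paths in found.items():
        print(f"{name}: {', '.join(paths)}")
    print("verdict:", "likely W3LL kit" if is_likely_w3ll_kit(found) else "no match")
```

Run it against a real extracted kit with scan_directory("/path/to/extracted/kit"); the path regexes normalise backslashes so the kit's own Windows-style listing and a Linux webroot both match. Requiring several indicators keeps a lone "_akhir" parameter or a stray ip-api call from producing a false positive on unrelated PHP.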


Example 1:
md5 00a5e38a1b2b405496fca044df2f1a53
https://www.virustotal.com/gui/file/4672b6bbc1521f9714365d819346b1b0bcf61509c20b7a6761c64d98fbc776ec/detection
hxxp://mlbfanforum[.]tk

Reference:
https://twitter.com/ActorExpose/status/1133714460479295488
