In this analysis we’ll take a look at the Internet connected infrastructure of U.S Secret Service’s most wanted cybercriminal with a $10M reward Danil Potekhin using a variety of tools in terms of connecting the dots using current real time and historical passive DNS information to find out where he was and used to host his Web properties and domains online for the purpose of assisting other researchers organizations and vendors in terms of establishing the foundation for a successful Threat Hunting and cyber threat actor attribution efforts and that would also include U.S Law Enforcement.
Using several OSINT methodologies we managed to obtain his personal email including to also find several additional personal emails which are known to belong to him for the purpose of cross checking them for various domain registrations which would assist in our research and infrastructure mapping with success.
Sample personal email address accounts include: [email protected]; [email protected]; [email protected]
We’ve also managed to find one of his primary domains using current and historical WHOIS databases.
hxxp://agressivex.com (MD5: 922530c5371a3d029e4cc330e2d0f4d3 -> 194.58.56.61 -> 194.58.56.91) - 46.30.40.103 - Email: [email protected]; [email protected]
Sample known responding IPs for hxxp://agressivex.com historically:
194.58.56.120
194.58.56.54
194.58.56.80
31.31.204.161
194.67.71.86
194.67.71.61
Related domain registrations:
[email protected] -> hxxp://firstplaymarket.store
First we started by doing the relatively easy part which is to launch a Technical Collection campaign using open source information including public and proprietary sources on our way to find as much actionable intelligence about Danil Potehin as possible. The next logical step was to begin processing and taking notes and then enriching the technical details which we obtained using open source information on our way to analyze and connect the dots where our ultimate goal for this assignment would be to provide as much actionable intelligence and technical details about his Internet connected infrastructure both in real time current Internet presence and activities including historical Internet footprint in terms of some of his Web properties which we have discovered using open source information including Technical Collection for processing enriching analyzing and connecting the dots on Danil's Internet whereabouts.
For starters we ended up with a pretty straightforward and obvious fact which no matter how awkward it may sound with Danil's name listed on U.S Secret Service's $10M reward web site is known to have been running a Android based botnet service on one of his primary domains which basically speaks for itself and is yet another indication on how the correlation of multiple public and proprietary databases can lead to the big picture where often a single detail can provide the big picture and most importantly all the details prior to doing proper Technical Collection including OSINT as a methodology including research enrichment and analysis of the obtained and processed data for Danil.
Sample photo:
hxxp://agressivex.com - 46.30.40.103 - AS 210079 - First Seen: 2019-08-26 Last Seen: 2020-05-19 - NS: ns2.eurobyte.ru
hxxp://deluxe-wash.com - 46.30.40.103 - AS 210079 - First Seen: 2019-08-26 Last Seen: 2020-01-18 - NS: ns1.eurobyte.ru
hxxp://agressivex.com - 194.58.56.58 - AS 57043 First Seen: 2019-09-27 Last Seen: 2019-09-27 - NS: ns4.eurobyte.ru
Sample domains known to belong to Danil Potekhin:
agressivex.com
kill-tourn.com
agressivex.com
deluxe-wash.com
muznet-vrn.net
alialiservices.com
frontagermaner.pw
hemoritanmak.pw
sennymotial.pw
miragenotax.pw
jikajikamorta.pw
frontagermaner.pw
hemoritanmak.pw
sennymotial.pw
miragenotax.pw
jikajikamorta.pw
claimid99033-irs.com
hertutaro.xyz
alijobjob.com
powerstick.pw
loveyourop.pw
bangbanghot.pw
bigbustown.pw
ionutikob.top
csbdanqqv.top
taoouresq.top
ultquoire.top
ufatildip.top
binvmdyrs.top
lewlatfab.top
jabgocmig.top
modobijat.top
babsepora.top
aidcorcsc.top
megaversj.top
mrofourps.top
fulcirdog.top
spyallasa.top
minhreage.top
delbanlom.top
deekrunth.top
pegptatho.top
wayirkurd.top
iostehoms.top
offgodtic.top
eseunisex.top
nowneymee.top
regdaynub.top
bopjobwed.top
colfynbai.top
gibpakmzi.top
saxgocger.top
dueashgnu.top
malbelcom.top
lahdurfba.top
dorgltdoz.top
saydefcry.top
qtoiboavo.top
orewigair.top
fracsmlye.top
ritasoiom.top
homeporn21.com
romnumepa.top
posdfmsgt.top
cwodeesot.top
dabpprlei.top
bidhabviz.top
lindwtrct.top
pahtenwoo.top
tryidehub.top
mendoweta.top
tygamiohm.top
recsawvav.top
mscpesroc.top
cyllamgmb.top
sunmlaitu.top
hrhpaccio.top
morjownow.top
cryopeexp.top
nefuhfsir.top
rigrsalex.top
nutlottop.top
haeetdemp.top
groseqeel.top
icstaghsm.top
urdpahgev.top
sexydaysnow.com
pyatasugh.top
rsjptagij.top
qqvtodpac.top
garnapsow.top
amuheyqsl.top
toomemaba.top
romrwdcop.top
fezallwog.top
bmapawrec.top
nabotared.top
namkudasd.top
findyoursexbuddytoday.com
ilovesosialsex.com
checknudephotosbase.com
iwanttobefuckedhard.com
oldestwomenwanttobefucked.com
onedaysexdating.com
jakagdbar.top
fuckmypussytoday.com
datingtube4sex.com
fuckmerightnowbaby.com
findyourpussynow.com
067894479.com
756744426.com
039288221.com
We’ve also managed to identify the domain name hxxp://alialiservices.com used here to come up with yet another related portfolio of malicious and fraudulent domains registered using the same personally identifiable email address account.
Related domain registrations:
067894479.com
039288221.com
900938923.com
756744426.com
iwanttobefuckedhard.com
checknudephotosbase.com
onedaysexdating.com
datingtube4sex.com
fuckmerightnowbaby.com
ilovesosialsex.com
fuckmypussytoday.com
sabosatur.top
asvvasrat.top
tayeraasf.top
tayreeafg.top
blessingbasketjob.com
564533466.com
fucksexporn21.com
dailysex18.com
porn21yearold.com
sexteenporn21.com
sexualporn21.com
seexteen18porn.com
oldsexmomporn.com
sexteen18now.com
sexualdance18.com
sexualteennice.com
sexxteens18.com
sexteen18today.com
sexydaysnow.com
findyoursexbuddytoday.com
findyourpussynow.com
oldestwomenwanttobefucked.com
iostehoms.top
ionutikob.top
eseunisex.top
ufatildip.top
lewlatfab.top
pegptatho.top
megaversj.top
colfynbai.top
taoouresq.top
regdaynub.top
saydefcry.top
jabgocmig.top
saxgocger.top
babsepora.top
fulcirdog.top
dueashgnu.top
csbdanqqv.top
minhreage.top
hemoritanmak.pw
bigbustown.pw
caughtfiles.pw
sennymotial.pw
fortuneultracam.pw
frontagermaner.pw
miragenotax.pw
jikajikamorta.pw
claimid99033-irs.com
hertutaro.xyz
alijobjob.com
webshoot.pw
sobbernews.pw
alybayshop.pw
sortbyname.pw
alishopnow.pw
playmediatv.pw
shoppingwithus.pw
pakitonat.pw
youcaught.pw
playtvmedia.pw
doodilkoka.pw
caughtyou.pw
holyxxxmamapumpum.pw
clickjumbitora.pw
buffertak.site
pollonex.com
pollonilex.com
poloneliex.com
polonilex.com
polonnliex.com
nuumtracker.net
adspeedtracking.net
adshotservice.net
adstrtacker.net
tracksbooster.net
poloniliex.com
adstotrack.net
trackservads.net
blttrex.com
myfilessee.pw
yupphdbks.top
pvcwccboo.top
lagdewluk.top
frtwbcrip.top
alamagpew.top
rapflathe.top
tivbumroc.top
lomenshoe.top
homeporn21.com
dicktoanalporn118.com
pornoanalll.com
pornoanimegirl18.com
pornosexxanal21.com
girlpussy18teen.com
porntubesexteen.com
mezluocie.top
jctcolplr.top
malbelcom.top
poloniexservices.site
poloniexcenter.site
bittrexworld.site
bittrexsolutions.site
poloniexworld.club
poloniexsolutions.club
bitfinexservices.club
poloniexcenter.club
bitfinexexchange.club
bitfinexcenter.club
bittrexworld.club
bittrexcenter.club
bitfinexworld.club
bitfinexsolutions.club
bittrex.site
bittrex.club
billingstadtracker.club
nesoddtangentracker.club
geminl.com
mergionaxomar.pw
bllttriex.com
picachu.pw
neskliyoka.club
bittrexservices.site
bittrexcenter.site
bithumbworld.site
bithumbsolutions.site
bithumbservices.site
poloniexworld.site
bithumbexchange.site
poloniexsolutions.site
bithumbcenter.site
bittrexbtc.com
bitfienex.com
analitics-service.com
winmoneytracker.club
trackernorway.club
rotnestracker.club
trackermag.club
wincashtracker.club
drobaktracker.club
arostracker.club
kjenntracker.club
vestfoldtracker.club
anebytracker.club
trackerwork.club
trackerblog.club
fezallwog.top
qqvtodpac.top
bmapawrec.top
amuheyqsl.top
jakagdbar.top
namkudasd.top
nabotared.top
morjownow.top
dabpprlei.top
mscpesroc.top
lindwtrct.top
pahtenwoo.top
tygamiohm.top
cyllamgmb.top
cwodeesot.top
groseqeel.top
hrhpaccio.top
tryidehub.top
pyatasugh.top
garnapsow.top
rsjptagij.top
toomemaba.top
romrwdcop.top
ultquoire.top
ritasoiom.top
wayirkurd.top
haeetdemp.top
sunmlaitu.top
urdpahgev.top
rigrsalex.top
nefuhfsir.top
mendoweta.top
posdfmsgt.top
nutlottop.top
icstaghsm.top
romnumepa.top
bidhabviz.top
cryopeexp.top
recsawvav.top
mrofourps.top
fracsmlye.top
orewigair.top
lahdurfba.top
delbanlom.top
qtoiboavo.top
deekrunth.top
modobijat.top
spyallasa.top
bopjobwed.top
dorgltdoz.top
nowneymee.top
gibpakmzi.top
binvmdyrs.top
aidcorcsc.top
offgodtic.top
Next by using VirusTotal we also managed to identify malicious samples phoning back to some of these related domains such as for instance:
20c87e0c160e657c393cdb10fe6b2f5d
5234ebc96a89a19cdb383c7342a7b11d
90639e11babbc7b19c1a18b050dd04bf
5cb1a99de8b2fc609c06813a76c52b52
Including:
3bd7b3263ba89be9e64fc1ef786bb302240dbdd0378916aefa362390fc0a15a5
85908ef943867d8f37dc279ba09ae3634ae71b3164b0f563117c733dc7041edc
892c587ee3a18d22efe2480252640aa55b870b2a381c0e6fa3edc1296f167299
8d7f4274c965bcf1cf7b90966797270c13d34a003f71b90a8974458e393871ce
1e8f15e386b6101a9daf19caaca091867c251040df5db252e30fe98b67654f75
aec6368fde53736fc0f6c02e1851bfabecb226b90d4553d78b25a85f435719da
37c4013699f3a052eb1c4c5ef50167db3a437daebc98788ba319c3032bdd5eb8
cb77288204095da074b39c6ae2ef65ddc06ed33209f4cde6da4dd78d20c62d40
e7f7eea370298c60a21805290f755b28c9a5b7d137d785c169e2da90087a681a
f63c724d8269b4c7511fce47790574b15c6f700743fe0a39b84bbf310e888354
0bc81dd4e2507449c61814d23c76c6272d5d0572522a2e9ac20ab40d233ab98f
0d7bd806b1d526b7e75fb86dbe040b1d13421f7a3c2932f15128c7cdad47e2af
76f42c0170de0f414efe47ce1fddaf571745f7420b5dd833dc9709942845ffc3
Where we could further go deeper into the inner workings of this campaign and malicious and fraudulent ecosystem possibly related to and operated by Danil Potkhin and his associates by figuring out a way to find out where these malicious samples phone back to once executed and try to establish the foundations for a successful connect the dots and build a bigger picture type of campaign and threat hunting efforts on our behalf.