Credentials Leaks on VirusTotal

Published: 2022-03-10
Last Updated: 2022-03-10 08:24:04 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

A few weeks ago, researchers published some information about stolen credentials posted on VirusTotal[1]. I keep an eye on VT for my customers and search for data related to them: for example, I look for their domain name(s) inside files uploaded to VT. I can confirm what the researchers said: a lot of password leaks are shared through VirusTotal Intelligence (VTI). But yesterday, there was a peak of such files uploaded to the platform.

Here is the list of files I found yesterday, and I'm pretty sure it's only the tip of the iceberg!

-rw-r--r--@   1 xavier  rem   18925199 Mar  9 11:32 539K.TR.EMail.Pass.crackerteam.com.by-MeMaTi-22.txt
-rw-r--r--@   1 xavier  rem   19723010 Mar  9 11:56 553K_TR_sauwick.txt
-rw-r--r--@   1 xavier  rem    3487094 Mar  9 11:56 118k_combo_United_States.txt
-rw-r--r--@   1 xavier  rem   17173723 Mar  9 11:58 518K.txt
-rw-r--r--@   1 xavier  rem    4989847 Mar  9 11:59 145K-MAIL-ACCESS-VALID-HQ-COMBOLIST-MIX.txt
-rw-r--r--@   1 xavier  rem   19757718 Mar  9 12:00 632k.txt
-rw-r--r--@   1 xavier  rem    6557939 Mar  9 12:01 200K-NL.txt

It was time to gather some statistics. The total number of credentials collected yesterday was 2,713,282; 2,163,756 of them were unique. Here is the top 30 of domain names extracted from the email addresses:

732702 hotmail.com
281541 aol.com
210844 gmail.com
206774 yahoo.com
 67424 live.nl
 63512 wanadoo.nl
 59580 web.de
 58987 hotmail.de
 49680 comcast.net
 48233 mail.com
 45333 gmx.de
 37792 mail.ru
 26356 wanadoo.fr
 26196 yandex.ru
 25930 rambler.ru
 19759 msn.com
 19449 mynet.com
 17839 orange.fr
 17107 yahoo.ca
 14748 aim.com
 14596 hotmail.fr
 14051 t-online.de
 13265 live.de
 12756 ymail.com
 12748 live.com
 10990 windowslive.com
 10539 bellsouth.net
 10167 arcor.de
  9745 hotmail.nl

Conversely, let's search for more interesting domain names, like the ones containing the string ".gov":

  86 tmo.gov.tr
  85 sgk.gov.tr
  60 icisleri.gov.tr
  23 iskur.gov.tr
  17 gsgm.gov.tr
  16 saglik.gov.tr
  16 estb.moe.gov.sa
  12 rb.moe.gov.sa
  12 gumruk.gov.tr
  11 milliemlak.gov.tr
   9 mkhb.moe.gov.sa
   8 mkhg.moe.gov.sa
   7 eskisehir-bld.gov.tr
   6 schools.bedfordshire.gov.uk
   6 sanayi.gov.tr
   6 rg.moe.gov.sa
   6 mb.moe.gov.sa
   6 istanbul.gov.tr
   5 egm.gov.tr
   5 antalyadefterdarligi.gov.tr
   4 tbmm.gov.tr
   4 r1.deped.gov.ph
   4 ncr2.deped.gov.ph
   4 isparta.gov.tr
   4 gumushane.gov.tr
   4 denizli.gov.tr
   4 casur.gov.co
   4 balikesirozelidare.gov.tr
   4 antalyasm.gov.tr
   3 zonguldakdef.gov.tr
   3 vks.gov.vn
   3 ubak.gov.tr
   3 tuik.gov.tr
   3 r4a-1.deped.gov.ph
   3 jzb.moe.gov.sa
   3 ibb.gov.tr
   3 estg.moe.gov.sa
   3 eskisehirozelidare.gov.tr
   3 dtm.gov.tr
   3 adalet.gov.tr
   3 abgs.gov.tr
   2 trabzonnumune.gov.tr
   2 tpao.gov.tr
   2 thainguyen.gov.vn
   2 tedas.gov.tr
   2 tcmb.gov.tr
   2 tarimnet.gov.tr
   2 state.gov
   2 sgk.gov
   2 sayistay.gov.tr
   2 saomanuel.sp.gov.br
   2 r7-2.deped.gov.ph
   2 petrol.tpao.gov.tr
   2 osmaniyeailedanisma.gov.tr
   2 nnptnt.daklak.gov.vn
   2 nevsehirdefterdarligi.gov.tr
   2 nevsehir.gov.tr
   2 ncr1.deped.gov.ph
   2 mg.moe.gov.sa
   2 meteor.gov.tr
   2 meteo.gov.mk
   2 meb.gov.tr
   2 malatya.gov.tr
   2 koski.gov.tr
   2 kosgeb.gov.tr
   2 kirikkaleilozelidare.gov
   2 kep.gov.gr
   2 kayseridis.gov.tr
   2 kayseri-meb.gov.tr
   2 karamansm.gov.tr
   2 jpd.gov.lv
   2 istanbul.mfa.gov.il
   2 iski.gov.tr
   2 health.wa.gov.
   2 hazine.gov.tr
   2 halton.gov.uk
   2 gsim.gov.tr
   2 giresunsaglik.gov.tr
   2 giresun.gov.tr
   2 fsco.gov.on.ca
   2 fbi.gov
   2 euas.gov.tr
   2 etimaden.gov.tr
   2 erzurumozelidare.gov.tr
   2 ego.gov.tr
   2 edu.madeira.gov.pt
   2 doj.ca.gov
   2 dmo.gov.tr
   2 diyanet.gov.tr
   2 denizlidh.gov.tr
   2 cdcr.ca.gov
   2 byegm.gov.tr
   2 bybs.gov.tr
   2 bilecikdh.gov.tr
   2 banbridge.gov.uk
   2 asrb.moe.gov.sa
   2 artvinozelidare.gov.tr
   2 artvinkhb.gov.tr
   2 ardahandh.gov.tr
   2 antalya.gov.tr.tr.tr
   2 ankaracocuk.gov.tr
   2 ankara-bel.gov.tr
   2 angkasa.gov.my
   2 afyonkarahisar.gov.tr
   2 act.gov.au
   1 wcb.gov.ns.ca
   1 vargemgrandepta.sp.gov.br
   1 usarec.gov
   1 tunja.gov.co
   1 tubitak.gov.tr
   1 te.vte.gov.lb
   1 southtyneside.gov.uk
   1 southsomerset.gov.uk
   1 seduc.go.gov.br
   1 sec.gov
   1 saocarlos.sp.gov.br
   1 sanliurfaozelidare.gov.tr
   1 sanjuan.gov.ar
   1 redencao.pa.gov.br
   1 r9.deped.gov.ph
   1 r11.deped.gov.ph
   1 qsmg.moe.gov.sa
   1 ptc.gov.ye
   1 psa.gov.ph
   1 policiacientifica.sp.gov.br
   1 plymouth.gov.uk
   1 ouropreto.mg.gov.br
   1 mto.gov.on.ca
   1 mkek.gov.tr
   1 mirempet.gov.ao
   1 mgs.gov.on.ca
   1 mgm.gov.tr
   1 memphistn.gov
   1 mbs.gov.on.ca
   1 masfamu.gov.ao
   1 mail.gov.nl.ca
   1 leicester.gov.uk
   1 la.gov
   1 kirklees.gov.uk
   1 kent.gov.uk
   1 jzg.moe.gov.sa
   1 jus.gov.on.ca
   1 jatai.go.gov.br
   1 jaguaribe.ce.gov.br
   1 inder.gov.co
   1 highways.gov.sk.ca
   1 gems9.gov.bc.ca
   1 gems2.gov.bc.ca
   1 finance.gov.sr
   1 finance.gov.sk.ca
   1 faan.gov.ng
   1 etec.sp.gov.br
   1 ene.gov.on.ca
   1 educacao.sp.gov.br
   1 educacao.mt.gov.br
   1 educ.somerset.gov.uk
   1 edu.lagosstate.gov.ng
   1 ebserh.gov.br
   1 dolma.gov.np
   1 dl.gov.cn
   1 dh.gsi.gov.uk
   1 dgs.ca.gov
   1 dfg.ca.gov
   1 defra.gsi.gov.uk
   1 curionopolis.pa.gov.br
   1 css.gov.on.ca
   1 crt01.gov.br
   1 cefospe.pe.gov.br
   1 cdph.ca.gov
   1 cbm.ba.gov.br
   1 calepa.ca.gov
   1 bury.gov.uk
   1 botas.gov.tr
   1 aphis.usda.gov
   1 angiang.gov.vn
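The counting and filtering described above (total and unique credentials, domains ranked by frequency, the ".gov" search, and the monitoring of customer domains) can be reproduced offline with a short script. The following is an added example written for this diary, not the author's tooling: the combolist lines are constructed, the separator set (':', ';', '|') and the watchlist domain are assumptions. It goes one step beyond a plain substring grep: it matches "gov" as a complete DNS label, so a domain like mail.governor.com is not mistaken for a government one, and it normalises case and a stray trailing dot (the list above contains "health.wa.gov.") before counting.

```python
import re
from collections import Counter

# Constructed sample input (not real leaked data); the same code runs over
# the multi-million-line files from the diary.
SAMPLE = """\
alice@hotmail.com:galatasaray1905
bob@gmail.com;Password123
alice@hotmail.com:galatasaray1905
carol@example-customer.com:Summer2021!
dave@tmo.gov.tr:istanbul34
Eve@TMO.GOV.TR:123456
frank@web.de:pass:word
admin:admin
not a credential line
mallory@health.wa.gov.:qwerty
grace@mail.governor.com:letmein
"""

# Separators seen in combolists (assumption: ':', ';' or '|'). Split on the
# FIRST one only: the password itself may contain ':' or ';'.
SEP = re.compile(r"[:;|]")


def parse_line(line):
    """Return (email, password) for an 'email<sep>password' line, else None."""
    line = line.strip()
    m = SEP.search(line)
    if not m:
        return None
    user, password = line[:m.start()].strip(), line[m.end():]
    if "@" not in user or not password:
        return None
    return user.lower(), password  # addresses are case-insensitive, passwords are not


def domain_of(email):
    """Domain part of an address, with a stray trailing dot removed."""
    return email.rsplit("@", 1)[1].rstrip(".")


def has_label(domain, label):
    """True if LABEL is a whole DNS label of DOMAIN: 'gov' is in 'tmo.gov.tr'
    and 'fbi.gov' but not in 'mail.governor.com', which a substring grep
    for '.gov' would also return."""
    return label in domain.split(".")


def triage(lines, watchlist=(), label="gov", top=30):
    """Summarise a combolist: totals, unique pairs, top e-mail domains,
    domains carrying LABEL, and addresses under monitored domains
    (exact match or subdomain)."""
    creds = [c for c in map(parse_line, lines) if c]
    unique = list(dict.fromkeys(creds))          # dedupe, keep first-seen order
    domains = Counter(domain_of(email) for email, _ in unique)
    watch = tuple(w.lower().lstrip(".") for w in watchlist)
    hits = [email for email, _ in unique
            if any(domain_of(email) == w or domain_of(email).endswith("." + w)
                   for w in watch)]
    return {
        "total": len(creds),
        "unique": len(unique),
        "top_domains": domains.most_common(top),
        "labelled": {d: n for d, n in domains.items() if has_label(d, label)},
        # what a naive grep for ".gov" would report on top of the real hits
        "substring_only": sorted(d for d in domains
                                 if ("." + label) in d and not has_label(d, label)),
        "watchlist_hits": hits,
    }


if __name__ == "__main__":
    # The watchlist domain is a placeholder standing in for a customer's domain.
    report = triage(SAMPLE.splitlines(), watchlist=["example-customer.com"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run it against real files, pass `open(path, errors="replace")` to triage() instead of SAMPLE.splitlines(); the errors="replace" matters because combolists are rarely clean UTF-8. Note that the diary's total (2,713,282) and pipal's "Total entries" (2,711,303) differ slightly, which is what you get when lines without a usable separator or address are dropped at parse time as this script does.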

Then, I used the good old tool "pipal", created by DigiNinja, to generate some statistics about password strength. Pipal[2] is an old tool, but it still does a great job. Here are the basic results:

Total entries = 2711303
Total unique entries = 1547231

Top 10 passwords

galatasaray = 33943 (1.25%)
istanbul = 27191 (1.0%)
fenerbahce = 26108 (0.96%)
123456 = 19312 (0.71%)
123456789 = 13660 (0.5%)
besiktas = 13614 (0.5%)
ankara = 13551 (0.5%)
yasemin = 7328 (0.27%)
antalya = 6030 (0.22%)
trabzon = 5705 (0.21%)

Top 10 base words

istanbul = 52725 (1.94%)
galatasaray = 47861 (1.77%)
fenerbahce = 37905 (1.4%)
ankara = 32097 (1.18%)
besiktas = 23710 (0.87%)
trabzon = 14174 (0.52%)
antalya = 13206 (0.49%)
yasemin = 12977 (0.48%)
malatya = 12135 (0.45%)
sakarya = 10643 (0.39%)

Password length (length ordered)

1 = 452 (0.02%)
2 = 318 (0.01%)
3 = 2890 (0.11%)
4 = 9331 (0.34%)
5 = 23670 (0.87%)
6 = 312288 (11.52%)
7 = 401317 (14.8%)
8 = 849978 (31.35%)
9 = 380064 (14.02%)
10 = 313613 (11.57%)
11 = 173130 (6.39%)
12 = 100220 (3.7%)
13 = 44323 (1.63%)
14 = 31227 (1.15%)
15 = 31763 (1.17%)
16 = 12971 (0.48%)
17 = 5404 (0.2%)
18 = 5632 (0.21%)
19 = 2393 (0.09%)
20 = 2034 (0.08%)
21 = 1007 (0.04%)
22 = 1255 (0.05%)
23 = 852 (0.03%)
24 = 959 (0.04%)
25 = 489 (0.02%)
26 = 310 (0.01%)
27 = 225 (0.01%)
28 = 203 (0.01%)
29 = 177 (0.01%)
30 = 183 (0.01%)
31 = 70 (0.0%)
32 = 1909 (0.07%)
33 = 96 (0.0%)
34 = 42 (0.0%)
35 = 24 (0.0%)
36 = 32 (0.0%)
37 = 18 (0.0%)
38 = 66 (0.0%)
39 = 22 (0.0%)
40 = 264 (0.01%)
41 = 5 (0.0%)
42 = 3 (0.0%)
43 = 4 (0.0%)
44 = 6 (0.0%)
45 = 4 (0.0%)
46 = 1 (0.0%)
47 = 1 (0.0%)
48 = 2 (0.0%)
50 = 15 (0.0%)
51 = 1 (0.0%)
52 = 3 (0.0%)
53 = 5 (0.0%)
54 = 2 (0.0%)
60 = 2 (0.0%)
65 = 4 (0.0%)
68 = 1 (0.0%)
69 = 1 (0.0%)
70 = 1 (0.0%)
80 = 1 (0.0%)
81 = 3 (0.0%)
83 = 1 (0.0%)
85 = 3 (0.0%)
86 = 6 (0.0%)
87 = 1 (0.0%)
89 = 2 (0.0%)
90 = 4 (0.0%)

Password length (count ordered)

8 = 849978 (31.35%)
7 = 401317 (14.8%)
9 = 380064 (14.02%)
10 = 313613 (11.57%)
6 = 312288 (11.52%)
11 = 173130 (6.39%)
12 = 100220 (3.7%)
13 = 44323 (1.63%)
15 = 31763 (1.17%)
14 = 31227 (1.15%)
5 = 23670 (0.87%)
16 = 12971 (0.48%)
4 = 9331 (0.34%)
18 = 5632 (0.21%)
17 = 5404 (0.2%)
3 = 2890 (0.11%)
19 = 2393 (0.09%)
20 = 2034 (0.08%)
32 = 1909 (0.07%)
22 = 1255 (0.05%)
21 = 1007 (0.04%)
24 = 959 (0.04%)
23 = 852 (0.03%)
25 = 489 (0.02%)
1 = 452 (0.02%)
2 = 318 (0.01%)
26 = 310 (0.01%)
40 = 264 (0.01%)
27 = 225 (0.01%)
28 = 203 (0.01%)
30 = 183 (0.01%)
29 = 177 (0.01%)
33 = 96 (0.0%)
31 = 70 (0.0%)
38 = 66 (0.0%)
34 = 42 (0.0%)
36 = 32 (0.0%)
35 = 24 (0.0%)
39 = 22 (0.0%)
37 = 18 (0.0%)
50 = 15 (0.0%)
44 = 6 (0.0%)
86 = 6 (0.0%)
41 = 5 (0.0%)
53 = 5 (0.0%)
43 = 4 (0.0%)
45 = 4 (0.0%)
65 = 4 (0.0%)
90 = 4 (0.0%)
42 = 3 (0.0%)
52 = 3 (0.0%)
81 = 3 (0.0%)
85 = 3 (0.0%)
48 = 2 (0.0%)
54 = 2 (0.0%)
60 = 2 (0.0%)
89 = 2 (0.0%)
46 = 1 (0.0%)
47 = 1 (0.0%)
51 = 1 (0.0%)
68 = 1 (0.0%)
69 = 1 (0.0%)
70 = 1 (0.0%)
80 = 1 (0.0%)
83 = 1 (0.0%)
87 = 1 (0.0%)

       |
       |
       |
       |
       |
       |
       |
       |
      ||
      ||
     ||||
     ||||
     |||||
     |||||
     ||||||
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
000000000011111111112222222222333333333344444444445555555555666666666677
012345678901234567890123456789012345678901234567890123456789012345678901

One to six characters = 348949 (12.87%)
One to eight characters = 1600244 (59.02%)
More than eight characters = 1111059 (40.98%)

Only lowercase alpha = 964588 (35.58%)
Only uppercase alpha = 15068 (0.56%)
Only alpha = 979656 (36.13%)
Only numeric = 367723 (13.56%)

First capital last symbol = 33154 (1.22%)
First capital last number = 149291 (5.51%)
Single digit on the end = 199328 (7.35%)
Two digits on the end = 363743 (13.42%)
Three digits on the end = 158454 (5.84%)

Last number

0 = 137616 (5.08%)
1 = 247000 (9.11%)
2 = 133639 (4.93%)
3 = 176774 (6.52%)
4 = 121218 (4.47%)
5 = 114059 (4.21%)
6 = 129914 (4.79%)
7 = 111782 (4.12%)
8 = 105108 (3.88%)
9 = 108479 (4.0%)

|
|
|
|
| |
| |
| |
||||  |
|||||||| |
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
0123456789

Last digit

1 = 247000 (9.11%)
3 = 176774 (6.52%)
0 = 137616 (5.08%)
2 = 133639 (4.93%)
6 = 129914 (4.79%)
4 = 121218 (4.47%)
5 = 114059 (4.21%)
7 = 111782 (4.12%)
9 = 108479 (4.0%)
8 = 105108 (3.88%)

Last 2 digits (Top 10)

23 = 79010 (2.91%)
12 = 40311 (1.49%)
56 = 34572 (1.28%)
11 = 31147 (1.15%)
00 = 30333 (1.12%)
89 = 29147 (1.08%)
01 = 27355 (1.01%)
34 = 26567 (0.98%)
07 = 24614 (0.91%)
10 = 23597 (0.87%)

Last 3 digits (Top 10)

123 = 65452 (2.41%)
456 = 27030 (1.0%)
789 = 18101 (0.67%)
234 = 11293 (0.42%)
000 = 10709 (0.39%)
345 = 8833 (0.33%)
321 = 8071 (0.3%)
007 = 6489 (0.24%)
111 = 6127 (0.23%)
907 = 5942 (0.22%)

Last 4 digits (Top 10)

3456 = 24279 (0.9%)
6789 = 15731 (0.58%)
1234 = 10306 (0.38%)
2345 = 8016 (0.3%)
1907 = 5648 (0.21%)
1905 = 5373 (0.2%)
1903 = 4359 (0.16%)
4321 = 3835 (0.14%)
1987 = 3833 (0.14%)
2000 = 3696 (0.14%)

Last 5 digits (Top 10)

23456 = 24016 (0.89%)
56789 = 15559 (0.57%)
12345 = 7812 (0.29%)
45678 = 3400 (0.13%)
54321 = 3215 (0.12%)
23123 = 2993 (0.11%)
34567 = 2841 (0.1%)
11111 = 2441 (0.09%)
00000 = 2178 (0.08%)
67890 = 2073 (0.08%)

Character sets

loweralphanum: 1017832 (37.54%)
loweralpha: 964588 (35.58%)
numeric: 367723 (13.56%)
mixedalphanum: 177478 (6.55%)
mixedalpha: 38905 (1.43%)
mixedalphaspecialnum: 32426 (1.2%)
loweralphaspecialnum: 29438 (1.09%)
upperalphanum: 28480 (1.05%)
loweralphaspecial: 18937 (0.7%)
upperalpha: 15068 (0.56%)
mixedalphaspecial: 8315 (0.31%)
specialnum: 5449 (0.2%)
upperalphaspecialnum: 1824 (0.07%)
upperalphaspecial: 596 (0.02%)
special: 99 (0.0%)

Character set ordering

allstring: 1018561 (37.57%)
stringdigit: 907054 (33.45%)
alldigit: 367723 (13.56%)
othermask: 160397 (5.92%)
digitstring: 101157 (3.73%)
stringdigitstring: 80481 (2.97%)
digitstringdigit: 36441 (1.34%)
stringspecialdigit: 14594 (0.54%)
stringspecial: 12641 (0.47%)
stringspecialstring: 10952 (0.4%)
specialstring: 671 (0.02%)
specialstringspecial: 532 (0.02%)
allspecial: 99 (0.0%)
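pipal's main counters are simple to reproduce, which is handy when you want the same breakdown inside your own pipeline rather than as a report. The block below is an added example written for this diary, not pipal's code: it reimplements the length distribution, the character-set names, the "first capital, last number/symbol" masks, the trailing-digit counters and a simplified version of pipal's base-word extraction (leading and trailing non-letters stripped, then lowercased; pipal's own heuristic is richer). The password list is constructed to mirror the diary's findings and is not real leaked data.

```python
import re
import string
from collections import Counter

# Constructed sample mirroring the diary's findings (Turkish club and city
# names, club foundation years appended); not real leaked passwords.
SAMPLE_PASSWORDS = [
    "galatasaray", "Galatasaray1905", "istanbul34", "123456", "fenerbahce1907",
    "Password123!", "ANKARA", "p@ss", "besiktas1903", "galatasaray1905", "123456",
]


def charset(pw):
    """pipal-style character-set name built from the classes present:
    loweralpha, mixedalphanum, loweralphaspecialnum, numeric, special, ..."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    if lower and upper:
        name = "mixedalpha"
    elif lower:
        name = "loweralpha"
    elif upper:
        name = "upperalpha"
    else:
        name = ""
    if special:
        name += "special"
    if digit:
        name += "num" if name else "numeric"
    return name or "empty"


def base_word(pw):
    """Simplified base word (assumption: pipal's own heuristic is richer):
    strip leading/trailing non-letters, lowercase. 'Galatasaray1905' -> 'galatasaray'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def trailing_digit_run(pw):
    """Number of digits at the very end of the password."""
    return len(pw) - len(pw.rstrip(string.digits))


def trailing_digits(pw, n):
    """Last N characters if they are all digits ('123456', 4 -> '3456'), else None."""
    tail = pw[-n:]
    return tail if len(tail) == n and tail.isdigit() else None


def password_stats(passwords, top=10):
    """The core of a pipal report, as a dict of counters."""
    n = len(passwords)
    lengths = Counter(len(p) for p in passwords)
    runs = [trailing_digit_run(p) for p in passwords]
    short = sum(v for k, v in lengths.items() if k <= 8)
    return {
        "total": n,
        "unique": len(set(passwords)),
        "top_passwords": Counter(passwords).most_common(top),
        "top_base_words": Counter(b for b in map(base_word, passwords) if b).most_common(top),
        "lengths": dict(sorted(lengths.items())),
        "one_to_eight": short,
        "one_to_eight_pct": round(100 * short / n, 2) if n else 0.0,
        "charsets": Counter(map(charset, passwords)).most_common(),
        "first_capital_last_number": sum(p[0].isupper() and p[-1].isdigit() for p in passwords if p),
        "first_capital_last_symbol": sum(p[0].isupper() and not p[-1].isalnum() for p in passwords if p),
        "single_digit_end": sum(r == 1 for r in runs),
        "two_digits_end": sum(r == 2 for r in runs),
        "three_digits_end": sum(r == 3 for r in runs),
        "last_digit": Counter(p[-1] for p in passwords if p and p[-1].isdigit()).most_common(),
        "last_4_digits": Counter(t for t in (trailing_digits(p, 4) for p in passwords) if t).most_common(top),
    }


if __name__ == "__main__":
    for key, value in password_stats(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

Feed it the password column of the parsed combolist (the second element of each pair) to get the same kind of numbers as the pipal output above; the "last 4 digits" counter is what surfaces the 1905/1907/1903 club years that dominate this particular dump.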

These statistics must be read carefully because there is no way to verify their accuracy. Such files are often built from very old leaks, and most of the passwords (or even the accounts themselves) are probably no longer valid.

[1] https://www.darkreading.com/threat-intelligence/researchers-explore-hacking-virustotal-to-find-stolen-credentials
[2] https://github.com/digininja/pipal

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant