SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center


Credentials Leaks on VirusTotal

Published: 2022-03-10
Last Updated: 2022-03-10 08:24:04 UTC
by Xavier Mertens (Version: 1)

A few weeks ago, researchers published some information about stolen credentials that were posted on VirusTotal[1]. I keep an eye on VT for my customers and search for data related to them; for example, I look for their domain name(s) inside files posted on VT. I can confirm what the researchers said: there are a lot of password leaks shared on VTI. But yesterday, there was a peak in the number of such files uploaded to the platform.

Here is the list of files I found yesterday, and I'm pretty sure that it's only the tip of the iceberg!

-rw-r--r--@   1 xavier  rem   18925199 Mar  9 11:32 539K.TR.EMail.Pass.crackerteam.com.by-MeMaTi-22.txt
-rw-r--r--@   1 xavier  rem   19723010 Mar  9 11:56 553K_TR_sauwick.txt
-rw-r--r--@   1 xavier  rem    3487094 Mar  9 11:56 118k_combo_United_States.txt
-rw-r--r--@   1 xavier  rem   17173723 Mar  9 11:58 518K.txt
-rw-r--r--@   1 xavier  rem    4989847 Mar  9 11:59 145K-MAIL-ACCESS-VALID-HQ-COMBOLIST-MIX.txt
-rw-r--r--@   1 xavier  rem   19757718 Mar  9 12:00 632k.txt
-rw-r--r--@   1 xavier  rem    6557939 Mar  9 12:01 200K-NL.txt

It was time to gather some statistics. The total number of credentials collected yesterday was 2,713,282. Amongst them, 2,163,756 were unique. Here is the top 30 of domain names extracted from the email addresses:

732702 hotmail.com
281541 aol.com
210844 gmail.com
206774 yahoo.com
 67424 live.nl
 63512 wanadoo.nl
 59580 web.de
 58987 hotmail.de
 49680 comcast.net
 48233 mail.com
 45333 gmx.de
 37792 mail.ru
 26356 wanadoo.fr
 26196 yandex.ru
 25930 rambler.ru
 19759 msn.com
 19449 mynet.com
 17839 orange.fr
 17107 yahoo.ca
 14748 aim.com
 14596 hotmail.fr
 14051 t-online.de
 13265 live.de
 12756 ymail.com
 12748 live.com
 10990 windowslive.com
 10539 bellsouth.net
 10167 arcor.de
  9745 hotmail.nl

Conversely, let's search for more interesting domain names, like the ones that contain the string ".gov" (this is a plain substring match, so mistyped or truncated addresses such as "antalya.gov.tr.tr.tr" or "health.wa.gov." show up too, a reminder that the data is far from clean):

  86 tmo.gov.tr
  85 sgk.gov.tr
  60 icisleri.gov.tr
  23 iskur.gov.tr
  17 gsgm.gov.tr
  16 saglik.gov.tr
  16 estb.moe.gov.sa
  12 rb.moe.gov.sa
  12 gumruk.gov.tr
  11 milliemlak.gov.tr
   9 mkhb.moe.gov.sa
   8 mkhg.moe.gov.sa
   7 eskisehir-bld.gov.tr
   6 schools.bedfordshire.gov.uk
   6 sanayi.gov.tr
   6 rg.moe.gov.sa
   6 mb.moe.gov.sa
   6 istanbul.gov.tr
   5 egm.gov.tr
   5 antalyadefterdarligi.gov.tr
   4 tbmm.gov.tr
   4 r1.deped.gov.ph
   4 ncr2.deped.gov.ph
   4 isparta.gov.tr
   4 gumushane.gov.tr
   4 denizli.gov.tr
   4 casur.gov.co
   4 balikesirozelidare.gov.tr
   4 antalyasm.gov.tr
   3 zonguldakdef.gov.tr
   3 vks.gov.vn
   3 ubak.gov.tr
   3 tuik.gov.tr
   3 r4a-1.deped.gov.ph
   3 jzb.moe.gov.sa
   3 ibb.gov.tr
   3 estg.moe.gov.sa
   3 eskisehirozelidare.gov.tr
   3 dtm.gov.tr
   3 adalet.gov.tr
   3 abgs.gov.tr
   2 trabzonnumune.gov.tr
   2 tpao.gov.tr
   2 thainguyen.gov.vn
   2 tedas.gov.tr
   2 tcmb.gov.tr
   2 tarimnet.gov.tr
   2 state.gov
   2 sgk.gov
   2 sayistay.gov.tr
   2 saomanuel.sp.gov.br
   2 r7-2.deped.gov.ph
   2 petrol.tpao.gov.tr
   2 osmaniyeailedanisma.gov.tr
   2 nnptnt.daklak.gov.vn
   2 nevsehirdefterdarligi.gov.tr
   2 nevsehir.gov.tr
   2 ncr1.deped.gov.ph
   2 mg.moe.gov.sa
   2 meteor.gov.tr
   2 meteo.gov.mk
   2 meb.gov.tr
   2 malatya.gov.tr
   2 koski.gov.tr
   2 kosgeb.gov.tr
   2 kirikkaleilozelidare.gov
   2 kep.gov.gr
   2 kayseridis.gov.tr
   2 kayseri-meb.gov.tr
   2 karamansm.gov.tr
   2 jpd.gov.lv
   2 istanbul.mfa.gov.il
   2 iski.gov.tr
   2 health.wa.gov.
   2 hazine.gov.tr
   2 halton.gov.uk
   2 gsim.gov.tr
   2 giresunsaglik.gov.tr
   2 giresun.gov.tr
   2 fsco.gov.on.ca
   2 fbi.gov
   2 euas.gov.tr
   2 etimaden.gov.tr
   2 erzurumozelidare.gov.tr
   2 ego.gov.tr
   2 edu.madeira.gov.pt
   2 doj.ca.gov
   2 dmo.gov.tr
   2 diyanet.gov.tr
   2 denizlidh.gov.tr
   2 cdcr.ca.gov
   2 byegm.gov.tr
   2 bybs.gov.tr
   2 bilecikdh.gov.tr
   2 banbridge.gov.uk
   2 asrb.moe.gov.sa
   2 artvinozelidare.gov.tr
   2 artvinkhb.gov.tr
   2 ardahandh.gov.tr
   2 antalya.gov.tr.tr.tr
   2 ankaracocuk.gov.tr
   2 ankara-bel.gov.tr
   2 angkasa.gov.my
   2 afyonkarahisar.gov.tr
   2 act.gov.au
   1 wcb.gov.ns.ca
   1 vargemgrandepta.sp.gov.br
   1 usarec.gov
   1 tunja.gov.co
   1 tubitak.gov.tr
   1 te.vte.gov.lb
   1 southtyneside.gov.uk
   1 southsomerset.gov.uk
   1 seduc.go.gov.br
   1 sec.gov
   1 saocarlos.sp.gov.br
   1 sanliurfaozelidare.gov.tr
   1 sanjuan.gov.ar
   1 redencao.pa.gov.br
   1 r9.deped.gov.ph
   1 r11.deped.gov.ph
   1 qsmg.moe.gov.sa
   1 ptc.gov.ye
   1 psa.gov.ph
   1 policiacientifica.sp.gov.br
   1 plymouth.gov.uk
   1 ouropreto.mg.gov.br
   1 mto.gov.on.ca
   1 mkek.gov.tr
   1 mirempet.gov.ao
   1 mgs.gov.on.ca
   1 mgm.gov.tr
   1 memphistn.gov
   1 mbs.gov.on.ca
   1 masfamu.gov.ao
   1 mail.gov.nl.ca
   1 leicester.gov.uk
   1 la.gov
   1 kirklees.gov.uk
   1 kent.gov.uk
   1 jzg.moe.gov.sa
   1 jus.gov.on.ca
   1 jatai.go.gov.br
   1 jaguaribe.ce.gov.br
   1 inder.gov.co
   1 highways.gov.sk.ca
   1 gems9.gov.bc.ca
   1 gems2.gov.bc.ca
   1 finance.gov.sr
   1 finance.gov.sk.ca
   1 faan.gov.ng
   1 etec.sp.gov.br
   1 ene.gov.on.ca
   1 educacao.sp.gov.br
   1 educacao.mt.gov.br
   1 educ.somerset.gov.uk
   1 edu.lagosstate.gov.ng
   1 ebserh.gov.br
   1 dolma.gov.np
   1 dl.gov.cn
   1 dh.gsi.gov.uk
   1 dgs.ca.gov
   1 dfg.ca.gov
   1 defra.gsi.gov.uk
   1 curionopolis.pa.gov.br
   1 css.gov.on.ca
   1 crt01.gov.br
   1 cefospe.pe.gov.br
   1 cdph.ca.gov
   1 cbm.ba.gov.br
   1 calepa.ca.gov
   1 bury.gov.uk
   1 botas.gov.tr
   1 aphis.usda.gov
   1 angiang.gov.vn

Then I used the good old "pipal" tool, created by DigiNinja, to generate some statistics about the passwords (length, character sets, and recurring patterns). Pipal[2] is an old tool, but it still does a great job. Here are the basic results:

Total entries = 2711303
Total unique entries = 1547231

Top 10 passwords

galatasaray = 33943 (1.25%)
istanbul = 27191 (1.0%)
fenerbahce = 26108 (0.96%)
123456 = 19312 (0.71%)
123456789 = 13660 (0.5%)
besiktas = 13614 (0.5%)
ankara = 13551 (0.5%)
yasemin = 7328 (0.27%)
antalya = 6030 (0.22%)
trabzon = 5705 (0.21%)

Top 10 base words

istanbul = 52725 (1.94%)
galatasaray = 47861 (1.77%)
fenerbahce = 37905 (1.4%)
ankara = 32097 (1.18%)
besiktas = 23710 (0.87%)
trabzon = 14174 (0.52%)
antalya = 13206 (0.49%)
yasemin = 12977 (0.48%)
malatya = 12135 (0.45%)
sakarya = 10643 (0.39%)

Password length (length ordered)

1 = 452 (0.02%)
2 = 318 (0.01%)
3 = 2890 (0.11%)
4 = 9331 (0.34%)
5 = 23670 (0.87%)
6 = 312288 (11.52%)
7 = 401317 (14.8%)
8 = 849978 (31.35%)
9 = 380064 (14.02%)
10 = 313613 (11.57%)
11 = 173130 (6.39%)
12 = 100220 (3.7%)
13 = 44323 (1.63%)
14 = 31227 (1.15%)
15 = 31763 (1.17%)
16 = 12971 (0.48%)
17 = 5404 (0.2%)
18 = 5632 (0.21%)
19 = 2393 (0.09%)
20 = 2034 (0.08%)
21 = 1007 (0.04%)
22 = 1255 (0.05%)
23 = 852 (0.03%)
24 = 959 (0.04%)
25 = 489 (0.02%)
26 = 310 (0.01%)
27 = 225 (0.01%)
28 = 203 (0.01%)
29 = 177 (0.01%)
30 = 183 (0.01%)
31 = 70 (0.0%)
32 = 1909 (0.07%)
33 = 96 (0.0%)
34 = 42 (0.0%)
35 = 24 (0.0%)
36 = 32 (0.0%)
37 = 18 (0.0%)
38 = 66 (0.0%)
39 = 22 (0.0%)
40 = 264 (0.01%)
41 = 5 (0.0%)
42 = 3 (0.0%)
43 = 4 (0.0%)
44 = 6 (0.0%)
45 = 4 (0.0%)
46 = 1 (0.0%)
47 = 1 (0.0%)
48 = 2 (0.0%)
50 = 15 (0.0%)
51 = 1 (0.0%)
52 = 3 (0.0%)
53 = 5 (0.0%)
54 = 2 (0.0%)
60 = 2 (0.0%)
65 = 4 (0.0%)
68 = 1 (0.0%)
69 = 1 (0.0%)
70 = 1 (0.0%)
80 = 1 (0.0%)
81 = 3 (0.0%)
83 = 1 (0.0%)
85 = 3 (0.0%)
86 = 6 (0.0%)
87 = 1 (0.0%)
89 = 2 (0.0%)
90 = 4 (0.0%)

Password length (count ordered)

8 = 849978 (31.35%)
7 = 401317 (14.8%)
9 = 380064 (14.02%)
10 = 313613 (11.57%)
6 = 312288 (11.52%)
11 = 173130 (6.39%)
12 = 100220 (3.7%)
13 = 44323 (1.63%)
15 = 31763 (1.17%)
14 = 31227 (1.15%)
5 = 23670 (0.87%)
16 = 12971 (0.48%)
4 = 9331 (0.34%)
18 = 5632 (0.21%)
17 = 5404 (0.2%)
3 = 2890 (0.11%)
19 = 2393 (0.09%)
20 = 2034 (0.08%)
32 = 1909 (0.07%)
22 = 1255 (0.05%)
21 = 1007 (0.04%)
24 = 959 (0.04%)
23 = 852 (0.03%)
25 = 489 (0.02%)
1 = 452 (0.02%)
2 = 318 (0.01%)
26 = 310 (0.01%)
40 = 264 (0.01%)
27 = 225 (0.01%)
28 = 203 (0.01%)
30 = 183 (0.01%)
29 = 177 (0.01%)
33 = 96 (0.0%)
31 = 70 (0.0%)
38 = 66 (0.0%)
34 = 42 (0.0%)
36 = 32 (0.0%)
35 = 24 (0.0%)
39 = 22 (0.0%)
37 = 18 (0.0%)
50 = 15 (0.0%)
44 = 6 (0.0%)
86 = 6 (0.0%)
41 = 5 (0.0%)
53 = 5 (0.0%)
43 = 4 (0.0%)
45 = 4 (0.0%)
65 = 4 (0.0%)
90 = 4 (0.0%)
42 = 3 (0.0%)
52 = 3 (0.0%)
81 = 3 (0.0%)
85 = 3 (0.0%)
48 = 2 (0.0%)
54 = 2 (0.0%)
60 = 2 (0.0%)
89 = 2 (0.0%)
46 = 1 (0.0%)
47 = 1 (0.0%)
51 = 1 (0.0%)
68 = 1 (0.0%)
69 = 1 (0.0%)
70 = 1 (0.0%)
80 = 1 (0.0%)
83 = 1 (0.0%)
87 = 1 (0.0%)

       |
       |
       |
       |
       |
       |
       |
       |
      ||
      ||
     ||||
     ||||
     |||||
     |||||
     ||||||
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
000000000011111111112222222222333333333344444444445555555555666666666677
012345678901234567890123456789012345678901234567890123456789012345678901

One to six characters = 348949 (12.87%)
One to eight characters = 1600244 (59.02%)
More than eight characters = 1111059 (40.98%)

Only lowercase alpha = 964588 (35.58%)
Only uppercase alpha = 15068 (0.56%)
Only alpha = 979656 (36.13%)
Only numeric = 367723 (13.56%)

First capital last symbol = 33154 (1.22%)
First capital last number = 149291 (5.51%)
Single digit on the end = 199328 (7.35%)
Two digits on the end = 363743 (13.42%)
Three digits on the end = 158454 (5.84%)

Last number

0 = 137616 (5.08%)
1 = 247000 (9.11%)
2 = 133639 (4.93%)
3 = 176774 (6.52%)
4 = 121218 (4.47%)
5 = 114059 (4.21%)
6 = 129914 (4.79%)
7 = 111782 (4.12%)
8 = 105108 (3.88%)
9 = 108479 (4.0%)

|
|
|
|
| |
| |
| |
||||  |
|||||||| |
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
||||||||||
0123456789

Last digit

1 = 247000 (9.11%)
3 = 176774 (6.52%)
0 = 137616 (5.08%)
2 = 133639 (4.93%)
6 = 129914 (4.79%)
4 = 121218 (4.47%)
5 = 114059 (4.21%)
7 = 111782 (4.12%)
9 = 108479 (4.0%)
8 = 105108 (3.88%)

Last 2 digits (Top 10)

23 = 79010 (2.91%)
12 = 40311 (1.49%)
56 = 34572 (1.28%)
11 = 31147 (1.15%)
00 = 30333 (1.12%)
89 = 29147 (1.08%)
01 = 27355 (1.01%)
34 = 26567 (0.98%)
07 = 24614 (0.91%)
10 = 23597 (0.87%)

Last 3 digits (Top 10)

123 = 65452 (2.41%)
456 = 27030 (1.0%)
789 = 18101 (0.67%)
234 = 11293 (0.42%)
000 = 10709 (0.39%)
345 = 8833 (0.33%)
321 = 8071 (0.3%)
007 = 6489 (0.24%)
111 = 6127 (0.23%)
907 = 5942 (0.22%)

Last 4 digits (Top 10)

3456 = 24279 (0.9%)
6789 = 15731 (0.58%)
1234 = 10306 (0.38%)
2345 = 8016 (0.3%)
1907 = 5648 (0.21%)
1905 = 5373 (0.2%)
1903 = 4359 (0.16%)
4321 = 3835 (0.14%)
1987 = 3833 (0.14%)
2000 = 3696 (0.14%)

Last 5 digits (Top 10)

23456 = 24016 (0.89%)
56789 = 15559 (0.57%)
12345 = 7812 (0.29%)
45678 = 3400 (0.13%)
54321 = 3215 (0.12%)
23123 = 2993 (0.11%)
34567 = 2841 (0.1%)
11111 = 2441 (0.09%)
00000 = 2178 (0.08%)
67890 = 2073 (0.08%)

Character sets

loweralphanum: 1017832 (37.54%)
loweralpha: 964588 (35.58%)
numeric: 367723 (13.56%)
mixedalphanum: 177478 (6.55%)
mixedalpha: 38905 (1.43%)
mixedalphaspecialnum: 32426 (1.2%)
loweralphaspecialnum: 29438 (1.09%)
upperalphanum: 28480 (1.05%)
loweralphaspecial: 18937 (0.7%)
upperalpha: 15068 (0.56%)
mixedalphaspecial: 8315 (0.31%)
specialnum: 5449 (0.2%)
upperalphaspecialnum: 1824 (0.07%)
upperalphaspecial: 596 (0.02%)
special: 99 (0.0%)

Character set ordering

allstring: 1018561 (37.57%)
stringdigit: 907054 (33.45%)
alldigit: 367723 (13.56%)
othermask: 160397 (5.92%)
digitstring: 101157 (3.73%)
stringdigitstring: 80481 (2.97%)
digitstringdigit: 36441 (1.34%)
stringspecialdigit: 14594 (0.54%)
stringspecial: 12641 (0.47%)
stringspecialstring: 10952 (0.4%)
specialstring: 671 (0.02%)
specialstringspecial: 532 (0.02%)
allspecial: 99 (0.0%)
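To make the steps above reproducible, here is a small Python script that does, in miniature, what this diary describes: it parses a combolist of email:password lines, counts the e-mail domains (the top-30 list), extracts the ".gov" hits, and computes pipal-style statistics on the passwords. This is an added example, not the author's tooling and not pipal's code; the "loweralphanum"/"stringdigit" labels follow pipal's naming but are re-implemented here, and the separators it accepts (":", ";", "|") and the way it extracts the domain are assumptions about the dump format. The embedded combolist is constructed and contains no real credentials.

```python
"""Triage of a leaked combolist (email:password per line): domain counts, ".gov" hits
and pipal-style password statistics. Added example, not the author's tooling nor pipal's code."""
import re
from collections import Counter

# Constructed sample, every address and password is made up. It mixes the separators
# seen in the wild (':', ';', '|'), a junk line, a password containing ':' and a duplicate.
SAMPLE = """\
alice@hotmail.com:galatasaray1905
bob@example.gov.tr:istanbul34
carol@gmail.com:123456
dave@live.nl:Yasemin!2007
erin@example.gov:Summer2021
frank@web.de;password
bad line without separator
grace@sgk.gov.tr:fenerbahce
heidi@gmail.com:ankara06
ivan@mail.govx.example|Qwerty
kate@aol.com:pass:word
carol@gmail.com:123456
"""
# e-mail, the first ':' ';' or '|' after it, then everything else as the password
LINE_RE = re.compile(r"^([^:;|\s]+@[^:;|\s]+)[:;|](.*)$")

def parse_combolist(text):
    """Return ([(email, domain, password), ...], number_of_skipped_lines)."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # banners, ads, reversed password:email lines, ...
            continue
        email, password = m.groups()
        records.append((email, email.rsplit("@", 1)[1].lower(), password))
    return records, skipped

def unique_credentials(records):
    """Distinct (email, password) pairs; combolists repeat themselves a lot."""
    return len({(e, p) for e, _, p in records})

def domain_stats(records, top=30):
    """Most common e-mail domains, like the diary's top-30 list."""
    return Counter(d for _, d, _ in records).most_common(top)

def government_domains(records, strict=True):
    """strict=False is the diary's plain '.gov' substring grep; strict=True wants 'gov' as a
    whole DNS label (drops 'mail.govx.example'). Typos like 'gov.tr.tr.tr' pass both checks."""
    hits = Counter()
    for _, domain, _ in records:
        if (strict and "gov" in domain.split(".")) or (not strict and ".gov" in domain):
            hits[domain] += 1
    return hits.most_common()

def charset(pw):
    """pipal-style character-set label, e.g. 'loweralphanum' or 'numeric'."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    alpha = {(True, True): "mixedalpha", (True, False): "loweralpha",
             (False, True): "upperalpha", (False, False): ""}[(lower, upper)]
    if not alpha and not special:
        return "numeric" if digit else "empty"
    return alpha + ("special" if special else "") + ("num" if digit else "")

MASK_NAMES = {"s": "allstring", "d": "alldigit", "x": "allspecial", "sd": "stringdigit",
              "ds": "digitstring", "sds": "stringdigitstring", "dsd": "digitstringdigit",
              "sx": "stringspecial", "xs": "specialstring", "sxd": "stringspecialdigit",
              "sxs": "stringspecialstring", "xsx": "specialstringspecial"}

def mask(pw):
    """pipal-style ordering mask: letters->s, digits->d, other->x, runs collapsed, then named."""
    kinds = "".join("s" if c.isalpha() else "d" if c.isdigit() else "x" for c in pw)
    return MASK_NAMES.get(re.sub(r"(.)\1+", r"\1", kinds), "othermask")

def password_stats(records):
    """Counters matching the pipal sections quoted in the diary."""
    pws = [p for _, _, p in records]
    lengths = Counter(len(p) for p in pws)
    return {
        "total": len(pws),
        "unique": len(set(pws)),
        "lengths": lengths,
        "over_eight": sum(n for length, n in lengths.items() if length > 8),
        "charsets": Counter(charset(p) for p in pws),
        "masks": Counter(mask(p) for p in pws),
        "last_digit": Counter(p[-1] for p in pws if p[-1:].isdigit()),
        "last4": Counter(p[-4:] for p in pws if len(p) >= 4 and p[-4:].isdigit()),
    }

if __name__ == "__main__":
    recs, junk = parse_combolist(SAMPLE)
    print(f"{len(recs)} credentials, {unique_credentials(recs)} unique, {junk} junk line(s)")
    print("top domains:", domain_stats(recs, 3))
    print(".gov substring vs label:", government_domains(recs, False), government_domains(recs))
    print("masks:", password_stats(recs)["masks"].most_common())
```

Run it against a real dump by replacing SAMPLE with the file contents. The split happens at the first separator after the address, so passwords that themselves contain ":" survive intact, and the label-based ".gov" check is what you want when hunting for government accounts, since a bare substring match also returns domains that merely start a label with "gov". As with pipal, none of these counters say anything about whether a credential is still valid.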

These statistics must be read carefully because there is no way to verify their accuracy. Many times, such files are compilations of very old leaks, and most of the passwords (or even the accounts) are probably no longer valid. Still, if one of your domains shows up in such a file, it is worth checking whether those accounts still exist and whether the passwords are still in use.

[1] https://www.darkreading.com/threat-intelligence/researchers-explore-hacking-virustotal-to-find-stolen-credentials
[2] https://github.com/digininja/pipal

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant