🔴 R4gn4r0 Mailer 1.0

R4gn4r0 Mailer is a straightforward PHP script used to send bulk email from hacked WordPress websites. It offers email address filtering, mass mailing and blacklist checking, and is essentially a clone of LeafMailer.

The malware is commonly found as a file named wp-active2.php.

A simple login form; the password is hard-coded in the script:

[Image: R4gn4r0 Mailer login form]
[Image: R4gn4r0 Mailer password]

Email filter:

[Image: R4gn4r0 Mailer email filter]

Mass mailer:

[Image: R4gn4r0 Mailer mass mailer form]

The source code is nearly identical to LeafMailer; it appears that someone simply added colors and translated the interface into Spanish.

Email addresses mentioned inside the source code: [email protected], [email protected], [email protected]

IP address known to have abused this script: 45.91.20.96. The following web server access log excerpt shows its POST requests to wp-active2.php:

45.91.20.96 - - [27/Sep/2022:23:14:58 +0200] "POST /wp-active2.php HTTP/2.0" 200 10884 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:15:01 +0200] "POST /wp-active2.php HTTP/2.0" 200 131315 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:16:08 +0200] "POST /wp-active2.php HTTP/2.0" 200 22514 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:17:05 +0200] "POST /wp-active2.php HTTP/2.0" 200 32377 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:17:21 +0200] "POST /wp-active2.php HTTP/2.0" 200 32377 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:17:28 +0200] "POST /wp-active2.php HTTP/2.0" 200 15952627 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:23:41 +0200] "POST /wp-active2.php HTTP/2.0" 200 45077 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:23:47 +0200] "POST /wp-active2.php HTTP/2.0" 200 36430158 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:30:53 +0200] "POST /wp-active2.php HTTP/2.0" 200 45077 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
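As an added example that is not part of the original post, the following Python script runs the detection implied by the log excerpt above: it parses combined-format access log entries, flags POST requests to wp-active2.php, counts them per source IP and marks unusually large responses (a multi-megabyte reply to such a POST is typical of a mass-mail run reporting its results). The benign third sample line, the 203.0.113.7 address and the 1 MB threshold are constructed assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip - - [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# File name this mailer has been seen dropped as (from the write-up above).
MAILER_PATHS = {"/wp-active2.php"}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d

def find_mailer_activity(lines, big_response=1_000_000):
    """Return (hits, per_ip): hits are POST requests to a known mailer path,
    each tagged with large_response when the reply exceeds big_response bytes
    (assumed threshold); per_ip counts those POSTs by client address."""
    hits, per_ip = [], Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST" or rec["path"] not in MAILER_PATHS:
            continue
        rec["large_response"] = rec["bytes"] >= big_response
        hits.append(rec)
        per_ip[rec["ip"]] += 1
    return hits, per_ip

# Constructed sample: two entries taken from the excerpt above plus one benign request.
SAMPLE = [
    '45.91.20.96 - - [27/Sep/2022:23:14:58 +0200] "POST /wp-active2.php HTTP/2.0" 200 10884 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0"',
    '45.91.20.96 - - [27/Sep/2022:23:23:47 +0200] "POST /wp-active2.php HTTP/2.0" 200 36430158 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Sep/2022:23:24:00 +0200] "GET /index.php HTTP/2.0" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, per_ip = find_mailer_activity(SAMPLE)
    for h in hits:
        print(h["time"], h["ip"], h["path"], h["bytes"], "LARGE" if h["large_response"] else "")
    print(dict(per_ip))
```

Feed the script your real access log (one line per list entry) to get a per-IP count of mailer POSTs and the timestamps of the large runs.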