On the Hunt for Remnants of the Samourai Wallet Crypto Mixing Services in the DNS

The DNS-focused investigation into the Samourai Wallet started from IoCs including the domains samourai.io, samourai.support, and samouraiwallet.com and extended artifact discovery through DNS and WHOIS methods. The research surfaced multiple IPs, domains, and non-public email addresses, with a full dataset available in WhoisXMLAPI’s threat reports and related summaries. #SamouraiWallet #DanchoDanchev #WhoisXMLAPI #Namecheap #GandiSAS

Keypoints

  • Samourai Wallet IoCs identified: samourai.io, samourai.support, and samouraiwallet.com.
  • DNS analysis expanded artifacts to four IP resolutions, two IP-connected domains, and 66 string-connected domains.
  • IoCs were split between two registrars: Namecheap and Gandi SAS.
  • Most domains were created in 2015, with one created in 2021.
  • The domains were registered in Iceland (two) and the United States (one).
  • WHOIS History API and DNS lookups were used to uncover artifacts; full findings are available on WhoisXMLAPI’s threat reports.

MITRE Techniques

  • [T1583] Acquire Infrastructure – Domain and IP infrastructure discovery via DNS lookups and associated artifacts. “DNS lookups … enabled us to uncover four unique IP address resolutions” and related domain/artifact mapping.
  • [T1593] Search Open Websites – OSINT collection of domain history and related artifacts via WHOIS data. “We began our search … by conducting WHOIS History API queries for the three domains tagged as IoCs.” and “bulk WHOIS lookup” helped reveal ancillary artifacts.
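The pivoting described in the keypoints and in the two technique entries above (seed IoCs → IP resolutions → IP-connected domains → string-connected domains, plus WHOIS registrant and registrar correlation) is easy to show as code. The following is an added illustration, not code from the report or from WhoisXMLAPI: it runs the same expansion steps offline over a constructed lookup table. Only the three seed domains, the three IP addresses, and the two registrar names come from the report; every `.example` domain, every e-mail address, the pivot substring `samourai`, and the assignment of registrar/creation year to a given domain are invented for the demo.

```python
"""IoC expansion by DNS and WHOIS pivoting, run over constructed offline data."""
import json
from collections import defaultdict

# Seed IoCs listed in the report.
SEED_DOMAINS = {"samourai.io", "samourai.support", "samouraiwallet.com"}
PIVOT_STRING = "samourai"  # assumption: substring used for "string-connected" domains

# Constructed stand-in for DNS A-record lookups (a passive-DNS export would look
# similar). Seed rows reuse the IPs from the report; every *.example row is invented.
DNS_RECORDS = {
    "samourai.io": {"104.21.68.107", "172.67.194.72"},
    "samourai.support": {"162.255.119.8"},
    "samouraiwallet.com": {"104.21.68.107"},
    "pivot-a.example": {"162.255.119.8"},       # constructed: shares an IP with a seed
    "pivot-b.example": {"172.67.194.72"},       # constructed: shares an IP with a seed
    "samourai-help.example": {"203.0.113.9"},   # constructed: string match only
    "unrelated.example": {"198.51.100.7"},      # constructed: no relation at all
}

# Constructed stand-in for WHOIS History API results. Registrar names are the two
# named in the report, but which seed maps to which registrar/year is arbitrary here.
WHOIS_HISTORY = {
    "samourai.io": {"registrar": "Namecheap", "created": "2015", "email": "a@contact.example"},
    "samourai.support": {"registrar": "Gandi SAS", "created": "2015", "email": "b@contact.example"},
    "samouraiwallet.com": {"registrar": "Namecheap", "created": "2021", "email": "a@contact.example"},
    "pivot-a.example": {"registrar": "Namecheap", "created": "2016", "email": "c@contact.example"},
    "samourai-help.example": {"registrar": "Gandi SAS", "created": "2019", "email": "a@contact.example"},
}


def ip_resolutions(seeds, records):
    """Step 1: every IP address any seed domain resolves to."""
    return {ip for d in seeds for ip in records.get(d, ())}


def ip_connected_domains(seeds, records):
    """Step 2 (reverse-IP pivot): non-seed domains resolving to a seed IP."""
    seed_ips = ip_resolutions(seeds, records)
    return {d for d, ips in records.items() if d not in seeds and ips & seed_ips}


def string_connected_domains(seeds, candidates, token):
    """Step 3 (string pivot): non-seed domains that contain the pivot substring."""
    return {d for d in candidates if d not in seeds and token in d.lower()}


def registrant_emails(seeds, history):
    """Registrant contacts recovered from the seeds' WHOIS history."""
    return {history[d]["email"] for d in seeds if d in history and history[d].get("email")}


def email_connected_domains(seeds, history):
    """Step 4 (reverse-WHOIS pivot): non-seed domains sharing a seed registrant e-mail."""
    emails = registrant_emails(seeds, history)
    return {d for d, rec in history.items() if d not in seeds and rec.get("email") in emails}


def registrar_breakdown(seeds, history):
    """Group the seed domains by registrar, as the report does."""
    out = defaultdict(set)
    for d in seeds:
        if d in history:
            out[history[d]["registrar"]].add(d)
    return dict(out)


def expand(seeds, records, history, token):
    """Run all pivots and return a JSON-friendly summary (lists are sorted for stable output)."""
    return {
        "ip_resolutions": sorted(ip_resolutions(seeds, records)),
        "ip_connected": sorted(ip_connected_domains(seeds, records)),
        "string_connected": sorted(string_connected_domains(seeds, records, token)),
        "email_connected": sorted(email_connected_domains(seeds, history)),
        "registrars": {k: sorted(v) for k, v in registrar_breakdown(seeds, history).items()},
    }


if __name__ == "__main__":
    print(json.dumps(expand(SEED_DOMAINS, DNS_RECORDS, WHOIS_HISTORY, PIVOT_STRING), indent=2))
```

In a real investigation `DNS_RECORDS` and `WHOIS_HISTORY` would be filled from live lookups or a passive-DNS/WHOIS-history export. One caveat the report's counts hint at: reverse-IP pivots on addresses that belong to CDNs or shared hosting return many unrelated tenants, so IP-connected hits deserve less weight than a shared registrant contact or an exact string match, and should be confirmed by a second pivot before being promoted to IoCs.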

Indicators of Compromise

  • [Domain] domain names – samourai.io, samourai.support, samouraiwallet.com
  • [IP Address] – 104.21.68.107, 162.255.119.8, 172.67.194.72
  • [Email Address] – three email addresses discovered via WHOIS History API (not public)

Read more: https://circleid.com/posts/20240709-on-the-hunt-for-remnants-of-the-samourai-wallet-crypto-mixing-services-in-the-dns