# PhishDestroy threat dossier — sanisidrova.com.ar ================================================================ Fetched: 2026-07-17 07:47:46 UTC Canonical: https://phishdestroy.io/domain/sanisidrova.com.ar/ ## VERDICT ---------------------------------------------------------------- TAKEN DOWN (neutralised) Composite threat score: 100/100 (PhishDestroy scoring — see methodology below) Scam classification: Generic Phishing ## DETECTION EVIDENCE ---------------------------------------------------------------- VirusTotal: 12/91 security vendors flagged this domain Flagging vendors: ADMINUSLabs, alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, Fortinet, G-Data, Gridinsoft, Lionic, SOCRadar, Sophos AlienVault OTX: 2 pulses (threat-intel feed mentions) Public blocklists: listed on 1 independent blocklist ## INFRASTRUCTURE ---------------------------------------------------------------- IP address: 168.181.186.136 (AR, Rosario) ASN: AS27823 Dattatec.com Hosting org: Dattatec.com Registrar: nicar Nameservers: ns10.hostmar.com, ns9.hostmar.com Registered: 2015-10-23 Page title: .: San Isidro Villa Residencial :. HTTP response: 200 ## TLS CERTIFICATE ---------------------------------------------------------------- Issuer: Sectigo Limited / Sectigo Public Server Authentication CA DV R36 Expires: 2027-01-05 Status: INVALID chain Fingerprint: 6d6172023b4023ab446b04eaa9f4d7d32b45a5d67a93a6c9d6975670be09dab0 Subject Alternative Names (related infrastructure — often same operator): - www.sanisidrova.com.ar ## ABUSE-REPORT HISTORY (evidence of registrar non-response) ---------------------------------------------------------------- Status: CLOSED — no report required. This domain was neutralised before the abuse-report cycle could be dispatched — either the hosting provider / registrar suspended it on their own, the DNS went dead, or the operator abandoned the infrastructure. PhishDestroy keeps the evidence bundle on file for audit but no formal notice was sent. ## TIMELINE ---------------------------------------------------------------- Domain registered: 2015-10-23 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration) First detected: 2026-05-11 15:29:57 UTC (by PhishDestroy tracker) First reported: 2026-05-11 15:28:40 UTC (abuse notice filed) Last verified: 2026-07-17 08:20:40 UTC Neutralised: 2026-06-06 17:31:12 UTC Current status: taken down (registrar suspended or DNS dead) ## EXTERNAL CORROBORATION (third-party evidence) ---------------------------------------------------------------- URLScan.io: https://urlscan.io/result/019e1700-f943-75bb-9d6f-8933c8d0736c/ URLQuery: https://urlquery.net/report/b086ed48-87aa-4916-9aaa-59d8d158cbe2 Wayback Machine: https://web.archive.org/web/*/sanisidrova.com.ar crt.sh CT logs: https://crt.sh/?q=%25.sanisidrova.com.ar Google transparency: https://transparencyreport.google.com/safe-browsing/search?url=sanisidrova.com.ar AlienVault OTX: https://otx.alienvault.com/indicator/domain/sanisidrova.com.ar URLhaus: https://urlhaus.abuse.ch/host/sanisidrova.com.ar/ ## ANALYST NARRATIVE ---------------------------------------------------------------- [Generated: 2026-06-26 05:39:48 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.] This domain, sanisidrova.com.ar, is flagged as a credential theft phishing site impersonating the San Isidro Villa Residencial brand. Analysis indicates the site was designed to harvest login credentials or personal information from visitors under the guise of a legitimate residential property portal. No evidence of crypto drainer kits or payment redirection scripts was observed in initial triage, but the domain exhibits characteristics consistent with credential harvesting infrastructure, including a plausible facade for real estate transactions or account access. Technical indicators confirm elevated risk: the domain is detected by 12 out of 95 security vendors on VirusTotal, registered through nic.ar on October 23, 2015, and resolves to the IP address 168.181.186.136. It appears on one security blocklist and is referenced in two threat intelligence pulses on AlienVault OTX. The SSL certificate is issued by Sectigo Limited, which, while not inherently malicious, is frequently leveraged by threat actors to lend false legitimacy to phishing sites. The domain’s creation date predates typical phishing campaigns, suggesting either long-term compromise of a dormant domain or repurposing of existing infrastructure for malicious use. As of the latest assessment, sanisidrova.com.ar has been taken offline, reducing immediate exposure risk. However, the domain remains registered and could be reactivated or repurposed for future campaigns. Organizations are advised to block the domain and its associated IP at the perimeter, monitor for residual DNS queries, and conduct internal audits for any prior interactions with the site. Users who may have entered credentials should assume compromise and initiate password resets across all platforms where identical credentials were reused. Continued vigilance is warranted due to the domain’s historical association with malicious activity and its presence in threat intelligence feeds. ## EVIDENCE HASHES ---------------------------------------------------------------- Favicon MD5: 571f68a73e33c695103f845a6f911e75 TLS cert SHA-256: 6d6172023b4023ab446b04eaa9f4d7d32b45a5d67a93a6c9d6975670be09dab0 ## SCORING METHODOLOGY ---------------------------------------------------------------- Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates: - VirusTotal positive ratio - Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB) - Cloaking detection (HTTP 666 or rendering delta between bot and real visitor) - DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.) - AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing - URLScan / URLQuery verdicts - Brand-impersonation heuristics (DOM analysis of forms, logos, wording) - Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures) - Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...) - Free-TLS vs paid-cert ratio (throwaway infrastructure signal) - Registrar/hosting abuse history (this registrar's track record) - Human researcher sign-off (operator takedown team) A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT. ## CORRECTIONS / APPEALS ---------------------------------------------------------------- Full HTML report: https://phishdestroy.io/domain/sanisidrova.com.ar/ JSON API: https://api.destroy.tools/v1/check?domain=sanisidrova.com.ar Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%) Submit a report: https://t.me/PhishDestroy_bot About PhishDestroy: independent open-source threat-intelligence platform. Tracked: 179,659 domains (51,117 alive under monitoring, 128,542 confirmed takedowns/dead). Site: https://phishdestroy.io