# PhishDestroy threat dossier — sqlbatimcorporation.vu
================================================================
Fetched: 2026-06-26 00:51:50 UTC
Canonical: https://phishdestroy.io/domain/sqlbatimcorporation.vu/

## VERDICT
----------------------------------------------------------------
CRITICAL THREAT — DO NOT VISIT
Composite threat score: 100/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 14/91 security vendors flagged this domain
Flagging vendors: alphaMountain.ai, BitDefender, Chong Lua Dao, CRDF, CyRadar, ESET, Forcepoint ThreatSeeker, Fortinet, G-Data, Gridinsoft, Lionic, SOCRadar, Sophos, VIPRE
AlienVault OTX: 5 pulses (threat-intel feed mentions)
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 172.67.191.223 (Cloudflare-proxied: a shared edge address, not the origin host)
Registered: 2026-06-14
Page title: Suspected Phishing | Cloudflare
HTTP response: 403

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E8
Expires: 2026-08-15
Status: INVALID chain
Fingerprint (SHA-256): 06872192fe2d8d4b800015130139f6d0156f3c05d81d0c4c0d9455d487127996

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue. No abuse reports have been filed yet, so there is no registrar response to evaluate; the domain is queued for the next cycle of our automated abuse-reporter.
## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-06-14 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-06-14 18:09:15 UTC (by PhishDestroy tracker)
Last verified: 2026-06-26 00:20:35 UTC
Current status: ACTIVE / observable

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-25 21:09:23 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

sqlbatimcorporation.vu is classified as generic_phishing: a fake Cloudflare security alert built to convince visitors that their browser or connection has been flagged for a security violation, and to use that pretext to push a malicious download, harvest credentials or prompt an unauthorized transaction. The lure copies the look of a legitimate security notification so that trust in an established brand does the persuading.

One caveat on the capture itself: the recorded page title 'Suspected Phishing | Cloudflare' together with an HTTP 403 is also exactly what Cloudflare's own interstitial returns once a proxied site has been reported as phishing, so the most recent crawl may have recorded Cloudflare's block page standing in front of the lure rather than the lure itself. The verdict does not depend on that rendering; it rests on the detection evidence above.

Infrastructure analysis shows several high-confidence indicators. The domain was registered on June 14, 2026 under .vu, the Vanuatu ccTLD, a namespace that recurs in phishing campaigns because of its relaxed registration requirements. At narrative time VirusTotal reported 14 of 95 vendors flagging the domain (14/91 at last verification; see DETECTION EVIDENCE), and AlienVault OTX carried it in five distinct threat-intelligence pulses. It appears on one public blocklist and is blocked by specialized anti-phishing systems. It resolves to 172.67.191.223, a Cloudflare anycast edge address: the site is proxied through Cloudflare, which hides the origin host and slows takedown, and which also means that address is shared with unrelated proxied sites.
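The shared Cloudflare edge noted above is where an automated IOC consumer most often goes wrong: feeding 172.67.191.223 into a firewall blocklist cuts off every other site proxied through that edge. The Python below is an added example, not PhishDestroy's own code. It turns the dossier's infrastructure and detection fields into DNS-level blocking (RPZ zone lines) while refusing to emit an IP rule for a shared CDN edge, and it encodes the scoring caveat this page makes later: a clean VirusTotal result on a days-old domain carries no weight on its own. The Cloudflare range list is a partial snapshot and an assumption (refresh it from https://www.cloudflare.com/ips-v4); the `Dossier` type, the sample record and the 30-day window are constructed for the example from the values on this page.

```python
"""Turn a PhishDestroy-style dossier record into blocking actions that do not
damage bystanders. Added example, not PhishDestroy's own code."""
from dataclasses import dataclass
from datetime import date
import ipaddress

# ASSUMPTION: partial snapshot of Cloudflare's published IPv4 edge ranges.
# Refresh from https://www.cloudflare.com/ips-v4 before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "172.64.0.0/13", "104.16.0.0/13", "104.24.0.0/14", "162.158.0.0/15",
    "198.41.128.0/17", "141.101.64.0/18", "108.162.192.0/18",
    "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "197.234.240.0/22", "131.0.72.0/22",
)]


@dataclass
class Dossier:
    """Subset of dossier fields this example consumes (dates as ISO strings)."""
    domain: str
    ip: str
    registered: str
    vt_positives: int
    vt_total: int
    otx_pulses: int
    blocklists: int


# Constructed from the INFRASTRUCTURE / DETECTION EVIDENCE blocks of this page.
SAMPLE = Dossier("sqlbatimcorporation.vu", "172.67.191.223", "2026-06-14",
                 vt_positives=14, vt_total=91, otx_pulses=5, blocklists=1)


def shared_cdn_ip(ip: str) -> bool:
    """True when the address is a CDN edge shared by many unrelated tenants."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def rpz_records(domain: str) -> list[str]:
    """RPZ zone-body lines: 'CNAME .' makes the resolver answer NXDOMAIN for
    the name; the wildcard line covers lures hosted on any subdomain."""
    name = domain.strip().rstrip(".").lower()
    return [f"{name} CNAME .", f"*.{name} CNAME ."]


def block_plan(d: Dossier) -> dict:
    """DNS rules always; an IP rule only when the IP is not a shared edge."""
    plan = {"dns": rpz_records(d.domain), "ip": None, "notes": []}
    if shared_cdn_ip(d.ip):
        plan["notes"].append(
            f"{d.ip} is a shared CDN edge: blocking it would also cut off "
            "unrelated proxied sites; block the name and cert fingerprint, not the IP")
    else:
        plan["ip"] = d.ip
    return plan


def low_vt_is_meaningful(d: Dossier, as_of: str, quiet_days: int = 30) -> bool:
    """A 0/N VirusTotal result only counts as evidence of safety once the
    domain has aged past the window in which vendors typically have not seen
    it yet, and only if no other source (OTX, blocklists) has flagged it."""
    age = (date.fromisoformat(as_of) - date.fromisoformat(d.registered)).days
    return (d.vt_positives == 0 and age > quiet_days
            and d.otx_pulses == 0 and d.blocklists == 0)


if __name__ == "__main__":
    plan = block_plan(SAMPLE)
    print("\n".join(plan["dns"]))
    for note in plan["notes"]:
        print("#", note)
```

Load the two RPZ lines into a resolver that supports response-policy zones (BIND, Unbound, PowerDNS Recursor); the `notes` entry is what should surface to the analyst instead of a firewall rule.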
The TLS certificate is from Let's Encrypt. A valid padlock lends the page surface legitimacy but says nothing about what it serves, and free, automatically issued certificates are the norm on throwaway phishing infrastructure (the chain also failed validation at last check; see TLS CERTIFICATE).

Anyone who has visited sqlbatimcorporation.vu should close any open session with it and ignore its prompts and download requests. If credentials were entered, reset the passwords of the affected accounts through each provider's official channels and enable multi-factor authentication where available. Run a scan with up-to-date security tooling to rule out a dropped payload.

At the network level, block resolution of the domain and its subdomains with DNS filtering. Do not add 172.67.191.223 to an IP blocklist: it is a shared Cloudflare edge, so an IP block would also cut off unrelated legitimate sites and adds nothing over blocking the name. Organizations should add the domain and the certificate fingerprint below to internal blocklists and threat-intelligence feeds and, given the active status, keep watching for sibling domains that reuse the naming pattern or infrastructure.

## EVIDENCE HASHES
----------------------------------------------------------------
TLS cert SHA-256: 06872192fe2d8d4b800015130139f6d0156f3c05d81d0c4c0d9455d487127996

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/sqlbatimcorporation.vu/
JSON API: https://api.destroy.tools/v1/check?domain=sqlbatimcorporation.vu
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform. Tracked: 170,045 domains (12,242 alive under monitoring, 157,244 confirmed takedowns/dead).
Site: https://phishdestroy.io