# xmrwallet.biz — Escape Domain #2

## WHOIS

| Field | Value |
|-------|-------|
| **Registered** | 2026-02-09 |
| **Expires** | 2031-02-09 (5 years prepaid) |
| **Registrar** | Web Commerce Communications Limited dba WebNic.cc |
| **Status** | clientTransferProhibited · clientDeleteProhibited · clientUpdateProhibited · **serverTransferProhibited** |
| **Nameservers** | NS1.DDOS-GUARD.NET · NS2.DDOS-GUARD.NET |

## Hosting

| Field | Value |
|-------|-------|
| **IP** | 190.115.31.40 |
| **ASN** | AS59692 — IQWeb FZ-LLC |
| **Country** | 🇧🇿 Belize (offshore) |
| **Hostname** | ddos-guard.net |

## VirusTotal Intelligence

| Field | Value |
|-------|-------|
| **Domains** | www.xmrwallet.biz · xmrwallet.biz |
| **ASN** | AS59692 (confirmed — same as xmrwallet.com) |
| **IP** | 190.115.31.40 |
| **Files served** | **23 file hashes identified** by VirusTotal |

### File Hashes (SHA256) — served by xmrwallet.biz

These are files VT observed being delivered from this domain — wallet JS, possible WebAssembly modules, obfuscated scripts.

Cross-reference each hash: https://www.virustotal.com/gui/file/[HASH]

## Key Facts

- Registered **2026-02-09** — 5 days after xmrwallet.cc, both post-investigation
- **4 lock statuses** including `serverTransferProhibited` — registry-level, cannot be removed by registrar alone
- Same backend AS59692 IQWeb FZ-LLC as xmrwallet.com
- WebNic.cc (Malaysia) — abuse contact: **abuse@webnic.cc**
- 23 files already indexed by VirusTotal = site already active and serving content

## Report

- abuse@webnic.cc
- https://www.virustotal.com/gui/domain/xmrwallet.biz
- https://safebrowsing.google.com/safebrowsing/report_phish/
- https://phish.report/ (auto-reports to 6+ platforms)