# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: SOVA, Nexus # Reference: https://www.f5.com/labs/articles/threat-intelligence/f5-labs-investigates-malibot # Reference: https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly # Reference: https://www.virustotal.com/gui/ip-address/5.101.0.44/relations # Reference: https://www.virustotal.com/gui/file/bfa9a861d953247eea496f4a587f59e9ee847e47a68c67a4946a927c37b042c4/detection # Reference: https://www.virustotal.com/gui/file/90ce9980da2d0b4b5493061de20b482d0410468977ff97f4abef088e2d133ad2/detection # Reference: https://www.virustotal.com/gui/file/4f9fb1830f47c3107b2c865a169fab46f02f6e3aeb9a3673877e639755af172a/detection # Reference: https://www.virustotal.com/gui/file/0c9616a945dd44871c7e0b76de33ed92c88ab69bb55dbd180ad75df030a0210b/detection # Reference: https://www.virustotal.com/gui/file/0c9616a945dd44871c7e0b76de33ed92c88ab69bb55dbd180ad75df030a0210b/detection 81.19.139.34:1080 91.232.105.4:1080 busthetrel.xyz cialarynan.xyz covid19-hhs.com dorelicinycass.xyz juradannagaha.xyz malemasenafis.xyz mining-x.tech mycrypto-app.com qusahaunad.xyz trust-nft.app udapppacel.xyz walananlpi.xyz xireycicin.xyz # Reference: https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html # Reference: https://otx.alienvault.com/pulse/613b490772350348717d33b0 # Reference: https://www.virustotal.com/gui/file/795b279f312a773f7f556a978387f1b682f93470db4c1b5f9cd6ca2cab1399b6/detection a0545193.xsph.ru l8j1nsk3j5h1msal973nk37.fun # Reference: https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly # Reference: https://www.virustotal.com/gui/ip-address/185.106.93.34/relations # Reference: https://www.virustotal.com/gui/ip-address/65.108.243.141/relations # Reference: https://www.virustotal.com/gui/ip-address/81.19.139.34/relations # Reference: https://www.virustotal.com/gui/file/f050effef52d04feafe277f40064caf220a4acf5dd442975533c8135b952f17e/detection # Reference: https://www.virustotal.com/gui/file/9621358e53377ab8b0145ea3b8c01c90be60604825d37bd085557845e63dd3a4/detection # Reference: https://www.virustotal.com/gui/file/f8077bb0ace3caea945cacf74c57153b4af35b8198fa9e07c657b3e8200eadfd/detection # Reference: https://www.virustotal.com/gui/file/6a83410c79f9e58e134f07f6e5c953e43c7dfa10046b04a9be14a822cb5d0eb0/detection # Reference: https://www.virustotal.com/gui/file/0b1f76ccc734fa7f9e533b839d85c4bd7ed676e7c3e581fc4a0b1cb989fe4a58/detection apinerqpinsad.site domain4ghost.site domainwpatnlfq.site inj4ghost.site inj4ka.space injqvadpyrs.site miningaitubriat.site omainwpatnlfq.site panel2jueprasqb.site panel3ghost.site panel4ghost.site panel4ka.site panel4ka.space panelquartiquf.site socrersutagans.site squareapp.online trustpquegpan.site satandemantenimiento.com wecrvtbyutrcewwretyntrverfd.xyz /api/?access=0&accounts=%5B%5D&botid= /api/?access=1&accounts=%5B%5D&botid= /api/?access=0&accounts=[]&botid= /api/?access=1&accounts=[]&botid= /api/?method=accessinfo&accessibility=0&botid= /api/?method=accessinfo&accessibility=1&botid= /api/?method=admininfo&admin=0&botid= /api/?method=admininfo&admin=1&botid= /api/?param=accessibility&value=0&botid= /api/?param=accessibility&value=1&botid= /api/?param=admin&value=0&botid= /api/?param=screen&value=0&botid= /api/?param=screen&value=1&botid= /api/?param=sms&value=0&botid= /api/?param=sms&value=1&botid= # Reference: https://twitter.com/malwrhunterteam/status/1567876515613786117 # Reference: https://www.virustotal.com/gui/file/aba460774bb3f99be3be6a0fa08845f75a8c55ba2663c7bcbd9713139844cebf/detection zasxdcfvgbhnjmkazsxdcfvgbhnjmk.xyz # Reference: https://twitter.com/malwrhunterteam/status/1603105037399605250 # Reference: https://www.virustotal.com/gui/file/76d4de84e32bc7f40a131f51e1fc56213b05391cb3a809330a4296c224f9cc22/detection azqewrtynuytcdrxrszaesxcdtfvbgu.shop azqewrtynuytcdrxrszaesxcdtfvbgu.xyz bvgcfxdzsexrectvyubinmlklnjbhvgyctxrry.xyz odeialaipodushkijdutrebeatrafinat.shop zomiapppcalisis.shop # Reference: https://twitter.com/malwrhunterteam/status/1621230303133024256 # Reference: https://www.virustotal.com/gui/file/d9fa9002accd6020f5e605f906268b90731015e34a6f33aa25fe396151012f14/detection http://176.107.160.43 # Reference: https://www.virustotal.com/gui/file/463ced138092bb7c3086256ecb22c4d2688ad9ca7227e30cbf1e9b64bf1c9191/detection # Reference: https://www.virustotal.com/gui/file/02ccb25e14c745fc2a13b314112d0bd84ad003214ff2ccd2c43d5fa5e6e4784e/detection http://5.161.22.162 5.161.22.162:5000 letmetakebaby.net # Reference: https://twitter.com/0xchak/status/1632675520935604224 # Reference: https://twitter.com/0xchak/status/1632675523997442048 # Reference: https://www.virustotal.com/gui/file/37c23fed12edf688ae4d72bbf65815546feefe346421070085938b8506e6a0d9/detection # Reference: https://www.virustotal.com/gui/file/182cc43b2817250ebd80a116f82a7a410ded22ea12821ca192f8a8d29d3b0b09/detection http://5.161.23.122 http://5.161.97.57 5.161.23.122:5000 5.161.97.57:5000 delicesevsinsevenler.page nexsuslazim.net yenihaberbizimsizden.co.vu # Reference: https://twitter.com/0xrb/status/1633034670815469569 # Reference: https://threatfox.abuse.ch/browse/tag/Nexus/ http://109.206.240.7 http://176.107.160.28 http://176.107.160.53 http://176.107.160.57 http://176.107.160.64 http://45.143.138.133 http://45.81.243.180 http://45.81.243.181 http://45.81.243.203 http://45.81.243.204 http://85.217.144.111 http://85.217.144.112 http://85.217.144.114 http://85.217.144.115 http://85.31.45.101 http://85.31.45.128 176.123.6.135:5000 176.123.6.139:5000 176.123.6.140:5000 176.123.6.143:5000 176.123.6.144:5000 176.123.6.78:5000 5.161.105.24:5000 5.161.116.222:5000 5.161.16.185:5000 5.161.16.85:5000 5.161.17.33:6699 5.161.182.30:6699 5.161.189.178:5000 5.161.192.183:5000 5.161.201.122:5000 5.161.22.136:6699 5.161.22.241:5000 5.161.23.29:6699 5.161.48.75:6699 5.161.88.148:6699 aaaksdasfak12512.net aaasksasfdk125asf12.net aaksdk12512.net aaksdk12512gs.net aasfaksd24k12512.net # Reference: https://twitter.com/S4nsLimit3/status/1633481095579664386 # Reference: https://www.virustotal.com/gui/file/76e72d5118c632c1266b6b745e3502ce4abeca5ff76124c01e5837059c7e2a68/detection http://176.107.160.16 # Reference: https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections/ youtubeadvanced.net youtubevanvedadw.net # Reference: https://twitter.com/malwrhunterteam/status/1635355420268314624 # Reference: https://twitter.com/0x6rsk/status/1635946336368443396 # Reference: https://www.virustotal.com/gui/file/376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4/detection # Reference: https://www.virustotal.com/gui/file/8e3c7f755f08831739743c8f68b8ac7c263914e723258f9317bc08c01ca111f2/detection http://193.42.32.87 blog-italia.club # Reference: https://twitter.com/0x6rsk/status/1635955119597420544 # Reference: https://www.virustotal.com/gui/file/9b4539ea135f28a219788db09652ff51b77f20b235e8399de306c94dc7681097/detection http://85.217.144.114 # Reference: https://twitter.com/malwrhunterteam/status/1638290975696080901 # Reference: https://www.virustotal.com/gui/ip-address/79.137.192.10/relations # Reference: https://www.virustotal.com/gui/file/ea40b950dc088504f51181e8ea4e0d1cb500797967637e7124bfbbdb29395635/detection http://85.31.45.130 block-blog.xyz copy-blog.info copy-blog.online drill-blog.ink tab-blog.info