# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://twitter.com/ViriBack/status/1035683053459460098 3dchesmellltda.club # Reference: https://researchcenter.paloaltonetworks.com/2016/03/banload-malware-affecting-brazil-exhibits-unusually-complex-infection-process/ compra-da-sorte.com vemsorte2015.com # Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banloa-CRQ/detailed-analysis.aspx triocar.web1629.kinghost.net www.inducar.kinghost.net # Reference: https://twitter.com/pancak3lullz/status/1040343104564473865 beladoces.online/wp/wp-includes/brazilkrisemundial/index.php # Reference: https://twitter.com/James_inthe_box/status/1242573224006696961 /AppCounter20032020-001/index.php # Reference: https://twitter.com/1ZRR4H/status/1243178915507703810 seguridadsucursal.online tma8sjw.myftp.org # Reference: https://blog.scilabs.mx/blog/2019/12/06/campana-cosmic-banker-sigue-activa-y-revela-vinculo-con-banload/ # Reference: https://www.virustotal.com/gui/ip-address/51.79.31.28/relations http://51.79.31.28 comprobantes.sytes.net dgi1b2n3m4.ddns.net /RO3473I4R4Y.php # Reference: https://twitter.com/James_inthe_box/status/1245427754977263617 receitafazenda.webcindario.com /primo/verifique.php # Reference: https://twitter.com/NtSetDefault/status/1253292071877820416 4up4.com/uploads/file_2020-04-13_031927.jpg # Reference: https://twitter.com/Bank_Security/status/1258359587729813504 # Reference: https://seguranca-informatica.pt/brazilian-trojan-banker-is-targeting-portuguese-users-using-browser-overlay/ # Reference: https://www.virustotal.com/gui/file/ed1e2a3767b575cce54e13e05112f30156590cc080a0d0865aaf85686c4e51be/detection 23.108.57.243:3389 http://23.106.124.20/avs/img1/index.php # Reference: https://twitter.com/sevenofnull/status/1275342947068915713 # Reference: https://app.any.run/tasks/141db5f3-0e93-43c3-96e9-ebf0e69bccda/ (# MALWARE [PTsecurity] Trojan-Spy.Win32.Delf(Banload)) # Reference: https://www.virustotal.com/gui/ip-address/104.154.43.185/relations # Reference: https://www.virustotal.com/gui/file/b22f8eaf82e15fe8118617cd7db703486696a82924dbafcbc31d8ce1262fcdb5/detection # Reference: https://www.virustotal.com/gui/file/2f4db2bd529b5705308afd647b26d1a172d34b31d3382da57bac67aa3373a43c/detection # Reference: https://www.virustotal.com/gui/file/507b299b76133f4ee7a30c12e23e45fa6fe9a1990ac87cb39136c25cc015e011/detection 104.154.43.185:60001 # Reference: https://twitter.com/NtSetDefault/status/1282277236423512065 # Reference: https://www.virustotal.com/gui/file/bc0073b75adda338d994361b4ebc1bc964197826ee75cf790948f128785780bc/detection # Reference: https://app.any.run/tasks/637f560b-00da-442c-aef5-6ebc990a0646/ outlook39923.autodesk360.com # Reference: https://twitter.com/NtSetDefault/status/1285909036815323136 # Reference: https://twitter.com/NtSetDefault/status/1285914518095302656 # Reference: https://app.any.run/tasks/599e1eb9-a1c9-4d80-b33d-281cd619cc6c/ correiosbrasilsedex.serveftp.org enviocorreios.serveftp.org sendcorreiosbr.serveftp.org seusedexrapido.serveftp.org m0380933669.s3-us-west-1.amazonaws.com u3028903369.s3-us-west-1.amazonaws.com # Reference: https://twitter.com/NtSetDefault/status/1273040649542131713 emissaocontadigital.eastus.cloudapp.azure.com # Reference: https://twitter.com/sirpedrotavares/status/1305076741107519488 # Reference: https://www.virustotal.com/gui/file/e6cbaf9d2d01467048c758ba5e6ef3b68e624f67ece32dd68ebfeab235ed7ce5/detection # Reference: https://www.virustotal.com/gui/file/cd878cd53b60f3bd950dc84ca731e07b4b49e18aed28f7e5d0bb39e5ab9c4ae7/detection # Reference: https://www.virustotal.com/gui/file/373386e10c2e71329f0e8b4f51bef1fc0c4eb716f459cdf8a93941cff336b89b/detection # Reference: https://www.virustotal.com/gui/file/8e9e5c2e16c8712f9e1ebfd4c295a1afe9373b95580ca73352f32e37d07408b6/detection # Reference: https://www.virustotal.com/gui/file/4227332820fffcae05ae9d12a0e0b20f2291eb7b6bf8982b5301f24caadfbe8e/detection # Reference: https://www.virustotal.com/gui/file/c05e9c1b155559d500ed0a2b3ca4c02d2a679db4191a7b35b9c44c2bdd61210d/detection # Reference: https://www.virustotal.com/gui/file/985485888ef165eba912578cceb76981e9e5841bf928db739afbf472ea09deff/detection # Reference: https://www.virustotal.com/gui/file/23892054f9494f0ee6f4aa8749ab3ee6ac13741a0455e189596edfcdf96416b3/detection # Reference: https://www.virustotal.com/gui/ip-address/191.235.99.13/relations # Reference: https://www.virustotal.com/gui/ip-address/52.91.227.152/relations http://191.235.99.13 http://52.91.227.152 # Reference: https://otx.alienvault.com/pulse/5f75c5efcce31cfc583bafaa 58sky.com wdx.go890.com khelpdesk.com.br go890.com mg.5636.com master.khelpdesk.com.br # Reference: https://www.virustotal.com/gui/ip-address/31.220.59.65/relations # Reference: https://www.virustotal.com/gui/file/3c23a8a65d78c035753bc0a437ed1bcab53f4a981608c10dbf936de28be4f3e3/detection # Reference: https://www.virustotal.com/gui/file/99ba789471d2df7249bddf5741a0d5fa58147af4e3865490a93fcd1ea609c3ec/detection # Reference: https://www.virustotal.com/gui/file/8aff76bef1eaed56b46d983051e8a817a893905c82cda79573316adc823baa54/detection # Reference: https://www.virustotal.com/gui/file/1e6aaee1a283c652812fec6a70f8d1759de53a723af4ea415d3a4fa2ea083166/detection defaqw.duckdns.org fyjftn.duckdns.org hsjkse.duckdns.org jddrtj.duckdns.org lokj.duckdns.org xcgt.duckdns.org xder.duckdns.org xeida.duckdns.org yiydk.duckdns.org zere.duckdns.org zxcw.duckdns.org # Reference: https://www.virustotal.com/gui/domain/novelsim.shacknet.us/relation # Reference: https://www.virustotal.com/gui/file/7ca842d8f2c83eddf6bd393415c4cff54ec7fa5c51f34738bb6aa1114714c6ec/detection novelsim.shacknet.us /troBEROamkr0192013.php # Reference: https://twitter.com/JAMESWT_MHT/status/1329728270326247425 # Reference: https://bazaar.abuse.ch/sample/5c3f5dec5271e020a29643f1e75b7a6b07bb52562ee8426b21e7d76e9a46661b/ # Reference: https://www.virustotal.com/gui/file/5c3f5dec5271e020a29643f1e75b7a6b07bb52562ee8426b21e7d76e9a46661b/detection # Reference: https://analyze.intezer.com/analyses/55ad918a-ba00-497f-a2c5-262c957aa52f/sub/dc9bf2d0-cfce-46e1-8b22-6034f5df3d68 217.8.117.74:8364 # Reference: https://twitter.com/wwp96/status/1337112340001681411 gassmp.podzone.org /Bebroms29129MSKEdrf.php # Reference: https://www.virustotal.com/gui/file/3f15a5000fe56acf94ddaf281bbb634cc14d0d84ffed7b244ac38f97c4b23a0c/detection lojinha-deroupas.com.br /muralavisos.php # Reference: https://www.virustotal.com/gui/file/9d4e819a148f6f3ba4d205cf7f3e383ba5c1e6510e34968c38f192dc0e8b3e07/detection guardasnoturnos.com.br # Reference: https://otx.alienvault.com/pulse/5ffc3ef208af976d9393d1e2 # Reference: https://www.virustotal.com/gui/domain/cp2.sanandresplazza.com/relations # Reference: https://www.virustotal.com/gui/file/87c87de35dcd8832043ead5aee4d937ad57f60eb7b68506bd2d976c52d694f3a/detection # Reference: https://www.virustotal.com/gui/file/cb28fb0cd8281caab59fd57ed18619d9d8c41cfbd01e6e8ed1b35399d2d36d73/detection astylo.net guiama.is /plugins/authentication/ldap/Des_x_.png # Reference: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz # Reference: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/012/156/original/snort3-community-rules.tar.gz # Reference: https://www.virustotal.com/gui/domain/lucas.digitaldesk.biz/relations lucas.digitaldesk.biz prepara.biricell.com.br # Reference: https://www.virustotal.com/gui/file/02131c8c30c6852ea1094661960d8cd697e014c2327582b9bbfc8440100d08ef/detection casting.diamondhostess.hu uslugi-ryazan.ru # Reference: https://www.virustotal.com/gui/file/f8d9e056bfaa7ee2d74c2fcd5411de3868f47c1301e1cf55a0180b774df1d348/detection # Reference: https://www.virustotal.com/gui/file/42575b866129035b28068456fa9d988ff86d5573e86a8138ba63c0b3423f6820/detection mssql.maurosouza9899.kinghost.net # Reference: https://twitter.com/dgarcianet/status/1352235429160955904 web.groupe-convergence.com # Reference: https://www.virustotal.com/gui/file/34e16a68835f05ec748e2928409c3f07bdc5268eae0916cfef8a182e031cf6d1/detection # Reference: https://www.virustotal.com/gui/file/7c019dca867ba21a5d8bb6eabd5750d0f06778fb82ff8866d4900a793d7bcc5c/detection # Reference: https://www.virustotal.com/gui/file/43ea536308e35b15858237ff4b4b565ca70c1434af0b40dc7336c90c5362e99d/detection critichotshot.com # Reference: https://otx.alienvault.com/pulse/6023cbfddb978ba4bf15730b 5636.com 58sky.com go890.com jxwan.com wanyouxi7.com lordstark.dynamic-dns.net # Reference: https://twitter.com/Unit42_Intel/status/1369043270429466634 # Reference: https://github.com/pan-unit42/tweets/blob/master/2021-03-08-IOCs-from-Banload-infection.txt arquivomes03.brazilsouth.cloudapp.azure.com casaprodutosportal.net hirotrindade.webcindario.com shonitrohifi.com # Reference: https://www.virustotal.com/gui/file/8e95a0564b92cc9285ab0f74076c2aa5c666658a3933ceeaa9942d1a3823a7e2/detection nwdnydxxxeo.hosthampster.com # Reference: https://www.virustotal.com/gui/file/a9045a3692c91964dcb62966c7d44f6c00344bf11b5784374b7b64eef9c3ed31/detection br12jh87te87lkre63a.servepics.com /hhrytn35/lw1.php # Reference: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html (# Win.Downloader.Banload-9861199-0) brasilcargas.space cabanadosol.net # Reference: https://www.virustotal.com/gui/file/d51886e1555a1a94472f639a4cc9d670993011eafa7be4a3ea93219cd2a7b975/detection http://74.125.230.247 http://98.137.201.117 deliverycards.sytes.net rdsbox.no-ip.info # Reference: https://www.virustotal.com/gui/file/e62d5c2402f3455766839f357ae4a4c9ff48cb82451e7a06329fe7186dc9fbcc/detection 41.100.82.137:1891 salah-dz.no-ip.biz # Reference: https://www.virustotal.com/gui/file/48739c53c560536f074d4b4ad5e98e6be128ea137ecf6658d31fb4dbe98a1038/detection http://3.96.187.180 /zebudega/5CG46H2J8740503TR.php /5CG46H2J8740503TR.php # Reference: https://www.virustotal.com/gui/domain/universal101.com/relations universal101.com # Reference: https://www.virustotal.com/gui/file/5a0d1b0431f975ee227c77a951711e749095cf872b2761c3370e3cdb7726d003/detection raimundex.no-ip.biz raimundex.no-ip.biz.ovh.net # Reference: https://www.virustotal.com/gui/file/07eb52e969a2bfb9181e132b235e161516264934edd24a197d7f09505a24c4e0/detection 187.113.20.62:11891 klinspect3.no-ip.info # Reference: https://www.virustotal.com/gui/file/455f4167f9f057c160956e9e1a27e662dfc5abd820cfe1be99c7728403af67b4/detection ret.space # Reference: https://www.virustotal.com/gui/file/ec124a8ed148e2f6943dffc8cc2b072ae2ef887aa2ce87de5c93e4006bc9a846/detection 172.105.155.183:7777 getmalware.com # Reference: https://www.virustotal.com/gui/file/85ee41bba3c7946de4d8b807a6aa07019fa27bdd7d923906773135f541c893b9/detection myserverok.myftp.org # Reference: https://www.virustotal.com/gui/domain/upsvcm.myftp.org/detection upsvcm.myftp.org # Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/banking-trojan-latam-brazil # Reference: https://otx.alienvault.com/pulse/617bc3fe39fce40899c10840 http://13.36.240.208 http://15.237.27.77 http://15.237.60.133 http://52.47.163.237 centralcfconsulta.net centreldaconsulta.com /ando998.002 /carindodone.ways /esperanca.lig2 /esperanca.liga /microsft.crts /msftq.doge /nanananao.uooo # Reference: https://twitter.com/r3dbU7z/status/1456797053317701633 # Reference: https://twitter.com/r3dbU7z/status/1489192209119387649 # Reference: https://twitter.com/r3dbU7z/status/1489548681154076676 # Reference: https://www.virustotal.com/gui/file/d97e54139ae34a8aeefff4d5ac760caa5b8cbb1a91af6fa5d725a0cfba6dfeb0/detection 147.182.207.189:8000 googlyconnect.tk googlyconnect.xyz ngetconnect.tk tatamagicexpress.tk # Reference: https://twitter.com/ffforward/status/1490419292202012677 lamboarrived.com lamboarrivesssd.com # Reference: https://www.virustotal.com/gui/file/e46f8a434d8935182491ccb8cd4d17e120458af5821b12613931ee3bb826c706/detection scan-x9.gleeze.com # Reference: https://twitter.com/abuse_ch/status/1491102298642157569 http://18.222.122.216 # Reference: https://twitter.com/JAMESWT_MHT/status/1511574103316221952 # Reference: https://twitter.com/1ZRR4H/status/1511588774618169350 # Reference: https://twitter.com/pr0xylife/status/1511753527827353606 filtrosefioseletricosd.eastus.cloudapp.azure.com pdf-nfe82234018756.australiaeast.cloudapp.azure.com toystorehuewjir2341234.norwayeast.cloudapp.azure.com # Reference: https://twitter.com/malwrhunterteam/status/1512501726410166280 # Reference: https://www.virustotal.com/gui/file/c07afe27b4f94dbeb6a21e23deb331a3ede658975471c689226162fda28325e0/detection bussines.click # Reference: http://blog.talosintelligence.com/2022/04/threat-roundup-0408-0415.html (# Win.Downloader.Banload-9943209-0) # Reference: https://www.virustotal.com/gui/file/6e88c0fc568192968be1ea2c0242bce09141b8b151b469a9d378b66c32909207/detection # Reference: https://www.virustotal.com/gui/file/f4dc20793b32c7fe417de28cbe15e158f6e71e984dae1aaca9fd0d6db91b3bbb/detection # Reference: https://www.virustotal.com/gui/file/ab52085f0cb9a9466f526defcc6535793ea415eea35c9bd89afdd2250f61f4da/detection # Reference: https://www.virustotal.com/gui/file/197218e9d34b526633f525d0b4287cb2a7822b5eca468706861e9305975001f2/detection # Reference: https://www.virustotal.com/gui/file/357e7e3938085403df07804b7df5bfb204383383e471dcc8fadc621e0827fae6/detection acreunagoias.com.br arquivos2011.net bamcodedados.com bancodados.com ceyfad.com divixonde.com.br encontragoiania.com.br # Reference: https://twitter.com/b3ard3dav3ng3r/status/1522554429836509185 http://135.148.155.27 # Reference: https://www.virustotal.com/gui/file/157650a417bac6874b180b9e1603ce39347940c605ec3229d99771992c394ea5/detection # Reference: https://www.virustotal.com/gui/file/ef8457a60771b1eefdbd53cf09b30b546d96736748db2e3e325b26993abe1afe/detection 193.124.22.17:23520 # Reference: https://www.virustotal.com/gui/file/c192c4a8647935e35a756e0e9cb71a2b4536f927bee108ec1580e6d31fcca785/detection http://193.124.22.17 # Reference: https://twitter.com/James_inthe_box/status/1562089001124708354 # Reference: https://twitter.com/Computeus7/status/1562108381187522561 # Reference: https://app.any.run/tasks/10bd0f91-2556-4574-8acb-bdf67441a276/ 51.161.108.106:44233 # Reference: https://www.virustotal.com/gui/file/c94d2ab86cd34531f591a849b3b4a7349e9c57ab7eb53dd58f4aa9a69e1eff0e/detection lordgunz.com.br # Reference: https://twitter.com/Merlax_/status/1614742984943181824 # Reference: https://www.virustotal.com/gui/file/2f04292fac6ce3a8ab250dc256894f037e302f82912f365d93f915cb184ed3f7/detection # Reference: https://www.virustotal.com/gui/file/4b9fc4775b932ff14eab52b990e61e7a2277b4d53c6cf3ac38902ceec8e55101/detection # Reference: https://www.virustotal.com/gui/file/56f827c9a7df7f2ad1666ff803f79a99bc2005591a7095b1d36f65c2e2c46ecd/detection # Reference: https://www.virustotal.com/gui/file/414acda5515a33333d51720b26fd80f51d15840294502fe253320c0aa49cbd8b/detection http://194.180.191.50 http://51.77.193.20 comiteradvogadosbr.com adsshfitletgowchatwi.ukwest.cloudapp.azure.com aniversarioagostovw.servesarcasm.com hown1301.s3.us-east-2.amazonaws.com imobiliariapacheco.ciscofreak.com modonlineservletgowads.southafricanorth.cloudapp.azure.com # Reference: https://twitter.com/Merlax_/status/1617673017181736960 http://20.226.125.180 joliedocescapnhalida.com hownter2301.blob.core.windows.net /brumnx2301fff/ /KKKK/nmhjhghhhjh.php /nmhjhghhhjh.php # Reference: https://www.virustotal.com/gui/file/9c1732d555a02453ad01c3a2555980d2722a2e49a5c58385ca91efc3af54a526/detection 4.235.112.145:30000 # Reference: https://www.virustotal.com/gui/file/863dbdb4a47448c7ed262700f0e5f7dbae552c196ffdd906a6407717789b3873/detection 162.33.178.82:4411 # Reference: https://twitter.com/0xToxin/status/1655558045810688001 # Reference: https://twitter.com/0xToxin/status/1655568340520148992 # Reference: https://app.validin.com/axon?type=ip&limit=100&find=161.35.75.27 # Reference: https://www.virustotal.com/gui/ip-address/161.35.75.27/relations # Reference: https://tria.ge/230508-p2pavacd8v/behavioral2 # Reference: https://www.virustotal.com/gui/file/009744efc6add254a302d5f13316dbc3e949210a50ad284e8f74f9a83436b494/detection # Reference: https://www.virustotal.com/gui/file/8dd25b5662494e16c5a0926aa0439a249fe99eda604f86e2f523bb7404ccd476/detection # Reference: https://www.virustotal.com/gui/file/76cc21b1dfe2b839f5bba0e90a2c3cb9ce3d29f9b5e70c50d04f69bf9c21f1e1/detection # Reference: https://www.virustotal.com/gui/file/3c758a47e63a69f826091543c4b3ebe8198f4928f769cdf571b3b3ffdf9cea9b/detection 194.15.216.218:11940 alemaoautopecas.com arquivosclientes.online atendimento-arquivos.com contatosclientes.services fantasiacinematica.online cartolabrasil.com # Reference: https://twitter.com/JAMESWT_MHT/status/1686693663600959488 # Reference: https://www.virustotal.com/gui/ip-address/38.60.216.75/relations # Reference: https://app.any.run/tasks/e493067a-3c2b-480e-9d4d-fe7dee17b16e/ # Reference: https://www.virustotal.com/gui/file/eb7422a5e1d44906531dc6e5357468200c57eeb616bb288acd9b9e4d526b5c49/detection espinafrehome.com # Reference: https://twitter.com/ThreatBookLabs/status/1688184398653382656 # Reference: https://www.virustotal.com/gui/file/59fc50d5d9400a0402cd5510d7a0158d20d1cf9a566e8c65b4045a46ef257839/detection kingalem.no-ip.org # Reference: https://www.virustotal.com/gui/file/bee71f38e39043227cd2454d3fbc1a9f260248c92c797ef404ca90669a2e24f2/detection novossim.com cc23c237.thaieasydns.com mastercash237237.servehttp.com mastercash237238.servehttp.com mastercash237239.servehttp.com nostra23770.thaieasydns.com # Reference: https://threatfox.abuse.ch/browse/malware/jar.banload/ bagnovo.duckdns.org felfacturas.serveexchange.com pancinhabrasil.duckdns.org # Reference: https://www.virustotal.com/gui/ip-address/4.228.57.28/relations # Reference: https://www.virustotal.com/gui/file/102d058393d47801d714fa7af1d7a68280984f325f2af731dfaa80d3757d1ba6/detection # Reference: https://www.virustotal.com/gui/file/96eee4f2533216ed17187439a80704beb001458772a51253a00c385605f7caed/detection contabilidade3irmaos.com marmitariasaobernado.com # Reference: https://www.virustotal.com/gui/file/1608dc13532992176305dd7ee7e5574d1750edd20bd7481b145566d2771fdef4/detection 27.124.36.23:12345 27.124.36.23:8080 jnybf.gotdns.com xdks.selfip.com # Reference: https://www.virustotal.com/gui/file/e83d77bc8516a2b79979e15193f29293f81ddede663babdffadda31b6816c378/detection carcarah.game-server.cc # Reference: https://www.virustotal.com/gui/file/d2359d42fb8b0b4dcd4ad2fba4239440600b31b2fcf1e9c70997024e808fd2d5/detection avisos-kalitop.duckdns.org /bnmyj35/lw1.php # Reference: https://www.virustotal.com/gui/file/61e2b01ecd0591e16907a64e0064bb25305cf2714898af952767500d77373920/detection servidoressmtps.sytes.net # Reference: https://twitter.com/JAMESWT_MHT/status/1729109795905413587 # Reference: https://www.virustotal.com/gui/file/cefcb2def056527eb0f8c63019b0fb1f080cb430fabc345cd5784c7d71439fe2/detection jf27z.app.goo.gl # Reference: https://www.virustotal.com/gui/file/0269114cddff224ac896111843a7a4c7d61696933ce1d8b9d0940e46c43511b4/detection thekiwi.club petitbrun1.websiteseguro.com # Reference: https://threatfox.abuse.ch/ioc/1211203/ arenterprese2023.is-a-caterer.com # Reference: https://www.virustotal.com/gui/file/11f7dd1f31a21800737152a2146f25f4f19ebe1399351dc8f93da0960ab59c01/detection srv434307.hstgr.cloud # Reference: https://twitter.com/naumovax/status/1783157180482330859 # Reference: https://www.virustotal.com/gui/file/21ea08b654bff294ac1266fdac15711e1436f66a29053117b4128e48226f247f/detection # Reference: https://www.virustotal.com/gui/file/25517d74909089984bc23d6ed441fad051fa75919efe31a59e28c0adef7a65f0/detection http://67.23.231.76 /bbs/.dc/infecteds.php /bbs/.dc/infecteds.php?&vit= /bbs/.dc/phpiespana.php /bbs/.dc/phpiespana.php?&vit= # Reference: https://twitter.com/banthisguy9349/status/1783064442210513213 # Reference: https://www.virustotal.com/gui/file/bafd74790fa95d49afac2710dd231ec413dfd0078b57efd75e20704e28a36fe8/detection # Reference: https://www.virustotal.com/gui/file/9baba9e4c8cbdc25b71ed0ab4ea7586c6bc3f0639b6a96c828a52a5dafe16c9a/detection # Reference: https://www.virustotal.com/gui/file/06a9de0b7a1ce8a57375a10ea12f030a618e5f56d695f7e582c6ff79e7554757/detection 45.88.90.32:5000 45.88.90.68:5000 dsahgduoi.ddns.net # Reference: https://twitter.com/naumovax/status/1783461745954013309 # Reference: https://www.virustotal.com/gui/file/f1dfdb145e5eaa6dbdc6e5b15ef04832476f5602aab19262e28552e11dcd6e7d/detection # Reference: https://www.virustotal.com/gui/file/d97e3271b25dacc5bba07b56524fb72586efdd34e09732331efed207ac98fb4e/detection # Reference: https://www.virustotal.com/gui/file/ba75a09cb2c7a3bdce016eef3ff72d4a8035842716ddc1b1b73fa18b08ad9804/detection ormskirkhistoricalsociety.co.uk/site/content/users/themes/index1.php # Reference: https://www.virustotal.com/gui/file/d394f24125e3d4bb8efc5a09be3b43cbe7c48519a641b998d91b34dd6f0a0386/detection tsil.xyz # Reference: https://x.com/malwrhunterteam/status/1818749021902848418 # Reference: https://www.virustotal.com/gui/file/a52c992d733d2d1b7b6cead217dd75121a3b25ec4c97747eeef9e0647b33ffde/detection # Reference: https://www.virustotal.com/gui/file/6a03346444779ce622dfff7c6797f325a196777d8df8c40c667e7dce6ad2c12a/detection http://91.92.248.168 # Reference: https://x.com/1ZRR4H/status/1828314898683646309 # Reference: https://www.virustotal.com/gui/file/ae920c4b5dffeee77b84412ecf076d8f536770a71a4f71e29caff6182b6729ec/detection # Reference: https://www.virustotal.com/gui/file/968fb68f27657aff6230a96641d1761dcc77d8d5f593f716e406ac7638a41f24/detection http://157.245.91.85 http://170.238.45.64 http://184.168.31.104 http://68.178.202.77 http://85.198.108.68 104.31.168.184.host.secureserver.net 77.202.178.68.host.secureserver.net fsistviewer.online starlinkmini-planos.online learn.kungfu-taichi.ca cpanel.learn.kungfu-taichi.ca mail.learn.kungfu-taichi.ca webdisk.learn.kungfu-taichi.ca # Reference: https://x.com/johnk3r/status/1828539602849685966 # Reference: https://search.censys.io/hosts/191.101.131.244 # Reference: https://www.virustotal.com/gui/file/4d9fd02f8a969b2b3a3ecccb5569a5948ebc0e09ba588c09079f26f7477ca7a7/detection # Reference: https://www.virustotal.com/gui/file/a98e3725e67617856e80da1d29ce39d491f0f56f7f832b949825749d02b8225e/detection # Reference: https://www.virustotal.com/gui/file/8a076222fcbe733eb3e729f12117a23a3062642f47e9bde0aca1712e1996e568/detection http://191.101.131.244 191.101.131.244:443 191.101.131.244:445 191.101.131.244:47001 191.101.131.244:5395 # Reference: https://x.com/johnk3r/status/1836466799518384279 # Reference: https://search.censys.io/hosts/4.228.227.50 4.228.227.50:3389 4.228.227.50:4194 # Reference: https://x.com/johnk3r/status/1842388967322251455 # Reference: https://x.com/johnk3r/status/1842390498641690735 # Reference: https://www.virustotal.com/gui/file/4ecd197919beb808c5e60247dae7bdaabfdab659dce65af626e41bf729ff032a/detection circulomaximo.com nvidrive.com # Reference: https://app.validin.com/detail?find=Nota%20Fiscal&type=raw&ref_id=5663d651f5d#tab=host_pairs ment-notafiscal.online notasfiscaisbr.online ofertagridz.store pay.ment-notafiscal.online # Reference: https://x.com/johnk3r/status/1907837072750063687 # Reference: https://x.com/johnk3r/status/1907837075451433005 # Reference: https://x.com/johnk3r/status/1907925793336078675 # Reference: https://www.virustotal.com/gui/file/51ed2115debb9d3ae34bbc2660bbc8c7930482ccc378a06175b24d3fba7af874/detection # Reference: https://www.virustotal.com/gui/file/89be5190f71185821d657f9df2c1112f61099ad23c8c668bb4d03ccfbed28430/detection # Reference: https://www.virustotal.com/gui/file/508a4646dbf7deaa99eee8db6b21e36c14c1570f627b31a264e8fa84e7db063b/detection http://18.231.162.77 accioretmoi.fr adlabs.live agenciametadesign.com apixlogistica.it arkutec.cl artamnet.ir atlas-dental.kz avr.pl avvakumovanata.com aydintepeheritage.com aznar.ir bestbikeshopsinamerica.com cashellkitchensandbaths.com cercledesoie.fr chefderarmee.ch clientepj.com clinicadentalargarate.com connectingdisorders.org damadesign.co danke2.com dinosvault.com ekoclima.cl eurotrain71.ru explosionwebs.com foraj-piloti.ro futebolmilionario.com gemherald.com global4web.com grahamtrott.com helpvenezuelanow.com htmedia.net imen44.com itmind.lk jknewsnation.com koalahouse.com.vn koalahouse.edu.vn lescoeurssains.fr macskavar.hu malhasvitoria.com.br mmcsitalia.com mykorsaa.online newcovenantoffaithchurch.org nicholasmarley.com notalone.online nuk.vn olivierweiter.eu plaridge.com playstacja.pl pousadacasabonita.com.br proexcorp.com ranchocentral.com rdonkk.com.ua rerum.lt rnpapeles.com rnpapeles.site samerelsharkawy.net savannaplaza.com sellodeempresa.com sellodeempresa.es sepidehbakht.com sharlot.com.co sika-dealer.ru smartworkafrica.com staffsound.com.mx treomay.vn usmiku.cz vchot.ru villasol.pl vinucuoitretho.org wiusbso.com zumangn.com almeida.clientepj.com clien.ranchocentral.com enota.clientepj.com /almeida/contador.php # Reference: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/operation-phantom-enigma atual2025.com computadorpj.com financial-executive.com nf-eletronica.org nfe-fiscal.com relay.lombrelone.com servidor2025.com syarousi-search.com webrelayapi.online # Reference: https://x.com/JAMESWT_WT/status/1910556202045411823 vmi2471669.contaboserver.net pt-app.link emitirnf.pt-app.link notasfiscais.pt-app.link # Reference: https://x.com/malwrhunterteam/status/1912398777341583423 # Reference: https://app.validin.com/detail?find=avisos-sat.com.mx&type=raw&ref_id=377814eea86#tab=host_pairs (# 2025-04-17) # Reference: https://app.validin.com/detail?find=5d1a275870f739288cee8cef951b54df074a83aa&type=hash&ref_id=377814eea86#tab=host_pairs (# 2025-04-17) # Reference: https://www.virustotal.com/gui/file/78f081bc44c2fc5e4bf90a316332368ccbcc91985c1e79b48f50cf351c358f1a/detection # Reference: https://www.virustotal.com/gui/file/b1cad3b4ac48ee249fbfbcef539387bf452c1a065002b916b930cef527288040/detection http://46.101.106.166 elquecreeenmiviviraporsiempre.xyz servw092msm2.com servw092msm2.online servw092msm2.xyz diosesmipastorynadamefaltara.elquecreeenmiviviraporsiempre.xyz windows-update-microsoft.mx-acceso9l73i1.com /ufidwowifbgreowdnweirfjoibfgeiosndwiefmoshifg/contar.php /ufidwowifbgreowdnweirfjoibfgeiosndwiefmoshifg/ # Reference: https://x.com/ShadowOpCode/status/1960708643344576873 # Reference: https://www.virustotal.com/gui/ip-address/209.159.144.13/relations # Reference: https://www.virustotal.com/gui/file/07edfb9644cad117abc6f44b4c23b80ae70ff549482df56fe4682a62e32a828f/detection 181.214.48.127:443 209.159.144.13:3020 casabahia.servicos.ws ducksmicro.servicos.ws ne12bradesconet.servicos.ws # Reference: https://x.com/smica83/status/1967150448084988368 # Reference: https://www.virustotal.com/gui/file/250211575c54473201b735e38d410ad8ce4a38492d565f14ed993bd5e12711ae/detection # Reference: https://www.virustotal.com/gui/file/4c76c0a3a00690785fce0189cd7c6f92b93c49a4790f140a1d4aa7e1bb8005cc/detection # Reference: https://www.virustotal.com/gui/file/8931fc2ae9a8a215471d841242717809fbb0132dba4b13b0dabcca13fafb4156/detection # Reference: https://www.virustotal.com/gui/file/894c2045934fa8df2dca86772746522469b9706bfdb8c35ae47aa3e7c44a1d8d/detection baa4ts.is-a-good.dev # Reference: https://x.com/smica83/status/1970599463648743501 # Reference: https://tria.ge/250923-z4lylswwew/behavioral1 bebidasbrener.icu crifer.bebidasbrener.icu tridiz.bebidasbrener.icu # Reference: https://x.com/smica83/status/1973484424563138704 # Reference: https://www.virustotal.com/gui/file/2ee8446db11ef44dee1093b90f8020f9b3a5eda3c4b42fe26575c7584d26939e/detection # Reference: https://www.virustotal.com/gui/file/71a061e6be9d52d004f18dbeebdacf64a04596b4bfdd33bad1a08b2a8dd263bf/detection # Reference: https://www.virustotal.com/gui/file/900e9a21413f74241e67fd9d0d6538992bfb7ad08e1d8c6ab326b9f0f8c4edd3/detection # Reference: https://www.virustotal.com/gui/file/e388cabfef2ca40bb97f17810f478a16f2ff4e464bffe00b4b0691bf35c68f7a/detection # Reference: https://www.virustotal.com/gui/file/f7cf519e446015dc443fdc27a844404aaf9b619fab5e04c6db80c5fb51cd28d5/detection bebidasbrener.homes vazinbanmol28.bebidasbrener.homes # Reference: https://x.com/smica83/status/1987534242155262045 # Reference: https://tria.ge/251109-r7rdhafj41/behavioral1 # CLASS_0_HASH-HOST=dad34ce3ec1e73876567b517bd797b72 aondechega.com blackmeli.com datasyncpanel.online lalelilolu.org novoservidor2026.com painelcomputadorespj.com purge.dev rrpapers.cc securepainelx.com sistemacloudx.com systemcloud26.com test25q0307.sbs traanalysisviev.com transgressao.erpfat.shop pastas-2ey.pages.dev /painelgpt/api.php # Reference: https://x.com/suyog41/status/1988136389641465906 # Reference: https://www.virustotal.com/gui/file/c35a2cb983fc33f11d3dc48d81220ac9da5d6ec92910ad9cbd47c2bf8cecbeab/detection http://181.224.24.23 http://181.224.24.66 /kit-btc-663546/dyVVFLFqC3ouqzNlxf6Q1e2jA0D8G0LA64sE87WO/instalador.php /dyVVFLFqC3ouqzNlxf6Q1e2jA0D8G0LA64sE87WO/instalador.php /kit-btc-663546/dyVVFLFqC3ouqzNlxf6Q1e2jA0D8G0LA64sE87WO/ /kit-btc-663546/ /dyVVFLFqC3ouqzNlxf6Q1e2jA0D8G0LA64sE87WO/ # Reference: https://x.com/tial_cl/status/1993513185270182148 # Reference: https://app.any.run/tasks/8edec8c5-9075-4d9c-a24d-291ced9df70f # Reference: https://www.virustotal.com/gui/file/d0b20e1a15e3061f2068d7c356e5e8a4e469cee53135015fa7d41f845a94b0f3/detection http://45.12.131.32 panelfactura.online # Reference: https://x.com/johnk3r/status/2015825592650789258 # Reference: https://www.virustotal.com/gui/file/1a10e9cc3c8f6e3c6dd8f8220c9bbd3183b71cd59a8e3736073a3128fe97cc88/detection # BANNER_0_HASH-HOST=235c7fe58b334a348e777ab7c7ee99e4 # BANNER_0_HASH-HOST=7062e085daffd708b6ec8a4a06d42698 # BANNER_0_HASH-HOST=ec7187da872c4298ecbabf4f515c4909 36f2b6s.020cyzs.com admescritorios.lat admtecnotes.space aides-edf.com api.compy.pe api.intellix.cc api.n2xtapp.com api.xoxlabs.io atualpalacems.net bitcontractbiz.sbs brscomunicacao.net castcomunicacao.net cdn.plllaymax.site cordiantbiz.pics ctmnacional.digital dcmnotaveis.net dcnativos.com dgtaldownloads.com dinamostecsp.com dtmempretec.com entretecspm.com fgtescritorios.lat gsio.strik.io gsnacional.com heshengpay.mom intellix.cc lmaishenjianpay.mom masptecrm.online msnacionaltps.org ntscomunicacao.net ortografiasn.com paytollmoza.vip paytollutjg.vip paytollybqj.vip plllaymax.site pornvop.com previewhub.codista.dev pytguard.com smartswap.cfd talegrern-h.com tgtescritorios.lat ucspos.buzz uvspes.buzz wjk-telegram-u.org # Reference: https://x.com/JAMESWT_WT/status/2020097037572677789 # Reference: https://www.virustotal.com/gui/file/78c98b16430e6c0c56041ed4df99954542491f3ec83bdb33ace350993b0f5cb7/detection 75.119.139.244:3511 vmi3049912.contaboserver.net # Generic /ezemeneotewdoiazbi.djx /ezemeneroaelenozi.djx