# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/
# Reference: https://otx.alienvault.com/pulse/5d95e1d8a958c288f7e3d6ed

4d9p5678.myvnc.com
agosto2019.servepics.com
hostsize.sytes.net
noturnis.zapto.org
seradessavez.ddns.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1245383637442482178

newlife2020.club
vqz8.gotdns.ch

# Reference: https://twitter.com/JAMESWT_MHT/status/1245399620945092609

jkue.myftp.biz

# Reference: https://twitter.com/JAMESWT_MHT/status/1268811438707159040

nhoquemassa.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1272427444486766592
# Reference: https://app.any.run/tasks/7ac99b76-0ac3-4764-bfa3-e35925ecb39b/

albumdepremios.com.br
hostmeusite.ddns.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1277476249988972544
# Reference: https://app.any.run/tasks/00594f1b-f778-49ea-bfc5-2a0853a41347/

apkelites10.com
baza.alta-bars.ru

# Reference: https://twitter.com/ffforward/status/1329507229066801153
# Reference: https://www.virustotal.com/gui/ip-address/128.199.139.227/relations
# Reference: https://pastebin.com/gNgD4PS2

09dfwss6g1v73sya.online
2xo0uaqv4cqds331mart.online
3n1ujw621vaxpro.online
4atcj6ygql4l.online
4yw2twoy438df9qt.online
6c48ax07dy25hvu0hub.online
ah0nm2v13mhl8ynn.online
cevda3jvv5oz1t37.online
fd8nvvlufung.website
k6ue95v1ca2r.online
l155vcram2hl6ws0.online
mpy8n37wvwu2.website
mpy8n37wvwu2now.online
p77x09sqwx37j1l2.online
udndtiho0q7r.online
v6pa59086808a28mpro.online
x50zbqev4po5.online
x6vl9710f400g7alstar.online
yuphsa6qwtg5.online
z5im1ou9o480se02pro.online
zfi8ny6yi30s.website
zfi8ny6yi30shub.online

# Reference: https://www.virustotal.com/gui/file/be1ff9ea0cd1d99838eedabc9d4faba081d1fbf9c7c94d2575b70c64ba2298ed/detection

chooseanother.com

# Reference: https://twitter.com/ESETresearch/status/1367456126195924993
# Reference: https://twitter.com/ESETresearch/status/1367456135389851648

http://178.32.119.184/upa/2302
http://46.4.141.206a21/ld/index.php
a8b.site
cnn2602.gotdns.ch
fiscal.canadaeast.cloudapp.azure.com

# Reference: https://twitter.com/ffforward/status/1485619226023018498

hunntjadhfgempresafactura.com
solitudeempresasfactura.com
tyjghhasdempresasfactura.com

# Reference: https://twitter.com/ffforward/status/1486067904814764036
# Reference: https://www.virustotal.com/gui/ip-address/77.243.85.107/relations

down425.xyz
down5861.serveblog.net
62rdsfvcxza.freedynamicdns.net

# Reference: https://twitter.com/1ZRR4H/status/1486075893596491785

mgjw.zapto.org

# Reference: https://twitter.com/pr0xylife/status/1486082528578576386
# Reference: https://www.virustotal.com/gui/ip-address/149.248.50.230/relations
# Reference: https://www.virustotal.com/gui/file/84da58457b87687c8247d862ca1c0c709a29e5e2856af27e52e433931fc1d0d5/detection
# Reference: https://www.virustotal.com/gui/file/ee1869a4c8346e495891f8234258e1112363538bd84b102f5e57df6902488293/detection

contmxlk.gotdns.ch
contmx1.website
contxm3.ddnsking.com

# Reference: https://twitter.com/StopMalvertisin/status/1491336673518813184

/Contador/serv.php

# Reference: https://twitter.com/malware_traffic/status/1491514321309822978

158.69.110.217:42112
fischerpersianas.duckdns.org
obarrielsoluctionssx.com
/DocBr20?VF9C32I0402/4L84VA5UEVELFX0Q76L9S1K8J9/
/DocBr20?VF9C32I0402/
/4L84VA5UEVELFX0Q76L9S1K8J9/

# Reference: https://twitter.com/1ZRR4H/status/1525175056283877379

http://172.105.111.154
/a1a/10/index.php

# Reference: https://www.virustotal.com/gui/file/a41185db4d4c0accc3339f07a63965f0cbd7920fd38564f0c78944def57abfb6/detection

mercadoenvios1.loseyourip.com

# Reference: https://twitter.com/AvastThreatLabs/status/1560562872932978689

http://172.105.111.154
http://192.46.216.151
tributaria.website
vin6.icu

# Reference: https://twitter.com/pollo290987/status/1571897876988719106
# Reference: https://twitter.com/johnk3r/status/1572626297339224064
# Reference: https://www.virustotal.com/gui/file/e35bc9f085d3c7ec459e11452913b20fb44bf32ecd9b5e6dd3e12598d127dae9/detection

http://40.124.25.196
/cliente/vamoqvamo.php
/vamospracima/seligamano.php
/vamospracima/vamoqvamo.php
/vamoqvamo.php

# Reference: https://twitter.com/nuria_imeq/status/1583106258202394625

recibopagosmx2022.blob.core.windows.net

# Reference: https://twitter.com/pollo290987/status/1653112689189609482

http://185.185.87.45
http://51.38.235.152
http://89.117.37.61
amarte.store
fnfactura.cfd

# Reference: https://github.com/Cisco-Talos/IOCs/blob/main/2023/05/new-horabot-targets-americas.txt

http://137.220.53.87
http://139.177.193.74
http://185.45.195.226
http://191.101.2.101
http://212.46.38.43
http://216.238.70.224
facturacionmarzo.cloud
wiqp.xyz

# Reference: https://blog.sygnia.co/breaking-down-casbaneiro-infection-chain-part2
# Reference: https://www.virustotal.com/gui/ip-address/45.32.90.70/relations

http://185.183.98.135
http://216.238.82.27
http://45.32.90.70
adjuntos.shop
cgdf.shop
contactofiscal.cfd
factdigital.shop
factudigital.cfd
fiscalcgdf.shop
serviciofac.shop
xtream-ui.info
live.xtream-ui.info

# Reference: https://twitter.com/0xToxin/status/1694756006889206044

agost.shop

# Reference: https://twitter.com/Merlax_/status/1708941045122187358
# Reference: https://www.virustotal.com/gui/file/50d0aa6d8cdc2d80ec611cacb8fc5c4bfe344f55b2c039b7b3faff8d2244238f/detection

http://20.92.164.32
serviciosfiscales.australiaeast.cloudapp.azure.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1717052375511265692
# Reference: https://urlhaus.abuse.ch/browse/tag/TelegramLogin/
# Reference: https://app.any.run/tasks/577f79cb-2fe6-401b-ad03-8397b7d0b82d/

http://154.223.16.114
http://62.72.22.30

# Reference: https://twitter.com/V3n0mStrike/status/1719041666080755838

oliga.canadacentral.cloudapp.azure.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1719337821490597905
# Reference: https://app.any.run/tasks/f14e52db-90c9-4ea9-837b-7a3103065e0b/
http://154.56.63.216

# Reference: https://twitter.com/1ZRR4H/status/1727857791245627765
# Reference: https://www.virustotal.com/gui/ip-address/154.223.16.114/relations
# Reference: https://www.virustotal.com/gui/file/e278639e9d55ec17c5758a09fbceefd522c8bbcbef62eccfccc888786c66cddd/detection
# Reference: https://www.virustotal.com/gui/file/cc3f1dff7aaa5a79a7ca130d74cf0337fb5bd666aced2c2f3f65ccf231af800d/detection

http://149.100.158.179
http://193.203.190.217
http://38.54.20.180
ambjulio.com
facturacionmovistar.tech
familysinaloa.website
appsinteligentes.myftp.org
dftssa.3utilities.com
frances.gotdns.ch
org.freedynamicdns.net

# Reference: https://twitter.com/1ZRR4H/status/1769360501341851814
# Reference: https://www.virustotal.com/gui/ip-address/38.54.20.37/relations
# Reference: https://www.virustotal.com/gui/ip-address/86.38.217.167/relations
# Reference: https://www.virustotal.com/gui/ip-address/89.116.236.122/relations
# Reference: https://www.virustotal.com/gui/file/148ab112b116cb5d7fc484a4626ebd8958b7528ff87ca4d568ddd080f1e94a10/detection
# Reference: https://www.virustotal.com/gui/file/0ea385ed685886ac4304f498bf6235e690f68c9e30e99f0f437a1e610e4abd17/detection
# Reference: https://www.virustotal.com/gui/file/d1ed933bf75f604cebc4a9523689766e50102cdb53f447d83869155c3b020506/detection

http://38.54.20.37
http://86.38.217.167
http://89.117.37.61
adbd.tech
amarte.store
archivosdwn.cloud
facturas.co.in
facturasm.cloud
facturasmex.cloud
fsnat.shop
satventasfac.tech
a.3utilities.com
ad2.gotdns.ch
avs.myftp.biz
ca1.sytes.net
cnv.gotdns.ch
cs2.servepics.com
dsu.zapto.org
ffv.webhop.me
jan.viewdns.net
tths.ddns.net

# Generic

/J8v0x5a3a6v4x0BTCsc/