# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: carbanak, jssloader, odinaff, wemosis

# Reference: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

bigred-tours.com
clients12-google.com
clients2-google.com
p3-marketing.com
cdn-googleapi.com
cdn-googleservice.com
acity-lawfirm.com
algew.me
aloqd.pw
amhs.club
anselbakery.com
apvo.club
arctic-west.com
auyk.club
b-bconsult.com
bcleaningservice.com
bigrussianbss.com
bipismol.com
bipovnerlvd.com
blopsadmvdrl.com
blopsdmvdrl.com
bnrnboerxce.com
bpee.pw
bureauofinspections.com
bvyv.club
bwuk.club
bwwrvada.com
cgqy.us
chatterbuzz-media.com
chenstravelconsulting.com
cihr.site
citizentravel.biz
cjsanandreas.com
ckwl.pw
cloo.com
cnkmoh.pw
cnlu.net
cnmah.pw
coec.club
coffee-joy-usa.com
cspg.pw
ctxdns.org
ctxdns.pw
cuuo.us
daskd.me
dbxa.pw
ddmd.pw
deliciouswingsny.com
dlex.pw
dlox.pw
dnstxt.net
dnstxt.org
doof.pw
dosdkd.mo
dpoo.pw
dsud.com
dtxf.pw
duglas-manufacturing.com
dvso.pw
dyiud.com
eady.club
enuv.club
eter.pw
extmachine.biz
facs.pw
fbjz.pw
fhyi.club
firsthotelgroup.com
firstprolvdrec.com
fkij.net
flowerprosv.com
fredbanan.com
futh.pw
gcan.site
ge-stion.com
gjcu.pw
gjuc.pw
glavpojdfde.com
gnoa.pw
gnsn.us
goldman-travel.com
goproders.com
gprw.site
grand-mars.ru
grij.us
gsdg.site
guopksl.com
gxhp.top
hijrnataj.com
hilertonv.com
hilopser.com
hippsjnv.com
hldu.site
hoplessinple.com
hoplessinples.com
hopsl3.com
hvzr.info
idjb.us
ihrs.pw
imyo.site
itstravel-ekb.ru
ivcm.club
jblz.net
jersetl.com
jimw.club
jipdfonte.com
jiposlve.com
jjee.site
johsimsoft.org
jomp.site
josephevinchi.com
just-easy-travel.com
juste-travel.com
jxhv.site
kalavadar.com
kashtanspb.ru
kbep.pw
kiposerd.com
kiprovol.com
kiprovolswe.com
kjke.pw
kjko.pw
koldsdes.com
kshv.site
kuyarr.com
kwoe.us
ldzp.pw
lgdr.com
lhlv.club
lnoy.site
luckystartwith.com
lvrm.pw
lvxf.pw
manchedevs.org
maofmdfd5.com
meli-travel.com
melitravel.ru
mewt.us
mfka.pw
michigan-construction.com
mjet.pw
mjot.pw
mjut.pw
mkwl.pw
molos-2.com
mtgk.site
mtxf.com
muedandubai.com
muhh.us
mut.pw
mvze.pw
mvzo.pw
mxfg.pw
mxtxt.net
myspoernv.com
navigators-travel.com
neartsay.com
nevaudio.com
neverfaii.com
nroq.pw
ns0.site
ns0.space
ns0.website
ns1.press
ns1.website
ns2.press
ns3.site
ns3.space
ns4.site
ns4.space
ns5.biz
ns5.online
ns5.pw
ntlw.net
nwrr.pw
nxpu.site
oaax.site
odwf.pw
odyr.us
okiq.pw
oknz.club
olckwses.com
olgw.my
oloqd.pw
oneliveforcopser.com
onokder.com
ooep.pw
oof.pw
ooyh.us
orfn.com
otzd.pw
oxrp.info
oyaw.club
p3marketing.org
pafk.us
palj.us
park-travels.com
parktravel-mx.ru
partnersind.biz
pbbk.us
pbsk.site
pdoklbr.com
pdokls3.com
pgnb.net
pinewood-financial.com
pjpi.com
plusmarketingagency.com
ppdx.pw
prideofhume.com
pronvowdecee.com
proslr3.com
prostelap3.com
proverslokv4.com
provnkfexxw.com
pvze.club
qdtn.us
qefg.info
qlpa.club
qsez.club
qznm.pw
rdnautomotiv.biz
redtoursuk.org
reld.info
rescsovwe.com
revital-travel.com
revitaltravel.com
rmbs.club
rnkj.pw
rtopsmve.com
rzzc.pw
sgvt.pw
shield-checker.com
simpelkocsn.com
simplewovmde.com
soru.pw
sprngwaterman.com
strideindastry.biz
strideindustrial.com
strideindustrialusa.com
strikes-withlucky.com
swio.pw
tijm.pw
tnt-media.net
true-deals.com
trustbankinc.com
tsrs.pw
turp.pw
twfl.us
ueox.club
ufyb.club
utca.site
uwqs.club
vdfe.site
viebsdsccscw.com
viebvbiiwcw.com
vikppsod.com
vjro.club
vkpo.us
voievnenibrinw.com
vpua.pw
vpuo.pw
vqba.info
vwcq.us
vxqt.us
vxwy.pw
wein.net
wfsv.us
whily.pw
wider-machinery-usa.com
widermachinery.biz
widermachinery.com
wnzg.us
wqiy.info
wruj.club
wuc.pw
wvzu.pw
xhqd.pw
xnlz.club
xnmy.com
yamd.pw
ybnz.site
ydvd.net
yedq.pw
yodq.pw
yomd.pw
yqox.pw
ysxy.pw
zcnt.pw
zdqp.pw
zjav.us
zjvz.pw
zmyo.club
zody.pw
zrst.com
zugh.us
clients14-google.com
clients18-google.com
clients19-google.com
clients23-google.com
clients31-google.com
clients33-google.com
clients39-google.com
clients46-google.com
clients47-google.com
clients51-google.com
clients52-google.com
clients55-google.com
clients56-google.com
clients57-google.com
clients58-google.com
clients6-google.com
clients62-google.com
clients7-google.com
fda-gov.com
dropbox-security.com
google-sll1.com
google-ssls.com
google-stel.com
google3-ssl.com
google4-ssl.com
google5-ssl.com
ssl-googles4.com
ssl-googlesr5.com
stats10-google.com
stats25-google.com
treasury-government.com
usdepartmentofrevenue.com
bols-googls.com
moopisndvdvr.com
dewifal.com
essentialetimes.com
fisrdteditionps.com
fisrteditionps.com
micro-earth.com
moneyma-r.com
newuniquesolutions.com
wedogreatpurchases.com

# Reference: http://blog.talosintelligence.com/2017/03/dnsmessenger.html

algew.me
aloqd.pw
bpee.pw
bvyv.club
bwuk.club
cgqy.us
cihr.site
ckwl.pw
cnmah.pw
coec.club
cuuo.us
daskd.me
dbxa.pw
dlex.pw
doof.pw
dtxf.pw
dvso.pw
dyiud.com
eady.club
enuv.club
eter.pw
fbjz.pw
fhyi.club
futh.pw
gjcu.pw
gjuc.pw
gnoa.pw
grij.us
gxhp.top
hvzr.info
idjb.us
ihrs.pw
jimw.club
jomp.site
jxhv.site
kjke.pw
kshv.site
kwoe.us
ldzp.pw
lhlv.club
lnoy.site
lvrm.pw
lvxf.pw
mewt.us
mfka.pw
mjet.pw
mjut.pw
mvze.pw
mxfg.pw
nroq.pw
nwrr.pw
nxpu.site
oaax.site
odwf.pw
odyr.us
okiq.pw
oknz.club
ooep.pw
ooyh.us
otzd.pw
oxrp.info
oyaw.club
pafk.us
palj.us
pbbk.us
ppdx.pw
pvze.club
qefg.info
qlpa.club
qznm.pw
reld.info
rnkj.pw
rzzc.pw
sgvt.pw
soru.pw
swio.pw
tijm.pw
tsrs.pw
turp.pw
ueox.club
ufyb.club
utca.site
vdfe.site
vjro.club
vkpo.us
vpua.pw
vqba.info
vwcq.us
vxqt.us
vxwy.pw
wfsv.us
wqiy.info
wvzu.pw
xhqd.pw
yamd.pw
yedq.pw
yqox.pw
ysxy.pw
zcnt.pw
zdqp.pw
zjav.us
zjvz.pw
zmyo.club
zody.pw
zugh.us
cspg.pw

# Reference: https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf

bipovnerlvd.com
blopsadmvdrl.com
bnrnboerxce.com
dewifal.com
essentialetimes.com
fisrteditionps.com
halyk-bank.com
kiprovolswe.com
kiprovol.com
micro-earth.com
moneyma-r.com
privat-bankau.com
privatbank-ua.com
tejara-bank.com
voievnenibrinw.com
wedogreatpurchases.com

# Reference: https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
# Reference: https://www.fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf
# Reference: https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf

adguard.name
beefeewhewhush-eelu.biz
blizko.net
blizko.org
comixed.org
coral-trevel.com
datsun-auto.com
di-led.com
financialnewson-line.pw
financialwiki.pw
flowindaho.info
freemsk-dns.com
gjhhghjg6798.com
glonass-map.com
great-codes.com
icafyfootsinso.ru
idedroatyxoaxi.ru
vaserivaseeer.biz
microloule461soft-c1pol361.com
microsoftc1pol361.com
mind-finder.com
operatemesscont.net
paradise-plaza.com
public-dns.us
publics-dns.com
systemsvc.net
system-svc.net
traider-pro.com
travel-maps.info
update-java.net
veslike.com
wefwe3223wfdsf.com
worldnews24.pw
worldnewsonline.pw

# Reference: https://www.tr1adx.net/intel/public/TIB-00002_IOC_Domain.txt

ai0ha.com
atlantis-bahamas.com
bentley-systems-ltd.com
bols-googls.com
dhl-service-au.com
esb-energy-int.com
fda-gov.com
google2-ssl.com
google3-ssl.com
google4-ssl.com
google5-ssl.com
google-ssls.com
google-stel.com
iris-woridwide.com
microfocus-official.com
ornuafood.com
perrigointernational.com
prsnewwire.com
sizzier.com
ssl-googles4.com
ssl-googlesr5.com
strideindustrialusa.com
syngenta-usa.com
taskretaiitechnology.com
treasury-government.com
waldorfs-astoria.com
zynga-ltd.com

# Reference: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf
# Reference: https://otx.alienvault.com/pulse/5a16a16d3477580fcf4e359a

1povkjbdw87kgf518nl361.com
adguard.name
adventureseller.com
advetureseller.com
akamai-technologies.org
akkso-dob.in
akkso-dob.xyz
androidn.ne
androidn.net
ass-pussy-fucking.net
baltazar-btc.com
brazilian-love.org
btcshop.cc
c1pol361.com
cameron-archibald.com
casas-curckos.com
castello-casta.com
casting-cortell.com
chugumshimusona.com
comixed.org
coral-travel.com
coral-trevel.com
critical-damage333.org
datsun-auto.com
di-led.com
dimeline.eu
dragonn-force.com
financialnewsonline.pw
freemsk-dns.com
gendelf.com
glonass-map.com
gooip-kumar.com
great-codes.com
ihave5kbtc.biz
ihave5kbtc.org
java-update.co.uk
jhecwhb7832873.com
klyferyinsoxbabesy.biz
levetas-marin.com
maorkkk-grot.xyz
marcello-bascioni.com
mind-finder.com
my-amateur-gals.com
namorushinoshi.com
narko-cartel.com
narko-dispanser.com
ngx.net
nikaka-ost.in
nikaka-ost.xyz
nyugorta.com
oerne.com
onlineoffice.pw
oplesandroxgeoflax.org
paradise-plaza.com
pasteronixca.com
pasteronixus.com
ppc-club.org
public-dns.com
public-dns.us
publics-dns.com
road-to-dominikana.biz
shfdhghghfg.com
skaoow-loyal.net
skaoow-loyal.xyz
strangeerglassingpbx.org
systemsvc.net
travel-maps.info
updateserver.info
vincenzo-bardelli.com
wascodogamel.com
weekend-service.com
worldnewsonline.pw
zaydo.co
zaydo.space
zaydo.website

# Reference: https://twitter.com/VK_Intel/status/1102754053774290946

tw32-cdn.com

# Reference: https://twitter.com/VK_Intel/status/1096515532558340099

logitech-cdn.com

# Reference: https://twitter.com/HONKONE_K/status/1105351576384749568

cdn-skype.com

# Reference: https://twitter.com/MalwareCantFly/status/1059831561498095617

googleapi-cdn.com

# Reference: https://twitter.com/VK_Intel/status/1072716050259681280

cisco-cdn.com

# Reference: https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/
# Reference: https://www.flashpoint-intel.com/wp-content/uploads/2019/03/iocs_astra_sqlrat_dnsbot_flashpoint_March2019.csv

bigmoneyforus.com
magicsoundmusic.com

# Reference: https://twitter.com/VK_Intel/status/1112961058812186624

combisecurity.net

# Reference: https://twitter.com/HONKONE_K/status/1117696735973761025
# Reference: https://otx.alienvault.com/pulse/5cb46aba498cfc2a71bb2936

booking-cdn.com
hpservice-cdn.com
jquery-ca-cdn.com
jquery-us-cdn.com
mse-cdn.com
norton-cdn.com

# Reference: https://twitter.com/kyleehmke/status/1123629309539885058

cdn-akamai.net

# Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ (# FIN7/GRIFFON)
# Reference: https://twitter.com/malz_intel/status/1144295975999221760

hpservice-cdn.com
realtek-cdn.com
logitech-cdn.com
pci-cdn.com
appleservice-cdn.com
servicebing-cdn.com
cisco-cdn.com
facebook77-cdn.com
yahooservices-cdn.com
globaltech-cdn.com
infosys-cdn.com
google-services-s5.com
instagram-cdn.com
mse-cdn.com
akamaiservice-cdn.com
booking-cdn.com
live-cdn2.com
cloudflare-cdn-r5.com
cdnj-cloudflare.com
bing-cdn.com
servicebing-cdn.com
cdn-yahooapi.com
cdn-googleapi.com
googl-analytic.com
mse-cdn.com
tw32-cdn.com
gmail-cdn3.com
digicert-cdn.com
vmware-cdn.com
exchange-cdn.com
cdn-skype.com
windowsupdatemicrosoft.com
msdn-cdn.com
testing-cdn.com
msdn-update.com
185.162.131.25:222

# Reference: https://twitter.com/kyleehmke/status/1127966783284101120

jquery-cdn-us2.com

# Reference: https://twitter.com/kyleehmke/status/1126663210340372480

jquery-cdn-cn.com
jquery-cdn-us1.com
jquery-update2.com

# Reference: https://twitter.com/HONKONE_K/status/1131432019940917248

bindupdate.com

# Reference: https://twitter.com/HONKONE_K/status/1136489932938072064

comodosec.com

# Reference: https://twitter.com/HONKONE_K/status/1138301293636677632

https://185.159.82.237/odrivers/update-9367.php

# Reference: https://hyas.com/news/magecart-group-4-a-link-with-cobalt-group/

aoreestr.com
aoreestr.online
aoreestr.site
curacao-egaming.online
curacaoegaming.online
curacaoegaming.site
my-1xbet.com
my1xbet.online
my1xbet.top
newreg.host
newreg.online
newreg.site
oracle-business.com
orkreestr.com
orkreestr.host
orkreestr.press
sbeibank.com
sbeibank.online
sbelbank.com
sbelbank.online
sbepbank.com
sbepbank.online
sbersafe.top

# Reference: https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html
# Reference: https://otx.alienvault.com/pulse/5d9f3036acdd17b6b5db4d3d

http://109.230.199.227

# Reference: https://twitter.com/Rmy_Reserve/status/1184142117284667393

moviedvdpower.com

# Reference: https://twitter.com/ps66uk/status/1189890438938988544
# Reference: https://app.any.run/tasks/fbad12cf-e3cd-4e27-a554-46c038ba70ff/
# Reference: https://www.virustotal.com/gui/file/9feddbc1e2b90685e444504804670b5f6db9db07f3a2d3d29dafe67540e27c91/detection
# Reference: https://www.virustotal.com/gui/file/08cdc3abc328ab032ed407399926f1d42e2a7fec38e203ab372a9501e5937573/detection
# Reference: https://www.virustotal.com/gui/file/08cdc3abc328ab032ed407399926f1d42e2a7fec38e203ab372a9501e5937573/detection
# Reference: https://www.virustotal.com/gui/file/09720515998190d47bd1e019d7077b0c2996942e269ab8499cfd969f0492415f/detection
# Reference: https://twitter.com/500mk500/status/1189912497102446597

185.156.177.132:443
insta-pulse.ca
insta-pulse.com

# Reference: https://www.endgame.com/blog/technical-blog/protecting-financial-sector-early-detection-trojanodinaff
# Reference: https://www.virustotal.com/gui/ip-address/162.243.45.200/relations

162.243.45.200:443
162.243.45.200:80
beardczaoffr.com
bigtrackrbvo.com
bravotkr.com
bravotrakrday.com
czaroffnow.com
datewomseek.com
extraczaroff.com
getrackroffr.com
goinhancemind.com
gotrackrdeal.com
inteligenbrainoff.com
libertyautogroup.com
livewomensek.com
nerverenewoff.com
newczaroff.online
newoffbravo.com
official-alert.com
savetrackroff.com
seniorwsm.com
staminanoon.com
staminonoffr.com
staminonus.com
trackrealoff.com
trackroffdeal.com
trackroffshop.com
trackrpromoday.com
urtrakrnowoff.com

# Reference: https://twitter.com/ps66uk/status/1190320112894664705

cigpcl.com

# Reference: https://twitter.com/VK_Intel/status/1205205015427727360

hawrickday.com

# Reference: https://twitter.com/VK_Intel/status/1226370026770509824

landscapesboxdesign9.com

# Reference: https://twitter.com/felixaime/status/1243544929281945602
# Reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/
# Reference: https://otx.alienvault.com/pulse/5e7e18b31f7f5e7279c15455

milkmovemoney.com

# Reference: https://twitter.com/VK_Intel/status/1250189247895744517
# Reference: https://otx.alienvault.com/pulse/5e973b9172c3f4e1a4153960

domenuscdm.com
environmentalist.com

# Reference: https://twitter.com/TweeterCyber/status/1268956628746813440
# Reference: https://www.virustotal.com/gui/file/967882624ba26c4fcd6806791aa4994b5bf64ca4b1e66dd8d24f1fa54b3a43f0/detection

spacemetic.com

# Reference: https://twitter.com/bryceabdo/status/1271063097722183681

colorpickerdesk.com
expressdesign9.com
softowii.com

# Reference: https://twitter.com/IntezerLabs/status/1291355808811409408 (# GOSH, Carbanak related ELF-malware)
# Reference: https://www.virustotal.com/gui/file/2b03806939d1171f063ba8d14c3b10622edb5732e4f78dc4fe3eac98b56e5d46/detection

45.35.41.12:443

# Reference: https://twitter.com/Bank_Security/status/1301129840754556928
# Reference: https://threatintel.blog/OPBlueRaven-Part1/
# Reference: https://threatintel.blog/OPBlueRaven-Part2/
# Reference: https://pastebin.com/CKNYfMBG
# Reference: https://otx.alienvault.com/pulse/5f4fd46ac0f4e7ee5448bd40

http://172.86.75.175
http://193.187.175.213
digitalsoundmaker99.com
fgfotr.com
hong-security.com
mozillaupdate.com
nattplot.com
tableofcolorize.com
untypicaldesign9.com
uoplotr.com

# Reference: https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/
# Reference: https://www.virustotal.com/gui/file/452315d33f6c0a9fb77e0e6d88a8cfbbe3a778461e90178d26267215522d2ab2/detection
# Reference: https://www.virustotal.com/gui/file/51060b4e21864f229b5945b24d66cb29c727641c36639de395ebc4c83b0860a9/detection
# Reference: https://www.virustotal.com/gui/file/9a00f0edc87a44d10369fdb9f35ebe1b1df57e01719a5b48ac3eddc068f77f87/detection
# Reference: https://www.virustotal.com/gui/file/de5f89ffa034281a20cbcc5d7482c78b0b5b9b249538e1947034166d68cd21ac/detection

104.232.32.61:443
104.232.32.62:443
141.255.167.28:443
162.221.183.109:443
162.221.183.11:443
162.221.183.11:80
178.209.50.245:443
185.29.9.28:443
192.52.166.66:443
193.203.48.41:700
194.146.180.58:80
216.170.116.120:443
216.170.116.120:700
216.170.116.120:80
31.3.155.123:443
50.62.171.62:700
82.163.78.188:443
84.200.4.226:443
87.98.217.9:443
89.144.14.65:80
91.207.60.68:80
adobe-dns-3-adobe.com
clients4-google.com
in-travelusa.com
seven-sky.org

# Reference: https://www.virustotal.com/gui/file/46c551fed052f3f8857709df900e33d1dbfe9b10f55ff597a1986dc108c6a4f4/detection
# Reference: https://www.virustotal.com/gui/file/d8661896d83427642d3fa2b108752691c90e98a9327f9550e24928ac90504a63/detection
# Reference: https://www.virustotal.com/gui/file/3881f459301b073073bfb2befb4545197af1c8c2160b8e583e46fa769b78289f/detection

79.134.225.126:8596
configsamg.bounceme.net
/fasthamid.php?pwdws=
/systeme.php?pwdws=

# Reference: https://twitter.com/Arkbird_SOLG/status/1310966874352635907
# Reference: https://bazaar.abuse.ch/sample/003645e2686bf863585f95532e847dfe8f3b791c5b36f1a02ea2060f97b12125/
# Reference: https://tria.ge/200929-cywpm51vcj/behavioral1
# Reference: https://tria.ge/200929-cywpm51vcj/behavioral2

195.123.227.40:1433
195.123.227.40:443
195.123.227.40:49725
195.123.227.40:53
195.123.227.40:80

# Reference: https://twitter.com/malwrhunterteam/status/1313191441431232522

sec-apps-verify.com

# Reference: https://twitter.com/malwrhunterteam/status/1313191441431232522
# Reference: https://twitter.com/bl4ckh0l3z/status/1316389511182647297
# Reference: https://www.virustotal.com/gui/file/9c8bf89d043ba3ed802d6d4f9b290747d12822402d61065adfbcb48a740a47b8/detection

http://192.236.176.214

# Reference: https://twitter.com/Arkbird_SOLG/status/1319289563404103680
# Reference: https://www.virustotal.com/gui/ip-address/51.210.135.2/relations
# Reference: https://www.virustotal.com/gui/file/da725957d24a193350af135631ab7b286983caeaa1619b61c2535aa1794575c2/detection
# Reference: https://www.virustotal.com/gui/file/c81c1c53b66cdb4d9310bed5e70cec0cd4fa5b6b22f8ae1012b5a9fdcfb218a2/detection

51.210.135.2:443

# Reference: https://twitter.com/ShadowChasing1/status/1339399145933524993
# Reference: https://www.virustotal.com/gui/file/44e95a6a78a80e7ef6f4d92d9708bc04568385304d7a405fa201dfd50be8e172/detection

githubstore.site

# Reference: https://twitter.com/ShadowChasing1/status/1342631173508349952
# Reference: https://www.virustotal.com/gui/file/5a948a8d417c114f13e471cce4141131a496638d0e888564ad9ca74a1170320b/detection (# OSX.Bella)

159.65.147.28:4545

# Reference: https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
# Reference: https://www.virustotal.com/gui/file/662124b0c998fd0826c192514b1f57f8002f2ab031996aa6dd7832f561679779/detection

170.130.55.85:443
besaintegration.com
sephardimension.com

# Reference: https://blog.morphisec.com/the-evolution-of-the-fin7-jssloader
# Reference: https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf
# Reference: https://otx.alienvault.com/pulse/5ff37057aba1bd56afb7e0cb
# Reference: https://app.any.run/tasks/9ce5148e-531b-415b-9cf4-a047c493ab06/
# Reference: https://www.virustotal.com/gui/file/49895428f1a30131308022dd3aa56eab6a1aa49b08a978ebc1520e289d3d6744/detection

alexisdanger.com
attractivology.com
bungalowphotographyblog.com
culturehiphopcafe.com
dempoloka.com
freshenvironmentaldesigns.com
huskerblackshirts.com
medinamarina.com
mekanuum.com
monusorge.com
petshopbook.com
sdidrichsen.com
skedoilltd.com
spacemetic.com
theelitevailcollection.com

# Reference: https://twitter.com/BushidoToken/status/1346555464931303424

teamgrouppcl-my.sharepoint.com

# Reference: https://twitter.com/z0ul_/status/1361698529228578816
# Reference: https://www.virustotal.com/gui/file/34218554f4469a6c8c5d68fd6c4c90d6e9789d3bf2935704f81897352b3a1627/detection

civilizationidium.com

# Reference: https://twitter.com/kyleehmke/status/1362030909676015618

conglomeratoid.com
cooperativology.com
inspirationizable.com
refrigeratoraholic.com

# Reference: https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control

http://138.201.44.4/informs.jsp
aaa.stage.15594901.en.onokder.com
aaa.stage.4710846.ns3.kiposerd.com

# Reference: https://twitter.com/kyleehmke/status/1363845965208297472

vmwarize.com

# Reference: https://twitter.com/kyleehmke/status/1366366163089956872

shareholderma.com

# Reference: https://twitter.com/kyleehmke/status/1375414387415072768

foundationious.com

# Reference: https://twitter.com/kyleehmke/status/1374696986369216517

eyebrowaholic.com

# Reference: https://twitter.com/kyleehmke/status/1374310441036419075

associationable.com
coincidencious.com
offspringance.com
uncertaintology.com

# Reference: https://twitter.com/kyleehmke/status/1381183857916010498

shareholderery.com

# Reference: https://twitter.com/kyleehmke/status/1381514483126927360

occasionent.com

# Reference: https://twitter.com/z0ul_/status/1381590862300377089
# Reference: https://www.virustotal.com/gui/file/0f083aac77fb734a8e81fb9dff218f0414ac6c4c9a23b2832837fbc2c7e2031d/detection

185.16.40.108:443

# Reference: https://twitter.com/z0ul_/status/1383076948293808129
# Reference: https://www.virustotal.com/gui/file/d41ee5bfeda26eedef14b23efb42497f096c5faf34882d8ff427b66b5afdbc16/detection

192.248.188.166:443

# Reference: https://twitter.com/kyleehmke/status/1384149754045624327
# Reference: https://twitter.com/kyleehmke/status/1384149758613155840

migrationable.com
refrigeratored.com
safarienzo.com

# Reference: https://habr.com/ru/company/bizone/blog/553136/ (Russian)
# Reference: https://www.virustotal.com/gui/file/fbd2d816147112bd408e26b1300775bbaa482342f9b33924d93fd71a5c312cce/detection

108.61.148.97:443
136.244.81.250:443
185.33.84.43:443
195.123.214.181:443
31.192.108.133:443
45.133.203.121:443

# Reference: https://twitter.com/U039b/status/1387487404160860166
# Reference: https://twitter.com/U039b/status/1387495127401308162
# Reference: https://beta.pithus.org/report/ae05bbd31820c566543addbb0ddc7b19b05be3c098d0f7aa658ab83d6f6cd5c8

78.46.120.20:443

# Reference: https://twitter.com/kyleehmke/status/1396803284359319560

halfious.com
jurisdictionious.com

# Reference: https://twitter.com/kyleehmke/status/1398190859137470466
# Reference: https://twitter.com/kyleehmke/status/1399316036957179905
# Reference: https://twitter.com/Nzc2ZjZjNjY/status/1399116019743010816

curriculumance.com
deprivationant.com
dullism.com
hemispherious.com
injuryless.com
myofibrilliance.com

# Reference: https://twitter.com/z0ul_/status/1400099980250058753
# Reference: https://www.virustotal.com/gui/file/2609c6ec5d4fdde28d29c272484da66e0995e529cf302ed46f94c68cd99352e3/detection

legislationient.com

# Reference: https://twitter.com/Arkbird_SOLG/status/1400845444889120783
# Reference: https://twitter.com/Arkbird_SOLG/status/1400845453101522947

bank4america.com
opposedent.com

# Reference: https://twitter.com/kyleehmke/status/1401480321779052547

indulgology.com
trenchize.com

# Reference: https://twitter.com/kyleehmke/status/1401851062592720898
# Reference: https://twitter.com/Nzc2ZjZjNjY/status/1402008850690154504

boldhamia.com
jurisdictionient.com
landownerable.com
perespectable.com
unitious.com
uprestrice.com

# Reference: https://twitter.com/ViriBack/status/1209650095626575872
# Reference: https://www.virustotal.com/gui/file/c1e7d6ec47169ffb1118c4be5ecb492cd1ea34f3f3dd124500d337af3e980436/detection

107.189.11.206:443
huskerblackshirts.com

# Reference: http://tracker.viriback.com/dump.php (# 2020-022-29, JSSLoader)

grepodesk.com

# Reference: https://twitter.com/ShadowChasing1/status/1402533794352025602
# Reference: https://www.virustotal.com/gui/file/5ccf66192ea9d2b6395fbb4a058d0af8409040d6d38b82b7fa1bf120371e9538/detection
# Reference: https://www.virustotal.com/gui/file/fad295cf65552061dc553c21d89d8bbd0b02783c01f5e696232df6a14381c206/detection

http://108.170.20.89
http://195.123.234.24
108.170.20.89:443
195.123.234.24:443

# Reference: https://twitter.com/ShadowChasing1/status/1402291088740675586
# Reference: https://www.virustotal.com/gui/file/944e1871cecddd5c18a8939f246e5f552cb24f0b0179f4902c0559b2ad3d336b/detection

185.203.118.54:443

# Reference: https://twitter.com/z0ul_/status/1401795117678219267
# Reference: https://twitter.com/z0ul_/status/1401795127601991682
# Reference: https://otx.alienvault.com/pulse/60be3e3f6ba2c7d1bec747a2

capermission.com
hidrofilms.com
primeautorecon.com

# Reference: https://twitter.com/z0ul_/status/1401795123294441475
# Reference: https://www.virustotal.com/gui/file/944e47dc9da19b753beba173214cdebea2aa3651c402dfacae2dde82c4fdaa43/detection
# Reference: https://www.virustotal.com/gui/file/fada67a9f89429d6c191cd6fef5d75cd7b49eebaa2e40d1dd1f9884b3038a23b/detection

185.225.17.78:443
185.33.87.24:443
37.1.210.119:443

# Reference: https://twitter.com/z0ul_/status/1401795124556861441
# Reference: https://www.virustotal.com/gui/file/0f083aac77fb734a8e81fb9dff218f0414ac6c4c9a23b2832837fbc2c7e2031d/detection

185.16.40.108:443
195.123.243.169:443

# Reference: https://twitter.com/z0ul_/status/1401795126314344453
# Reference: https://www.virustotal.com/gui/file/5ccf66192ea9d2b6395fbb4a058d0af8409040d6d38b82b7fa1bf120371e9538/detection

108.170.20.89:443
195.123.240.46:443
37.252.4.131:443

# Reference: https://twitter.com/kyleehmke/status/1405822067191300100
# Reference: https://www.virustotal.com/gui/ip-address/85.217.171.64/relations

hooferry.com

# Reference: https://twitter.com/kyleehmke/status/1408000343410085889

blankance.com

# Reference: https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded

bikweb.com

# Reference: https://twitter.com/Nzc2ZjZjNjY/status/1410227748140990469

laccolumn.com

# Reference: https://threatpost.com/fin7s-liquor-lure-law-firm-backdoor/168086/

browm-forman.com
brown-formam.com
pigeonious.com

# Reference: https://twitter.com/_brettfitz/status/1433661555632222251

amusient.com
revokeodoe.com

# Reference: https://www.virustotal.com/gui/file/2ef7d22b9a04e88f3ab84904aa24f05979c37dc7b9ef12194c73fa718dc30415/detection

185.130.104.174:443

# Reference: https://twitter.com/quack_hack/status/1468364640191225864
# Reference: https://twitter.com/quack_hack/status/1468365029229608960
# Reference: https://twitter.com/quack_hack/status/1468366237613031428
# Reference: https://www.virustotal.com/gui/ip-address/45.61.188.31/relations
# Reference: https://www.virustotal.com/gui/file/ee8f394d9e192c453d47a0c57261a03921dcbb97248a67427cb6fc6d8833c8a0/detection
# Reference: https://www.virustotal.com/gui/file/154186b5e0f5fae753a1f90c93a7150927bd03017e55f44abf21a5a08b7ec4ba/detection
# Reference: https://www.virustotal.com/gui/file/a29c97cb43cd16fad9276e161017ae654eb9cc989081c7584f8f14a3795deb0e/detection
# Reference: https://www.virustotal.com/gui/file/78d3d78f6bd90fee7bbd25a15bab36b89072dc738183442d9a6a2d9622835840/detection
# Reference: https://www.virustotal.com/gui/file/92a9fec37bc8e92e3d5ef9344c2d997d3ff02b369b9a040df52f513782940046/detection

myhobbyjapan.com
mosondra.com
sumenghong.com

# Reference: https://www.virustotal.com/gui/file/8640c59f4276a0a764d5c9deec1268ebb5c4225b73074f3b707780fdf89ae4a7/detection
# Reference: https://www.virustotal.com/gui/file/96fa0a49b5e15a83914cff5f5d742802055ebb4ce9f8ddd3993b883259d7c158/detection

pwr4life.com

# Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/BB_FIN7.json

consolidatology.com
hilariousology.com
keywordsance.com
wisecrackism.com
online.versatravel.ru

# Reference: https://geminiadvisory.io/fin7-flash-drives-spread-remote-access-trojan/
# Reference: https://otx.alienvault.com/pulse/61e683b7d020b229a3c12849

http://138.124.180.127
http://185.232.170.24
http://185.233.80.149
http://185.250.151.126
http://185.53.46.100
http://199.80.55.66
http://206.54.190.230
http://206.54.191.37
http://207.246.92.213
http://37.1.213.194
http://45.142.215.148
http://5.252.177.215
138.124.180.127:443
185.232.170.24:443
185.233.80.149:443
185.250.151.126:443
185.53.46.100:443
199.80.55.66:443
206.54.190.230:443
206.54.191.37:443
207.246.92.213:443
37.1.213.194:443
45.142.215.148:443
5.252.177.215:443

# Reference: https://twitter.com/James_inthe_box/status/1491550200007065603
# Reference: https://app.any.run/tasks/ed2c009a-df98-4bcb-8e03-5c2b9e0570ed/

205.185.117.138:443
divorceradio.com

# Reference: https://twitter.com/0xhido/status/1506672594526822404
# Reference: https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files

physiciansofficenews.com
thechinastyle.com

# Reference: https://www.mandiant.com/resources/evolution-of-fin7
# Reference: https://otx.alienvault.com/pulse/624c4e2fe492d9e618422ffc

chyprediction.com
estetictrance.com
fashionableeder.com
incongruousance.com
internethabit.com
modestoobgyn.com
myshortbio.com

# Reference: https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor
# Reference: https://otx.alienvault.com/pulse/6131dd8772536483ad294965

bypassociation.com
tnskvggujjqfcskwk.com

# Reference: https://www.joesandbox.com/analysis/1019077#iocs

idontgetitpodcast.com

# Reference: https://twitter.com/jtrombley90/status/1552504158397337600

bamadora.com
essentialsmassageanddayspa.com
whiteheadscanesyrup.com

# Reference: https://twitter.com/Des00464472/status/1552492184922116096

tuschbrothersbrewery.com

# Reference: https://twitter.com/Des00464472/status/1590548647053524992

pannamoon.com

# Reference: https://twitter.com/Des00464472/status/1593499379322982400

bullerdix.com

# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/APT-hunting/hunting-cobaltstrike-beacons-in-the-dark.pdf (# Page 103)

http://188.120.248.114
http://195.2.93.160
http://213.202.211.246
http://85.217.171.12
http://89.163.214.57
188.120.248.114:443
195.2.93.160:443
213.202.211.246:443
85.217.171.12:443
89.163.214.57:443
cdnoid.com
techniquesaholic.com

# Reference: https://twitter.com/ThreatBookLabs/status/1600010809031028736
# Reference: https://www.virustotal.com/gui/file/898f75562187c0d4b4d542c7fabf6cf75b7a88f348b817d9a3de9c852dfddeeb/detection

bamadora.com
marioterno.com

# Reference: https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang
# Reference: https://otx.alienvault.com/pulse/63a5a3d0765aef678afbc794

colormiagi.com
225ppqutwykx2or3.onion
4ktbtv54flfhs6ea.onion
4r7hlqzkxl5xtjxn.onion
ba2xy52xrtagkrh3.onion
bgumuduxnkkecg3b.onion
dppnmjep33rf6ct3.onion
fndqgtdkj4v6g4aq.onion
red6djrs7fbkchy3.onion
2cedhihsepjtcpwuwes77cle5wb6ml7e5ys6ivsb4a4ivlrw2vc4wwad.onion
xft6kit4fj5mnzsdt75ejf2spriszgaqpujclwimvfz7gtangi72suad.onion

# Reference: https://github.com/WithSecureLabs/iocs/blob/master/FIN7VEEAM/iocs.csv

http://162.248.225.115
http://194.87.148.41
http://195.123.244.162
http://217.12.206.176
http://45.136.199.128
http://77.75.230.112
http://91.149.243.181
http://91.199.147.152
http://95.217.49.123
162.248.225.115:443
194.87.148.41:443
195.123.244.162:443
217.12.206.176:443
45.136.199.128:443
77.75.230.112:443
91.149.243.181:443
91.199.147.152:443
95.217.49.123:443
/icsnd16_64refl.ps1

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2024-04-11-v10573/1563

cdn31.space
cdn32.space
cdn33.space
cdn34.space
cdn35.space
cdn36.space
cdn37.space
cdn38.space

# Reference: https://twitter.com/JAMESWT_MHT/status/1784900827930349915
# Reference: https://app.any.run/tasks/a7482c6d-5f77-47ce-b1a9-3f981df5d990/

5.8.63.140:443
86.104.72.157:443

# Reference: https://twitter.com/rewscel/status/1785407518522401223
# Reference: https://twitter.com/RussianPanda9xx/status/1785682585315647526
# Reference: https://app.validin.com/detail?find=89.105.198.190&type=ip4&ref_id=eda9f1500aa#tab=resolutions
# Reference: https://app.validin.com/detail?type=dom&find=adik33338.gmail.com#tab=dns

acdinf.com
airdrop-claim-web3.eu
airtables.net
app-trello.com
binance-give.us
bitwarden.in.net
bloomberg-t.com
bloomberg-terminal.net
catandpetshouse.com
communityofmatcha.com
d8h37sh29ds.biz
depemsersniziks.com
dkefuj33r8jdwa2.com
dyrnension.xyz
gingersoftware.info
glngersoftware.com
glowwell.eu
jd83hnsy6wbdwds9wjms.biz
keepess.info
keeqess.info
lexisnexis.day
matchablogtime.online
medidenaodmewnx.com
nmap.re
notlon.eu
pepe20.eu
quicken-install.com
trackvar.com
tradingview-softs.com
userfriendlyblogs.com
usuallyfornow.com
varizanantarprisae.com
varizanenterpize.com
verizonbusinesspage.com
verizonenterpriseaccount.com
verizonenterpriselogin.com
verizonenterpriseloginpage.com
vitalityhub.nl
webex-download.pics
webex-install.com
wellbeinghub.nl
wellful.nl
wen-airdrop.net
wen-airdrop.network
wincsp.net
wlncsp.net
workable.uk.com
youngtube.in
yt-panel-1488.com
zabblx.com
zabinewblogofcats.com
zabnewblogofcats.com
zbdemi.com

# Reference: https://twitter.com/ValidinLLC/status/1785973800661594460
# Reference: https://www.virustotal.com/gui/ip-address/94.131.107.181/relations

docusjgn.com
dsui38js2.com
gramrnarly.com
loadsoft.net
sluok.com
account.docusjgn.com

# Reference: https://twitter.com/NDA0E/status/1785729767548797079
# Reference: https://www.virustotal.com/gui/ip-address/94.131.101.65/relations

asana.pm
asana.tel
asana.wf
blackrock.re
blackrock.wf

# Reference: https://twitter.com/RussianPanda9xx/status/1786185148121174450
# Reference: https://urlscan.io/search/#filename%3A%229e4e27b7-bcfb-4298-bf8f-2cf4a6bdb3bf-9b6b40d6-3f8e-4755-9063-562658ebdb95%22

http://94.131.101.65
7-zip.cfd
7-zip.day
advanced-ip-scanner.link
advancedipscannerapp.com
aimp.day
any-connectcisco.com
autodesk.pm
bikejogot.com
bloornberg.org
business-directories.com
cdn1701.com
cdn25.space
cdn48f.space
ciscoconnecctt.com
concur.pm
concur.re
concur.skin
hubspot.pm
investing.wf
meet-go.click
meet-go.day
meet-go.link
pdfreader.link
pgadmin.link
rawafedgold.com
sapconcur.pro
storage.cdn48f.space
tendergram.com
thefoxtech.com
vkontakte.in
wall-street-journal.link
winscp-install.com
workday.pm
wsj.re
wsj.wales
wsj.wf
wwwlegals.com

# Reference: https://twitter.com/cyber_ra1/status/1786288753377718639

http://103.113.70.134
http://103.113.70.142
http://103.113.70.37
http://103.35.191.28
http://103.35.191.53
http://138.124.183.95
http://138.124.184.64
concur.cfd
hubspot.wf
stream-mix.com

# Reference: https://twitter.com/crep1x/status/1786150734121120075
# Reference: https://gist.github.com/qbourgue/62ceee8edf1159452778a8750dd43116

138.124.183.91:3000
138.124.184.247:3000
138.124.184.249:3000
138.124.184.250:3000
45.142.212.150:3000
45.67.229.73:3000
45.89.53.244:3000
86.104.72.155:3000
86.104.72.157:3000
86.104.72.158:3000
91.149.239.120:3000
138.124.183.79.sslip.io
advanced-ip-scanner.cfd
aimp.pm
cdn1102.com
cdn1124.net
cdn1168.net
cdn1702.click
cdn1704.com
cdn2525.com
cdn27.space
cdn30.space
cdn40.click
cdn41.space
cdn42.space
cdn43.space
cdn44.space
cdn45.space
cdn46.space
cdn47.space
eprst251.boo
eprst281.boo
eprst431.boo
hidifypro.turkalphapro.ir
meet-go.org
msq2323232300000.online
static.cdn40.click
statistic.cdn47.space
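Added example, not part of the Maltrail project or of this trail: a minimal parser for the trail layout used above (comment lines start with `#`; everything else is a bare domain, an IPv4 address with optional `:port`, an absolute `http(s)://` URL, or a URI fragment starting with `/`) together with the matching rules a detector needs for each kind, run over a constructed batch of DNS, connection and HTTP events. The `dns|conn|http <client> <value>` event format and the event values are constructed for the example; the indicators are a handful copied from the trail above. Domains match on exact name or any subdomain (so the `aaa.stage.<n>.<label>.<domain>` DNS-tunnelling names and the `clients2-google.com` look-alike are matched without catching the real `clients2.google.com`), an `ip:port` entry fires only on that port while a bare IP fires on any, and `/path?param=` entries are matched as substrings of the requested path and query.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of the trail above, one entry per line as a Maltrail
# trail file is laid out: '#' lines are comments, everything else an indicator.
TRAIL_EXCERPT = """\
# Aliases: carbanak, jssloader, odinaff, wemosis
# Reference: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
clients2-google.com
cdn-googleapi.com
aaa.stage.4710846.ns3.kiposerd.com
185.162.131.25:222
https://185.159.82.237/odrivers/update-9367.php
http://109.230.199.227
/fasthamid.php?pwdws=
"""

IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")


def parse_trail(text):
    """Return (kind, value, port) tuples; kind is ip, url, path or domain."""
    indicators = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = IP_PORT_RE.match(line)
        if m:
            port = int(m.group(2)) if m.group(2) else None
            indicators.append(("ip", m.group(1), port))
        elif line.startswith(("http://", "https://")):
            indicators.append(("url", line.rstrip("/"), None))
        elif line.startswith("/"):
            indicators.append(("path", line, None))
        else:
            indicators.append(("domain", line.lower().rstrip("."), None))
    return indicators


def _host_hits(host, domain):
    # Exact name or a subdomain of it; never a substring, so the legitimate
    # 'clients2.google.com' does not hit the look-alike 'clients2-google.com'.
    return host == domain or host.endswith("." + domain)


def match_event(indicators, event):
    """Return the first indicator hit by one event line, or None.

    Event lines use a constructed three-field format (not a real log source):
      dns  <client> <qname>
      conn <client> <dst_ip>:<dst_port>
      http <client> <url>
    """
    kind, _client, value = event.split()
    if kind == "dns":
        qname = value.lower().rstrip(".")
        for ind in indicators:
            if ind[0] == "domain" and _host_hits(qname, ind[1]):
                return ind
    elif kind == "conn":
        dst, dport = value.rsplit(":", 1)
        for ind in indicators:
            # An ip:port entry fires only on that port; a bare IP on any port.
            if ind[0] == "ip" and ind[1] == dst and ind[2] in (None, int(dport)):
                return ind
    elif kind == "http":
        parsed = urlparse(value)
        path_query = parsed.path + ("?" + parsed.query if parsed.query else "")
        for ind in indicators:
            # URL entries match exactly or as a prefix ending at a '/' boundary.
            if ind[0] == "url" and (value == ind[1] or value.startswith(ind[1] + "/")):
                return ind
            if ind[0] == "path" and ind[1] in path_query:
                return ind
            if ind[0] == "domain" and parsed.hostname and _host_hits(parsed.hostname, ind[1]):
                return ind
    return None


def scan(indicators, events):
    """Return [(event, indicator)] for every event that hits the trail."""
    hits = []
    for ev in events:
        ind = match_event(indicators, ev)
        if ind is not None:
            hits.append((ev, ind))
    return hits


# Constructed events; the look-alike on line 2 and the off-port connection
# on line 5 must stay clean, the other six must hit.
SAMPLE_EVENTS = [
    "dns 10.0.0.5 www.clients2-google.com",
    "dns 10.0.0.5 clients2.google.com",
    "dns 10.0.0.9 aaa.stage.4710846.ns3.kiposerd.com",
    "conn 10.0.0.7 185.162.131.25:222",
    "conn 10.0.0.7 185.162.131.25:443",
    "http 10.0.0.8 https://185.159.82.237/odrivers/update-9367.php",
    "http 10.0.0.8 http://109.230.199.227/index.html",
    "http 10.0.0.8 http://79.134.225.126:8596/fasthamid.php?pwdws=abcd",
]

if __name__ == "__main__":
    for ev, ind in scan(parse_trail(TRAIL_EXCERPT), SAMPLE_EVENTS):
        print(f"{ev}  <-  {ind[0]} {ind[1]}")
```

Running it prints six hits and nothing for the two clean events. Two points the trail itself does not spell out: the `ip:port` entries (for example `185.162.131.25:222`) only describe traffic on that port, so a bare-IP blocklist built from this file would be broader than what the trail asserts, and the `/path?param=` fragments are only meaningful against full request URLs, so they need proxy or web-server logs rather than DNS or flow data.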