# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://www.proofpoint.com/us/threat-insight/post/gootkit-banking-trojan-jumps-channel swysocki77.com gorski83.com ostrowski87.com jasinski2015.com olszewski78.com pozheeshebudem.com freforevermailtes.com nidermidertom.com ecuremailbestfree.com securewebgooglesite.com robertpouslen12494.pw robertpouslen1234524.com update-service7825t28.com domolor.com babosikimne.com babosikidai.com vaillantsawer.com proballansmen.com reputamadrell.com lastrizariano.com rokobarokkino.com artipreambulo.com trequablaster.com pretriquestro.com rebellintosto.com mellicianactr.com abc.doitgraphic.org updatebase.bid shop.lifexcellence.org # Reference: http://www.broadanalysis.com/2017/03/13/rig-exploit-kit-via-eitest-delivers-gootkit-banking-malware-2/ duplanty.top # Reference: https://www.cert-pa.it/news?id=10536 sph.expoartshop.com # Reference: https://twitter.com/James_inthe_box/status/1102904911212101634 vancouverislandprocessor.com # Reference: https://twitter.com/James_inthe_box/status/914111090425917440 # Reference: https://pastebin.com/T2ryBWdZ /rpersist4/ # Reference: https://twitter.com/JAMESWT_MHT/status/1113395985043079169 # Reference: https://sugitamuchi.hatenablog.com/entry/2019/04/13/224350 (JP-lang) /loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php # Reference: https://www.joesandbox.com/analysis/117861/0/pdf /crypt0DD1D2637FDB71097213D70B94E86930.php # Reference: https://twitter.com/VK_Intel/status/1006545151823613952 ftps.layermag.com lab.aplusstatus.com 0.turkcedusunturkcekonus.com # Reference: https://twitter.com/malware_traffic/status/767852827200761856 apsoo3k2i.ahgsuy3829.top # Reference: https://twitter.com/Racco42/status/1063412662623760385 ppp.picchio-intl.com ricci.bikescout24.fr # Reference: https://twitter.com/BroadAnalysis/status/815211105664565248 cedar.igrooveweb.com salsx.sedtinterrighthe.top # Reference: https://twitter.com/BroadAnalysis/status/788400179091214336 acc.arabicdessert.co kd67.prmhohzsl.top # Reference: https://twitter.com/BroadAnalysis/status/782996903025844224 b6l2op.dxzvkr.top # Reference: https://twitter.com/malware_traffic/status/766412267063607296 dmqxmz.lowashemterle.top # Reference: https://blog.yoroi.company/warning/campagna-gootkit-verso-pec-italiane/ ami.sigaingegneria.com erre.effe-erre.es filuetrama.top martatov.top # Reference: https://twitter.com/reecdeep/status/1130497379411595266 fila.heathercrowe.ca koohy.top # Reference: https://app.any.run/tasks/77932db7-ffb1-409a-9b28-9cf6c8e70c1c/ fila.su170.org # Reference: https://twitter.com/reecdeep/status/1136950470696681473 it.goodvibeskicking.com tru.cheersportacademy.com # Reference: https://twitter.com/reecdeep/status/1139063611681325056 kohe.even-air.com ove.resourceny.net # Reference: https://twitter.com/reecdeep/status/1139436492152102912 box.therusticsandbox.com # Reference: https://twitter.com/James_inthe_box/status/1141326136212766720 checkcacheonline.com # Reference: https://twitter.com/abuse_ch/status/1141330445663113218 onlinecachecheck.com # Reference: https://www.cert-pa.it/notizie/campagna-gootkit-tramite-jasperloader-verso-pubbliche-amministrazioni/ fattura.directionalforcedrive.com majorleaguepub.com calc.1407cty13pec.com koh.191northfront.com karysmarie.me otnhmtkwnz.top # Reference: https://twitter.com/reecdeep/status/1153248954911514625 me.karysmarie.me # Reference: https://twitter.com/reecdeep/status/1156085593148932097 koh.corkysfreshwater.com lucky.bayonetbreakers.com # Reference: https://twitter.com/reecdeep/status/1156866545651474432 drive.deescreationstore.com kope.deessolutionsdemo.com # Reference: https://twitter.com/reecdeep/status/1159353959271845888 me.woodlandsareareview.com # Reference: https://twitter.com/reecdeep/status/1159349342144253954 drive.gstroop4822.org free.deescreationstore.com # Reference: https://twitter.com/reecdeep/status/1158754365559193602 me.kaleighrose.me otnhmdmwnz.top # Reference: https://twitter.com/reecdeep/status/1158751070425763840 soft.photosbydee.com # Reference: https://twitter.com/peterkruse/status/1158761928736628736 bill.newsrental.net help.skofirm.org zgzimdqwnj.top # Reference: https://twitter.com/reecdeep/status/1156866545651474432 drive.deescreationstore.com kope.deessolutionsdemo.com # Reference: https://twitter.com/reecdeep/status/1164503528271990784 hop.hopedaleweb.com web.tilmonday.com wws.no-shirt-no-shoes.com # Reference: https://twitter.com/reecdeep/status/1164508719742423044 hop.hopedaleweb.com zgzimdkwod.top # Reference: https://twitter.com/JAMESWT_MHT/status/1164511396849160193 web.cfmontessori.com wws.dbimages.com # Reference: https://twitter.com/JAMESWT_MHT/status/1169549992345985025 wow.doorattendants.com me.jmitchelldayton.com web.speakingofhome.com pro.prosperitybookkeeping.net # Reference: https://twitter.com/reecdeep/status/1171022723587420162 ser.jonnalbandian.com wws.christinedavies.biz vps.healinglightwithin.com it.its1ofakind.net # Reference: https://twitter.com/JAMESWT_MHT/status/1172515470202871808 ser.jonnalbandian.com wws.christinedavies.biz you.cypressstakeyouth.com adp.mjmentertainment.com # Reference: https://twitter.com/MBThreatIntel/status/1174471949059125248 adp.reevesandcompany.com beta.madeintaylors.com picturecrafting.site # Reference: https://twitter.com/JAMESWT_MHT/status/1175128962919542785 guipicturecrafting.site # Reference: https://twitter.com/reecdeep/status/1176407972249001984 wws.breebrasil.com wws.guidemyhunt.com # Reference: https://twitter.com/reecdeep/status/1176414815033679873 web.speakingofhome.com pro.prosperitybookkeeping.net # Reference: https://blog.talosintelligence.com/2019/10/threat-roundup-1011-1018.html (# Win.Malware.Gootkit-7333291-0) cibariefoodconsulting.com hymnsontap.com its1ofakind.net jmitchelldayton.com kaleighrose.me karysmarie.me kkillihhy.top mjmentertainment.com otnhmdmwnz.top picturecrafting.site reevesandcompany.com simplebutmatters.com thebellamyfamily.me ttbuilders.com woodlandsareareview.com # Reference: https://twitter.com/deepspacesc/status/1133755269836693506 capfaregreem.eu # Reference: https://any.run/malware-trends/goodkit (Note: as seen on 2019-12-04) web.speakingofhome.com home.ktxhome.com home.hopedaybook.com beta.madeintaylors.com # Reference: https://app.any.run/tasks/18e0b136-bfa9-4837-8ea7-5ee4a6a732e9/ kasdima.top # Reference: https://twitter.com/0xCARNAGE/status/1246485252903702528 # Reference: https://app.any.run/tasks/137d26a0-a94a-414b-a953-711647b4093b/ medicinecomplete.com # Reference: https://twitter.com/ffforward/status/1326144202997166084 # Reference: https://twitter.com/ffforward/status/1326144205106909185 # Reference: https://tria.ge/201110-shdmh4swv6/ # Reference: https://bazaar.abuse.ch/sample/416215d488021e257a7a0552efd53ca8e80b6d066135cbf94dab5b898612c6e7/ # Reference: https://www.virustotal.com/gui/file/30c57c642bb1fc530f6a22718c8eec2b6a6834b2165168a7567c4cee4d298037/detection # Reference: https://www.virustotal.com/gui/file/35fd40cd3529e9b39b363bba62990949468f3a97ebb7e30e0f7629a64ae3c1d3/detection chaabattent.com kerymarynicegross.com kladrykroptur.com kvaladrigrosdrom.top madregobilsg.com pillygreamstronh.com # Reference: https://securelist.com/gootkit-the-cautious-trojan/102731/ # Reference: https://otx.alienvault.com/pulse/60be30837c3f13bb72131f36 kerymarynicegross.top kvaladrigrosdrom.top lbegardingstorque.com pillygreamstronh.com scellapreambulus.top # Reference: https://www.virustotal.com/gui/ip-address/185.130.104.179/relations # Reference: https://www.virustotal.com/gui/file/89450d2a60569fb344706de0f1d2105dfb60cfec7118f8d517a2ad0022697fad/detection admovinseth.com insourcehawaii.com vinsethteas.com dp.insourcehawaii.com lps.admovinseth.com xrp.vinsethteas.com # Reference: https://www.virustotal.com/gui/file/1d0030552e6ff56b7d5469c869af95f0e315888568c00ff2c85da6ba6efa9d4c/detection 195.22.26.252:8080 195.22.26.252:6969 195.22.26.253:6969 ere5453.com vip.ere5453.com # Reference: https://twitter.com/GootLoaderSites/status/1514211046629814272 kepw.org korsakovmusic.com lacocinadefrabisa.lavozdegalicia.es # Reference: https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ # Reference: https://otx.alienvault.com/pulse/6278f9624d491d800adf4944 jp.imonitorsoft.com/test.php?hjkiofilihyl= junk-bros.com/test.php?hjkiofilihyl= kakiosk.adsparkdev.com/test.php?hjkiofilihyl= /test.php?hjkiofilihyl= # Reference: https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html # Reference: https://otx.alienvault.com/pulse/62e3c4e56e6b1aff022c72ff http://89.238.185.13 # Reference: https://tria.ge/220802-qrqatsfcf5/behavioral1 /test.php?xkiutrbcfgqble= # Reference: https://tria.ge/220802-xhw6cabcgr/behavioral1 /test.php?wiliidivzlonkb= # Reference: https://tria.ge/220728-tgsvrahbb3/behavioral1 /test.php?rgfufxdpdybaw= # Reference: https://tria.ge/220728-msbmaaehf6/behavioral1 /test.php?pmfvhcbyovwmpdyx= # Reference: https://twitter.com/AvastThreatLabs/status/1561685383368286210 frerecapucinbenin.org/search.php giuseppedeluigi.com/search.php kettlebellgie.be/search.php # Reference: https://www.virustotal.com/gui/file/acf7ed3990f94b5c55dfb66537b8ec8ffc8b44855f6107934e750377d1831fb0/detection 195.22.26.253:8080 195.22.26.254:8080 # Generic /rpersist4/-1008320073 /rpersist4/-327594751 /rpersist4/ /search?elweodvfxwfrwey= /rbody320 /tes2t