# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/James_inthe_box/status/1193539893000986624
# Reference: https://www.virustotal.com/gui/ip-address/130.185.238.32/relations
# Reference: https://www.virustotal.com/gui/file/179349534f184774b18b7dbcf7442a537fe640e373f5c4cc6b39d3076240c11b/detection
# Reference: https://www.virustotal.com/gui/file/9cc448001e8ed355520e26c328d33f1b8031b26796923608cdf920fb6617dbb2/detection
# Reference: https://www.virustotal.com/gui/file/b078b3cba73f7dc905d395b014f610000ab37cc1500be00d64ce48c7cd9378b2/detection

http://130.185.238.32
coinstolkbr79.dyndns.org

# Reference: https://twitter.com/reecdeep/status/1291002877633331201
# Reference: https://app.any.run/tasks/1c5c1fef-a022-4143-b3d8-e365a38b8a20/
# Reference: https://www.virustotal.com/gui/file/8df61999996b08c2f77e53869f75e2ea399f1bad5a5dc5d5969f4b5e9d8d5751/detection

142.11.212.211:8081
pizzacircusbarcelona.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1291013627680624642

167.114.217.220:9090

# Reference: https://twitter.com/Dashowl/status/1296886074053099520

http://173.0.54.19

# Reference: https://twitter.com/JAMESWT_MHT/status/1303248634507657216

155.138.137.44:3030

# Reference: https://twitter.com/K_N1kolenko/status/1328605692643713025

146.59.193.20:1948

# Reference: https://twitter.com/ESETresearch/status/1390263927859208193
# Reference: https://twitter.com/ESETresearch/status/1390263930833063938

binanceassistance.com
spotifyannounce.com

# Reference: https://twitter.com/johnk3r/status/1524847789766852630

24.152.38.130:4398

# Reference: https://twitter.com/da_667/status/1530296455981936646
# Reference: https://www.virustotal.com/gui/ip-address/167.114.88.99/relations
# Reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season/

167.114.43.27:4433
belfaro.com.br
iuc1tab1tatitbw.freedynamicdns.org
iuc1tag1sjsdtbb.freedynamicdns.org
iuc1tan1xatmtkk.freedynamicdns.org
iuc1tan1xqs4tjf.freedynamicdns.org
iuc1tas1satjtjo.freedynamicdns.org
iuc1tas1xao3taf.freedynamicdns.org
iuc1tbb0sqpmtak.freedynamicdns.org
iuc1tbs0taoztjw.freedynamicdns.org
iuc1tbw0sasztjb.freedynamicdns.org
iuc1tbw1xjoztko.freedynamicdns.org
iuc1tjf0satltbs.freedynamicdns.org
iuc1tjj0uas0tbs.freedynamicdns.org
iuc1tjk0sqpltbo.freedynamicdns.org
iuc1tjk0xqpltbo.freedynamicdns.org
iuc1tko1sqs5tjg.freedynamicdns.org

# Reference: https://twitter.com/JAMESWT_MHT/status/1531566144594841601

http://20.187.91.219
20.187.91.219:44441

# Reference: https://twitter.com/1ZRR4H/status/1549261002725679105
# Reference: https://www.virustotal.com/gui/ip-address/20.70.2.177/relations

http://20.70.2.177
a404140024b44.servehalflife.com
a40494449.servehalflife.com
a4049475a475955.servehalflife.com
a404e4306.servecounterstrike.com
a40595c5747595c.servehalflife.com
a41534548.servequake.com
a425b4159455043.zapto.org
a44504159455043.zapto.org
a44504605.zapto.org
a44504959.zapto.org
a44524358475241.servehalflife.com
a4452435e475959.servehalflife.com
a445b525b.zapto.org
a454b4603.zapto.org
a45504205455053.zapto.org
a45504603.zapto.org
a455b5303.zapto.org
a455b5e02455b42.zapto.org
a46404600.zapto.org
a46405259.zapto.org
a46405e00455b5a.zapto.org
a464b4205455a5a.zapto.org
a464b534b.zapto.org
a46524b5b.servehalflife.com
a46594b5a.servehalflife.com
a4742475f475858.servehalflife.com
a49405305.zapto.org
a4940534b.zapto.org
a495b5258.zapto.org
a4a585057.servequake.com
a4b42435b475155.servehalflife.com
a4b424b5a.servehalflife.com
a4b42505f.servehalflife.com
a4b425c57475144.servehalflife.com
a4b52505a.servehalflife.com
a4b525c06475151.servehalflife.com
a4b59505f.servehalflife.com
a4c454c5d.servecounterstrike.com
ftpbtag1sjoztbf.freedynamicdns.org
ftpbtao1sztitjf.freedynamicdns.org
ftpbtbs0uatmtko.freedynamicdns.org
ftpbtjw0xaphtaw.freedynamicdns.org
ftpxtak1wqo1tjk.freedynamicdns.org
ftpxtan0xas5tab.freedynamicdns.org
ftpxtjj0uaphtar.freedynamicdns.org
iuc1tbw0tas4tab.freedynamicdns.org
iuc1tjg0xjsftbo.freedynamicdns.org
iuc1tjn1tjo3tjs.freedynamicdns.org
iuc1tjs0xasftbo.freedynamicdns.org
xacjtjozxaw3.freedynamicdns.org
xaxhtbkzsqcm.freedynamicdns.org

# Reference: https://twitter.com/ankit_anubhav/status/1555521068734902272

premierecombate.eastus.cloudapp.azure.com

# Reference: https://twitter.com/ankit_anubhav/status/1555815597769863168
# Reference: https://www.virustotal.com/gui/ip-address/20.115.83.63/relations

http://54.39.194.67
amixtubinemasterx.com
beacocosmasterx.top
centroempresarialkutsni.com
customdefivewrs.top
dextelmacwordsx.top
domanekiewex.top
empresarialkutsni.com
empresarialkutsnicorp.com
empresarialmixtur.ml
empresarialmixtur.tk
empresarialwebcustom.top
mixtubinemasterx.com
mixtubinemasterxnet.com
/$NOTADIGITALFISCAL

# Reference: https://github.com/CronUp/Malware-IOCs/blob/main/2022-08-05_Grandoreiro

http://20.10.3.196
http://20.197.31.100
http://20.226.27.45
http://209.127.179.58
http://54.39.194.67
amixtubinemasterx.com
beacocosmasterx.top
dextelmacwordsx.top
domanekiewex.top
empresarialkutsni.com
empresarialkutsnicorp.com
empresarialwebcustom.top
mixtubinemasterx.com
mixtubinemasterxnet.com

# Reference: https://twitter.com/reecdeep/status/1291717803385520128

142.11.213.42:8081

# Reference: https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals

http://15.188.63.127
http://18.231.180.92
http://35.180.117.32
http://35.181.59.254
http://52.67.27.173
http://54.232.38.61
15.188.63.127:36992
assesorattlas.me
atlasassessorcontabilidade.com
barusgorlerat.me
damacenapirescontab.com
mantersaols.com
perfomacepnneu.me
vamosparaonde.com
premiercombate.eastus.cloudapp.azure.com
chjjhjmomaoheoojjbynnyjiidfcncc.cable-modem.org
ifnnfnmcmacfdccnnjynnyjiidfcncc.collegefan.org
jmllmedvhgmhldjgmhvmmlljhvgdzvzz.dynns.com
odbbdbmgmagdfggbbnynnyjiidfcncc.blogsyte.com
pcbbcrjcgbcghjpbcgkccbjorkhhjcjj.fantasyleague.cc
/$FISCALIGENERAL3489213839012

# Reference: https://twitter.com/1ZRR4H/status/1570233170997694466

20.206.121.215:4144
procedimentos09092022.blob.core.windows.net

# Reference: https://app.any.run/tasks/74ed9bfb-68d7-492a-8c2a-4236fe2589c6/

java-update.online
mymodulop2pcar.servehttp.com
/Bv3wF1uHKG/counter.php
/Bv3wF1uHKG/

# Reference: https://www.virustotal.com/gui/file/fd00307c2ea5313be921b31b2c9ddad5a5cd0df4bcf81814d07243fdf24fbc49/detection

http://108.62.118.17

# Reference: https://hybrid-analysis.com/sample/f8991e3f7b524edc26a64543b57dd3f7cd69a2f8b04ce934d9334bf8ade8b396

sgd.servehttp.com

# Reference: https://twitter.com/StopMalvertisin/status/1575427033504501760
# Reference: https://www.virustotal.com/gui/file/0a9d7369a1c4cb32172404abd4e1a6c5aa35a674b4bfdcca81dc909b0f047b65/detection

filestorel.eastus.cloudapp.azure.com

# Reference: https://twitter.com/noexceptcpp/status/1578403486181560322
# Reference: https://app.any.run/tasks/218fcddb-49f5-4eaa-9ea3-8d22535c2a1d/

http://20.70.3.186
104.129.205.92.host.secureserver.net
nmp20887a02021498.s3.amazonaws.com
/contgmx/clientes.php
/.Nfe1456345340/

# Reference: https://twitter.com/1ZRR4H/status/1592906505363542016

http://185.191.228.227
18.231.179.202:65535
192.95.55.50:28322
192.95.55.50:45774

# Reference: https://twitter.com/Merlax_/status/1594862075897339904

http://192.95.6.196

# Reference: https://twitter.com/Merlax_/status/1594862079734857728

http://138.99.74.213
http://170.82.181.99
http://185.153.176.148
http://186.249.213.178
http://191.96.4.160
http://191.96.5.221

# Reference: https://twitter.com/Merlax_/status/1598875723602989056

http://138.99.74.21
http://186.249.213.225

# Reference: https://twitter.com/Merlax_/status/1603854200605184035

http://138.99.74.212
http://15.235.193.43
http://186.249.213.221
http://201.14.45.23

# Reference: https://twitter.com/Merlax_/status/1619666797879255041

http://149.56.91.172
http://177.73.101.138
http://186.249.213.39
http://188.121.116.157
http://52.67.94.240
http://54.221.142.212
http://89.223.88.138
54.221.142.212:28551
/eliteseguros/autorizar.php

# Generic

/Adkflgog30.iso
/dyngcdnefn_03.iso
/nivyjlzhdj_04.iso
/nnkokysdggit.iso
/obmkumjoxq_05.iso
/ugqvhozczb_04.iso
/yqcnfempzc.iso
/ronivon.txt
/BR01?NF-eBR102822MY91822BT1
/BR02?NF-eBR102822MY91822BT1
/BR01/?NF-eBR102822MY91822BT1
/BR02/?NF-eBR102822MY91822BT1
/?NF-eBR102822MY91822BT1