# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://twitter.com/James_inthe_box/status/1193539893000986624 # Reference: https://www.virustotal.com/gui/ip-address/130.185.238.32/relations # Reference: https://www.virustotal.com/gui/file/179349534f184774b18b7dbcf7442a537fe640e373f5c4cc6b39d3076240c11b/detection # Reference: https://www.virustotal.com/gui/file/9cc448001e8ed355520e26c328d33f1b8031b26796923608cdf920fb6617dbb2/detection # Reference: https://www.virustotal.com/gui/file/b078b3cba73f7dc905d395b014f610000ab37cc1500be00d64ce48c7cd9378b2/detection http://130.185.238.32 coinstolkbr79.dyndns.org # Reference: https://twitter.com/reecdeep/status/1291002877633331201 # Reference: https://app.any.run/tasks/1c5c1fef-a022-4143-b3d8-e365a38b8a20/ # Reference: https://www.virustotal.com/gui/file/8df61999996b08c2f77e53869f75e2ea399f1bad5a5dc5d5969f4b5e9d8d5751/detection 142.11.212.211:8081 pizzacircusbarcelona.com # Reference: https://twitter.com/JAMESWT_MHT/status/1291013627680624642 167.114.217.220:9090 # Reference: https://twitter.com/Dashowl/status/1296886074053099520 http://173.0.54.19 # Reference: https://twitter.com/JAMESWT_MHT/status/1303248634507657216 155.138.137.44:3030 # Reference: https://twitter.com/K_N1kolenko/status/1328605692643713025 146.59.193.20:1948 # Reference: https://twitter.com/ESETresearch/status/1390263927859208193 # Reference: https://twitter.com/ESETresearch/status/1390263930833063938 binanceassistance.com spotifyannounce.com # Reference: https://twitter.com/johnk3r/status/1524847789766852630 24.152.38.130:4398 # Reference: https://twitter.com/da_667/status/1530296455981936646 # Reference: https://www.virustotal.com/gui/ip-address/167.114.88.99/relations # Reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season/ 167.114.43.27:4433 belfaro.com.br iuc1tab1tatitbw.freedynamicdns.org iuc1tag1sjsdtbb.freedynamicdns.org iuc1tan1xatmtkk.freedynamicdns.org iuc1tan1xqs4tjf.freedynamicdns.org iuc1tas1satjtjo.freedynamicdns.org iuc1tas1xao3taf.freedynamicdns.org iuc1tbb0sqpmtak.freedynamicdns.org iuc1tbs0taoztjw.freedynamicdns.org iuc1tbw0sasztjb.freedynamicdns.org iuc1tbw1xjoztko.freedynamicdns.org iuc1tjf0satltbs.freedynamicdns.org iuc1tjj0uas0tbs.freedynamicdns.org iuc1tjk0sqpltbo.freedynamicdns.org iuc1tjk0xqpltbo.freedynamicdns.org iuc1tko1sqs5tjg.freedynamicdns.org # Reference: https://twitter.com/JAMESWT_MHT/status/1531566144594841601 http://20.187.91.219 20.187.91.219:44441 # Reference: https://twitter.com/1ZRR4H/status/1549261002725679105 # Reference: https://www.virustotal.com/gui/ip-address/20.70.2.177/relations http://20.70.2.177 a404140024b44.servehalflife.com a40494449.servehalflife.com a4049475a475955.servehalflife.com a404e4306.servecounterstrike.com a40595c5747595c.servehalflife.com a41534548.servequake.com a425b4159455043.zapto.org a44504159455043.zapto.org a44504605.zapto.org a44504959.zapto.org a44524358475241.servehalflife.com a4452435e475959.servehalflife.com a445b525b.zapto.org a454b4603.zapto.org a45504205455053.zapto.org a45504603.zapto.org a455b5303.zapto.org a455b5e02455b42.zapto.org a46404600.zapto.org a46405259.zapto.org a46405e00455b5a.zapto.org a464b4205455a5a.zapto.org a464b534b.zapto.org a46524b5b.servehalflife.com a46594b5a.servehalflife.com a4742475f475858.servehalflife.com a49405305.zapto.org a4940534b.zapto.org a495b5258.zapto.org a4a585057.servequake.com a4b42435b475155.servehalflife.com a4b424b5a.servehalflife.com a4b42505f.servehalflife.com a4b425c57475144.servehalflife.com a4b52505a.servehalflife.com a4b525c06475151.servehalflife.com a4b59505f.servehalflife.com a4c454c5d.servecounterstrike.com ftpbtag1sjoztbf.freedynamicdns.org ftpbtao1sztitjf.freedynamicdns.org ftpbtbs0uatmtko.freedynamicdns.org ftpbtjw0xaphtaw.freedynamicdns.org ftpxtak1wqo1tjk.freedynamicdns.org ftpxtan0xas5tab.freedynamicdns.org ftpxtjj0uaphtar.freedynamicdns.org iuc1tbw0tas4tab.freedynamicdns.org iuc1tjg0xjsftbo.freedynamicdns.org iuc1tjn1tjo3tjs.freedynamicdns.org iuc1tjs0xasftbo.freedynamicdns.org xacjtjozxaw3.freedynamicdns.org xaxhtbkzsqcm.freedynamicdns.org # Reference: https://twitter.com/ankit_anubhav/status/1555521068734902272 premierecombate.eastus.cloudapp.azure.com # Reference: https://twitter.com/ankit_anubhav/status/1555815597769863168 # Reference: https://www.virustotal.com/gui/ip-address/20.115.83.63/relations http://54.39.194.67 amixtubinemasterx.com beacocosmasterx.top centroempresarialkutsni.com customdefivewrs.top dextelmacwordsx.top domanekiewex.top empresarialkutsni.com empresarialkutsnicorp.com empresarialmixtur.ml empresarialmixtur.tk empresarialwebcustom.top mixtubinemasterx.com mixtubinemasterxnet.com /$NOTADIGITALFISCAL # Reference: https://github.com/CronUp/Malware-IOCs/blob/main/2022-08-05_Grandoreiro http://20.10.3.196 http://20.197.31.100 http://20.226.27.45 http://209.127.179.58 http://54.39.194.67 amixtubinemasterx.com beacocosmasterx.top dextelmacwordsx.top domanekiewex.top empresarialkutsni.com empresarialkutsnicorp.com empresarialwebcustom.top mixtubinemasterx.com mixtubinemasterxnet.com # Reference: https://twitter.com/reecdeep/status/1291717803385520128 142.11.213.42:8081 # Reference: https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals http://15.188.63.127 http://18.231.180.92 http://35.180.117.32 http://35.181.59.254 http://52.67.27.173 http://54.232.38.61 15.188.63.127:36992 assesorattlas.me atlasassessorcontabilidade.com barusgorlerat.me damacenapirescontab.com mantersaols.com perfomacepnneu.me vamosparaonde.com premiercombate.eastus.cloudapp.azure.com chjjhjmomaoheoojjbynnyjiidfcncc.cable-modem.org ifnnfnmcmacfdccnnjynnyjiidfcncc.collegefan.org jmllmedvhgmhldjgmhvmmlljhvgdzvzz.dynns.com odbbdbmgmagdfggbbnynnyjiidfcncc.blogsyte.com pcbbcrjcgbcghjpbcgkccbjorkhhjcjj.fantasyleague.cc /$FISCALIGENERAL3489213839012 # Reference: https://twitter.com/1ZRR4H/status/1570233170997694466 20.206.121.215:4144 procedimentos09092022.blob.core.windows.net # Reference: https://app.any.run/tasks/74ed9bfb-68d7-492a-8c2a-4236fe2589c6/ java-update.online mymodulop2pcar.servehttp.com /Bv3wF1uHKG/counter.php /Bv3wF1uHKG/ # Reference: https://www.virustotal.com/gui/file/fd00307c2ea5313be921b31b2c9ddad5a5cd0df4bcf81814d07243fdf24fbc49/detection http://108.62.118.17 # Reference: https://hybrid-analysis.com/sample/f8991e3f7b524edc26a64543b57dd3f7cd69a2f8b04ce934d9334bf8ade8b396 sgd.servehttp.com # Reference: https://twitter.com/StopMalvertisin/status/1575427033504501760 # Reference: https://www.virustotal.com/gui/file/0a9d7369a1c4cb32172404abd4e1a6c5aa35a674b4bfdcca81dc909b0f047b65/detection filestorel.eastus.cloudapp.azure.com # Reference: https://twitter.com/noexceptcpp/status/1578403486181560322 # Reference: https://app.any.run/tasks/218fcddb-49f5-4eaa-9ea3-8d22535c2a1d/ http://20.70.3.186 104.129.205.92.host.secureserver.net nmp20887a02021498.s3.amazonaws.com /contgmx/clientes.php /.Nfe1456345340/ # Reference: https://twitter.com/1ZRR4H/status/1592906505363542016 http://185.191.228.227 18.231.179.202:65535 192.95.55.50:28322 192.95.55.50:45774 # Reference: https://twitter.com/Merlax_/status/1594862075897339904 http://192.95.6.196 # Reference: https://twitter.com/Merlax_/status/1594862079734857728 http://138.99.74.213 http://170.82.181.99 http://185.153.176.148 http://186.249.213.178 http://191.96.4.160 http://191.96.5.221 # Reference: https://twitter.com/Merlax_/status/1598875723602989056 http://138.99.74.21 http://186.249.213.225 # Reference: https://twitter.com/Merlax_/status/1603854200605184035 http://138.99.74.212 http://15.235.193.43 http://186.249.213.221 http://201.14.45.23 # Reference: https://twitter.com/Merlax_/status/1619666797879255041 http://149.56.91.172 http://177.73.101.138 http://186.249.213.39 http://188.121.116.157 http://52.67.94.240 http://54.221.142.212 http://89.223.88.138 54.221.142.212:28551 /eliteseguros/autorizar.php # Reference: https://twitter.com/Merlax_/status/1624239435033329665 http://20.68.30.50 maxfoxchatdestfalouro.com thylachatmarcamarketin.com minha-faturaecurit-vivoinforma.securitytactics.com # Reference: https://twitter.com/malwrhunterteam/status/1625055108273676293 # Reference: https://twitter.com/1ZRR4H/status/1625163730081263622 cortafogoempresarial.shop contratacao.blob.core.windows.net /calcaseroupasbr/qabzchxbp4pfpkr /calcaseroupasbr/ /qabzchxbp4pfpkr # Reference: https://twitter.com/petrovic082/status/1641357912361558017 # Reference: https://twitter.com/JAMESWT_MHT/status/1641367455300714496 # Reference: https://app.any.run/tasks/e38d130b-4e0b-4ea3-a540-33e88a766bed/ 4.204.223.50:4389 # Reference: https://twitter.com/StopMalvertisin/status/1653317890131763201 # Reference: https://www.virustotal.com/gui/file/079ee055b833a515f7fb0d5e7964ebf4f78457de7215f44e3d14a8a0b01a41fc/detection http://20.14.172.115 # Reference: https://twitter.com/Dkavalanche/status/1659931870807638017 # Reference: https://twitter.com/Merlax_/status/1659939922168496129 104.234.200.30:443 20.121.15.3:3894 factura-mail.hopp.to factura.hopp.to facturapdf.hopp.to facturaxml.hopp.to # Reference: https://twitter.com/Dkavalanche/status/1669440086776205345 15.228.233.242:9719 18.228.23.145:7969 18.230.134.37:14866 54.233.246.105:40881 54.233.246.105:9515 olikes.likes-pie.com ompimorpgsflofb.for-the.biz rolosoolgjosflofb.health-carereform.com # Reference: https://twitter.com/Ttargaryen1/status/1691555443875655949 # Reference: https://twitter.com/Ttargaryen1/status/1691556540606513248 # Reference: https://app.any.run/tasks/a7dbd8b8-87d6-47f3-b570-9e032c446bd7/ 18.229.123.232:41005 18.229.123.232:9519 18.231.112.86:9515 54.232.20.194:8815 bjejofphrsflrmm.merseine.com gbfhpspdljfsflrmm.mysecuritycamera.org projetosam.page.link rinafluvialytproducciones.australiasoutheast.cloudapp.azure.com rolosoolgjosflrmm.mysecuritycamera.org thantv.worse-than.tv /OnrlcTEc.xml # Reference: https://twitter.com/Ttargaryen1/status/1641133397325017088 # Reference: https://www.virustotal.com/gui/file/ad13b322af32b0966edc156beb9ca83d82a0bbc6c6cf49d10cc77ebdace76fa3/detection fastcomerciouniverso.com savanachatdelivery.northeurope.cloudapp.azure.com # Reference: https://twitter.com/James_inthe_box/status/1702061706028175853 # Reference: https://app.any.run/tasks/78d2c46f-2627-4b9b-89ed-e44c12362dee/ 18.231.102.112:4318 18.231.112.86:4318 18.229.136.62:157 18.229.136.62:26978 18.229.136.62:4317 soluttionacorreougr.westus3.cloudapp.azure.com # Reference: https://twitter.com/James_inthe_box/status/1706358071336096123 # Reference: https://app.any.run/tasks/d8906703-56da-446c-ad4c-a43c8885b666/ 177.71.234.117:4261 177.71.234.117:18451 /idgIzsnF.xml # Reference: https://www.virustotal.com/gui/file/3824b4153dfc569de86f3a1935423eb6035dc73974d06b41bea7b8aee00b37d1/detection # Reference: https://www.virustotal.com/gui/file/ff1c50b1292266ee0ee9c607397071c011ac45b557a48404c81e62cad6c4b195/detection 18.230.74.51:4318 18.230.74.51:4899 remember-and.forgot.her.name # Reference: https://twitter.com/Joseliyo_Jstnk/status/1722186209760350394 # Reference: https://www.virustotal.com/gui/file/0037802d70239004a03345d4f4519a25ae7fe733d762a0383db90fc317cb6193/detection nuestraseguridadmxgob.eastus2.cloudapp.azure.com # Reference: https://twitter.com/N4hualH/status/1725981871514030423 # Reference: https://tria.ge/231118-ayr51aga78/behavioral1 # Reference: https://www.virustotal.com/gui/file/3f84e3c84b232bf415e2306ff0a65b1a2b5bd61badb4228e16ba520e7c098f2b/detection http://62.113.116.144 http://62.113.119.202 # Reference: https://twitter.com/1ZRR4H/status/1728138606173188567 portalvisualizacionseguro.southafricanorth.cloudapp.azure.com # Reference: https://www.proofpoint.com/us/blog/threat-insight/copacabana-barcelona-cross-continental-threat-brazilian-banking-malware http://62.84.98.5 http://77.246.104.202 # Reference: https://twitter.com/Dkavalanche/status/1729582807666557143 cogfactmgsolucionesoinsaarme.eastus.cloudapp.azure.com # Reference: https://twitter.com/Dkavalanche/status/1729638073707696471 18.230.131.153:4318 jiniahfngggbggb.office-on-the.net # Reference: https://twitter.com/1ZRR4H/status/1729732946611851648 15.228.54.44:157 15.228.54.44:19661 15.228.54.44:4917 18.231.148.254:62169 # Reference: https://github.com/eset/malware-ioc/tree/master/grandoreiro # Reference: https://www.virustotal.com/gui/ip-address/185.228.72.38/relations # Reference: https://www.virustotal.com/gui/ip-address/167.114.138.249/relations # Reference: https://www.virustotal.com/gui/ip-address/20.151.89.252/relations # Reference: https://www.virustotal.com/gui/ip-address/66.70.160.251/relations # Reference: https://www.virustotal.com/gui/file/2c01734ff63d041a91d10acdb302ef4ffc400396e34140335e4faa2e3f002dbe/detection # Reference: https://www.virustotal.com/gui/file/305e220e1f1cb506c32bb509f246515e3cba7ec1dabae95298f358d26654bfa6/detection # Reference: https://www.virustotal.com/gui/file/0d5028f8c064b0eea4b7217bfedbfb91bb1c0f8968e7d970c7ed68d47936fb9a/detection http://178.20.45.23 http://62.84.100.225 http://88.210.12.135 http://91.142.72.194 http://50.114.32.81 50.114.32.81:2020 1254-santander.duckdns.org amadeos.no-ip.net atendimentoos.duckdns.org baiaknew.ddns.net f3kstab1uaoetjg.freedynamicdns.org f3kstbw0tjphtjk.freedynamicdns.org f3kstkk1wao2tar.freedynamicdns.org f3kstkk1wqo2tar.freedynamicdns.org ftpxtab1sqtltjg.freedynamicdns.org ftpxtaf1sjs4taj.freedynamicdns.org ftpxtar1ujtjtak.freedynamicdns.org ftpxtas1wzo2tbo.freedynamicdns.org ftpxtaw1xqs3tag.freedynamicdns.org ftpxtbo1uatltjk.freedynamicdns.org ftpxtbs0tzthtkw.freedynamicdns.org ftpxtbw0sathtjo.freedynamicdns.org ftpxtjf1sqo4tbf.freedynamicdns.org ftpxtjf1tqtitkb.freedynamicdns.org ftpxtjg0sas2taj.freedynamicdns.org ftpxtjn1tzoftjb.freedynamicdns.org ftpxtjw0sapktar.freedynamicdns.org ftpxtjw0xqpktbs.freedynamicdns.org ftpxtkk1sqo1tjw.freedynamicdns.org ftpxtko1wqoftjb.freedynamicdns.org ies2tbw0sas2taf.freedynamicdns.org j2xutar1xqtmtak.freedynamicdns.org j2xutbb0uas4tab.freedynamicdns.org j2xutbf0wqs5taf.freedynamicdns.org j2xutjb0xjpjtbs.freedynamicdns.org knsxtaj1wao1tjw.freedynamicdns.org knsxtaw1xqoetjj.freedynamicdns.org knsxtjk0sqs3tbw.freedynamicdns.org knsxtkk1sao4tbf.freedynamicdns.org ldaztao1sqtltag.freedynamicdns.org ldaztao1szo3tbk.freedynamicdns.org ldaztas1xatktjk.freedynamicdns.org ldaztjk0wzs3tbw.freedynamicdns.org ouvidoria.duckdns.org santander-br.duckdns.org santanderday.duckdns.org valtarga.ddns.net # Reference: https://twitter.com/Dkavalanche/status/1752425961876779408 # Reference: https://app.any.run/tasks/862f9c7e-213f-4351-ba06-b2f1de53de0c/ 15.229.116.173:18556 15.229.116.173:4917 # Reference: https://twitter.com/Merlax_/status/1752509628347216132 # Reference: https://app.any.run/tasks/1b25da9f-dd38-45ab-9137-aeae29464431/ 15.228.255.38:157 15.228.255.38:4917 15.228.255.38:50814 54.207.104.144:52256 # Reference: https://twitter.com/1ZRR4H/status/1755999160862482926 afipconsudeclaracioncontrib.westus3.cloudapp.azure.com buzntribtacion.italynorth.cloudapp.azure.com chwzfacservconsudigitales.switzerlandnorth.cloudapp.azure.com efacdigitalservonsultcris.westus3.cloudapp.azure.com eyedocservicioconserfec.westus3.cloudapp.azure.com lvetfacdigitalservconsultibsc.westus3.cloudapp.azure.com stoconecservstalcloudytz.westus3.cloudapp.azure.com sycleanservicioconsultc.swedencentral.cloudapp.azure.com sycleanservicioconsultcon.westus3.cloudapp.azure.com tocmacipd.australiaeast.cloudapp.azure.com upohfacdigitalservconsultiyun.swedencentral.cloudapp.azure.com wattservicioconsulcroncl.swedencentral.cloudapp.azure.com yunfacdigitalservconsultbls.swedencentral.cloudapp.azure.com # Reference: https://twitter.com/1ZRR4H/status/1755949113646981557 # Reference: https://www.virustotal.com/gui/ip-address/15.228.167.91/relations camerahousebusiness.dvrcam.info ctifacdigitservconsulentif.westus3.cloudapp.azure.com pcuippbjcopfoplfb.access.ly f3kstan1tas0tkk.freedynamicdns.org f3kstbw0tqsdtjn.freedynamicdns.org j2xutaf1xqo4tjk.freedynamicdns.org j2xutkk1wqpltjg.freedynamicdns.org ldaztaw1xqsztas.freedynamicdns.org ldaztjb0xao2tbk.freedynamicdns.org # Reference: https://twitter.com/seguridadyredes/status/1757675287137972595 # Reference: https://www.virustotal.com/gui/ip-address/198.50.222.174/relations # Reference: https://www.virustotal.com/gui/file/297b92d9c014268213e15ef7c1adde58879eff0c2c8d9239ebfaa49ef7f6ec65/detection http://198.50.222.174 a424b5e0045505b.zapto.org ftpxtbf0szo1taj.freedynamicdns.org /Scdfr5.zip # Reference: https://twitter.com/1ZRR4H/status/1757954866813563300 # Reference: https://twitter.com/voidm4p/status/1758102818236338393 # Reference: https://twitter.com/johnk3r/status/1760014996854247552 18.230.211.48:30657 18.230.211.48:4318 edrfacdigitservconsulospl.westus3.cloudapp.azure.com health.health-carereform.com icafacdigitservconsulgarc.swedencentral.cloudapp.azure.com /BFQcxLymGo.xml # Reference: https://twitter.com/V3n0mStrike/status/1773450543056257447 # Reference: https://twitter.com/pollo290987/status/1773504555763855426 18.228.118.198:34950 18.228.224.29:157 18.228.224.29:4317 18.228.224.29:55842 18.230.202.197:15375 aenfacdigitaclav.switzerlandnorth.cloudapp.azure.com aljfacdigitastr.norwayeast.cloudapp.azure.com efranfacdigitaanglur.norwayeast.cloudapp.azure.com hamfacdigitasto.swedencentral.cloudapp.azure.com kwifacdigitntca.switzerlandnorth.cloudapp.azure.com lsuppfacdigitafiscaligy.swedencentral.cloudapp.azure.com portabledocformat.uksouth.cloudapp.azure.com tplfacdigitaoperacion.switzerlandnorth.cloudapp.azure.com # Generic /Adkflgog30.iso /dyngcdnefn_03.iso /nivyjlzhdj_04.iso /nnkokysdggit.iso /obmkumjoxq_05.iso /ugqvhozczb_04.iso /yqcnfempzc.iso /ronivon.txt /BR01?NF-eBR102822MY91822BT1 /BR02?NF-eBR102822MY91822BT1 /BR01/?NF-eBR102822MY91822BT1 /BR02/?NF-eBR102822MY91822BT1 /?NF-eBR102822MY91822BT1