# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://twitter.com/James_inthe_box/status/1099786490144448512 advancedepartametno.com # Reference: https://twitter.com/James_inthe_box/status/1126809601825918978 instalacionez.com # Reference: https://twitter.com/JAMESWT_MHT/status/1143875234707181568 # Reference: https://app.any.run/tasks/2ef75909-daa7-45f1-83bc-dfe3ead3ac61/ trabalhoonline.webcindario.com # Reference: https://twitter.com/SoulRage6/status/1146073224045838337 /nossasrdaga/brume.php # Reference: https://twitter.com/0bfusCat/status/1155406244062121984 descargasdocx.com # Reference: https://twitter.com/MisterCh0c/status/1186712875743825920 leavenois.com # Reference: https://twitter.com/JAMESWT_MHT/status/1235558960314400768 # Reference: https://app.any.run/tasks/6cef1963-4881-4f7f-b877-198cfd7eaf17/ mab2020.duckdns.org mundonlop.duckdns.org newtroll-megatron.duckdns.org pumex-new.duckdns.org # Reference: https://twitter.com/3rg4f4/status/1270308334743289860 smsinformativo.com # Reference: https://twitter.com/0bfusCat/status/1181529470475362304 # Reference: https://app.any.run/tasks/f6d7cc92-3215-4103-baeb-eb424016f885/ compraca.000webhostapp.com # Reference: https://twitter.com/SoulRage6/status/1146073224045838337 http://31.207.35.50 # Reference: https://twitter.com/JAMESWT_MHT/status/1299324645787742208 http://34.95.246.154 # Reference: https://app.any.run/tasks/17349d53-0d4e-4857-90a0-9f5dd68385b2/ st-gerrard-const.com/wp-content/themes/twentyfifteen/ perfectart.com.br/ebos/ # Reference: https://app.any.run/tasks/f869690a-e3d1-43e4-a61f-18d05a948e10/ shortsalepontevedra.com/coun7/ # Reference: https://twitter.com/JAMESWT_MHT/status/1328704334721323009 # Reference: https://app.any.run/tasks/2be10df3-e594-4118-9d36-6b93041ec73c/ flsdcment.site sededgtgoes.online # Reference: https://twitter.com/JAMESWT_MHT/status/1328714844573413377 # Reference: https://app.any.run/tasks/d827010e-453c-4d89-8128-20b82832f5ab/ # Reference: https://www.virustotal.com/gui/file/4d45380cd5fdf967988c4f239f61827ad9a80a4d9abcfbddf6e656d9dcc50f58/detection 45.35.104.213:8989 covidezenove.online myd9hzd8cheab.winconnection.net # Reference: https://twitter.com/dgarcianet/status/1352235429160955904 # Reference: https://www.virustotal.com/gui/file/7c019dca867ba21a5d8bb6eabd5750d0f06778fb82ff8866d4900a793d7bcc5c/behavior/C2AE http://40.112.173.153 # Reference: https://twitter.com/1ZRR4H/status/1359963801819430914 # Reference: https://www.virustotal.com/gui/file/66797ef1761fd243a48829335d9e34781cbef324090497897462bf1a5ce0cb39/detection 104.214.107.176:79 gemare.com.br//conteudo/TGR/descarga.php selfhelpwomendevelopment.com/wp-includes/images/mail/descarga.php # Reference: https://cofense.com/blog/autohotkey-banking-trojan/ # Reference: https://www.virustotal.com/gui/file/4e69e794a688f94bd865b9905f2e8cc84bf17d282020ff08f2f56b42f1ffd305/detection es.sslhermanos.com # Reference: https://twitter.com/JAMESWT_MHT/status/1385156068721012736 # Reference: https://twitter.com/D3LabIT/status/1385151472216776704 # Reference: https://app.any.run/tasks/e48dfdc7-fd3e-4d77-a03a-eeeb458bc909/ conlazionzzytz.eastus.cloudapp.azure.com contecalculacion.eastus.cloudapp.azure.com piazzimulobanquituto.com # Reference: https://twitter.com/JAMESWT_MHT/status/1386976751247634441 amlsempg.com ilavorianmosy.eastus.cloudapp.azure.com multipicas.eastus.cloudapp.azure.com # Reference: https://twitter.com/ESETresearch/status/1387384460568666117 # Reference: https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/ # Reference: https://twitter.com/ESETresearch/status/1387384464905547779 apssitemarquivrft.francecentral.cloudapp.azure.com torressircontes.eastus.cloudapp.azure.com # Reference: https://twitter.com/petrovic082/status/1388180117642432515 moveisji.com.br/archivos/ # Reference: https://twitter.com/1ZRR4H/status/1408252818272751621 jinhuidabio.com/reports/words/mail.php arbonato.com.br/Maxx/sowns/HR13I5MD0ASC5J.php # Reference: https://twitter.com/dgsecnet/status/1519263981231296516 http://20.233.43.99 http://20.92.88.38 meuinformativo2.serveblog.net # Reference: https://github.com/CronUp/Malware-IOCs/blob/main/2022-05-10_Mekotio_MTT_CL thangloitaynguyen.com espatron2022.est-le-patron.com anders-wirken.de/wp-content/languages/Hs56ety2hTg011If56s.coc bremermee.nl/wp-content/languages/MTT0001450001.zip /lib/jquery/grood/1101/3t1x2oBj19sH33.php # Reference: https://twitter.com/1ZRR4H/status/1537539651279405062 # Reference: https://www.virustotal.com/gui/file/980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0/detection http://45.147.197.223 http://51.12.218.142 # Reference: https://twitter.com/pr0xylife/status/1537850595981369344 upfdigital.com gomho.upfdigital.com johnickowiczdds.com/wp-admin/telcel.nec /wp-admin/01/02/gigo.php # Reference: https://twitter.com/StopMalvertisin/status/1539171329223831552 http://20.239.69.60 # Reference: https://twitter.com/1ZRR4H/status/1540387288538120192 # Reference: https://twitter.com/Dkavalanche/status/1540113368517935104 # Reference: https://www.virustotal.com/gui/file/db9c0fd3a144ea0a24d8d65841ae94f7336ed420428dd455ed4b27ac081949c5/detection http://20.26.198.176 http://20.91.202.137 serviceares.hopto.org # Reference: https://twitter.com/StopMalvertisin/status/1540044306068951040 # Reference: https://www.virustotal.com/gui/file/8e815b6b13c7cef7d6152ff50d07f217420e185eddcc247a9a92dbfd1787e6e9/detection steromask.fr # Reference: https://twitter.com/SeguInfo/status/1542234908491497472 # Reference: https://www.virustotal.com/gui/file/0d16d92c0f451848fbd8d2b255991103c05c84fafbef9978b1aac22578928e4d/detection # Reference: https://www.virustotal.com/gui/file/5e9dc457e117fa875057e9fc29a7b9c3116efec912ccc2e4d4eab49e5e55a486/detection http://20.91.206.86 http://51.132.148.124 pro112.dynuddns.com # Reference: https://twitter.com/StopMalvertisin/status/1545324970246815744 hcservice.us continentepecas.com/adm.puc veroford.com/setup/brume.php # Reference: https://twitter.com/StopMalvertisin/status/1546556580153688065 http://15.228.54.95 http://18.231.189.164 contactopersonas.com ww2www.contactopersonas.com /837617263768912/avionic.mec /con010923/brume.php /connnnnnnnnnntxt/config.txt /connnnnnnnnnntxt/ # Reference: https://twitter.com/StopMalvertisin/status/1549102875829477376 sameh-advisor.com junho2022.serveftp.org # Reference: https://twitter.com/1ZRR4H/status/1551278194560585732 http://18.234.175.226 # Reference: https://twitter.com/StopMalvertisin/status/1556909994586808320 http://192.64.114.228 http://63.250.35.10 # Reference: https://twitter.com/StopMalvertisin/status/1570316886285623298 # Reference: https://www.virustotal.com/gui/file/e64aacfe45af89033778c8149b059c7c5acc56a3a8a89b0695d22d770384eb6b/detection http://20.0.2.192 http://20.168.7.145 20.163.5.160:5060 titiopatas4599.hopto.org # Reference: https://twitter.com/StopMalvertisin/status/1573360173967888386 # Reference: https://www.virustotal.com/gui/file/65a08bcf5f98500a3870786cbd0688e6dc5317b440648d10cfe8a80189f26198/detection # Reference: https://www.virustotal.com/gui/file/de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a/detection http://20.234.231.114 http://20.254.53.47 meupixx22.hopto.org # Reference: https://www.virustotal.com/gui/file/9a8d1314b3cbcbda7dd374fbfe7e8a1289b2d8f9d0bcce1f29febb72669c5345/detection afcasa.hopto.org # Reference: https://twitter.com/StopMalvertisin/status/1547495960783495168 abelcare.co.uk # Reference: https://twitter.com/StopMalvertisin/status/1583710230940028928 # Reference: https://twitter.com/StopMalvertisin/status/1583710237319581696 # Reference: https://www.virustotal.com/gui/ip-address/64.188.27.119/relations # Reference: https://www.virustotal.com/gui/file/081cad61936b76619df3e495b1f8edb80c32533cabee11308fbe7a1cd6dcb2a1/detection # Reference: https://www.virustotal.com/gui/file/73709989c2bc864eaac863974a65aa50a3e740e7796daaa726f96975a33b93c3/detection # Reference: https://www.virustotal.com/gui/file/67b0763fa0c849e0fa4e9159f48cc8adf9684dd62a55a6379d5ff1a4215af87f/detection 107.175.72.131:8889 64.188.27.119:2020 newfutura.eu segurofuturex.ddns.net # Reference: https://twitter.com/Dkavalanche/status/1587583140817768448 jogovirou.serveblog.net # Reference: https://twitter.com/Dkavalanche/status/1590886788864049153 102.37.146.215:6742 20.49.180.84:4682 jobwes.3utilities.com sulgran.servegame.com voltasorte.3utilities.com # Reference: https://twitter.com/Merlax_/status/1591064695066148864 fuhsufiuhfoiurfhesiryghfgfr.japaneast.cloudapp.azure.com irihiuhfiuhiyrhguydrgh.switzerlandnorth.cloudapp.azure.com ofishrohfourdhgiouhgiouruhff.northeurope.cloudapp.azure.com vm3861641.25ssd.had.wf vm3925833.1nvme.had.wf # Reference: https://twitter.com/Merlax_/status/1589947797042008065 http://172.105.24.64 http://51.103.211.106 viwey.koreacentral.cloudapp.azure.com /EMKT_CURSO_775-5693/47940.024663/ # Reference: https://twitter.com/Dkavalanche/status/1591208796965474304 20.49.180.84:6228 foreversoft.servegame.com # Reference: https://twitter.com/Merlax_/status/1594080984130998273 http://45.82.69.152 http://80.85.142.64 13.67.219.10:7779 145.239.39.140:2030 20.162.195.251:7779 5.196.214.1:2020 # Reference: https://twitter.com/Dkavalanche/status/1594093798363369472 20.168.210.3:7429 20.208.43.58:4682 financeirotaller.gleeze.com lifenova.ooguy.com # Reference: https://twitter.com/Merlax_/status/1591436327194710016 107.175.72.131:2020 20.226.43.19:5556 globast3.s3.eu-central-1.amazonaws.com # Reference: https://twitter.com/Merlax_/status/1598764864738033680 # Reference: https://twitter.com/Merlax_/status/1598764867770515467 http://13.67.219.10 http://145.239.39.140 http://172.173.207.185 http://191.252.100.96 http://20.162.195.251 http://20.4.226.118 185.101.93.102:5892 185.101.93.138:7779 185.101.93.170:7090 185.101.93.95:2030 37.228.132.205:2380 37.228.132.207:7779 # Reference: https://twitter.com/Merlax_/status/1602407445048983553 http://37.228.132.153 http://37.228.132.91 http://45.132.106.78 http://45.87.3.238 172.173.207.185:2380 191.252.100.96:7090 # Reference: https://twitter.com/Merlax_/status/1603057915610497029 # Reference: https://twitter.com/Merlax_/status/1603057918408097792 # Reference: https://twitter.com/Merlax_/status/1603057921138589698 20.56.98.139:5060 astyhb.eastus2.cloudapp.azure.com # Reference: https://twitter.com/Dkavalanche/status/1603148512446873601 # Reference: https://twitter.com/Dkavalanche/status/1614626593258835970 185.101.93.181:5892 honranova.giize.com trabajoar.theworkpc.com # Reference: https://twitter.com/noexceptcpp/status/1606434459724795904 /2382799-06.8601.cDX.9191/clientes.php /2382799-06.8601.cDX.9191/ /3973205-45.2022.3.00.4661-03-11-2022/4154012-20.5478.ZxY.9919.html /3973205-45.2022.3.00.4661-03-11-2022/ /4154012-20.5478.ZxY.9919.html # Reference: https://twitter.com/Merlax_/status/1606707407362658306 http://185.101.93.170 172.173.223.15:2382 185.101.93.181:4682 23.106.215.78:2030 4.231.106.159:7429 ufwetyz.uksouth.cloudapp.azure.com # Reference: https://twitter.com/Merlax_/status/1612827626967638017 http://185.101.93.138 http://185.101.93.95 http://185.101.94.186 http://37.228.132.205 http://37.228.132.207 http://37.228.132.40 172.174.70.30:7779 # Reference: https://twitter.com/Merlax_/status/1612886096899366913 bastefac.uksouth.cloudapp.azure.com honra.uksouth.cloudapp.azure.com # Reference: https://twitter.com/Merlax_/status/1613893870827495425 sysofficereconsiderar.com # Reference: https://twitter.com/1ZRR4H/status/1616097608887418881 # Reference: https://twitter.com/Merlax_/status/1616126832449052673 # Reference: https://www.virustotal.com/gui/file/964fbbc3b3a80e3e378e88f8c523d72e539ba06e46643ed212bc0609871fff4e/detection # Reference: https://www.virustotal.com/gui/file/9c4b5b90c3c5f5dd0760bb40e831ef7cbbe8d0a70e3a12516151cba8d6fb0c5d/detection 15.228.46.182:5050 15.229.0.61:3081 janeiro2023.duckdns.org # Reference: https://twitter.com/1ZRR4H/status/1614071021761339392 # Reference: https://twitter.com/Merlax_/status/1614119705018523649 alzi3ka2-4twkfsnnqq-wl.a.run.app gamesstonert.serveirc.com # Reference: https://twitter.com/Merlax_/status/1614765313626628096 # Reference: https://twitter.com/Merlax_/status/1614765319293177856 185.101.92.25:8090 betamixstudiomax.hopto.org # Reference: https://twitter.com/Merlax_/status/1615090812492062722 # Reference: https://www.virustotal.com/gui/file/cceff9a60a3653478d7ea25a181b3506112f712751652ce06d4269012269b087/detection http://185.101.92.241 20.70.210.14:3040 51.120.2.28:3030 gamesstrond2.servebeer.com # Reference: https://twitter.com/Merlax_/status/1616163628553486346 http://18.216.179.202 20.203.201.160:5060 37.228.132.212:7779 # Reference: https://twitter.com/Merlax_/status/1617705932116619264 http://185.101.93.178 185.101.93.102:4823 80.89.239.12:2325 jornada.uksouth.cloudapp.azure.com # Reference: https://twitter.com/Dkavalanche/status/1622372174831951879 http://185.101.92.9 http://185.250.205.88 http://37.228.132.199 # Reference: https://twitter.com/Dkavalanche/status/1623456458464702468 185.101.93.102:4823 37.228.132.206:4823 fatura-vivo-combr.online nelore.gleeze.com sendonly.fatura-vivo-combr.online # Reference: https://twitter.com/SeguInfo/status/1630325475452112898 # Reference: https://www.virustotal.com/gui/file/5e04f7e34dfb3324bc1d30d89fe1eaafd48233742b068845ce1454762742218d/detection # Reference: https://www.virustotal.com/gui/file/33f71ae4c8eb3c46a196bb42e321fff5aed2e778912a2bacda83efea654bf447/detection http://20.222.143.29 37.228.132.215:9999 # Reference: https://twitter.com/Dkavalanche/status/1630694677815914504 37.228.132.206:8847 erasorte.kozow.com pyubyw.giize.com legado.japaneast.cloudapp.azure.com # Reference: https://twitter.com/Merlax_/status/1631413618800574465 172.93.201.197:9998 37.228.132.185:10100 40.80.88.104:8088 65.21.64.36:9099 belcion.japaneast.cloudapp.azure.com grupofuturama.eu # Reference: https://www.virustotal.com/gui/file/f8a0a352e40483190ec0800b911e606f50e225dcadc586bf12ead5a5b89eb133/detection 64.44.101.158:3030 # Reference: https://www.virustotal.com/gui/file/f13f2c45dab25a264e188b82038cf67f0618b66f894cf6ec8a4edbafc67427e7/detection 154.16.113.204:3020 newyorknewyorknewn.onthewifi.com # Reference: https://www.virustotal.com/gui/file/b157b06121739a3ba665847125df05b49cde1d661057f3de11b68129e6366dd6/detection http://107.158.94.13 /contadores/index.php # Reference: https://www.virustotal.com/gui/file/8da0f6a428f557f2e09dc513b2026500bbedc6007f6094073e72d284863e771b/detection 107.158.94.13:3020 # Reference: https://www.virustotal.com/gui/file/58bbf396c8703d578e50f872884d7e17307d5b0f231e3912d0b7785c71572dc6/detection 64.44.101.158:3030 au65.gotdns.ch # Reference: https://www.virustotal.com/gui/file/407bed4acae33f7617255658951ced85a7e5a5ff2d544b531de732674afb2193/detection 172.93.201.40:3020 # Reference: https://twitter.com/Dkavalanche/status/1633256558158118913 # Reference: https://threatfox.abuse.ch/ioc/1086480/ # Reference: https://www.virustotal.com/gui/file/55a51de3053671f2fca350fc7c158510042735051b2debfdf5f82a9193d7d688/detection http://23.102.91.186 185.101.93.192:9997 # Reference: https://twitter.com/Merlax_/status/1633595021466148866 http://138.68.136.2 /unvjnguvkhcinpno/73640.827263/ /unvjnguvkhcinpno/ # Reference: https://twitter.com/Merlax_/status/1633601968944840707 20.81.185.81:5400 # Reference: https://twitter.com/JAMESWT_MHT/status/1636358586979819521 # Reference: https://tria.ge/230316-qf33jsdc2w/behavioral1 20.251.14.187:8899 # Reference: https://twitter.com/Merlax_/status/1636797377276411904 50.114.32.153:9002 50.114.32.33:9001 utj7u1gisugxxvptn2z.zapto.org # Reference: https://www.virustotal.com/gui/file/6914cb316d86e5a6063a1c7edaf584298a333796bc7f7bf8bd4032642417df4d/detection http://81.19.141.64 # Reference: https://twitter.com/JAMESWT_MHT/status/1639174777884516353 nabf-2j6pxlwduq-uc.a.run.app # Reference: https://twitter.com/JAMESWT_MHT/status/1640240028126265347 mdhc-emf5vs6xwq-uc.a.run.app # Reference: https://twitter.com/JAMESWT_MHT/status/1640263790641000448 eurt-emf5vs6xwq-uc.a.run.app # Reference: https://twitter.com/Ttargaryen1/status/1641133397325017088 # Reference: https://twitter.com/Ttargaryen1/status/1641133635842473999 # Reference: https://tria.ge/230329-ws6xvsba31/behavioral1 restauranterota152.brazilsouth.cloudapp.azure.com topgearagainsix.uksouth.cloudapp.azure.com /js/Soup2018x.system32 /Soup2018x.system32 # Reference: https://twitter.com/Merlax_/status/1642935684292804609 # Reference: https://www.virustotal.com/gui/domain/corp73p5dao.com.de/relations # Reference: https://www.virustotal.com/gui/file/2152ce21b9e6a53b97eedc4bbf24351d9a31b603293e48c57cfd1f88a0bbfc5b/detection http://79.133.121.107 45.35.6.2:9001 corp73p5dao.com.de a.corp73p5dao.com.de e.corp73p5dao.com.de h.corp73p5dao.com.de i.corp73p5dao.com.de l.corp73p5dao.com.de s.corp73p5dao.com.de server6.corp73p5dao.com.de ssl3.corp73p5dao.com.de ssl7.corp73p5dao.com.de # Reference: https://twitter.com/Merlax_/status/1643009519885090817 20.251.10.230:8899 20.224.3.99:4040 tornesgmalopwej1.servemp3.com # Reference: https://twitter.com/Merlax_/status/1643009522032693251 182.75.172.34.bc.googleusercontent.com 203.218.29.34.bc.googleusercontent.com 37.27.31.34.bc.googleusercontent.com # Reference: https://twitter.com/JAMESWT_MHT/status/1648238717067198465 90.4.154.34.bc.googleusercontent.com lkdyglkd-emf5vs6xwq-uc.a.run.app # Reference: https://twitter.com/JAMESWT_MHT/status/1649304189070188544 120.124.70.34.bc.googleusercontent.com dfghjkfghk-4gykhommfa-uc.a.run.app # Reference: https://twitter.com/Merlax_/status/1651696436013068290 185.101.94.126:7956 185.101.94.22:9992 20.5.65.48:4040 51.120.247.2:8899 novachance.giize.com # Reference: https://twitter.com/Merlax_/status/1653533786607439872 # Reference: https://www.virustotal.com/gui/file/e22a215c263b61d1b4ae976b9ec89e2f1581b32a2eaf94287cfd5420241918ec/detection # Reference: https://www.virustotal.com/gui/file/3ba67edaa6831855efcacf0460a2af52032724dafebb3a8f6e0625369cd98009/detection http://45.67.208.208 104.234.200.29:3306 104.234.200.29:5400 104.234.30.224:3306 104.234.30.224:5400 artsnetshoresaways.hopto.org /e91ea04ea2041d539540e/73640.827263/ # Reference: https://twitter.com/Merlax_/status/1654904040906530817 185.225.74.100:8847 20.239.166.4:4050 37.228.132.123:7956 4.240.84.251:4040 78.47.145.94:7070 # Reference: https://github.com/merlax/Mekotio/blob/main/IOCs_12-05-2023 http://116.203.184.213 102.37.146.123:8899 103.145.13.111:8890 15.228.13.156:9995 18.223.102.186:9988 18.231.161.239:6488 181.41.200.72:0902 188.191.106.171:9999 20.25.181.202:5050 24.152.36.75:9001 38.54.57.153:7890 45.143.223.193:7890 50.114.32.234:9002 52.67.134.119:3081 3wwzkd3svxhctsiylan.zapto.org bazuca2022.ddns.net bazuca20233.hopto.org filejurere23.hopto.org gamespursigmers.giize.com horaplus.gleeze.com louvgamersmp1.ddnsgeek.com maximlinum.xyz primeiradoano.servebeer.com segundadoano.servequake.com terceiradoano.bounceme.net zapaosnester.com # Reference: https://twitter.com/Merlax_/status/1659652152543813652 167.114.4.172:9001 18.118.78.11:3081 20.121.119.89:5050 # Reference: https://threatfox.abuse.ch/browse/malware/win.mekotio/ http://34.29.127.135 http://35.226.160.162 102.37.152.149:3040 102.37.155.46:10002 15.229.26.142:10003 185.101.93.170:80 185.101.93.178:80 185.101.94.149:10004 45.81.224.52:10100 64.44.101.158:10100 80.85.139.45:10200 newhonra.westeurope.cloudapp.azure.com yagoeallanaadegaltda.sellsyourhome.org # Reference: https://twitter.com/1ZRR4H/status/1678264825288196096 18.191.155.176:9995 /wp-content/plugins/--/online/?cid= /plugins/--/online/?cid= # Reference: https://twitter.com/Merlax_/status/1678524497702576128 http://20.206.241.68 http://52.159.123.0 20.206.241.68:6400 52.159.123.0:443 52.159.123.0:6400 mlenvioscoleta.com # Reference: https://twitter.com/1ZRR4H/status/1671846979616292864 # Reference: https://twitter.com/1ZRR4H/status/1674967428625735681 # Reference: https://twitter.com/Merlax_/status/1665820048190058504 # Reference: https://twitter.com/Merlax_/status/1665840922599518208 # Reference: https://twitter.com/Merlax_/status/1672351823703982081 # Reference: https://twitter.com/Merlax_/status/1676546469808209925 # Reference: https://twitter.com/Merlax_/status/1680026095746183168 # Reference: https://twitter.com/V3n0mStrike/status/1679535948537683986 # Reference: https://twitter.com/V3n0mStrike/status/1679543507738828812 # Reference: https://www.virustotal.com/gui/file/6dfd76c513f8c4216b7c0efeab797f22db13bb265fafffbb69d735b64801c4a8/detection # Reference: https://www.virustotal.com/gui/file/80e53958df78b0386ac91b142a6a0541240921c3b475fc27359205e212bad319/detection # Reference: https://www.virustotal.com/gui/file/969c4d790314beca402ba8cc253ceb9af856c1ed22aae512e245a9538ea86b95/detection # Reference: https://www.virustotal.com/gui/file/a9e9f807b2f8061fb98d1ceda1e2d0a1b88e1935b7592d206c0b8324c1aa6e23/detection http://5.189.204.31 103.145.13.111:9910 137.135.127.65:5603 142.44.232.43:9002 144.217.42.72:9001 148.163.126.62:5678 15.229.117.18:3081 154.49.247.76:9002 158.69.110.219:9002 158.69.167.489002 167.88.164.34:7957 172.81.61.183:5678 172.86.76.129:9999 185.101.93.178:6829 199.127.60.214:5080 213.227.155.58:9999 3.99.207.157:7957 34.210.155.57:9995 37.120.222.88:7890 37.228.132.123:8841 38.54.115.27:7777 40.121.34.71:9001 44.201.214.55:7957 50.114.32.122:5678 50.114.32.235:9099 51.222.135.161:9002 51.38.160.149:8841 89.44.9.236:9911 catrinavc.shop engeclimathi.com louvstargamp.webredirect.org messi.serveblog.net nuevogomelove.webredirect.org slrbxtjgptm3fqj6wv.com.de 2.slrbxtjgptm3fqj6wv.com.de /dasssashytsrfwewdw4w432dcadssswe32dsfwywyw67wjjehnsbvcdfreyd.php # Reference: https://twitter.com/JAMESWT_MHT/status/1687351852931624960 # Reference: https://twitter.com/reecdeep/status/1687468105633529856 # Reference: https://app.any.run/tasks/d782065e-425d-4aef-9edb-ece8c16e3802/ 146.70.24.214:4422 gamespokerstort.myftp.org # Reference: https://twitter.com/Merlax_/status/1687558327457181696 139.144.212.143:7957 15.228.16.45:3081 185.101.93.63:6829 20.38.37.160:8005 45.66.249.14:5678 # Reference: https://threatfox.abuse.ch/ioc/1137733/ # Reference: https://www.virustotal.com/gui/file/2499279a4745a9fc9a6c2dcdaf7b49fcf47453683ce58e5337cc511eece40861/detection 138.201.149.36:3456 zettafull2023.3utilities.com # Reference: https://twitter.com/V3n0mStrike/status/1688312316134117377 # Reference: https://twitter.com/dark0pcodes/status/1688370183457349632 # Reference: https://www.virustotal.com/gui/file/10f8e9219ac166f36a100ece03687d2854d42ac3a5fabca5df0df78140fd3776/detection # Reference: https://www.virustotal.com/gui/file/d5fa0182851d62cf6774a93eca11de4504e1285e11a548835fcfcf9432fbea4f/detection 172.86.70.241:6255 172.86.70.241:6566 # Reference: https://twitter.com/SeguInfo/status/1703851435077587315 # Reference: https://www.virustotal.com/gui/ip-address/94.158.244.44/relations # Reference: https://www.virustotal.com/gui/file/81d3c8fe425a2f1d0eb57ee9d0f439ed94ff051c56663ed718ad45b4d8a5c166/detection 72.167.133.152:8081 citacionadjunta2.from-oh.com comprobante20234.isa-geek.com # Reference: https://twitter.com/SeguInfo/status/1699869450038554725 # Reference: https://www.virustotal.com/gui/file/d99a73f476e37ecae997fd3eafcde81d124a82aa4acae2863a82977ccb44a383/detection http://34.176.182.245 20.244.39.91:7373 mbvcmv-qfsbndl4da-tl.a.run.app # Reference: https://twitter.com/JAMESWT_MHT/status/1704343266991178164 clientemarazul.com ja2r7.app.goo.gl # Reference: https://twitter.com/SeguInfo/status/1705308358696210620 # Reference: https://www.virustotal.com/gui/ip-address/34.133.80.206/relations # Reference: https://www.virustotal.com/gui/file/8f0af73b1eedc9859bde1077e9cce1d76946335840649b87ddf9a6771b18e476/detection # Reference: https://www.virustotal.com/gui/file/fffe7f3362ade4d911710f2c99b08c04080ea421c0d1ec8fb10658df50b2b303/detection # Reference: https://www.virustotal.com/gui/file/802c9cf7bbc61803594e23eabc5f57797326b4ef312c10b53cec12693de2644f/detection 31.192.107.193:7321 31.192.107.193:7575 servgameslupi.hopto.org 206.80.133.34.bc.googleusercontent.com # Reference: https://twitter.com/Merlax_/status/1707524461610574301 172.104.76.12:7957 20.63.74.107:6060 34.27.40.123:8007 35.232.212.112:8007 45.40.96.49:9900 # Reference: https://twitter.com/jorgemieres/status/1717930609962516745 180.169.136.34.bc.googleusercontent.com 92.253.173.34.bc.googleusercontent.com akzkar-otdxzwqz6a-uc.a.run.app /EMKT_CURSO_775-5693/47940.024665/ # Reference: https://twitter.com/jorgemieres/status/1717940842982223980 # Reference: https://www.virustotal.com/gui/ip-address/146.0.79.25/relations # Reference: https://www.virustotal.com/gui/ip-address/31.192.107.165/relations # Reference: https://www.virustotal.com/gui/file/f2a8532332e041ed0bdf99180ade2217c5eecf17d305d1705d41a7fa28a1f94f/detection # Reference: https://www.virustotal.com/gui/file/fc599a86e79ae4bb95bca1255381493e31001dc98a4fd61930d1899cd35eba25/detection 146.0.79.25:11223 gamesstartf.xyz lupgameso.xyz nuevo2gameslop.xyz # Reference: https://www.virustotal.com/gui/ip-address/146.0.79.23/relations # Reference: https://www.virustotal.com/gui/ip-address/212.237.217.189/relations # Reference: https://www.virustotal.com/gui/ip-address/91.210.107.132/relations # Reference: https://www.virustotal.com/gui/file/f9c3ebadf916ef87a80dbb0a59c6fb1b8a8b305079f3ac05791a6c7db09d262f/detection # Reference: https://www.virustotal.com/gui/file/aea0d4cd862d9f32d77d8d0b57567e2af93271940a72f403575aa7a94effb661/detection # Reference: https://www.virustotal.com/gui/file/084c7dad85f29f3088999084b2a41d305dd5a7c4c1b70558baf54283411b6be0/detection 146.0.79.23:11224 212.237.217.189:3344 212.237.217.189:3345 mxdooppcof.xyz nuevoconceti.xyz repicdominic.xyz # Reference: https://twitter.com/V3n0mStrike/status/1696926213300797787 # Reference: https://www.virustotal.com/gui/file/82dae1ad95328ee96416eeaddab66bb994035e7e4e5ec41c8eb10eff60b73063/detection 172.86.121.70:10011 neckjointservice.com # Reference: https://twitter.com/Merlax_/status/1722283882857574791 http://104.131.10.223 http://104.131.7.179 http://132.148.78.45 http://138.197.42.53 http://138.197.65.187 http://138.197.65.194 http://138.197.65.248 http://138.197.73.6 http://141.95.0.69 http://159.203.113.160 http://159.65.172.220 http://159.65.178.222 http://165.227.68.165 http://165.227.76.219 http://172.105.6.117 http://172.187.146.50 http://172.188.74.203 http://172.188.74.39 http://184.168.20.190 http://20.163.29.252 http://20.5.168.224 http://20.70.8.202 http://4.228.48.162 http://4.231.172.79 http://46.37.100.162 http://5.188.0.139 http://77.91.100.203 http://80.190.74.36 132.148.78.45:5000 5.252.176.29:5000 # Reference: https://twitter.com/Dkavalanche/status/1722254307444285470 # Reference: https://twitter.com/Dkavalanche/status/1722628044299665757 # Reference: https://twitter.com/V3n0mStrike/status/1722717944663187825 # Reference: https://app.validin.com/axon?find=132.148.78.45&type=ip # Reference: https://app.validin.com/axon?find=185.225.19.104&type=ip # Reference: https://app.validin.com/axon?find=72.167.35.199&type=ip # Reference: https://app.validin.com/axon?find=92.205.177.164&type=ip # Reference: https://www.virustotal.com/gui/file/595087831d5e1a8f306b31db4e9579806756a2bd56e3db2aa3aa714536f80866/detection 132.148.78.45:5000 92.205.178.210:9081 01advertenciactc2023.dnsdojo.com 01invoicefull234.dnsdojo.com adjuntodocument.from-in.com adjuntodocumento3.from-mt.com adjuntodocumento3224.from-mt.com adjuntodocumento4.is-a-caterer.com adjuntodocumento5.is-a-cpa.com advertenciact.from-wy.com advertenciactc2023.dnsdojo.com advertenciactc2023.from-sd.com advertenciactc2023.from-wy.com advertenciactc2023.selfip.com citaadju23nta.likes-pie.com comprobantepagoectonico.selfip.com # Reference: https://twitter.com/Dkavalanche/status/1723002138853310922 # Reference: https://app.validin.com/axon?find=185.225.19.81&type=ip # Reference: https://app.validin.com/axon?find=34.74.162.235&type=ip # Reference: https://app.validin.com/axon?find=34.74.162.249&type=ip 34.74.162.235:8007 jetmailx.ddnsguru.com maypainer.loseyourip.com myinfo2.giize.com mysystem2102account.dnsalias.com nightscoutsergi.mooo.com # Reference: https://app.validin.com/axon?find=92.205.186.100&type=ip # Reference: https://app.validin.com/axon?find=94.158.244.109&type=ip adjuntodocument.from-in.com adjuntodocumento3.from-mt.com adjuntodocumento4.is-a-caterer.com adjuntodocumento5.is-a-cpa.com # Reference: https://twitter.com/Merlax_/status/1725625082809127288 # Reference: https://raw.githubusercontent.com/merlax/Mekotio/main/IOCs_2ndW_Nov_2023 # Reference: https://www.virustotal.com/gui/ip-address/164.68.124.229/relations # Reference: https://www.virustotal.com/gui/ip-address/185.225.19.81/relations # Reference: https://www.virustotal.com/gui/ip-address/23.111.152.242/relations # Reference: https://app.validin.com/axon?find=89.40.5.144/30&type=ip4 # Reference: https://www.virustotal.com/gui/file/08fdc1d9ed2aada0b3bd2f2d1153b1800252091d2804841f11ea7ac959aa07e0/detection # Reference: https://www.virustotal.com/gui/file/0c15a51994c1bf1bc04c1b79f8e023146496890b3e688978fa51c71da28bae46/detection # Reference: https://www.virustotal.com/gui/file/101b3685fbf597ab0db6ad95fd9177bff4393bd17187f308ac16199d7c58033e/detection # Reference: https://www.virustotal.com/gui/file/1c1dc2689c97a755e42bbf13fb1818529911a60ce91cf10125f3ff6e62804ba2/detection # Reference: https://www.virustotal.com/gui/file/33b317ad728818234a7ca18a5579f9a37827c7dc52620e270bc1a75533668045/detection # Reference: https://www.virustotal.com/gui/file/52f6cf4b266820aeb9be2a46430ee5513ae6f028e0012627a3a345413987a968/detection # Reference: https://www.virustotal.com/gui/file/969a397dc0e0b93f4362127380567788a6236b9986cb682f9f3f8d07e683f077/detection # Reference: https://www.virustotal.com/gui/file/ba3f2cb647180467eb750d30eb87c0ecf0caed9bb4daee0ea008bdbb58ba24e3/detection http://104.154.160.155 http://104.198.223.56 http://143.110.229.237 http://143.110.235.132 http://143.198.209.74 http://143.198.58.70 http://15.235.166.165 http://15.235.166.206 http://159.223.203.172 http://159.223.42.2 http://159.223.42.240 http://159.223.65.166 http://159.223.65.70 http://159.223.78.129 http://159.223.78.150 http://159.223.78.221 http://161.35.101.122 http://161.35.109.171 http://161.35.98.146 http://165.22.243.78 http://165.22.245.172 http://165.22.251.142 http://165.22.253.173 http://167.99.69.215 http://167.99.74.11 http://167.99.74.192 http://167.99.78.242 http://178.128.115.173 http://178.128.119.161 http://195.234.82.54 http://24.199.97.202 http://34.121.79.117 http://34.123.155.239 http://34.132.192.242 http://34.135.203.127 http://34.136.169.180 http://34.16.123.109 http://34.173.253.92 http://34.27.34.110 http://34.28.119.214 http://34.28.138.163 http://34.28.201.51 http://34.28.99.129 http://34.70.123.114 http://34.95.236.114 http://35.184.1.91 http://35.199.68.229 http://35.225.245.224 http://35.226.181.149 http://35.226.68.157 http://35.232.65.172 http://35.247.243.80 http://45.80.209.112 http://45.80.209.115 http://45.80.209.116 http://45.80.209.117 http://45.80.209.118 http://45.80.209.119 http://45.80.209.120 http://45.80.209.129 http://45.80.209.130 http://45.80.209.131 http://45.80.209.132 http://45.80.209.133 http://45.80.209.134 http://45.80.209.135 http://45.80.209.136 http://45.80.209.137 http://45.80.209.138 http://45.80.209.139 http://45.80.209.140 http://45.80.209.16 http://45.80.209.215 http://45.80.209.216 http://45.80.209.218 http://45.80.209.219 http://45.80.209.220 http://45.80.209.221 http://45.80.209.222 http://45.80.209.223 http://45.80.209.224 http://45.80.209.47 http://45.80.209.50 http://45.80.209.51 http://45.80.209.52 http://45.80.209.56 http://45.80.209.87 http://5.188.0.181 http://5.188.0.65 http://5.8.41.190 http://5.8.41.191 http://5.8.41.195 http://5.8.41.204 http://5.8.41.211 http://5.8.41.223 http://5.8.41.225 http://5.8.41.234 http://51.15.10.118 http://51.15.167.5 http://51.15.3.140 http://51.15.5.194 http://51.15.9.162 http://51.15.9.198 http://51.159.53.127 http://68.183.225.149 http://68.183.225.47 http://68.183.230.167 http://68.183.236.225 http://84.46.236.226 http://84.46.236.227 http://84.46.236.36 http://84.46.236.38 http://84.46.239.209 http://84.46.239.95 http://86.38.216.104 http://86.38.216.46 http://89.117.0.126 http://89.117.0.127 http://89.117.0.128 http://89.117.0.129 http://89.117.0.13 http://89.117.0.130 http://89.117.0.131 139.144.213.55:9998 164.68.124.229:6090 178.128.206.214:3344 20.63.119.249:3345 62.77.153.133:9999 66.228.34.150:7957 72.167.33.172:8081 77.91.74.84:9999 89.47.160.109:8993 98.71.24.201:5585 boludo.online coltmzxcofgh.xyz comptech8a.com gordlopd.xyz fortepe.is-a-geek.com fortepe2.is-a-geek.com indianajhones.servebeer.com indiapotira.servebeer.com myinfo20235.ddnsfree.com mysystem2102a.dnsalias.com savtab34.duckdns.org strogonoff.xyz # Reference: https://twitter.com/Dkavalanche/status/1729582807666557143 cogfactmgsolucionesoinsaarme.eastus.cloudapp.azure.com # Reference: https://twitter.com/Merlax_/status/1730553580275569032 # Reference: https://www.virustotal.com/gui/file/42fcbde7055bb274807eb5cdf4fe61125582bb364e92edf598b8bacd9b0f740d/detection http://24.152.37.226 http://24.152.39.178 http://74.207.237.97 24.152.39.178:60309 # Reference: https://twitter.com/JAMESWT_MHT/status/1732719574762528804 # Reference: https://www.virustotal.com/gui/file/8d464b85a99517acba4fd431c4cb077bc5180380e21b4cb3616c573867c6e9b6/detection # Reference: https://www.virustotal.com/gui/file/17af2c468c617d4fc26c5334336f1224d3945bb4e0e984f83be439439ea6a758/detection auditoriaempresa.com # Reference: https://twitter.com/Merlax_/status/1732944960180158722 # Reference: https://www.virustotal.com/gui/file/c25dc30e13c33341aaa22ecbaa17fd28334d06089658a5521663564ee5f96b35/detection http://104.197.118.253 http://139.162.133.226 http://146.70.41.164 http://162.19.250.136 http://170.187.185.142 http://172.105.21.218 http://172.203.248.28 http://173.82.57.120 http://185.74.222.7 http://188.127.225.117 http://191.6.210.101 http://20.11.48.138 http://20.84.95.205 http://23.227.199.39 http://23.236.54.174 http://24.199.118.203 http://24.199.126.144 http://24.199.126.188 http://24.199.126.29 http://31.192.107.165 http://31.44.7.57 http://34.133.77.232 http://34.134.144.100 http://34.16.108.72 http://34.170.6.183 http://34.171.203.202 http://34.27.55.253 http://34.41.174.53 http://34.95.214.148 http://35.193.169.113 http://35.226.15.1 http://35.226.23.196 http://35.239.20.13 http://37.49.230.73 http://37.49.230.79 http://5.181.156.86 http://5.8.41.128 http://5.8.41.136 http://52.67.10.246 http://72.167.133.199 http://72.167.140.106 http://80.190.75.43 http://80.190.75.44 139.144.212.88:7957 140.99.223.103:9999 173.209.59.170:6099 20.227.191.76:10148 34.74.162.235:9988 45.40.96.241:8800 72.167.141.220:9988 88.80.187.192:8081 aboutnetworkcorporation.com azohxhfkimtelsiwsitm.homes opgubfstp.xyz pontesmiller.homes ellokodell00.hopto.org enterprese2023.is-a-hunter.com /googledocs.txt /googledocs1.txt # Reference: https://twitter.com/_boitata/status/1733683765493338128 # Reference: https://www.virustotal.com/gui/file/d8fc4f696f4bd1899ed92d8e9767646308c941cac2ea826dbdd3e64f6926db3d/detection http://185.228.72.212 # Reference: https://twitter.com/1ZRR4H/status/1734346226303176743 gongzi.one networks2024.com vmq.gongzi.one wx.gongzi.one yzf.gongzi.one # Reference: https://twitter.com/V3n0mStrike/status/1734434543774449971 http://88.80.187.192 # Reference: https://twitter.com/Merlax_/status/1737427638615183814 # Reference: https://pastebin.com/raw/NpCHYR6g http://185.189.13.243 102.37.141.218:6099 109.74.197.130:8081 15.229.1.40:3081 23.227.196.75:10149 38.54.45.105:9988 52.67.144.183:9795 confgplsiep.xyz homelpd6099.xyz # Reference: https://twitter.com/V3n0mStrike/status/1736209621839139026 http://146.70.100.113 http://45.79.11.85 45.79.11.85:8081 # Reference: https://twitter.com/V3n0mStrike/status/1740461394250641595 18.188.34.194:9795 jw-ict.nl comunicarbrasil-br.com/wp-content/upgrade/8HD712/ eccsl.lk/mah/mail/ID/UC81782/ silviza.cl/css/F12039388II/ /F12039388II/T2381OIF7/login.php /F12039388II/T2381OIF7/ /F12039388II/ /T2381OIF7/ # Reference: https://twitter.com/Merlax_/status/1743380172768784598 # Reference: https://pastebin.com/raw/yh2ePsr6 http://138.197.3.95 http://146.190.47.102 http://157.245.154.252 http://157.245.156.164 http://165.227.100.78 http://167.172.72.72 http://167.172.73.43 http://167.172.77.227 http://167.99.49.92 http://167.99.57.153 http://176.123.1.98 http://178.128.208.175 http://178.128.209.160 http://178.128.217.129 http://178.128.217.240 http://185.202.92.107 http://185.233.82.209 http://185.244.210.127 http://185.244.210.129 http://191.233.240.218 http://209.97.175.168 http://213.156.138.36 http://213.232.235.79 http://24.199.118.135 http://31.192.107.139 http://34.28.70.128 http://34.29.67.243 http://34.30.59.63 http://35.199.77.83 http://45.135.229.35 http://5.181.27.142 http://5.181.27.143 http://5.181.27.144 http://5.181.27.150 http://5.181.27.151 http://5.188.0.144 http://5.188.0.152 http://5.8.41.15 http://5.8.41.180 http://5.8.41.181 http://5.8.41.182 http://5.8.41.184 http://5.8.41.185 http://5.8.41.186 http://5.8.41.187 http://5.8.41.188 http://5.8.41.189 http://5.8.41.192 http://5.8.41.194 http://5.8.41.196 http://5.8.41.197 http://5.8.41.198 http://5.8.41.199 http://5.8.41.200 http://5.8.41.201 http://5.8.41.212 http://5.8.41.213 http://5.8.41.216 http://5.8.41.218 http://5.8.41.219 http://5.8.41.220 http://5.8.41.221 http://5.8.41.224 http://5.8.41.27 http://5.8.41.94 http://5.8.41.97 http://89.44.193.182 http://92.223.102.65 http://92.38.149.54 # Reference: https://twitter.com/Merlax_/status/1754986074881855714 184.168.127.159:7070 ea8821cf7a85ec212e7.dyndns-home.com # Reference: https://twitter.com/1ZRR4H/status/1763236603718242750 104.237.131.212:8088 104.237.139.231:8088 192.81.134.81:8088 31.192.107.162:9090 92.205.235.147:9090 # Reference: https://twitter.com/V3n0mStrike/status/1763315355299008917 # Reference: https://csirt.gob.cl/alertas/2cmv24-00447-01/ alkebucentre.org ceseinfonline.com friendlyship.org garbasrealestate.com protezeoculare.ro ptovesindo.com /factelectricidad/ /facteletricidad/ # Reference: https://twitter.com/V3n0mStrike/status/1764481627994894461 tiberiu.mt-2.ro # Reference: https://twitter.com/johnk3r/status/1767943022640058383 # Reference: https://www.virustotal.com/gui/ip-address/109.199.113.150/relations # Reference: https://www.virustotal.com/gui/file/ae66e71538e6e4a1ba24e0cc180c4a8997ac44902c6b3979428dbc3df85e801e/detection http://38.54.57.26 infojobsprotalacesso.com acessojobsportalacesso.com processoseletivojobsuniao.read-books.org # Generic trail /amorplus/brume.php /contadores/acessar.php /guia/brume.php /hooponopono/puma.php /ho_oponoponoag/brume.php /nossasrdaga/brume.php /online/sharlins.php /marclara/total.php /tampler/marcador.php /verpra/filmes.php /naotem/jormal.php /anti/ideial.php /antigo/cupla.php /again/?oriudfjdfij88 /?oriudfjdfij88