# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/James_inthe_box/status/1099786490144448512

advancedepartametno.com

# Reference: https://twitter.com/James_inthe_box/status/1126809601825918978

instalacionez.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1143875234707181568
# Reference: https://app.any.run/tasks/2ef75909-daa7-45f1-83bc-dfe3ead3ac61/

trabalhoonline.webcindario.com

# Reference: https://twitter.com/SoulRage6/status/1146073224045838337

/nossasrdaga/brume.php

# Reference: https://twitter.com/0bfusCat/status/1155406244062121984

descargasdocx.com

# Reference: https://twitter.com/MisterCh0c/status/1186712875743825920

leavenois.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1235558960314400768
# Reference: https://app.any.run/tasks/6cef1963-4881-4f7f-b877-198cfd7eaf17/

mab2020.duckdns.org
mundonlop.duckdns.org
newtroll-megatron.duckdns.org
pumex-new.duckdns.org

# Reference: https://twitter.com/3rg4f4/status/1270308334743289860

smsinformativo.com

# Reference: https://twitter.com/0bfusCat/status/1181529470475362304
# Reference: https://app.any.run/tasks/f6d7cc92-3215-4103-baeb-eb424016f885/

compraca.000webhostapp.com

# Reference: https://twitter.com/SoulRage6/status/1146073224045838337

http://31.207.35.50

# Reference: https://twitter.com/JAMESWT_MHT/status/1299324645787742208

http://34.95.246.154

# Reference: https://app.any.run/tasks/17349d53-0d4e-4857-90a0-9f5dd68385b2/

st-gerrard-const.com/wp-content/themes/twentyfifteen/
perfectart.com.br/ebos/

# Reference: https://app.any.run/tasks/f869690a-e3d1-43e4-a61f-18d05a948e10/

shortsalepontevedra.com/coun7/

# Reference: https://twitter.com/JAMESWT_MHT/status/1328704334721323009
# Reference: https://app.any.run/tasks/2be10df3-e594-4118-9d36-6b93041ec73c/

flsdcment.site
sededgtgoes.online

# Reference: https://twitter.com/JAMESWT_MHT/status/1328714844573413377
# Reference: https://app.any.run/tasks/d827010e-453c-4d89-8128-20b82832f5ab/
# Reference: https://www.virustotal.com/gui/file/4d45380cd5fdf967988c4f239f61827ad9a80a4d9abcfbddf6e656d9dcc50f58/detection

45.35.104.213:8989
covidezenove.online
myd9hzd8cheab.winconnection.net

# Reference: https://twitter.com/dgarcianet/status/1352235429160955904
# Reference: https://www.virustotal.com/gui/file/7c019dca867ba21a5d8bb6eabd5750d0f06778fb82ff8866d4900a793d7bcc5c/behavior/C2AE

http://40.112.173.153

# Reference: https://twitter.com/1ZRR4H/status/1359963801819430914
# Reference: https://www.virustotal.com/gui/file/66797ef1761fd243a48829335d9e34781cbef324090497897462bf1a5ce0cb39/detection

104.214.107.176:79
gemare.com.br//conteudo/TGR/descarga.php
selfhelpwomendevelopment.com/wp-includes/images/mail/descarga.php

# Reference: https://cofense.com/blog/autohotkey-banking-trojan/
# Reference: https://www.virustotal.com/gui/file/4e69e794a688f94bd865b9905f2e8cc84bf17d282020ff08f2f56b42f1ffd305/detection

es.sslhermanos.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1385156068721012736
# Reference: https://twitter.com/D3LabIT/status/1385151472216776704
# Reference: https://app.any.run/tasks/e48dfdc7-fd3e-4d77-a03a-eeeb458bc909/

conlazionzzytz.eastus.cloudapp.azure.com
contecalculacion.eastus.cloudapp.azure.com
piazzimulobanquituto.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1386976751247634441

amlsempg.com
ilavorianmosy.eastus.cloudapp.azure.com
multipicas.eastus.cloudapp.azure.com

# Reference: https://twitter.com/ESETresearch/status/1387384460568666117
# Reference: https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/
# Reference: https://twitter.com/ESETresearch/status/1387384464905547779

apssitemarquivrft.francecentral.cloudapp.azure.com
torressircontes.eastus.cloudapp.azure.com

# Reference: https://twitter.com/petrovic082/status/1388180117642432515

moveisji.com.br/archivos/

# Reference: https://twitter.com/1ZRR4H/status/1408252818272751621

jinhuidabio.com/reports/words/mail.php
arbonato.com.br/Maxx/sowns/HR13I5MD0ASC5J.php

# Reference: https://twitter.com/dgsecnet/status/1519263981231296516

http://20.233.43.99
http://20.92.88.38
meuinformativo2.serveblog.net

# Reference: https://github.com/CronUp/Malware-IOCs/blob/main/2022-05-10_Mekotio_MTT_CL

thangloitaynguyen.com
espatron2022.est-le-patron.com
anders-wirken.de/wp-content/languages/Hs56ety2hTg011If56s.coc
bremermee.nl/wp-content/languages/MTT0001450001.zip
/lib/jquery/grood/1101/3t1x2oBj19sH33.php

# Reference: https://twitter.com/1ZRR4H/status/1537539651279405062
# Reference: https://www.virustotal.com/gui/file/980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0/detection

http://45.147.197.223
http://51.12.218.142

# Reference: https://twitter.com/pr0xylife/status/1537850595981369344

upfdigital.com
gomho.upfdigital.com
johnickowiczdds.com/wp-admin/telcel.nec
/wp-admin/01/02/gigo.php

# Reference: https://twitter.com/StopMalvertisin/status/1539171329223831552

http://20.239.69.60

# Reference: https://twitter.com/1ZRR4H/status/1540387288538120192
# Reference: https://twitter.com/Dkavalanche/status/1540113368517935104
# Reference: https://www.virustotal.com/gui/file/db9c0fd3a144ea0a24d8d65841ae94f7336ed420428dd455ed4b27ac081949c5/detection

http://20.26.198.176
http://20.91.202.137
serviceares.hopto.org

# Reference: https://twitter.com/StopMalvertisin/status/1540044306068951040
# Reference: https://www.virustotal.com/gui/file/8e815b6b13c7cef7d6152ff50d07f217420e185eddcc247a9a92dbfd1787e6e9/detection

steromask.fr

# Reference: https://twitter.com/SeguInfo/status/1542234908491497472
# Reference: https://www.virustotal.com/gui/file/0d16d92c0f451848fbd8d2b255991103c05c84fafbef9978b1aac22578928e4d/detection
# Reference: https://www.virustotal.com/gui/file/5e9dc457e117fa875057e9fc29a7b9c3116efec912ccc2e4d4eab49e5e55a486/detection

http://20.91.206.86
http://51.132.148.124
pro112.dynuddns.com

# Generic trail

/amorplus/brume.php
/guia/brume.php
/hooponopono/puma.php
/ho_oponoponoag/brume.php
/nossasrdaga/brume.php
/online/sharlins.php
/marclara/total.php
/verpra/filmes.php
/naotem/jormal.php
/anti/ideial.php
/antigo/cupla.php
/again/?oriudfjdfij88
