# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/James_inthe_box/status/1193539893000986624
# Reference: https://www.virustotal.com/gui/ip-address/130.185.238.32/relations
# Reference: https://www.virustotal.com/gui/file/179349534f184774b18b7dbcf7442a537fe640e373f5c4cc6b39d3076240c11b/detection
# Reference: https://www.virustotal.com/gui/file/9cc448001e8ed355520e26c328d33f1b8031b26796923608cdf920fb6617dbb2/detection
# Reference: https://www.virustotal.com/gui/file/b078b3cba73f7dc905d395b014f610000ab37cc1500be00d64ce48c7cd9378b2/detection

http://130.185.238.32
coinstolkbr79.dyndns.org

# Reference: https://twitter.com/reecdeep/status/1291002877633331201
# Reference: https://app.any.run/tasks/1c5c1fef-a022-4143-b3d8-e365a38b8a20/
# Reference: https://www.virustotal.com/gui/file/8df61999996b08c2f77e53869f75e2ea399f1bad5a5dc5d5969f4b5e9d8d5751/detection

142.11.212.211:8081
pizzacircusbarcelona.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1291013627680624642

167.114.217.220:9090

# Reference: https://twitter.com/Dashowl/status/1296886074053099520

http://173.0.54.19

# Reference: https://twitter.com/JAMESWT_MHT/status/1303248634507657216

155.138.137.44:3030

# Reference: https://twitter.com/K_N1kolenko/status/1328605692643713025

146.59.193.20:1948

# Reference: https://twitter.com/ESETresearch/status/1390263927859208193
# Reference: https://twitter.com/ESETresearch/status/1390263930833063938

binanceassistance.com
spotifyannounce.com

# Reference: https://twitter.com/johnk3r/status/1524847789766852630

24.152.38.130:4398

# Reference: https://twitter.com/da_667/status/1530296455981936646
# Reference: https://www.virustotal.com/gui/ip-address/167.114.88.99/relations
# Reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season/

167.114.43.27:4433
belfaro.com.br
iuc1tab1tatitbw.freedynamicdns.org
iuc1tag1sjsdtbb.freedynamicdns.org
iuc1tan1xatmtkk.freedynamicdns.org
iuc1tan1xqs4tjf.freedynamicdns.org
iuc1tas1satjtjo.freedynamicdns.org
iuc1tas1xao3taf.freedynamicdns.org
iuc1tbb0sqpmtak.freedynamicdns.org
iuc1tbs0taoztjw.freedynamicdns.org
iuc1tbw0sasztjb.freedynamicdns.org
iuc1tbw1xjoztko.freedynamicdns.org
iuc1tjf0satltbs.freedynamicdns.org
iuc1tjj0uas0tbs.freedynamicdns.org
iuc1tjk0sqpltbo.freedynamicdns.org
iuc1tjk0xqpltbo.freedynamicdns.org
iuc1tko1sqs5tjg.freedynamicdns.org

# Reference: https://twitter.com/JAMESWT_MHT/status/1531566144594841601

http://20.187.91.219
20.187.91.219:44441

# Reference: https://twitter.com/1ZRR4H/status/1549261002725679105
# Reference: https://www.virustotal.com/gui/ip-address/20.70.2.177/relations

http://20.70.2.177
a404140024b44.servehalflife.com
a40494449.servehalflife.com
a4049475a475955.servehalflife.com
a404e4306.servecounterstrike.com
a40595c5747595c.servehalflife.com
a41534548.servequake.com
a425b4159455043.zapto.org
a44504159455043.zapto.org
a44504605.zapto.org
a44504959.zapto.org
a44524358475241.servehalflife.com
a4452435e475959.servehalflife.com
a445b525b.zapto.org
a454b4603.zapto.org
a45504205455053.zapto.org
a45504603.zapto.org
a455b5303.zapto.org
a455b5e02455b42.zapto.org
a46404600.zapto.org
a46405259.zapto.org
a46405e00455b5a.zapto.org
a464b4205455a5a.zapto.org
a464b534b.zapto.org
a46524b5b.servehalflife.com
a46594b5a.servehalflife.com
a4742475f475858.servehalflife.com
a49405305.zapto.org
a4940534b.zapto.org
a495b5258.zapto.org
a4a585057.servequake.com
a4b42435b475155.servehalflife.com
a4b424b5a.servehalflife.com
a4b42505f.servehalflife.com
a4b425c57475144.servehalflife.com
a4b52505a.servehalflife.com
a4b525c06475151.servehalflife.com
a4b59505f.servehalflife.com
a4c454c5d.servecounterstrike.com
ftpbtag1sjoztbf.freedynamicdns.org
ftpbtao1sztitjf.freedynamicdns.org
ftpbtbs0uatmtko.freedynamicdns.org
ftpbtjw0xaphtaw.freedynamicdns.org
ftpxtak1wqo1tjk.freedynamicdns.org
ftpxtan0xas5tab.freedynamicdns.org
ftpxtjj0uaphtar.freedynamicdns.org
iuc1tbw0tas4tab.freedynamicdns.org
iuc1tjg0xjsftbo.freedynamicdns.org
iuc1tjn1tjo3tjs.freedynamicdns.org
iuc1tjs0xasftbo.freedynamicdns.org
xacjtjozxaw3.freedynamicdns.org
xaxhtbkzsqcm.freedynamicdns.org

# Reference: https://twitter.com/ankit_anubhav/status/1555521068734902272

premierecombate.eastus.cloudapp.azure.com

# Reference: https://twitter.com/ankit_anubhav/status/1555815597769863168
# Reference: https://www.virustotal.com/gui/ip-address/20.115.83.63/relations

http://54.39.194.67
amixtubinemasterx.com
beacocosmasterx.top
centroempresarialkutsni.com
customdefivewrs.top
dextelmacwordsx.top
domanekiewex.top
empresarialkutsni.com
empresarialkutsnicorp.com
empresarialmixtur.ml
empresarialmixtur.tk
empresarialwebcustom.top
mixtubinemasterx.com
mixtubinemasterxnet.com
/$NOTADIGITALFISCAL

# Reference: https://github.com/CronUp/Malware-IOCs/blob/main/2022-08-05_Grandoreiro

http://20.10.3.196
http://20.197.31.100
http://20.226.27.45
http://209.127.179.58
http://54.39.194.67
amixtubinemasterx.com
beacocosmasterx.top
dextelmacwordsx.top
domanekiewex.top
empresarialkutsni.com
empresarialkutsnicorp.com
empresarialwebcustom.top
mixtubinemasterx.com
mixtubinemasterxnet.com

# Reference: https://twitter.com/reecdeep/status/1291717803385520128

142.11.213.42:8081

# Reference: https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals

http://15.188.63.127
http://18.231.180.92
http://35.180.117.32
http://35.181.59.254
http://52.67.27.173
http://54.232.38.61
15.188.63.127:36992
assesorattlas.me
atlasassessorcontabilidade.com
barusgorlerat.me
damacenapirescontab.com
mantersaols.com
perfomacepnneu.me
vamosparaonde.com
premiercombate.eastus.cloudapp.azure.com
chjjhjmomaoheoojjbynnyjiidfcncc.cable-modem.org
ifnnfnmcmacfdccnnjynnyjiidfcncc.collegefan.org
jmllmedvhgmhldjgmhvmmlljhvgdzvzz.dynns.com
odbbdbmgmagdfggbbnynnyjiidfcncc.blogsyte.com
pcbbcrjcgbcghjpbcgkccbjorkhhjcjj.fantasyleague.cc
/$FISCALIGENERAL3489213839012

# Reference: https://twitter.com/1ZRR4H/status/1570233170997694466

20.206.121.215:4144
procedimentos09092022.blob.core.windows.net

# Reference: https://app.any.run/tasks/74ed9bfb-68d7-492a-8c2a-4236fe2589c6/

java-update.online
mymodulop2pcar.servehttp.com
/Bv3wF1uHKG/counter.php
/Bv3wF1uHKG/

# Reference: https://www.virustotal.com/gui/file/fd00307c2ea5313be921b31b2c9ddad5a5cd0df4bcf81814d07243fdf24fbc49/detection

http://108.62.118.17

# Reference: https://hybrid-analysis.com/sample/f8991e3f7b524edc26a64543b57dd3f7cd69a2f8b04ce934d9334bf8ade8b396

sgd.servehttp.com

# Reference: https://twitter.com/StopMalvertisin/status/1575427033504501760
# Reference: https://www.virustotal.com/gui/file/0a9d7369a1c4cb32172404abd4e1a6c5aa35a674b4bfdcca81dc909b0f047b65/detection

filestorel.eastus.cloudapp.azure.com

# Reference: https://twitter.com/noexceptcpp/status/1578403486181560322
# Reference: https://app.any.run/tasks/218fcddb-49f5-4eaa-9ea3-8d22535c2a1d/

http://20.70.3.186
104.129.205.92.host.secureserver.net
nmp20887a02021498.s3.amazonaws.com
/contgmx/clientes.php
/.Nfe1456345340/

# Reference: https://twitter.com/1ZRR4H/status/1592906505363542016

http://185.191.228.227
18.231.179.202:65535
192.95.55.50:28322
192.95.55.50:45774

# Reference: https://twitter.com/Merlax_/status/1594862075897339904

http://192.95.6.196

# Reference: https://twitter.com/Merlax_/status/1594862079734857728

http://138.99.74.213
http://170.82.181.99
http://185.153.176.148
http://186.249.213.178
http://191.96.4.160
http://191.96.5.221

# Reference: https://twitter.com/Merlax_/status/1598875723602989056

http://138.99.74.21
http://186.249.213.225

# Reference: https://twitter.com/Merlax_/status/1603854200605184035

http://138.99.74.212
http://15.235.193.43
http://186.249.213.221
http://201.14.45.23

# Reference: https://twitter.com/Merlax_/status/1619666797879255041

http://149.56.91.172
http://177.73.101.138
http://186.249.213.39
http://188.121.116.157
http://52.67.94.240
http://54.221.142.212
http://89.223.88.138
54.221.142.212:28551
/eliteseguros/autorizar.php

# Reference: https://twitter.com/Merlax_/status/1624239435033329665

http://20.68.30.50
maxfoxchatdestfalouro.com
thylachatmarcamarketin.com
minha-faturaecurit-vivoinforma.securitytactics.com

# Reference: https://twitter.com/malwrhunterteam/status/1625055108273676293
# Reference: https://twitter.com/1ZRR4H/status/1625163730081263622

cortafogoempresarial.shop
contratacao.blob.core.windows.net
/calcaseroupasbr/qabzchxbp4pfpkr
/calcaseroupasbr/
/qabzchxbp4pfpkr

# Reference: https://twitter.com/petrovic082/status/1641357912361558017
# Reference: https://twitter.com/JAMESWT_MHT/status/1641367455300714496
# Reference: https://app.any.run/tasks/e38d130b-4e0b-4ea3-a540-33e88a766bed/

4.204.223.50:4389

# Reference: https://twitter.com/StopMalvertisin/status/1653317890131763201
# Reference: https://www.virustotal.com/gui/file/079ee055b833a515f7fb0d5e7964ebf4f78457de7215f44e3d14a8a0b01a41fc/detection

http://20.14.172.115

# Reference: https://twitter.com/Dkavalanche/status/1659931870807638017
# Reference: https://twitter.com/Merlax_/status/1659939922168496129

104.234.200.30:443
20.121.15.3:3894
factura-mail.hopp.to
factura.hopp.to
facturapdf.hopp.to
facturaxml.hopp.to

# Reference: https://twitter.com/Dkavalanche/status/1669440086776205345

15.228.233.242:9719
18.228.23.145:7969
18.230.134.37:14866
54.233.246.105:40881
54.233.246.105:9515
olikes.likes-pie.com
ompimorpgsflofb.for-the.biz
rolosoolgjosflofb.health-carereform.com

# Generic

/Adkflgog30.iso
/dyngcdnefn_03.iso
/nivyjlzhdj_04.iso
/nnkokysdggit.iso
/obmkumjoxq_05.iso
/ugqvhozczb_04.iso
/yqcnfempzc.iso
/ronivon.txt
/BR01?NF-eBR102822MY91822BT1
/BR02?NF-eBR102822MY91822BT1
/BR01/?NF-eBR102822MY91822BT1
/BR02/?NF-eBR102822MY91822BT1
/?NF-eBR102822MY91822BT1
