# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Note: Trail for data stealers that are not classified under a named family

# Reference: https://twitter.com/petikvx/status/1591465219666153474
# Reference: https://tria.ge/221112-tmcqqagf37
# Reference: https://www.joesandbox.com/analysis/744589?idtype=analysisid#iocs
# Reference: https://app.any.run/tasks/481b8157-1049-4145-9a84-978cd7814575/
# Reference: https://www.virustotal.com/gui/file/6663b11dcecaa8077560752dd22f1a801c7aa92c0dc691d6d2cb709be55ba5b5/detection

onsapay.com/loader

# Reference: https://www.virustotal.com/gui/file/3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab/detection

tds-packages-update.com

# Reference: https://twitter.com/ULTRAFRAUD/status/1678849977336954880
# Reference: https://twitter.com/josh_penny/status/1679092742666825731
# Reference: https://www.virustotal.com/gui/file/d6aee63ffe429ddb9340090bff2127efad340240954364f1c996a8da6b711374/detection

download-desktop-capcut.com
avatarcloud.top
cloudimages.net
editorimage.info
getavatar.top
hahaimage.info
hahaimage.top
hahaimage.xyz
heheimage.info
heheimage.top
heheimage.xyz
heyavatar.info
heyavatar.top
heyimage.info
ip-ptr.tech
justjobsnow.com
nametoimage.com
partressure.org.uk
toimageai.top
svs00.ip-ptr.tech
vs1-2_2.ip-ptr.tech

# Reference: https://www.virustotal.com/gui/file/25ed22baa1216bddb7c0588cabe791452adc9f7f668837cafe00537ff85aea82/detection

lorealis.vip

# Reference: https://twitter.com/1ZRR4H/status/1682268170168532992

managedkv.com

# Reference: https://twitter.com/hiramcoop/status/1688616244042412041

/365-stealer.py

# Reference: https://twitter.com/idclickthat/status/1692210489663905972
# Reference: https://twitter.com/fr0s7_/status/1695775953505402985
# Reference: https://tria.ge/230817-tm14bacc7s/behavioral2

kholapqua.com
shoppingvideo247.com

# Reference: https://twitter.com/k3yp0d/status/1693598087556505763
# Reference: https://www.virustotal.com/gui/file/b27d5f5a85c251ea6c603a86087233ce015f012062bf5f023e3e9a1d4b09707f/detection
# Reference: https://www.virustotal.com/gui/file/9e217a0d9a6b44b195f5ee70d38e82507c02e480430bf2508bd8afdea886d846/detection

http://34.89.79.160

# Reference: https://twitter.com/karol_paciorek/status/1696175997513564658

/stealer/Auth/Login

# Reference: https://twitter.com/idclickthat/status/1697772164831944884

secure-update-portal.com

# Reference: https://checkmarx.com/blog/an-ongoing-open-source-attack-reveals-roots-dating-back-to-2021/
# Reference: https://otx.alienvault.com/pulse/64f09d12f52704036d29d312

bind9-or-callback-server.com
cczk46g2vtc0000k68dgggx31deyyyyyb.oast.fun
ck0r1hp2vtc00007c0zggjocy3ryyyyyb.oast.fun

# Reference: https://www.virustotal.com/gui/file/65bfda9a772c6c5eab6a610446b4bf58d43bd025062a1d482cffbf9b2351fa5c/detection
# Reference: https://www.virustotal.com/gui/file/0f6e6c43df42a007f9b70482671b2fea79353e069f6260b04ed6f599abef7a5a/detection

185.130.44.113:8080
185.130.44.113:8443
93.95.229.246:8080
93.95.229.246:8443
microsoft.dynnamn.ru
mswindows.hldns.ru
rckl.hldns.ru
rcnkl.dynnamn.ru
simantec.hldns.ru
simantec.mooo.com
windowsdefender.freemyip.com
windowstelemetry.theworkpc.com

# Reference: https://www.virustotal.com/gui/file/0f61ffdbab0efe9272f1b0acf8f99fcda6461e4f6f978fbaf7f7f637778959e4/detection

log.hackcrack.io

# Reference: https://twitter.com/THProfiler/status/1702136008584900636

red-hacks.com

# Reference: https://twitter.com/ULTRAFRAUD/status/1705209115000070206
# Reference: https://www.virustotal.com/gui/file/60ba10a5bdafa65987f36aa9ba884f686e36788bea22a7f6a7026fa18cbbab1d/detection

http://46.151.29.182
46.151.29.182:443

# Reference: https://twitter.com/1ZRR4H/status/1709421805880877346
# Reference: https://www.virustotal.com/gui/file/759f68868414e8e7bf602a631d34740a125a7d8821b313330ad2469a96616e0c/detection
# Reference: https://www.virustotal.com/gui/file/51574e9dc00eca75a025fe34e729a487624e1f2f77100618ff67cffb80a36686/detection

/oisn38dfs/
/oisn38dfs/logger.php
/oisn38dfs/loggerbad.php

# Reference: https://twitter.com/r3dbU7z/status/1710590656597352560
# Reference: https://twitter.com/Gi7w0rm/status/1711030015016505609

http://3.68.185.165
hackdev.ciaffa.net
/IP-Grabber.ps1
/Steal%20BrowserPassword.ps1
/Steal%20BrowserPasswords.ps1
/Steal%20Doc-v1.ps1
/Steal%20Doc.ps1
/Steal%Key.ps1
/Steal%Keys.ps1
/Steal_BrowserPassword.ps1
/Steal_BrowserPasswords.ps1
/Steal_Doc-v1.ps1
/Steal_Doc.ps1
/Steal_Key.ps1
/Steal_Keys.ps1

# Reference: https://www.virustotal.com/gui/file/a21b406dd4f152c0831201585a21da8e60bd1da218e801e2d7c29076dc6c2be0/detection

http://81.161.229.12

# Reference: https://twitter.com/suyog41/status/1718890969951842554
# Reference: https://www.virustotal.com/gui/ip-address/77.105.146.90/relations
# Reference: https://www.virustotal.com/gui/file/1fbeca1cd511cf894d080d7100a05c5fff0a5f4c6c3fd214f98f28c5dcb866fb/detection
# Reference: https://www.virustotal.com/gui/file/5836eec5ff95e74e21fed63519793f61dea7661a7b555d4e971074f8ab242cf8/detection

http://77.105.146.90
/Up/bistAndAuditAlarmByHandle
/Up/bounterAndPerformanceCounterdll
/Up/bounterAndPerformanceCounteral
/bistAndAuditAlarmByHandle
/bounterAndPerformanceCounteral
/bounterAndPerformanceCounterdll

# Reference: https://www.bleepingcomputer.com/news/security/fake-ledger-live-app-in-microsoft-store-steals-768-000-in-crypto/
# Reference: https://otx.alienvault.com/pulse/654b98775dad45e59c2c2b44

ladgerlivlugio.gitbook.io

# Reference: https://www.virustotal.com/gui/file/fc596cd42b7f1237bd2686059918cbe23b752546dd820b77f91acfc99e2065a1/detection

fhaduasd.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1727754734876913736
# Reference: https://www.virustotal.com/gui/file/f7e56674caa3c0c39d0a177ce6da1063bb7ff83f0acccb5da02527ab6250826c/detection
# Reference: https://www.virustotal.com/gui/file/cc1061c7d42e18a4f987fe2563a0934e1e77322856d4d1f000e1311f1f21ef1c/detection
# Reference: https://www.virustotal.com/gui/file/90ffb9eade13d75f95e25c0b0aaa9a1f9171849cb81f1e2e9494c1fa801deee1/detection

torrecomando.com
peg3z.app.goo.gl

# Reference: https://checkmarx.com/blog/attacker-hidden-in-plain-sight-for-nearly-six-months-targeting-python-developers/
# Reference: https://otx.alienvault.com/pulse/65577803bd352de4281ac497

51.178.25.148:8081

# Reference: https://www.virustotal.com/gui/file/f75c5b809e07fe2bdcc52fba4ebed26c82b703acf60d1b6a725189c496ad4753/detection

webvideoshareonline.com

# Reference: https://twitter.com/banthisguy9349/status/1740371850067058701
# Reference: https://twitter.com/malwrhunterteam/status/1753511219594444907

http://5.42.65.115
http://91.92.241.168
http://91.92.241.172
/batushka/twointe

# Reference: https://twitter.com/naumovax/status/1740701521736802556
# Reference: https://tria.ge/231206-mfkz7adg22/behavioral1
# Reference: https://app.any.run/tasks/0de95728-53f5-4027-9655-28d15f129718/

107.148.61.219:8080

# Reference: https://twitter.com/AnFam17/status/1748426722377146822
# Reference: https://blog.phylum.io/npm-package-found-delivering-sophisticated-rat/
# Reference: https://www.virustotal.com/gui/file/631f221da41e5f837a2b0fd44d07ae64640114b803d462688ada3efb88c98403/detection

cookieplay252511.s3.amazonaws.com
devwork9.com
kdark1.com

# Reference: https://www.virustotal.com/gui/file/062404e023a81c9be5959bb78ff149daad5be544017afb765198e8e49caf89cd/detection

http://95.163.241.63
chatgptencoder.site
millionjobs.work
moneyz.fun

# Reference: https://twitter.com/banthisguy9349/status/1753014923796308372
# Reference: https://www.virustotal.com/gui/file/7f97aec4b235fc0fb0e404a95ea49629aaa141054d20e5d43786c210b35baaf1/detection

http://45.81.22.67

# Reference: https://twitter.com/Cuser07/status/1753027958636519425
# Reference: https://www.virustotal.com/gui/file/1cf34e9bee29c171c6a3b5cd073d02d42bd9db2bdbe0f8f9a0d1211b3b4291b7/detection
# Reference: https://www.virustotal.com/gui/file/038fe128a1b7bf6ef427ab3ce8962ebac66b7d355568d593c7d4e384b379df16/detection
# Reference: https://www.virustotal.com/gui/file/c2fa1070ed3827f96501969506926fca40e0393b0b842c62e6b4d7fce5c22135/detection

browsettings.com
desktop-tradingwiew.com
security-update.net

# Reference: https://g0njxa.medium.com/privateloader-installskey-rewind-2023-c1ce027cbe65
# Reference: https://twitter.com/ShanHolo/status/1752631749589234120

/StealerClient_Cpp.exe
/StealerClient_Cpp_1_3.exe
/StealerClient_Cpp_1_3_1.exe
/StealerClient_Cpp_1_4.exe
/StealerClient_Sharp.exe
/StealerClient_Sharp_1_3.exe
/StealerClient_Sharp_1_4.exe

# Reference: https://twitter.com/banthisguy9349/status/1754138045681385857
# Reference: https://twitter.com/banthisguy9349/status/1754135708636176601

http://91.92.241.172
http://91.92.246.98
http://94.156.66.186

# Reference: https://twitter.com/naumovax/status/1763518716027826284
# Reference: https://hybrid-analysis.com/sample/3242399d46cf45cab47cd48fd67ab27f20dcc8808364fee494ccbeed60826d23/65dd29b15367b2f8a0091dd0
# Reference: https://www.virustotal.com/gui/file/3242399d46cf45cab47cd48fd67ab27f20dcc8808364fee494ccbeed60826d23/detection

http://67.218.111.202

# Reference: https://twitter.com/DmitriyMelikov/status/1772661332904468851
# Reference: https://tria.ge/240326-rg9gdsbh74/behavioral2
# Reference: https://www.virustotal.com/gui/file/bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea/detection

http://209.182.225.225
adfhjiuyqnmahdfiuad.com

# Reference: https://twitter.com/r3dbU7z/status/1775260364084810193
# Reference: https://twitter.com/r3dbU7z/status/1775458644869435669
# Reference: https://twitter.com/r3dbU7z/status/1776981277989580899

biz.xn--yo-ska.co
deamenop.com
doggie-services.com
getmoss-go.com
getmossc.com
jobs-servers.com
miles-and-more-kreditkartes.com
miles-and-more-kredtikaret.com
reality4ukcit.com
tehnokonsts.com
van-debo.com
xn--fund-qqa.com
xn--getmos-8lc.com
xn--getplant-61a.com
xn--gtmss-lua6v.com
xn--kntist-wxa.com
xn--managr-fva.com
xn--yo-ska.co

# Reference: https://twitter.com/pollo290987/status/1776039471600877598
# Reference: https://www.virustotal.com/gui/file/bacd549a9fb3a1453738f170df3f9ca68c1b9e0a10387d4c116f3e86fe54da30/detection

fileupdatesdrive.com
zozobangpin.com

# Reference: https://twitter.com/g0njxa/status/1778499019800506856
# Reference: https://tria.ge/240411-w619jacg9y/behavioral1

ap-turbovpn.top
app-blender.store
app-fjjmara.top
app-fjjmarame.site
app-fjjmarame.top
app-monday.website
app-paarsak.site
app-paarsak.top
app-parcsak.site
app-parcsak.top
app-parsec.online
app-parsec.store
app-parsec.top
app-parzec.online
app-parzec.store
app-tarbovnp.top
app-tarbovppn.top
appmanday.top
audacityteam.app
audacityteam.cfd
audacityteam.club
audacityteam.co
audacityteam.de
audacityteam.forum
audacityteam.fun
audacityteam.info
audacityteam.life
audacityteam.link
audacityteam.net
audacityteam.online
audacityteam.pro
audacityteam.pw
audacityteam.shop
audacityteam.site
audacityteam.space
audacityteam.store
audacityteam.support
audacityteam.top
audacityteam.us
audacityteam.website
audacityteam.wiki
audacityteamq.org
audacityteams.com
audacityteams.net
audacitytem.org
audacltyteam.com
audacltyteam.net
audacltyteam.org
audactyteam.org
audcityteam.org
casaprix.com
gologin.top
turbovpn.app
turbovpn.info
turbovpnapk.com
turbovpnapk.info
turbovpnapk.net
turbovpnapk.pro
turbovpnapp.com
turbovpnapp.net
udacityteam.com
filmora.app-fjjmara.top
filmora.app-fjjmarame.site
filmora.app-fjjmarame.top
filmora.filmora-wandershare.site
p.turbovpn.info
/online/tunupd.php

# Reference: https://twitter.com/pmelson/status/1780045394627428390

enginedaemonwal.site

# Reference: https://twitter.com/biffbiffbiff/status/1779949115822223733

andaclesrealty.com

# Reference: https://twitter.com/banthisguy9349/status/1787364816505450732
# Reference: https://twitter.com/RacWatchin8872/status/1787417966176240082

103.1.40.149:280
103.1.40.159:280
103.1.40.230:280
103.183.2.202:280
103.183.2.203:280
103.183.2.204:280
103.183.2.205:280
103.183.2.206:280
137.220.146.133:280
154.212.146.164:280
154.91.195.27:280
206.238.199.221:280
206.238.199.59:280
216.83.52.115:280
216.83.58.160:280
216.83.58.162:280
216.83.58.165:280
216.83.58.171:280
216.83.58.178:280
27.124.3.116:280
27.124.3.120:280
38.181.88.110:280
38.181.88.122:280
38.181.88.125:280
38.181.88.133:280
38.181.88.199:280
38.181.88.36:280
38.181.88.53:280
38.181.88.77:280
38.181.88.7:280
38.181.88.89:280
45.195.204.114:280
45.195.204.37:280
45.195.204.48:280
45.195.204.50:280
45.195.204.57:280
45.195.204.59:280
45.195.204.76:280
45.91.226.111:280
45.91.226.112:280
45.91.226.113:280

# Reference: https://twitter.com/banthisguy9349/status/1787461959958294588
# Reference: https://www.virustotal.com/gui/file/523569940c424e1f222df0219f82cbee3e45c5588728f988d82886df765669aa/detection

mm6695.icu

# Reference: https://twitter.com/banthisguy9349/status/1788966249034080565
# Reference: https://pastebin.com/r4ceAVYg

http://103.207.166.8
124.221.217.28:8080
154.19.167.24:280
154.19.167.35:280
154.19.167.8:280
216.83.52.112:280
27.124.3.117:280
27.124.3.87:280
38.181.88.23:280
38.181.88.46:280
38.181.88.63:280
38.181.88.66:280
38.181.88.83:280
38.181.88.88:280

# Reference: https://twitter.com/r3dbU7z/status/1789237495088984225
# Reference: https://www.virustotal.com/gui/file/0e8e895d3c900ba43314b56de3d625609c73cfc5b32c166064275669605829e1/detection

tehnikaldomestos.com
xn--getmss-zxa.com

# Reference: https://x.com/ShanHolo/status/1791371254353613008
# Reference: https://x.com/r3dbU7z/status/1791429395887910965

tehnocorreos1.online
tehnocorreos2.online
tehnoyoubiz1.online
tehnoyoubiz2.online
texnodomainmoss.com
xn--weststeincrd-pcb.com

# Reference: https://x.com/Threat_Down/status/1792953041487900737
# Reference: https://www.threatdown.com/blog/threat-actors-ride-the-hype-for-newly-released-arc-browser/
# Reference: https://www.virustotal.com/gui/file/c2c8a50c5d813970854ace64ed0f430fccd858066daf9bef379d340a2800ccd3/detection
# Reference: https://www.virustotal.com/gui/file/5d32e38d928887077efeb73c6686edf6dbc7c7693623913b043bb7b32bbd3f9d/detection

185.156.72.18:443
185.156.72.56:443
ailrc.net
aircl.net

# Reference: https://x.com/Threat_Down/status/1792992252307865893

windirstatt.com

# Reference: https://x.com/Threat_Down/status/1793033861225456125

webetnex.com

# Reference: https://www.virustotal.com/gui/file/ef1dea9884255955e28f2bb38975b56b3de3e6abb1f427375a64c69c8d364452/detection
# Reference: https://www.virustotal.com/gui/file/0da1da4e5ec6650654f2114f8fcbbfe196085414c9768a6b72ee0ca546da13f8/detection

storagedsolutions.azurefd.net

# Reference: https://x.com/raghav127001/status/1795203991443284188
# Reference: https://www.virustotal.com/gui/file/e9632a585421432d4e228ec224093a828124c00e8ea87c0a37ed4efe5a2374a4/detection
# Reference: https://www.virustotal.com/gui/file/213d9a5442003f99273523206a023170eecdee1616d44f274f5945af57127428/detection
# Reference: https://www.virustotal.com/gui/file/1f900f090b7bba83e3d96bf64ce81375c278a19ba2f9f1f90a6595508ecbd230/detection

http://195.10.205.162
195.10.205.162:6000
195.10.205.162:9002

# Reference: https://x.com/banthisguy9349/status/1795454820108628205
# Reference: https://www.virustotal.com/gui/file/f39e8229f8deb8e945965ce4ec051ce04bd231ebcc30e4db781e92a745047724/detection

http://94.156.66.220

# Reference: https://x.com/banthisguy9349/status/1799777047969231237
# Reference: https://x.com/banthisguy9349/status/1799777813945634946

http://185.172.128.69
http://5.42.64.56
http://5.42.67.23
http://5.42.65.64

# Reference: https://x.com/morimolymoly2/status/1800422805294719405
# Reference: https://app.any.run/tasks/6752fe18-2357-458e-905f-baa254dfad17/
# Reference: https://app.any.run/tasks/9493f89b-aa5d-4edc-9e2d-7bf5bbe0da42/

http://45.77.20.249

# Reference: https://asec.ahnlab.com/ko/67509/
# Reference: https://www.virustotal.com/gui/file/f13061bcc8b0e607f463ba557130e49ef07ce7c3d749d145197554a226d75d9c/detection
# Reference: https://www.virustotal.com/gui/file/cbb265cfae15aa0f39bc67447aa82fc3ac40be6f9239a111e21e1532295eb4ed/detection

188.116.22.65:5000
imgdev.s3.eu-west-3.amazonaws.com

# Reference: https://www.virustotal.com/gui/file/10a418f349f66ed9d3ace0cf8c419724100af7cf1e2318f03977dd99186dac42/detection

46.166.160.173:5000
spy.top

# Reference: https://x.com/r3dbU7z/status/1810725087064011116
# Reference: https://www.virustotal.com/gui/file/c0c528c02762933bea32d2f01c48761e797f231d05fed3e91fdf4b05a6f845dd/detection
# Reference: https://www.virustotal.com/gui/file/57740d3e8111071bb228548c49bb1f2438f05e4f66f90015c439415da078867e/detection

http://37.114.42.89
37.114.42.89:7723
37.114.42.89:7763
interpol.cc

# Reference: https://x.com/johnk3r/status/1811507356380840061
# Reference: https://www.virustotal.com/gui/file/09352f4a540694828f687233d5daa72e7809d49b25fc659b52e79a644c0c9430/detection

codeprotectiongroup.com.au
kdarkplay.online

# Reference: https://x.com/malwrhunterteam/status/1814370019800711223
# Reference: https://www.virustotal.com/gui/file/22156f918e1777fdd502556582331118f63618cce7a16b24d2ba91eed09e85ff/detection
# Reference: https://www.virustotal.com/gui/file/832113e18b31afb0718112b130bfb301719785b1cf175c6737321ab50c62a6f5/detection

http://5.8.38.130
5.8.38.130:8000

# Reference: https://x.com/RacWatchin8872/status/1815685905325191270

http://198.46.178.229

# Reference: https://www.virustotal.com/gui/file/7043433a6cdd317c99eb1bfc68d5d56b7e55e73358f9cc5a1c9c89d710abeb54/detection

http://45.9.74.189

# Reference: https://www.virustotal.com/gui/file/604ea692ed8e041b45cf1961fb7439e269720de29f9052bf081b71767506a92e/detection

impersuasiblyredeliveranceunspleened.com
/v5/ehsq.php?amnf=

# Reference: https://x.com/malwrhunterteam/status/1818912801873637575
# Reference: https://tria.ge/240801-j4dz1a1arj/behavioral1
# Reference: https://www.virustotal.com/gui/file/5bfb6fa39e146a1ac1780c4bc8bdfa1f820e7b61bc2c60c6c13b440fb26616f5/detection
# Reference: https://www.virustotal.com/gui/file/bbbfdf66e9c773bcad95c6cd2e89a596620f417175de712269689b08f2643a40/detection

http://91.92.255.73
/v9/qlmz.php?mfgb=

# Reference: https://x.com/EncapsulateJ/status/1823063698220646760

/HELPFUL_STEAL
/HELPFUL_STEALER

# Reference: https://x.com/r3dbU7z/status/1827916313995485488
# Reference: https://app.validin.com/detail?type=dom&find=maintenance.exe
# Reference: https://www.virustotal.com/gui/file/1dda45d4075ff24afb934506c6b554c1f1db725daeb5974883183c6844b59a2a/detection

109.234.165.215:21
109.234.165.215:54430
109.234.165.215:61457
109.234.165.215:64815
qiza8384.odns.fr
addon-scarlet-analytics.com.qiza8384.odns.fr
ftp.qiza8384.odns.fr
mail.qiza8384.odns.fr
mail.scarlet-analytics.com
scarlet-analytics.com

# Reference: https://x.com/ShanHolo/status/1828371581707387242
# Reference: https://www.virustotal.com/gui/file/05ded1c8dda1a6773fdf0fb455ebf60cf45fcd46d9728a6392ee44cdbf5c9c08/detection

/kabeleblan591c

# Reference: https://www.virustotal.com/gui/file/51d9264e591df98e96eb17cc0fc735cbcd32a4448c2c5497d51924ad95fc9a6d/detection

spy-ware-dudu.squareweb.app

# Reference: https://x.com/0Dayhta/status/1828461255784378562
# Reference: https://search.censys.io/search?q=services.ssh.server_host_key.fingerprint_sha256%3A+0d09ffc6b420774fabce1148e90d9e0d0f1ca5ead4a1bdb0e754341b6826c401&resource=hosts

104.200.16.74:8090
158.140.133.56:8090
186.7.118.9:8090
50.207.70.160:8090

# Reference: https://x.com/iam_rajhans/status/1830957234660032815
# Reference: https://search.censys.io/search?q=services.http.response.html_title%3D%22Stealer%22&resource=hosts

http://91.227.62.102
http://91.227.62.103
52.208.202.196:3000

# Reference: https://x.com/SquiblydooBlog/status/1831323335306953164
# Reference: https://www.virustotal.com/gui/file/0b5fe211d558daa7d54207d2869f53d0a91ae16397343fd2605fd3a0f292dd21/detection
# Reference: https://www.virustotal.com/gui/file/269c3b26b215d397f012a20e241c54b2c693667d4f64243ebf8dba1a5872c02d/detection
# Reference: https://www.virustotal.com/gui/file/b761e91e77b67661db51d6b498ea39ccb6f143e51eeee18925a2dc4aab20adfa/detection

analfucker.lol

# Reference: https://x.com/malwrhunterteam/status/1833429879569760417
# Reference: https://www.virustotal.com/gui/file/ed5b0e8df751ad94212b080f4c94275f333c2aee169bd10c8341579923a88cb3/detection
# Reference: https://www.virustotal.com/gui/file/16d2e5a617f5ab0170c869dbfe68087d21d4e6923d60e0ea58cc6cabe353da0c/detection
# Reference: https://www.virustotal.com/gui/file/0f4824bc494dc0898196f7ff2b775a35b25a34bc1758501b8f8f6f56f19829a3/detection

194.135.104.214:443

# Reference: https://x.com/cyberfeeddigest/status/1834203974498496743
# Reference: https://www.virustotal.com/gui/file/10722f907c8382a48cbcc2ddda289db6e890280adc953f44091ea12877625e25/detection

data1.mlinkplanner.com

# Reference: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-09-19-IOCs-for-file-downloader-to-Lumma-Stealer.txt

gzipdot.com
/api/machine/injections?uuid=
/machine/injections?uuid=
/injections?uuid=

# Generic

/inject-keylogger.exe
/loader0AA004BA90B
/loadermeLMEM8
/loaderrogram
/Stealer/
/StealerLogs/
/stealer_php/
/.steal/
/Token_Stealer.bat
/FormGrabber/
/HistoryStealer/
/rust-stealer-public.exe
/rust-stealer-xss.exe
/Stealer.php
/StealerRegistration.php
