# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: koi loader, koi stealer

# Reference: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-04-04-IOCs-from-Koi-Loader-Stealer-activity.txt
# Reference: https://app.validin.com/detail?find=em-p.com&type=raw&ref_id=4601439c6e9#tab=host_pairs

http://195.123.218.28
http://195.123.218.36
http://195.123.218.37
http://195.123.218.40
http://195.123.218.46

# Reference: https://x.com/1ZRR4H/status/1797809897800687796
# Reference: https://x.com/1ZRR4H/status/1798023836186632394
# Reference: https://x.com/V3n0mStrike/status/1798040558646317552
# Reference: https://www.virustotal.com/gui/file/b6cd42853c9f137da206ed6dfd50f8b2d1e02c11279893410ff410a9bd505682/detection

http://81.19.141.115
dsestimation.com/wp-content/uploads/2015/10/
shalom.pt/50/
/azoxyphenetole04.php
/filenoncontrabandsvb1.ps1
/filepiemagli2x6.ps1
/inadvisable34.ps1
/overtalkerf4yri.php
/perikarya30lv.php
/triacidsIO.ps1

# Reference: https://x.com/V3n0mStrike/status/1798053456168824917

http://45.86.162.187
crowcrm.eu/adserver/docs/images/
/forefacesCHi.php
/innomineOG57P.ps1
/politerl3.ps1
/smileful9Zm.php

# Reference: https://x.com/V3n0mStrike/status/1800549934975869433

http://89.251.22.227
lechiavetteusb.it/imgs/usb/logo/
/khesariQUXH.ps1
/andantezWA.php
/arteriomalacia4hc.php
/wizeninglYZn.ps1

# Reference: https://x.com/V3n0mStrike/status/1803576931763274162
# Reference: https://www.virustotal.com/gui/file/df9551c24b9cc63454b309c7ccf46b6e8120b78a296f955b509a570d7fb4f5ee/detection

http://176.10.111.71
/bitteredXD3.php
/eriocomiXQ.ps1
/incarcerative7iEA.php
/zietrisikiteFtK.ps1

# Reference: https://x.com/V3n0mStrike/status/1804262773058343263
# Reference: https://www.virustotal.com/gui/file/950eee474cf4cb3b59178b348cfd618460dc7a895b6a024aa7b3c07845b5c6ab/detection

http://195.54.160.202
/nyctalopicAWm.ps1
/pinspotterEtbYF.php
/untormentedXz.php

# Reference: https://x.com/malware_traffic/status/1804280281026957668

http://78.142.29.113

# Generic (path/query indicator with no associated host or reference in this file)

/index.php?id=&subid=Xtxgn5mh
