# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: meta stealer

# Reference: https://isc.sans.edu/diary/28522

193.106.191.162:1775

# Reference: https://twitter.com/r3dbU7z/status/1598702463158288384
# Reference: https://twitter.com/SinghSoodeep/status/1600821439766351872
# Reference: https://www.virustotal.com/gui/file/bde1d3e5fe7ae826dd534da40a93cb65ec35bf4e9441da62817effd10800b0ae/detection
# Reference: https://www.virustotal.com/gui/file/76c73380cc4deb30cbfbe8a7fd551da5aba1150505fb5b0b66599e4ba491848b/detection
# Reference: https://www.virustotal.com/gui/file/992c8f9fa72867910066a93163572a6feda8a9c4c6283da1042b2ba9117229c5/detection

185.200.190.185:1775
fled.store
gyaiaouyuakaeqgu.xyz
uosqysascuwmqgyk.xyz

# Reference: https://twitter.com/abuse_ch/status/1620450108134535169
# Reference: https://www.virustotal.com/gui/ip-address/185.206.145.96/relations
# Reference: https://www.virustotal.com/gui/file/58d74cb162b4d75b8857642c6ee0ff4107de8670f7b50b3c2e98c715c1555de5/detection

185.206.145.96:1775
gimptop.life
tor-brows.store
uiouaqcqqcgueweg.xyz

# Reference: https://twitter.com/AuCyble/status/1629111337203924992
# Reference: https://www.virustotal.com/gui/file/65c2dbec05a4949cc40e6817b66c3a2a3a99e73f6c500070b721107b2b09bc74/detection

45.138.74.170:12345
metamsoft.tech

# Reference: https://github.com/pan-unit42/tweets/blob/master/2023-04-13-IOCs-for-MetaStealer-infection.txt
# Reference: https://www.virustotal.com/gui/ip-address/185.172.129.192/relations

185.172.129.192:1775
mmswgeewswyyywqk.xyz
wgcuwcgociewewoo.xyz
kvckz.engineercoin.xyz

# Reference: https://twitter.com/pollo290987/status/1658230510617862147
# Reference: https://www.virustotal.com/gui/file/be23d93128af34f8a0c84faeb605c524906d7d0f1f88ee3c3e50e2419819042b/detection

167.88.12.99:1775
iqowocguasswcmca.xyz

# Reference: https://twitter.com/NexusFuzzy/status/1711714297464664556

193.233.254.218:23493
194.169.175.232:45451

# Reference: https://threatfox.abuse.ch/ioc/1196832/

194.87.31.142:3000

# Reference: https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metastealer-malvertising-campaigns

cewgwsyookogmmki.xyz
csyeywqwyikqaiim.xyz
iqaeaoeueeqouweo.xyz
iqwgwsigmigiqgoa.xyz
kiqewcsyeyaeusag.xyz
ockimqekmwecocug.xyz
rawnotepad.com
startworkremotely.com

# Reference: https://twitter.com/Cuser07/status/1750046361201082589
# Reference: https://www.virustotal.com/gui/ip-address/185.172.129.87/relations
# Reference: https://www.virustotal.com/gui/ip-address/89.191.234.14/relations
# Reference: https://www.virustotal.com/gui/file/710191b05ec3faf6012bad12e6d66a638301da9c6f0b6a14413b716023c1fcfb/detection
# Reference: https://www.virustotal.com/gui/file/1ed0b21cba44b2511d574d81bc328e7bd6f498c552ff0f0beaa7aad2d98e522d/detection

ikomoouessgqekmc.xyz
ikswccmqsqeswegi.xyz
kiyaqoimsiieeyqa.xyz
ssqsmisuowqcwsqo.xyz
ykqmwgsuummieaug.xyz

# Reference: https://x.com/karol_paciorek/status/1810572476012716305

http://77.105.135.39

# Generic (URL paths, not tied to a single reference above)

/tasks/get_worker
/meta2406.exe
/meta2606.exe
/meta2806.exe
