# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/ViriBack/status/1035683053459460098

3dchesmellltda.club

# Reference: https://researchcenter.paloaltonetworks.com/2016/03/banload-malware-affecting-brazil-exhibits-unusually-complex-infection-process/

compra-da-sorte.com
vemsorte2015.com

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banloa-CRQ/detailed-analysis.aspx

triocar.web1629.kinghost.net
www.inducar.kinghost.net

# Reference: https://twitter.com/pancak3lullz/status/1040343104564473865

beladoces.online/wp/wp-includes/brazilkrisemundial/index.php

# Reference: https://twitter.com/James_inthe_box/status/1242573224006696961

/AppCounter20032020-001/index.php

# Reference: https://twitter.com/1ZRR4H/status/1243178915507703810

seguridadsucursal.online
tma8sjw.myftp.org

# Reference: https://blog.scilabs.mx/blog/2019/12/06/campana-cosmic-banker-sigue-activa-y-revela-vinculo-con-banload/
# Reference: https://www.virustotal.com/gui/ip-address/51.79.31.28/relations

http://51.79.31.28
comprobantes.sytes.net
dgi1b2n3m4.ddns.net
/RO3473I4R4Y.php

# Reference: https://twitter.com/James_inthe_box/status/1245427754977263617

receitafazenda.webcindario.com
/primo/verifique.php

# Reference: https://twitter.com/NtSetDefault/status/1253292071877820416

4up4.com/uploads/file_2020-04-13_031927.jpg

# Reference: https://twitter.com/Bank_Security/status/1258359587729813504
# Reference: https://seguranca-informatica.pt/brazilian-trojan-banker-is-targeting-portuguese-users-using-browser-overlay/
# Reference: https://www.virustotal.com/gui/file/ed1e2a3767b575cce54e13e05112f30156590cc080a0d0865aaf85686c4e51be/detection

23.108.57.243:3389
http://23.106.124.20/avs/img1/index.php

# Reference: https://twitter.com/sevenofnull/status/1275342947068915713
# Reference: https://app.any.run/tasks/141db5f3-0e93-43c3-96e9-ebf0e69bccda/ (# MALWARE [PTsecurity] Trojan-Spy.Win32.Delf(Banload))
# Reference: https://www.virustotal.com/gui/ip-address/104.154.43.185/relations
# Reference: https://www.virustotal.com/gui/file/b22f8eaf82e15fe8118617cd7db703486696a82924dbafcbc31d8ce1262fcdb5/detection
# Reference: https://www.virustotal.com/gui/file/2f4db2bd529b5705308afd647b26d1a172d34b31d3382da57bac67aa3373a43c/detection
# Reference: https://www.virustotal.com/gui/file/507b299b76133f4ee7a30c12e23e45fa6fe9a1990ac87cb39136c25cc015e011/detection

104.154.43.185:60001

# Reference: https://twitter.com/NtSetDefault/status/1282277236423512065
# Reference: https://www.virustotal.com/gui/file/bc0073b75adda338d994361b4ebc1bc964197826ee75cf790948f128785780bc/detection
# Reference: https://app.any.run/tasks/637f560b-00da-442c-aef5-6ebc990a0646/

outlook39923.autodesk360.com

# Reference: https://twitter.com/NtSetDefault/status/1285909036815323136
# Reference: https://twitter.com/NtSetDefault/status/1285914518095302656
# Reference: https://app.any.run/tasks/599e1eb9-a1c9-4d80-b33d-281cd619cc6c/

correiosbrasilsedex.serveftp.org
enviocorreios.serveftp.org
sendcorreiosbr.serveftp.org
seusedexrapido.serveftp.org
m0380933669.s3-us-west-1.amazonaws.com
u3028903369.s3-us-west-1.amazonaws.com

# Reference: https://twitter.com/NtSetDefault/status/1273040649542131713

emissaocontadigital.eastus.cloudapp.azure.com

# Reference: https://twitter.com/sirpedrotavares/status/1305076741107519488
# Reference: https://www.virustotal.com/gui/file/e6cbaf9d2d01467048c758ba5e6ef3b68e624f67ece32dd68ebfeab235ed7ce5/detection
# Reference: https://www.virustotal.com/gui/file/cd878cd53b60f3bd950dc84ca731e07b4b49e18aed28f7e5d0bb39e5ab9c4ae7/detection
# Reference: https://www.virustotal.com/gui/file/373386e10c2e71329f0e8b4f51bef1fc0c4eb716f459cdf8a93941cff336b89b/detection
# Reference: https://www.virustotal.com/gui/file/8e9e5c2e16c8712f9e1ebfd4c295a1afe9373b95580ca73352f32e37d07408b6/detection
# Reference: https://www.virustotal.com/gui/file/4227332820fffcae05ae9d12a0e0b20f2291eb7b6bf8982b5301f24caadfbe8e/detection
# Reference: https://www.virustotal.com/gui/file/c05e9c1b155559d500ed0a2b3ca4c02d2a679db4191a7b35b9c44c2bdd61210d/detection
# Reference: https://www.virustotal.com/gui/file/985485888ef165eba912578cceb76981e9e5841bf928db739afbf472ea09deff/detection
# Reference: https://www.virustotal.com/gui/file/23892054f9494f0ee6f4aa8749ab3ee6ac13741a0455e189596edfcdf96416b3/detection
# Reference: https://www.virustotal.com/gui/ip-address/191.235.99.13/relations
# Reference: https://www.virustotal.com/gui/ip-address/52.91.227.152/relations

http://191.235.99.13
http://52.91.227.152

# Reference: https://otx.alienvault.com/pulse/5f75c5efcce31cfc583bafaa

58sky.com
wdx.go890.com
khelpdesk.com.br
go890.com
mg.5636.com
master.khelpdesk.com.br

# Reference: https://www.virustotal.com/gui/ip-address/31.220.59.65/relations
# Reference: https://www.virustotal.com/gui/file/3c23a8a65d78c035753bc0a437ed1bcab53f4a981608c10dbf936de28be4f3e3/detection
# Reference: https://www.virustotal.com/gui/file/99ba789471d2df7249bddf5741a0d5fa58147af4e3865490a93fcd1ea609c3ec/detection
# Reference: https://www.virustotal.com/gui/file/8aff76bef1eaed56b46d983051e8a817a893905c82cda79573316adc823baa54/detection
# Reference: https://www.virustotal.com/gui/file/1e6aaee1a283c652812fec6a70f8d1759de53a723af4ea415d3a4fa2ea083166/detection

defaqw.duckdns.org
fyjftn.duckdns.org
hsjkse.duckdns.org
jddrtj.duckdns.org
lokj.duckdns.org
xcgt.duckdns.org
xder.duckdns.org
xeida.duckdns.org
yiydk.duckdns.org
zere.duckdns.org
zxcw.duckdns.org

# Reference: https://www.virustotal.com/gui/domain/novelsim.shacknet.us/relation
# Reference: https://www.virustotal.com/gui/file/7ca842d8f2c83eddf6bd393415c4cff54ec7fa5c51f34738bb6aa1114714c6ec/detection

novelsim.shacknet.us
/troBEROamkr0192013.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1329728270326247425
# Reference: https://bazaar.abuse.ch/sample/5c3f5dec5271e020a29643f1e75b7a6b07bb52562ee8426b21e7d76e9a46661b/
# Reference: https://www.virustotal.com/gui/file/5c3f5dec5271e020a29643f1e75b7a6b07bb52562ee8426b21e7d76e9a46661b/detection
# Reference: https://analyze.intezer.com/analyses/55ad918a-ba00-497f-a2c5-262c957aa52f/sub/dc9bf2d0-cfce-46e1-8b22-6034f5df3d68

217.8.117.74:8364

# Reference: https://twitter.com/wwp96/status/1337112340001681411

gassmp.podzone.org
/Bebroms29129MSKEdrf.php

# Reference: https://www.virustotal.com/gui/file/3f15a5000fe56acf94ddaf281bbb634cc14d0d84ffed7b244ac38f97c4b23a0c/detection

lojinha-deroupas.com.br
/muralavisos.php

# Reference: https://www.virustotal.com/gui/file/9d4e819a148f6f3ba4d205cf7f3e383ba5c1e6510e34968c38f192dc0e8b3e07/detection

guardasnoturnos.com.br

# Reference: https://otx.alienvault.com/pulse/5ffc3ef208af976d9393d1e2
# Reference: https://www.virustotal.com/gui/domain/cp2.sanandresplazza.com/relations
# Reference: https://www.virustotal.com/gui/file/87c87de35dcd8832043ead5aee4d937ad57f60eb7b68506bd2d976c52d694f3a/detection
# Reference: https://www.virustotal.com/gui/file/cb28fb0cd8281caab59fd57ed18619d9d8c41cfbd01e6e8ed1b35399d2d36d73/detection

astylo.net
guiama.is
/plugins/authentication/ldap/Des_x_.png

# Reference: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
# Reference: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/012/156/original/snort3-community-rules.tar.gz
# Reference: https://www.virustotal.com/gui/domain/lucas.digitaldesk.biz/relations

lucas.digitaldesk.biz
prepara.biricell.com.br

# Reference: https://www.virustotal.com/gui/file/02131c8c30c6852ea1094661960d8cd697e014c2327582b9bbfc8440100d08ef/detection

casting.diamondhostess.hu
uslugi-ryazan.ru

# Reference: https://www.virustotal.com/gui/file/f8d9e056bfaa7ee2d74c2fcd5411de3868f47c1301e1cf55a0180b774df1d348/detection
# Reference: https://www.virustotal.com/gui/file/42575b866129035b28068456fa9d988ff86d5573e86a8138ba63c0b3423f6820/detection

mssql.maurosouza9899.kinghost.net

# Reference: https://twitter.com/dgarcianet/status/1352235429160955904

web.groupe-convergence.com

# Reference: https://www.virustotal.com/gui/file/34e16a68835f05ec748e2928409c3f07bdc5268eae0916cfef8a182e031cf6d1/detection
# Reference: https://www.virustotal.com/gui/file/7c019dca867ba21a5d8bb6eabd5750d0f06778fb82ff8866d4900a793d7bcc5c/detection
# Reference: https://www.virustotal.com/gui/file/43ea536308e35b15858237ff4b4b565ca70c1434af0b40dc7336c90c5362e99d/detection

critichotshot.com

# Reference: https://otx.alienvault.com/pulse/6023cbfddb978ba4bf15730b

5636.com
58sky.com
go890.com
jxwan.com
wanyouxi7.com
lordstark.dynamic-dns.net

# Reference: https://twitter.com/Unit42_Intel/status/1369043270429466634
# Reference: https://github.com/pan-unit42/tweets/blob/master/2021-03-08-IOCs-from-Banload-infection.txt

arquivomes03.brazilsouth.cloudapp.azure.com
casaprodutosportal.net
hirotrindade.webcindario.com
shonitrohifi.com

# Reference: https://www.virustotal.com/gui/file/8e95a0564b92cc9285ab0f74076c2aa5c666658a3933ceeaa9942d1a3823a7e2/detection

nwdnydxxxeo.hosthampster.com

# Reference: https://www.virustotal.com/gui/file/a9045a3692c91964dcb62966c7d44f6c00344bf11b5784374b7b64eef9c3ed31/detection

br12jh87te87lkre63a.servepics.com
/hhrytn35/lw1.php

# Reference: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html (# Win.Downloader.Banload-9861199-0)

brasilcargas.space
cabanadosol.net

# Reference: https://www.virustotal.com/gui/file/d51886e1555a1a94472f639a4cc9d670993011eafa7be4a3ea93219cd2a7b975/detection

http://74.125.230.247
http://98.137.201.117
deliverycards.sytes.net
rdsbox.no-ip.info

# Reference: https://www.virustotal.com/gui/file/e62d5c2402f3455766839f357ae4a4c9ff48cb82451e7a06329fe7186dc9fbcc/detection

41.100.82.137:1891
salah-dz.no-ip.biz

# Reference: https://www.virustotal.com/gui/file/48739c53c560536f074d4b4ad5e98e6be128ea137ecf6658d31fb4dbe98a1038/detection

http://3.96.187.180
/zebudega/5CG46H2J8740503TR.php
/5CG46H2J8740503TR.php

# Reference: https://www.virustotal.com/gui/domain/universal101.com/relations

universal101.com

# Reference: https://www.virustotal.com/gui/file/5a0d1b0431f975ee227c77a951711e749095cf872b2761c3370e3cdb7726d003/detection

raimundex.no-ip.biz
raimundex.no-ip.biz.ovh.net

# Reference: https://www.virustotal.com/gui/file/07eb52e969a2bfb9181e132b235e161516264934edd24a197d7f09505a24c4e0/detection

187.113.20.62:11891
klinspect3.no-ip.info

# Reference: https://www.virustotal.com/gui/file/455f4167f9f057c160956e9e1a27e662dfc5abd820cfe1be99c7728403af67b4/detection

ret.space

# Reference: https://www.virustotal.com/gui/file/ec124a8ed148e2f6943dffc8cc2b072ae2ef887aa2ce87de5c93e4006bc9a846/detection

172.105.155.183:7777
getmalware.com

# Reference: https://www.virustotal.com/gui/file/85ee41bba3c7946de4d8b807a6aa07019fa27bdd7d923906773135f541c893b9/detection

myserverok.myftp.org

# Reference: https://www.virustotal.com/gui/domain/upsvcm.myftp.org/detection

upsvcm.myftp.org

# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/banking-trojan-latam-brazil
# Reference: https://otx.alienvault.com/pulse/617bc3fe39fce40899c10840

http://13.36.240.208
http://15.237.27.77
http://15.237.60.133
http://52.47.163.237
centralcfconsulta.net
centreldaconsulta.com
/ando998.002
/carindodone.ways
/esperanca.lig2
/esperanca.liga
/microsft.crts
/msftq.doge
/nanananao.uooo

# Reference: https://twitter.com/r3dbU7z/status/1456797053317701633
# Reference: https://twitter.com/r3dbU7z/status/1489192209119387649
# Reference: https://twitter.com/r3dbU7z/status/1489548681154076676
# Reference: https://www.virustotal.com/gui/file/d97e54139ae34a8aeefff4d5ac760caa5b8cbb1a91af6fa5d725a0cfba6dfeb0/detection

147.182.207.189:8000
googlyconnect.tk
googlyconnect.xyz
ngetconnect.tk
tatamagicexpress.tk

# Reference: https://twitter.com/ffforward/status/1490419292202012677

lamboarrived.com
lamboarrivesssd.com

# Reference: https://www.virustotal.com/gui/file/e46f8a434d8935182491ccb8cd4d17e120458af5821b12613931ee3bb826c706/detection

scan-x9.gleeze.com

# Reference: https://twitter.com/abuse_ch/status/1491102298642157569

http://18.222.122.216

# Reference: https://twitter.com/JAMESWT_MHT/status/1511574103316221952
# Reference: https://twitter.com/1ZRR4H/status/1511588774618169350
# Reference: https://twitter.com/pr0xylife/status/1511753527827353606

filtrosefioseletricosd.eastus.cloudapp.azure.com
pdf-nfe82234018756.australiaeast.cloudapp.azure.com
toystorehuewjir2341234.norwayeast.cloudapp.azure.com

# Reference: https://twitter.com/malwrhunterteam/status/1512501726410166280
# Reference: https://www.virustotal.com/gui/file/c07afe27b4f94dbeb6a21e23deb331a3ede658975471c689226162fda28325e0/detection

bussines.click

# Reference: http://blog.talosintelligence.com/2022/04/threat-roundup-0408-0415.html (# Win.Downloader.Banload-9943209-0)
# Reference: https://www.virustotal.com/gui/file/6e88c0fc568192968be1ea2c0242bce09141b8b151b469a9d378b66c32909207/detection
# Reference: https://www.virustotal.com/gui/file/f4dc20793b32c7fe417de28cbe15e158f6e71e984dae1aaca9fd0d6db91b3bbb/detection
# Reference: https://www.virustotal.com/gui/file/ab52085f0cb9a9466f526defcc6535793ea415eea35c9bd89afdd2250f61f4da/detection
# Reference: https://www.virustotal.com/gui/file/197218e9d34b526633f525d0b4287cb2a7822b5eca468706861e9305975001f2/detection
# Reference: https://www.virustotal.com/gui/file/357e7e3938085403df07804b7df5bfb204383383e471dcc8fadc621e0827fae6/detection

acreunagoias.com.br
arquivos2011.net
bamcodedados.com
bancodados.com
ceyfad.com
divixonde.com.br
encontragoiania.com.br

# Reference: https://twitter.com/b3ard3dav3ng3r/status/1522554429836509185

http://135.148.155.27

# Reference: https://www.virustotal.com/gui/file/157650a417bac6874b180b9e1603ce39347940c605ec3229d99771992c394ea5/detection
# Reference: https://www.virustotal.com/gui/file/ef8457a60771b1eefdbd53cf09b30b546d96736748db2e3e325b26993abe1afe/detection

193.124.22.17:23520

# Reference: https://www.virustotal.com/gui/file/c192c4a8647935e35a756e0e9cb71a2b4536f927bee108ec1580e6d31fcca785/detection

http://193.124.22.17

# Reference: https://twitter.com/James_inthe_box/status/1562089001124708354
# Reference: https://twitter.com/Computeus7/status/1562108381187522561
# Reference: https://app.any.run/tasks/10bd0f91-2556-4574-8acb-bdf67441a276/

51.161.108.106:44233

# Reference: https://www.virustotal.com/gui/file/c94d2ab86cd34531f591a849b3b4a7349e9c57ab7eb53dd58f4aa9a69e1eff0e/detection

lordgunz.com.br

# Reference: https://twitter.com/Merlax_/status/1614742984943181824
# Reference: https://www.virustotal.com/gui/file/2f04292fac6ce3a8ab250dc256894f037e302f82912f365d93f915cb184ed3f7/detection
# Reference: https://www.virustotal.com/gui/file/4b9fc4775b932ff14eab52b990e61e7a2277b4d53c6cf3ac38902ceec8e55101/detection
# Reference: https://www.virustotal.com/gui/file/56f827c9a7df7f2ad1666ff803f79a99bc2005591a7095b1d36f65c2e2c46ecd/detection
# Reference: https://www.virustotal.com/gui/file/414acda5515a33333d51720b26fd80f51d15840294502fe253320c0aa49cbd8b/detection

http://194.180.191.50
http://51.77.193.20
comiteradvogadosbr.com
adsshfitletgowchatwi.ukwest.cloudapp.azure.com
aniversarioagostovw.servesarcasm.com
hown1301.s3.us-east-2.amazonaws.com
imobiliariapacheco.ciscofreak.com
modonlineservletgowads.southafricanorth.cloudapp.azure.com

# Reference: https://twitter.com/Merlax_/status/1617673017181736960

http://20.226.125.180
joliedocescapnhalida.com
hownter2301.blob.core.windows.net
/brumnx2301fff/
/KKKK/nmhjhghhhjh.php
/nmhjhghhhjh.php

# Reference: https://www.virustotal.com/gui/file/9c1732d555a02453ad01c3a2555980d2722a2e49a5c58385ca91efc3af54a526/detection

4.235.112.145:30000

# Reference: https://www.virustotal.com/gui/file/863dbdb4a47448c7ed262700f0e5f7dbae552c196ffdd906a6407717789b3873/detection

162.33.178.82:4411

# Reference: https://twitter.com/0xToxin/status/1655558045810688001
# Reference: https://twitter.com/0xToxin/status/1655568340520148992
# Reference: https://app.validin.com/axon?type=ip&limit=100&find=161.35.75.27
# Reference: https://www.virustotal.com/gui/ip-address/161.35.75.27/relations
# Reference: https://tria.ge/230508-p2pavacd8v/behavioral2
# Reference: https://www.virustotal.com/gui/file/009744efc6add254a302d5f13316dbc3e949210a50ad284e8f74f9a83436b494/detection
# Reference: https://www.virustotal.com/gui/file/8dd25b5662494e16c5a0926aa0439a249fe99eda604f86e2f523bb7404ccd476/detection
# Reference: https://www.virustotal.com/gui/file/76cc21b1dfe2b839f5bba0e90a2c3cb9ce3d29f9b5e70c50d04f69bf9c21f1e1/detection
# Reference: https://www.virustotal.com/gui/file/3c758a47e63a69f826091543c4b3ebe8198f4928f769cdf571b3b3ffdf9cea9b/detection

194.15.216.218:11940
alemaoautopecas.com
arquivosclientes.online
atendimento-arquivos.com
contatosclientes.services
fantasiacinematica.online
cartolabrasil.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1686693663600959488
# Reference: https://www.virustotal.com/gui/ip-address/38.60.216.75/relations
# Reference: https://app.any.run/tasks/e493067a-3c2b-480e-9d4d-fe7dee17b16e/
# Reference: https://www.virustotal.com/gui/file/eb7422a5e1d44906531dc6e5357468200c57eeb616bb288acd9b9e4d526b5c49/detection

espinafrehome.com

# Reference: https://twitter.com/ThreatBookLabs/status/1688184398653382656
# Reference: https://www.virustotal.com/gui/file/59fc50d5d9400a0402cd5510d7a0158d20d1cf9a566e8c65b4045a46ef257839/detection

kingalem.no-ip.org

# Reference: https://www.virustotal.com/gui/file/bee71f38e39043227cd2454d3fbc1a9f260248c92c797ef404ca90669a2e24f2/detection

novossim.com
cc23c237.thaieasydns.com
mastercash237237.servehttp.com
mastercash237238.servehttp.com
mastercash237239.servehttp.com
nostra23770.thaieasydns.com

# Reference: https://threatfox.abuse.ch/browse/malware/jar.banload/

bagnovo.duckdns.org
felfacturas.serveexchange.com
pancinhabrasil.duckdns.org

# Reference: https://www.virustotal.com/gui/ip-address/4.228.57.28/relations
# Reference: https://www.virustotal.com/gui/file/102d058393d47801d714fa7af1d7a68280984f325f2af731dfaa80d3757d1ba6/detection
# Reference: https://www.virustotal.com/gui/file/96eee4f2533216ed17187439a80704beb001458772a51253a00c385605f7caed/detection

contabilidade3irmaos.com
marmitariasaobernado.com

# Reference: https://www.virustotal.com/gui/file/1608dc13532992176305dd7ee7e5574d1750edd20bd7481b145566d2771fdef4/detection

27.124.36.23:12345
27.124.36.23:8080
jnybf.gotdns.com
xdks.selfip.com

# Reference: https://www.virustotal.com/gui/file/e83d77bc8516a2b79979e15193f29293f81ddede663babdffadda31b6816c378/detection

carcarah.game-server.cc

# Reference: https://www.virustotal.com/gui/file/d2359d42fb8b0b4dcd4ad2fba4239440600b31b2fcf1e9c70997024e808fd2d5/detection

avisos-kalitop.duckdns.org
/bnmyj35/lw1.php

# Reference: https://www.virustotal.com/gui/file/61e2b01ecd0591e16907a64e0064bb25305cf2714898af952767500d77373920/detection

servidoressmtps.sytes.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1729109795905413587
# Reference: https://www.virustotal.com/gui/file/cefcb2def056527eb0f8c63019b0fb1f080cb430fabc345cd5784c7d71439fe2/detection

jf27z.app.goo.gl

# Reference: https://www.virustotal.com/gui/file/0269114cddff224ac896111843a7a4c7d61696933ce1d8b9d0940e46c43511b4/detection

thekiwi.club
petitbrun1.websiteseguro.com

# Reference: https://threatfox.abuse.ch/ioc/1211203/

arenterprese2023.is-a-caterer.com

# Reference: https://www.virustotal.com/gui/file/11f7dd1f31a21800737152a2146f25f4f19ebe1399351dc8f93da0960ab59c01/detection

srv434307.hstgr.cloud

# Reference: https://twitter.com/naumovax/status/1783157180482330859
# Reference: https://www.virustotal.com/gui/file/21ea08b654bff294ac1266fdac15711e1436f66a29053117b4128e48226f247f/detection
# Reference: https://www.virustotal.com/gui/file/25517d74909089984bc23d6ed441fad051fa75919efe31a59e28c0adef7a65f0/detection

http://67.23.231.76
/bbs/.dc/infecteds.php
/bbs/.dc/infecteds.php?&vit=
/bbs/.dc/phpiespana.php
/bbs/.dc/phpiespana.php?&vit=

# Reference: https://twitter.com/banthisguy9349/status/1783064442210513213
# Reference: https://www.virustotal.com/gui/file/bafd74790fa95d49afac2710dd231ec413dfd0078b57efd75e20704e28a36fe8/detection
# Reference: https://www.virustotal.com/gui/file/9baba9e4c8cbdc25b71ed0ab4ea7586c6bc3f0639b6a96c828a52a5dafe16c9a/detection
# Reference: https://www.virustotal.com/gui/file/06a9de0b7a1ce8a57375a10ea12f030a618e5f56d695f7e582c6ff79e7554757/detection

45.88.90.32:5000
45.88.90.68:5000
dsahgduoi.ddns.net

# Reference: https://twitter.com/naumovax/status/1783461745954013309
# Reference: https://www.virustotal.com/gui/file/f1dfdb145e5eaa6dbdc6e5b15ef04832476f5602aab19262e28552e11dcd6e7d/detection
# Reference: https://www.virustotal.com/gui/file/d97e3271b25dacc5bba07b56524fb72586efdd34e09732331efed207ac98fb4e/detection
# Reference: https://www.virustotal.com/gui/file/ba75a09cb2c7a3bdce016eef3ff72d4a8035842716ddc1b1b73fa18b08ad9804/detection

ormskirkhistoricalsociety.co.uk/site/content/users/themes/index1.php

# Reference: https://www.virustotal.com/gui/file/d394f24125e3d4bb8efc5a09be3b43cbe7c48519a641b998d91b34dd6f0a0386/detection

tsil.xyz

# Reference: https://x.com/malwrhunterteam/status/1818749021902848418
# Reference: https://www.virustotal.com/gui/file/a52c992d733d2d1b7b6cead217dd75121a3b25ec4c97747eeef9e0647b33ffde/detection
# Reference: https://www.virustotal.com/gui/file/6a03346444779ce622dfff7c6797f325a196777d8df8c40c667e7dce6ad2c12a/detection

http://91.92.248.168

# Reference: https://x.com/1ZRR4H/status/1828314898683646309
# Reference: https://www.virustotal.com/gui/file/ae920c4b5dffeee77b84412ecf076d8f536770a71a4f71e29caff6182b6729ec/detection
# Reference: https://www.virustotal.com/gui/file/968fb68f27657aff6230a96641d1761dcc77d8d5f593f716e406ac7638a41f24/detection

http://157.245.91.85
http://170.238.45.64
http://184.168.31.104
http://68.178.202.77
http://85.198.108.68
104.31.168.184.host.secureserver.net
77.202.178.68.host.secureserver.net
fsistviewer.online
starlinkmini-planos.online
learn.kungfu-taichi.ca
cpanel.learn.kungfu-taichi.ca
mail.learn.kungfu-taichi.ca
webdisk.learn.kungfu-taichi.ca

# Reference: https://x.com/johnk3r/status/1828539602849685966
# Reference: https://search.censys.io/hosts/191.101.131.244
# Reference: https://www.virustotal.com/gui/file/4d9fd02f8a969b2b3a3ecccb5569a5948ebc0e09ba588c09079f26f7477ca7a7/detection
# Reference: https://www.virustotal.com/gui/file/a98e3725e67617856e80da1d29ce39d491f0f56f7f832b949825749d02b8225e/detection
# Reference: https://www.virustotal.com/gui/file/8a076222fcbe733eb3e729f12117a23a3062642f47e9bde0aca1712e1996e568/detection

http://191.101.131.244
191.101.131.244:443
191.101.131.244:445
191.101.131.244:47001
191.101.131.244:5395

# Reference: https://x.com/johnk3r/status/1836466799518384279
# Reference: https://search.censys.io/hosts/4.228.227.50

4.228.227.50:3389
4.228.227.50:4194

# Reference: https://x.com/johnk3r/status/1842388967322251455
# Reference: https://x.com/johnk3r/status/1842390498641690735
# Reference: https://www.virustotal.com/gui/file/4ecd197919beb808c5e60247dae7bdaabfdab659dce65af626e41bf729ff032a/detection

circulomaximo.com
nvidrive.com

# Reference: https://app.validin.com/detail?find=Nota%20Fiscal&type=raw&ref_id=5663d651f5d#tab=host_pairs

ment-notafiscal.online
notasfiscaisbr.online
ofertagridz.store
pay.ment-notafiscal.online

# Reference: https://x.com/johnk3r/status/1907837072750063687
# Reference: https://x.com/johnk3r/status/1907837075451433005
# Reference: https://x.com/johnk3r/status/1907925793336078675
# Reference: https://www.virustotal.com/gui/file/51ed2115debb9d3ae34bbc2660bbc8c7930482ccc378a06175b24d3fba7af874/detection
# Reference: https://www.virustotal.com/gui/file/89be5190f71185821d657f9df2c1112f61099ad23c8c668bb4d03ccfbed28430/detection
# Reference: https://www.virustotal.com/gui/file/508a4646dbf7deaa99eee8db6b21e36c14c1570f627b31a264e8fa84e7db063b/detection

http://18.231.162.77
accioretmoi.fr
adlabs.live
agenciametadesign.com
apixlogistica.it
arkutec.cl
artamnet.ir
atlas-dental.kz
avr.pl
avvakumovanata.com
aydintepeheritage.com
aznar.ir
bestbikeshopsinamerica.com
cashellkitchensandbaths.com
cercledesoie.fr
chefderarmee.ch
clientepj.com
clinicadentalargarate.com
connectingdisorders.org
damadesign.co
danke2.com
dinosvault.com
ekoclima.cl
eurotrain71.ru
explosionwebs.com
foraj-piloti.ro
futebolmilionario.com
gemherald.com
global4web.com
grahamtrott.com
helpvenezuelanow.com
htmedia.net
imen44.com
itmind.lk
jknewsnation.com
koalahouse.com.vn
koalahouse.edu.vn
lescoeurssains.fr
macskavar.hu
malhasvitoria.com.br
mmcsitalia.com
mykorsaa.online
newcovenantoffaithchurch.org
nicholasmarley.com
notalone.online
nuk.vn
olivierweiter.eu
plaridge.com
playstacja.pl
pousadacasabonita.com.br
proexcorp.com
ranchocentral.com
rdonkk.com.ua
rerum.lt
rnpapeles.com
rnpapeles.site
samerelsharkawy.net
savannaplaza.com
sellodeempresa.com
sellodeempresa.es
sepidehbakht.com
sharlot.com.co
sika-dealer.ru
smartworkafrica.com
staffsound.com.mx
treomay.vn
usmiku.cz
vchot.ru
villasol.pl
vinucuoitretho.org
wiusbso.com
zumangn.com
almeida.clientepj.com
clien.ranchocentral.com
enota.clientepj.com
/almeida/contador.php

# Reference: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/operation-phantom-enigma

atual2025.com
computadorpj.com
financial-executive.com
nf-eletronica.org
nfe-fiscal.com
relay.lombrelone.com
servidor2025.com
syarousi-search.com
webrelayapi.online

# Reference: https://x.com/JAMESWT_WT/status/1910556202045411823

vmi2471669.contaboserver.net
pt-app.link
emitirnf.pt-app.link
notasfiscais.pt-app.link

# Reference: https://x.com/malwrhunterteam/status/1912398777341583423
# Reference: https://app.validin.com/detail?find=avisos-sat.com.mx&type=raw&ref_id=377814eea86#tab=host_pairs (# 2025-04-17)
# Reference: https://app.validin.com/detail?find=5d1a275870f739288cee8cef951b54df074a83aa&type=hash&ref_id=377814eea86#tab=host_pairs (# 2025-04-17)
# Reference: https://www.virustotal.com/gui/file/78f081bc44c2fc5e4bf90a316332368ccbcc91985c1e79b48f50cf351c358f1a/detection
# Reference: https://www.virustotal.com/gui/file/b1cad3b4ac48ee249fbfbcef539387bf452c1a065002b916b930cef527288040/detection

http://46.101.106.166
elquecreeenmiviviraporsiempre.xyz
servw092msm2.com
servw092msm2.online
servw092msm2.xyz
diosesmipastorynadamefaltara.elquecreeenmiviviraporsiempre.xyz
windows-update-microsoft.mx-acceso9l73i1.com
/ufidwowifbgreowdnweirfjoibfgeiosndwiefmoshifg/contar.php
/ufidwowifbgreowdnweirfjoibfgeiosndwiefmoshifg/

# Reference: https://x.com/ShadowOpCode/status/1960708643344576873
# Reference: https://www.virustotal.com/gui/ip-address/209.159.144.13/relations
# Reference: https://www.virustotal.com/gui/file/07edfb9644cad117abc6f44b4c23b80ae70ff549482df56fe4682a62e32a828f/detection

181.214.48.127:443
209.159.144.13:3020
casabahia.servicos.ws
ducksmicro.servicos.ws
ne12bradesconet.servicos.ws

# Reference: https://x.com/smica83/status/1966107477084115364
# Reference: https://www.virustotal.com/gui/file/f923b0328ee554f561786ad191bde6e3feb41f60264448607c76ff472506a056/detection
# Reference: https://www.virustotal.com/gui/file/0f97e480b161a69d5be0757297610f157fdb35616fa787486bac051313995e21/detection
# Reference: https://www.virustotal.com/gui/file/28b63bdf38debd7a2157a5fa14496c6030d200a1bed6b575e12650b0e78a61f7/detection
# Reference: https://www.virustotal.com/gui/file/39ad440793031f3940b78de07db91b1939829146f2680215a0f223d761144bc1/detection
# Reference: https://www.virustotal.com/gui/file/43ae7ceeffbfdad00a0403ca7d158ca3fee63850dc9f07cdde9c3c30113eebf8/detection
# Reference: https://www.virustotal.com/gui/file/47d71b3cb701dedb904ddf3982a11f25efd4ad1f34fb5afe740255751c9a2f0f/detection
# Reference: https://www.virustotal.com/gui/file/486935a47fbbff02ae9796a73029c60430515bd1aba17f1e54144279a2134bf6/detection
# Reference: https://www.virustotal.com/gui/file/4a37dc314cbab306d03c7309ba082ad82c868aac5ecc1318c2e9507320fdd409/detection
# Reference: https://www.virustotal.com/gui/file/4c510bf711c34e51e0cfffc57bedd6b59245e94db15b4bd4b4fb4cbd6d24f53f/detection
# Reference: https://www.virustotal.com/gui/file/71bd115560ff11f812f43054bf0a09a6a5eaf326fa0f274ef7653c2a4d976f89/detection
# Reference: https://www.virustotal.com/gui/file/f762996390fe28608b7cba99639e1988579222c7faed04a53824f10f1f51fe12/detection
# Reference: https://www.virustotal.com/gui/file/ee133d2b90ff4232d44aec26dd1638d258f0dd8e51e92c99fe2e809b185ab5c4/detection
# Reference: https://www.virustotal.com/gui/file/e7e77f74b464a0e4ca55c77898099b3053e1223ca5779cc747a837054cbee1aa/detection
# Reference: https://www.virustotal.com/gui/file/e62403cc687e624d63c1f0ea3a160f2a3998bd2cd444785d6dd3c909f48a4850/detection
# Reference: https://www.virustotal.com/gui/file/e44a989cd9baaf1e8910e9444bbf0177d9a6dc60edbd35952b36de1fc87ef5b5/detection
# Reference: https://www.virustotal.com/gui/file/dd2bc1e19068d6e6a44bfdf4ff683e04c174029edc153802aff52e2f3c41e2e0/detection
# Reference: https://www.virustotal.com/gui/file/d8a72b9089870f33c2fd99b2d8360f194325ef3ab3d8364890bbe763b1f0c248/detection
# Reference: https://www.virustotal.com/gui/file/d7baaf973cc81dcf44ece7951c0cca434b72721ea5fcc1ce4c9640b19254c072/detection
# Reference: https://www.virustotal.com/gui/file/cc3836043b8d93f786c3ed24de56e049083439642195a5f4426e9b9dd737b289/detection
# Reference: https://www.virustotal.com/gui/file/c95a23327088470145080ba1be35c14cd4bfa2d47390fb2ab1e5d1be725ad4f3/detection
# Reference: https://www.virustotal.com/gui/file/b96f45b26450c7afdae07f66f71f84c09b61b4e20af02f9d0e13923cb3536254/detection
# Reference: https://www.virustotal.com/gui/file/9a4f32591e1e887ddaf2f9765769f4f15a3e17821a2fb34d61bc6e272b7d5989/detection
# Reference: https://www.virustotal.com/gui/file/76c981c7dd88c647dabe6fca780ef6dfa2419f949b5e7be6636be1a74f1c90ca/detection
# Reference: https://www.virustotal.com/gui/file/757c49b2496acf938d5b69c2dc1223ea7030063ed239c9fca492fec6b02e4a27/detection
# Reference: https://www.virustotal.com/gui/file/754e5a0ba5a031d63600495adbe3bb72fe49ba5cf1c19414d6c56877170f7bb8/detection
# Reference: https://www.virustotal.com/gui/file/7082f7a3fa388f56addad6f44b9dcee2f613017e57186e1aa3a55cdf24e42b3e/detection
# Reference: https://www.virustotal.com/gui/file/6ef5b898d95e96415ff8159c495d802d9b47b5a9726f0a3b1d2e0ffa12594241/detection
# Reference: https://www.virustotal.com/gui/file/5f185ba431e3a8037f78d77884dc5112d7c32d4955f82c184030260e0d01fed0/detection
# Reference: https://www.virustotal.com/gui/file/334dfbaefbf7e6301d2385f95d861eb6dae9018c48fb298a2cbf5f364fbcdb2d/detection
# Reference: https://www.virustotal.com/gui/file/2141d5521dbf28c3dcbfa25d9639d56949e1a6ebaac19ee9c5c0b02b7da0c1de/detection
# Reference: https://www.virustotal.com/gui/file/1681c3b88ed315543ac1bf07d258d560cf2f85bfd26c10471d71700eaeb57fb3/detection
# Reference: https://www.virustotal.com/gui/file/11de5317e59464ef9f8a92b41502b4931adc66aa8c61babe7a9b0983ec42ec9e/detection
# Reference: https://www.virustotal.com/gui/file/08eb58f939cf8e741426b38e23b71ea06cf0a968b1884d5a34a722280d4034dd/detection

http://16.171.23.221
http://18.116.63.61
http://18.118.151.132
http://18.191.234.137
http://18.216.19.212
http://18.216.206.166
http://18.217.122.187
http://18.219.75.181
http://18.216.78.94
http://18.226.150.56
http://18.216.229.168
http://3.12.155.9
http://3.128.172.139
http://3.133.160.140
http://3.138.101.180
http://3.138.36.108
http://3.141.44.186
http://3.142.40.36
http://3.143.108.123
http://3.144.37.134
http://3.145.157.180
http://3.17.187.152
http://34.238.115.205
http://44.203.132.140
http://44.204.79.28
http://54.147.44.233
at-portaldasfinancas.org
atportal-das-financas.com
autoridade-tributaria-pt.com
autoridade-tributaria-pt.org
autoridade-tributaria.org
autoridadetributaria.org
inde-faturas.com
indebt-faturas.com
portaldasfinancas.org
ld-2403-p.s3.us-east-2.amazonaws.com
lg-1002-g.s3.us-east-2.amazonaws.com
likeg.s3.us-east-2.amazonaws.com

# Reference: https://x.com/smica83/status/1967150448084988368
# Reference: https://www.virustotal.com/gui/file/250211575c54473201b735e38d410ad8ce4a38492d565f14ed993bd5e12711ae/detection
# Reference: https://www.virustotal.com/gui/file/4c76c0a3a00690785fce0189cd7c6f92b93c49a4790f140a1d4aa7e1bb8005cc/detection
# Reference: https://www.virustotal.com/gui/file/8931fc2ae9a8a215471d841242717809fbb0132dba4b13b0dabcca13fafb4156/detection
# Reference: https://www.virustotal.com/gui/file/894c2045934fa8df2dca86772746522469b9706bfdb8c35ae47aa3e7c44a1d8d/detection

baa4ts.is-a-good.dev

# Reference: https://x.com/smica83/status/1970599463648743501
# Reference: https://tria.ge/250923-z4lylswwew/behavioral1

bebidasbrener.icu
crifer.bebidasbrener.icu
tridiz.bebidasbrener.icu

# Reference: https://x.com/smica83/status/1973484424563138704
# Reference: https://www.virustotal.com/gui/file/2ee8446db11ef44dee1093b90f8020f9b3a5eda3c4b42fe26575c7584d26939e/detection
# Reference: https://www.virustotal.com/gui/file/71a061e6be9d52d004f18dbeebdacf64a04596b4bfdd33bad1a08b2a8dd263bf/detection
# Reference: https://www.virustotal.com/gui/file/900e9a21413f74241e67fd9d0d6538992bfb7ad08e1d8c6ab326b9f0f8c4edd3/detection
# Reference: https://www.virustotal.com/gui/file/e388cabfef2ca40bb97f17810f478a16f2ff4e464bffe00b4b0691bf35c68f7a/detection
# Reference: https://www.virustotal.com/gui/file/f7cf519e446015dc443fdc27a844404aaf9b619fab5e04c6db80c5fb51cd28d5/detection

bebidasbrener.homes
vazinbanmol28.bebidasbrener.homes

# Generic

/ezemeneotewdoiazbi.djx
/ezemeneroaelenozi.djx
