# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/James_inthe_box/status/1193539893000986624
# Reference: https://www.virustotal.com/gui/ip-address/130.185.238.32/relations
# Reference: https://www.virustotal.com/gui/file/179349534f184774b18b7dbcf7442a537fe640e373f5c4cc6b39d3076240c11b/detection
# Reference: https://www.virustotal.com/gui/file/9cc448001e8ed355520e26c328d33f1b8031b26796923608cdf920fb6617dbb2/detection
# Reference: https://www.virustotal.com/gui/file/b078b3cba73f7dc905d395b014f610000ab37cc1500be00d64ce48c7cd9378b2/detection

http://130.185.238.32
coinstolkbr79.dyndns.org

# Reference: https://twitter.com/reecdeep/status/1291002877633331201
# Reference: https://app.any.run/tasks/1c5c1fef-a022-4143-b3d8-e365a38b8a20/
# Reference: https://www.virustotal.com/gui/file/8df61999996b08c2f77e53869f75e2ea399f1bad5a5dc5d5969f4b5e9d8d5751/detection

142.11.212.211:8081
pizzacircusbarcelona.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1291013627680624642

167.114.217.220:9090

# Reference: https://twitter.com/Dashowl/status/1296886074053099520

http://173.0.54.19

# Reference: https://twitter.com/JAMESWT_MHT/status/1303248634507657216

155.138.137.44:3030

# Reference: https://twitter.com/K_N1kolenko/status/1328605692643713025

146.59.193.20:1948

# Reference: https://twitter.com/ESETresearch/status/1390263927859208193
# Reference: https://twitter.com/ESETresearch/status/1390263930833063938

binanceassistance.com
spotifyannounce.com

# Reference: https://twitter.com/johnk3r/status/1524847789766852630

24.152.38.130:4398

# Reference: https://twitter.com/da_667/status/1530296455981936646
# Reference: https://www.virustotal.com/gui/ip-address/167.114.88.99/relations
# Reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season/

167.114.43.27:4433
belfaro.com.br
iuc1tab1tatitbw.freedynamicdns.org
iuc1tag1sjsdtbb.freedynamicdns.org
iuc1tan1xatmtkk.freedynamicdns.org
iuc1tan1xqs4tjf.freedynamicdns.org
iuc1tas1satjtjo.freedynamicdns.org
iuc1tas1xao3taf.freedynamicdns.org
iuc1tbb0sqpmtak.freedynamicdns.org
iuc1tbs0taoztjw.freedynamicdns.org
iuc1tbw0sasztjb.freedynamicdns.org
iuc1tbw1xjoztko.freedynamicdns.org
iuc1tjf0satltbs.freedynamicdns.org
iuc1tjj0uas0tbs.freedynamicdns.org
iuc1tjk0sqpltbo.freedynamicdns.org
iuc1tjk0xqpltbo.freedynamicdns.org
iuc1tko1sqs5tjg.freedynamicdns.org

# Reference: https://twitter.com/JAMESWT_MHT/status/1531566144594841601

http://20.187.91.219
20.187.91.219:44441

# Reference: https://twitter.com/1ZRR4H/status/1549261002725679105
# Reference: https://www.virustotal.com/gui/ip-address/20.70.2.177/relations

http://20.70.2.177
a404140024b44.servehalflife.com
a40494449.servehalflife.com
a4049475a475955.servehalflife.com
a404e4306.servecounterstrike.com
a40595c5747595c.servehalflife.com
a41534548.servequake.com
a425b4159455043.zapto.org
a44504159455043.zapto.org
a44504605.zapto.org
a44504959.zapto.org
a44524358475241.servehalflife.com
a4452435e475959.servehalflife.com
a445b525b.zapto.org
a454b4603.zapto.org
a45504205455053.zapto.org
a45504603.zapto.org
a455b5303.zapto.org
a455b5e02455b42.zapto.org
a46404600.zapto.org
a46405259.zapto.org
a46405e00455b5a.zapto.org
a464b4205455a5a.zapto.org
a464b534b.zapto.org
a46524b5b.servehalflife.com
a46594b5a.servehalflife.com
a4742475f475858.servehalflife.com
a49405305.zapto.org
a4940534b.zapto.org
a495b5258.zapto.org
a4a585057.servequake.com
a4b42435b475155.servehalflife.com
a4b424b5a.servehalflife.com
a4b42505f.servehalflife.com
a4b425c57475144.servehalflife.com
a4b52505a.servehalflife.com
a4b525c06475151.servehalflife.com
a4b59505f.servehalflife.com
a4c454c5d.servecounterstrike.com
ftpbtag1sjoztbf.freedynamicdns.org
ftpbtao1sztitjf.freedynamicdns.org
ftpbtbs0uatmtko.freedynamicdns.org
ftpbtjw0xaphtaw.freedynamicdns.org
ftpxtak1wqo1tjk.freedynamicdns.org
ftpxtan0xas5tab.freedynamicdns.org
ftpxtjj0uaphtar.freedynamicdns.org
iuc1tbw0tas4tab.freedynamicdns.org
iuc1tjg0xjsftbo.freedynamicdns.org
iuc1tjn1tjo3tjs.freedynamicdns.org
iuc1tjs0xasftbo.freedynamicdns.org
xacjtjozxaw3.freedynamicdns.org
xaxhtbkzsqcm.freedynamicdns.org

# Reference: https://twitter.com/ankit_anubhav/status/1555521068734902272

premierecombate.eastus.cloudapp.azure.com

# Reference: https://twitter.com/ankit_anubhav/status/1555815597769863168
# Reference: https://www.virustotal.com/gui/ip-address/20.115.83.63/relations

http://54.39.194.67
amixtubinemasterx.com
beacocosmasterx.top
centroempresarialkutsni.com
customdefivewrs.top
dextelmacwordsx.top
domanekiewex.top
empresarialkutsni.com
empresarialkutsnicorp.com
empresarialmixtur.ml
empresarialmixtur.tk
empresarialwebcustom.top
mixtubinemasterx.com
mixtubinemasterxnet.com
/$NOTADIGITALFISCAL

# Reference: https://github.com/CronUp/Malware-IOCs/blob/main/2022-08-05_Grandoreiro

http://20.10.3.196
http://20.197.31.100
http://20.226.27.45
http://209.127.179.58
http://54.39.194.67
amixtubinemasterx.com
beacocosmasterx.top
dextelmacwordsx.top
domanekiewex.top
empresarialkutsni.com
empresarialkutsnicorp.com
empresarialwebcustom.top
mixtubinemasterx.com
mixtubinemasterxnet.com

# Reference: https://twitter.com/reecdeep/status/1291717803385520128

142.11.213.42:8081

# Reference: https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals

http://15.188.63.127
http://18.231.180.92
http://35.180.117.32
http://35.181.59.254
http://52.67.27.173
http://54.232.38.61
15.188.63.127:36992
assesorattlas.me
atlasassessorcontabilidade.com
barusgorlerat.me
damacenapirescontab.com
mantersaols.com
perfomacepnneu.me
vamosparaonde.com
premiercombate.eastus.cloudapp.azure.com
chjjhjmomaoheoojjbynnyjiidfcncc.cable-modem.org
ifnnfnmcmacfdccnnjynnyjiidfcncc.collegefan.org
jmllmedvhgmhldjgmhvmmlljhvgdzvzz.dynns.com
odbbdbmgmagdfggbbnynnyjiidfcncc.blogsyte.com
pcbbcrjcgbcghjpbcgkccbjorkhhjcjj.fantasyleague.cc
/$FISCALIGENERAL3489213839012

# Reference: https://twitter.com/1ZRR4H/status/1570233170997694466

20.206.121.215:4144
procedimentos09092022.blob.core.windows.net

# Reference: https://app.any.run/tasks/74ed9bfb-68d7-492a-8c2a-4236fe2589c6/

java-update.online
mymodulop2pcar.servehttp.com
/Bv3wF1uHKG/counter.php
/Bv3wF1uHKG/

# Reference: https://www.virustotal.com/gui/file/fd00307c2ea5313be921b31b2c9ddad5a5cd0df4bcf81814d07243fdf24fbc49/detection

http://108.62.118.17

# Reference: https://hybrid-analysis.com/sample/f8991e3f7b524edc26a64543b57dd3f7cd69a2f8b04ce934d9334bf8ade8b396

sgd.servehttp.com

# Reference: https://twitter.com/StopMalvertisin/status/1575427033504501760
# Reference: https://www.virustotal.com/gui/file/0a9d7369a1c4cb32172404abd4e1a6c5aa35a674b4bfdcca81dc909b0f047b65/detection

filestorel.eastus.cloudapp.azure.com

# Reference: https://twitter.com/noexceptcpp/status/1578403486181560322
# Reference: https://app.any.run/tasks/218fcddb-49f5-4eaa-9ea3-8d22535c2a1d/

http://20.70.3.186
104.129.205.92.host.secureserver.net
nmp20887a02021498.s3.amazonaws.com
/contgmx/clientes.php
/.Nfe1456345340/

# Reference: https://twitter.com/1ZRR4H/status/1592906505363542016

http://185.191.228.227
18.231.179.202:65535
192.95.55.50:28322
192.95.55.50:45774

# Reference: https://twitter.com/Merlax_/status/1594862075897339904

http://192.95.6.196

# Reference: https://twitter.com/Merlax_/status/1594862079734857728

http://138.99.74.213
http://170.82.181.99
http://185.153.176.148
http://186.249.213.178
http://191.96.4.160
http://191.96.5.221

# Reference: https://twitter.com/Merlax_/status/1598875723602989056

http://138.99.74.21
http://186.249.213.225

# Reference: https://twitter.com/Merlax_/status/1603854200605184035

http://138.99.74.212
http://15.235.193.43
http://186.249.213.221
http://201.14.45.23

# Reference: https://twitter.com/Merlax_/status/1619666797879255041

http://149.56.91.172
http://177.73.101.138
http://186.249.213.39
http://188.121.116.157
http://52.67.94.240
http://54.221.142.212
http://89.223.88.138
54.221.142.212:28551
/eliteseguros/autorizar.php

# Reference: https://twitter.com/Merlax_/status/1624239435033329665

http://20.68.30.50
maxfoxchatdestfalouro.com
thylachatmarcamarketin.com
minha-faturaecurit-vivoinforma.securitytactics.com

# Reference: https://twitter.com/malwrhunterteam/status/1625055108273676293
# Reference: https://twitter.com/1ZRR4H/status/1625163730081263622

cortafogoempresarial.shop
contratacao.blob.core.windows.net
/calcaseroupasbr/qabzchxbp4pfpkr
/calcaseroupasbr/
/qabzchxbp4pfpkr

# Reference: https://twitter.com/petrovic082/status/1641357912361558017
# Reference: https://twitter.com/JAMESWT_MHT/status/1641367455300714496
# Reference: https://app.any.run/tasks/e38d130b-4e0b-4ea3-a540-33e88a766bed/

4.204.223.50:4389

# Reference: https://twitter.com/StopMalvertisin/status/1653317890131763201
# Reference: https://www.virustotal.com/gui/file/079ee055b833a515f7fb0d5e7964ebf4f78457de7215f44e3d14a8a0b01a41fc/detection

http://20.14.172.115

# Reference: https://twitter.com/Dkavalanche/status/1659931870807638017
# Reference: https://twitter.com/Merlax_/status/1659939922168496129

104.234.200.30:443
20.121.15.3:3894
factura-mail.hopp.to
factura.hopp.to
facturapdf.hopp.to
facturaxml.hopp.to

# Reference: https://twitter.com/Dkavalanche/status/1669440086776205345

15.228.233.242:9719
18.228.23.145:7969
18.230.134.37:14866
54.233.246.105:40881
54.233.246.105:9515
olikes.likes-pie.com
ompimorpgsflofb.for-the.biz
rolosoolgjosflofb.health-carereform.com

# Reference: https://twitter.com/Ttargaryen1/status/1691555443875655949
# Reference: https://twitter.com/Ttargaryen1/status/1691556540606513248
# Reference: https://app.any.run/tasks/a7dbd8b8-87d6-47f3-b570-9e032c446bd7/

18.229.123.232:41005
18.229.123.232:9519
18.231.112.86:9515
54.232.20.194:8815
bjejofphrsflrmm.merseine.com
gbfhpspdljfsflrmm.mysecuritycamera.org
projetosam.page.link
rinafluvialytproducciones.australiasoutheast.cloudapp.azure.com
rolosoolgjosflrmm.mysecuritycamera.org
thantv.worse-than.tv
/OnrlcTEc.xml

# Reference: https://twitter.com/Ttargaryen1/status/1641133397325017088
# Reference: https://www.virustotal.com/gui/file/ad13b322af32b0966edc156beb9ca83d82a0bbc6c6cf49d10cc77ebdace76fa3/detection

fastcomerciouniverso.com
savanachatdelivery.northeurope.cloudapp.azure.com

# Reference: https://twitter.com/James_inthe_box/status/1702061706028175853
# Reference: https://app.any.run/tasks/78d2c46f-2627-4b9b-89ed-e44c12362dee/

18.231.102.112:4318
18.231.112.86:4318
18.229.136.62:157
18.229.136.62:26978
18.229.136.62:4317
soluttionacorreougr.westus3.cloudapp.azure.com

# Reference: https://twitter.com/James_inthe_box/status/1706358071336096123
# Reference: https://app.any.run/tasks/d8906703-56da-446c-ad4c-a43c8885b666/

177.71.234.117:4261
177.71.234.117:18451
/idgIzsnF.xml

# Reference: https://www.virustotal.com/gui/file/3824b4153dfc569de86f3a1935423eb6035dc73974d06b41bea7b8aee00b37d1/detection
# Reference: https://www.virustotal.com/gui/file/ff1c50b1292266ee0ee9c607397071c011ac45b557a48404c81e62cad6c4b195/detection

18.230.74.51:4318
18.230.74.51:4899
remember-and.forgot.her.name

# Reference: https://twitter.com/Joseliyo_Jstnk/status/1722186209760350394
# Reference: https://www.virustotal.com/gui/file/0037802d70239004a03345d4f4519a25ae7fe733d762a0383db90fc317cb6193/detection

nuestraseguridadmxgob.eastus2.cloudapp.azure.com

# Reference: https://twitter.com/N4hualH/status/1725981871514030423
# Reference: https://tria.ge/231118-ayr51aga78/behavioral1
# Reference: https://www.virustotal.com/gui/file/3f84e3c84b232bf415e2306ff0a65b1a2b5bd61badb4228e16ba520e7c098f2b/detection

http://62.113.116.144
http://62.113.119.202

# Reference: https://twitter.com/1ZRR4H/status/1728138606173188567

portalvisualizacionseguro.southafricanorth.cloudapp.azure.com

# Reference: https://www.proofpoint.com/us/blog/threat-insight/copacabana-barcelona-cross-continental-threat-brazilian-banking-malware

http://62.84.98.5
http://77.246.104.202

# Reference: https://twitter.com/Dkavalanche/status/1729582807666557143

cogfactmgsolucionesoinsaarme.eastus.cloudapp.azure.com

# Reference: https://twitter.com/Dkavalanche/status/1729638073707696471

18.230.131.153:4318
jiniahfngggbggb.office-on-the.net

# Reference: https://twitter.com/1ZRR4H/status/1729732946611851648

15.228.54.44:157
15.228.54.44:19661
15.228.54.44:4917
18.231.148.254:62169

# Reference: https://github.com/eset/malware-ioc/tree/master/grandoreiro
# Reference: https://www.virustotal.com/gui/ip-address/185.228.72.38/relations
# Reference: https://www.virustotal.com/gui/ip-address/167.114.138.249/relations
# Reference: https://www.virustotal.com/gui/ip-address/20.151.89.252/relations
# Reference: https://www.virustotal.com/gui/ip-address/66.70.160.251/relations
# Reference: https://www.virustotal.com/gui/file/2c01734ff63d041a91d10acdb302ef4ffc400396e34140335e4faa2e3f002dbe/detection
# Reference: https://www.virustotal.com/gui/file/305e220e1f1cb506c32bb509f246515e3cba7ec1dabae95298f358d26654bfa6/detection
# Reference: https://www.virustotal.com/gui/file/0d5028f8c064b0eea4b7217bfedbfb91bb1c0f8968e7d970c7ed68d47936fb9a/detection

http://178.20.45.23
http://62.84.100.225
http://88.210.12.135
http://91.142.72.194
http://50.114.32.81
50.114.32.81:2020
1254-santander.duckdns.org
amadeos.no-ip.net
atendimentoos.duckdns.org
baiaknew.ddns.net
f3kstab1uaoetjg.freedynamicdns.org
f3kstbw0tjphtjk.freedynamicdns.org
f3kstkk1wao2tar.freedynamicdns.org
f3kstkk1wqo2tar.freedynamicdns.org
ftpxtab1sqtltjg.freedynamicdns.org
ftpxtaf1sjs4taj.freedynamicdns.org
ftpxtar1ujtjtak.freedynamicdns.org
ftpxtas1wzo2tbo.freedynamicdns.org
ftpxtaw1xqs3tag.freedynamicdns.org
ftpxtbo1uatltjk.freedynamicdns.org
ftpxtbs0tzthtkw.freedynamicdns.org
ftpxtbw0sathtjo.freedynamicdns.org
ftpxtjf1sqo4tbf.freedynamicdns.org
ftpxtjf1tqtitkb.freedynamicdns.org
ftpxtjg0sas2taj.freedynamicdns.org
ftpxtjn1tzoftjb.freedynamicdns.org
ftpxtjw0sapktar.freedynamicdns.org
ftpxtjw0xqpktbs.freedynamicdns.org
ftpxtkk1sqo1tjw.freedynamicdns.org
ftpxtko1wqoftjb.freedynamicdns.org
ies2tbw0sas2taf.freedynamicdns.org
j2xutar1xqtmtak.freedynamicdns.org
j2xutbb0uas4tab.freedynamicdns.org
j2xutbf0wqs5taf.freedynamicdns.org
j2xutjb0xjpjtbs.freedynamicdns.org
knsxtaj1wao1tjw.freedynamicdns.org
knsxtaw1xqoetjj.freedynamicdns.org
knsxtjk0sqs3tbw.freedynamicdns.org
knsxtkk1sao4tbf.freedynamicdns.org
ldaztao1sqtltag.freedynamicdns.org
ldaztao1szo3tbk.freedynamicdns.org
ldaztas1xatktjk.freedynamicdns.org
ldaztjk0wzs3tbw.freedynamicdns.org
ouvidoria.duckdns.org
santander-br.duckdns.org
santanderday.duckdns.org
valtarga.ddns.net

# Reference: https://twitter.com/Dkavalanche/status/1752425961876779408
# Reference: https://app.any.run/tasks/862f9c7e-213f-4351-ba06-b2f1de53de0c/

15.229.116.173:18556
15.229.116.173:4917

# Reference: https://twitter.com/Merlax_/status/1752509628347216132
# Reference: https://app.any.run/tasks/1b25da9f-dd38-45ab-9137-aeae29464431/

15.228.255.38:157
15.228.255.38:4917
15.228.255.38:50814
54.207.104.144:52256

# Reference: https://twitter.com/1ZRR4H/status/1755999160862482926

afipconsudeclaracioncontrib.westus3.cloudapp.azure.com
buzntribtacion.italynorth.cloudapp.azure.com
chwzfacservconsudigitales.switzerlandnorth.cloudapp.azure.com
efacdigitalservonsultcris.westus3.cloudapp.azure.com
eyedocservicioconserfec.westus3.cloudapp.azure.com
lvetfacdigitalservconsultibsc.westus3.cloudapp.azure.com
stoconecservstalcloudytz.westus3.cloudapp.azure.com
sycleanservicioconsultc.swedencentral.cloudapp.azure.com
sycleanservicioconsultcon.westus3.cloudapp.azure.com
tocmacipd.australiaeast.cloudapp.azure.com
upohfacdigitalservconsultiyun.swedencentral.cloudapp.azure.com
wattservicioconsulcroncl.swedencentral.cloudapp.azure.com
yunfacdigitalservconsultbls.swedencentral.cloudapp.azure.com

# Reference: https://twitter.com/1ZRR4H/status/1755949113646981557
# Reference: https://www.virustotal.com/gui/ip-address/15.228.167.91/relations

camerahousebusiness.dvrcam.info
ctifacdigitservconsulentif.westus3.cloudapp.azure.com
pcuippbjcopfoplfb.access.ly
f3kstan1tas0tkk.freedynamicdns.org
f3kstbw0tqsdtjn.freedynamicdns.org
j2xutaf1xqo4tjk.freedynamicdns.org
j2xutkk1wqpltjg.freedynamicdns.org
ldaztaw1xqsztas.freedynamicdns.org
ldaztjb0xao2tbk.freedynamicdns.org

# Reference: https://twitter.com/seguridadyredes/status/1757675287137972595
# Reference: https://www.virustotal.com/gui/ip-address/198.50.222.174/relations
# Reference: https://www.virustotal.com/gui/file/297b92d9c014268213e15ef7c1adde58879eff0c2c8d9239ebfaa49ef7f6ec65/detection

http://198.50.222.174
a424b5e0045505b.zapto.org
ftpxtbf0szo1taj.freedynamicdns.org
/Scdfr5.zip

# Reference: https://twitter.com/1ZRR4H/status/1757954866813563300
# Reference: https://twitter.com/voidm4p/status/1758102818236338393
# Reference: https://twitter.com/johnk3r/status/1760014996854247552

18.230.211.48:30657
18.230.211.48:4318
edrfacdigitservconsulospl.westus3.cloudapp.azure.com
health.health-carereform.com
icafacdigitservconsulgarc.swedencentral.cloudapp.azure.com
/BFQcxLymGo.xml

# Reference: https://twitter.com/V3n0mStrike/status/1773450543056257447
# Reference: https://twitter.com/pollo290987/status/1773504555763855426

18.228.118.198:34950
18.228.224.29:157
18.228.224.29:4317
18.228.224.29:55842
18.230.202.197:15375
aenfacdigitaclav.switzerlandnorth.cloudapp.azure.com
aljfacdigitastr.norwayeast.cloudapp.azure.com
efranfacdigitaanglur.norwayeast.cloudapp.azure.com
hamfacdigitasto.swedencentral.cloudapp.azure.com
kwifacdigitntca.switzerlandnorth.cloudapp.azure.com
lsuppfacdigitafiscaligy.swedencentral.cloudapp.azure.com
portabledocformat.uksouth.cloudapp.azure.com
tplfacdigitaoperacion.switzerlandnorth.cloudapp.azure.com

# Reference: https://twitter.com/naumovax/status/1778800582943269320

18.228.11.86:30916
18.228.11.86:4317
/bOAKHjDym.xml
/edMvIyYJH.xml

# Reference: https://gbhackers.com/grandoreiro-malware-outlook-phishing/

15.228.49.78:55842

# Reference: https://x.com/johnk3r/status/1793852075689804027
# Reference: https://www.virustotal.com/gui/file/bd4f77fab5f0b23d7bdd4fc59eda4ea29888c049acbae9293b02ea9bb90c2947/detection
# Reference: https://www.virustotal.com/gui/file/508292fd99403b21f547bf985b847c4db1445200d3c91989bdd19be7d65dbd03/detection

http://45.61.149.27

# Reference: https://x.com/Merlax_/status/1790890717596024863

http://51.120.240.117
18.230.124.104:39054
18.230.186.145:36044
54.233.206.70:40817
/BNceD0ttGfG.txt
/WaveEdgeNRzyoSecureSphereDevice.xml

# Reference: https://x.com/johnk3r/status/1798142646936088678
# Reference: https://www.virustotal.com/gui/file/a8e34860b9d3e0b66504616984a17e2a3bb125bc11bad04e148dead9577b9954/detection

http://172.86.77.40
http://45.61.154.19

# Reference: https://x.com/SeguInfo/status/1806796348122935529
# Reference: https://www.virustotal.com/gui/file/41a1c32b03fbeb3a59151896025b664224a625bf6bee2b44a333155e303fe874/detection

facturas.duratex.com.mx

# Reference: https://x.com/pollo290987/status/1828665738317406603
# Reference: https://www.virustotal.com/gui/ip-address/198.50.255.229/relations
# Reference: https://www.virustotal.com/gui/file/f11e0cd1f8fcf1d24efe1067799e02536ca443521160bb28d8fcb12ec606bc15/detection
# Reference: https://www.virustotal.com/gui/file/79bda3c6e152d6a0e585237fb8b3257937c7e0ad7f550c80af4ab6e0072d1000/detection
# Reference: https://www.virustotal.com/gui/file/eb7c7d70847016dd873676e804d50f6b2818d1494a134cc78399478b0387a08b/detection
# Reference: https://www.virustotal.com/gui/file/cc32bbf39f81bfb956fef4120cb3ca82b30eeda1538fea79ece3e3680892b9cf/detection
# Reference: https://www.virustotal.com/gui/file/fe0a490eb6d5f3ade44edbc73017ea7c935fdda96ce52cac173f46f7a63c0a90/detection

danfajuda.com
downnloads.store
fileondemandd.site
nfeprefeituraspgovbr.com
contador.danfajuda.com
danffiles.000webhostapp.com
pingservice.blogdns.com

# Reference: https://app.validin.com/detail?find=e5e9ffdc2bf4df525b305986cdbffde7&type=hash&ref_id=abf72f595b4

sia-remote.dyndns.org
sia1-remote.ddns.net

# Reference: https://x.com/1ZRR4H/status/1828565987589042650
# Reference: https://www.virustotal.com/gui/file/0d153acd727616dc6fc34fe224a3b654b8a657a25edf7c98705d8deabe88a6d5/detection
# Reference: https://www.virustotal.com/gui/file/132307f1c2b4dcc60e0bf0e350a4aeec4807af7fdf5c186ae5836d817e470746/detection
# Reference: https://www.virustotal.com/gui/file/270e15f19715468d625c2ede1a9b4e63e78359100b1f9329bf77b333b1a1380a/detection
# Reference: https://www.virustotal.com/gui/file/43718a5a982bf17107bc7f620ae709f796e65193ac07310120198b78e4046c7d/detection
# Reference: https://www.virustotal.com/gui/file/a75287cc1412efff5df14e6e8a59cf38bdb3e2fbd60f19126671fe5493cee47b/detection

http://147.45.116.5
http://206.183.128.95
http://45.61.160.61
http://88.218.61.240
http://91.142.75.196
http://94.103.87.4

# Reference: https://x.com/RacWatchin8872/status/1851765016845852735
# Reference: https://www.virustotal.com/gui/ip-address/193.149.129.241/relations
# Reference: https://www.virustotal.com/gui/ip-address/31.214.157.102/relations
# Reference: https://app.validin.com/detail?find=Descarga%20Iniciada&type=raw&ref_id=9b0ed851131#tab=host_pairs
# Reference: https://www.virustotal.com/gui/file/ef282debde7f5233b34eabc2abfd24706b85f4943e3f4cbce3879cce1e8b28ad/detection
# Reference: https://www.virustotal.com/gui/file/e8a7386e05f1531ce397516e56909b712a0a440545a24307091d97b623573421/detection
# Reference: https://www.virustotal.com/gui/file/4a1711e860d6f53ea4edab36550407f5c9ac0ae5464f1cc4ac5be37e1e6d4673/detection
# Reference: https://www.virustotal.com/gui/file/36fce44391fd2e8718210caf1330f6c7851164163d857e632f1f8cac70dd052a/detection
# Reference: https://www.virustotal.com/gui/file/e0c97051934fd820ab4a35ca38e703db29f1fac09762e20947c0f53032646879/detection
# Reference: https://www.virustotal.com/gui/file/fe9e543f230297999847066712a889d11086f9400897ad82bcb8c99e479786ff/detection
# Reference: https://www.virustotal.com/gui/file/4c18cd37371d87890597d67b8df77c5c9b64f123f62d738519edecd32d6a8004/detection
# Reference: https://www.virustotal.com/gui/file/1344ee19cf27b5bb9163baf8c59077d425c3872a77eaf4cf3facafd0d4796ecc/detection
# Reference: https://www.virustotal.com/gui/file/c3eb39ac0ccb66ea217341a15febbb11017601aed5144455595c5a13e1073922/detection
# Reference: https://www.virustotal.com/gui/file/9ee958f524098bd39e12f579ef1418d22f979740ee39d825e87618be92bbd41a/detection
# Reference: https://www.virustotal.com/gui/file/8c50bc53dc72f15370999ece06798a6be2b7cc61347718afaeab395536440f95/detection
# Reference: https://www.virustotal.com/gui/file/b2988af5c58ae32d7ff3e1afad0c52198639a2a7552a13565cf1c2ff01c601dc/detection

http://109.234.39.156
http://185.212.47.111
http://147.45.116.7
http://195.85.115.208
http://45.11.180.77
http://70.34.247.142
http://78.138.9.153
http://80.77.23.10
http://80.77.23.221
185.212.47.111:443
acess.mailcffemx.com
admin.nvisioncorp.com
annadegismen.com
appscfe.mailcffemx.com
bytez.cloud
clubhuh.com
d1ce43581ba1b425.store
descargassdownloadmx.pro
down16mxcooommx.info
download-archive.online
download1003.info
downloadaps.com
downloadfactura.online
downloadfactura.pro
downloadfactura.site
dvv46402458.servegame.com
eglobalmxdown.online
endesa.click
file-download.bytez.cloud
gbo5000.cloud
hireprad-co-uk.nvisioncorp.com
id924243883.gbo5000.cloud
infopublic67.online
m.nvisioncorp.com
mailcffemx.com
nguzxyb74hbis4.top
nvisioncorp.com
pko-download.kagyouth.co.ke
sadalienhde.xyz
seguro.clubhuh.com
send-spaces.com
send-space.womendevelopmentcentre.org
serviemchile.cl
space24hde.xyz
stormseguridad.online
stratorechung.serviemchile.cl
stratorechung.supervivencias.cl
supervivencias.cl
suport.stormseguridad.online
tighhbusu4hb3.top
u-ua.cloud
www1.u-ua.cloud
/uploadmaisl.php

# Reference: https://app.validin.com/detail?find=FactuDescarga&type=raw&ref_id=c0dc2e8de1d#tab=host_pairs (# 2024-12-17)

factudescarga.com
swiss24parler.net
telegroupch.net
bottest.factudescarga.com

# Reference: https://app.validin.com/detail?find=Descarga%20Iniciada&type=raw#tab=host_pairs (# 2024-12-28)

http://45.11.180.56
0ct0pu5.com
alesia.cloud
node.0ct0pu5.com
herunterladen-spark.alesia.cloud

# Reference: https://app.validin.com/detail?find=Descarga%20Iniciada&type=raw#tab=host_pairs (# 2025-01-17)

http://185.158.251.74
kavrajassociates.com
datei.kavrajassociates.com

# Reference: https://x.com/Merlax_/status/1893073216400248974

18.220.143.143:30612
3.135.202.169:50112

# Reference: https://x.com/Dkavalanche/status/1894470031473275214
# Reference: https://app.any.run/tasks/384df9b8-e127-4dc7-bc7c-fb4fbd98fe68

13.40.6.93:157
13.40.6.93:21520
13.40.6.93:4626

# Reference: https://x.com/Dkavalanche/status/1895142243188494510
# Reference: https://app.any.run/tasks/020898be-4d19-4842-94fe-f0ad77a35d98

98.81.116.14:25164
98.81.116.14:6531

# Reference: https://x.com/V3n0mStrike/status/1897658338222932415
# Reference: https://app.any.run/tasks/d222d40c-d4b6-47a8-b9ea-061a22f218bf
# Reference: https://www.virustotal.com/gui/file/d6bc76ad60a27011145809ec70aa0d58b9339b71fb81f7031238bf83147d13cd/detection

34.230.5.139:157
34.230.5.139:25194
34.230.5.139:5418

# Reference: https://x.com/anyrun_app/status/1905264946864140732
# Reference: https://app.any.run/tasks/02ea5d54-4060-4d51-9466-17983fc9f79e/

54.226.106.181:157
54.226.106.181:20051
54.226.106.181:9417
vmi2511209.contaboserver.net
/oqinZqigNleJi0PD0W/BHeBIAmX0HD0t.html
/oqinZqigNleJi0PD0W/bLMsQNKhckI01I.png
/oqinZqigNleJi0PD0W/fNMXRkuIgDS01Q.js
/oqinZqigNleJi0PD0W/eFvgwoMQLrP05n.php
/oqinZqigNleJi0PD0W/iRbTEgavP04u.php
/oqinZqigNleJi0PD0W/yKwCeawQP06c.php
/BHeBIAmX0HD0t.html
/oqinZqigNleJi0PD0W/
/bLMsQNKhckI01I.png
/fNMXRkuIgDS01Q.js
/eFvgwoMQLrP05n.php
/iRbTEgavP04u.php
/yKwCeawQP06c.php

# Reference: https://www.forcepoint.com/blog/x-labs/grandoreiro-trojan-targets-mexico-argentina-spain

18.212.216.95:42195
98.81.92.194:30154
vmi2492020.contaboserver.net
vmi2500223.contaboserver.net
vmi2511206.contaboserver.net
vmi2511216.contaboserver.net
vmi2526272.contaboserver.net
vmi2527550.contaboserver.net
vmi2529183.contaboserver.net

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2025-04-11-v10903/2618

airforce1.mmafan.biz
bayerischemotorenwerke.nflfan.org
camsobservations.nhlfan.net
flightradar.mymediapc.net
mapfre.homesecuritypc.com
marronfiveshows.serveexchange.com
mercedesbenz.mysecuritycamera.net
michaeljacksontribute.mmafan.biz
renault.hosthampster.com
simpsonsbartmovies.stufftoread.com

# Reference: https://x.com/Merlax_/status/1969159566555324422

http://31.220.84.31
31.220.84.31:443
3.8.132.27:30516
thelordoftheringsbusiness.quicksytes.com
vmi2815219.contaboserver.net

# Reference: https://x.com/Merlax_/status/1971700135496503548

http://164.68.106.78
http://173.249.58.7
http://213.199.36.218
vmi2809039.contaboserver.net
vmi2821758.contaboserver.net
vmi2819229.contaboserver.net

# Generic

/Adkflgog30.iso
/dyngcdnefn_03.iso
/nivyjlzhdj_04.iso
/nnkokysdggit.iso
/obmkumjoxq_05.iso
/ugqvhozczb_04.iso
/yqcnfempzc.iso
/ronivon.txt
/BR01?NF-eBR102822MY91822BT1
/BR02?NF-eBR102822MY91822BT1
/BR01/?NF-eBR102822MY91822BT1
/BR02/?NF-eBR102822MY91822BT1
/?NF-eBR102822MY91822BT1
