# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/James_inthe_box/status/1099786490144448512

advancedepartametno.com

# Reference: https://twitter.com/James_inthe_box/status/1126809601825918978

instalacionez.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1143875234707181568
# Reference: https://app.any.run/tasks/2ef75909-daa7-45f1-83bc-dfe3ead3ac61/

trabalhoonline.webcindario.com

# Reference: https://twitter.com/SoulRage6/status/1146073224045838337

/nossasrdaga/brume.php

# Reference: https://twitter.com/0bfusCat/status/1155406244062121984

descargasdocx.com

# Reference: https://twitter.com/MisterCh0c/status/1186712875743825920

leavenois.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1235558960314400768
# Reference: https://app.any.run/tasks/6cef1963-4881-4f7f-b877-198cfd7eaf17/

mab2020.duckdns.org
mundonlop.duckdns.org
newtroll-megatron.duckdns.org
pumex-new.duckdns.org

# Reference: https://twitter.com/3rg4f4/status/1270308334743289860

smsinformativo.com

# Reference: https://twitter.com/0bfusCat/status/1181529470475362304
# Reference: https://app.any.run/tasks/f6d7cc92-3215-4103-baeb-eb424016f885/

compraca.000webhostapp.com

# Reference: https://twitter.com/SoulRage6/status/1146073224045838337

http://31.207.35.50

# Reference: https://twitter.com/JAMESWT_MHT/status/1299324645787742208

http://34.95.246.154

# Reference: https://app.any.run/tasks/17349d53-0d4e-4857-90a0-9f5dd68385b2/

st-gerrard-const.com/wp-content/themes/twentyfifteen/
perfectart.com.br/ebos/

# Reference: https://app.any.run/tasks/f869690a-e3d1-43e4-a61f-18d05a948e10/

shortsalepontevedra.com/coun7/

# Reference: https://twitter.com/JAMESWT_MHT/status/1328704334721323009
# Reference: https://app.any.run/tasks/2be10df3-e594-4118-9d36-6b93041ec73c/

flsdcment.site
sededgtgoes.online

# Reference: https://twitter.com/JAMESWT_MHT/status/1328714844573413377
# Reference: https://app.any.run/tasks/d827010e-453c-4d89-8128-20b82832f5ab/
# Reference: https://www.virustotal.com/gui/file/4d45380cd5fdf967988c4f239f61827ad9a80a4d9abcfbddf6e656d9dcc50f58/detection

45.35.104.213:8989
covidezenove.online
myd9hzd8cheab.winconnection.net

# Reference: https://twitter.com/dgarcianet/status/1352235429160955904
# Reference: https://www.virustotal.com/gui/file/7c019dca867ba21a5d8bb6eabd5750d0f06778fb82ff8866d4900a793d7bcc5c/behavior/C2AE

http://40.112.173.153

# Reference: https://twitter.com/1ZRR4H/status/1359963801819430914
# Reference: https://www.virustotal.com/gui/file/66797ef1761fd243a48829335d9e34781cbef324090497897462bf1a5ce0cb39/detection

104.214.107.176:79
gemare.com.br//conteudo/TGR/descarga.php
selfhelpwomendevelopment.com/wp-includes/images/mail/descarga.php

# Reference: https://cofense.com/blog/autohotkey-banking-trojan/
# Reference: https://www.virustotal.com/gui/file/4e69e794a688f94bd865b9905f2e8cc84bf17d282020ff08f2f56b42f1ffd305/detection

es.sslhermanos.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1385156068721012736
# Reference: https://twitter.com/D3LabIT/status/1385151472216776704
# Reference: https://app.any.run/tasks/e48dfdc7-fd3e-4d77-a03a-eeeb458bc909/

conlazionzzytz.eastus.cloudapp.azure.com
contecalculacion.eastus.cloudapp.azure.com
piazzimulobanquituto.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1386976751247634441

amlsempg.com
ilavorianmosy.eastus.cloudapp.azure.com
multipicas.eastus.cloudapp.azure.com

# Reference: https://twitter.com/ESETresearch/status/1387384460568666117
# Reference: https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/
# Reference: https://twitter.com/ESETresearch/status/1387384464905547779

apssitemarquivrft.francecentral.cloudapp.azure.com
torressircontes.eastus.cloudapp.azure.com

# Reference: https://twitter.com/petrovic082/status/1388180117642432515

moveisji.com.br/archivos/

# Reference: https://twitter.com/1ZRR4H/status/1408252818272751621

jinhuidabio.com/reports/words/mail.php
arbonato.com.br/Maxx/sowns/HR13I5MD0ASC5J.php

# Reference: https://twitter.com/dgsecnet/status/1519263981231296516

http://20.233.43.99
http://20.92.88.38
meuinformativo2.serveblog.net

# Reference: https://github.com/CronUp/Malware-IOCs/blob/main/2022-05-10_Mekotio_MTT_CL

thangloitaynguyen.com
espatron2022.est-le-patron.com
anders-wirken.de/wp-content/languages/Hs56ety2hTg011If56s.coc
bremermee.nl/wp-content/languages/MTT0001450001.zip
/lib/jquery/grood/1101/3t1x2oBj19sH33.php

# Reference: https://twitter.com/1ZRR4H/status/1537539651279405062
# Reference: https://www.virustotal.com/gui/file/980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0/detection

http://45.147.197.223
http://51.12.218.142

# Reference: https://twitter.com/pr0xylife/status/1537850595981369344

upfdigital.com
gomho.upfdigital.com
johnickowiczdds.com/wp-admin/telcel.nec
/wp-admin/01/02/gigo.php

# Reference: https://twitter.com/StopMalvertisin/status/1539171329223831552

http://20.239.69.60

# Reference: https://twitter.com/1ZRR4H/status/1540387288538120192
# Reference: https://twitter.com/Dkavalanche/status/1540113368517935104
# Reference: https://www.virustotal.com/gui/file/db9c0fd3a144ea0a24d8d65841ae94f7336ed420428dd455ed4b27ac081949c5/detection

http://20.26.198.176
http://20.91.202.137
serviceares.hopto.org

# Reference: https://twitter.com/StopMalvertisin/status/1540044306068951040
# Reference: https://www.virustotal.com/gui/file/8e815b6b13c7cef7d6152ff50d07f217420e185eddcc247a9a92dbfd1787e6e9/detection

steromask.fr

# Reference: https://twitter.com/SeguInfo/status/1542234908491497472
# Reference: https://www.virustotal.com/gui/file/0d16d92c0f451848fbd8d2b255991103c05c84fafbef9978b1aac22578928e4d/detection
# Reference: https://www.virustotal.com/gui/file/5e9dc457e117fa875057e9fc29a7b9c3116efec912ccc2e4d4eab49e5e55a486/detection

http://20.91.206.86
http://51.132.148.124
pro112.dynuddns.com

# Reference: https://twitter.com/StopMalvertisin/status/1545324970246815744

hcservice.us
continentepecas.com/adm.puc
veroford.com/setup/brume.php

# Reference: https://twitter.com/StopMalvertisin/status/1546556580153688065

http://15.228.54.95
http://18.231.189.164
contactopersonas.com
ww2www.contactopersonas.com
/837617263768912/avionic.mec
/con010923/brume.php
/connnnnnnnnnntxt/config.txt
/connnnnnnnnnntxt/

# Reference: https://twitter.com/StopMalvertisin/status/1549102875829477376

sameh-advisor.com
junho2022.serveftp.org

# Reference: https://twitter.com/1ZRR4H/status/1551278194560585732

http://18.234.175.226

# Reference: https://twitter.com/StopMalvertisin/status/1556909994586808320

http://192.64.114.228
http://63.250.35.10

# Reference: https://twitter.com/StopMalvertisin/status/1570316886285623298
# Reference: https://www.virustotal.com/gui/file/e64aacfe45af89033778c8149b059c7c5acc56a3a8a89b0695d22d770384eb6b/detection

http://20.0.2.192
http://20.168.7.145
20.163.5.160:5060
titiopatas4599.hopto.org

# Reference: https://twitter.com/StopMalvertisin/status/1573360173967888386
# Reference: https://www.virustotal.com/gui/file/65a08bcf5f98500a3870786cbd0688e6dc5317b440648d10cfe8a80189f26198/detection
# Reference: https://www.virustotal.com/gui/file/de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a/detection

http://20.234.231.114
http://20.254.53.47
meupixx22.hopto.org

# Reference: https://www.virustotal.com/gui/file/9a8d1314b3cbcbda7dd374fbfe7e8a1289b2d8f9d0bcce1f29febb72669c5345/detection

afcasa.hopto.org

# Reference: https://twitter.com/StopMalvertisin/status/1547495960783495168

abelcare.co.uk

# Reference: https://twitter.com/StopMalvertisin/status/1583710230940028928
# Reference: https://twitter.com/StopMalvertisin/status/1583710237319581696
# Reference: https://www.virustotal.com/gui/ip-address/64.188.27.119/relations
# Reference: https://www.virustotal.com/gui/file/081cad61936b76619df3e495b1f8edb80c32533cabee11308fbe7a1cd6dcb2a1/detection
# Reference: https://www.virustotal.com/gui/file/73709989c2bc864eaac863974a65aa50a3e740e7796daaa726f96975a33b93c3/detection
# Reference: https://www.virustotal.com/gui/file/67b0763fa0c849e0fa4e9159f48cc8adf9684dd62a55a6379d5ff1a4215af87f/detection

107.175.72.131:8889
64.188.27.119:2020
newfutura.eu
segurofuturex.ddns.net

# Reference: https://twitter.com/Dkavalanche/status/1587583140817768448

jogovirou.serveblog.net

# Reference: https://twitter.com/Dkavalanche/status/1590886788864049153

102.37.146.215:6742
20.49.180.84:4682
jobwes.3utilities.com
sulgran.servegame.com
voltasorte.3utilities.com

# Reference: https://twitter.com/Merlax_/status/1591064695066148864

fuhsufiuhfoiurfhesiryghfgfr.japaneast.cloudapp.azure.com
irihiuhfiuhiyrhguydrgh.switzerlandnorth.cloudapp.azure.com
ofishrohfourdhgiouhgiouruhff.northeurope.cloudapp.azure.com
vm3861641.25ssd.had.wf
vm3925833.1nvme.had.wf

# Reference: https://twitter.com/Merlax_/status/1589947797042008065

http://172.105.24.64
http://51.103.211.106
viwey.koreacentral.cloudapp.azure.com
/EMKT_CURSO_775-5693/47940.024663/

# Reference: https://twitter.com/Dkavalanche/status/1591208796965474304

20.49.180.84:6228
foreversoft.servegame.com

# Reference: https://twitter.com/Merlax_/status/1594080984130998273

http://45.82.69.152
http://80.85.142.64
13.67.219.10:7779
145.239.39.140:2030
20.162.195.251:7779
5.196.214.1:2020

# Reference: https://twitter.com/Dkavalanche/status/1594093798363369472

20.168.210.3:7429
20.208.43.58:4682
financeirotaller.gleeze.com
lifenova.ooguy.com

# Reference: https://twitter.com/Merlax_/status/1591436327194710016

107.175.72.131:2020
20.226.43.19:5556
globast3.s3.eu-central-1.amazonaws.com

# Reference: https://twitter.com/Merlax_/status/1598764864738033680
# Reference: https://twitter.com/Merlax_/status/1598764867770515467

http://13.67.219.10
http://145.239.39.140
http://172.173.207.185
http://191.252.100.96
http://20.162.195.251
http://20.4.226.118
185.101.93.102:5892
185.101.93.138:7779
185.101.93.170:7090
185.101.93.95:2030
37.228.132.205:2380
37.228.132.207:7779

# Reference: https://twitter.com/Merlax_/status/1602407445048983553

http://37.228.132.153
http://37.228.132.91
http://45.132.106.78
http://45.87.3.238
172.173.207.185:2380
191.252.100.96:7090

# Reference: https://twitter.com/Merlax_/status/1603057915610497029
# Reference: https://twitter.com/Merlax_/status/1603057918408097792
# Reference: https://twitter.com/Merlax_/status/1603057921138589698

20.56.98.139:5060
astyhb.eastus2.cloudapp.azure.com

# Reference: https://twitter.com/Dkavalanche/status/1603148512446873601
# Reference: https://twitter.com/Dkavalanche/status/1614626593258835970

185.101.93.181:5892
honranova.giize.com
trabajoar.theworkpc.com

# Reference: https://twitter.com/noexceptcpp/status/1606434459724795904

/2382799-06.8601.cDX.9191/clientes.php
/2382799-06.8601.cDX.9191/
/3973205-45.2022.3.00.4661-03-11-2022/4154012-20.5478.ZxY.9919.html
/3973205-45.2022.3.00.4661-03-11-2022/
/4154012-20.5478.ZxY.9919.html

# Reference: https://twitter.com/Merlax_/status/1606707407362658306

http://185.101.93.170
172.173.223.15:2382
185.101.93.181:4682
23.106.215.78:2030
4.231.106.159:7429
ufwetyz.uksouth.cloudapp.azure.com

# Reference: https://twitter.com/Merlax_/status/1612827626967638017

http://185.101.93.138
http://185.101.93.95
http://185.101.94.186
http://37.228.132.205
http://37.228.132.207
http://37.228.132.40
172.174.70.30:7779

# Reference: https://twitter.com/Merlax_/status/1612886096899366913

bastefac.uksouth.cloudapp.azure.com
honra.uksouth.cloudapp.azure.com

# Reference: https://twitter.com/Merlax_/status/1613893870827495425

sysofficereconsiderar.com

# Reference: https://twitter.com/1ZRR4H/status/1616097608887418881
# Reference: https://twitter.com/Merlax_/status/1616126832449052673
# Reference: https://www.virustotal.com/gui/file/964fbbc3b3a80e3e378e88f8c523d72e539ba06e46643ed212bc0609871fff4e/detection
# Reference: https://www.virustotal.com/gui/file/9c4b5b90c3c5f5dd0760bb40e831ef7cbbe8d0a70e3a12516151cba8d6fb0c5d/detection

15.228.46.182:5050
15.229.0.61:3081
janeiro2023.duckdns.org

# Reference: https://twitter.com/1ZRR4H/status/1614071021761339392
# Reference: https://twitter.com/Merlax_/status/1614119705018523649

alzi3ka2-4twkfsnnqq-wl.a.run.app
gamesstonert.serveirc.com

# Reference: https://twitter.com/Merlax_/status/1614765313626628096
# Reference: https://twitter.com/Merlax_/status/1614765319293177856

185.101.92.25:8090
betamixstudiomax.hopto.org

# Reference: https://twitter.com/Merlax_/status/1615090812492062722
# Reference: https://www.virustotal.com/gui/file/cceff9a60a3653478d7ea25a181b3506112f712751652ce06d4269012269b087/detection

http://185.101.92.241
20.70.210.14:3040
51.120.2.28:3030
gamesstrond2.servebeer.com

# Reference: https://twitter.com/Merlax_/status/1616163628553486346

http://18.216.179.202
20.203.201.160:5060
37.228.132.212:7779

# Reference: https://twitter.com/Merlax_/status/1617705932116619264

http://185.101.93.178
185.101.93.102:4823
80.89.239.12:2325
jornada.uksouth.cloudapp.azure.com

# Reference: https://twitter.com/Dkavalanche/status/1622372174831951879

http://185.101.92.9
http://185.250.205.88
http://37.228.132.199

# Reference: https://twitter.com/Dkavalanche/status/1623456458464702468

185.101.93.102:4823
37.228.132.206:4823
fatura-vivo-combr.online
nelore.gleeze.com
sendonly.fatura-vivo-combr.online

# Reference: https://twitter.com/SeguInfo/status/1630325475452112898
# Reference: https://www.virustotal.com/gui/file/5e04f7e34dfb3324bc1d30d89fe1eaafd48233742b068845ce1454762742218d/detection
# Reference: https://www.virustotal.com/gui/file/33f71ae4c8eb3c46a196bb42e321fff5aed2e778912a2bacda83efea654bf447/detection

http://20.222.143.29
37.228.132.215:9999

# Reference: https://twitter.com/Dkavalanche/status/1630694677815914504

37.228.132.206:8847
erasorte.kozow.com
pyubyw.giize.com
legado.japaneast.cloudapp.azure.com

# Generic trails (URL paths with no host component)

/amorplus/brume.php
/guia/brume.php
/hooponopono/puma.php
/ho_oponoponoag/brume.php
/nossasrdaga/brume.php
/online/sharlins.php
/marclara/total.php
/verpra/filmes.php
/naotem/jormal.php
/anti/ideial.php
/antigo/cupla.php
/again/?oriudfjdfij88
/?oriudfjdfij88
