# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/

biznesplanet-bnpparlba.com
biznesplanet-parlbabnp.com
biznesplanet-parlbas.com
biznesplanet.parlbabnp.com
bos24-logowan.com
bos24-logowanie.com
bos24-online.com
citationsherbe.at
dostawapapajohns.online
eonsabode.at
flowsrectifie.at
ibos-online24.com
ibos24-login.com
ibos24-online.com
idea-secure-login.com
login-biznesplanet.com
login-bos24.com
odatingactualiz.at
onlinepapajohns.online
papa-johns-dostawa.digital
papa-johns-dostawa.online
sso-cloud-idea.com
wallet-secure.biz
wallet-secure.me
wallet-secure.org
wallet-secure.site
wallet-secure.xyz

# Reference: https://app.validin.com/axon?source=DNS&type=ip&find=91.203.192.125

bos-bank.com
business-start-lng.com
business-startlng.com
kbc-kbctouch.com
kbckbctouch.com
kbctouchkbc.com
lng-secure.com
online-allorbank.com
paribas-login-secure.com
paribas-logowanie.com
secure-bankgetin.com
secure-getinbank.com
sso-cloud-idea-bank.com
systemfixpc.com

# Reference: https://tria.ge/211202-rttayahgan/behavioral2
# Reference: https://www.virustotal.com/gui/ip-address/194.104.136.9/relations
# Reference: https://www.virustotal.com/gui/file/32814d7581dcbcfeca8fce229bdb12bf92f006aea54c3f393cbbef341c897877/detection

193.56.146.73:52777
auth-azuread.at
authadazure.at
authazuread.at
azureauthad.at
beliale232634.at
belialp632298.at
belialq449663.at
belialr878539.at
belialw869367.at
checkingsoftwareupdate.at
checkingupdatesoftware.at
microsofte-e3eb6679a69042bea3968ecb029a669f.at
microsoftq-886ef884f3294f81a8e09ad83c63aa6b.at
microsoftr-e7014da3ab60439c951764ac28cf3735.at
microsoftw-02235fc8b7744fe6ba843e40a54ab843.at
softupdate.at
softwarecheckingupdate.at
softwareupdatechecking.at
windows433828system.at
windows526398system.at
windows694237system.at
windows998443system.at
windowssystem268877.at

# Reference: https://twitter.com/StillAzureH/status/1502486160022863874
# Reference: https://www.virustotal.com/gui/ip-address/185.250.148.209/relations

212.193.48.150:443
212.193.48.150:54398
99847956-velial-37884455info.at
allservicesystemupdate.at
allserviceupdate.at
allvelial-99865338.at
business73586763-velial-29254835.at
caqjkuufvb.at
ceqemqwerm.at
check-soft-system.at
ddpkarrosmfh.at
driverwindowsupdate.at
fgwiuyos.at
jdrbsnhwfu.at
megaupdatesystemservice.at
myupdatesystemservice.at
obnrmqct.at
oecongiuwx.at
peahhmii.at
realvelial-82995964.at
sixpccxn.at
topvelial-55623758.at
update-soft-check-system.at
update-soft-system-check.at
update-system-check-soft.at
update-system-soft-check.at
updatebd.at
updatehome.at
updatenetwork.at
updateweb.at
wayuniqs.at
windowsdriverupdate.at
yissquzaetxx.at
/asZmZK/yueoTE/XQBMcu2.php
/asZmZK/yueoTE/
/XQBMcu2.php

# Reference: https://github.com/pan-unit42/tweets/blob/master/2021-11-15-IOCs-for-Matanbuchus-Qakbot-CobaltStrike-and-spambot-activity.txt

http://190.14.37.84
193.56.146.60:443
193.56.146.60:44413
193.56.146.61:443
193.56.146.61:44413

# Reference: https://www.virustotal.com/gui/file/01ac2b3990a1cf431549d25cc7b1b280d7a9cb80c9ab3c9bdd804b19e941143a/detection

get-fun-24.com
getnek.com
toponlinefilm24.com

# Reference: https://www.virustotal.com/gui/file/004ee7c387f293638fb885c2a6faa06130382bf7960c41c6d3941cb6e297aebd/detection

fantasy-soccer-24.com
fashion-academy.net

# Reference: https://www.virustotal.com/gui/file/0013582e2fc3a977271a354b0bb64403d88969e2ca51aea9959e9e664bc332bc/detection

create-new-house-take.xyz
onenew-cloudapps.com

# Reference: https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a

azure-dbupdate.cloud
azureboot.com
azureliveapps.com
roamingslivedb.com
/BNUwRuzkgS/
/BNUwRuzkgS/auth.php
/BNUwRuzkgS/index.php
/vmagtc/njqeee/requets/index.php
/njqeee/requets/index.php

# Reference: https://twitter.com/malwrhunterteam/status/1529422038468796417
# Reference: https://www.virustotal.com/gui/ip-address/35.246.201.219/relations
# Reference: https://www.virustotal.com/gui/file/d9e6395917a1d1103c40f710310de0cf64c370d167def378e9b88f3af247a1b0/detection

azure-dbupdate.at
azure-updatedb.at
azuretelemetry.xyz
statsazure.xyz
/cAUtfkUDaptk/ZRSeiy/requets/index.php
/cAUtfkUDaptk/
/ZRSeiy/
/cAUtfkUDaptk/ZRSeiy/
/ZRSeiy/requets/index.php

# Reference: https://www.virustotal.com/gui/file/02dce7f57e4933edf84cbe525d8115defd5ecafd5b2b203be6a2ec7aa0099bc7/detection

buyinvestment24.com
negarehgallery.com

# Reference: https://twitter.com/pr0xylife/status/1537511268591992840
# Reference: https://www.joesandbox.com/analysis/1014730#iocs
# Reference: https://www.virustotal.com/gui/file/2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4/detection
# Reference: https://www.virustotal.com/gui/file/face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666/detection

213.226.114.15:443
213.226.114.15:48195
34.118.54.36:443
34.118.54.36:48195
collectiontelemetrysystem.com
telemetrysystemcollection.com

# Reference: https://www.virustotal.com/gui/ip-address/34.118.54.36/relations

internationalcservice.quest
mycommonaccess.quest

# Reference: https://www.virustotal.com/gui/ip-address/80.66.64.63/relations

amcabigieluckydomones.net
hponosdomonosdemens.net
kraledemensdpamu.net
tramerdesnomates.net

# Reference: https://github.com/pr0xylife/Matanbuchus/commit/b8a6dbcb41748ab656c6ce5a1976ae879c84f5e1
# Reference: https://www.virustotal.com/gui/ip-address/185.9.147.200/relations
# Reference: https://www.virustotal.com/gui/ip-address/31.41.244.227/relations
# Reference: https://www.virustotal.com/gui/ip-address/31.41.244.228/relations
# Reference: https://www.virustotal.com/gui/ip-address/31.41.244.237/relations
# Reference: https://www.virustotal.com/gui/file/bba5a4ddc964c7cc25ce0c04eb21f5fdf6270ddbe18b7df13c4596057d87637e/detection
# Reference: https://www.virustotal.com/gui/file/d8c21ff6fe4617b22ff37e74a1d29adb08d3164d43d7ed205c207964f4313a72/detection

31.41.244.230:65383
communicationreporting.at
communicationreporting.com
servicreporting.at
servicreporting.com
slgemseller.com
telemetryreporting.at
telemetryreporting.com
telemetryservic.at
telemetryservic.com
updatesservic.at
updatesservic.com
/mtaggsM/YmQzcuM/auth.aspx
/mtaggsM/YmQzcuM/home.aspx
/mtaggsM/YmQzcuM/
/mtaggsM/
/YmQzcuM/
/KkfUWR/kFAWCs/requets/index.php
/kFAWCs/requets/index.php
/KkfUWR/kFAWCs/
/kFAWCs/
/KkfUWR/

# Reference: https://twitter.com/James_inthe_box/status/1539274565968310272
# Reference: https://gist.github.com/silence-is-best/1bc62a53c1a0ddb3a8bcdff19bc80c3e

/m8YYdu/mCQ2U9/auth.aspx
/m8YYdu/mCQ2U9/home.aspx
/m8YYdu/mCQ2U9/
/m8YYdu/
/mCQ2U9/

# Reference: https://www.virustotal.com/gui/ip-address/31.41.244.224/relations

teammanaging.at

# Reference: https://github.com/pan-unit42/tweets/blob/master/2022-06-17-IOCs-for-Matanbuchus-with-Cobalt-Strike.txt

instance-manager.at

# Reference: https://www.virustotal.com/gui/file/037b340417857e618b37cfc3c6b4e6d01717ca0cedfaf57c4d98f368f432f10d/detection

noblecreativeaz.com
testdomainsdrive.com

# Reference: https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/

/kntwtopnbt/iqiw922vv5/AveBelial.xml
/kntwtopnbt/iqiw922vv5/gate.php
/kntwtopnbt/iqiw922vv5/
/iqiw922vv5/
/kntwtopnbt/

# Reference: https://tracker.viriback.com/dump.php (2022-07-11)

http://193.56.146.60
http://193.56.146.61
http://45.9.20.136
http://45.9.20.139
45.9.20.137:63994
azure-telemetry-software.com
checkupdate.at
statisticglors.com
telemetry-azure.com
zoomforment.com
/fBieeA/
/fBieeA/gbpGKC/
/fBieeA/gbpGKC/gataway.php
/gbpGKC/
/ktbrupvunz/

# Reference: https://otx.alienvault.com/pulse/62e3c66f3c31769773f307f7
# Reference: https://www.virustotal.com/gui/ip-address/193.56.146.62/relations
# Reference: https://www.virustotal.com/gui/ip-address/193.56.146.65/relations

http://193.56.146.62
http://193.56.146.65
193.56.146.62:443
193.56.146.65:443
193.56.146.62:48195
193.56.146.65:48195

# Reference: https://twitter.com/ViriBack/status/1558806912011063297
# Reference: https://tria.ge/220814-qksglseder
# Reference: https://www.virustotal.com/gui/file/96072100adb88a4c6cf2af97325e0fae4c0a33c1ff3e973c57457588f9a6fa14/detection

162.0.232.35:17944
193.56.146.137:17944
listupdateschecks.com
listupdatescheckstime.com
/AcMZWB/MmGQYf/auth.aspx
/mZkBXKz/BzQEspX/auth.aspx
/AcMZWB/MmGQYf/
/mZkBXKz/BzQEspX/
/AcMZWB/
/BzQEspX/
/MmGQYf/
/mZkBXKz/

# Reference: https://github.com/cyberark/malware-research/blob/master/MatanbuchusLoader/IoCs.md

193.56.146.130:49356
193.56.146.133:49356
193.56.146.134:49356
193.56.146.135:49356
193.56.146.140:46273
193.56.146.141:46273
193.56.146.142:46273
193.56.146.143:46273
193.56.146.170:62008
193.56.146.171:62008
193.56.146.172:62008
193.56.146.173:62008
193.56.146.202:46921
193.56.146.203:46921
193.56.146.204:46921
193.56.146.205:46921
193.56.146.62:44413
193.56.146.65:44413
45.139.236.18:42991
45.139.236.68:42991
45.139.236.72:42991
45.139.236.88:42991
/9c9f7205d4c044fc93588012b9579c8e/c55bdcc4/xsUN.php
/c55bdcc4/xsUN.php
/MovziZNRvB/jSQEaDeuzw/ZZseYR.php
/MovziZNRvB/jSQEaDeuzw/
/MovziZNRvB/
/jSQEaDeuzw/
/a695f579464142de/qefrb.php
/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml
/d8b8d14f-6842-46ec-b254-e92ffe990498/4ad4e44f
/d8b8d14f-6842-46ec-b254-e92ffe990498/b32f9ccc
/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml
/Y2xpbnRvbjQ1.xml
/viZbYkaLLA/kpDgbe/oqas.php
/viZbYkaLLA/kpDgbe/
/viZbYkaLLA/
/kpDgbe/
/www/update/v11.0/qptqkd.php

# Reference: https://twitter.com/HaoZhixiang/status/1588460772082188289
# Reference: https://www.virustotal.com/gui/ip-address/176.113.115.219/relations
# Reference: https://www.virustotal.com/gui/ip-address/176.113.115.195/relations

176.113.115.195:47488
188.127.239.132:47488
backoffices.at
eurogov.org
firstupdates.at
gateupdates.at
messageupdate.at
softex.at
updatenetworkingloc.at
/tgJIZY/AzXviN/fpNj/index.php
/tgJIZY/AzXviN/fpNj/
/tgJIZY/AzXviN/
/AzXviN/
/tgJIZY/
/fpNj/index.php

# Reference: https://github.com/pan-unit42/tweets/blob/master/2021-12-07-IOCs-for-Qakbot-and-Matanbuchus-activity.txt

193.56.146.73:52777
193.56.146.74:52777

# Reference: https://twitter.com/malwrhunterteam/status/1591397779544625152
# Reference: https://bazaar.abuse.ch/sample/b0620f36f136d0c8e4c036a67798de2902bbd45bd21bd026102d53285d56622c/
# Reference: https://tria.ge/221109-b2yydseebj
# Reference: https://www.virustotal.com/gui/file/f8beb42baf57fb20f539d24cf9f0c5abfab951706b00c725cd05e80e3080c079/detection
# Reference: https://www.virustotal.com/gui/file/b0620f36f136d0c8e4c036a67798de2902bbd45bd21bd026102d53285d56622c/detection

206.81.11.20:81
it-south-bridge.com
/new_style/UimbTD.dll
/new_style/xMbdNh.dll
/XbnZ/XmznAcQ
/XmznAcQ

# Generic

/GtHODfM/qilZw/YjtK.php
/qilZw/YjtK.php
/qilZw/
/GtHODfM/
/YjtK.php
/disjdifijdjifsdd.dat
