# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/

biznesplanet-bnpparlba.com
biznesplanet-parlbabnp.com
biznesplanet-parlbas.com
biznesplanet.parlbabnp.com
bos24-logowan.com
bos24-logowanie.com
bos24-online.com
citationsherbe.at
dostawapapajohns.online
eonsabode.at
flowsrectifie.at
ibos-online24.com
ibos24-login.com
ibos24-online.com
idea-secure-login.com
login-biznesplanet.com
login-bos24.com
odatingactualiz.at
onlinepapajohns.online
papa-johns-dostawa.digital
papa-johns-dostawa.online
sso-cloud-idea.com
wallet-secure.biz
wallet-secure.me
wallet-secure.org
wallet-secure.site
wallet-secure.xyz

# Reference: https://tria.ge/211202-rttayahgan/behavioral2
# Reference: https://www.virustotal.com/gui/ip-address/194.104.136.9/relations
# Reference: https://www.virustotal.com/gui/file/32814d7581dcbcfeca8fce229bdb12bf92f006aea54c3f393cbbef341c897877/detection

193.56.146.73:52777
auth-azuread.at
authadazure.at
authazuread.at
azureauthad.at
beliale232634.at
belialp632298.at
belialq449663.at
belialr878539.at
belialw869367.at
checkingsoftwareupdate.at
checkingupdatesoftware.at
microsofte-e3eb6679a69042bea3968ecb029a669f.at
microsoftq-886ef884f3294f81a8e09ad83c63aa6b.at
microsoftr-e7014da3ab60439c951764ac28cf3735.at
microsoftw-02235fc8b7744fe6ba843e40a54ab843.at
softupdate.at
softwarecheckingupdate.at
softwareupdatechecking.at
windows433828system.at
windows526398system.at
windows694237system.at
windows998443system.at
windowssystem268877.at

# Reference: https://twitter.com/StillAzureH/status/1502486160022863874
# Reference: https://www.virustotal.com/gui/ip-address/185.250.148.209/relations

212.193.48.150:443
212.193.48.150:54398
99847956-velial-37884455info.at
allservicesystemupdate.at
allserviceupdate.at
allvelial-99865338.at
business73586763-velial-29254835.at
caqjkuufvb.at
ceqemqwerm.at
check-soft-system.at
ddpkarrosmfh.at
driverwindowsupdate.at
fgwiuyos.at
jdrbsnhwfu.at
megaupdatesystemservice.at
myupdatesystemservice.at
obnrmqct.at
oecongiuwx.at
peahhmii.at
realvelial-82995964.at
sixpccxn.at
topvelial-55623758.at
update-soft-check-system.at
update-soft-system-check.at
update-system-check-soft.at
update-system-soft-check.at
updatebd.at
updatehome.at
updatenetwork.at
updateweb.at
wayuniqs.at
windowsdriverupdate.at
yissquzaetxx.at
/asZmZK/yueoTE/XQBMcu2.php
/asZmZK/yueoTE/
/XQBMcu2.php

# Reference: https://github.com/pan-unit42/tweets/blob/master/2021-11-15-IOCs-for-Matanbuchus-Qakbot-CobaltStrike-and-spambot-activity.txt

http://190.14.37.84
193.56.146.60:443
193.56.146.60:44413
193.56.146.61:443
193.56.146.61:44413

# Reference: https://www.virustotal.com/gui/file/01ac2b3990a1cf431549d25cc7b1b280d7a9cb80c9ab3c9bdd804b19e941143a/detection

get-fun-24.com
getnek.com
toponlinefilm24.com

# Reference: https://www.virustotal.com/gui/file/004ee7c387f293638fb885c2a6faa06130382bf7960c41c6d3941cb6e297aebd/detection

fantasy-soccer-24.com
fashion-academy.net

# Reference: https://www.virustotal.com/gui/file/0013582e2fc3a977271a354b0bb64403d88969e2ca51aea9959e9e664bc332bc/detection

create-new-house-take.xyz
onenew-cloudapps.com

# Generic (trails not tied to a specific reference above)

/GtHODfM/qilZw/YjtK.php
/qilZw/YjtK.php
/qilZw/
/GtHODfM/
/YjtK.php
/disjdifijdjifsdd.dat
