# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: arcom, jacard, javali, ousaban

# Reference: https://twitter.com/dark0pcodes/status/1338708528777859072
# Reference: https://pastebin.com/qrZiZRKf

40.65.192.150:6668
52.152.169.124:6668

# Reference: https://www.virustotal.com/gui/file/66d134dfc4861f114dc74feb61f7847fbe3ed42a3c5c25fa65770a64ab2912b2/detection
# Reference: https://www.virustotal.com/gui/file/214379b16b39f5698cf392e470eda4a0544346110b151e3921346d805bc877e7/detection

http://52.183.44.152
/shount/pixel.php
/zecountshount/pixel.php

# Reference: https://twitter.com/dark0pcodes/status/1339571862070845440

webzedomainplus.brazilsouth.cloudapp.azure.com

# Reference: https://twitter.com/dark0pcodes/status/1346172045869133825
# Reference: https://www.virustotal.com/gui/file/98f18d2e9f7f238479e854b4315ab2d3a9b42b80d914fe04f7928b662ca54376/detection
# Reference: https://www.virustotal.com/gui/file/d2574361932291bfb75f018a348ed67c3510e2893ba213cd32bad9e1828bdf1f/detection

137.135.93.161:60015
mixiricaman.duckdns.org

# Reference: https://www.virustotal.com/gui/file/e6a56ddd8fa5cbdf924353f9e9f1399893d62cbb095d4233c4837fd633874853/detection

149.28.109.229:60010
meckilloprt.org

# Reference: https://twitter.com/dark0pcodes/status/1346539733959192576

papramister.org
pumaman.ddns.net
# NOTE(review): the three entries below start with '/' and carry no host. The
# last two are the directory and the file name of the first; if the consumer
# matches each path-only entry on its own, they cover more traffic than the
# full path does. Confirm the shorter forms are intended and monitor them for
# false positives.
/MEGATRONX1/MSHPOOX1.php
/MEGATRONX1/
/MSHPOOX1.php

# Reference: https://twitter.com/dark0pcodes/status/1346539881137369102

feliz2021.1gb.ru
mixiricameleca.ddns.net

# Reference: https://www.virustotal.com/gui/file/3cb3a6f1b6ecbe1b8dd818033a6153782fada2f75e777cf4898c3e6282dc939b/detection

flordeliskm26.com.br

# Reference: https://twitter.com/dark0pcodes/status/1354598005010292737

primo1982.1gb.ru
primomiguel.ddns.net
primomiguel.duckdns.org

# Reference: https://twitter.com/MalwareConfig/status/1361266524628123653
# Reference: https://malwareconfig.com/config/722aaceda2f590d2d5f9d929f6360c00
# Reference: https://www.virustotal.com/gui/file/eb82bd54113dfdb84b95670dc3e462b56312b4096abc28869802e489be6f20a0/detection

185.17.1.158:1819
/arcom/get.php

# Reference: https://www.virustotal.com/gui/file/6d8f2c652d6121e773ee605016bde18250b8708faf66e695c7346b9341008fc3/detection

cvbopmklopc.hopto.org

# Reference: https://twitter.com/ESETresearch/status/1376490539240075264

pumax2021.1gb.ru
/ZP/MIKV.php

# Reference: https://twitter.com/jumpnotzer0/status/1381888385841782789
# Reference: https://twitter.com/jumpnotzer0/status/1381887489158316034

gaspnewkailf.s3-us-west-1.amazonaws.com
kalifax01.westus2.cloudapp.azure.com
/MIXWIN33.php

# Reference: https://www.virustotal.com/gui/file/ab74425d49087265b99a17c2aee87f5f79f7a8f203b4d74dc605c0a7d0ffcbda/detection

190.200.1.227:8992
halamartini.hopto.org

# Reference: https://twitter.com/James_inthe_box/status/1422654605163307008
# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1422910986160418819
# Reference: https://app.any.run/tasks/3d3b4f8e-1232-4fb7-a561-6fa033e89085/
# Reference: https://app.any.run/tasks/ec6a8740-d85b-4d65-9ee0-01f36f529cca/
# Reference: https://gist.github.com/silence-is-best/b784f56771b2556ec26edc9d6dc3ab2d

http://20.197.233.196
campeonato-brasileiro.duckdns.org
clientes-times.duckdns.org
opdahora2021.duckdns.org
opdahora2022.duckdns.org
pedrexavisos2.duckdns.org
pedrexavisos.duckdns.org
pedrexpgbl.duckdns.org
puma-avisos-2021.duckdns.org
puma-op-001.duckdns.org
tjamigodovini.duckdns.org
tjdosavisos.duckdns.org

# Reference: https://twitter.com/StopMalvertisin/status/1438231010576011266

http://20.108.64.214

# Reference: https://www.virustotal.com/gui/file/5e65b34a5b54b0941a9ebe1b5db91950bbf38b088b9f731f572d048f1f10ae7e/detection

cubajunio.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3f9b5880b0076a4451cdfa5292f8b839c14fc7d9d1a88910fc5d6f66cf363322/detection

r0melte.duckdns.org

# Reference: https://www.virustotal.com/gui/file/ed8eb254b2eeba5ea8a26af90aabe261ed3f5ff7471afbae05b0505f53b550f5/detection

godindocss.duckdns.org

# Reference: https://www.virustotal.com/gui/ip-address/40.74.228.28/relations
# Reference: https://www.virustotal.com/gui/ip-address/52.171.194.225/relations

# NOTE(review): the two IP addresses named in the VirusTotal links directly
# above this group are not listed as indicators themselves; only the hostnames
# below are. Presumably deliberate - confirm.
bolabanksn.duckdns.org
# NOTE(review): duplicate - cubajunio.duckdns.org is also listed earlier in
# this file, under the VirusTotal file link for 5e65b34a...; one entry suffices.
cubajunio.duckdns.org
danilinhos.duckdns.org
lubagalord.duckdns.org
mydocss.duckdns.org
primosprimas.duckdns.org
urubis.duckdns.org
xalitasma.duckdns.org

# Reference: https://twitter.com/ffforward/status/1462570328618643460
# Reference: https://twitter.com/1ZRR4H/status/1462798120681627659
# Reference: https://app.any.run/tasks/81ef3ca1-c543-47dc-8873-28d9b88a66af/

webchatpyxx12gt.com

# Reference: https://twitter.com/noexceptcpp/status/1463099875663491073
# Reference: https://www.virustotal.com/gui/file/cb3d08dd3044e25627bc2f3e80575495f40fc11442e35a708f3f1eb28b7d82e1/detection

nbanamend.com
save.nbanamend.com

# Reference: https://www.virustotal.com/gui/file/577675f7309edc08a6ad52679446d73c50c2d82b50edce544a4b5784ee17128c/detection

bulevas.duckdns.org
/r74MVcV.css

# Reference: https://twitter.com/JAMESWT_MHT/status/1356993036874563586
# Reference: https://app.any.run/tasks/1564c004-a4d3-4892-8dba-e310f5c45f09/

http://3.86.56.191
artenge.com.br

# Reference: https://twitter.com/1ZRR4H/status/1489643863446736901

vspentrebasonline.com

# Reference: https://twitter.com/dodo_sec/status/1513920321707024386
# Reference: https://tria.ge/220412-t4r7qsdfgn/behavioral1

april140420022xx.s3.sa-east-1.amazonaws.com
pdf-nfe82234018756.northcentralus.cloudapp.azure.com

# Reference: https://twitter.com/dodo_sec/status/1519353319818416129

isfactorytox.duckdns.org
restituicaodevalores-irf.canadaeast.cloudapp.azure.com

# Reference: https://www.virustotal.com/gui/file/3035765b178260f7df87be80fde1391bedc5997c9e83621d47d1d79216a9fe4b/detection
# Reference: https://www.virustotal.com/gui/file/00286bed05e99217e33ec5b564dd3fdbce80effc233616bab21a26814d8e7009/detection
# Reference: https://www.virustotal.com/gui/file/082fc24b477c8096d398562422441349c882ceacf8471f1b4623ac341f8d2839/detection

# NOTE(review): '18denero' is spelled differently from '20deenero' and
# '26deenero' in this group, and 'lluviadebendicones' differs from the
# 'bendiciones' used in neighbouring names. These may be the hostnames exactly
# as observed; verify against the linked reports, because a mistranscribed
# hostname would not match the real traffic.
191.88.250.98:3005
11defebrero.duckdns.org
18denero.con-ip.com
20deenero.con-ip.com
26deenero.duckdns.org
2defebrero.con-ip.com
bendecido.con-ip.com
bendicionesamil.con-ip.com
delamanodedios.con-ip.com
diosdameabundancia.con-ip.com
diosesamor.con-ip.com
diosesamora.con-ip.com
diosesmaravilloso.con-ip.com
diosesmifortaleza.con-ip.com
diosesmifortalezaa.con-ip.com
diosestaconmigo.con-ip.com
lluviadebendicones.con-ip.com
masbendecidoquenunca.con-ip.com
millonesbless.duckdns.org
multiplesbendiciones.con-ip.com
nuevocomienzo.con-ip.com
porfavorquedense.duckdns.org
positivoooooo.duckdns.org

# Reference: https://www.virustotal.com/gui/file/ec0101b196018772c8fc1ff87dd3e882a7db435fcabeb81ef52937ce138e5a9c/detection

179.14.168.120:2022
guasonmedallo.con-ip.com

# Reference: https://twitter.com/n0p1shing/status/1536021665288704001

cisco-update.ac

# Reference: https://twitter.com/StopMalvertisin/status/1540393252901486592
# Reference: https://seguranca-informatica.pt/latin-american-javali-trojan-weaponizing-avira-antivirus-legitimate-injector-to-implant-malware/

http://51.103.136.92
191.232.170.1:35730
191.232.170.12:35730
191.232.177.237:35730

# Reference: https://twitter.com/StopMalvertisin/status/1541330510085263360
# Reference: https://bazaar.abuse.ch/sample/2c4a8c0692ae68a80c1db0a0144a6e7b420fdb136a359562182b5b9eece33bea/
# Reference: https://www.virustotal.com/gui/file/2c4a8c0692ae68a80c1db0a0144a6e7b420fdb136a359562182b5b9eece33bea/detection

20.216.146.52:4431

# Reference: https://twitter.com/StopMalvertisin/status/1542189457931399168
# Reference: https://www.virustotal.com/gui/file/8f959360dd3f24ab27b4a371f53123568261bacb896a121c0660fd9d69dbddcf/detection

http://20.89.168.249
/meucontador/inspecionando.php

# Reference: https://twitter.com/StopMalvertisin/status/1542525440392577024
# Reference: https://github.com/brad-duncan/IOCs/blob/main/2022-07-01-IOCs-from-Brazil-malware-infection.txt

177.149.163.123:50095
6rtrgfdf.from-ak.com
correios-sedex1.is-a-musician.com
correios2.isa-geek.net
d4nin.duckdns.org
malhandofirme.duckdns.org
minosmy.duckdns.org
/idgsdgsyuifgsuio98489f489f498f489f4g5fsdssds/
/clientes/inspecionando.php
/novidades/inspecionando.php

# Reference: https://twitter.com/StopMalvertisin/status/1543177683286491136

http://20.213.91.85

# Reference: https://twitter.com/StopMalvertisin/status/1543980678123257856

20.74.212.228:44331

# Reference: https://twitter.com/invoke_eric/status/1545039261421944832

casadoacai249.ddns.net
skylo0rdss.duckdns.org

# Reference: https://twitter.com/StopMalvertisin/status/1545336853695700992

app-sac-seguro.com
sala02.zapto.org
/clony/inspecionando.php

# Reference: https://bazaar.abuse.ch/sample/5276fdfec19c0ee03d6ee4fc7b7d9417be4c7f82e3af747211fecc4d065d40e1/

pgmailfin.azurewebsites.net

# Reference: https://twitter.com/StopMalvertisin/status/1545467850734718976
# Reference: https://twitter.com/StopMalvertisin/status/1545468174107541504
# Reference: https://www.virustotal.com/gui/file/4d4c9df4acc64bf5f457de7d0290a74199b2495fac31d5f322e1e8ff816d207f/detection

18.230.151.19:60340
amigosdoback.duckdns.org
ioqdwueh9ifdygwuqybquiwsdbqweu9ydgwe8utd.duckdns.org
/icJs12llDZoohuJ/
/news/inspecionando.php

# Reference: https://twitter.com/malwrhunterteam/status/1547583978290286593

/inverno234/santana11.vbs

# Reference: https://twitter.com/StopMalvertisin/status/1549423049455587329
# Reference: https://tria.ge/220719-s51ptsfaf9/behavioral1

http://54.84.222.106
/contador-mega/inspecionando.php

# Reference: https://twitter.com/StopMalvertisin/status/1550642473185480704

http://168.61.184.94
# NOTE(review): the next two hosts are tenant-specific names under shared cloud
# provider domains; only the full hostname is an indicator, never the parent
# domain.
linucxvertxxpstuaertpervbgt.swedencentral.cloudapp.azure.com
sumplerx2007.s3.amazonaws.com
/800/mgthjytyty12.php
/mgsp/marcador.php
# NOTE(review): file-name-only form of '/800/mgthjytyty12.php' above; confirm
# the shorter entry is intended in addition to the full path.
/mgthjytyty12.php

# Reference: https://twitter.com/StopMalvertisin/status/1551719484691718144

arquivos.westus3.cloudapp.azure.com
cadastroclientes.southafricanorth.cloudapp.azure.com

# Generic
# Reference: https://twitter.com/StopMalvertisin/status/1541472473514147840

/$rdgate.$CLI-CRYPT
/$rdgate.$CLI-OBJM
