# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/
# Entry forms used in this file: bare domain, IP:port, scheme-qualified IP
# (http://...), and URL path starting with '/'. Lines starting with '#' are comments.
# NOTE(review): many names in this first group embed banking, login or wallet
# keywords ("login-", "-secure-login", "wallet-secure"); they read like
# credential-phishing lookalikes rather than loader C2 - confirm their role in
# the referenced report before labelling a hit as C2 traffic.

biznesplanet-bnpparlba.com
biznesplanet-parlbabnp.com
biznesplanet-parlbas.com
biznesplanet.parlbabnp.com
bos24-logowan.com
bos24-logowanie.com
bos24-online.com
citationsherbe.at
dostawapapajohns.online
eonsabode.at
flowsrectifie.at
ibos-online24.com
ibos24-login.com
ibos24-online.com
idea-secure-login.com
login-biznesplanet.com
login-bos24.com
odatingactualiz.at
onlinepapajohns.online
papa-johns-dostawa.digital
papa-johns-dostawa.online
sso-cloud-idea.com
wallet-secure.biz
wallet-secure.me
wallet-secure.org
wallet-secure.site
wallet-secure.xyz

# Reference: https://tria.ge/211202-rttayahgan/behavioral2
# Reference: https://www.virustotal.com/gui/ip-address/194.104.136.9/relations
# Reference: https://www.virustotal.com/gui/file/32814d7581dcbcfeca8fce229bdb12bf92f006aea54c3f393cbbef341c897877/detection
# One IP:port endpoint followed by .at domains. The names borrow Azure AD,
# Microsoft, Windows and "software update" wording, so keyword-based allow
# rules for such terms would let them through; match on the full name.
# NOTE(review): belial<letter><digits>, windows<digits>system and
# microsoft<letter>-<hex string> look batch-generated (assumption); the entries
# are exact names, so sibling names outside this list are not covered.

193.56.146.73:52777
auth-azuread.at
authadazure.at
authazuread.at
azureauthad.at
beliale232634.at
belialp632298.at
belialq449663.at
belialr878539.at
belialw869367.at
checkingsoftwareupdate.at
checkingupdatesoftware.at
microsofte-e3eb6679a69042bea3968ecb029a669f.at
microsoftq-886ef884f3294f81a8e09ad83c63aa6b.at
microsoftr-e7014da3ab60439c951764ac28cf3735.at
microsoftw-02235fc8b7744fe6ba843e40a54ab843.at
softupdate.at
softwarecheckingupdate.at
softwareupdatechecking.at
windows433828system.at
windows526398system.at
windows694237system.at
windows998443system.at
windowssystem268877.at

# Reference: https://twitter.com/StillAzureH/status/1502486160022863874
# Reference: https://www.virustotal.com/gui/ip-address/185.250.148.209/relations
# One IP on two ports, .at domains, then one URL path given three ways (full
# path, directory, file name).
# NOTE(review): the path entries have no host part, so they are
# host-independent; /XQBMcu2.php on its own is the weakest of the three -
# confirm how the consumer matches path entries before alerting on it alone.

212.193.48.150:443
212.193.48.150:54398
99847956-velial-37884455info.at
allservicesystemupdate.at
allserviceupdate.at
allvelial-99865338.at
business73586763-velial-29254835.at
caqjkuufvb.at
ceqemqwerm.at
check-soft-system.at
ddpkarrosmfh.at
driverwindowsupdate.at
fgwiuyos.at
jdrbsnhwfu.at
megaupdatesystemservice.at
myupdatesystemservice.at
obnrmqct.at
oecongiuwx.at
peahhmii.at
realvelial-82995964.at
sixpccxn.at
topvelial-55623758.at
update-soft-check-system.at
update-soft-system-check.at
update-system-check-soft.at
update-system-soft-check.at
updatebd.at
updatehome.at
updatenetwork.at
updateweb.at
wayuniqs.at
windowsdriverupdate.at
yissquzaetxx.at
/asZmZK/yueoTE/XQBMcu2.php
/asZmZK/yueoTE/
/XQBMcu2.php

# Reference: https://github.com/pan-unit42/tweets/blob/master/2021-11-15-IOCs-for-Matanbuchus-Qakbot-CobaltStrike-and-spambot-activity.txt
# One scheme-qualified IP and two neighbouring IPs, each on 443 and 44413.
# The reference file name is dated 2021-11-15.
# NOTE(review): IP indicators go stale as addresses are reassigned -
# presumably these need periodic re-validation.

http://190.14.37.84
193.56.146.60:443
193.56.146.60:44413
193.56.146.61:443
193.56.146.61:44413

# The next three groups each cite a single VirusTotal file report and list
# domains only.
# NOTE(review): the file itself does not say whether a domain was C2, a
# download host or merely contacted by the sample - confirm the role in the
# report before using these for blocking rather than alerting.
# Reference: https://www.virustotal.com/gui/file/01ac2b3990a1cf431549d25cc7b1b280d7a9cb80c9ab3c9bdd804b19e941143a/detection

get-fun-24.com
getnek.com
toponlinefilm24.com

# Reference: https://www.virustotal.com/gui/file/004ee7c387f293638fb885c2a6faa06130382bf7960c41c6d3941cb6e297aebd/detection

fantasy-soccer-24.com
fashion-academy.net

# Reference: https://www.virustotal.com/gui/file/0013582e2fc3a977271a354b0bb64403d88969e2ca51aea9959e9e664bc332bc/detection

create-new-house-take.xyz
onenew-cloudapps.com

# Reference: https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a
# Domains with Azure-style names, then path entries. "requets" is kept exactly
# as listed - presumably the spelling the sample uses (verify against the
# referenced analysis); do not normalise it to "requests".
# /njqeee/requets/index.php is the tail of /vmagtc/njqeee/requets/index.php.

azure-dbupdate.cloud
azureboot.com
azureliveapps.com
roamingslivedb.com
/BNUwRuzkgS/
/BNUwRuzkgS/auth.php
/BNUwRuzkgS/index.php
/vmagtc/njqeee/requets/index.php
/njqeee/requets/index.php

# Reference: https://twitter.com/malwrhunterteam/status/1529422038468796417
# Reference: https://www.virustotal.com/gui/ip-address/35.246.201.219/relations
# Reference: https://www.virustotal.com/gui/file/d9e6395917a1d1103c40f710310de0cf64c370d167def378e9b88f3af247a1b0/detection
# azure-dbupdate.at differs from azure-dbupdate.cloud (listed in the previous
# group) only by TLD; both are separate exact entries.
# The five path entries are one URL path plus its directory segments and tail.
# NOTE(review): /ZRSeiy/ and /cAUtfkUDaptk/ are host-independent; how likely
# they are to collide with unrelated traffic depends on whether the consumer
# matches exactly and case-sensitively - confirm.

azure-dbupdate.at
azure-updatedb.at
azuretelemetry.xyz
statsazure.xyz
/cAUtfkUDaptk/ZRSeiy/requets/index.php
/cAUtfkUDaptk/
/ZRSeiy/
/cAUtfkUDaptk/ZRSeiy/
/ZRSeiy/requets/index.php

# Reference: https://www.virustotal.com/gui/file/02dce7f57e4933edf84cbe525d8115defd5ecafd5b2b203be6a2ec7aa0099bc7/detection
# NOTE(review): neither name follows the update/azure/telemetry naming seen in
# other groups; a file report alone does not show whether a contacted domain is
# attacker-registered or a compromised third-party site - confirm before blocking.

buyinvestment24.com
negarehgallery.com

# Reference: https://twitter.com/pr0xylife/status/1537511268591992840
# Reference: https://www.joesandbox.com/analysis/1014730#iocs
# Reference: https://www.virustotal.com/gui/file/2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4/detection
# Reference: https://www.virustotal.com/gui/file/face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666/detection
# Two IPs, each on 443 and 48195, and two "telemetry" domains that are word
# permutations of each other.
# NOTE(review): 34.118.54.36 looks like a public-cloud address (confirm); such
# addresses are re-leased to unrelated tenants, so the entry should be
# re-validated over time.

213.226.114.15:443
213.226.114.15:48195
34.118.54.36:443
34.118.54.36:48195
collectiontelemetrysystem.com
telemetrysystemcollection.com

# The next two groups cite only a VirusTotal IP "relations" view, so the
# domains are presumably linked to the cited address rather than to a specific
# sample.
# NOTE(review): sharing an IP is weak attribution on its own - confirm each name.
# Reference: https://www.virustotal.com/gui/ip-address/34.118.54.36/relations

internationalcservice.quest
mycommonaccess.quest

# Reference: https://www.virustotal.com/gui/ip-address/80.66.64.63/relations

amcabigieluckydomones.net
hponosdomonosdemens.net
kraledemensdpamu.net
tramerdesnomates.net

# Reference: https://github.com/pr0xylife/Matanbuchus/commit/b8a6dbcb41748ab656c6ce5a1976ae879c84f5e1
# Reference: https://www.virustotal.com/gui/ip-address/185.9.147.200/relations
# Reference: https://www.virustotal.com/gui/ip-address/31.41.244.227/relations
# Reference: https://www.virustotal.com/gui/ip-address/31.41.244.228/relations
# Reference: https://www.virustotal.com/gui/ip-address/31.41.244.237/relations
# Reference: https://www.virustotal.com/gui/file/bba5a4ddc964c7cc25ce0c04eb21f5fdf6270ddbe18b7df13c4596057d87637e/detection
# Reference: https://www.virustotal.com/gui/file/d8c21ff6fe4617b22ff37e74a1d29adb08d3164d43d7ed205c207964f4313a72/detection
# One IP:port, then domains mostly listed as .at/.com pairs, then two path
# families (.aspx under /mtaggsM/YmQzcuM/, requets/index.php under /KkfUWR/kFAWCs/).
# "servic" and "requets" are kept exactly as listed; do not "correct" them.
# NOTE(review): each path is also listed by directory segment (e.g. /kFAWCs/);
# those entries have no host part - confirm the consumer's matching rules.

31.41.244.230:65383
communicationreporting.at
communicationreporting.com
servicreporting.at
servicreporting.com
slgemseller.com
telemetryreporting.at
telemetryreporting.com
telemetryservic.at
telemetryservic.com
updatesservic.at
updatesservic.com
/mtaggsM/YmQzcuM/auth.aspx
/mtaggsM/YmQzcuM/home.aspx
/mtaggsM/YmQzcuM/
/mtaggsM/
/YmQzcuM/
/KkfUWR/kFAWCs/requets/index.php
/kFAWCs/requets/index.php
/KkfUWR/kFAWCs/
/kFAWCs/
/KkfUWR/

# Reference: https://twitter.com/James_inthe_box/status/1539274565968310272
# Reference: https://gist.github.com/silence-is-best/1bc62a53c1a0ddb3a8bcdff19bc80c3e
# Path-only group: auth.aspx/home.aspx under /m8YYdu/mCQ2U9/ plus the directory
# segments. No domain or IP accompanies these, so detection relies on the URL
# path alone.
# NOTE(review): presumably only observable in cleartext HTTP or TLS-inspected
# traffic - confirm sensor coverage.

/m8YYdu/mCQ2U9/auth.aspx
/m8YYdu/mCQ2U9/home.aspx
/m8YYdu/mCQ2U9/
/m8YYdu/
/mCQ2U9/

# Two single-domain groups; both names are generic IT-sounding terms under .at.
# The second reference's file name carries the date 2022-06-17.
# Reference: https://www.virustotal.com/gui/ip-address/31.41.244.224/relations

teammanaging.at

# Reference: https://github.com/pan-unit42/tweets/blob/master/2022-06-17-IOCs-for-Matanbuchus-with-Cobalt-Strike.txt

instance-manager.at

# Reference: https://www.virustotal.com/gui/file/037b340417857e618b37cfc3c6b4e6d01717ca0cedfaf57c4d98f368f432f10d/detection
# Two domains from a single VirusTotal file report.
# NOTE(review): their role (C2 vs. merely contacted) is not stated here -
# confirm in the report.

noblecreativeaz.com
testdomainsdrive.com

# Reference: https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/
# Same Unit 42 reference as the first group of this file; this group holds URL
# paths (gate.php, AveBelial.xml) and their directory segments, with no host part.

/kntwtopnbt/iqiw922vv5/AveBelial.xml
/kntwtopnbt/iqiw922vv5/gate.php
/kntwtopnbt/iqiw922vv5/
/iqiw922vv5/
/kntwtopnbt/

# Reference: https://tracker.viriback.com/dump.php (2022-07-11)
# Tracker dump, dated 2022-07-11 in the reference line. 193.56.146.60 and .61
# also appear in an earlier group with ports 443/44413; here they are
# scheme-qualified without a port. "gataway.php" is kept exactly as listed.
# NOTE(review): /ktbrupvunz/ has no longer path or file entry in this group, so
# the URL it came from cannot be reconstructed from this file.

http://193.56.146.60
http://193.56.146.61
http://45.9.20.136
http://45.9.20.139
45.9.20.137:63994
azure-telemetry-software.com
checkupdate.at
statisticglors.com
telemetry-azure.com
zoomforment.com
/fBieeA/
/fBieeA/gbpGKC/
/fBieeA/gbpGKC/gataway.php
/gbpGKC/
/ktbrupvunz/

# Reference: https://otx.alienvault.com/pulse/62e3c66f3c31769773f307f7
# Reference: https://www.virustotal.com/gui/ip-address/193.56.146.62/relations
# Reference: https://www.virustotal.com/gui/ip-address/193.56.146.65/relations
# Two IPs, each listed three ways: http:// form, port 443, port 48195.
# Port 48195 is also used by the 213.226.114.15 / 34.118.54.36 entries earlier
# in this file.

http://193.56.146.62
http://193.56.146.65
193.56.146.62:443
193.56.146.65:443
193.56.146.62:48195
193.56.146.65:48195

# Generic
# NOTE(review): this group has no Reference line, so the provenance of these
# paths cannot be checked from the file. All entries are host-independent.
# The first five are one path in full and partial forms;
# /disjdifijdjifsdd.dat stands alone.

/GtHODfM/qilZw/YjtK.php
/qilZw/YjtK.php
/qilZw/
/GtHODfM/
/YjtK.php
/disjdifijdjifsdd.dat
