# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/ESETresearch/status/1438827056037613570
# Reference: https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/
# Reference: https://github.com/eset/malware-ioc/tree/master/numando#cc-servers
# Reference: https://otx.alienvault.com/pulse/6148684ff8845c58799c8287

# Indicators taken from the Numando references above; the ESET IoC link points
# at that repository's C&C servers section. Which entries are C&C endpoints and
# which are delivery hosts is not recorded in this file.
# Address:port pairs - the port is part of the indicator.
# NOTE(review): presumably matched on address and port together; confirm
# against the consuming sensor's trail parser.
138.91.168.205:733
20.195.196.231:733
20.197.228.40:779
# Amazon S3 bucket hostnames (bucket label + region). Each names one bucket on
# shared AWS infrastructure, so the full label must be kept: matching on the
# parent s3.<region>.amazonaws.com name would hit unrelated buckets. A deleted
# bucket name can later be claimed by another account, so verify a hit against
# the references before acting on it.
enjoyds.s3.us-east-2.amazonaws.com
lksluthe.s3.us-east-2.amazonaws.com
procjdcals.s3.us-east-2.amazonaws.com
rmber.s3.ap-southeast-2.amazonaws.com
sucessmaker.s3.us-east-2.amazonaws.com
trbnjust.s3.us-east-2.amazonaws.com
webstrage.s3.us-east-2.amazonaws.com

# Reference: https://twitter.com/johnk3r/status/1484606460814413825
# Reference: https://bazaar.abuse.ch/sample/ee75f3b76903886f1a333afd9d8b882020e51b5960d480f1afb0424c4264dfe3/#iocs
# Reference: https://tria.ge/220121-xmhhraagb2/behavioral1

# NOTE(review): this entry carries an http:// scheme while the other addresses
# in this file are bare; confirm the consumer strips the scheme before matching.
http://18.230.24.96
# Hostname under duckdns.org, a dynamic-DNS zone shared by many unrelated
# users; only this label is an indicator, not the parent zone.
paiondelivery.duckdns.org
# URL paths with no host attached.
# NOTE(review): presumably matched against the HTTP request path on any server,
# which makes them broader than the host entries; correlate a path-only hit
# with a host or address indicator during triage.
/01/postUP.php
/bBW6tMsYA.css

# Reference: https://github.com/pan-unit42/tweets/blob/master/2022-02-17-IOCs-for-Bazil-targeted-malware-infection.txt
# Reference: https://www.virustotal.com/gui/domain/gnjghnmjhgnjmgh.from-pr.com/detection

# Hostnames whose parent zones (is-saved.org, from-pr.com, doomdns.org,
# dyndns.ws, duckdns.org, dyndns.org) look like dynamic-DNS provider domains -
# TODO confirm per zone. Only the full labels below are indicators; the parent
# zones are shared with unrelated users. A dynamic-DNS label can be released
# and re-registered, so check the resolution date of a hit against the
# February 2022 reference above.
clientes.is-saved.org
gnjghnmjhgnjmgh.from-pr.com
nfe5.doomdns.org
nfe6.dyndns.ws
plugtree.duckdns.org
download2.go.dyndns.org
# Host-less URL path; it shares the postUP.php file name with the
# /01/postUP.php entry earlier in this file.
# NOTE(review): presumably matched on the request path alone, so correlate with
# one of the hostnames above before treating a hit as confirmed.
/clientes/postUP.php

# Reference: https://www.virustotal.com/gui/domain/gufhoifpd.is-an-artist.com/detection

# The four hostnames from here to the end of the file each cite a single
# VirusTotal domain report as their only source; no sample hash or write-up is
# linked, so the attribution to this family rests on those reports alone.
# The parent zones (is-an-artist.com, is-a-doctor.com, from-mi.com,
# servebbs.com) look like dynamic-DNS provider domains - TODO confirm. Keep
# the full label when matching.
gufhoifpd.is-an-artist.com

# Reference: https://www.virustotal.com/gui/domain/nota-fiscal.is-a-doctor.com/detection

nota-fiscal.is-a-doctor.com

# Reference: https://www.virustotal.com/gui/domain/orcamento2022.from-mi.com/detection

orcamento2022.from-mi.com

# Reference: https://www.virustotal.com/gui/domain/nota-fiscal-eletronica.servebbs.com/detection

nota-fiscal-eletronica.servebbs.com
