# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Note: Trail for non-classified data stealers

# Reference: https://twitter.com/petikvx/status/1591465219666153474
# Reference: https://tria.ge/221112-tmcqqagf37
# Reference: https://www.joesandbox.com/analysis/744589?idtype=analysisid#iocs
# Reference: https://app.any.run/tasks/481b8157-1049-4145-9a84-978cd7814575/
# Reference: https://www.virustotal.com/gui/file/6663b11dcecaa8077560752dd22f1a801c7aa92c0dc691d6d2cb709be55ba5b5/detection

onsapay.com/loader

# Reference: https://www.virustotal.com/gui/file/3bace89ae7816695689bffd157c4ac31b58eb66b4de0bd40ede76606d7712aab/detection

tds-packages-update.com

# Reference: https://twitter.com/ULTRAFRAUD/status/1678849977336954880
# Reference: https://twitter.com/josh_penny/status/1679092742666825731
# Reference: https://www.virustotal.com/gui/file/d6aee63ffe429ddb9340090bff2127efad340240954364f1c996a8da6b711374/detection

download-desktop-capcut.com
avatarcloud.top
cloudimages.net
editorimage.info
getavatar.top
hahaimage.info
hahaimage.top
hahaimage.xyz
heheimage.info
heheimage.top
heheimage.xyz
heyavatar.info
heyavatar.top
heyimage.info
ip-ptr.tech
justjobsnow.com
nametoimage.com
partressure.org.uk
toimageai.top
svs00.ip-ptr.tech
vs1-2_2.ip-ptr.tech

# Reference: https://www.virustotal.com/gui/file/25ed22baa1216bddb7c0588cabe791452adc9f7f668837cafe00537ff85aea82/detection

lorealis.vip

# Reference: https://twitter.com/1ZRR4H/status/1682268170168532992

managedkv.com

# Reference: https://twitter.com/hiramcoop/status/1688616244042412041

/365-stealer.py

# Reference: https://twitter.com/idclickthat/status/1692210489663905972
# Reference: https://twitter.com/fr0s7_/status/1695775953505402985
# Reference: https://tria.ge/230817-tm14bacc7s/behavioral2

kholapqua.com
shoppingvideo247.com

# Reference: https://twitter.com/k3yp0d/status/1693598087556505763
# Reference: https://www.virustotal.com/gui/file/b27d5f5a85c251ea6c603a86087233ce015f012062bf5f023e3e9a1d4b09707f/detection
# Reference: https://www.virustotal.com/gui/file/9e217a0d9a6b44b195f5ee70d38e82507c02e480430bf2508bd8afdea886d846/detection

http://34.89.79.160

# Reference: https://twitter.com/karol_paciorek/status/1696175997513564658

/stealer/Auth/Login

# Reference: https://twitter.com/idclickthat/status/1697772164831944884

secure-update-portal.com

# Reference: https://checkmarx.com/blog/an-ongoing-open-source-attack-reveals-roots-dating-back-to-2021/
# Reference: https://otx.alienvault.com/pulse/64f09d12f52704036d29d312

bind9-or-callback-server.com
cczk46g2vtc0000k68dgggx31deyyyyyb.oast.fun
ck0r1hp2vtc00007c0zggjocy3ryyyyyb.oast.fun

# Reference: https://www.virustotal.com/gui/file/65bfda9a772c6c5eab6a610446b4bf58d43bd025062a1d482cffbf9b2351fa5c/detection
# Reference: https://www.virustotal.com/gui/file/0f6e6c43df42a007f9b70482671b2fea79353e069f6260b04ed6f599abef7a5a/detection

185.130.44.113:8080
185.130.44.113:8443
93.95.229.246:8080
93.95.229.246:8443
microsoft.dynnamn.ru
mswindows.hldns.ru
rckl.hldns.ru
rcnkl.dynnamn.ru
simantec.hldns.ru
simantec.mooo.com
windowsdefender.freemyip.com
windowstelemetry.theworkpc.com

# Reference: https://www.virustotal.com/gui/file/0f61ffdbab0efe9272f1b0acf8f99fcda6461e4f6f978fbaf7f7f637778959e4/detection

log.hackcrack.io

# Reference: https://twitter.com/THProfiler/status/1702136008584900636

red-hacks.com

# Reference: https://twitter.com/ULTRAFRAUD/status/1705209115000070206
# Reference: https://www.virustotal.com/gui/file/60ba10a5bdafa65987f36aa9ba884f686e36788bea22a7f6a7026fa18cbbab1d/detection

http://46.151.29.182
46.151.29.182:443

# Reference: https://twitter.com/1ZRR4H/status/1709421805880877346
# Reference: https://www.virustotal.com/gui/file/759f68868414e8e7bf602a631d34740a125a7d8821b313330ad2469a96616e0c/detection
# Reference: https://www.virustotal.com/gui/file/51574e9dc00eca75a025fe34e729a487624e1f2f77100618ff67cffb80a36686/detection

/oisn38dfs/
/oisn38dfs/logger.php
/oisn38dfs/loggerbad.php

# Reference: https://twitter.com/r3dbU7z/status/1710590656597352560
# Reference: https://twitter.com/Gi7w0rm/status/1711030015016505609

http://3.68.185.165
hackdev.ciaffa.net
/IP-Grabber.ps1
/Steal%20BrowserPassword.ps1
/Steal%20BrowserPasswords.ps1
/Steal%20Doc-v1.ps1
/Steal%20Doc.ps1
/Steal%Key.ps1
/Steal%Keys.ps1
/Steal_BrowserPassword.ps1
/Steal_BrowserPasswords.ps1
/Steal_Doc-v1.ps1
/Steal_Doc.ps1
/Steal_Key.ps1
/Steal_Keys.ps1

# Reference: https://www.virustotal.com/gui/file/a21b406dd4f152c0831201585a21da8e60bd1da218e801e2d7c29076dc6c2be0/detection

http://81.161.229.12

# Reference: https://twitter.com/suyog41/status/1718890969951842554
# Reference: https://www.virustotal.com/gui/ip-address/77.105.146.90/relations
# Reference: https://www.virustotal.com/gui/file/1fbeca1cd511cf894d080d7100a05c5fff0a5f4c6c3fd214f98f28c5dcb866fb/detection
# Reference: https://www.virustotal.com/gui/file/5836eec5ff95e74e21fed63519793f61dea7661a7b555d4e971074f8ab242cf8/detection

http://77.105.146.90
/Up/bistAndAuditAlarmByHandle
/Up/bounterAndPerformanceCounterdll
/Up/bounterAndPerformanceCounteral
/bistAndAuditAlarmByHandle
/bounterAndPerformanceCounteral
/bounterAndPerformanceCounterdll

# Reference: https://www.bleepingcomputer.com/news/security/fake-ledger-live-app-in-microsoft-store-steals-768-000-in-crypto/
# Reference: https://otx.alienvault.com/pulse/654b98775dad45e59c2c2b44

ladgerlivlugio.gitbook.io

# Reference: https://www.virustotal.com/gui/file/fc596cd42b7f1237bd2686059918cbe23b752546dd820b77f91acfc99e2065a1/detection

fhaduasd.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1727754734876913736
# Reference: https://www.virustotal.com/gui/file/f7e56674caa3c0c39d0a177ce6da1063bb7ff83f0acccb5da02527ab6250826c/detection
# Reference: https://www.virustotal.com/gui/file/cc1061c7d42e18a4f987fe2563a0934e1e77322856d4d1f000e1311f1f21ef1c/detection
# Reference: https://www.virustotal.com/gui/file/90ffb9eade13d75f95e25c0b0aaa9a1f9171849cb81f1e2e9494c1fa801deee1/detection

torrecomando.com
peg3z.app.goo.gl

# Reference: https://checkmarx.com/blog/attacker-hidden-in-plain-sight-for-nearly-six-months-targeting-python-developers/
# Reference: https://otx.alienvault.com/pulse/65577803bd352de4281ac497

51.178.25.148:8081

# Reference: https://www.virustotal.com/gui/file/f75c5b809e07fe2bdcc52fba4ebed26c82b703acf60d1b6a725189c496ad4753/detection

webvideoshareonline.com

# Reference: https://twitter.com/banthisguy9349/status/1740371850067058701

http://91.92.241.168
http://91.92.241.172
/batushka/twointe

# Reference: https://twitter.com/naumovax/status/1740701521736802556
# Reference: https://tria.ge/231206-mfkz7adg22/behavioral1
# Reference: https://app.any.run/tasks/0de95728-53f5-4027-9655-28d15f129718/

107.148.61.219:8080

# Reference: https://twitter.com/AnFam17/status/1748426722377146822
# Reference: https://blog.phylum.io/npm-package-found-delivering-sophisticated-rat/
# Reference: https://www.virustotal.com/gui/file/631f221da41e5f837a2b0fd44d07ae64640114b803d462688ada3efb88c98403/detection

cookieplay252511.s3.amazonaws.com
devwork9.com
kdark1.com

# Reference: https://www.virustotal.com/gui/file/062404e023a81c9be5959bb78ff149daad5be544017afb765198e8e49caf89cd/detection

http://95.163.241.63
chatgptencoder.site
millionjobs.work
moneyz.fun

# Generic

/inject-keylogger.exe
/loader0AA004BA90B
/loadermeLMEM8
/loaderrogram
/Stealer/
/StealerLogs/
/stealer_php/
/.steal/
/Token_Stealer.bat
/FormGrabber/
/HistoryStealer/
/Stealer.php
/StealerRegistration.php
