chartingshow / crypto-firewall Goto Github PK

🎁 Blocks browser-based crypto mining, cryptojacking, banking and crypto malware and phishing websites, apps and hackers command-and-control (C2) servers.

License: GNU General Public License v3.0

PHP 17.63% JavaScript 13.28% Shell 12.74% Python 56.35%

adblocker filterlist hosts ublock ublock-filters-rules ublock-origin adblock crypto-miner cryptocurrencies cryptocurrency

crypto-firewall's People

Contributors

Stargazers

Watchers

crypto-firewall's Issues

Block `FAKEUPDATES` aka `FakeUpdate, SocGholish` malware

Enhancement idea

Block FAKEUPDATES aka FakeUpdate, SocGholish malware

Description

FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER and AZORULT.

FAKEUPDATES has been heavily used by UNC1543, a financially motivated group.

Links

https://threatfox.abuse.ch/browse/malware/js.fakeupdates/

IOC

URL's

artwork.siddavisart.com
form.haysllc.net

Domains

7c5xek1a1pe7nnn.top
9xkcaayaagvr1p2.top
96roafw91vs3hqv.top
98ygdjhdvuhj.com
921hapudyqwdvy.com
abogados.services
aflomusic.com
ahmgbgjhdlmmlnf.top
aiys71ubj6cbeqg.com
aiys71ubj6cbeqg.fun
aiys71ubj6cbeqg.top
alliantlaw.us
architech3.com
asfgze.fun
autonerdmobilerepairs.com
awesomepotions.com
ayitiexpo.com
barclayledsolutions.com
biggreenlimes.org
blueecho88.com
bluegaslamp.org
bodyandsoulmassage.com
bodyguardchicago.com
boka-rem.com
bookchrono8273.com
bpjoieohzmhegwegmmuew.online
c3c73sqbsxtwssv.top
cancelledfirestarter.org
cczqyvuy812jdy.com
cdn-new-dwnl.site
chestedband.org
cmbefalcljjblia.top
credit-volta.com
cristinaamaro.com
dailytickyclock.org
dawarel3mda.com
deeplakes.org
deeptrickday.org
defcon1.us
deltavis.net
draggedline.org
drilledgas.org
eastcoastmotorhomes.co.uk
eduvisuo.com
efjcfmbnnmnhkdn.top
esteticalocarno.com
everyadpaysmefirst.com
ewkekezmwzfevwvwvvmmmmmmwfwf.site
expressyourselfesthetics.com
faseries.com
feooa21nl5o8j4o.com
feooa21nl5o8j4o.fun
feooa21nl5o8j4o.top
finanpress.com
firstmillionaires.com
friendsofthefolsomlibrary.org
gammalambdalambda.org
gctatick.com
getquery.org
gkrokbmrkmrxtmxrxr.space
google-analytiks.com
googlestates.com
googletagmanagar.com
greedyclowns.org
greedyfines.org
greenpapers.org
gstatick.com
gutesherz.org
humandesigns.com
iglesiaelarca.com
iglesiaelarca.org
ilinkads.com
indogevro22tevra.com
invertirenmercados.com
ioiubby73b1n.com
ipocla.org
jdlaytongrademaker.com
jqueryj.com
kinchcorp.com
kjniuby621edoo.com
krafttopia.net
laytonroadconstruction.com
lemonicecold.org
libertader.org
limonpart.org
linedgreen.org
linedloop.org
lintingdaun.com
livinginthenowbook.info
lminoeubybyvq.com
loloalexander.com
macayafoundation.org
machinetext.org
mansaentertainment.com
marcborowy.com
mathgeniusa.com
mathgeniusacademy.com
mnnoiuiuyttczchgv265d.com
mobileautorepairmechanic.com
moraver.com
myjesusloves.me
nbjhllilknbjldk.top
nbvyrxry216vy.com
neworderspath.org
ngvcfrttgyu512vgv.net
nilselsholz.com
nodirtyelectricity.com
nvize.com
o1gpxolsxcnfz4y.top
oekofkkfkoeefkefbnhgtrq.space
oiouhvtybh291.com
oiuugyfytvgb22h.com
oiuytyfvq621mb.org
ojhggnfbcy62.com
ojhggnfbcy62.com/
ojiwojdiuuywdnbhcby.com
onepercentage.org
opkfijuifbuyynyny.com
owkdzodqzodqjefjnnejenefe.site
oystergardener.net
pixelbase.com
pklkknj89bygvczvi.com
poqwjoemqzmemzgqegzqzf.online
porchlightcs.org
propertytax4less.com
pwwqkppwqkezqer.site
q-dent.com
qnv5ufhs524zc6d.top
quaryget.org
r89kq6esetljq7r.fun
r89kq6esetljq7r.top
rankinfiles.com
rationallifestyleconsulting.org
redsnowynose.org
reedx51mut.com
resourcehost.net
roadmap.jufp.com
rpacx.com
rpacxtaxappeal.com
saltminecomics.com
sammyhallam.com
sevenpunches.org
shopperstreets.com
siliconvalleyga.com
sioaiuhsdguywqgyuhuiqw.org
slurpslimes.org
smartmetereducationnetwork.com
stats-best.site
surelytheme.org
symposiumhaiti.com
teachmemoney.net
teamupnetwork.org
theamericasfashionfest.com
throatpills.org
transversallearning.com
tre100.in
tropipackfood.com
ttnznxatnj23395.com
ttnznxatnj23395.fun
ttnznxatnj23395.top
ug62r67uiijo2.com
univisuo.com
updateadobeflash.website
uygftdrvtygnyuhi8.com
vanquicktech.com
vcrwtttywuuidqioppn1.com
visionofvivaldi.org
vvooowkdqddcqcqcdqggggl.site
w4zgt6l5hrxgvlz.top
waterlinesheet.org
webappclick.net
whitedrill.org
windowlight.org
wudugf.top
yogayield.net
ypdvqxh5qie08md.top
ytntf5hvtn2vgcxxq.com
zasexdrc13ftvg.com
zitoprohealth.com
ziucsugcbfyfbyccbasy.com
znqjdnqzdqzfqmfqmkfq.site
zurvio.com

IP's

5.79.66.100
5.79.66.123
5.182.207.83
8.211.4.118
23.146.184.29
35.176.231.198
37.221.67.161
45.77.195.105
45.90.57.160
45.130.201.23
45.130.201.24
47.91.94.97
47.251.55.14
57.128.164.245
66.63.188.104
77.246.99.5
77.246.109.146
80.66.64.101
85.239.33.72
88.119.169.145
88.119.169.146
91.103.253.14
91.201.113.154
91.203.193.55
91.203.193.81
91.208.184.14
94.131.96.55
94.156.6.203
95.179.128.92
95.214.26.29
95.214.26.35
98.142.254.70
102.223.180.164
109.248.206.49
109.248.206.83
109.248.206.101
109.248.206.118
128.140.14.253
176.123.2.25
176.124.192.124
179.43.141.177
185.163.204.214
185.225.70.190
185.251.91.59
185.252.179.64
192.236.208.50
193.106.174.54
193.106.175.61
193.106.175.77
193.124.125.110
194.28.226.92
194.50.153.19
194.169.175.229
206.71.148.110
213.252.247.146
216.189.145.169

Block `Anatsa` banking Trojan

Enhancement idea

Block Anatsa banking Trojan.

Links

https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign

https://threatfox.abuse.ch/browse/malware/apk.anatsa/

IOC

Domains

comixsel.com
conversions.appsflyer.com
device-api.urbanairship.com
inapps.appsflyer.com
oinregoinroseg.xyz

IP's

34.120.195.249
51.38.166.150
51.38.166.153
62.182.81.71
91.243.34.26
93.158.209.15
138.201.166.127
164.132.201.232
185.215.113.31
185.215.113.39
195.201.70.80

Block `ERMAC` banking malware

Enhancement idea

Block ERMAC banking malware.

Links

https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn

https://threatfox.abuse.ch/browse/malware/apk.ermac/

IOC

Domains

n/a

IP's

5.42.199.3
5.42.199.22
5.42.199.91
45.93.201.92
62.204.41.98
91.215.85.213
91.228.10.228
92.243.88.25
176.113.115.66
176.113.115.67
178.132.6.150
185.215.113.42
185.215.113.81
185.215.113.94
185.225.75.134

Block `TeaBot` banking malware

Enhancement idea

Block TeaBot banking malware.

Links

https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe

IOC

Block	Description
https://github.com/leroynathanielxnlw	GitHub repository (proxy)
https://github.com/feleanicusor	GitHub repository (hosting multiple TeaBot samples)
185.215.113.31	C2 Server

Block `NjRAT` aka `Bladabindi, Lime-Worm` malware

Enhancement idea

Block NjRAT aka Bladabindi, Lime-Worm malware.

Description

RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."

It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.

Links

https://threatfox.abuse.ch/browse/malware/win.njrat/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

at.ply.gg
hacker1236.hoto.org
jumpy-advice.auto.playit.gg
saw4.playit.gg
tell-academic.at.playit.gg
weak-edge.auto.playit.gg

Domains

808080.ml
access.ly
biliianstore.com
blogsyte.com
bo-ip.biz
capeturk.com
codns.com
ddns.com
hackcrack.io
hopper.pw
hopt.org
internetdocss.com
libya2020.com.ly
linkpc.net
loca.lt
myftp.org
myq-see.com
n-e.kr
ndplc.gq
nerdpol.ovh
no-ip.com
no.ip-biz
no_ip.biz
officeee.tk
p-e.kr
pktriot.net
portmap.host
rrshost.in
securitymessures.com
servecounterstrike.com
servehalflife.com
servehttp.com
servep2p.com
servequake.com
spdns.eu
system-ns.net
thddns.net
urlcuts.com
waely.com
whmfix009.cf
xxxerer.com

IP's

3.124.142.205
3.125.102.39
3.125.209.94
3.126.224.214
18.192.31.165
18.229.146.63
18.229.248.167
20.197.231.178
46.246.6.7
46.246.82.16
147.50.253.101
147.185.221.16
193.27.72.137

Emails

n/a

Wallet Addresses

n/a

Block `EugenLoader` malware

Enhancement idea

Block EugenLoader malware.

Description

Malvertising.

Links

https://threatfox.abuse.ch/browse/tag/EugenLoader/

https://intel471.com/blog/malvertising-surges-to-distribute-malware

IOC

URL's

n/a

Domains

9sta9rt4.store
623start.site
682start.store
994safeweb.store
994super.site
2478dotfarm.site
ads-info.ru
aipanelnew.ru
cdn-prok.site
clk-brom.site
clk-brood.top
clk-info.ru
clk-info.site
cornbascet.site
fresh-prok.ru
fresh-prok.site
mega378-fon.site
new-prok.ru
newvision682.store
next-traf623.site
prkl-ads.ru
prkl-ads.site
start-up-plus.site
super56fall.online
top789market.online
trill-gone123.site
trust-flare.ru
trust-flare.site

IP's

n/a

Block fake `Dependabot` malware

Enhancement idea

Block fake Dependabot malware.

Links

https://checkmarx.com/blog/surprise-when-dependabot-contributes-malicious-code/

IOC

Domains

wagateway.pro

IP's

n/a

Block Agniane Stealer: Dark Web’s Crypto Threat

Enhancement idea

Block Agniane Stealer: Dark Web’s Crypto Threat

Agniane Stealer fraudulently takes credentials, system information, and session details from browsers, tokens, and file transferring tools. Agniane Stealer also heavily targets cryptocurrency extensions and wallets. Once it obtains the sensitive data, Agniane Stealer transfers that stolen data to command-and-control [C&C] servers, where threat actors can act upon the stolen information.

Link:
https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat

Indicators of Compromise (IOCs)

DOMAIN	DESCRIPTION
Central-cee-doja.ru	Host Name

Block `Deimos` malware

Enhancement idea

Block Deimos malware.

Description

Described by Elastic as being associated with solarmarker malware, and being used in the context of initial access, persistence, and C&C capabilities.

Links

https://threatfox.abuse.ch/browse/malware/win.deimos/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

n/a

Domains

n/a

IP's

3.78.199.107
3.139.182.36
3.140.170.199
3.209.12.178
8.129.77.150
8.217.217.243
8.218.26.114
13.33.49.168
13.245.163.162
14.29.118.239
18.162.155.202
18.162.193.120
34.81.252.215
34.91.254.205
34.147.114.77
35.71.185.24
36.95.131.171
36.138.134.148
39.106.36.96
42.247.11.53
43.198.73.212
44.216.250.133
44.230.201.248
45.77.7.58
47.97.166.129
54.68.113.254
54.151.143.251
58.250.32.16
58.251.128.87
58.251.128.117
58.251.128.148
59.46.210.116
61.121.83.152
61.121.83.153
61.121.83.154
61.216.149.32
64.254.19.142
64.254.28.121
64.254.28.122
65.153.151.175
75.2.27.176
79.137.203.70
80.2.242.3
80.240.131.27
81.70.24.179
81.200.47.66
87.122.216.200
87.122.219.215
88.99.17.2
88.99.17.3
88.99.17.5
88.99.17.6
88.130.127.16
92.116.24.76
92.116.88.238
92.116.89.167
97.69.224.172
103.44.253.115
104.196.56.239
106.75.229.132
109.192.42.61
112.29.177.3
112.29.177.4
112.29.177.5
112.29.177.6
112.29.177.7
112.29.177.8
112.29.177.9
112.29.177.10
112.29.177.11
112.29.177.12
112.29.177.13
112.29.177.14
112.29.177.15
112.29.177.17
112.29.177.19
112.29.177.20
112.29.177.22
112.29.177.23
112.29.177.27
112.29.177.29
112.29.177.30
112.29.177.31
112.29.177.32
112.29.177.37
112.29.177.39
112.29.177.40
112.29.177.41
112.29.177.42
112.29.177.46
112.29.177.48
112.29.177.49
112.29.177.50
112.29.177.51
112.29.177.52
112.29.177.53
112.29.177.56
112.29.177.59
112.29.177.62
112.29.177.66
112.29.177.68
112.29.177.69
112.29.177.70
112.29.177.71
112.29.177.73
112.29.177.74
112.29.177.75
112.29.177.76
112.29.177.77
112.29.177.78
112.29.177.79
112.29.177.80
112.29.177.81
112.29.177.82
112.29.177.83
112.29.177.84
112.29.177.85
112.29.177.87
112.29.177.90
112.29.177.91
112.29.177.92
112.29.177.93
112.29.177.94
112.29.177.95
112.29.177.96
112.29.177.97
112.29.177.98
112.29.177.99
112.29.177.100
112.29.177.101
112.29.177.103
112.29.177.104
112.29.177.105
112.29.177.107
112.29.177.108
112.29.177.109
112.29.177.110
112.29.177.111
112.29.177.112
112.29.177.114
112.29.177.115
112.29.177.116
112.29.177.117
112.29.177.118
112.29.177.120
112.29.177.123
112.29.177.199
112.29.177.205
112.29.177.207
112.29.177.209
112.29.177.210
112.29.177.211
112.29.177.212
112.29.177.213
112.29.177.215
112.29.177.216
112.29.177.217
112.29.177.218
112.29.177.219
112.29.177.220
112.29.177.221
112.29.177.222
112.29.177.223
112.29.177.226
112.29.177.227
112.29.177.228
112.29.177.229
112.29.177.230
112.29.177.231
112.29.177.232
112.29.177.233
112.29.177.234
112.29.177.235
112.29.177.236
112.29.177.237
112.29.177.238
112.29.177.241
112.29.177.242
112.29.177.243
112.29.177.249
112.29.177.250
112.29.177.251
112.29.177.252
112.29.177.253
112.29.180.7
112.29.180.8
112.29.180.9
112.29.180.11
112.29.180.15
112.29.180.17
112.29.180.19
112.29.180.20
112.29.180.23
112.29.180.25
112.29.180.29
112.29.180.35
112.29.180.36
112.29.180.37
112.29.180.38
112.29.180.42
112.29.180.45
112.29.180.46
112.29.180.47
112.29.180.48
112.29.180.49
112.29.180.53
112.29.180.54
112.29.180.55
112.29.180.57
112.29.180.60
113.108.52.214
115.178.77.142
115.178.77.145
118.128.205.8
120.196.99.51
120.196.99.59
120.196.99.65
120.196.99.89
124.24.58.252
129.159.88.174
134.79.106.208
134.79.106.212
134.79.106.213
134.79.129.88
134.79.129.96
134.79.129.112
134.79.129.122
134.79.129.123
150.136.195.7
150.230.194.159
152.70.165.103
153.127.6.127
153.127.33.186
156.59.88.32
165.227.45.251
167.172.100.213
173.242.121.206
176.122.155.194
183.36.40.98
184.97.46.154
185.142.98.14
196.188.31.81
202.98.224.206
202.98.224.210
202.98.224.214
202.98.224.218
202.98.224.222
202.98.226.202
202.98.226.206
202.98.226.210
202.98.226.214
202.98.226.218
202.105.134.43
204.13.154.239
208.70.48.31
208.93.103.205
211.95.133.19
212.227.191.42
213.155.247.7
213.246.183.28
220.130.28.152
222.204.197.12

Emails

n/a

Wallet Addresses

n/a

Block `AsyncRAT` malware

Enhancement idea

Block AsyncRAT malware.

Description

AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.

Links

https://threatfox.abuse.ch/browse/malware/win.asyncrat/

IOC

URL's

n/a

Domains

Free DNS/Hosting

con-ip.com
ddns.net
duckdns.org
hopto.org
myiphost.com
myvnc.com
mywire.org
noip.com
servebbs.net
thruhere.net
ydns.eu

Custom

accesscam.org
amafo.cc
awsmppl.com
capitalizerutc.com
dynv6.net
ewoiutz9dt9bzo89tz.com
f88vbv8b8erht8baos.com
kozow.com
localto.net
mrbonus.com
myftp.biz
mysynology.net
nbnf43456httpshost.online
niceone20.cn
ooguy.com
ply.gg
saefigozower.fun
sdfubuzoeoeiv.top
selfip.biz
seuriouhvhusr.cn
spdns.de
tamera.ug
telachapesu.com
v6.rocks
webhop.net
webwhatsapp.cc
work.gd

Sub-domains

frp1.freefrp.net

IP's

1.14.103.49
1.117.82.177
2.56.62.12
2.58.149.98
2.59.119.56
2.59.254.111
3.67.161.133
3.69.157.220
3.124.67.191
3.126.37.18
3.127.59.75
3.127.138.57
3.128.29.88
3.131.190.22
3.135.234.129
4.151.131.10
5.104.84.227
5.152.206.196
5.231.208.228
5.249.163.45
6.6.54.46
13.68.249.188
13.72.68.255
13.77.164.68
13.81.84.141
13.82.134.169
13.235.23.234
13.235.76.244
14.5.119.153
15.235.10.108
15.235.130.74
18.156.13.209
18.157.68.73
18.158.249.75
18.192.93.86
18.197.239.5
18.197.239.109
18.212.29.200
18.222.33.57
18.222.208.120
18.223.28.97
20.36.21.13
20.52.139.127
20.84.181.62
20.86.129.162
20.106.79.151
20.112.14.182
20.115.143.128
20.172.137.101
20.172.182.62
20.188.60.159
20.224.56.152
23.92.209.138
23.95.13.157
23.95.44.214
23.105.131.169
23.105.131.201
23.106.223.244
23.254.161.249
23.254.225.164
24.254.43.171
27.124.4.139
27.124.12.12
27.254.163.62
31.17.132.37
31.41.244.235
31.150.163.112
31.223.35.146
34.91.242.34
34.223.60.188
35.177.119.94
37.8.111.210
37.19.210.29
37.75.98.113
37.120.208.37
38.46.13.242
38.55.205.246
38.132.124.138
40.74.229.0
40.75.8.74
40.90.168.244
40.113.56.160
42.51.40.184
42.192.139.42
43.137.15.104
43.138.142.86
43.140.202.229
43.142.15.215
43.143.12.71
43.143.249.228
43.152.225.81
43.249.8.248
43.249.8.250
45.12.253.77
45.12.253.146
45.14.185.127
45.32.48.250
45.35.158.173
45.63.42.221
45.66.230.191
45.76.50.199
45.76.219.163
45.77.101.153
45.80.158.113
45.91.92.112
45.95.168.116
45.95.168.166
45.132.1.226
45.133.174.122
45.137.20.108
45.137.65.94
45.139.202.55
45.139.202.202
45.143.223.34
45.145.22.142
45.145.185.245
45.153.243.96
45.154.98.42
45.204.126.250
45.227.255.194
46.153.20.70
46.183.223.29
47.54.37.55
47.100.84.12
47.111.31.251
47.242.89.34
49.232.230.111
50.27.35.75
51.79.197.196
51.81.241.89
51.89.12.10
51.89.204.75
51.103.217.70
51.138.76.245
51.140.15.13
51.141.172.115
51.141.178.162
51.178.8.228
51.178.148.147
51.195.37.2
51.195.200.153
51.254.27.116
52.42.85.68
52.156.134.11
52.191.174.30
52.233.66.100
54.36.220.171
54.89.93.238
54.236.46.72
54.246.188.45
58.221.46.155
58.221.58.124
61.139.65.135
61.160.213.14
62.37.96.229
62.106.84.215
62.108.37.42
62.122.170.171
62.234.33.152
62.234.35.139
65.21.177.234
65.109.196.96
66.63.162.20
66.168.88.41
68.235.44.53
69.30.227.43
70.125.175.238
72.176.161.178
73.140.59.149
73.168.2.231
74.119.194.180
74.133.86.50
74.141.196.43
74.208.105.80
74.208.157.153
76.223.249.60
77.68.4.186
77.73.133.38
78.140.241.23
78.171.102.209
79.86.49.168
79.134.225.18
79.134.225.35
79.134.225.36
79.134.225.50
79.134.225.52
79.134.225.59
79.134.225.69
79.134.225.71
79.134.225.78
79.134.225.82
79.134.225.85
79.134.225.92
79.134.225.95
79.134.225.99
79.134.225.115
79.134.225.117
79.134.225.125
80.76.51.237
80.85.153.152
80.89.230.176
80.178.10.107
80.232.93.176
80.232.93.177
81.161.229.73
81.161.229.121
82.2.147.149
82.84.85.59
82.102.28.107
82.147.85.168
82.197.208.225
82.202.167.226
84.21.172.33
84.27.151.14
84.51.52.166
84.210.40.80
85.31.45.6
85.187.94.142
85.192.40.255
87.4.136.146
87.249.134.33
88.80.224.150
88.119.174.117
88.121.6.16
88.138.252.119
88.198.101.59
88.198.101.62
88.248.18.120
89.23.101.38
89.117.21.143
89.208.103.42
89.212.152.239
89.223.125.80
89.252.176.182
90.62.249.133
90.100.176.56
91.92.136.123
91.103.252.215
91.105.195.23
91.116.253.83
91.134.150.151
91.134.187.25
91.134.214.15
91.192.100.61
91.193.75.146
91.211.250.207
92.205.184.19
93.82.44.26
93.95.27.97
94.46.187.194
94.156.6.65
94.156.6.224
94.177.245.135
95.68.162.99
95.93.127.180
95.169.210.148
95.179.128.208
95.214.24.134
95.214.27.6
95.216.52.21
101.33.208.151
101.34.3.12
101.42.20.213
101.42.137.105
101.43.254.90
103.20.221.33
103.38.236.46
103.39.109.48
103.39.109.63
103.42.30.227
103.42.31.134
103.42.31.140
103.42.31.180
103.88.35.24
103.108.66.216
103.108.66.222
103.108.66.225
103.127.236.137
103.138.108.71
103.142.218.222
103.148.186.105
103.149.201.155
103.149.201.162
103.149.201.212
103.167.90.172
103.207.39.83
103.207.39.131
103.231.254.62
103.233.253.101
103.233.253.118
103.235.175.244
103.239.244.27
103.254.108.50
104.3.77.123
104.129.26.162
104.194.156.4
104.233.228.116
105.103.106.56
107.148.8.176
107.148.13.135
107.150.4.162
107.213.221.23
109.120.188.95
109.195.94.247
110.238.105.105
111.67.201.24
111.92.241.239
112.150.137.53
112.213.110.66
114.132.125.213
114.134.188.218
118.195.199.246
120.78.151.171
121.45.37.175
123.99.200.153
123.99.200.175
123.215.61.198
124.248.66.139
124.248.66.140
124.248.66.144
124.248.229.210
134.122.167.65
134.195.91.47
134.255.254.224
135.181.53.40
135.181.226.133
140.143.167.227
141.95.84.40
141.98.11.72
141.98.252.169
144.48.222.103
144.202.75.107
144.217.68.78
145.239.201.157
147.185.221.16
147.185.221.161
147.185.221.180
147.185.221.181
147.185.221.212
147.185.221.223
147.189.169.11
148.163.80.217
149.28.173.200
149.104.148.244
151.248.122.243
154.12.86.189
154.12.87.239
154.12.90.2
154.12.90.13
154.12.90.31
154.12.90.49
154.12.230.109
154.19.203.208
154.23.176.93
154.40.36.190
154.47.25.194
154.53.45.95
154.61.71.12
154.61.71.13
154.91.227.35
154.127.53.26
154.221.24.181
155.94.129.4
156.254.127.78
162.14.197.20
162.246.187.245
163.123.143.164
164.155.129.86
165.227.168.205
167.71.56.116
168.62.160.75
172.0.0.1
172.93.181.21
172.93.222.156
172.94.14.239
172.94.47.80
172.111.200.225
172.111.252.131
173.31.169.124
176.113.115.123
178.209.51.192
178.211.139.47
179.43.139.10
179.43.140.175
181.162.213.36
184.75.221.59
185.16.39.143
185.17.0.246
185.19.85.143
185.19.85.155
185.19.85.177
185.19.85.179
185.22.154.160
185.25.51.99
185.33.234.71
185.33.234.204
185.65.134.165
185.70.187.145
185.81.157.7
185.81.157.19
185.81.157.46
185.81.157.117
185.81.157.150
185.81.157.153
185.81.157.154
185.81.157.169
185.81.157.209
185.106.94.165
185.112.83.111
185.112.146.237
185.117.91.202
185.136.161.11
185.140.53.41
185.140.53.68
185.140.53.213
185.140.53.227
185.150.24.5
185.165.153.43
185.165.153.140
185.165.153.209
185.165.153.215
185.165.153.249
185.165.153.251
185.172.111.229
185.183.33.129
185.183.35.122
185.213.26.169
185.214.10.196
185.219.221.55
185.221.67.3
185.222.57.203
185.225.73.105
185.225.73.221
185.239.242.74
185.239.242.166
185.241.208.97
185.244.26.198
185.244.30.112
185.244.30.121
185.244.30.253
185.246.222.249
185.250.204.245
188.32.117.137
188.72.112.72
191.96.236.162
191.101.193.202
191.234.193.127
192.210.214.230
192.253.237.23
192.253.255.182
193.27.13.52
193.27.13.57
193.29.104.186
193.56.28.20
193.142.146.204
193.149.185.169
193.161.193.99
193.164.7.105
193.218.118.85
193.233.233.154
193.239.147.40
193.239.147.156
193.239.147.169
193.239.147.231
194.5.97.6
194.5.97.21
194.5.97.84
194.5.97.85
194.5.97.249
194.5.98.16
194.5.98.17
194.5.98.46
194.5.98.81
194.5.98.129
194.5.98.196
194.5.99.181
194.26.192.154
194.33.45.109
194.49.94.163
194.49.94.227
194.58.71.17
194.62.157.177
194.147.140.145
194.156.98.161
194.180.48.177
194.180.49.190
194.233.92.247
194.233.169.93
195.78.54.247
195.85.201.65
195.85.205.219
195.133.18.181
195.174.142.168
195.174.209.145
195.178.120.137
195.206.105.12
198.44.165.77
198.44.167.128
198.44.168.227
198.44.168.246
198.44.184.40
198.44.186.222
198.46.141.251
199.195.253.181
201.97.129.143
201.111.223.252
202.95.14.199
203.115.24.234
203.186.44.219
206.53.55.186
206.123.129.103
206.123.141.239
206.189.76.209
206.189.139.209
207.32.216.106
207.32.218.231
209.25.141.180
209.25.141.181
209.25.141.212
209.127.186.228
209.145.56.157
209.205.141.181
211.47.109.200
212.192.246.207
213.226.119.28
213.226.119.226
216.170.126.139
216.250.252.148
216.250.254.208
222.211.72.47
222.211.73.251

Block some fake crypto exchange giveaway scam websites

Enhancement idea

Block some fake crypto exchange giveaway scam websites.

Domains

bitoxies.com
moonexio.com
altgetxio.com
cratopex.com

Details of the scam

https://github.com/Summer-CMS-Vendor-Packages/sc-block-bad-crypto-filter-lists/blob/master/docs/scams/fake-exchange-giveaways.md

Block `IcedID` aka `BokBot, IceID` malware

Enhancement idea

Block IcedID aka BokBot, IceID malware.

Description

IcedID, also known as BokBot, is a modular banking trojan that targets user financial information and is capable of acting as a dropper for other malware. It uses a man-in-the-browser attack to steal financial information, including login credentials for online banking sessions. Once it successfully completes its initial attack, it uses the stolen information to take over banking accounts and automate fraudulent transactions. IcedID is primarily dropped as a secondary payload from other malware, most notably Emotet, in addition to its own malspam campaigns. IcedID uses multiple injection methods to evade antivirus and other malware detection methods, such as injecting itself into operating system (OS) memory and regular processes. The malware authors are known to update IcedID to increase persistence and evade new detection efforts.

Links

https://threatfox.abuse.ch/browse/malware/win.icedid/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

laurellkhamilton.shubhmishra.com

Domains

abigelofraj.com
aeloderton.com
aerilaponawki.com
aerobrabusvoc.com
affiksmaali.com
aflercoopert.com
afrakonla.com
africnouzor.com
afrodizajoy.com
airnaftokampa.com
aitoblelorn.com
akedhorrorr.com
alefwizador.com
alicaskotchers.com
alishabrindeader.com
alishaskainz.com
alishopelec.com
alistokusta.com
allienhasiwert.com
alohaplinayagot.com
alomegodarks.com
aloowpromis.com
ameliachoi.autos
amirkofeefour.com
animalmedicalclinicofbutte.com
animamagaznaf.com
anscowerbrut.com
antwanpittman.autos
aoureskindzet.com
aoysnakert.com
aplinormalde.com
apoligazanattions.com
appkasnofert.com
applicatwindomz.com
archiboldon.com
archiparist.com
architrinm.com
arliapples.com
askamoshopsi.com
astrawwinzo.homes
atomaresto.com
auronavtimor.com
autohouzepick.com
autokamertos.com
autokoza.tattoo
avianeikop.com
avroralikhaem.com
awindakizend.com
aytomerilnaz.com
baskamioitali.com
biglygirle.com
birungor.com
bizonexpressyet.com
bnreadgoning.com
boomstortyil.com
boordopad.com
borkatrostys.com
brakoairnis.com
bronxadoskep.com
cajaminoretino.ru
carindeza.com
carsfootyelo.com
carsmarcetwrld.com
carsruitkan.com
catnagulsk.com
cheenzocan.com
childhauster.com
clainsrimauto.com
crushter.info
ddockeers.space
deadwinston.com
debinatorforka.com
deelstokty.cloud
derhmajuzi.com
dionaolesjob.com
dkepostnatures.com
dockeerw.site
dockeruscom.top
dollarsbink.com
dolscapche.com
doockerq.site
dooker.space
dtreetbenks.com
eloasammer.com
elokijjonaut.com
erailopaf.com
everynght.org
evinakortu.com
ewacootili.com
ewyersbetter.com
fanclubsdcomics.com
farelfif.com
feekstokandy.com
feeltravelstok.com
findertoues.com
fireplotcann.com
fisheredwards.autos
flarkonafaero.com
fleurdetarbs.com
flimonikadarchoz.com
fliskmanon.com
flixstotpy.com
foasseropgh.net
fraktomaam.com
frechezup.com
frutmossert.com
fustindor.com
futerimek.com
gabrikxuira.com
gazeraftop.com
gerbatoilst.com
gerkablop.com
gliinjoyae.com
gravitoperka.com
grilkavok.com
grixuma.com
grofertnaz.com
groovetsan.com
groowstatb.com
grozilur.com
gualazaskanti.com
gurdubigoma.com
gyxplonto.com
halicopnow.com
halifmagzoom.com
halinshopyelo.com
handsinworld.com
hechizuops.com
hellowwwday.co
hloyagorepa.com
hofsaalos.com
hretbornshops.com
ilioskajyzi.com
illboardinj.com
innolarenta.com
iskazorety.com
italinakaret.com
jerryposter.com
jilosrawet.com
jinofroyka.com
jinoparterves.com
jinowera.com
jiuzuzyew.com
jizzygamgp.com
jizzynaf.com
jkbarmossen.com
joekairbos.com
kaheshanpa.com
kalimboosta.com
kanomapsfuter.com
kaspimension.com
kechizlarey.com
kefsocksmag.com
kevinbrawiewu.com
keyzishaptu.com
khalilhunter.autos
kimsoupg.com
klindriverfor.com
kojgimagi.com
kokphiladefvoid.com
kondarimno.com
krepradoshaps.com
krishalvarado.autos
kropnagursa.com
lasergathe.com
lergochatep.com
liguspotforsit.com
liopalsdrom.com
lohmotarufos.com
loliapitudet.com
lolibong.xyz
magiketchinn.com
magiraptoy.com
magizanqomo.com
magsashkedfold.com
majzolimka.com
manamagazano.com
manderatapple.com
maskarbloom.com
meaninggods.com
microsofteamsus.top
mineskateroff.com
minesotkarpid.com
miniprukerw.com
mintatrizza.com
mmaymsoffrter.com
mokililsan.com
momtretaskan.com
monkey-lab.net
moontraps.com
mrassociattes.com
murlakoperre.com
naturechese.com
naturetrtwentond.com
natursaker.com
nbastione.org
neaachar.com
necgatinh.com
nechgoper.com
nedromeagi.com
needfradka.com
needsomsital.com
neefolkrd.com
neelrocap.com
neelsmagofter.com
neelsquelo.com
negerotar.com
nemchaprues.com
neonmilkustaers.com
nerfgamesarche.com
netswaerty.com
nextpozziotions.com
nezgoakker.com
nikertimeshaft.com
nimezidhalxa.com
nixbachinga.com
nizanigrola.com
nizzapizzakor.com
nothithoeredum.com
nydkaalis.com
offetknauzhad.com
oilbookongestate.com
olifamagaznov.com
olponetox.com
ospertoolsbo.com
paesoitalon.com
palesreapor.com
panamaplanert.com
patricammote.com
pearuchemilk.com
perdimount.com
pertanezer.com
pichervoip.com
pikcherstoka.com
pilamilko.com
pinchersoftqum.com
pingwiskot.com
pinitosaki.com
pintoolonamon.com
piomasocks.com
pireltotus.com
pitrinoaoil.com
plastcmoont.com
playertinid.com
plehvioda.com
plesbrilllian.com
pleylqox.com
plintarueza.com
plurescandistika.com
podiumstrtss.com
pokerstorstool.com
prahmatorn.com
prasketfostert.com
priklosta.com
procompeser.com
promtrainmoping.com
qertoplast.com
qoipaboni.com
qonavlecher.com
quelopaskal.com
rbcverif.com
rbcverif.link
renomesolar.com
reraitper.com
restorahlith.com
rinotrackingg.com
rpgmagglader.com
rsescolumbus.org
rutapaapps.com
sajimadurop.com
salipjuino.com
sarenmarki.pics
satifayban.com
scauditora.cl
scoulnafirtajoy.com
seahloperd.com
serdtacoolte.com
sevenfrogsx.com
shalwolonzy.com
shankarmallapur.com
shoopsihas.com
silmofaid.com
sithoparka.com
skamusdeadin.com
skanerhavio.com
skansnekssky.com
skayfingertawr.com
skazifrant.com
skeletoheltha.com
skepartisol.com
sketiopaag.com
skofilldrom.com
skootershopenf.com
skrechelres.com
smacktoloapert.com
smakizelkopp.com
smplemente.net
snapservarior.com
snilpmagazfor.com
snipelhafer.com
snofermild.com
softwinmeod.com
spakernakurs.com
speedfatoppam.com
sporteatinom.com
stakingmask.com
stapcovert.com
staringgeipod.com
startinghpot.com
stathorrientd.com
statifaronta.com
statikfootbol.com
statiskalreon.com
statoparkof.com
stdtplast.com
stefilockjiza.com
stegaporto.com
stelkaret.com
stimulspitrauk.com
strastkamenhoop.com
strindcommer.com
stringspakert.com
sucksonouch.com
sumnutrionm.com
svoykbragudern.com
taisaautodorf.com
team-viewercom.top
teams-mss.online
tempsolutionsde.com
thondorbird.com
thunnderbilp.space
thuunderbilb.space
thuunderbils.space
tiulycon.com
tourdeworldsport.com
tracautomatitspow.com
tradicop.com
trainpolkstaet.com
tramikora.com
tremethaj.com
trentimarsop.com
treylercompandium.com
triopahom.com
trizdriama.com
trodaviatrokaw.com
troffyfrutlot.com
trofpokertak.com
tromkalkadio.com
tronkaprofa.com
tronpafet.com
troslaiet.com
trustyox.cloud
tthunderbilp.space
tthunderbir.space
tuslounech.com
tytsoftikor.com
ultrafoks.com
ultrascihictur.com
ultrasnafpor.com
umoxlopator.com
us-thunderbird-soft.com
villageskaier.com
villysnapsy.com
viskocompetr.com
vocesdelatinoamerica.com
voesallientak.com
vrondafarih.com
vvv-docker-us.top
wazxlerasta.com
webprimosloja.shop
wendoqolta.com
weranaelliots.com
werandotrek.com
wgamershyh.com
wistaropa.com
wisthardem.wiki
wnoykaaloha.com
workedstarcop.com
worrtekbor.com
wvv-basecamp-us.top
wvw-docker-us.com
wvw-webex-us.top
wvw-whalsapp-us.top
www-irs-form.top
yelkafeelind.com
yellorquli.com
yelsopotre.com
yewopeuropaus.com
yhorneedminf.com
yozadading.com
zeroportozoo.com
zikrammo.tech
zillafrogss.com
zonanullpoker.com
zoykolmena.com
zusmodert.com

IP's

2.56.177.14
2.56.177.122
2.56.177.183
3.82.225.224
3.95.241.204
3.104.41.163
3.105.92.116
5.61.37.224
5.61.61.35
5.181.159.39
5.181.159.41
5.181.159.51
5.181.159.54
5.181.159.55
5.230.57.30
5.230.57.194
5.230.66.157
5.230.68.66
5.230.68.190
5.230.70.135
5.230.70.140
5.230.72.37
5.230.73.61
5.230.73.139
5.230.73.157
5.230.73.244
5.230.74.202
5.230.75.134
5.230.76.44
5.230.76.198
5.230.78.208
5.255.98.126
5.255.99.21
5.255.99.51
5.255.100.32
5.255.102.88
5.255.102.167
5.255.103.108
5.255.104.11
5.255.104.45
5.255.104.145
5.255.104.153
5.255.104.233
5.255.105.55
5.255.105.239
5.255.106.72
5.255.106.78
5.255.106.136
5.255.109.46
5.255.109.175
5.255.110.177
5.255.111.220
5.255.113.157
5.255.115.226
5.255.119.21
5.255.120.33
5.255.122.79
5.255.124.55
13.52.121.66
13.57.55.155
13.237.1.27
13.237.195.116
23.254.224.148
23.254.226.152
37.235.56.30
37.235.56.37
37.252.6.77
38.180.0.89
38.180.8.107
38.180.8.169
38.180.34.14
39.104.16.102
39.104.17.212
39.104.23.152
39.104.27.24
39.104.72.59
39.104.94.83
39.104.164.115
45.8.158.140
45.11.182.61
45.11.182.114
45.11.182.115
45.11.182.117
45.11.182.118
45.11.182.119
45.11.182.120
45.11.182.121
45.12.109.136
45.12.139.90
45.61.136.6
45.61.136.22
45.61.136.193
45.61.137.95
45.61.137.119
45.61.137.159
45.61.137.220
45.61.137.225
45.61.138.12
45.61.138.171
45.61.138.181
45.61.139.138
45.61.139.144
45.61.139.179
45.61.139.196
45.61.139.232
45.61.139.235
45.61.139.243
45.66.248.7
45.66.248.64
45.82.247.121
45.82.247.148
45.82.251.36
45.82.251.44
45.86.230.141
45.88.221.211
45.89.98.138
45.92.162.84
45.92.163.123
45.92.163.233
45.92.163.238
45.129.199.13
45.129.199.26
45.129.199.67
45.129.199.92
45.144.178.236
46.21.153.153
46.101.16.86
46.101.194.92
46.101.237.100
46.149.75.148
46.151.29.201
51.250.91.99
52.52.160.6
52.65.231.93
54.66.136.198
54.67.19.155
54.67.100.168
54.79.125.231
54.151.68.59
54.151.74.195
54.176.193.133
54.241.197.226
54.252.13.186
64.94.214.200
64.226.86.179
64.226.104.11
64.227.48.93
64.227.131.33
64.227.134.130
64.227.146.71
66.63.168.126
66.63.188.5
66.63.188.6
66.63.188.18
66.63.188.76
66.151.51.32
68.183.6.108
68.183.77.223
68.183.93.101
68.183.175.39
68.183.198.18
69.164.208.254
74.201.30.4
74.201.30.84
80.66.88.40
80.66.88.42
80.66.88.67
80.66.88.71
80.66.88.72
80.66.88.145
80.66.88.148
80.66.88.162
81.19.141.20
84.54.47.75
85.192.40.160
85.239.52.234
85.239.63.218
86.38.217.131
87.251.64.208
87.251.64.211
87.251.67.42
87.251.67.46
87.251.67.49
87.251.67.52
87.251.67.75
87.251.67.166
87.251.67.168
87.251.67.175
87.251.67.181
87.251.67.219
89.23.107.26
89.23.107.39
89.117.88.249
89.117.89.105
91.149.221.245
91.149.232.174
91.193.18.49
91.193.18.135
91.193.18.205
91.193.43.161
91.193.43.217
91.235.234.72
91.235.234.135
91.235.234.217
91.235.234.233
91.238.50.105
94.140.114.48
94.140.114.121
94.158.245.178
94.232.41.107
94.232.46.63
94.232.46.65
94.232.46.201
94.232.46.217
94.232.46.225
94.232.46.231
98.142.251.189
103.208.86.81
103.208.86.118
104.129.21.197
104.129.21.204
104.129.21.254
104.168.53.11
104.168.53.13
104.168.53.18
104.168.53.70
104.168.59.4
104.168.59.9
104.168.59.68
104.168.59.69
104.168.59.73
104.168.70.14
104.168.132.147
104.168.144.138
104.168.152.22
104.168.198.16
104.168.236.183
104.168.250.197
104.219.233.41
104.219.233.149
104.223.118.109
104.248.21.165
104.248.81.48
104.248.223.35
104.248.242.189
108.174.196.120
108.174.196.152
123.30.137.194
128.199.3.164
128.199.99.24
128.199.151.179
128.199.206.238
134.122.62.178
134.122.75.104
134.209.109.146
134.209.110.138
134.209.157.203
135.148.217.85
137.184.164.28
137.184.172.23
138.68.244.54
138.197.138.46
138.197.146.18
138.197.168.142
138.197.177.26
139.59.13.97
139.59.19.114
139.59.26.99
139.59.29.78
139.59.29.86
139.59.29.151
139.59.30.28
139.59.33.128
139.59.67.109
139.59.72.105
139.59.73.85
139.59.186.140
139.162.6.236
140.99.2.194
140.99.3.12
140.99.4.3
140.99.32.199
140.99.32.203
140.99.32.219
140.99.159.159
140.99.221.138
140.210.94.185
142.11.206.160
142.93.217.201
143.110.209.116
143.110.210.71
143.110.241.178
143.110.245.38
143.198.36.172
143.244.140.238
146.190.28.193
146.190.242.204
147.182.156.64
149.154.152.58
149.154.152.217
149.154.153.110
149.154.154.214
149.202.29.169
149.248.77.53
151.236.8.73
151.236.9.24
151.236.9.57
151.236.9.101
151.236.9.107
151.236.9.111
151.236.9.166
151.236.9.176
151.236.9.187
151.236.9.203
151.236.9.205
151.236.9.206
151.236.9.237
151.236.13.44
151.236.30.57
151.236.30.131
151.236.30.192
151.236.30.214
151.236.30.222
151.236.30.246
157.245.102.160
157.245.104.223
157.245.106.203
157.245.147.16
158.255.211.62
158.255.211.85
158.255.211.133
158.255.212.81
158.255.212.150
158.255.212.175
159.89.116.11
159.89.124.188
159.203.5.115
159.203.8.183
159.203.20.194
159.203.22.84
159.223.95.82
161.35.166.97
162.33.177.47
162.33.177.137
162.33.178.40
162.33.179.33
162.33.179.35
162.33.179.136
162.33.179.145
162.33.179.158
162.33.179.202
162.33.179.218
162.33.179.240
164.90.238.94
164.92.144.116
164.92.190.54
164.92.241.101
165.22.220.20
165.227.31.225
165.232.175.216
167.71.35.189
167.71.62.175
167.71.197.217
167.99.180.17
167.99.240.150
167.99.248.131
167.172.169.229
168.100.8.203
168.100.8.213
168.100.9.109
168.100.9.127
168.100.9.203
168.100.9.218
168.100.9.230
168.100.10.28
168.100.10.51
168.100.10.149
168.100.10.214
168.100.11.100
168.100.11.123
168.100.11.128
168.100.11.144
168.100.11.151
168.100.11.167
169.239.128.143
170.130.55.140
170.130.55.187
170.130.55.195
170.130.55.199
170.130.55.228
170.130.165.61
170.130.165.62
170.130.165.83
170.130.165.89
170.130.165.246
170.130.165.247
170.130.165.250
172.86.75.50
172.86.75.64
172.86.75.88
172.86.75.157
172.86.75.159
172.86.75.189
172.86.75.233
172.86.75.236
172.104.42.176
173.44.141.224
173.232.146.10
173.232.146.11
174.138.15.211
176.31.90.131
176.124.32.10
176.124.32.30
176.124.32.108
176.124.32.116
176.124.32.124
176.124.32.164
178.77.217.61
184.169.214.156
184.169.223.42
185.73.124.8
185.73.124.161
185.99.132.16
185.99.132.18
185.99.133.17
185.99.133.58
185.99.133.84
185.99.133.164
185.121.168.152
185.123.53.150
185.123.53.211
185.140.231.8
185.153.182.156
185.161.70.6
185.161.70.44
185.161.70.195
185.205.187.140
185.213.167.163
192.3.76.146
192.119.68.151
192.119.110.253
192.153.57.24
192.153.57.82
192.153.57.96
192.153.57.109
192.153.57.110
192.153.57.134
192.153.57.157
192.153.57.172
192.153.57.191
192.153.57.233
192.236.146.34
192.236.154.108
192.236.162.26
192.236.162.108
192.236.193.209
192.236.198.7
193.37.69.113
193.42.36.41
193.43.104.28
193.109.120.27
193.109.120.30
193.109.120.108
193.109.120.119
193.124.22.41
193.124.22.170
193.124.46.116
193.149.129.12
193.149.129.25
193.149.129.48
193.149.129.50
193.149.129.53
193.149.129.59
193.149.129.81
193.149.129.87
193.149.129.152
193.149.129.177
193.149.129.191
193.149.129.231
193.149.129.238
193.149.176.100
193.149.176.133
193.149.176.198
193.149.180.16
193.149.187.7
193.149.187.158
193.149.189.7
193.149.189.254
193.149.190.239
193.168.141.15
193.168.141.76
193.168.143.15
193.168.143.106
193.168.143.109
193.168.143.111
193.168.143.119
193.168.143.121
193.168.143.131
193.168.143.138
193.239.85.16
194.58.68.187
195.20.17.21
195.20.17.62
195.20.17.64
195.20.17.133
195.20.17.176
195.85.115.72
195.85.115.188
195.133.52.11
206.53.55.5
206.166.251.33
206.166.251.62
206.166.251.101
206.166.251.139
206.166.251.177
206.188.196.120
206.188.196.136
206.188.196.238
206.188.197.91
206.188.197.120
206.188.197.251
206.189.15.112
206.189.30.163
206.189.128.12
206.189.138.24
207.154.203.203
209.38.220.183
209.54.96.100
213.59.118.120
213.59.118.207
216.73.159.20
216.73.159.44
216.73.159.53
216.73.159.57
216.73.159.63
217.199.103.232
217.199.121.56
217.199.121.211

Emails

n/a

Wallet Addresses

n/a

Block `STRRAT` Malware

Enhancement idea

Block STRRAT Malware.

Description

STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.

Since Version 1.2 and above, STRRAT was infamous for its ransomware-like behavior of appending the file name extension .crimson to files. Version 1.5 is notably more obfuscated and modular than previous versions, but the backdoor functions mostly remain the same: collect browser passwords, run remote commands and PowerShell, log keystrokes, among others. Version 1.5 of STRRAT Malware includes a proper encryption routine, though currently pretty simple to revert.

Links

https://threatfox.abuse.ch/browse/malware/jar.strrat/

IOC

URL's

fileshaaringdocumseign.pages.dev
idgerowner.duckdns.org
streelifes.duckdns.org

Domains

ddns.net
dns.army
dynamic-dns.net
jetos.com
shivfurnishings.com
str-master.pw
ydns.eu

IP's

2.59.254.145
5.206.224.194
15.235.10.108
23.29.115.152
23.81.246.239
23.105.131.181
23.105.131.243
23.108.57.10
23.146.242.147
23.227.196.162
23.227.196.195
23.229.34.104
31.210.20.37
31.210.20.38
31.210.20.96
31.210.20.160
31.210.20.164
31.210.20.226
31.210.21.99
37.0.8.76
37.0.8.217
37.0.11.154
37.0.11.241
37.0.14.195
37.0.14.205
37.120.141.147
37.120.206.74
37.120.247.13
37.139.129.115
37.221.114.90
45.9.168.40
45.12.253.130
45.61.168.73
45.66.230.68
45.66.230.138
45.87.61.211
45.88.67.63
45.88.67.229
45.95.169.160
45.133.1.47
45.133.1.72
45.133.174.157
45.137.22.62
45.137.22.89
45.137.22.108
45.137.22.131
45.137.22.141
45.137.22.150
45.137.22.170
45.137.22.251
45.138.16.101
45.139.105.174
45.144.225.151
45.144.225.159
45.144.225.174
45.144.225.236
45.153.243.121
51.161.197.23
51.255.83.207
54.39.43.116
54.218.207.65
62.102.148.154
62.197.136.74
62.197.136.159
64.188.13.141
79.110.49.9
79.110.49.161
79.124.8.16
79.134.225.17
79.134.225.22
79.134.225.25
79.134.225.26
79.134.225.31
79.134.225.42
79.134.225.43
79.134.225.52
79.134.225.70
79.134.225.71
79.134.225.76
79.134.225.100
79.134.225.104
80.76.51.117
80.85.153.166
81.161.229.226
83.137.157.228
84.38.132.108
84.54.50.69
84.54.50.148
85.31.46.220
85.209.135.243
85.217.144.229
87.98.245.48
91.192.100.27
91.192.100.28
91.192.100.42
91.192.100.49
91.193.75.131
91.193.75.134
91.193.75.135
91.193.75.168
91.193.75.197
94.198.40.34
95.168.174.51
95.214.27.111
95.214.27.146
96.47.233.13
103.47.144.14
103.47.144.50
103.47.144.68
103.125.189.187
103.133.104.124
103.133.105.29
103.133.108.219
103.133.109.176
103.133.110.221
103.133.111.176
103.151.123.132
103.156.90.52
103.156.91.56
103.169.35.120
103.207.36.177
103.212.81.154
103.212.81.155
103.212.81.157
103.212.81.158
103.212.81.160
103.232.55.27
104.161.42.236
104.168.47.105
104.171.113.195
104.236.223.230
105.109.211.84
105.110.181.161
109.206.242.32
109.206.243.106
134.19.177.37
134.19.177.46
134.19.177.60
135.148.89.246
136.243.214.49
139.180.178.254
141.98.6.36
141.98.6.246
141.98.6.252
141.101.134.47
144.168.231.6
147.124.212.162
156.96.60.167
156.96.62.59
158.69.53.93
163.123.143.119
167.99.118.70
172.93.163.149
172.93.181.199
172.93.193.117
172.93.201.199
172.93.220.135
172.94.88.126
172.98.202.98
172.111.141.64
172.111.141.114
172.245.163.161
185.19.85.176
185.29.8.13
185.29.8.57
185.29.8.111
185.29.8.112
185.38.142.241
185.91.69.172
185.102.170.72
185.130.104.144
185.140.53.4
185.140.53.68
185.140.53.131
185.140.53.188
185.140.53.196
185.140.53.207
185.140.53.238
185.157.162.75
185.174.101.254
185.203.119.28
185.205.210.108
185.206.145.122
185.222.57.85
185.222.57.218
185.222.57.237
185.222.58.58
185.222.58.68
185.222.58.84
185.222.58.106
185.222.58.124
185.222.58.147
185.222.58.242
185.222.58.245
185.236.231.195
185.244.25.227
185.244.30.11
185.244.30.213
185.246.220.173
185.246.221.12
185.252.179.108
185.254.37.71
185.254.37.72
192.3.24.181
192.169.6.4
192.188.88.234
192.236.193.63
193.42.32.210
193.42.32.233
193.42.33.11
193.142.146.203
193.218.118.85
194.5.97.4
194.5.97.18
194.5.97.87
194.5.98.8
194.5.98.38
194.5.98.45
194.5.98.117
194.5.98.239
194.5.98.243
194.26.192.231
194.31.98.38
194.33.45.132
194.37.97.161
194.55.224.148
194.85.248.87
194.85.248.228
194.85.248.253
194.87.151.97
194.87.151.236
194.147.140.211
194.147.140.223
194.147.140.252
194.180.49.225
198.12.81.63
198.27.77.242
202.55.135.127
204.44.127.151
209.127.180.215
212.192.241.175
212.192.241.242
212.192.246.32
212.192.246.56
212.192.246.69
212.192.246.124
212.192.246.127
212.192.246.143
212.192.246.178
212.193.30.54
212.193.30.110
212.193.30.181
212.193.30.230
217.64.149.171

Add updated `uptobox` server rules

Enhancement idea

Add updated uptobox server rules

Since uptobox.com has been blocked at DNS level in France, Uptobox has also set up new urls:

uptobox.eu
uptobox.fr
uptobox.link

Add blocking to `Xenomorph` Android malware now targets 400+ U.S. banks and crypto wallets

Enhancement idea

Add blocking to Xenomorph Android malware now targets 400+ U.S. banks and crypto wallets.

Links

https://www.threatfabric.com/blogs/xenomorph

https://threatfox.abuse.ch/browse/malware/apk.xenomorph/

IOC

SERVER URL/IP	ROLE
airlinesimulator.io	Overlay Server
fobocontentplus.online	C2 Server
fobocontentplus.top	C2 Server
fobocontentplus.site	C2 Server
92l.info	Phishing Server

Domains:

92l.info
airlinesimulator.io
cofi.hk
dedeperesere.xyz
fobocontentplus.online
fobocontentplus.site
fobocontentplus.top
had0.live
mi1kyway.tech
vldeolan.com

URL's:

https://t.me/xxtetammi1k
https://t.me/n3w3rras

Block `IRATA` Malware

Enhancement idea

Block IRATA Malware.

According to redpiranha, IRATA (Iranian Remote Access Trojan) Android Malware is a new malware detected in the wild. It originates from a phishing attack through SMS. The theme of the message resembles information coming from the government that will ask you to download this malicious application. IRATA can collect sensitive information from your mobile phone including bank details. Since it infects your mobile, it can also gather your SMS messages which then can be used to obtain 2FA tokens.

Links

n/a

IOC

Domains

2waky.com
ahrom-app.website
authorizeddns.net
authorizeddns.org
authorizeddns.us
bax-teko.com
camdvr.org
concentration1234.com
dachhost.top
dns04.com
dns05.com
dns2.us
dnsrd.com
duia.ro
edalatsod-ir.tk
edsync.site
faqserv.com
fartit.com
fcmbroker.info
featchaddress.lat
fusagov.xyz
gettrials.com
got-game.org
hadespanel.online
hell0-w0rld.eu
helloworld.market
https443.org
incmanapp.rest
instanthq.com
inthenameofnull.site
iownyour.org
iredsahm.com
irsaham1402.site
isasecret.com
itsaol.com
jetos.com
jkub.com
jsouywoq.tk
jwuygwk.cf
maxtor.monster
mefound.com
mowuqn.ga
mowuqn.ml
mrbasic.com
mrbonus.com
mrface.com
mrkorosh.site
my03.com
mynetav.org
nestbirdie.site
otzo.com
puyejqj.ml
qhigh.com
qpoe.com
remotemake.xyz
sahameli1402.site
ssd-vip.website
toythieves.com
trickip.org
trpihgram.space
uilscvnzdds.shop
vizvaz.com
whi.ir
wikaba.com
witheveryregistration.click
wwwhost.biz
xstarv2.store
yourtrap.com
zlc.ir
zzux.com

IP's

5.144.130.58
5.161.202.99
5.255.117.149
5.255.126.184
23.94.28.187
46.4.98.104
49.12.8.157
172.172.236.36
185.206.95.12

Block `Coper` part of the `Exobot` family of banking trojans

Enhancement idea

Block Coper part of the Exobot family of banking trojans.

Link

https://www.threatfabric.com/blogs/octo-new-odf-banking-trojan

IOC

Domains:

dsfiu133ds52231232fdnsjds.top
dsfiu733ds42231232fdnsjds.top
dsfiu733ds52231232fdnsjds.top
equisdeperson.space
ifn1h8ag1g.com
s22231232fdnsjds.top
s32231232fdnsjds.top
s42231232fdnsjds.top
smartcontractlicense.info
xipxesip.design

IP's:

190.211.255.218

Block `BrasDex` A new Brazilian ATS Android Banker with ties to Desktop malware

Enhancement idea

Block BrasDex A new Brazilian ATS Android Banker with ties to Desktop malware.

Links

https://www.threatfabric.com/blogs/double-trouble-in-latam

IOC

Domains

brasdex.com

IP's

n/a

Block `Meterpreter` malware

Enhancement idea

Block Meterpreter malware.

Description

Meterpreter is a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code. Meterpreter is deployed using in-memory DLL injection. As a result, Meterpreter resides entirely in memory and writes nothing to disk. No new processes are created as Meterpreter injects itself into the compromised process, from which it can migrate to other running processes. As a result, the forensic footprint of an attack is very limited.

Meterpreter was designed to circumvent the drawbacks of using specific payloads, while enabling the writing of commands and ensuring encrypted communication. The disadvantage of using specific payloads is that alarms may be triggered when a new process starts in the target system.

Metepreter was originally written for Metasploit 2.x by Skape, a hacker moniker used by Matt Miller. Common extensions were merged for 3.x and is currently undergoing an overhaul for Metasploit 3.3.

Links

https://threatfox.abuse.ch/browse/malware/win.meterpreter/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

ctfwiki.workers.dev
d25bm6hkar6nys.cloudfront.net
d3731p845gjiu3.cloudfront.net
dazqc4f140wtl.cloudfront.net
ec2-18-222-171-22.us-east-2.compute.amazonaws.com
plt-descartes.googlecode.com
redhack.uksouth.cloudapp.azure.com
sscweb.dyndns.info
t1.misu.se
time.api.chinabm.cn
upd23.vxux.icu
vittoriocas137.workers.dev
web.danger.net
worried-trigonometry-gw.aws-euw2.cloud-ara.tyk.io

Domains

1nevadasports.com
778899aabb.ml
akamtechnologies.com
aliyuncs.info
aspnetcenter.com
ateam-qax-sec.tk
axione-gear.com
backup-leader.com
backupslive.com
bakcup-monster.com
bernacchichambers.xyz
bestserviceupdate.com
bookworld-langchao.work
bratbg.eu
brovserupescheck.info
bugsbunnyy.com
ccfelomvhk.com
checkecc.com
chrome-up.date
clearyourtextupdaterslover.xyz
cleponditailthingerprofing.xyz
cloudflareo.club
coopdate.com
croperdate.com
ctfd.top
culunk.com
cylenceprotect.com
d4rkn3ss.tk
date-windows.com
defenr.com
digitalcertvalidation.space
dns52.vip
driverjumper.com
driversna.com
duckdns.org
dynamic-dns.net
dyndns-at-home.com
earth.li
ematome.com
expresscrack.xyz
firewall-gateway.com
flashdiaoyu.pw
foobar.de
fussion1.com
gamesmetaa.com
gk-stst.ru
globalpressinfo.com
goodgish.com
groupbzs.com
h4ck0ps.cc
huorong.cn
icavernae.com
iml-bank.info
impulse-static.com
intlsdcn.com
itshealthpro.com
jchen.tk
jobscur.com
jslibc.com
kaslose.com
kungfupandasa.com
lastmorgoth.com
londonteea.com
loosesadora.xyz
loweld.com
lsback.com
madgoblin.net
malware430.com
microport.com.cn
microsof.work
micrrosoft.net
mndacdt.monster
moveleiros.com.br
msdncss.com
mynoisestory.com
namenetmanagecore.com
njerseysports.com
noip.me
office-update.net
oha.io
onealaskasport.com
pagekite.me
phishing-training.com
pingfitting.jp
powershell.services
raws1.net
redirectme.net
redlist.cyou
restcdn.com
rosebrides.com
salofu.com
serveirc.com
servicegungster.com
servicext.com
sheparc.com
shinyobjects.birds
silenceel.com
skyblueav.com
soccerfila.com
soyojogala.co
sprinthunter.com
systemdata.club
sytes.net
tcpsessionsconnect.com
tekdefense.com
tencentcs.com
thedonald.win
thyssenkrupp-marinesystems.org
tiancaii.com
topservicebooster.com
trainbit.com
viowi.org
vlps7.xyz
vmware.center
werewolves.su
windowsupdatesc.com
xinchen.space
yalafix.com
yootypes.com
z652.com
zapto.org
zoroxeku.com

IP's

1.13.5.159
1.13.23.211
1.13.253.132
1.15.12.73
1.15.178.39
1.16.5.62
1.117.93.65
1.180.204.161
2.56.62.81
2.185.141.176
2.185.148.243
2.225.139.211
3.6.115.182
3.10.251.35
3.13.191.225
3.17.7.232
3.19.130.43
3.20.98.123
3.22.53.161
3.60.11.44
3.98.71.71
3.110.135.114
3.121.188.41
3.123.24.80
3.126.37.18
3.131.147.49
3.131.207.170
3.133.207.110
3.134.39.220
3.134.125.175
3.136.65.236
3.138.45.170
4.194.155.161
5.8.18.118
5.39.216.203
5.39.217.156
5.61.59.234
5.141.82.14
5.188.87.2
5.189.184.60
5.199.170.149
5.230.72.64
5.252.179.227
6.6.6.101
8.136.210.194
8.142.11.136
8.210.39.131
8.210.181.149
8.210.246.55
13.37.73.137
13.38.57.254
13.59.15.185
13.233.233.161
14.0.21.109
14.165.213.101
15.204.49.129
16.170.40.227
18.58.8.13
18.139.9.214
18.158.249.75
18.163.190.116
18.180.199.201
18.189.106.45
18.192.31.165
18.197.94.76
18.197.239.5
18.205.2.150
18.236.192.6
18.237.162.188
20.83.148.22
20.84.114.52
20.187.113.223
20.194.196.40
20.219.131.67
23.106.160.180
23.227.194.35
23.227.194.115
23.251.52.242
24.9.12.117
24.205.5.129
27.102.114.63
27.102.127.240
28.0.4.29
31.14.40.134
31.44.184.48
31.44.184.50
31.44.184.56
31.44.184.84
31.44.184.123
31.44.184.131
31.168.84.153
31.168.144.18
31.220.78.160
34.89.129.194
34.92.108.241
34.92.125.242
34.122.216.213
34.142.247.189
34.143.208.106
34.170.249.238
34.220.41.64
34.229.92.232
34.234.67.250
34.238.123.45
34.238.192.43
34.244.205.242
34.248.5.0
35.181.137.4
35.200.48.195
35.202.167.95
35.246.15.72
36.102.212.98
37.1.209.130
37.17.172.72
37.77.51.178
37.187.217.154
38.6.155.219
39.99.34.219
39.102.64.207
39.108.12.1
39.108.60.64
40.113.230.218
41.34.124.243
41.200.64.139
41.225.218.141
42.51.67.111
42.56.76.11
42.192.149.244
42.193.108.137
42.193.118.132
42.193.229.33
42.194.199.231
43.132.121.67
43.136.102.148
43.138.26.158
43.139.19.125
43.139.167.77
43.142.105.191
43.143.66.207
43.143.112.69
43.143.115.63
43.143.121.198
43.207.166.142
43.240.156.5
43.242.201.222
44.202.87.103
45.9.148.138
45.32.146.181
45.33.10.51
45.33.88.161
45.61.138.109
45.62.244.32
45.76.96.233
45.76.111.188
45.76.128.165
45.77.11.25
45.77.23.209
45.77.174.98
45.79.42.155
45.79.56.153
45.80.191.125
45.83.122.166
45.89.127.226
45.92.1.153
45.124.64.53
45.128.128.45
45.129.2.67
45.140.17.74
45.140.17.75
45.153.241.0
45.153.241.2
45.154.13.94
45.155.169.231
45.227.253.62
45.227.253.66
46.1.65.145
46.4.114.111
46.22.120.82
46.109.191.247
46.166.161.123
46.166.188.32
46.228.178.197
46.246.12.28
46.246.163.216
46.249.92.185
47.52.113.152
47.52.204.241
47.57.142.30
47.91.237.42
47.92.198.4
47.93.16.255
47.93.63.179
47.93.254.49
47.94.236.117
47.95.205.52
47.96.9.164
47.96.116.171
47.96.122.196
47.96.174.24
47.98.51.47
47.99.151.68
47.100.190.135
47.100.249.61
47.101.33.96
47.101.162.41
47.104.98.253
47.105.143.181
47.106.217.103
47.107.79.90
47.108.79.21
47.108.137.190
47.115.43.112
47.115.156.41
47.116.128.244
47.116.131.188
47.117.127.175
47.240.45.183
47.242.164.33
47.242.243.134
47.245.98.191
49.233.73.185
49.233.89.89
49.235.233.13
51.38.230.212
51.79.158.48
51.222.29.60
52.10.18.99
52.14.18.129
52.14.61.47
52.15.72.79
52.15.183.149
52.15.194.28
52.29.221.72
52.34.148.96
52.36.116.91
52.37.215.154
52.174.238.59
52.232.41.30
54.82.27.84
54.83.198.76
54.234.214.221
54.243.216.99
58.215.145.112
59.110.53.17
60.191.16.106
60.204.220.236
61.7.151.20
61.78.62.22
62.72.7.102
62.171.133.12
62.171.141.54
62.171.159.243
62.204.41.45
62.234.46.238
62.234.206.247
62.234.214.106
64.27.23.140
64.69.57.213
64.225.54.125
64.254.247.154
65.0.185.16
66.42.39.79
66.42.44.124
66.42.103.222
66.42.113.186
66.131.212.24
67.207.84.16
68.183.36.18
68.187.235.69
69.30.232.138
69.50.64.20
70.32.39.219
70.32.91.85
70.181.180.186
70.251.211.113
71.185.195.36
75.119.149.251
77.78.103.238
77.109.131.9
77.167.108.65
77.193.37.99
77.204.205.204
77.231.72.102
77.248.56.182
78.142.18.157
78.177.255.151
79.21.107.93
79.87.82.124
79.107.78.168
79.133.41.237
79.133.41.248
79.206.220.149
80.85.156.184
80.255.3.112
81.19.136.59
81.68.67.216
81.69.42.250
81.69.248.69
81.70.7.243
81.82.231.25
81.182.202.210
82.56.183.110
82.146.52.149
82.156.7.151
82.156.31.137
82.157.144.148
82.157.161.99
82.157.186.143
82.224.43.206
82.241.211.9
82.250.195.218
83.181.104.208
84.11.146.62
84.30.178.241
84.228.136.34
86.108.116.96
86.250.252.195
88.19.148.53
88.119.175.129
88.119.175.137
88.149.121.29
88.150.160.149
88.177.1.195
88.190.48.112
88.190.215.7
88.214.26.9
88.214.26.28
89.38.98.120
89.107.60.11
89.145.164.98
89.248.172.44
91.92.136.154
91.208.184.78
91.232.105.248
91.235.168.149
91.235.168.155
91.235.168.228
91.240.118.207
91.241.19.207
92.38.135.132
92.58.196.31
92.63.196.45
92.63.196.46
92.63.196.47
92.63.196.48
92.222.158.49
92.255.85.143
93.115.22.196
93.148.115.197
93.188.163.111
94.131.108.208
94.131.111.223
94.140.114.160
94.228.164.19
95.159.9.186
95.211.104.253
95.211.198.48
95.211.240.166
96.31.77.62
97.104.181.187
98.142.141.43
99.240.189.173
100.120.100.90
101.33.211.161
101.34.187.223
101.34.249.226
101.35.235.73
101.37.15.184
101.42.175.89
101.43.2.116
101.43.16.149
101.43.25.84
101.88.77.198
101.132.33.79
101.200.201.114
103.1.103.27
103.17.117.90
103.29.68.92
103.75.197.126
103.114.162.131
103.146.179.77
103.158.190.58
103.231.91.59
104.238.35.163
104.238.134.63
104.238.184.252
106.15.106.246
106.52.38.217
106.52.236.88
106.53.143.61
106.53.151.127
106.55.51.55
107.151.252.121
107.172.78.188
107.174.144.153
108.62.141.34
108.129.46.13
108.177.235.180
109.28.228.14
109.92.125.166
109.163.233.4
109.205.61.95
109.232.220.248
109.235.70.99
110.40.137.64
110.41.189.19
110.157.231.33
111.90.146.221
111.230.15.118
111.231.1.221
112.74.167.28
114.55.35.173
114.67.98.102
114.67.110.37
114.96.104.177
114.116.45.171
115.211.102.107
116.63.181.150
116.202.251.16
116.203.91.41
116.204.121.193
117.229.167.112
118.25.153.212
118.31.60.46
118.31.166.104
118.89.59.179
118.107.41.40
118.107.41.104
118.178.89.110
119.8.50.113
119.45.183.69
119.96.194.181
120.26.87.95
120.26.177.10
120.48.28.188
120.77.18.249
120.79.51.94
120.86.125.92
120.221.245.149
121.4.62.215
121.5.147.57
121.5.236.127
121.36.149.225
121.36.218.110
121.36.250.124
121.37.139.238
121.40.98.24
121.127.33.9
121.196.105.181
121.196.200.127
121.199.166.71
121.204.159.10
122.9.157.122
122.114.162.219
123.17.158.155
123.51.185.75
123.57.235.194
123.60.18.108
123.60.171.65
123.206.7.138
123.207.143.211
124.22.64.203
124.70.1.140
124.71.29.227
124.71.45.28
124.220.205.10
124.221.0.93
124.221.70.199
124.221.206.123
124.222.128.73
124.222.220.126
124.223.216.170
124.223.217.107
128.199.6.246
128.199.72.106
128.199.154.189
129.151.210.233
129.159.151.146
129.204.227.27
129.211.16.123
130.0.233.64
130.193.41.58
134.195.90.65
136.244.111.22
137.220.180.39
138.68.161.104
139.60.161.53
139.99.75.208
139.99.178.86
139.144.201.154
139.180.137.107
139.196.86.87
139.198.169.126
141.98.82.243
141.98.83.139
141.255.157.12
141.255.158.4
142.234.157.151
143.42.126.67
143.110.225.14
143.198.78.128
144.48.9.115
144.85.149.179
144.91.68.22
144.202.122.22
146.0.77.110
146.56.118.137
146.70.24.186
146.70.101.97
146.190.48.229
147.135.210.135
147.182.240.155
147.237.76.106
149.28.232.134
149.210.227.43
149.248.6.193
150.109.111.208
150.158.15.32
150.158.23.95
150.158.139.244
151.15.43.167
151.75.205.232
151.236.14.53
152.32.192.134
152.32.254.206
152.136.104.49
154.92.16.126
154.124.62.110
154.222.29.211
155.138.204.193
156.155.222.30
156.198.230.149
157.230.184.142
157.230.244.240
158.247.218.177
159.15.82.56
159.65.21.154
159.89.145.235
159.203.228.45
161.35.99.117
161.97.131.62
161.246.67.165
162.14.107.218
162.14.110.99
164.92.79.228
165.22.98.128
165.22.150.126
165.232.92.27
167.86.87.27
167.86.108.26
167.99.214.15
167.114.158.77
167.172.112.232
167.250.49.155
168.152.101.234
172.86.98.236
172.86.124.157
172.98.192.214
172.104.107.30
172.104.151.130
172.104.184.53
172.173.150.115
172.245.153.150
173.80.248.234
173.82.192.38
173.179.223.195
173.194.116.132
173.212.219.45
173.214.164.132
174.107.159.230
175.24.32.228
175.24.68.66
175.27.236.117
175.41.170.10
175.178.239.127
175.178.242.201
176.103.56.89
176.105.255.194
176.121.14.231
177.76.22.91
177.89.155.49
177.131.77.198
177.193.118.49
178.21.132.133
178.61.174.243
178.62.34.112
178.62.211.57
178.79.130.185
178.79.153.63
178.220.253.16
178.238.147.19
179.187.240.47
180.94.73.147
180.215.223.168
182.42.109.217
182.61.6.63
182.92.155.100
182.92.169.148
182.183.251.0
182.254.234.28
183.60.219.35
183.80.181.135
183.191.40.147
184.76.106.102
185.14.28.232
185.22.154.160
185.63.90.137
185.69.160.234
185.81.157.124
185.99.135.115
185.112.146.165
185.147.14.248
185.149.146.1
185.150.117.189
185.150.119.157
185.153.197.179
185.153.199.161
185.153.199.166
185.163.45.199
185.166.163.97
185.177.59.65
185.186.245.171
185.202.174.36
185.203.117.79
185.219.52.229
185.223.235.19
185.239.226.39
185.247.118.91
186.95.209.178
186.111.2.173
186.120.10.62
186.128.148.219
186.144.187.234
187.221.74.84
188.40.44.119
188.55.89.37
188.78.118.42
188.84.244.173
188.119.113.80
188.119.149.108
188.153.250.86
188.230.154.73
190.114.254.116
191.101.42.179
192.151.154.122
192.161.51.191
193.36.119.89
193.37.215.110
193.37.254.27
193.42.32.67
193.56.146.99
193.112.99.77
193.117.208.106
193.117.208.107
193.117.208.109
193.117.208.147
193.117.208.148
193.161.193.99
193.178.169.74
193.201.9.212
194.15.112.119
194.33.45.85
194.147.32.224
194.163.175.163
194.180.48.152
194.180.224.124
195.3.146.182
195.123.219.112
195.123.243.235
195.162.165.76
195.211.98.91
196.41.191.82
196.206.133.125
196.210.70.104
196.219.94.142
197.0.234.50
197.6.32.76
197.205.93.188
197.207.217.172
197.253.176.200
198.12.124.66
198.23.229.132
198.51.100.1
199.83.134.186
199.203.245.119
199.204.215.60
200.84.69.108
200.136.252.20
200.171.231.146
200.200.200.2
201.110.145.206
202.59.79.131
202.182.125.24
203.0.113.99
206.81.23.173
206.189.45.148
206.189.69.35
206.189.100.222
209.6.159.178
209.25.141.180
209.40.204.137
209.126.119.186
209.239.115.91
209.250.246.79
210.41.224.83
211.23.119.163
212.64.87.3
212.73.150.159
212.83.163.95
212.114.52.203
212.179.206.233
212.192.241.155
213.7.104.181
213.59.127.205
213.164.204.7
213.186.35.153
213.227.154.92
216.75.56.188
216.155.135.111
217.12.218.46
217.12.218.109
217.31.72.45
218.11.133.33
219.150.121.100
220.130.40.8
223.223.141.101

Emails

n/a

Wallet Addresses

n/a

Block `PhoenixMiner` and `lolMiner`

Enhancement idea

Block PhoenixMiner and lolMiner.

More Info

A legitimate Windows programme named "Advanced Installer" is being used by cybercriminals to install cryptocurrency miners on graphic designers' machines. Through likely unethical search engine optimisation methods, the attackers advertise installs for well-known 3D modelling and graphic design programmes including Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro.

Links

https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-with-gpu-miners/

Domains and IP's to Block

Type	Name	Description
Domain	eu1-etc.ethermine.org:4444	Ethash Pool address
Domain	ssl://eu1-etc.ethermine.org:5555	Failover ethash pool address
Domain	educu.xyz:9999	Mining pool to mine
Domain	Sysnod.duckdns.org	C2 server
Ip	51.178.39.184	Malicious download server in France

Block `AlienBot` Malware

Enhancement idea

Block AlienBot Malware.

Links

https://threatfox.abuse.ch/browse/malware/apk.alien/

IOC

Scraped.

Block `Agent Tesla` aka `AgenTesla, AgentTesla, Negasteal` malware

Enhancement idea

Block Agent Tesla aka AgenTesla, AgentTesla, Negasteal malware.

Description

A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.

Links

https://threatfox.abuse.ch/browse/malware/win.agent_tesla/

IOC

IPFS

ipfs.io/ipfs/QmQBPuPxy3nZjK2yVspsUJVhutajAfRQpnjc58RAcUJFrh

URL's

api.telegram.org/bot1836400811
api.telegram.org/bot1884223853
api.telegram.org/bot1900392974
api.telegram.org/bot2100759405
api.telegram.org/bot2100759405
api.telegram.org/bot2107727636
api.telegram.org/bot2134979594
api.telegram.org/bot5054839999
api.telegram.org/bot5148862528
api.telegram.org/bot5159960936
api.telegram.org/bot5305653894
api.telegram.org/bot5316506483
api.telegram.org/bot5322219147
api.telegram.org/bot5387517837
api.telegram.org/bot5392288455
api.telegram.org/bot5473903116
api.telegram.org/bot5607774642
api.telegram.org/bot5638171634
api.telegram.org/bot5663632223
api.telegram.org/bot5678941731
api.telegram.org/bot5814058627
api.telegram.org/bot5932003035
api.telegram.org/bot6019964522
api.telegram.org/bot6094661519
api.telegram.org/bot6120421924
api.telegram.org/bot6145149580
api.telegram.org/bot6164895911
api.telegram.org/bot6174413593
api.telegram.org/bot6185777927
api.telegram.org/bot6203672982
api.telegram.org/bot6205694016
api.telegram.org/bot6236057808
api.telegram.org/bot6260905292
api.telegram.org/bot6272036226
api.telegram.org/bot6277254729
api.telegram.org/bot6356925433
api.telegram.org/bot6381763542

Folders

bitbucket.org/!api/2.0/snippets/rikimartinplace/
firebasestorage.googleapis.com/v0/b/fir-8c14f.appspot.com/
cdn.discordapp.com/attachments/739397897157738570/
cdn.discordapp.com/attachments/1070589251781136486/
discord.com/api/webhooks/1084897738958843984/
discord.com/api/webhooks/1109078597697802400/
discord.com/api/webhooks/1127497008349991052/
discordapp.com/api/webhooks/1126428541945393192/

Sub-Domains

buzalotr.blogspot.com
cbasep23.blogspot.com
cp5ua.hyperhost.ua
d9e1c3dd-1fee-48c1-9089-09a70580408e.usrfiles.com
greukrainy.duckdns.org
idropbux.blogspot.com
incentiveswidget.appspot.com
otherbizzunus.blogspot.com
otherbusinesssep23.blogspot.com

Domains

airnicoltd.biz
alpatrik.com
catknock.com
chasamloriger.su
chestermachinetools.me
clamprite.ga
cletonmy.com
cretenom.ga
gatchweekly.com
gfbags.co
houseandhoundcare.com
lku7.tk
lostheaven.com.cn
miklinhotels.com
mnbvcxzus.com
montanapremiersenggigi.com
morabitur.com
noctorships.ga
obynnehhhan.com
originweb.ga
oshi.at
panelone.xyz
publicvm.com
rakishev.org
samberii.com
sqsendy.shop
suchitanandanmahavidyalaya.org
terrazzaitaliana.mx
tijunaitiene.lt
transfer.sh
tunamusavirlik.com
unclebobsbears.com
upadte-reviewer-online.live
valerehandstand.com
valvulasthermovalve.cl

IP's

2.58.149.219
5.253.38.46
20.7.14.99
23.95.128.195
31.210.20.150
31.220.40.22
37.0.8.144
37.49.225.185
37.139.129.142
45.133.1.41
45.133.174.121
45.155.165.63
47.87.211.157
62.197.136.167
67.225.131.68
74.201.28.111
78.138.105.142
79.133.41.250
80.85.153.31
80.85.156.9
81.161.229.151
85.31.46.78
85.202.169.159
87.121.221.212
95.140.125.76
95.214.27.98
104.168.33.12
107.174.138.192
107.182.129.59
107.189.4.253
136.144.41.76
137.184.5.20
139.99.153.90
141.98.6.75
162.222.225.29
163.123.142.161
171.22.30.147
171.22.30.164
172.174.176.153
172.245.163.174
185.225.74.69
185.246.220.60
185.246.220.133
185.252.178.63
185.252.179.22
190.107.177.239
193.151.180.20
193.233.187.19
195.178.120.24
195.178.120.64
195.178.120.72
198.12.91.239
198.12.91.249
198.23.174.115
198.23.187.143
198.23.213.57
198.23.251.5
198.98.55.114
208.67.105.159
208.67.106.111
209.141.53.247
212.192.246.220

Block `Medusa` and `Cabassous` Banking Trojans

Enhancement idea

Block Medusa and Cabassous Banking Trojans.

Link

https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous

https://threatfox.abuse.ch/browse/malware/win.medusa/

IOC

Medusa C2 Domains:

asfsafsakjfkjsa.xyz
essesessssssss.top
nmnmnmfsamsfan.xyz
pembesir.xyz
unknknknnkknkknnk.xyz

Medusa IP's:

5.42.78.61
5.61.49.177
45.15.157.16
64.52.80.13
77.105.146.254
77.105.147.1
77.105.147.140
79.137.199.199
79.137.202.24
79.137.207.226
89.208.103.72
89.208.107.158
162.33.179.114
185.46.46.133
185.112.83.36
193.233.133.97
193.233.133.153
193.233.133.198
193.233.133.243

Cabassous C2 Domains:

fpuacswjcgpcxoe.ru
ueihtnoujbedjiu.ru
umxkexskgtctvws.cn

Block `Havoc` aka `Havokiz` malware

Enhancement idea

Block Havoc aka Havokiz malware.

Description

Havoc is a modern and malleable post-exploitation command and control framework, created by @C5pider.

Links

https://threatfox.abuse.ch/browse/malware/win.havoc/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

n/a

Domains

n/a

IP's

2.56.10.6
2.58.14.26
2.59.254.20
3.6.98.232
3.8.184.124
3.17.156.183
3.26.10.74
3.67.64.179
3.71.188.11
3.72.1.193
3.72.106.201
3.72.110.16
3.85.21.250
3.87.213.122
3.105.246.81
3.215.181.98
3.249.31.242
4.196.211.113
4.231.105.17
5.44.42.124
5.53.125.31
5.61.41.71
5.161.197.230
5.182.37.3
5.188.87.39
5.252.178.146
5.252.178.157
5.255.97.196
8.208.95.78
8.210.103.41
8.210.104.188
8.217.13.6
8.217.111.67
8.222.230.219
13.39.48.10
13.39.237.2
13.41.55.238
13.48.45.227
13.93.75.195
13.125.17.253
13.213.147.86
13.214.204.113
13.244.111.157
13.244.144.1
13.246.26.24
16.170.217.78
16.171.56.119
16.171.60.36
16.171.237.4
16.171.242.239
16.171.254.242
18.134.161.59
18.140.234.35
18.157.84.230
18.158.68.206
18.185.111.207
18.195.241.171
18.196.203.78
18.204.35.247
18.208.213.147
18.214.99.112
18.219.102.188
18.224.73.25
20.12.180.13
20.15.162.87
20.52.249.198
20.67.246.154
20.74.236.100
20.92.20.220
20.94.83.139
20.109.45.183
20.115.112.114
20.126.20.79
20.158.49.49
20.160.143.1
20.224.91.188
20.235.26.66
23.83.133.160
23.83.133.164
23.94.59.56
23.95.44.80
23.105.212.89
23.106.215.192
24.99.36.214
24.199.106.201
27.124.44.241
31.187.76.237
31.220.89.214
31.223.16.23
34.18.9.224
34.92.127.28
34.93.29.231
34.100.240.82
34.116.228.55
34.136.114.164
34.227.89.96
34.229.221.1
34.231.34.198
34.231.97.149
34.235.159.186
34.243.164.16
35.75.17.242
35.90.217.46
35.136.215.120
35.158.109.72
35.198.216.30
35.202.166.59
35.207.109.124
35.226.91.165
37.120.239.175
37.187.123.146
38.6.163.12
38.47.107.170
38.54.107.202
39.99.45.71
39.100.87.25
40.76.236.54
40.117.129.162
42.193.116.134
43.131.252.233
43.132.172.77
43.133.22.48
43.135.138.227
43.142.149.130
43.153.87.78
43.153.184.17
43.153.193.220
44.192.60.164
44.200.59.2
44.202.151.94
44.202.199.164
44.202.218.193
44.203.114.48
44.212.22.10
45.8.251.210
45.9.149.144
45.9.150.150
45.12.253.239
45.56.76.86
45.61.136.107
45.61.169.102
45.77.74.229
45.77.233.83
45.77.254.85
45.79.90.123
45.79.238.141
45.81.34.65
45.92.1.60
45.93.28.77
45.117.81.126
45.125.67.100
45.125.67.117
45.125.67.244
45.131.3.18
45.135.135.107
45.138.16.248
45.144.30.143
45.144.31.129
45.153.242.73
45.183.247.131
45.195.204.20
45.195.204.29
45.195.204.53
46.29.234.73
46.101.79.16
46.101.97.100
46.161.53.217
46.183.184.149
47.90.254.130
47.96.174.148
47.100.30.74
47.109.41.48
47.122.21.21
47.245.42.208
47.245.126.218
50.255.107.170
50.255.107.171
51.15.59.83
51.15.133.32
51.15.195.71
51.16.9.5
51.68.148.48
51.68.148.55
51.68.169.167
51.83.182.155
51.158.77.242
51.158.107.162
51.210.243.250
51.255.45.74
52.19.114.156
52.76.227.205
52.88.128.181
52.147.196.140
52.157.71.131
52.192.111.170
52.194.222.149
52.202.108.119
52.211.176.121
54.64.152.213
54.78.24.98
54.144.152.176
54.160.113.74
54.202.46.22
54.211.1.105
54.246.21.155
54.251.23.219
54.255.154.71
61.4.102.37
62.234.185.181
64.176.34.205
64.176.39.146
64.176.47.227
64.176.211.167
64.226.81.144
64.226.111.133
64.227.8.84
64.227.79.229
64.227.130.114
64.227.130.238
65.20.75.178
65.21.56.40
65.21.105.102
66.55.65.150
66.94.109.152
66.135.16.39
68.183.185.231
70.29.173.138
73.196.213.146
74.119.193.28
74.207.237.246
74.207.242.75
74.234.230.67
76.65.175.53
77.74.208.123
77.91.68.133
77.91.73.143
77.139.130.110
77.223.122.145
78.135.73.140
78.157.163.36
80.85.152.108
80.158.37.73
80.249.147.147
81.161.229.45
82.66.183.37
82.223.64.37
85.206.172.192
86.82.10.130
88.99.28.233
89.58.33.82
89.147.108.250
90.107.73.133
90.212.33.49
91.90.192.233
91.92.128.200
92.39.211.142
94.102.49.165
94.128.22.194
94.131.102.61
94.131.110.14
94.131.112.139
95.164.47.3
98.252.137.125
99.238.119.93
100.25.164.220
100.26.241.235
101.33.116.17
101.42.246.105
101.99.91.224
103.101.205.215
103.214.157.66
103.253.43.146
104.168.237.121
104.200.20.89
104.248.120.60
104.248.149.186
106.55.228.192
107.172.90.146
107.174.95.55
108.174.57.187
108.177.235.191
108.177.235.233
109.63.232.77
109.94.110.94
109.105.198.141
109.106.255.148
109.172.44.233
109.228.61.245
114.117.244.233
117.50.178.24
118.31.66.10
123.249.38.254
124.156.167.196
128.199.88.129
128.199.207.220
129.150.46.86
129.151.170.99
129.151.233.130
129.158.249.215
134.122.45.166
134.122.54.122
134.195.198.40
134.209.147.35
136.244.80.185
137.74.253.250
137.184.100.52
138.68.69.79
138.68.103.181
138.68.174.88
139.59.227.34
139.99.66.96
139.144.22.116
139.144.39.22
139.144.57.50
139.162.52.150
139.180.144.171
139.180.158.92
139.180.212.188
140.238.217.117
141.136.44.52
141.164.45.80
142.93.45.33
142.93.154.140
143.42.110.206
143.198.53.218
143.198.62.146
143.198.105.62
143.198.136.12
143.198.218.5
144.126.202.135
146.59.10.45
146.70.35.170
146.70.87.109
146.70.145.212
146.190.29.203
146.190.48.229
146.190.67.179
146.190.104.255
146.190.113.107
146.190.120.225
147.182.241.180
149.28.207.18
149.40.63.23
151.236.25.237
151.236.216.137
152.89.198.175
152.228.170.254
157.245.47.66
157.245.55.19
157.245.199.109
157.254.195.51
158.101.169.125
158.247.223.37
158.247.243.219
159.65.149.47
159.203.122.205
159.223.202.160
159.223.205.33
159.223.250.77
161.97.156.7
162.0.231.130
163.172.140.159
164.90.162.240
164.92.134.166
164.92.241.44
164.132.229.221
164.215.103.86
164.215.103.105
164.215.103.173
165.22.12.239
165.22.21.249
165.22.58.208
165.154.231.221
165.227.106.175
165.232.123.47
165.232.151.90
166.88.77.16
167.56.66.27
167.56.66.214
167.56.104.241
167.56.105.95
167.56.112.216
167.56.122.29
167.56.122.192
167.56.194.219
167.56.196.20
167.56.198.48
167.56.198.150
167.56.203.196
167.58.233.226
167.58.245.20
167.59.76.50
167.59.76.141
167.99.147.192
167.99.194.51
167.114.115.246
167.172.86.3
167.172.106.238
168.100.10.213
168.100.11.139
168.138.174.173
170.187.142.23
170.187.207.78
170.187.232.126
172.86.78.127
172.93.165.118
172.105.66.217
172.105.92.100
172.105.139.42
172.233.67.65
173.212.236.170
173.254.204.109
174.138.28.5
175.27.146.212
175.178.226.246
176.31.163.140
176.123.8.200
176.124.32.160
177.67.71.17
178.62.57.69
178.128.48.128
178.128.122.128
179.25.216.69
179.25.221.138
179.25.222.247
181.164.204.99
182.61.19.90
184.73.53.214
185.32.126.34
185.39.204.47
185.64.247.201
185.74.222.204
185.112.144.20
185.158.94.217
185.158.248.34
185.163.45.65
185.163.45.244
185.163.204.32
185.203.118.50
185.216.71.178
185.225.74.223
185.239.225.17
185.243.114.106
185.243.115.154
185.243.115.252
185.246.189.72
185.247.224.13
187.95.25.167
188.166.159.86
188.166.170.1
188.166.251.121
188.191.106.34
188.191.106.251
190.133.129.34
190.133.130.250
190.133.139.168
190.133.143.80
190.133.150.121
190.133.150.206
190.133.155.21
190.133.159.153
190.133.232.69
190.133.235.6
190.133.236.207
190.133.237.30
190.133.238.68
190.134.43.116
190.134.50.10
190.134.139.110
190.134.148.138
190.134.155.238
190.134.200.111
190.134.202.117
190.135.124.228
190.135.126.109
190.135.168.212
190.135.176.171
190.135.177.179
190.135.182.53
190.135.184.127
190.135.186.92
190.135.209.12
190.135.233.148
192.46.211.76
192.53.171.76
192.99.223.135
192.121.163.90
192.144.211.13
192.153.57.73
192.153.57.181
192.153.57.227
193.37.69.123
193.43.94.63
193.117.208.108
193.149.190.230
193.218.118.143
193.233.48.14
194.4.51.90
194.26.192.110
194.58.98.232
194.87.218.16
194.135.33.127
195.24.66.110
195.85.114.214
195.123.241.72
198.148.112.58
198.211.102.42
202.162.108.120
203.150.243.176
204.48.29.223
205.185.113.85
206.71.148.79
206.71.148.148
206.166.251.95
206.188.197.20
206.189.22.24
206.189.143.81
207.148.127.136
207.244.226.182
209.38.212.101
209.38.225.63
209.38.232.99
209.38.240.41
209.79.69.200
209.141.50.192
209.151.155.42
209.250.255.119
212.87.204.177
212.227.9.150
217.6.46.91
217.182.199.147

Emails

n/a

Wallet Addresses

n/a

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

circleci

.circleci/config.yml

circleci/php 8.0-fpm-node-browsers

github-actions

.github/workflows/prettier.yml

actions/checkout v4

.github/workflows/remove-old-artifacts.yml

c-hive/gha-remove-artifacts v1

.github/workflows/update-module-assets.yml

actions/checkout v4

Check this box to trigger a request for Renovate to run again on this repository

Block `Hook` a banking and crypto malware

Enhancement idea

Block Hook a banking and crypto malware.

Links

https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilitie

https://threatfox.abuse.ch/browse/malware/apk.hook/

IOC

Domains

n/a

IP's

5.42.199.22
91.215.85.23
91.215.85.37
91.215.85.223
94.156.253.67
185.186.246.69
193.233.196.2

Block `Brute Ratel C4` aka `BruteRatel` malware

Enhancement idea

Block Brute Ratel C4 aka BruteRatel malware.

Description

Brute Ratel is a a Customized Command and Control Center for Red Team and Adversary Simulation

SMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.

Built-in debugger to detect EDR userland hooks.
Ability to keep memory artifacts hidden from EDRs and AV.
Direct Windows SYS calls on the fly.

Links

https://threatfox.abuse.ch/browse/malware/win.brute_ratel_c4/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

n/a

Domains

auditprosec.com
near-org.top
sentisupport.com
symantecuptimehost.com
systemresync.com
teenieshopus.com
wsibc.com

IP's

3.19.120.166
3.28.39.6
3.99.59.202
3.112.185.142
3.115.144.47
3.221.126.84
5.188.87.50
8.219.217.130
8.222.133.105
13.82.141.216
13.112.226.27
13.113.45.138
13.114.48.174
13.114.78.162
13.114.110.144
13.230.243.50
13.231.24.246
15.164.245.79
15.206.79.179
16.16.162.142
18.134.141.72
18.163.6.122
18.176.20.234
18.176.35.161
18.177.226.88
18.178.161.19
18.178.244.246
18.180.64.43
18.181.114.13
18.182.126.252
18.188.54.77
18.193.106.166
18.208.87.99
20.212.219.56
23.92.22.235
23.254.167.32
24.199.89.40
24.199.114.243
24.199.115.9
24.199.118.20
31.42.189.61
34.206.147.4
35.72.0.113
35.72.94.12
35.72.100.201
35.73.220.65
35.74.154.31
35.75.27.89
35.75.94.192
35.75.220.206
35.76.16.247
35.78.13.37
35.79.109.52
37.119.57.169
37.119.57.195
38.55.96.159
38.126.114.218
43.207.8.102
43.207.23.110
44.204.63.95
45.89.55.81
45.123.191.15
45.133.195.58
45.140.17.42
45.147.230.225
47.115.215.203
47.252.28.13
50.16.83.73
50.116.29.40
51.77.112.254
52.68.31.77
52.192.109.110
52.192.166.233
52.193.2.2
52.193.175.78
52.193.185.144
52.193.188.236
52.193.203.8
52.194.85.123
52.194.178.19
52.196.8.3
52.196.36.24
52.196.50.60
52.197.43.5
52.197.222.201
52.198.154.115
52.198.193.213
54.65.8.67
54.65.93.113
54.92.24.114
54.95.222.110
54.150.80.3
54.155.238.133
54.168.95.3
54.168.127.93
54.171.30.223
54.178.188.94
54.199.58.143
54.211.243.10
54.235.16.137
54.238.135.178
54.238.205.126
54.238.220.105
54.238.220.242
54.248.35.92
54.248.102.18
54.248.200.60
54.249.26.2
54.249.130.36
54.249.158.59
54.249.200.119
54.249.216.44
64.190.113.179
64.226.109.199
74.234.98.215
74.235.81.74
77.246.103.180
82.84.39.65
83.97.73.90
84.32.131.78
87.121.221.22
88.218.61.244
91.103.253.43
91.223.208.155
94.102.49.64
94.198.97.58
103.25.188.178
104.168.59.22
104.168.117.105
104.207.132.71
104.234.118.123
104.234.239.217
107.148.9.252
107.148.27.54
107.191.60.134
112.213.121.7
112.213.121.11
112.213.121.20
116.62.139.1
118.107.43.96
118.107.43.98
118.107.43.100
138.68.135.52
139.59.169.19
139.59.211.172
139.162.242.79
139.224.234.194
140.82.46.164
142.93.7.24
142.93.31.106
143.92.58.179
143.92.58.182
143.92.58.183
143.198.176.115
143.198.239.130
144.91.97.213
146.190.65.47
146.190.219.130
146.190.229.227
149.28.251.203
149.154.158.184
154.26.154.154
154.202.59.96
157.254.195.201
162.216.240.61
164.90.217.130
164.92.145.128
165.227.224.30
165.232.151.8
167.71.60.103
167.71.62.156
167.99.137.218
168.100.10.117
170.64.169.229
172.86.123.8
172.105.71.205
175.41.221.5
176.113.115.53
178.33.38.76
179.43.144.250
185.239.173.42
185.239.173.43
185.239.173.44
188.166.72.93
193.149.180.84
193.149.190.194
206.81.1.31
207.148.113.47
212.71.235.150
213.219.214.113
213.227.155.115
217.25.91.146
217.76.52.219
217.182.54.211

Emails

n/a

Wallet Addresses

n/a

Block `Anatsa`, `Brunhilda` and `Gymdrop` banking malware

Enhancement idea

Block Anatsa, Brunhilda and Gymdrop banking malware.

Links

https://www.threatfabric.com/blogs/google-play-droppers

https://threatfox.abuse.ch/browse/malware/apk.anatsa/

IOC

Domains

Gymdrop Dropper C2 Domain:

onlinefitnessanalysis.com

Brunhilda Dropper C2 Domains:

protectionguardapp.club
readyqrscanner.club
flowdivison.club
multifuctionscanner.club

IP's

Anatsa Dropper C2 IP's:

195.201.70.88
178.63.27.179
91.242.229.85
195.201.70.89

Block `Get2` aka `FRIENDSPEAK, GetandGo` malware

Enhancement idea

Block Get2 aka FRIENDSPEAK, GetandGo malware.

Description

Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy, Snatch and SDBbot.

Links

https://threatfox.abuse.ch/browse/malware/win.get2/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

n/a

Domains

docs-downloading.com
ms-debug-services.com
ms-pipes-service.com

IP's

27.101.221.227
101.78.26.130
110.15.243.148
124.243.53.149
125.141.144.228
125.141.145.164
125.141.145.165
125.141.145.174
125.141.145.175
125.141.145.241
125.141.145.252
133.186.222.87
180.210.112.158
188.160.7.36
202.211.4.65
203.252.173.121
210.90.168.17610
220.69.33.44
220.69.33.51
220.69.33.111

Emails

n/a

Wallet Addresses

n/a

Block `Nanocore RAT` aka `Nancrat, NanoCore` malware

Enhancement idea

Block Nanocore RAT aka Nancrat, NanoCore malware.

Description

Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.

Links

https://threatfox.abuse.ch/browse/malware/win.nanocore/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

chivalrous-condition.auto.playit.gg
involved-stars.at.playit.gg
this-france.at.playit.gg
warm-voyage.auto.playit.gg
woebegone-smoke.auto.playit.gg

Domains

3utilities.com
accesscam.org
agent47.vip
airdns.org
airvpn.org
akamaitechnologies.info
andesal.com.au
anondns.net
awsmppl.com
blueheartsmed.com
bounceme.net
branderhostx.bid
cable-modem.org
camdvr.org
canarybeachhotel.sa
casacam.net
changeip.net
chickenkiller.com
chiguserver.ml
cloudns.nz
complex-server.xyz
coris-bank.fr
cornrnscope.com
crabdance.com
ddnsgeek.com
ddnsking.com
ddnsw.net
dns-cloud.net
dns.net
dnsabr.com
duia.ro
dyndns-remote.com
dyndns-server.com
dyndns.biz
dyndns.org
dynu.com
fcuked.me.uk
fe100.net
fedex-shipping.xyz
finlandmc.com
firewall-gateway.com
fishdns.com
free.fr
freeddns.org
freemyip.com
from-de.com
from-ms.com
fspy.cf
fullstrap.tech
geekgalaxy.com
gleeze.com
gotdns.ch
hacked.jp
here-for-more.info
homelinux.net
homingbeacon.net
hopper.pw
hoptp.org
icodework.com
ignorelist.com
insidedns.com
ix.tc
jumpingcrab.com
keenetic.link
kjwoconfigwindows.xyz
kozow.com
kro.kr
libfoobar.com
linkpc.net
loseyourip.com
mbplc.xyz
mooo.com
mssdlc.pw
myddns.me
myddns.rocks
myftp.biz
myq-see.com
net-freaks.com
no-ip.biz
no-ip.ca
no-ip.de
no-ip.info
no-ip.net
no-ip.org
noanvaruncorekumar.cf
nsupdate.info
off.li
onmypc.us
onthewifi.com
ooguy.com
pdns.cz
pktriot.net
ply.gg
port0.org
portmap.host
portmap.io
publicvm.com
rapiddns.ru
rootlayer.net
selfhost.de
selfhost.tk
servebbs.org
servebeer.com
serveftp.com
serveftp.org
servegame.org
serveminecraft.net
servepics.com
shtf.pw
sinsincity.com
spamcannibal.xyz
ssfn.site
strangled.net
tecktalk.org
theworkpc.com
twilightparadox.com
us.to
v6.rocks
vipsms101.com
warzonedns.com
webhop.info
webhop.me
webredirect.org
xeliteme.us
xxxpornstory.xyz
zz.am

IP's

2.59.254.205
45.66.230.22
45.67.229.4
81.161.229.107
104.250.181.155

Emails

n/a

Wallet Addresses

n/a

Block `Houdini` aka `Hworm, Jenxcus, Kognito, Njw0rm, WSHRAT, dinihou, dunihi` malware

Enhancement idea

e.g. Add this to firewall or virus definitions

Description

Houdini is a VBS-based RAT dating back to 2013. Past in the days, it used to be wrapped in an .exe but started being spamvertized or downloaded by other malware directly as .vbs in 2018. In 2019, WSHRAT appeared, a Javascript-based version of Houdini, recoded by the name of Kognito.

Links

https://threatfox.abuse.ch/browse/malware/win.houdini/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

n/a

Domains

2waky.com
3utilities.com
camdvr.org
con-ip.com
ddnsfree.com
dynamic-dns.net
giize.com
home-webserver.de
hopto.org
huntebez.xyz
jetos.com
kasowiitz.com
killwhenabusing1.xyz
kozow.com
linkpc.net
longmusic.com
misecure.com
mywire.org
ngrok.io
otzo.com
publicvm.com
stevenpartners.com
sytes.net
wikaba.com

IP's

2.59.254.111
37.0.8.115
37.0.14.195
37.0.14.198
41.216.188.103
45.12.253.77
45.90.222.125
45.90.222.131
45.139.105.174
45.141.237.3
62.102.148.154
62.197.136.69
66.154.98.209
79.134.225.5
79.134.225.91
80.76.51.33
80.76.51.124
80.85.154.247
80.85.157.37
83.59.236.231
84.21.172.33
84.38.130.210
88.8.171.41
91.193.75.135
91.193.75.192
94.177.123.162
103.47.144.42
104.161.42.236
107.182.129.16
109.206.240.41
109.206.242.32
109.248.144.235
111.90.149.115
134.122.118.122
137.184.6.37
139.177.146.154
139.177.146.165
140.150.226.225
140.228.29.190
141.98.6.239
142.202.191.243
142.202.242.176
147.182.232.67
154.127.53.102
155.94.209.44
159.89.232.243
172.93.181.188
172.245.40.82
185.19.85.164
185.136.159.253
185.140.53.71
185.140.53.183
185.140.53.207
185.222.57.147
185.246.220.208
185.252.178.17
191.101.130.186
192.3.53.74
193.233.185.89
193.233.191.96
194.5.97.17
194.5.97.26
194.5.98.20
194.5.98.96
194.5.98.198
194.5.98.212
194.87.84.43
194.147.140.4
195.133.40.111
198.55.119.109
212.193.30.230
213.226.123.91

Emails

n/a

Wallet Addresses

n/a

Block `Lumma Stealer` aka `LummaC2 Stealer` malware

Enhancement idea

Block Lumma Stealer aka LummaC2 Stealer malware.

Description

Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.

Links

https://threatfox.abuse.ch/browse/malware/win.lumma/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

n/a

Domains

1private.pro
2flowers-my.xyz
acecnouwglass.xyz
acexoss.xyz
acsfoodthegood.fun
activlessor.fun
adavefrees.xyz
afterburnermsi.info
agustfreeday-my.xyz
aloowforest.xyz
artificialleath.fun
arvimon.fun
assacurajob.fun
astrolco.fun
bacloud.info
bakedmatela.fun
balancebordrt.xyz
balancelag.xyz
bearboll.fun
beerword.xyz
begonblom.fun
blessdeckite.fun
blingaspireojhau.online
blockall-my.xyz
blockigro.xyz
blockspam-my.xyz
bloomhome.xyz
bondappeal.xyz
boothroundupdow.fun
booxshistr.xyz
bottlewattoh.fun
boxclod.xyz
boxhappines.xyz
brockerby.xyz
buyerbrand.xyz
campphotos.xyz
castomdroms.xyz
catfoodbio.xyz
cfgy8uj.click
checkgoods.xyz
chocomeat.fun
choserowboatfly.fun
cleanvr.xyz
clonecloud-my.xyz
closhemone.fun
cloudsaled.xyz
cloudsnike-my.xyz
coinflore-my.xyz
coldwinded.fun
colomna.xyz
colomndead.xyz
coolfingers.xyz
coolvtf.xyz
coolworks.xyz
coolworkss.xyz
cosmosvr3d.xyz
costexcise.xyz
coursenote.xyz
crazypictures.xyz
culturalevenings.xyz
curtainjors.fun
cvadrobox.xyz
damageagio.xyz
dashminimaltokens.xyz
deadpip.xyz
dedoxtrone.fun
deeppoetry.xyz
demanddeal.xyz
demomoves.xyz
dermrtv.fun
diavellipromo-my.xyz
divineservicecity.fun
dodgeavay.xyz
doggyguffy.fun
dogshanter.xyz
doorblu.xyz
downloaddedattre.fun
downloadfiles-my.xyz
dromautocar.xyz
dropfiles-my.xyz
ducklingibises.fun
ellifotolive.xyz
equestrianjumpingfrog.fun
erorblackday.xyz
exfillrar.xyz
exitfile.xyz
exitlife.xyz
extrasofts.org
faircoupon.xyz
fartyfun.fun
fastcloudlife-my.xyz
feathspacesaf.fun
fiancejiveimp.fun
fibrodoorsbig.fun
fibrodoorsbig.xyz
fileforex.xyz
findyhuman.fun
fingerstile.xyz
fireworld.fun
firmpanacewa.fun
fisholl.xyz
flashpool.xyz
flaydoor.xyz
flowers-my.xyz
follovertv.fun
footfetishlol.xyz
footslou.fun
formiklass.fun
freeace.xyz
freesco.xyz
freesoftportal.xyz
frogswordsale.xyz
fullppc.xyz
funnycox.fun
gamefoods.xyz
gapi-alpha.io
gapi-node.io
gaspatchommm.fun
gbbsoft.xyz
gitarlessonfinger.xyz
glaziercarde.fun
glinkgik-7.com
glitchmoon.xyz
glowesbrones.xyz
glowesbrons.xyz
gogobad.fun
goldenwalstk.xyz
goldsboxss.xyz
goldtokensool.xyz
gougeflying.fun
grossvp.xyz
gservice-node.io
gstatic-node.io
gunstormonl.fun
hedgedecay.xyz
hinkli-5.com
housegrommy.fun
jlinkjk-6.com
jobsvac.xyz
jonesleming.xyz
jornesfree.xyz
jumperstad.fun
kellmda.click
kneesockrod.fun
kpsshistoryone.xyz
kudoflowers.xyz
labourcakefrt.fun
lackbasinmu.fun
laynchcontrol.xyz
leaseagent.xyz
linesroom.xyz
link76h.com
link234-33.com
link5467.com
link43897.com
linked-42.com
linked-66.com
linked-88.com
linkers-92.com
linkhj764.com
linkjshw-4.com
linkll-2.com
linkll-11.com
linko8457y.com
linkqksi-3.com
liveswords.xyz
lockguard.xyz
loufuelscom.fun
loufuelscom.xyz
lowwesprion.xyz
lpsserversonlene.xyz
luidelyator.xyz
magaway.fun
malenursenect.fun
many-verses.xyz
marketsale.xyz
markuschop.fun
mensmoment.xyz
microflawersj.xyz
milkwithlacto.fun
modifesistem.xyz
momsikret.xyz
morefilmsfree.fun
mrcrubsaf.fun
netforyou.xyz
noisemakjelly.fun
notion-download.pro
notions-download.com
npskudlu.com
orkograkula.fun
parrotorsk.fun
pearlbarleyhit.fun
petsgamess.xyz
phonevronlene.xyz
piplexm.xyz
pizzasison.xyz
politicuseles.fun
portlandcor.fun
potatomeatball.fun
pregnantflowers.fun
private-cloud-server.pro
privategame.xyz
productionbio.fun
programmbox.xyz
promocar.xyz
promomilk.xyz
proxyindex.xyz
quotamoney.xyz
rarefood.fun
reconphotocolor.xyz
recordbell.fun
resistangroupee.fun
rollbeamone.fun
rosaryconbo.fun
rovengold.fun
royalpantss.fun
satanakop.fun
sausagerollraisin.fun
scandimyth.xyz
scoollovers.xyz
scruffymapleflat.fun
seededraisinlilinglov.fun
sendcyniaforeign.fun
seobrokerstv.fun
seobrokerstv.xyz
sevenzk.xyz
shoppervik.fun
sieratools.xyz
simesmile.xyz
singlesfree.xyz
sinopticday.xyz
sisadmin-my.xyz
skicloud-my.xyz
slading.xyz
slimtvsocico.fun
sloumitionvideos.xyz
sloumotion.xyz
socialmadness.fun
sodafountainpr.fun
solopodvip-my.xyz
sonyabest.xyz
speedtestip.xyz
starold.xyz
startablekor.fun
statehaller.fun
stoppublick.xyz
stoptme.xyz
stormwumen.xyz
superyupp.fun
survviv.xyz
svaproot.fun
talkinwhitepod.fun
thuspulllig.fun
titanaquaplus.xyz
toastmastone.fun
tobeornottobe.fun
toysforchild.fun
traftech.pro
trapmusics.xyz
treepledeeple.fun
tritonbody.fun
tuberoseprod.fun
usdseancer.fun
usdseancer.xyz
valleydod.fun
veinsmoter.fun
videolan-web.org
viemon.xyz
vipcloud-my.xyz
walmart.lc
warnger.xyz
waterparkedone.fun
weaselplacerif.fun
webex-download.com
welcometv.fun
westwork-my.xyz
withdrawlecterns.fun
woldwidesage.fun
wolffunny.fun
woodcat.xyz
worldofpoetry.xyz
worldtopnews.fun
xwomencalor.xyz
yachtracingopt.fun
zetmountsqr.fun

IP's

5.161.155.121
23.254.225.133
45.8.146.130
45.8.146.213
45.8.146.227
45.9.74.78
45.15.25.190
77.73.134.51
77.73.134.68
78.46.190.160
79.137.203.190
82.117.255.80
82.117.255.127
82.117.255.128
82.118.23.50
85.239.62.218
89.116.255.182
91.215.85.210
94.142.138.26
94.142.138.78
94.158.244.69
109.105.198.114
144.76.173.247
157.90.248.179
168.119.4.83
185.99.132.51
185.99.133.246
192.236.233.253
195.123.227.138
213.252.244.62
217.12.206.230
217.25.91.15

Emails

n/a

Wallet Addresses

n/a

Block `S.O.V.A.` banking and crypto malware

Enhancement idea

Block S.O.V.A. banking and crypto malware.

Links

https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions

https://threatfox.abuse.ch/browse/malware/apk.sova/

IOC

Domains

l8j1nsk3j5h1msal973nk37.fun
a0545193.xsph.ru

IP's

5.161.16.85
5.161.22.241
5.161.105.24
5.161.116.222
5.161.189.178
45.81.243.180
45.81.243.181
45.81.243.203
45.81.243.204
85.31.45.128
85.31.45.130
109.206.240.7
176.107.160.28
176.107.160.64

Block `GootLoader` malware

Enhancement idea

Block GootLoader malware.

Description

According to PCrisk, they discovered GootLoader malware while examining legitimate but compromised websites (mainly websites managed using WordPress). It was found that GootLoader is used to infect computers with additional malware. Cybercriminals using GootLoader seek to trick users into unknowingly downloading and executing the malware by disguising it as a document or other file.

Links

https://threatfox.abuse.ch/browse/malware/js.gootloader/

IOC

URL's

abe.bethmcmillian.com
accessi.altaroma.it
acuicultura.ihcantabria.com
adila.sabluxgroup.com
afschools.vermilion.com
amg.rmutk.ac.th
api-help.100px.com
beta.voxpublica.no
bfa.csrcpall.com
bildwein.pieroth.de
blog.progamma.com
fas.wyb.ac.lk
fisika.uad.ac.id
heike.teofilius.de
images.cjp.mx
imas.uk.com
lacocinadefrabisa.lavozdegalicia.es
marketdriven.chevronmarcom.com

Domains

1c-kursy.online
1fc-muelheim.de
5esaison.ch
7x3.jp
8659design.se
a6uat.co.uk
aaa-studios.de
aadesignstudio.it
aandjaudhali.com
abbazia.hu
abdmedia.online
aboveandbeyondmovers.com
abt.hu
adamolam.co.il
adamsarhan.com
aderbuild.com.au
adriaticdeluxeapartments.com
adsparkdev.com
aerotechcaps.com
aidemy.net
airtechsystem.co.jp
akademos.com.ar
aktoto.eu
alabuscnc.com
alarmz.co
alaynabowman.com
albertoferreira.art.br
alethium.com
alexeasytechnology.co.za
alfabets.pl
almazova.space
alsalamatryon.com
alteronreit.com
alumbramento.com.br
amaseon.com
amatosport.pl
ambersdogwise.nl
amthanhthongbao.com
ancrages.ca
anee.ee
annett.ca
anphatedu.com
antoun.com.au
apostocatering.gr
apparences-magazine.be
apuestagolf.com
artidesign.studio
artisanvinegar.co.uk
askyadoc.org
atelierceline.fr
atlantacreditrepair.info
atopicschool.co.il
audreylyllian.com.br
augustynbaran.pl
avindustry.org
avls.com.ph
azitgroup.com.au
bagat24.de
baltimorecreditrepair.info
bams.co
bannisterministry.org
baohomnay365.com
barakaconsultants.com
barwyszkla.pl
bassanglersofmichigan.com
bbqaddicts.fr
bctambore.com.br
bddlandscaping.com
bellevue-tourtour.com
benettonrugby.it
benlloc.es
bergenadvokatene.no
bestervergleich24.de
bfasa.co.za
bialpro.pl
bigbobspizza.com
biozek.com
birbeslenme.com
biyuu.net
blakwaveproductions.com
bluefrontmagnetics.com
boyarskymurphy.com
bulog.jp
cercledeyoga.fr
cerebelum.net
cpbrandindia.com
ddpipreview.nl
defouw.org
demodemo.link
denelan.com
dogsfun.net
dozecomunicacao.com.br
drammensadvokatene.no
drewhuddleston.com
druczki.pl
duinbehoud.nl
dwe.amaseon.com
easiestbatteryrepair.com
ecomuseodellegrigne.it
eiradio.com
elektrykstaszow.pl
elmartecnologia.com.br
encompassproperties.com
energiemc2.com
erdalcengiz.com
espacoememoria.org
estarque.com.br
ets2.gr
eucontab.com.br
euskaljakintza.com
existeraboutdeplume.fr
expoteam.ro
eyu.net
fahrschulethomas.com
farbenspiel-trier.de
farwestlandscape.net
ffsimv.gr
fincompara.co
firmenakademie.com
foblesproject.pl
freeintalk.co
freeintalk.com
freshcreative.com.au
freudeundheilung.de
fysiotherapie-panken.nl
gabycampo.com.ar
gasperinieps.it
gbgrid.com
gebruederbild.com
gehrels.info
gghengineers.com
ggse.us
ghandchifamily.com
ghostapp.co.uk
giccmedical.com
glaudio.com.au
glendonlee.com
gremlin.net
gullkorndesign.com
gullkorndesign.de
gutesherz.or
hadleymothersclub.org
hair-med-krakow.pl
heartwoodproperties.com
heatherwoodpta.org
heldenfutter.de
hockeycorner.net
hslawcorp.com
ibirtm.pl
ikhwarn.com
ikwilvanmijnpoloaf.nl
ilovealtona.org
ilpiccolocampo.it
imonitorsoft.com
inerino.co.za
informatyczny.expert
inprojexautomotive.com
insource.nz
inspiration4fitness.de
interstrand.com
ipac.edu.ec
ippm.dk
iprommark.com.ua
iuic.de
jacksworkspace.com
johnryan.ie
jonathanbartz.com
jonfarrell.io
jphilippeau.com
junk-bros.com
jvasky.com
kantarellstigen1.se
kapsalonbrand.nl
karbonaudit.cf
karlshamnsfotoklubb.se
kavoshpos.com
keltek.co.uk
kendalwills.co.uk
kiezradler.de
kizys.net
kwagalafoundation.nl
ladygym.ro
lakelandartassociation.org
lakeside-fishandchips.com
lazyls.co
lenovob2bportal.com
lepanam.com
lesriceysimports.com
lha.co.ke
limbus-holding.de
livesports.co
manfredritschard.com
marketing-flash.dd
marketing-flash.de
maxguenter.de
merkuriusz.pl
moussokouma.de
my-game.biz
needeepindesign.com.au
odrtechinc.com
passionstaging.co.uk
pillardeploymentretreat.com
rfstaging.co.uk
satoyamasafu.com
secora.cl
seektobe.com.au
setman.es
seyhanaluminyum.com
sheffieldcoronarysociety.org.uk
sicilyin.com
silpa.co.in
slimdiet.eu
smartcontracts.nl
spyadviser.com
srdemolition.com
szipe.org
talentree.fi
tavernelentrepot.be
tframe.de
thediarytours.com
thekyhomeinspector.org
thexroadz.com
tillit-hjarta.se
tvsguides.com
twoviewsmovies.com
vacanzenelmediterraneo.com
valaprime.com.ng
valentinhenning.de
vasktextil.com
verlaghausundmarkt.de
vojens-trailerudlejning.dk
vrouwenversierentips.org
webdesignbrabant.net
werbefirma.hamburg
wiccinigeria.org
wo365.com
wonderfulegypttours.com
worpswede-blog.de
wtcomms.co.uk
xaderbuild.com.au
yec.edu.mm
ykasandbox.com
ysdong.top
za-co-za.co.za
zen-altitude.fr
zhongguotese.net

IP's

5.8.18.7
5.8.18.159
138.197.222.36

Block `SharkBot` banking malware

Enhancement idea

Block SharkBot banking malware.

Links

https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/

https://threatfox.abuse.ch/browse/malware/apk.sharkbot/

IOC

SharkBotDropper C2:

statscodicefiscale.xyz

‘Auto/Direct Reply’ URL used to distribute the malware:

https://bit.ly/34ArUxI

C2 servers/Domains for SharkBot:

n3bvakjjouxir0zkzmd.xyz
mjayoxbvakjjouxir0z.xyz

C2 servers/IP for SharkBot:

185.219.221.99

Add Blocking `EventBot` A New Mobile Banking and Crypto Trojan

Enhancement idea

Add Blocking EventBot A New Mobile Banking and Crypto Trojan.

Link

https://www.cybereason.com/blog/research/eventbot-a-new-mobile-banking-trojan-is-born

https://www.cybereason.com/hubfs/EVENTBOT%20IOCs.pdf

IOC

Domains EventBot C2

blindsidefantasy.com
carlaarrabitoarchitetto.com
martatovaglieri.it
rxcoordinator.com
studiolegalebasili.com
themoil.site
welcometothepub.com

IP's EventBot C2

31.214.157.6
50.63.202.81
185.158.248.102
185.158.249.141
208.91.197.91

Block `Mirai` aka `Katana` Malware

Enhancement idea

Block Mirai aka Katana Malware.

Description

Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.

Links

https://threatfox.abuse.ch/browse/malware/elf.mirai/

IOC

URL's

ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion

Domains

badworldgama.top
cantdown.space
catnetwork.online
chalntz.top
chatgenie.co.uk
chipbf.com
condi.network
corh.cf
ddns.net
dfgy.shop
dfvzfvd.help
doved.top
duc3k.com
gay.energy
ggm.pw
hamsterrace.space
infectedchink.cat
jiggaboojones.tech
kintaro.cc
layer7.fun
maizhangyu.top
mmone.online
nekololis.wtf
nguyentatthanh.ml
nulling.to
opewu.homes
orxy.space
powerfull-skid.com
pqahzam.ink
quanxx.site
sjyddos4.top
skyline2006.xyz
softdetails.in
stress.wtf
tcprestt.top
timestop.online
wq.gy
xiaojue02.top
zu0x.com
zvub.us

IP's

2.58.113.45
2.59.254.79
2.59.255.30
2.59.255.135
2.59.255.213
2.61.141.54
5.25.25.175
5.42.87.102
5.42.95.232
5.81.186.34
5.135.191.94
5.165.208.35
5.181.80.102
5.181.80.120
5.181.80.126
5.181.80.130
5.181.80.134
5.181.80.141
5.181.80.148
5.181.159.147
5.206.227.169
5.249.164.42
5.252.176.80
5.255.100.65
5.255.120.80
8.219.246.185
8.222.168.53
8.222.187.109
15.235.33.231
15.235.47.158
15.235.180.234
20.48.39.152
23.234.237.147
24.4.56.145
24.212.176.217
27.59.48.171
31.166.227.210
34.91.223.10
37.48.111.210
37.59.65.43
37.113.105.166
37.220.86.29
37.221.92.195
37.221.92.198
37.221.92.199
37.221.92.200
37.221.92.203
37.221.92.204
37.221.92.205
38.6.178.253
38.92.49.124
41.216.181.42
41.216.181.70
41.216.182.160
42.96.0.18
43.248.116.123
45.7.2.129
45.9.5.132
45.11.0.184
45.12.109.103
45.12.253.228
45.61.186.98
45.66.230.32
45.66.230.36
45.66.230.47
45.66.230.64
45.66.230.105
45.66.230.161
45.66.230.173
45.67.230.5
45.81.39.111
45.81.234.229
45.81.243.38
45.88.90.152
45.90.14.172
45.90.161.73
45.91.116.104
45.93.30.228
45.95.169.175
45.95.169.181
45.95.169.247
45.95.232.69
45.128.232.86
45.128.232.121
45.128.232.130
45.128.232.143
45.128.232.180
45.128.232.186
45.131.111.241
45.132.241.71
45.134.225.245
45.137.117.81
45.138.74.220
45.138.157.9
45.142.107.233
45.142.114.233
45.143.4.45
45.143.223.215
45.147.46.125
45.148.116.48
45.148.119.123
45.148.244.224
45.150.108.215
45.155.220.254
45.158.22.161
46.3.113.208
46.3.113.238
46.19.137.90
46.232.211.96
46.232.211.110
46.232.211.168
47.87.129.156
47.87.131.126
47.87.139.248
47.87.142.47
47.87.153.243
47.87.161.30
47.87.199.173
47.188.173.6
47.246.0.171
49.229.246.2
49.236.208.231
50.115.165.101
51.15.13.91
51.15.20.118
51.79.51.171
51.81.85.213
51.81.149.60
51.89.240.11
51.91.154.4
51.222.43.110
51.250.83.119
52.174.1.97
57.128.164.115
58.23.82.231
59.88.227.84
59.93.16.106
59.93.30.98
59.94.205.38
59.99.136.191
61.1.227.221
61.3.96.169
61.3.102.127
61.3.180.37
61.221.29.19
62.69.239.30
62.113.117.232
64.226.122.208
64.227.65.235
65.108.121.237
66.228.45.120
66.242.156.33
67.168.48.97
68.149.228.87
68.183.19.243
70.80.249.217
71.233.41.235
72.167.251.220
72.209.178.21
74.201.30.45
74.208.188.16
74.208.206.241
75.119.146.125
76.69.197.54
77.91.75.228
77.91.85.194
77.105.146.198
77.105.147.194
78.153.130.217
79.110.49.5
79.110.49.16
79.110.49.53
79.110.49.85
79.110.49.217
79.110.62.186
79.125.66.85
80.64.218.145
80.178.222.97
81.30.194.250
81.134.50.243
81.161.229.36
81.161.229.251
81.163.128.184
81.171.1.52
81.171.9.208
82.76.88.103
82.165.167.92
82.180.161.30
84.53.229.40
84.54.50.20
84.54.50.99
84.54.50.198
84.54.50.230
84.54.51.82
84.54.51.103
85.99.49.144
85.202.87.162
85.208.139.32
85.208.139.73
85.208.139.122
85.217.144.14
85.217.144.35
85.217.144.71
85.217.144.86
85.217.144.91
85.217.144.136
85.217.144.141
85.217.144.182
85.217.144.191
85.217.144.218
86.107.179.130
87.117.159.121
87.120.88.208
87.121.47.67
87.121.113.2
87.121.113.85
87.121.113.107
87.121.113.145
87.121.113.160
87.121.221.61
87.121.221.67
87.121.221.169
87.121.221.196
87.236.85.110
88.214.20.105
88.214.56.14
89.23.88.54
89.149.202.16
89.208.106.135
90.249.86.117
91.83.92.228
91.150.20.235
91.202.247.1
91.202.247.2
91.202.247.3
91.202.247.4
91.202.247.5
91.202.247.6
91.202.247.7
91.202.247.8
91.202.247.9
91.202.247.10
91.202.247.11
91.202.247.12
91.202.247.13
91.202.247.14
91.202.247.15
91.202.247.16
91.202.247.17
91.202.247.18
91.202.247.19
91.202.247.20
91.202.247.21
91.202.247.22
91.202.247.23
91.202.247.24
91.202.247.25
91.202.247.26
91.202.247.27
91.202.247.28
91.202.247.29
91.202.247.30
91.202.247.31
91.202.247.32
91.202.247.33
91.202.247.34
91.202.247.35
91.202.247.36
91.202.247.37
91.202.247.38
91.202.247.39
91.202.247.40
91.202.247.41
91.202.247.42
91.202.247.43
91.202.247.44
91.202.247.45
91.202.247.46
91.202.247.47
91.202.247.48
91.202.247.49
91.202.247.50
91.202.247.51
91.202.247.52
91.202.247.53
91.202.247.54
91.202.247.55
91.202.247.56
91.202.247.57
91.202.247.58
91.202.247.59
91.202.247.60
91.202.247.61
91.202.247.62
91.202.247.63
91.202.247.64
91.202.247.65
91.202.247.66
91.202.247.67
91.202.247.68
91.202.247.69
91.202.247.70
91.202.247.71
91.202.247.72
91.202.247.73
91.202.247.74
91.202.247.75
91.202.247.76
91.202.247.77
91.202.247.78
91.202.247.79
91.202.247.80
91.202.247.81
91.202.247.82
91.202.247.83
91.202.247.84
91.202.247.85
91.202.247.86
91.202.247.87
91.202.247.88
91.202.247.89
91.202.247.90
91.202.247.91
91.202.247.92
91.202.247.93
91.202.247.94
91.202.247.95
91.202.247.96
91.202.247.97
91.202.247.98
91.202.247.99
91.202.247.100
91.202.247.101
91.202.247.102
91.202.247.103
91.202.247.104
91.202.247.105
91.202.247.106
91.202.247.107
91.202.247.108
91.202.247.109
91.202.247.110
91.202.247.111
91.202.247.112
91.202.247.113
91.202.247.114
91.202.247.115
91.202.247.116
91.202.247.117
91.202.247.118
91.202.247.119
91.202.247.120
91.202.247.121
91.202.247.122
91.202.247.123
91.202.247.124
91.202.247.125
91.202.247.126
91.202.247.127
91.202.247.128
91.202.247.129
91.202.247.130
91.202.247.131
91.202.247.132
91.202.247.133
91.202.247.134
91.202.247.135
91.202.247.136
91.202.247.137
91.202.247.138
91.202.247.139
91.202.247.140
91.202.247.141
91.202.247.142
91.202.247.143
91.202.247.144
91.202.247.145
91.202.247.146
91.202.247.147
91.202.247.148
91.202.247.149
91.202.247.150
91.202.247.151
91.202.247.152
91.202.247.153
91.202.247.154
91.202.247.155
91.202.247.156
91.202.247.157
91.202.247.158
91.202.247.159
91.202.247.160
91.202.247.161
91.202.247.162
91.202.247.163
91.202.247.164
91.202.247.165
91.202.247.166
91.202.247.167
91.202.247.168
91.202.247.169
91.202.247.170
91.202.247.171
91.202.247.172
91.202.247.173
91.202.247.174
91.202.247.175
91.202.247.176
91.202.247.177
91.202.247.178
91.202.247.179
91.202.247.180
91.202.247.181
91.202.247.182
91.202.247.183
91.202.247.184
91.202.247.185
91.202.247.186
91.202.247.187
91.202.247.188
91.202.247.189
91.202.247.190
91.202.247.191
91.202.247.192
91.202.247.193
91.202.247.194
91.202.247.195
91.202.247.196
91.202.247.197
91.202.247.198
91.202.247.199
91.202.247.200
91.202.247.201
91.202.247.202
91.202.247.203
91.202.247.204
91.202.247.205
91.202.247.206
91.202.247.207
91.202.247.208
91.202.247.209
91.202.247.210
91.202.247.211
91.202.247.212
91.202.247.213
91.202.247.214
91.202.247.215
91.202.247.216
91.202.247.217
91.202.247.218
91.202.247.219
91.202.247.220
91.202.247.221
91.202.247.222
91.202.247.223
91.202.247.224
91.202.247.225
91.202.247.226
91.202.247.227
91.202.247.228
91.202.247.229
91.202.247.230
91.202.247.231
91.202.247.232
91.202.247.233
91.202.247.234
91.202.247.235
91.202.247.236
91.202.247.237
91.202.247.238
91.202.247.239
91.202.247.240
91.202.247.241
91.202.247.242
91.202.247.243
91.202.247.244
91.202.247.245
91.202.247.246
91.202.247.247
91.202.247.248
91.202.247.249
91.202.247.250
91.202.247.251
91.202.247.252
91.202.247.253
91.202.247.254
91.202.247.255
91.202.248.0
91.208.206.170
91.215.110.21
91.219.188.40
91.229.239.77
91.234.99.110
91.235.234.81
92.204.243.155
92.222.237.231
93.80.67.122
93.94.223.42
94.1.208.8
94.66.214.157
94.131.113.221
94.156.102.209
94.228.162.150
95.10.201.104
95.139.107.236
95.214.24.125
95.214.26.87
95.214.27.3
95.214.27.45
95.214.27.52
95.214.27.53
95.214.27.76
95.214.27.136
95.214.27.160
95.214.27.161
95.214.27.201
95.214.27.202
95.214.27.248
95.214.53.112
95.216.14.254
98.159.98.113
98.159.100.33
98.159.100.91
101.71.125.86
102.129.215.7
103.16.161.29
103.82.21.240
103.82.22.249
103.82.25.198
103.82.25.250
103.91.9.106
103.110.33.162
103.110.33.164
103.118.30.141
103.131.57.59
103.145.60.159
103.160.3.10
103.164.138.99
103.164.139.229
103.166.183.123
103.166.185.17
103.178.229.220
103.178.232.12
103.179.188.48
103.179.188.130
103.179.189.80
103.180.137.4
103.195.236.140
103.255.177.11
104.128.127.203
104.168.24.213
104.238.189.68
104.244.74.239
106.211.151.133
107.167.6.70
107.173.209.253
107.189.3.153
107.189.3.174
107.189.4.143
107.189.13.11
107.189.13.105
107.189.29.5
107.189.29.121
107.189.29.157
107.210.122.226
108.60.219.162
108.61.211.73
108.177.122.127
109.122.221.38
109.122.221.146
109.184.57.214
109.205.213.3
109.205.213.7
109.230.203.157
110.39.43.218
111.61.191.211
114.254.44.57
115.36.215.150
115.48.149.117
115.207.10.49
116.206.75.169
117.194.148.144
117.194.163.136
117.196.59.65
117.208.207.28
117.208.239.134
117.212.173.186
117.213.6.12
117.213.41.252
117.217.234.106
117.219.125.199
117.223.189.186
117.241.184.6
117.245.92.40
117.247.113.60
117.248.62.158
117.253.103.144
117.253.109.162
117.255.190.184
118.106.16.239
118.166.146.54
119.123.224.4
120.211.137.179
124.6.16.234
124.142.122.112
125.82.182.44
128.199.22.114
128.199.80.79
128.199.151.207
129.226.204.213
130.193.40.103
134.209.230.71
135.125.114.164
135.148.57.150
135.148.100.57
136.175.200.142
136.175.200.177
137.66.28.90
137.74.95.182
137.184.49.114
137.184.228.241
138.197.127.249
139.59.209.121
139.177.188.99
141.98.6.81
141.98.6.106
141.98.6.123
141.98.6.124
141.98.6.137
141.98.6.142
141.98.6.143
141.98.6.145
141.98.6.149
141.98.6.151
141.98.6.222
141.98.6.249
141.98.10.34
141.98.10.40
141.98.10.44
141.98.10.59
141.98.10.75
141.98.24.135
142.93.203.178
142.93.210.135
143.47.183.129
144.172.80.85
144.208.127.119
146.19.168.217
146.19.191.229
147.46.173.115
147.182.144.194
147.182.145.144
149.56.78.215
149.56.246.85
149.255.222.9
152.30.213.102
154.9.29.106
154.12.57.120
154.13.6.152
154.26.133.134
154.37.152.66
154.45.216.220
154.64.225.69
155.94.178.83
155.94.235.216
155.100.78.22
156.206.140.22
156.230.130.69
157.48.150.0
157.90.23.220
157.97.105.189
157.230.184.88
157.230.213.165
157.245.149.3
157.254.166.232
158.101.18.193
158.101.199.107
158.160.13.185
159.28.179.93
159.65.56.68
159.89.202.36
159.100.30.60
162.19.145.38
162.19.161.214
162.19.227.81
162.157.94.49
162.248.224.46
163.123.142.194
164.90.201.190
164.92.141.56
166.88.210.252
167.71.40.197
167.99.179.6
168.119.241.162
168.187.19.51
169.155.49.133
170.0.56.83
170.187.228.34
172.104.213.137
172.105.96.226
172.111.10.182
172.245.135.175
173.82.142.226
173.212.205.73
173.255.225.17
176.99.175.241
176.111.173.27
176.120.203.230
176.124.32.84
178.72.70.130
178.72.81.217
178.78.41.94
178.141.211.58
179.43.142.79
179.43.155.209
179.43.162.124
179.43.182.188
179.93.214.34
179.109.39.65
180.190.80.61
181.200.7.84
182.59.255.130
183.14.212.99
185.17.0.201
185.21.217.75
185.101.139.100
185.102.174.109
185.102.174.187
185.131.52.220
185.144.156.81
185.150.26.248
185.163.45.39
185.174.136.230
185.196.220.64
185.224.128.110
185.225.74.79
185.225.74.131
185.225.74.155
185.225.74.159
185.225.74.160
185.225.74.193
185.228.81.141
185.246.220.136
185.252.179.190
185.254.18.2
185.254.37.3
185.254.37.81
186.23.28.47
186.29.32.140
186.57.243.235
187.148.28.150
188.32.93.32
188.93.233.29
188.127.254.243
188.165.194.214
188.166.248.148
189.217.91.114
190.109.229.46
190.211.252.19
190.211.252.22
190.211.252.50
191.190.215.47
192.187.109.243
193.29.189.14
193.29.189.37
193.29.189.74
193.35.18.35
193.35.18.37
193.35.18.53
193.35.18.56
193.35.18.62
193.35.18.64
193.35.18.109
193.35.18.147
193.42.32.40
193.42.32.124
193.42.32.174
193.42.32.198
193.42.32.207
193.42.32.240
193.47.61.47
193.111.198.59
193.111.248.175
193.149.176.198
193.151.146.131
193.233.18.179
193.233.232.72
194.15.36.24
194.26.229.157
194.34.132.186
194.37.80.97
194.37.80.211
194.38.21.21
194.41.47.197
194.55.224.35
194.55.224.149
194.55.224.182
194.59.31.34
194.59.31.108
194.59.31.121
194.87.151.56
194.87.151.120
194.87.151.135
194.87.151.244
194.87.216.140
194.110.247.20
194.110.247.198
194.169.175.190
194.180.48.60
194.180.48.69
194.180.48.84
194.180.48.108
194.180.48.149
194.180.48.158
194.233.175.76
195.2.74.10
195.3.223.177
195.58.39.227
195.154.220.30
195.178.120.181
196.89.34.233
197.49.155.159
197.203.142.119
198.55.103.124
198.98.52.145
198.98.53.159
198.98.53.236
198.98.58.12
198.98.60.57
198.98.62.142
199.195.251.104
200.74.109.153
200.106.214.155
201.187.159.95
202.14.121.237
202.92.6.102
202.189.6.234
204.44.71.71
204.44.76.117
204.44.109.81
205.185.116.126
205.185.118.82
205.185.123.50
206.189.155.244
206.217.205.20
207.154.192.237
207.180.192.46
209.38.225.88
209.105.243.162
209.126.1.176
209.141.36.28
209.141.36.87
209.141.46.106
211.101.236.121
211.114.224.93
212.87.213.148
212.102.240.243
212.113.119.121
212.227.212.40
212.250.71.34
213.232.112.203
213.232.115.140
216.118.230.197
217.26.55.50
217.76.48.204
217.79.184.40
217.160.192.182
218.212.63.52
219.106.208.57
219.110.67.181
220.89.226.43
220.146.70.185
222.14.209.81
222.227.199.208
223.130.30.55
223.130.30.98
223.130.30.104

Block DreamBus Botnet a Monero Crypto Miner

Enhancement idea

Block DreamBus Botnet a Monero Crypto Miner.

While the primary DreamBus malware payload is an open source Monero cryptocurrency miner known as XMRig, the threat actor can potentially pivot in the future to carrying out more destructive activities, such as ransomware or stealing an organization’s data and holding it hostage.

Link:
https://www.zscaler.com/blogs/security-research/dreambus-botnet-technical-analysis

Network Indicators

Domain / IP Address	Description
dreambusweduybcp.onion	TOR domain for commands
qsts2vqotnlh2h5xwa7fp3iopb7h7cngknjjo4f4sxhrwcqgughipxid.onion	TOR domain for modules
i62hmnztfpzwrhjg34m6ruxem5oe36nulzmxcgbdbkiaceubprkta7ad.onion	TOR domain for modules
nssnkct6udyyx6zlv4l6jhqr5jdf643shyerk246fs27ksrdehl2z3qd.onion	TOR domain for modules
ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion	TOR domain for modules
ji55jjplpknk7eayxxtb5o3ulxuevntutsdanov5dp3wya7l7btjv4qd.onion	TOR domain for modules
bggts547gukhvmf4cgandlgxxphengxovoyo6ewhns5qmmb2b5oi43yd.onion	TOR domain for modules
4iucigxvlfx4vcqn5sordersaa3a3ztjcaoszptxxo5b3pbn6nlwsfad.onion	TOR domain for modules
sg722jwocbvedckhd4dptpqfek5fsbmx3v57qg6lzhuo56np73mb3zyd.onion	TOR domain for modules
25wlksd35c2fs55rnhlcfz3jjaujxmbmfkvrxeu7tkgnnesdhh3gghqd.onion	TOR domain for modules
164.132.105.114	Monero mining pool
136.243.90.99	Monero mining pool
94.176.237.229	Monero mining pool
153.127.216.132	Monero mining pool
94.237.85.89	Hosts various DreamBus components

Block `Bashlite` aka `gayfgt, Gafgyt, qbot, torlus, lizkebab` malware

Enhancement idea

Block Bashlite aka gayfgt, Gafgyt, qbot, torlus, lizkebab malware.

Description

Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.

Links

https://threatfox.abuse.ch/browse/malware/elf.bashlite/

IOC

URLs

n/a

Domains

n/a

IP's

2.56.56.94
2.57.122.117
2.58.149.40
2.58.149.173
3.69.60.58
3.75.95.184
3.143.112.92
5.2.70.22
5.2.73.241
5.154.181.68
5.181.80.13
5.181.80.18
5.181.80.102
5.181.80.119
5.181.80.141
5.181.80.188
5.181.159.19
5.181.159.128
5.182.210.145
5.188.6.139
5.189.141.159
5.199.169.12
5.199.169.21
5.206.227.11
5.206.227.77
5.206.227.132
5.249.161.98
5.249.162.136
5.252.199.138
5.255.98.75
5.255.101.135
13.250.126.74
15.204.49.165
15.235.131.10
20.25.153.134
20.63.103.150
20.106.163.35
23.88.113.7
23.94.7.153
23.94.7.197
23.94.22.112
23.94.24.109
23.94.26.138
23.94.27.204
23.94.36.134
23.94.77.150
23.94.138.109
23.94.182.29
23.94.190.149
23.94.245.9
23.95.9.231
23.95.128.195
23.95.213.111
23.95.222.185
23.95.226.100
23.95.230.108
23.160.192.157
23.160.193.38
23.160.193.99
23.160.193.123
23.183.81.112
23.224.189.182
23.225.14.201
23.225.14.209
23.227.146.106
23.227.184.194
31.7.62.22
31.42.186.52
31.42.186.77
31.210.20.60
31.214.243.29
31.214.243.99
31.220.51.145
31.222.202.229
34.127.55.77
35.72.132.42
35.204.65.246
37.0.10.182
37.0.10.210
37.0.10.214
37.44.238.169
37.44.238.172
37.44.238.182
37.44.238.191
37.44.238.234
37.49.229.52
37.49.230.83
37.49.230.122
37.221.65.77
37.221.65.228
37.221.92.202
38.48.123.55
38.60.81.66
41.216.182.17
41.216.182.42
41.216.182.131
41.216.182.140
41.216.182.144
41.216.182.203
41.216.182.214
43.153.37.45
43.204.217.160
45.9.168.102
45.11.181.37
45.12.253.38
45.14.226.72
45.32.202.111
45.33.63.122
45.56.96.91
45.61.144.146
45.61.184.126
45.61.186.4
45.61.187.108
45.61.188.118
45.61.188.150
45.61.188.220
45.66.230.89
45.66.230.173
45.76.253.113
45.77.46.118
45.79.127.90
45.79.207.123
45.81.39.172
45.81.234.229
45.85.90.172
45.88.66.177
45.90.14.172
45.90.160.173
45.90.161.73
45.90.161.92
45.90.162.184
45.95.55.54
45.95.55.232
45.95.169.115
45.95.169.119
45.95.169.133
45.124.84.253
45.128.153.154
45.128.232.144
45.128.232.180
45.128.234.72
45.132.88.184
45.134.10.88
45.134.11.110
45.137.206.188
45.140.188.33
45.140.188.40
45.140.188.109
45.141.239.114
45.142.107.167
45.144.29.99
45.144.179.23
45.145.226.64
45.148.10.76
45.148.10.243
45.148.120.80
45.148.120.171
45.148.120.226
45.148.121.228
45.148.123.10
45.148.123.58
45.150.128.182
45.156.21.213
45.159.189.101
46.101.134.104
46.101.172.62
46.101.223.83
46.166.185.38
46.243.187.18
46.249.32.66
46.249.32.109
46.249.32.128
46.249.32.215
47.87.131.128
47.87.138.189
47.87.139.127
47.87.161.172
47.87.163.214
47.87.215.121
47.87.218.20
47.87.230.233
49.12.34.17
49.12.200.229
49.12.214.66
50.7.232.90
50.7.239.226
50.115.170.112
50.115.174.119
50.115.175.128
50.116.35.248
51.15.189.176
51.68.127.202
51.68.165.13
51.68.202.107
51.75.166.195
51.79.56.180
51.79.85.22
51.81.8.35
51.81.38.251
51.89.134.84
51.89.213.135
51.89.223.6
51.89.223.7
51.89.240.11
51.89.247.17
51.159.54.29
51.161.64.194
51.195.91.119
51.195.155.220
51.195.194.83
51.195.217.90
51.210.149.255
51.222.234.64
54.39.209.225
57.128.168.187
62.3.58.154
62.33.2.50
62.197.136.60
62.197.136.231
63.250.59.100
64.226.111.37
64.226.122.45
65.21.178.89
65.108.81.182
66.70.188.177
66.70.198.232
67.205.135.39
67.205.164.37
68.183.117.138
68.183.196.213
69.162.86.229
71.27.48.14
74.201.30.210
74.208.25.33
74.208.247.243
74.208.253.211
75.119.154.167
77.73.131.165
77.91.122.37
77.91.122.114
77.247.178.7
78.47.230.250
78.142.228.151
79.110.62.20
79.110.63.9
79.124.78.155
79.133.41.114
79.137.33.37
79.137.207.119
80.76.51.189
80.91.223.133
81.161.229.94
81.169.145.175
82.117.253.43
82.165.54.214
83.229.67.31
83.229.115.93
84.32.188.55
84.54.50.8
84.54.50.170
85.204.116.28
85.204.116.32
85.204.116.33
85.204.116.121
85.204.116.179
85.209.2.163
85.217.144.59
85.237.217.143
85.237.217.174
85.239.33.192
85.239.55.238
87.120.88.118
87.121.113.2
87.121.221.67
87.121.221.107
87.121.221.229
88.208.199.38
88.214.20.184
88.218.227.141
89.43.107.94
89.107.57.43
91.132.167.13
91.208.197.66
91.208.206.146
91.208.206.205
91.212.121.97
91.234.99.218
91.243.121.19
92.38.184.248
92.118.237.177
93.188.162.146
95.179.132.17
95.214.26.108
96.8.118.142
98.159.98.37
103.66.57.47
103.79.142.215
103.82.25.131
103.119.112.34
103.136.41.110
103.136.43.143
103.142.26.181
103.161.17.72
103.161.17.201
103.161.17.233
103.162.30.118
103.179.172.2
103.180.137.4
103.195.237.238
104.43.244.94
104.131.4.244
104.131.121.49
104.156.227.75
104.168.46.22
104.168.47.214
104.168.52.153
104.168.102.14
104.168.170.155
104.193.255.117
104.206.252.100
104.217.249.182
104.237.142.77
104.238.220.38
104.244.72.234
104.244.74.239
104.248.47.1
104.248.49.108
104.248.232.242
104.248.251.231
107.167.2.174
107.172.0.117
107.172.0.199
107.172.79.52
107.172.79.248
107.172.102.161
107.172.137.175
107.172.140.104
107.172.141.135
107.172.156.136
107.172.156.158
107.172.196.111
107.172.197.100
107.172.197.192
107.172.201.217
107.172.248.140
107.172.248.202
107.173.49.29
107.173.141.175
107.173.176.7
107.173.176.113
107.173.176.144
107.173.176.183
107.173.181.13
107.173.181.135
107.173.255.198
107.174.14.229
107.174.35.229
107.174.46.89
107.174.68.38
107.174.144.231
107.174.250.15
107.175.21.222
107.175.64.119
107.175.87.159
107.175.87.164
107.175.123.57
107.175.196.13
107.175.215.195
107.182.129.239
107.189.10.234
107.189.11.231
107.189.13.139
108.61.208.92
109.71.254.181
109.206.243.105
109.206.243.183
109.206.243.200
124.156.2.226
128.199.29.170
128.199.40.220
129.158.216.189
134.122.33.137
134.122.45.28
134.122.55.195
134.122.66.33
134.122.121.150
134.209.157.41
134.209.244.239
135.125.210.161
135.148.46.76
135.148.152.157
135.181.98.1
136.144.41.117
136.175.200.142
137.184.30.219
137.184.38.105
137.184.63.226
137.184.84.112
137.184.94.156
137.184.104.63
137.184.124.163
137.220.52.165
138.3.250.75
138.68.76.71
138.68.81.110
138.68.174.56
138.124.186.54
138.124.186.96
138.197.166.6
138.201.192.217
139.59.140.224
139.59.165.186
139.99.135.131
139.99.161.143
139.162.221.59
139.177.192.32
139.177.202.27
141.94.124.121
141.95.84.78
141.95.214.149
141.136.44.9
142.4.196.193
142.4.196.195
142.44.236.6
142.44.240.149
142.93.165.5
142.93.243.70
142.202.189.114
143.110.146.241
143.198.71.184
143.198.112.33
143.198.115.46
143.198.116.230
143.198.155.142
143.198.157.92
143.198.157.131
143.198.189.89
143.244.134.207
143.244.181.120
144.172.70.166
144.217.147.254
146.0.36.62
146.19.173.32
146.66.220.59
147.182.140.37
147.182.221.123
147.182.223.129
148.251.238.46
149.56.35.183
149.56.114.180
149.56.164.192
149.57.168.225
149.57.170.179
149.57.210.56
149.57.210.157
149.100.154.55
149.129.132.93
154.16.118.34
154.16.118.84
154.39.244.171
155.138.239.74
155.138.252.212
156.96.157.117
156.234.211.155
157.245.75.82
157.245.93.119
157.245.93.157
157.245.108.193
157.245.143.43
157.245.158.246
158.51.96.28
158.51.124.114
158.69.124.146
159.65.25.30
159.65.117.231
159.65.221.234
159.89.17.205
159.89.198.93
159.89.226.85
159.203.21.230
159.203.72.143
159.223.1.239
159.223.107.144
159.223.135.220
160.20.146.54
161.35.25.184
161.35.85.160
161.97.80.232
161.97.118.175
162.55.142.8
162.55.165.178
162.240.30.112
162.240.105.54
162.240.105.57
162.243.172.46
163.123.142.194
163.123.143.81
163.123.143.216
163.172.82.219
164.90.189.252
164.90.206.206
164.92.184.121
164.92.211.51
164.92.226.96
164.92.242.51
164.92.254.170
165.227.152.223
165.232.132.216
165.232.146.240
165.232.146.246
166.0.133.106
166.0.133.125
167.88.12.77
167.99.35.197
167.99.177.145
167.99.254.203
167.114.27.123
167.172.72.193
167.172.99.133
167.172.148.13
167.235.35.123
170.64.130.205
171.22.30.175
172.81.41.196
172.93.129.227
172.98.14.94
172.104.44.216
172.104.182.243
172.104.244.136
172.105.23.74
172.105.37.233
172.105.94.82
172.105.119.145
172.105.152.103
172.107.236.133
172.111.10.182
172.111.10.220
172.245.5.201
172.245.7.14
172.245.8.243
172.245.36.108
172.245.142.15
172.245.184.103
172.245.184.130
172.245.185.117
172.245.186.149
172.245.210.119
173.82.206.235
173.212.249.232
173.232.146.125
173.249.0.42
176.58.121.232
176.111.173.27
176.123.5.44
176.123.6.43
176.123.6.48
176.123.6.160
176.123.6.196
176.123.10.9
176.126.175.205
178.33.159.135
178.62.79.170
178.62.253.153
178.128.110.165
178.128.164.227
178.128.193.205
179.43.162.124
179.43.187.169
179.43.187.230
179.61.251.89
179.61.251.251
181.214.231.41
185.10.68.127
185.17.0.167
185.28.39.15
185.38.142.103
185.44.81.78
185.64.104.181
185.101.107.55
185.107.195.203
185.110.190.83
185.112.83.232
185.117.3.107
185.120.144.174
185.126.117.236
185.145.245.55
185.153.180.80
185.154.13.88
185.158.112.239
185.172.114.157
185.177.57.45
185.186.244.183
185.189.51.86
185.212.44.240
185.213.27.2
185.216.71.116
185.219.221.161
185.225.73.130
185.225.74.3
185.225.74.67
185.225.74.175
185.225.75.206
185.234.13.129
185.236.228.145
185.237.96.86
185.244.129.29
185.244.129.67
185.246.221.138
185.252.178.159
188.127.231.132
188.127.239.36
188.127.251.1
188.165.170.24
188.213.7.44
188.227.106.34
191.96.165.103
192.3.15.116
192.3.15.119
192.3.80.128
192.3.80.137
192.3.118.107
192.3.228.148
192.3.231.100
192.95.50.228
192.99.169.203
192.210.163.112
192.210.163.130
192.210.163.166
192.210.226.183
192.210.239.176
192.227.131.134
192.236.147.78
193.26.22.107
193.35.18.57
193.35.18.171
193.35.18.212
193.35.18.220
193.42.32.175
193.42.33.14
193.42.33.81
193.42.33.214
193.84.88.86
193.105.134.119
193.169.253.161
193.200.16.112
193.201.126.75
193.233.185.59
194.34.132.186
194.37.80.116
194.55.186.118
194.55.224.126
194.59.31.34
194.62.157.35
194.85.248.128
194.85.249.3
194.85.249.7
194.85.249.9
194.85.250.154
194.87.106.36
194.87.138.18
194.87.138.136
194.87.138.146
194.87.138.169
194.87.138.171
194.87.197.237
194.147.142.169
194.147.149.3
194.163.34.162
194.163.148.138
194.180.48.22
194.180.48.30
194.180.48.69
194.195.117.185
194.195.246.14
194.233.90.81
195.58.38.210
195.58.39.18
195.58.39.200
195.58.39.206
195.58.39.207
195.58.39.231
195.58.39.250
195.133.5.119
195.133.40.45
195.178.120.151
195.249.159.167
195.249.159.187
195.249.159.195
197.26.112.165
198.12.113.239
198.12.120.177
198.12.123.196
198.23.214.174
198.23.255.14
198.46.148.130
198.46.188.140
198.46.202.103
198.46.223.161
198.50.242.126
198.58.123.77
198.98.48.39
198.98.54.27
198.98.54.38
198.98.55.220
198.98.62.168
198.244.189.90
198.244.193.25
199.19.226.142
199.195.249.90
199.195.253.121
204.76.203.84
205.147.101.170
205.185.115.101
205.185.115.164
205.185.118.192
205.185.119.11
205.185.121.251
205.185.122.29
205.185.124.91
205.185.124.167
206.83.40.53
206.83.40.162
206.189.234.6
208.58.102.71
208.67.104.67
208.67.104.94
209.25.141.194
209.25.141.223
209.25.141.229
209.126.73.248
209.141.32.221
209.141.33.136
209.141.34.151
209.141.36.110
209.141.37.70
209.141.40.33
209.141.40.107
209.141.41.11
209.141.42.178
209.141.46.223
209.141.48.229
209.141.51.34
209.141.56.206
209.141.57.91
209.141.60.62
209.141.61.201
212.24.110.70
212.90.123.3
212.129.56.171
212.192.216.31
212.192.216.78
212.192.241.44
212.192.241.221
212.193.30.219
212.193.30.245
212.227.3.102
216.173.119.164

Block `DCRat` aka `DarkCrystal RAT` malware

Enhancement idea

Block DCRat aka DarkCrystal RAT malware.

Description

DCRat is a typical RAT that has been around since at least June 2019.

Links

https://threatfox.abuse.ch/browse/malware/win.dcrat/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

n/a

Domains

akamaitechcdns.com
asyx.ru
banjaro.de
bookintosh.com
castlehost.ru
chernobyl-hack.online
craft-host.ru
dcbiorlov.shop
dccr.ru
dccrk.top
dcrack.ru
devil137.ru
dreadhack.ru
haivo.co.zw
haskers.ru
hostland.pro
justns.ru
klopware.space
kriptnhosting.ru
kriptonhosting.store
limfunsto.site
n9shteam1.top
neverchurka.ml
newdfhfgdjmfgjm.store
nftbanger.ru
nyashkoon.top
nyashnyash.top
nyasht.ml
nyashteam.ru
nyashteam.top
nyashtop.top
nyashtyan.top
pococox.cc
regruhosting.ru
rfewkfnr234.cf
rocketchange.xyz
samp-loader.ru
sclad.network
softportal.tk
svinlasf.ru
test-hf.su
theworkpc.com
tmweb.ru
tw1.ru
vbhfghgfjjfgd.online
viewdns.net
vnh.wtf
webaitech.xyz
whatipedia.org
whiteproducts.ru
xsph.ru
xxhdftgjftgkjfgk.site

IP's

1.165.96.128
1.242.139.44
3.6.30.85
5.42.65.49
5.42.77.211
5.42.85.163
5.42.92.132
5.63.154.100
5.63.159.156
5.161.143.111
5.178.3.191
5.252.118.26
15.188.64.143
15.207.54.166
20.199.18.38
20.199.64.106
20.199.65.155
20.199.73.159
20.216.162.185
20.216.165.135
20.216.178.113
20.223.128.97
23.137.249.17
31.24.87.18
31.41.221.82
31.129.22.12
31.210.55.202
34.92.66.146
37.18.62.18
37.46.128.31
37.46.129.39
37.46.130.3
37.46.134.156
37.46.134.225
37.187.222.230
37.220.86.127
37.220.87.84
37.230.112.51
37.230.113.82
37.230.116.57
37.230.116.166
38.242.133.44
38.242.139.217
38.242.207.140
40.87.50.159
40.114.223.144
41.62.221.74
43.243.111.229
43.248.188.196
45.8.159.53
45.8.230.157
45.12.221.10
45.12.238.157
45.15.157.1
45.15.157.11
45.32.74.105
45.61.188.238
45.63.74.55
45.67.231.91
45.74.7.10
45.77.34.211
45.77.175.130
45.82.13.18
45.83.194.100
45.83.194.102
45.86.229.156
45.91.8.171
45.92.1.155
45.93.200.140
45.95.19.170
45.95.19.172
45.95.19.173
45.95.19.174
45.124.115.20
45.128.234.216
45.132.1.186
45.132.18.133
45.137.65.70
45.140.147.119
45.140.147.214
45.141.79.87
45.142.36.241
45.144.154.62
45.144.233.162
45.153.68.9
45.156.84.108
46.3.197.86
46.18.107.229
46.23.96.131
46.30.45.25
46.148.114.84
46.149.77.33
46.151.30.40
46.175.146.110
46.175.150.73
46.246.14.20
47.96.64.30
47.106.131.255
47.254.75.102
49.12.227.111
51.38.163.64
51.120.245.251
51.161.64.200
51.210.69.65
52.152.223.228
52.186.31.169
62.84.97.90
62.109.0.205
62.109.0.255
62.109.5.68
62.109.5.72
62.109.7.0
62.109.8.21
62.109.8.37
62.109.9.201
62.109.10.87
62.109.12.5
62.109.13.186
62.109.17.54
62.109.20.14
62.109.21.205
62.109.22.191
62.109.23.37
62.109.25.12
62.109.26.135
62.109.27.71
62.109.27.119
62.109.27.122
62.109.28.7
62.109.28.158
62.109.30.213
62.109.31.35
62.109.31.200
62.113.96.239
63.143.47.135
64.44.166.203
64.176.43.239
64.225.102.136
65.21.251.86
65.109.63.235
77.55.208.121
77.73.131.120
77.73.133.58
77.73.133.75
77.91.68.78
77.91.72.151
77.91.77.179
77.91.124.111
77.91.124.246
77.92.154.211
77.246.107.91
78.24.216.186
78.24.221.170
78.24.222.9
78.24.223.53
78.141.213.103
79.124.56.6
79.132.140.15
79.137.196.92
79.137.202.118
79.137.202.179
79.137.203.186
79.137.207.211
79.137.248.10
79.174.13.54
80.66.64.164
80.66.79.39
80.78.247.142
80.78.251.51
80.87.192.174
80.87.192.227
80.87.194.58
80.87.198.76
80.87.202.7
80.90.185.107
81.200.152.41
81.218.45.223
82.115.223.17
82.115.223.92
82.146.33.148
82.146.34.244
82.146.35.75
82.146.36.3
82.146.42.247
82.146.43.250
82.146.46.51
82.146.47.144
82.146.48.182
82.146.48.243
82.146.52.24
82.146.52.151
82.146.52.200
82.146.52.217
82.146.53.241
82.146.54.148
82.146.54.219
82.146.58.86
82.146.60.81
82.146.60.137
82.146.61.207
82.146.62.116
82.147.85.228
82.148.30.111
82.156.141.121
82.165.114.107
83.136.232.155
83.136.232.228
83.220.168.32
83.220.169.211
83.220.172.137
83.220.172.179
83.220.173.145
83.220.174.44
83.229.83.102
85.31.46.137
85.192.41.4
85.192.63.134
87.121.221.220
87.251.77.205
88.210.9.215
89.23.96.74
89.23.96.202
89.23.97.43
89.23.97.74
89.23.97.153
89.23.101.37
89.23.110.215
89.41.182.81
89.108.88.227
89.108.115.110
89.185.85.106
89.185.85.200
89.191.228.213
89.211.209.74
91.134.150.156
91.151.88.63
91.201.112.111
91.219.62.158
91.227.113.154
91.228.155.244
91.240.86.94
92.51.36.155
92.53.71.105
92.63.96.83
92.63.97.36
92.63.97.158
92.63.97.185
92.63.99.234
92.63.101.56
92.63.104.30
92.63.104.96
92.63.104.240
92.63.106.16
92.63.107.173
92.63.107.224
92.63.189.63
92.63.193.81
92.63.193.111
92.255.107.38
92.255.107.243
93.123.118.74
94.103.92.207
94.124.192.220
94.131.96.44
94.131.112.154
94.142.138.30
94.142.142.6
94.156.102.214
94.156.253.218
94.228.126.154
94.250.250.160
94.250.252.221
94.250.252.243
94.250.254.158
94.250.255.214
95.163.233.217
95.179.128.208
95.214.26.63
95.214.26.66
95.214.26.67
95.214.26.88
95.214.26.89
95.214.27.6
95.214.53.31
95.217.3.189
95.217.99.28
95.222.241.139
103.38.83.176
103.39.78.162
103.144.148.219
103.146.78.130
103.162.14.197
103.170.118.35
103.186.108.229
103.231.254.144
104.219.234.167
109.107.189.197
109.172.44.182
109.172.83.121
109.195.94.247
111.229.139.47
112.213.98.87
113.30.150.52
114.96.73.0
118.89.85.106
119.91.99.194
120.78.151.171
121.40.81.65
124.72.246.78
134.255.216.148
135.181.99.197
135.181.106.220
135.181.164.113
138.128.242.147
139.180.143.50
141.95.11.145
141.95.84.40
142.202.242.168
144.126.230.14
145.239.27.225
146.19.24.118
147.185.221.181
149.154.64.5
149.154.64.92
149.154.66.74
149.154.68.117
149.154.69.62
149.154.71.81
150.107.2.176
150.107.2.178
150.107.2.180
151.248.117.210
151.248.121.68
154.12.254.215
154.49.137.173
154.53.42.53
159.65.31.64
159.65.235.56
159.69.64.122
159.89.232.82
162.55.33.151
164.92.181.85
166.88.209.105
167.88.170.23
168.119.148.218
172.94.103.16
172.94.103.112
172.94.103.171
172.104.4.99
172.111.236.107
176.37.97.210
176.96.137.221
176.113.82.46
176.126.103.159
177.255.88.252
177.255.90.40
178.250.156.2
178.250.156.30
178.250.156.210
178.250.158.26
178.250.158.47
178.250.158.55
178.250.159.46
178.250.159.50
178.250.159.206
179.43.142.36
179.43.154.184
179.43.163.120
179.61.251.188
180.12.159.131
181.235.12.82
185.5.248.148
185.16.38.98
185.20.227.154
185.43.4.203
185.46.10.199
185.46.46.139
185.60.134.186
185.63.191.134
185.92.149.245
185.104.113.225
185.104.248.184
185.106.92.110
185.112.83.11
185.112.144.202
185.139.230.98
185.143.220.212
185.146.156.56
185.146.156.144
185.146.157.98
185.146.157.245
185.149.146.185
185.158.251.88
185.161.251.195
185.174.136.187
185.182.111.66
185.183.94.24
185.189.12.109
185.189.181.87
185.196.8.91
185.197.75.85
185.213.211.238
185.221.67.22
185.225.18.110
185.241.208.121
185.246.65.20
185.246.67.84
185.246.222.117
186.169.68.32
188.120.224.186
188.120.225.216
188.120.226.231
188.120.227.150
188.120.231.63
188.120.231.113
188.120.233.42
188.120.233.131
188.120.233.146
188.120.236.114
188.120.237.72
188.120.241.206
188.120.242.207
188.120.243.11
188.120.244.227
188.120.246.49
188.120.246.154
188.120.251.253
188.120.253.98
188.120.253.147
188.127.231.139
188.132.197.93
188.132.197.104
188.225.58.206
188.225.58.220
190.211.255.106
191.101.3.50
192.99.10.207
192.154.229.64
193.37.71.142
193.42.32.159
193.124.92.72
193.188.23.169
193.233.49.76
193.233.164.54
194.5.78.193
194.26.192.203
194.40.243.101
194.58.92.23
194.59.31.109
194.61.52.49
194.67.67.43
194.67.67.104
194.67.74.169
194.67.87.32
194.67.92.230
194.67.111.145
194.87.62.41
194.87.82.229
194.87.101.56
194.87.186.10
194.87.199.77
194.87.214.216
194.87.218.64
194.87.219.243
194.87.237.68
194.147.90.111
194.156.88.152
194.226.121.83
194.226.121.128
194.226.121.164
195.3.223.35
195.3.223.79
195.3.223.218
195.133.75.27
195.133.75.174
195.133.75.213
198.23.212.148
202.146.218.35
206.238.221.30
209.25.142.180
212.109.192.100
212.109.194.187
212.109.195.44
212.109.195.187
212.109.199.150
212.113.116.24
212.118.36.238
212.224.113.92
213.159.208.46
213.159.208.100
213.238.182.19
216.83.38.252
217.25.95.234
217.144.103.11
217.144.103.26
217.196.96.4
223.26.57.45

Emails

n/a

Wallet Addresses

n/a

Block `SpyNote` Spyware with RAT capabilities targeting Financial Institutions

Enhancement idea

Block SpyNote Spyware with RAT capabilities targeting Financial Institutions.

Links

https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions

https://threatfox.abuse.ch/browse/malware/apk.spynote/

IOC

Domains

16clouds.com
1105181.com
1213454.com
1213455.com
1213457.com
1213458.com
1215466.com
1239988.com
1319510.com
1319551.cc
1319553.com
1319554.com
1319556.com
1319557.com
1319558.com
1319559.cc
1416233.com
1518644.com
adnankara1.ddns.net
amazonapp.space
beautyforyou.top
bizebiz.myftp.org
buy-n-go.info
c6ih1t.com
charge-web.info
csx22.top
deluxe-mall.info
dorila.top
eco-mall.info
ecomall.info
flamefork3.com
freedomly.top
heishitanfan.online
lapassover.site
m10688.com
m18888.com
m158663.com
megamalll.info
mining8.cc
mitaoapp.space
msmartb.com
msmartc.com
msmartd.com
msmartf.com
msmartg.com
msmarti.com
msmartj.com
msmartk.com
msmartl.com
msmartm.com
mtymall.info
peninsula3.com
petrus4.com
posngoappg.com
posngoappk.com
posngoappm.com
posngoappp.com
posngoapps.com
posngoappu.com
posngoappx.com
posngovipappa.com
recruitment59.com
recruitment60.com
recruitment61.com
recruitment62.com
server.aztecvds.com
shangri3.com
silent911-44688.portmap.io
skeptictyson.com
stripchat15.com
stripchat70.com
the-maids.info
video01.dorila.top
warwickyouth.com
zer0-dust.com

IP's

8.219.143.100
104.233.210.35
107.148.37.15
107.148.37.21
107.148.37.120
107.148.37.180
107.148.37.181
107.148.37.182
107.148.37.234
107.148.37.236
107.148.37.237
137.220.135.71
154.211.96.78
159.203.126.35
185.247.137.28

Block `Letscall` banking malware

Enhancement idea

Block Letscall banking malware.

Links

https://www.threatfabric.com/blogs/letscall-new-sophisticated-vishing-toolset

IOC

Domains

finda.buzz
fss-app.live
letscall.39nat.com
letscall.fyi
letscall.ltd
letscall.today
nicetv.live

IP's

35.243.122.211
45.43.215.98
45.43.215.106
137.220.142.149
137.220.142.160
137.220.179.112
143.92.34.8
143.92.34.22
143.92.34.44
154.215.238.195

Next major release into a stable version

Enhancement idea

Extras to add to block lists:

drop-dogecoin.com
moneylion.com
dokidoki.finance
uniswap.homes
virtoken.top
bx.exchange
pas-capital.com

To be added to Whitelists

Common Short Links (to remove):

t.ly
t.me

Common Social Media Links (to remove):

m.youtube.com
youtube.com
instagram.com
z-p15.www.instagram.com
facebook.com
twitter.com

Use URL and not domains for the following:

https://docs.google.com/forms/*
https://github.com/*
https://translated.turbopages.org/*
*.amazonaws.com
*.azurewebsites.net
*.blogspot.co.za
*.blogspot.com
*.bluehosting.cz
*.bravesites.com
*.business.site
*.cprapid.com
*.easterndns.com
*.fleek.co
*.firebaseapp.com
*.github.io
*.glitch.me
*.godaddysites.com
*.host.secureserver.net
*.infinityfreeapp.com
*.liveblog365.com
*.netlify.app
*.ngrok-free.app
*.nimbusweb.me
*.pages.dev
*.pantheonsite.io
*.repl.co
*.sitebeat.crazydomains.com
*.translate.goog
*.vercel.app
*.w3spaces.com
*.web.app
*.webflow.io
*.weeblysite.com
*.wikidot.com
*.windows.net
*.wixsite.com
*.wordpress.com
*.workers.dev
*.yolasite.com
*.zendesk.com

Above are free hosting domains etc.

Tor Websites

.onion

I2P Websites

.i2p

IPFS Links

*.ipfs.*

Link: https://docs.ipfs.tech/how-to/address-ipfs-on-web/#subdomain-gateway

Block `Loki Password Stealer (PWS)` aka `Burkina, Loki, LokiBot, LokiPWS` malware

Enhancement idea

Block Loki Password Stealer (PWS) aka Burkina, Loki, LokiBot, LokiPWS malware.

Description

Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.

Links

https://threatfox.abuse.ch/browse/malware/win.lokipws/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

n/a

Domains

ab-services.ma
abjkad.com
aerostarmodel.buzz
allfamax.com
aluminprodu.top
andrebadi.top
apoxnew.com
areen.top
asbogadajuli.tk
assaggip.cf
assaggip.ga
assaggip.gq
assaggip.ml
assaggip.tk
batlxt.org
binatbless.me
blacklifestyle.net
blaztech.us
bobby1.xyz
caesarsgroup.top
cantebo.buzz
chilok.us
chinacarbonfiber.buzz
civcxs.xyz
cretenom.ga
dadatiles.com.au
darls.us
dhabigroup.top
dnuocc.com
dopilnram.cf
dopilnram.ga
dopilnram.gq
dopilnram.ml
dopilnram.tk
drinz.us
duckdns.org
ebelk.us
ebnsina.top
edtagproducts.buzz
edulinkr.com
efvsx.cf
efvsx.ga
efvsx.gq
efvsx.ml
efvsx.tk
ekens.top
ekens.us
eleronixzkt.cf
eleronixzkt.ga
eleronixzkt.gq
eleronixzkt.ml
eleronixzkt.tk
entracollc.top
esplogem.ga
eventovirtualbdb.com
eyecos.ga
eyeofbangladesh.com
fengpower.buzz
fufux.xyz
gensis-advpg.com
hghfe.cf
hghfe.tk
hmsd.us
hncelectric.cf
holinamet.us
hosseinsoltani.ir
iklok.us
impexawards.com
ironoreprod.top
jackmoynehan.com
jithiadaproperties.com
jojohats.co.uk
julypc.ga
julypc.gq
julypc.ml
julypc.tk
kene.us
lasloki.us
lazarovs.cf
lazarovs.ga
lazarovs.ml
lazarovs.tk
loki5.info
lokiz.org
lomboster.top
mainpage-auth.ml
manaman.xyz
matbin.com
maylnk.gq
mecharnise.ir
megared.buzz
meyervanderwalt.top
microsoft-webpage-auth.ml
midlandpaper.icu
mnbvcxz.biz
nice-can.cf
office-webpage-auth.ml
oilrig.sbs
oracover.buzz
ornivska.cf
parpee.com
payypal.info
pearlgroup.icu
pelsotin.buzz
penairs.ml
phoenixcreation.in
predictindia.co
profirst.com.vn
publicspeaking.co.id
pvcfloorco.com
qtd8gcdoplav737wretjqmaiy.tk
redirectme.net
rnileniaexpress.com
rotf.tk
s3rv.me
satrading.us
sedesadre.cf
sedesadre.ga
sedesadre.gq
sedesadre.ml
sedesadre.tk
segoremlolgv.cf
segoremlolgv.ga
segoremlolgv.gq
segoremlolgv.ml
segoremlolgv.tk
sempersim.su
shunfengpower.buzz
siiigroup.com
simcoes.top
smrtp.ru
solariseng.icu
solefex.com
spec.ir
spencerstuartllc.top
stardoors.com.br
svmarketingindia.com
sytes.net
teleportstation.gq
teleportstation.tk
telexmint.me
tetiquila.me
thammyvienanthea.com
tiscali.buzz
tixfilmz.cf
tixfilmz.ga
tixfilmz.gq
tixfilmz.ml
tixfilmz.tk
tjfr.ga
tompsup.me
topendpower.top
uipmcenter.net
umulok.us
usa.cc
vlascx.xyz
walinstitute.com
webhop.me
wexno.us
xhvbzueifhdbjdfywete4y8va.cf
xpznl.click
ziuxte.online
zjvvymy.com

IP's

2.56.57.50
2.59.254.19
23.94.159.226
23.95.132.48
23.239.31.197
23.254.128.166
31.220.2.120
31.220.2.200
31.220.40.22
37.0.11.227
37.139.128.94
45.61.169.32
45.77.76.224
45.133.1.20
45.133.1.45
45.139.105.181
45.155.165.70
46.21.147.34
62.108.40.64
62.197.136.176
63.250.44.84
64.227.48.212
66.29.145.162
68.183.13.128
79.110.48.215
79.110.49.21
79.110.62.142
80.208.226.98
80.209.231.24
85.31.46.94
85.31.46.190
85.202.169.172
87.121.47.132
91.223.82.29
93.188.165.64
94.131.105.161
95.164.23.2
95.179.142.132
103.133.107.162
103.139.44.52
103.156.90.111
103.167.85.164
103.207.39.127
103.219.154.200
104.156.227.195
104.168.166.188
137.74.157.83
138.68.56.139
141.98.6.162
141.98.6.249
142.11.211.144
146.19.233.219
157.245.36.27
159.89.118.162
161.35.102.56
162.0.223.13
162.213.249.190
163.123.143.202
163.123.143.204
163.123.143.215
163.123.143.216
163.123.143.217
171.22.30.147
171.22.30.164
173.208.204.37
179.43.149.50
185.102.170.20
185.162.10.145
185.165.31.194
185.216.71.207
185.227.139.18
185.246.220.60
185.246.220.85
185.246.220.212
192.64.118.167
192.227.168.194
193.42.32.209
194.49.94.97
194.55.224.9
194.55.224.10
194.55.224.11
194.55.224.15
194.55.224.16
194.180.48.58
195.133.19.4
195.154.34.135
198.12.89.174
198.98.54.161
198.187.30.47
208.67.105.148
208.67.105.161
208.67.105.162
208.67.105.179
212.192.246.61
216.128.145.196

Emails

n/a

Wallet Addresses

n/a

Block `FluBot` Android malware

Enhancement idea

Block FluBot Android malware.

Links

https://www.politie.nl/nieuws/2022/juni/1/02-politie-stopt-internationaal-verspreiding-flubot-malware.html

https://github.com/prodaft/malware-ioc/blob/master/FluBot/FluBot.pdf

IOC

Domains C&C Server:

afhckrfcucjbpln.com
aogedvhwqhuokpd.ru
bmpfkgsottkswfh.com
dmkpheoqsfuvwxo.ru
egusnkbawrrmqvj.ru
lnnrpwtstcbmdhn.com
mbhpikampombehi.com
muqgllmqtyllhwn.com
nfiuerwftasnuk.com
nfiuerwtftasnuk.com
obunryugtpfyssw.ru
wenkgefmpgfumtk.com
xjnwqdospderqtk.ru

IP's:

72.26.218.86
87.106.18.146
162.217.98.146
178.162.203.202
178.162.203.226
178.162.217.107

Block `SpiderLabs Responder` malware

Enhancement idea

Block SpiderLabs Responder malware.

Description

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

Links

https://threatfox.abuse.ch/browse/malware/py.responder/

IOC

URL's

n/a

Domains

n/a

IP's

3.10.119.204
3.12.70.77
3.12.70.100
3.12.113.100
3.13.105.185
3.13.133.182
3.13.245.246
3.14.171.147
3.15.47.174
3.16.18.205
3.17.157.166
3.18.216.192
3.19.132.170
3.20.75.110
3.20.119.106
3.20.119.241
3.20.179.134
3.21.148.106
3.21.214.24
3.22.49.14
3.22.216.255
3.85.247.12
3.88.28.39
3.101.47.74
3.104.43.231
3.121.141.12
3.128.165.237
3.128.194.55
3.128.252.159
3.129.81.0
3.129.141.104
3.129.240.162
3.130.196.221
3.131.44.28
3.131.218.223
3.131.227.105
3.131.231.5
3.132.29.83
3.132.94.5
3.132.230.8
3.132.237.169
3.133.158.78
3.134.130.179
3.134.198.51
3.135.83.21
3.135.207.47
3.137.67.123
3.137.106.230
3.138.120.116
3.138.212.37
3.139.196.148
3.139.254.8
3.140.57.4
3.140.83.98
3.141.41.197
3.141.100.76
3.141.110.210
3.142.101.254
3.143.46.79
3.143.53.4
3.143.166.127
3.144.141.97
3.144.162.158
3.144.230.147
3.216.91.201
3.218.78.81
3.249.44.94
3.249.151.135
3.249.212.201
3.249.217.223
3.250.59.127
3.250.73.156
3.250.81.251
3.250.85.71
3.250.135.63
3.250.180.210
3.252.35.178
3.252.219.5
3.253.111.92
3.253.126.198
3.253.165.48
4.236.181.211
5.78.75.82
5.161.227.219
12.181.65.210
12.181.120.250
12.215.33.182
13.39.125.197
13.58.85.225
13.58.96.172
13.59.8.92
13.59.76.247
13.59.98.191
13.59.198.138
13.59.226.24
13.87.92.152
13.90.242.103
13.127.51.101
13.211.145.235
15.200.170.168
15.222.6.75
18.116.0.119
18.117.104.228
18.117.150.53
18.117.230.23
18.118.134.58
18.118.140.42
18.119.78.203
18.119.148.147
18.133.125.105
18.143.148.26
18.184.92.206
18.188.0.172
18.188.83.124
18.189.1.24
18.189.170.215
18.189.207.77
18.190.16.172
18.190.55.0
18.190.70.155
18.190.105.56
18.191.16.224
18.191.220.246
18.202.28.86
18.202.77.193
18.203.66.157
18.203.66.192
18.203.232.101
18.204.142.71
18.204.143.31
18.209.87.127
18.217.73.143
18.217.220.11
18.218.161.182
18.219.194.184
18.221.8.108
18.221.8.178
18.221.36.131
18.221.160.80
18.222.81.233
18.222.116.178
18.222.127.73
18.223.65.54
18.223.99.152
18.223.139.17
18.224.23.33
18.236.65.63
18.236.83.77
20.13.154.2
20.49.161.22
20.49.161.31
20.51.172.81
20.66.12.220
20.74.179.106
20.89.239.154
20.114.233.45
20.125.105.211
20.171.239.247
20.199.126.16
20.204.156.0
20.218.135.30
20.223.231.108
20.229.106.61
20.232.138.101
20.242.52.93
20.248.170.105
24.112.21.157
34.88.222.181
34.89.32.20
34.107.117.33
34.125.68.109
34.132.176.70
34.170.8.133
34.200.246.53
34.239.254.99
34.240.177.115
34.244.155.135
34.244.225.146
34.245.228.37
34.245.235.157
34.247.178.39
34.247.180.46
34.252.59.180
34.254.66.161
34.254.92.89
34.254.99.129
34.255.136.190
35.88.74.16
35.153.31.255
35.171.153.152
35.178.178.143
35.179.16.154
35.183.112.212
35.192.152.195
35.207.206.133
36.139.7.145
37.139.20.46
38.64.65.8
38.107.146.136
38.180.26.172
38.180.74.55
38.242.21.30
43.159.46.228
44.195.147.254
44.203.207.207
44.204.136.58
44.206.141.197
45.32.252.66
45.33.66.128
45.33.105.239
45.33.113.57
45.55.68.230
45.55.131.52
45.77.63.93
45.79.46.240
45.79.190.124
45.95.202.23
45.135.135.132
45.137.117.144
45.138.74.77
45.152.66.95
45.152.85.12
45.153.231.136
46.44.62.227
46.101.82.153
46.101.85.199
46.101.201.97
46.137.19.86
46.137.38.121
47.251.56.204
50.173.136.70
50.173.136.89
50.220.18.251
51.38.185.204
51.75.91.172
51.83.249.137
51.91.102.222
51.91.192.245
51.91.255.96
51.104.206.207
51.136.18.109
51.138.178.152
51.222.210.33
51.250.15.242
51.255.5.104
52.3.246.29
52.14.45.109
52.14.219.131
52.14.231.198
52.39.134.246
52.54.249.74
52.61.243.196
52.62.245.83
52.63.54.1
52.148.136.164
52.156.24.108
52.176.39.204
52.210.38.225
52.213.56.33
52.214.15.177
52.215.189.181
52.232.66.211
52.233.69.141
52.237.219.78
52.242.127.108
54.74.80.81
54.74.103.235
54.74.113.22
54.74.121.3
54.78.31.229
54.78.36.15
54.84.64.28
54.154.116.15
54.171.182.212
54.171.200.92
54.194.26.52
54.194.129.38
54.202.161.131
54.215.195.254
54.216.35.66
54.216.99.131
54.221.74.208
54.229.70.32
54.229.180.175
54.235.25.159
62.10.74.27
62.10.74.218
62.182.159.155
63.32.112.45
63.33.70.163
63.34.170.255
63.35.181.86
63.35.187.119
63.35.209.111
63.250.41.138
64.73.162.11
64.95.58.116
64.225.16.14
64.225.79.75
64.226.68.20
64.226.126.5
64.227.99.90
65.108.196.151
65.109.9.51
66.109.142.164
66.225.35.229
67.204.14.215
67.207.92.254
68.183.48.144
68.183.52.177
69.61.107.214
75.119.142.33
76.80.45.197
77.87.189.34
78.47.126.26
78.57.231.58
78.128.99.215
78.128.113.130
79.137.199.98
80.77.25.147
80.85.156.184
80.90.181.129
81.29.134.165
82.65.153.201
82.203.66.252
82.209.203.58
84.222.45.254
86.107.197.31
87.239.108.174
88.99.87.77
88.119.171.155
88.218.194.37
89.17.153.8
89.29.128.9
89.96.196.150
89.103.125.204
89.117.53.115
89.185.233.204
89.207.88.72
89.246.175.139
91.107.237.229
91.134.141.245
91.153.61.172
91.198.77.129
91.245.253.74
92.205.183.181
92.222.82.133
92.243.64.44
94.34.22.106
94.34.35.44
94.34.39.95
94.34.46.13
94.34.69.41
94.34.135.188
94.34.138.108
94.102.59.188
94.231.205.74
94.237.56.83
94.237.58.198
95.179.185.77
95.214.55.202
95.215.8.182
97.101.28.237
99.20.25.218
101.43.185.225
102.67.140.187
103.56.55.109
103.179.98.83
104.131.3.28
104.131.9.22
104.194.222.50
104.200.16.74
104.200.72.212
104.207.155.133
104.214.231.190
104.225.129.100
104.238.60.31
104.238.190.138
104.248.6.54
104.248.82.194
107.175.172.171
108.11.193.244
109.120.182.2
109.248.6.221
109.248.6.224
109.248.6.246
109.250.180.168
109.250.181.60
120.138.18.160
120.138.26.178
128.199.35.229
128.199.149.75
131.246.5.26
134.122.68.71
134.209.28.104
134.209.83.148
134.210.3.102
135.125.190.193
137.184.24.157
137.184.40.73
137.184.95.140
137.184.125.135
137.184.225.245
137.184.232.71
138.68.114.167
138.68.131.112
138.68.172.182
138.68.176.126
138.197.2.107
138.197.40.125
138.197.129.43
138.197.171.97
139.59.169.53
139.162.138.252
139.162.185.21
139.162.203.245
139.177.189.73
139.177.193.144
140.99.170.9
141.164.54.106
142.93.190.214
142.93.239.226
142.234.157.66
143.110.238.47
143.110.239.243
143.198.0.217
143.198.11.108
143.198.93.21
143.198.105.12
144.21.38.200
144.91.86.133
144.91.109.211
144.126.152.51
146.70.35.153
146.70.106.86
146.190.30.180
146.190.163.231
146.190.177.246
149.28.176.160
149.102.158.245
151.216.222.60
154.53.37.105
157.230.18.228
157.230.122.150
157.230.217.169
157.245.22.50
157.245.118.196
158.101.172.180
158.160.16.61
158.160.68.42
159.65.86.149
159.65.130.138
159.65.188.55
159.65.193.223
159.89.136.178
159.203.78.46
159.203.143.27
159.223.244.75
161.35.110.235
162.55.182.201
162.221.25.38
163.172.232.20
163.172.234.8
164.90.192.165
165.22.36.210
165.22.47.224
165.22.57.138
165.22.79.82
165.154.221.149
165.227.76.192
165.227.96.221
165.227.112.99
165.227.191.106
165.227.216.142
165.232.41.18
165.232.108.62
165.232.154.39
167.71.27.110
167.71.105.253
167.71.130.5
167.71.162.248
167.71.164.74
167.71.245.181
167.99.113.2
167.99.114.6
167.99.124.140
167.114.115.246
167.114.199.74
167.172.68.48
168.75.77.20
168.235.67.214
170.64.129.207
170.64.152.14
170.64.153.127
170.64.196.87
171.33.246.87
172.86.70.31
172.86.76.246
172.104.149.134
172.105.20.107
172.190.188.163
174.138.56.197
174.138.88.77
176.97.73.54
176.124.198.40
178.20.43.41
178.79.164.166
178.128.159.180
178.170.221.54
179.43.142.90
185.14.58.59
185.33.13.189
185.62.57.120
185.62.58.178
185.162.235.233
185.163.48.111
185.183.33.148
185.195.24.162
185.200.221.16
185.224.129.221
185.225.70.149
185.225.75.198
185.238.248.67
188.93.210.12
188.116.36.102
188.165.172.200
188.165.185.107
188.166.11.107
188.166.41.114
190.12.102.167
192.52.167.199
192.169.6.162
192.241.193.93
193.36.15.198
193.36.15.249
193.42.39.50
193.42.39.254
193.46.199.253
193.46.254.201
193.108.4.76
193.142.30.29
193.149.185.71
193.233.133.63
194.37.97.138
194.67.103.231
194.68.26.244
194.87.236.17
194.113.72.148
194.113.74.9
195.2.67.79
198.98.53.100
198.199.108.132
198.211.103.135
199.44.220.88
200.40.79.11
201.174.21.202
201.174.115.4
203.41.157.231
206.71.148.109
206.188.197.123
206.189.95.62
206.189.96.108
206.189.204.236
207.127.27.17
207.246.106.194
209.38.206.59
209.38.212.41
209.38.225.79
209.51.171.194
209.97.156.169
209.222.17.15
210.16.65.178
213.32.72.95
213.227.155.89
213.227.155.115
216.66.50.242
216.66.50.250
216.120.203.74
217.69.9.193
217.182.253.107

Block `Cobalt Strike` Malware alias: `Agentemis, BEACON, CobaltStrike, cobeacon`

Enhancement idea

Block Cobalt Strike Malware alias: Agentemis, BEACON, CobaltStrike, cobeacon.

Links

https://threatfox.abuse.ch/browse/malware/win.cobalt_strike/

IOC

Added separately.

delete this issue

n/a

Block `AVE_MARIA1, 1AveMariaRAT1, 1Warzone RAT1, 1WarzoneRAT1, 1avemaria` malware

Enhancement idea

Block AVE_MARIA1, 1AveMariaRAT1, 1Warzone RAT1, 1WarzoneRAT1, 1avemaria malware.

Links

https://threatfox.abuse.ch/browse/malware/win.ave_maria/

IOC

Domains

adaisreal.ddns.net
backup1212.ddns.net
bluemoon7.duckdns.org
jayurbf.gleeze.com
mcmac.duckdns.org
testing1212.ddns.net
windnsch.freeddns.org

IP's

Added separately.

Block `BianLian` malware

Enhancement idea

Block BianLian malware.

Description

BianLian is a GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. The threat actors also use the double extortion method by stealing an affected organization’s files and leaking them online if the ransom is not paid on time. BianLian gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion. The BianLian ransomware uses goroutines and encrypts files in chunks to quickly hijack an infected system. The ransomware adds its own extension to each encrypted file.

Links

https://threatfox.abuse.ch/browse/malware/win.bianlian/

IOC

I2P websites

n/a

IPFS websites

n/a

TOR websites

n/a

URL's

n/a

Folders

n/a

Sub-Domains

n/a

Domains

n/a

IP's

2.59.254.29
3.72.105.50
3.82.108.57
3.109.108.143
3.134.86.154
3.236.161.7
3.249.5.101
5.45.67.163
5.104.80.155
5.161.51.212
5.181.20.110
5.182.39.10
5.183.95.20
5.183.95.54
5.183.95.165
5.206.224.39
5.230.67.2
5.230.72.245
5.230.74.62
5.230.74.81
5.255.123.19
13.38.36.123
13.38.37.128
13.39.160.220
13.59.168.154
13.212.116.128
13.215.227.78
13.215.228.73
15.188.49.63
18.144.70.39
18.159.131.209
18.191.133.139
18.204.17.193
18.221.191.129
23.106.215.47
23.163.0.32
23.163.0.34
23.163.0.50
23.163.0.51
23.163.0.149
23.163.0.228
23.163.0.241
23.227.203.245
34.172.205.52
34.207.174.202
34.219.121.232
34.249.53.58
35.157.43.44
35.180.225.185
35.181.59.201
35.183.14.149
37.1.220.35
37.220.31.17
37.220.31.54
37.228.129.4
41.199.178.166
43.139.241.58
43.155.77.226
43.239.158.5
44.212.18.9
45.12.2.230
45.32.124.182
45.33.119.19
45.45.219.118
45.56.162.16
45.56.165.30
45.58.52.123
45.64.186.135
45.76.181.107
45.77.198.117
45.80.151.49
45.82.72.227
45.82.153.168
45.86.163.224
45.86.163.228
45.87.155.88
45.114.129.150
45.125.64.198
45.134.174.99
45.145.186.188
45.150.65.235
45.150.65.251
45.153.231.73
45.153.241.96
46.30.190.27
46.148.139.144
51.15.18.85
51.38.103.199
51.68.190.20
51.81.61.109
51.91.79.105
51.91.79.144
51.250.67.119
51.255.5.14
51.255.5.104
51.255.171.187
52.53.186.224
52.59.214.191
54.70.125.21
54.144.145.126
54.173.59.51
54.186.70.33
54.186.116.62
54.193.91.232
54.227.224.229
60.251.43.146
62.84.103.107
62.141.75.134
62.182.159.155
64.44.185.125
64.52.80.219
64.190.113.2
65.49.204.225
65.109.3.80
65.109.225.7
66.29.145.128
66.29.151.151
66.29.155.94
66.85.26.54
66.85.26.162
66.85.27.163
66.85.156.78
66.85.156.83
67.43.236.29
67.43.236.30
69.57.161.144
69.57.163.45
74.119.194.165
74.137.167.112
76.74.127.146
76.74.127.147
78.111.99.46
78.142.29.14
79.137.203.215
80.78.22.88
80.92.206.206
80.211.65.159
83.97.20.170
85.13.119.232
85.13.119.234
85.13.119.235
85.13.119.236
85.217.222.44
85.239.34.36
85.239.52.212
87.247.185.109
88.119.169.140
89.23.107.110
89.147.110.189
89.203.129.66
89.203.129.77
89.203.129.78
89.203.129.98
89.203.129.99
89.203.129.100
89.203.129.101
89.203.129.125
89.203.129.126
89.208.106.3
89.248.172.108
91.213.50.35
91.234.199.23
91.234.199.211
93.95.224.189
94.156.6.19
94.158.244.220
94.198.53.89
94.232.46.24
95.163.181.86
95.164.46.139
95.179.147.117
95.179.251.217
95.213.145.101
96.45.160.162
97.74.80.232
102.189.9.45
103.20.235.154
103.20.235.195
103.109.100.222
103.208.86.32
104.156.149.138
104.194.11.252
104.194.215.254
104.194.222.35
104.194.222.70
104.194.222.87
104.200.67.41
104.200.67.156
104.200.67.244
104.200.72.2
104.200.72.6
104.200.72.25
104.200.72.94
104.200.73.117
104.200.73.239
104.223.0.85
104.234.118.129
104.236.1.224
104.238.35.26
104.238.35.76
104.238.35.112
104.238.223.3
104.238.223.5
104.238.223.10
104.238.223.15
104.238.223.19
104.243.32.53
104.243.33.83
104.243.33.84
104.243.33.85
105.197.95.254
108.165.178.42
108.165.178.43
108.174.60.151
109.248.6.207
109.248.6.217
109.248.6.223
109.248.150.13
130.193.43.10
134.122.60.222
134.195.88.27
134.209.34.155
135.125.250.237
135.181.94.156
138.124.183.149
139.59.238.242
139.99.78.141
140.82.54.186
141.98.168.19
141.98.168.159
142.93.141.211
142.202.205.24
143.198.46.29
144.208.127.18
144.208.127.115
146.70.35.153
146.70.41.200
146.70.115.26
146.70.158.90
146.70.158.169
147.78.46.40
147.182.185.94
149.56.95.151
149.91.91.174
149.154.158.114
149.154.158.153
149.154.158.214
149.248.14.201
151.236.9.60
151.236.9.205
151.236.20.110
151.236.20.232
151.236.21.76
154.7.99.15
154.237.225.34
155.94.160.243
157.254.194.223
158.160.3.251
158.160.7.184
158.160.10.29
158.160.30.214
158.160.68.42
158.160.110.214
158.255.208.115
159.65.124.252
159.223.223.189
159.223.250.0
161.35.138.42
161.97.78.118
162.0.225.155
162.0.230.23
162.19.175.54
162.33.179.116
162.244.83.217
162.252.172.69
162.252.172.194
162.252.175.211
163.172.132.163
165.22.31.213
165.22.244.32
165.232.112.135
167.71.15.25
168.119.88.236
168.119.183.224
169.239.129.77
170.247.3.189
171.217.52.185
171.221.170.20
172.86.122.183
172.86.123.67
172.93.96.60
172.93.193.157
172.96.137.159
172.96.188.130
172.104.62.140
172.105.94.31
172.105.120.11
172.245.128.35
173.232.2.41
173.254.235.24
173.254.236.139
176.105.202.212
176.119.30.73
179.61.154.3
185.17.40.156
185.82.200.188
185.99.133.112
185.108.129.37
185.108.129.62
185.112.146.250
185.156.252.168
185.193.126.62
185.243.114.63
188.34.130.46
188.116.24.4
188.127.242.204
188.208.141.203
188.225.73.216
188.241.240.117
188.241.240.203
192.52.167.39
192.52.167.83
192.71.227.70
192.71.227.116
192.71.227.126
192.71.227.236
192.74.254.207
192.121.16.180
192.144.37.56
192.161.48.17
192.161.48.51
192.236.192.207
193.29.59.109
193.29.187.217
193.36.117.117
193.149.129.110
193.149.185.27
193.164.249.99
194.4.48.63
194.26.29.87
194.68.26.216
194.135.119.168
194.156.98.226
195.62.53.94
195.123.218.117
195.128.235.20
195.133.40.108
195.154.166.134
198.177.123.207
198.177.124.107
198.199.76.216
198.252.98.186
198.252.108.86
203.161.54.85
204.152.203.90
204.152.203.94
207.246.68.214
208.123.119.100
208.123.119.153
210.16.121.40
212.118.42.117
213.164.30.188
216.128.151.226
216.146.25.23
216.189.149.71
216.189.159.34
216.238.72.107
216.238.78.86
216.238.83.131
217.195.153.228

Emails

n/a

Wallet Addresses

n/a