# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/ViriBack/status/1035683053459460098

3dchesmellltda.club

# Reference: https://researchcenter.paloaltonetworks.com/2016/03/banload-malware-affecting-brazil-exhibits-unusually-complex-infection-process/

compra-da-sorte.com
vemsorte2015.com

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banloa-CRQ/detailed-analysis.aspx

triocar.web1629.kinghost.net
www.inducar.kinghost.net

# Reference: https://twitter.com/pancak3lullz/status/1040343104564473865

beladoces.online/wp/wp-includes/brazilkrisemundial/index.php

# Reference: https://twitter.com/James_inthe_box/status/1242573224006696961

/AppCounter20032020-001/index.php

# Reference: https://twitter.com/1ZRR4H/status/1243178915507703810

seguridadsucursal.online
tma8sjw.myftp.org

# Reference: https://blog.scilabs.mx/blog/2019/12/06/campana-cosmic-banker-sigue-activa-y-revela-vinculo-con-banload/
# Reference: https://www.virustotal.com/gui/ip-address/51.79.31.28/relations

http://51.79.31.28
comprobantes.sytes.net
dgi1b2n3m4.ddns.net
/RO3473I4R4Y.php

# Reference: https://twitter.com/James_inthe_box/status/1245427754977263617

receitafazenda.webcindario.com
/primo/verifique.php

# Reference: https://twitter.com/NtSetDefault/status/1253292071877820416

4up4.com/uploads/file_2020-04-13_031927.jpg

# Reference: https://twitter.com/Bank_Security/status/1258359587729813504
# Reference: https://seguranca-informatica.pt/brazilian-trojan-banker-is-targeting-portuguese-users-using-browser-overlay/
# Reference: https://www.virustotal.com/gui/file/ed1e2a3767b575cce54e13e05112f30156590cc080a0d0865aaf85686c4e51be/detection

# NOTE(review): ip:port trail - 3389/tcp is the RDP port, so this entry is expected to match only flows to that
# exact port on 23.108.57.243 (other ports on the same host are not covered by it) - confirm against the loader.
23.108.57.243:3389
http://23.106.124.20/avs/img1/index.php

# Reference: https://twitter.com/sevenofnull/status/1275342947068915713
# Reference: https://app.any.run/tasks/141db5f3-0e93-43c3-96e9-ebf0e69bccda/ (# MALWARE [PTsecurity] Trojan-Spy.Win32.Delf(Banload))
# Reference: https://www.virustotal.com/gui/ip-address/104.154.43.185/relations
# Reference: https://www.virustotal.com/gui/file/b22f8eaf82e15fe8118617cd7db703486696a82924dbafcbc31d8ce1262fcdb5/detection
# Reference: https://www.virustotal.com/gui/file/2f4db2bd529b5705308afd647b26d1a172d34b31d3382da57bac67aa3373a43c/detection
# Reference: https://www.virustotal.com/gui/file/507b299b76133f4ee7a30c12e23e45fa6fe9a1990ac87cb39136c25cc015e011/detection

# NOTE(review): 104.154.0.0/15 appears to be Google Cloud address space; VM addresses there are recycled between
# tenants, so this ip:port trail is likely to go stale - re-validate before relying on it for blocking.
104.154.43.185:60001

# Reference: https://twitter.com/NtSetDefault/status/1282277236423512065
# Reference: https://www.virustotal.com/gui/file/bc0073b75adda338d994361b4ebc1bc964197826ee75cf790948f128785780bc/detection
# Reference: https://app.any.run/tasks/637f560b-00da-442c-aef5-6ebc990a0646/

# NOTE(review): attacker-named subdomain under what appears to be a legitimate Autodesk parent domain
# (autodesk360.com); keep the full hostname as the trail - widening it to the parent would alert on all
# legitimate traffic to that service.
outlook39923.autodesk360.com

# Reference: https://twitter.com/NtSetDefault/status/1285909036815323136
# Reference: https://twitter.com/NtSetDefault/status/1285914518095302656
# Reference: https://app.any.run/tasks/599e1eb9-a1c9-4d80-b33d-281cd619cc6c/

# Dynamic-DNS hostnames whose labels reference Correios/Sedex (Brazilian postal service) - presumably
# delivery-notice lures used by the referenced sample.
correiosbrasilsedex.serveftp.org
enviocorreios.serveftp.org
sendcorreiosbr.serveftp.org
seusedexrapido.serveftp.org
# NOTE(review): the two amazonaws.com entries are attacker-created S3 bucket hostnames
# (bucket-name.s3-us-west-1.amazonaws.com). Match on the full bucket hostname only - the regional endpoint
# itself is shared by every bucket in us-west-1. Bucket names can be deleted and re-registered by anyone,
# so these should be re-checked periodically.
m0380933669.s3-us-west-1.amazonaws.com
u3028903369.s3-us-west-1.amazonaws.com

# Reference: https://twitter.com/NtSetDefault/status/1273040649542131713

# NOTE(review): *.cloudapp.azure.com labels are tied to an Azure deployment and can be released and re-used by
# another tenant once the VM is deallocated - treat this as a time-bound indicator and re-validate.
emissaocontadigital.eastus.cloudapp.azure.com

# Reference: https://twitter.com/sirpedrotavares/status/1305076741107519488
# Reference: https://www.virustotal.com/gui/file/e6cbaf9d2d01467048c758ba5e6ef3b68e624f67ece32dd68ebfeab235ed7ce5/detection
# Reference: https://www.virustotal.com/gui/file/cd878cd53b60f3bd950dc84ca731e07b4b49e18aed28f7e5d0bb39e5ab9c4ae7/detection
# Reference: https://www.virustotal.com/gui/file/373386e10c2e71329f0e8b4f51bef1fc0c4eb716f459cdf8a93941cff336b89b/detection
# Reference: https://www.virustotal.com/gui/file/8e9e5c2e16c8712f9e1ebfd4c295a1afe9373b95580ca73352f32e37d07408b6/detection
# Reference: https://www.virustotal.com/gui/file/4227332820fffcae05ae9d12a0e0b20f2291eb7b6bf8982b5301f24caadfbe8e/detection
# Reference: https://www.virustotal.com/gui/file/c05e9c1b155559d500ed0a2b3ca4c02d2a679db4191a7b35b9c44c2bdd61210d/detection
# Reference: https://www.virustotal.com/gui/file/985485888ef165eba912578cceb76981e9e5841bf928db739afbf472ea09deff/detection
# Reference: https://www.virustotal.com/gui/file/23892054f9494f0ee6f4aa8749ab3ee6ac13741a0455e189596edfcdf96416b3/detection
# Reference: https://www.virustotal.com/gui/ip-address/191.235.99.13/relations
# Reference: https://www.virustotal.com/gui/ip-address/52.91.227.152/relations

# NOTE(review): both addresses appear to be cloud-provider space (52.91.0.0/16 looks like AWS us-east-1,
# 191.235.x Azure Brazil South); such IPs are reassigned between tenants, so re-validate before blocking.
http://191.235.99.13
http://52.91.227.152

# Reference: https://otx.alienvault.com/pulse/5f75c5efcce31cfc583bafaa

58sky.com
wdx.go890.com
khelpdesk.com.br
go890.com
mg.5636.com
master.khelpdesk.com.br

# Reference: https://www.virustotal.com/gui/ip-address/31.220.59.65/relations
# Reference: https://www.virustotal.com/gui/file/3c23a8a65d78c035753bc0a437ed1bcab53f4a981608c10dbf936de28be4f3e3/detection
# Reference: https://www.virustotal.com/gui/file/99ba789471d2df7249bddf5741a0d5fa58147af4e3865490a93fcd1ea609c3ec/detection
# Reference: https://www.virustotal.com/gui/file/8aff76bef1eaed56b46d983051e8a817a893905c82cda79573316adc823baa54/detection
# Reference: https://www.virustotal.com/gui/file/1e6aaee1a283c652812fec6a70f8d1759de53a723af4ea415d3a4fa2ea083166/detection

defaqw.duckdns.org
fyjftn.duckdns.org
hsjkse.duckdns.org
jddrtj.duckdns.org
lokj.duckdns.org
xcgt.duckdns.org
xder.duckdns.org
xeida.duckdns.org
yiydk.duckdns.org
zere.duckdns.org
zxcw.duckdns.org

# Reference: https://www.virustotal.com/gui/domain/novelsim.shacknet.us/relations
# Reference: https://www.virustotal.com/gui/file/7ca842d8f2c83eddf6bd393415c4cff54ec7fa5c51f34738bb6aa1114714c6ec/detection

novelsim.shacknet.us
/troBEROamkr0192013.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1329728270326247425
# Reference: https://bazaar.abuse.ch/sample/5c3f5dec5271e020a29643f1e75b7a6b07bb52562ee8426b21e7d76e9a46661b/
# Reference: https://www.virustotal.com/gui/file/5c3f5dec5271e020a29643f1e75b7a6b07bb52562ee8426b21e7d76e9a46661b/detection
# Reference: https://analyze.intezer.com/analyses/55ad918a-ba00-497f-a2c5-262c957aa52f/sub/dc9bf2d0-cfce-46e1-8b22-6034f5df3d68

217.8.117.74:8364

# Reference: https://twitter.com/wwp96/status/1337112340001681411

gassmp.podzone.org
/Bebroms29129MSKEdrf.php

# Reference: https://www.virustotal.com/gui/file/3f15a5000fe56acf94ddaf281bbb634cc14d0d84ffed7b244ac38f97c4b23a0c/detection

lojinha-deroupas.com.br
/muralavisos.php

# Reference: https://www.virustotal.com/gui/file/9d4e819a148f6f3ba4d205cf7f3e383ba5c1e6510e34968c38f192dc0e8b3e07/detection

guardasnoturnos.com.br

# Reference: https://otx.alienvault.com/pulse/5ffc3ef208af976d9393d1e2
# Reference: https://www.virustotal.com/gui/domain/cp2.sanandresplazza.com/relations
# Reference: https://www.virustotal.com/gui/file/87c87de35dcd8832043ead5aee4d937ad57f60eb7b68506bd2d976c52d694f3a/detection
# Reference: https://www.virustotal.com/gui/file/cb28fb0cd8281caab59fd57ed18619d9d8c41cfbd01e6e8ed1b35399d2d36d73/detection

astylo.net
guiama.is
/plugins/authentication/ldap/Des_x_.png

# Reference: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
# Reference: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/012/156/original/snort3-community-rules.tar.gz
# Reference: https://www.virustotal.com/gui/domain/lucas.digitaldesk.biz/relations

lucas.digitaldesk.biz
prepara.biricell.com.br

# Reference: https://www.virustotal.com/gui/file/02131c8c30c6852ea1094661960d8cd697e014c2327582b9bbfc8440100d08ef/detection

casting.diamondhostess.hu
uslugi-ryazan.ru

# Reference: https://www.virustotal.com/gui/file/f8d9e056bfaa7ee2d74c2fcd5411de3868f47c1301e1cf55a0180b774df1d348/detection
# Reference: https://www.virustotal.com/gui/file/42575b866129035b28068456fa9d988ff86d5573e86a8138ba63c0b3423f6820/detection

mssql.maurosouza9899.kinghost.net

# Reference: https://twitter.com/dgarcianet/status/1352235429160955904

web.groupe-convergence.com

# Reference: https://www.virustotal.com/gui/file/34e16a68835f05ec748e2928409c3f07bdc5268eae0916cfef8a182e031cf6d1/detection
# Reference: https://www.virustotal.com/gui/file/7c019dca867ba21a5d8bb6eabd5750d0f06778fb82ff8866d4900a793d7bcc5c/detection
# Reference: https://www.virustotal.com/gui/file/43ea536308e35b15858237ff4b4b565ca70c1434af0b40dc7336c90c5362e99d/detection

critichotshot.com

# Reference: https://otx.alienvault.com/pulse/6023cbfddb978ba4bf15730b

# NOTE(review): 58sky.com and go890.com are already listed in the OTX 5f75c5ef section above (which also has
# mg.5636.com, a subdomain of 5636.com). Duplicate entries are harmless to matching, but presumably only the
# last-loaded reference is kept for an entry - consider consolidating the two sections.
5636.com
58sky.com
go890.com
jxwan.com
wanyouxi7.com
lordstark.dynamic-dns.net

# Reference: https://twitter.com/Unit42_Intel/status/1369043270429466634
# Reference: https://github.com/pan-unit42/tweets/blob/master/2021-03-08-IOCs-from-Banload-infection.txt

# NOTE(review): the cloudapp.azure.com label belongs to an Azure deployment and can be released and re-used by
# another tenant after deallocation - re-validate this one periodically; the other three are attacker domains
# (hirotrindade.webcindario.com is a free-hosting subdomain).
arquivomes03.brazilsouth.cloudapp.azure.com
casaprodutosportal.net
hirotrindade.webcindario.com
shonitrohifi.com

# Reference: https://www.virustotal.com/gui/file/8e95a0564b92cc9285ab0f74076c2aa5c666658a3933ceeaa9942d1a3823a7e2/detection

nwdnydxxxeo.hosthampster.com

# Reference: https://www.virustotal.com/gui/file/a9045a3692c91964dcb62966c7d44f6c00344bf11b5784374b7b64eef9c3ed31/detection

br12jh87te87lkre63a.servepics.com
/hhrytn35/lw1.php

# Reference: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html (# Win.Downloader.Banload-9861199-0)

brasilcargas.space
cabanadosol.net

# Reference: https://www.virustotal.com/gui/file/d51886e1555a1a94472f639a4cc9d670993011eafa7be4a3ea93219cd2a7b975/detection

# NOTE(review): 74.125.0.0/16 is Google address space and 98.137.201.117 appears to sit in a Yahoo (Oath)
# range - both are large shared-provider IPs that the sample presumably contacted for something other than
# C2 (connectivity check, webmail/SMTP). Expect heavy false positives from the two http:// entries; confirm
# against the referenced VT report before deploying them as blocking indicators. The two dynamic-DNS hosts
# below are the more reliable indicators in this set.
http://74.125.230.247
http://98.137.201.117
deliverycards.sytes.net
rdsbox.no-ip.info

# Reference: https://www.virustotal.com/gui/file/e62d5c2402f3455766839f357ae4a4c9ff48cb82451e7a06329fe7186dc9fbcc/detection

41.100.82.137:1891
salah-dz.no-ip.biz

# Generic

# NOTE(review): host-independent URL-path trails - presumably matched against the requested path regardless of
# destination host (TODO confirm matching semantics). The unusual .djx extension keeps them specific; any
# additions here should be checked for collisions with legitimate paths.
/ezemeneotewdoiazbi.djx
/ezemeneroaelenozi.djx
