# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: carbanak, jssloader, odinaff, wemosis

# Reference: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

bigred-tours.com
clients12-google.com
clients2-google.com
p3-marketing.com
cdn-googleapi.com
cdn-googleservice.com
acity-lawfirm.com
algew.me
aloqd.pw
amhs.club
anselbakery.com
apvo.club
arctic-west.com
auyk.club
b-bconsult.com
bcleaningservice.com
bigrussianbss.com
bipismol.com
bipovnerlvd.com
blopsadmvdrl.com
blopsdmvdrl.com
bnrnboerxce.com
bpee.pw
bureauofinspections.com
bvyv.club
bwuk.club
bwwrvada.com
cgqy.us
chatterbuzz-media.com
chenstravelconsulting.com
cihr.site
citizentravel.biz
cjsanandreas.com
ckwl.pw
cloo.com
cnkmoh.pw
cnlu.net
cnmah.pw
coec.club
coffee-joy-usa.com
cspg.pw
ctxdns.org
ctxdns.pw
cuuo.us
daskd.me
dbxa.pw
ddmd.pw
deliciouswingsny.com
dlex.pw
dlox.pw
dnstxt.net
dnstxt.org
doof.pw
dosdkd.mo
dpoo.pw
dsud.com
dtxf.pw
duglas-manufacturing.com
dvso.pw
dyiud.com
eady.club
enuv.club
eter.pw
extmachine.biz
facs.pw
fbjz.pw
fhyi.club
firsthotelgroup.com
firstprolvdrec.com
fkij.net
flowerprosv.com
fredbanan.com
futh.pw
gcan.site
ge-stion.com
gjcu.pw
gjuc.pw
glavpojdfde.com
gnoa.pw
gnsn.us
goldman-travel.com
goproders.com
gprw.site
grand-mars.ru
grij.us
gsdg.site
guopksl.com
gxhp.top
hijrnataj.com
hilertonv.com
hilopser.com
hippsjnv.com
hldu.site
hoplessinple.com
hoplessinples.com
hopsl3.com
hvzr.info
idjb.us
ihrs.pw
imyo.site
itstravel-ekb.ru
ivcm.club
jblz.net
jersetl.com
jimw.club
jipdfonte.com
jiposlve.com
jjee.site
johsimsoft.org
jomp.site
josephevinchi.com
just-easy-travel.com
juste-travel.com
jxhv.site
kalavadar.com
kashtanspb.ru
kbep.pw
kiposerd.com
kiprovol.com
kiprovolswe.com
kjke.pw
kjko.pw
koldsdes.com
kshv.site
kuyarr.com
kwoe.us
ldzp.pw
lgdr.com
lhlv.club
lnoy.site
luckystartwith.com
lvrm.pw
lvxf.pw
manchedevs.org
maofmdfd5.com
meli-travel.com
melitravel.ru
mewt.us
mfka.pw
michigan-construction.com
mjet.pw
mjot.pw
mjut.pw
mkwl.pw
molos-2.com
mtgk.site
mtxf.com
muedandubai.com
muhh.us
mut.pw
mvze.pw
mvzo.pw
mxfg.pw
mxtxt.net
myspoernv.com
navigators-travel.com
neartsay.com
nevaudio.com
neverfaii.com
nroq.pw
ns0.site
ns0.space
ns0.website
ns1.press
ns1.website
ns2.press
ns3.site
ns3.space
ns4.site
ns4.space
ns5.biz
ns5.online
ns5.pw
ntlw.net
nwrr.pw
nxpu.site
oaax.site
odwf.pw
odyr.us
okiq.pw
oknz.club
olckwses.com
olgw.my
oloqd.pw
oneliveforcopser.com
onokder.com
ooep.pw
oof.pw
ooyh.us
orfn.com
otzd.pw
oxrp.info
oyaw.club
p3marketing.org
pafk.us
palj.us
park-travels.com
parktravel-mx.ru
partnersind.biz
pbbk.us
pbsk.site
pdoklbr.com
pdokls3.com
pgnb.net
pinewood-financial.com
pjpi.com
plusmarketingagency.com
ppdx.pw
prideofhume.com
pronvowdecee.com
proslr3.com
prostelap3.com
proverslokv4.com
provnkfexxw.com
pvze.club
qdtn.us
qefg.info
qlpa.club
qsez.club
qznm.pw
rdnautomotiv.biz
redtoursuk.org
reld.info
rescsovwe.com
revital-travel.com
revitaltravel.com
rmbs.club
rnkj.pw
rtopsmve.com
rzzc.pw
sgvt.pw
shield-checker.com
simpelkocsn.com
simplewovmde.com
soru.pw
sprngwaterman.com
strideindastry.biz
strideindustrial.com
strideindustrialusa.com
strikes-withlucky.com
swio.pw
tijm.pw
tnt-media.net
true-deals.com
trustbankinc.com
tsrs.pw
turp.pw
twfl.us
ueox.club
ufyb.club
utca.site
uwqs.club
vdfe.site
viebsdsccscw.com
viebvbiiwcw.com
vikppsod.com
vjro.club
vkpo.us
voievnenibrinw.com
vpua.pw
vpuo.pw
vqba.info
vwcq.us
vxqt.us
vxwy.pw
wein.net
wfsv.us
whily.pw
wider-machinery-usa.com
widermachinery.biz
widermachinery.com
wnzg.us
wqiy.info
wruj.club
wuc.pw
wvzu.pw
xhqd.pw
xnlz.club
xnmy.com
yamd.pw
ybnz.site
ydvd.net
yedq.pw
yodq.pw
yomd.pw
yqox.pw
ysxy.pw
zcnt.pw
zdqp.pw
zjav.us
zjvz.pw
zmyo.club
zody.pw
zrst.com
zugh.us
clients14-google.com
clients18-google.com
clients19-google.com
clients23-google.com
clients31-google.com
clients33-google.com
clients39-google.com
clients46-google.com
clients47-google.com
clients51-google.com
clients52-google.com
clients55-google.com
clients56-google.com
clients57-google.com
clients58-google.com
clients6-google.com
clients62-google.com
clients7-google.com
fda-gov.com
dropbox-security.com
google-sll1.com
google-ssls.com
google-stel.com
google3-ssl.com
google4-ssl.com
google5-ssl.com
ssl-googles4.com
ssl-googlesr5.com
stats10-google.com
stats25-google.com
treasury-government.com
usdepartmentofrevenue.com
bols-googls.com
moopisndvdvr.com
dewifal.com
essentialetimes.com
fisrdteditionps.com
fisrteditionps.com
micro-earth.com
moneyma-r.com
newuniquesolutions.com
wedogreatpurchases.com

# Reference: http://blog.talosintelligence.com/2017/03/dnsmessenger.html

algew.me
aloqd.pw
bpee.pw
bvyv.club
bwuk.club
cgqy.us
cihr.site
ckwl.pw
cnmah.pw
coec.club
cuuo.us
daskd.me
dbxa.pw
dlex.pw
doof.pw
dtxf.pw
dvso.pw
dyiud.com
eady.club
enuv.club
eter.pw
fbjz.pw
fhyi.club
futh.pw
gjcu.pw
gjuc.pw
gnoa.pw
grij.us
gxhp.top
hvzr.info
idjb.us
ihrs.pw
jimw.club
jomp.site
jxhv.site
kjke.pw
kshv.site
kwoe.us
ldzp.pw
lhlv.club
lnoy.site
lvrm.pw
lvxf.pw
mewt.us
mfka.pw
mjet.pw
mjut.pw
mvze.pw
mxfg.pw
nroq.pw
nwrr.pw
nxpu.site
oaax.site
odwf.pw
odyr.us
okiq.pw
oknz.club
ooep.pw
ooyh.us
otzd.pw
oxrp.info
oyaw.club
pafk.us
palj.us
pbbk.us
ppdx.pw
pvze.club
qefg.info
qlpa.club
qznm.pw
reld.info
rnkj.pw
rzzc.pw
sgvt.pw
soru.pw
swio.pw
tijm.pw
tsrs.pw
turp.pw
ueox.club
ufyb.club
utca.site
vdfe.site
vjro.club
vkpo.us
vpua.pw
vqba.info
vwcq.us
vxqt.us
vxwy.pw
wfsv.us
wqiy.info
wvzu.pw
xhqd.pw
yamd.pw
yedq.pw
yqox.pw
ysxy.pw
zcnt.pw
zdqp.pw
zjav.us
zjvz.pw
zmyo.club
zody.pw
zugh.us
cspg.pw

# Reference: https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf

bipovnerlvd.com
blopsadmvdrl.com
bnrnboerxce.com
dewifal.com
essentialetimes.com
fisrteditionps.com
halyk-bank.com
kiprovolswe.com
kiprovol.com
micro-earth.com
moneyma-r.com
privat-bankau.com
privatbank-ua.com
tejara-bank.com
voievnenibrinw.com
wedogreatpurchases.com

# Reference: https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
# Reference: https://www.fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf
# Reference: https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf

adguard.name
beefeewhewhush-eelu.biz
blizko.net
blizko.org
comixed.org
coral-trevel.com
datsun-auto.com
di-led.com
financialnewson-line.pw
financialwiki.pw
flowindaho.info
freemsk-dns.com
gjhhghjg6798.com
glonass-map.com
great-codes.com
icafyfootsinso.ru
idedroatyxoaxi.ru
vaserivaseeer.biz
microloule461soft-c1pol361.com
microsoftc1pol361.com
mind-finder.com
operatemesscont.net
paradise-plaza.com
public-dns.us
publics-dns.com
systemsvc.net
system-svc.net
traider-pro.com
travel-maps.info
update-java.net
veslike.com
wefwe3223wfdsf.com
worldnews24.pw
worldnewsonline.pw

# Reference: https://www.tr1adx.net/intel/public/TIB-00002_IOC_Domain.txt

ai0ha.com
atlantis-bahamas.com
bentley-systems-ltd.com
bols-googls.com
dhl-service-au.com
esb-energy-int.com
fda-gov.com
google2-ssl.com
google3-ssl.com
google4-ssl.com
google5-ssl.com
google-ssls.com
google-stel.com
iris-woridwide.com
microfocus-official.com
ornuafood.com
perrigointernational.com
prsnewwire.com
sizzier.com
ssl-googles4.com
ssl-googlesr5.com
strideindustrialusa.com
syngenta-usa.com
taskretaiitechnology.com
treasury-government.com
waldorfs-astoria.com
zynga-ltd.com

# Reference: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf
# Reference: https://otx.alienvault.com/pulse/5a16a16d3477580fcf4e359a

1povkjbdw87kgf518nl361.com
adguard.name
adventureseller.com
advetureseller.com
akamai-technologies.org
akkso-dob.in
akkso-dob.xyz
androidn.ne
androidn.net
ass-pussy-fucking.net
baltazar-btc.com
brazilian-love.org
btcshop.cc
c1pol361.com
cameron-archibald.com
casas-curckos.com
castello-casta.com
casting-cortell.com
chugumshimusona.com
comixed.org
coral-travel.com
coral-trevel.com
critical-damage333.org
datsun-auto.com
di-led.com
dimeline.eu
dragonn-force.com
financialnewsonline.pw
freemsk-dns.com
gendelf.com
glonass-map.com
gooip-kumar.com
great-codes.com
ihave5kbtc.biz
ihave5kbtc.org
java-update.co.uk
jhecwhb7832873.com
klyferyinsoxbabesy.biz
levetas-marin.com
maorkkk-grot.xyz
marcello-bascioni.com
mind-finder.com
my-amateur-gals.com
namorushinoshi.com
narko-cartel.com
narko-dispanser.com
ngx.net
nikaka-ost.in
nikaka-ost.xyz
nyugorta.com
oerne.com
onlineoffice.pw
oplesandroxgeoflax.org
paradise-plaza.com
pasteronixca.com
pasteronixus.com
ppc-club.org
public-dns.com
public-dns.us
publics-dns.com
road-to-dominikana.biz
shfdhghghfg.com
skaoow-loyal.net
skaoow-loyal.xyz
strangeerglassingpbx.org
systemsvc.net
travel-maps.info
updateserver.info
vincenzo-bardelli.com
wascodogamel.com
weekend-service.com
worldnewsonline.pw
zaydo.co
zaydo.space
zaydo.website

# Reference: https://twitter.com/VK_Intel/status/1102754053774290946

tw32-cdn.com

# Reference: https://twitter.com/VK_Intel/status/1096515532558340099

logitech-cdn.com

# Reference: https://twitter.com/HONKONE_K/status/1105351576384749568

cdn-skype.com

# Reference: https://twitter.com/MalwareCantFly/status/1059831561498095617

googleapi-cdn.com

# Reference: https://twitter.com/VK_Intel/status/1072716050259681280

cisco-cdn.com

# Reference: https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/
# Reference: https://www.flashpoint-intel.com/wp-content/uploads/2019/03/iocs_astra_sqlrat_dnsbot_flashpoint_March2019.csv

bigmoneyforus.com
magicsoundmusic.com

# Reference: https://twitter.com/VK_Intel/status/1112961058812186624

combisecurity.net

# Reference: https://twitter.com/HONKONE_K/status/1117696735973761025
# Reference: https://otx.alienvault.com/pulse/5cb46aba498cfc2a71bb2936

booking-cdn.com
hpservice-cdn.com
jquery-ca-cdn.com
jquery-us-cdn.com
mse-cdn.com
norton-cdn.com

# Reference: https://twitter.com/kyleehmke/status/1123629309539885058

cdn-akamai.net

# Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ (# FIN7/GRIFFON)
# Reference: https://twitter.com/malz_intel/status/1144295975999221760

hpservice-cdn.com
realtek-cdn.com
logitech-cdn.com
pci-cdn.com
appleservice-cdn.com
servicebing-cdn.com
cisco-cdn.com
facebook77-cdn.com
yahooservices-cdn.com
globaltech-cdn.com
infosys-cdn.com
google-services-s5.com
instagram-cdn.com
mse-cdn.com
akamaiservice-cdn.com
booking-cdn.com
live-cdn2.com
cloudflare-cdn-r5.com
cdnj-cloudflare.com
bing-cdn.com
servicebing-cdn.com
cdn-yahooapi.com
cdn-googleapi.com
googl-analytic.com
mse-cdn.com
tw32-cdn.com
gmail-cdn3.com
digicert-cdn.com
vmware-cdn.com
exchange-cdn.com
cdn-skype.com
windowsupdatemicrosoft.com
msdn-cdn.com
testing-cdn.com
msdn-update.com
185.162.131.25:222

# Reference: https://twitter.com/kyleehmke/status/1127966783284101120

jquery-cdn-us2.com

# Reference: https://twitter.com/kyleehmke/status/1126663210340372480

jquery-cdn-cn.com
jquery-cdn-us1.com
jquery-update2.com

# Reference: https://twitter.com/HONKONE_K/status/1131432019940917248

bindupdate.com

# Reference: https://twitter.com/HONKONE_K/status/1136489932938072064

comodosec.com

# Reference: https://twitter.com/HONKONE_K/status/1138301293636677632

https://185.159.82.237/odrivers/update-9367.php

# Reference: https://hyas.com/news/magecart-group-4-a-link-with-cobalt-group/

aoreestr.com
aoreestr.online
aoreestr.site
curacao-egaming.online
curacaoegaming.online
curacaoegaming.site
my-1xbet.com
my1xbet.online
my1xbet.top
newreg.host
newreg.online
newreg.site
oracle-business.com
orkreestr.com
orkreestr.host
orkreestr.press
sbeibank.com
sbeibank.online
sbelbank.com
sbelbank.online
sbepbank.com
sbepbank.online
sbersafe.top

# Reference: https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html
# Reference: https://otx.alienvault.com/pulse/5d9f3036acdd17b6b5db4d3d

http://109.230.199.227

# Reference: https://twitter.com/Rmy_Reserve/status/1184142117284667393

moviedvdpower.com

# Reference: https://twitter.com/ps66uk/status/1189890438938988544
# Reference: https://app.any.run/tasks/fbad12cf-e3cd-4e27-a554-46c038ba70ff/
# Reference: https://www.virustotal.com/gui/file/9feddbc1e2b90685e444504804670b5f6db9db07f3a2d3d29dafe67540e27c91/detection
# Reference: https://www.virustotal.com/gui/file/08cdc3abc328ab032ed407399926f1d42e2a7fec38e203ab372a9501e5937573/detection
# Reference: https://www.virustotal.com/gui/file/09720515998190d47bd1e019d7077b0c2996942e269ab8499cfd969f0492415f/detection
# Reference: https://twitter.com/500mk500/status/1189912497102446597

185.156.177.132:443
insta-pulse.ca
insta-pulse.com

# Reference: https://www.endgame.com/blog/technical-blog/protecting-financial-sector-early-detection-trojanodinaff
# Reference: https://www.virustotal.com/gui/ip-address/162.243.45.200/relations

162.243.45.200:443
162.243.45.200:80
beardczaoffr.com
bigtrackrbvo.com
bravotkr.com
bravotrakrday.com
czaroffnow.com
datewomseek.com
extraczaroff.com
getrackroffr.com
goinhancemind.com
gotrackrdeal.com
inteligenbrainoff.com
libertyautogroup.com
livewomensek.com
nerverenewoff.com
newczaroff.online
newoffbravo.com
official-alert.com
savetrackroff.com
seniorwsm.com
staminanoon.com
staminonoffr.com
staminonus.com
trackrealoff.com
trackroffdeal.com
trackroffshop.com
trackrpromoday.com
urtrakrnowoff.com

# Reference: https://twitter.com/ps66uk/status/1190320112894664705

cigpcl.com

# Reference: https://twitter.com/VK_Intel/status/1205205015427727360

hawrickday.com

# Reference: https://twitter.com/VK_Intel/status/1226370026770509824

landscapesboxdesign9.com

# Reference: https://twitter.com/felixaime/status/1243544929281945602
# Reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/
# Reference: https://otx.alienvault.com/pulse/5e7e18b31f7f5e7279c15455

milkmovemoney.com

# Reference: https://twitter.com/VK_Intel/status/1250189247895744517
# Reference: https://otx.alienvault.com/pulse/5e973b9172c3f4e1a4153960

domenuscdm.com
environmentalist.com

# Reference: https://twitter.com/TweeterCyber/status/1268956628746813440
# Reference: https://www.virustotal.com/gui/file/967882624ba26c4fcd6806791aa4994b5bf64ca4b1e66dd8d24f1fa54b3a43f0/detection

spacemetic.com

# Reference: https://twitter.com/bryceabdo/status/1271063097722183681

colorpickerdesk.com
expressdesign9.com
softowii.com

# Reference: https://twitter.com/IntezerLabs/status/1291355808811409408 (# GOSH, Carbanak related ELF-malware)
# Reference: https://www.virustotal.com/gui/file/2b03806939d1171f063ba8d14c3b10622edb5732e4f78dc4fe3eac98b56e5d46/detection

45.35.41.12:443

# Reference: https://twitter.com/Bank_Security/status/1301129840754556928
# Reference: https://threatintel.blog/OPBlueRaven-Part1/
# Reference: https://threatintel.blog/OPBlueRaven-Part2/
# Reference: https://pastebin.com/CKNYfMBG
# Reference: https://otx.alienvault.com/pulse/5f4fd46ac0f4e7ee5448bd40

http://172.86.75.175
http://193.187.175.213
digitalsoundmaker99.com
fgfotr.com
hong-security.com
mozillaupdate.com
nattplot.com
tableofcolorize.com
untypicaldesign9.com
uoplotr.com

# Reference: https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/
# Reference: https://www.virustotal.com/gui/file/452315d33f6c0a9fb77e0e6d88a8cfbbe3a778461e90178d26267215522d2ab2/detection
# Reference: https://www.virustotal.com/gui/file/51060b4e21864f229b5945b24d66cb29c727641c36639de395ebc4c83b0860a9/detection
# Reference: https://www.virustotal.com/gui/file/9a00f0edc87a44d10369fdb9f35ebe1b1df57e01719a5b48ac3eddc068f77f87/detection
# Reference: https://www.virustotal.com/gui/file/de5f89ffa034281a20cbcc5d7482c78b0b5b9b249538e1947034166d68cd21ac/detection

104.232.32.61:443
104.232.32.62:443
141.255.167.28:443
162.221.183.109:443
162.221.183.11:443
162.221.183.11:80
178.209.50.245:443
185.29.9.28:443
192.52.166.66:443
193.203.48.41:700
194.146.180.58:80
216.170.116.120:443
216.170.116.120:700
216.170.116.120:80
31.3.155.123:443
50.62.171.62:700
82.163.78.188:443
84.200.4.226:443
87.98.217.9:443
89.144.14.65:80
91.207.60.68:80
adobe-dns-3-adobe.com
clients4-google.com
in-travelusa.com
seven-sky.org

# Reference: https://www.virustotal.com/gui/file/46c551fed052f3f8857709df900e33d1dbfe9b10f55ff597a1986dc108c6a4f4/detection
# Reference: https://www.virustotal.com/gui/file/d8661896d83427642d3fa2b108752691c90e98a9327f9550e24928ac90504a63/detection
# Reference: https://www.virustotal.com/gui/file/3881f459301b073073bfb2befb4545197af1c8c2160b8e583e46fa769b78289f/detection

79.134.225.126:8596
configsamg.bounceme.net
/fasthamid.php?pwdws=
/systeme.php?pwdws=

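# Reference: https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/
# NOTE(review): the report title above refers to FinSpy, which is not among the aliases listed at the top of this file; confirm that the entries in this section belong in this trail before attributing hits on them to this family.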
# Reference: https://otx.alienvault.com/pulse/5f6e34fc8c150f8d8fb9c337

http://158.69.105.207
http://172.241.27.171
browserupdate.download

# Reference: https://twitter.com/Arkbird_SOLG/status/1310966874352635907
# Reference: https://bazaar.abuse.ch/sample/003645e2686bf863585f95532e847dfe8f3b791c5b36f1a02ea2060f97b12125/
# Reference: https://tria.ge/200929-cywpm51vcj/behavioral1
# Reference: https://tria.ge/200929-cywpm51vcj/behavioral2

195.123.227.40:1433
195.123.227.40:443
195.123.227.40:49725
195.123.227.40:53
195.123.227.40:80

# Reference: https://twitter.com/malwrhunterteam/status/1313191441431232522

sec-apps-verify.com

# Reference: https://twitter.com/malwrhunterteam/status/1313191441431232522
# Reference: https://twitter.com/bl4ckh0l3z/status/1316389511182647297
# Reference: https://www.virustotal.com/gui/file/9c8bf89d043ba3ed802d6d4f9b290747d12822402d61065adfbcb48a740a47b8/detection

http://192.236.176.214

# Reference: https://twitter.com/Arkbird_SOLG/status/1319289563404103680
# Reference: https://www.virustotal.com/gui/ip-address/51.210.135.2/relations
# Reference: https://www.virustotal.com/gui/file/da725957d24a193350af135631ab7b286983caeaa1619b61c2535aa1794575c2/detection
# Reference: https://www.virustotal.com/gui/file/c81c1c53b66cdb4d9310bed5e70cec0cd4fa5b6b22f8ae1012b5a9fdcfb218a2/detection

51.210.135.2:443

# Reference: https://twitter.com/ShadowChasing1/status/1339399145933524993
# Reference: https://www.virustotal.com/gui/file/44e95a6a78a80e7ef6f4d92d9708bc04568385304d7a405fa201dfd50be8e172/detection

githubstore.site

# Reference: https://twitter.com/ShadowChasing1/status/1342631173508349952
# Reference: https://www.virustotal.com/gui/file/5a948a8d417c114f13e471cce4141131a496638d0e888564ad9ca74a1170320b/detection (# OSX.Bella)

159.65.147.28:4545

# Reference: https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
# Reference: https://www.virustotal.com/gui/file/662124b0c998fd0826c192514b1f57f8002f2ab031996aa6dd7832f561679779/detection

170.130.55.85:443
besaintegration.com
sephardimension.com

# Reference: https://blog.morphisec.com/the-evolution-of-the-fin7-jssloader
# Reference: https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf
# Reference: https://otx.alienvault.com/pulse/5ff37057aba1bd56afb7e0cb
# Reference: https://app.any.run/tasks/9ce5148e-531b-415b-9cf4-a047c493ab06/
# Reference: https://www.virustotal.com/gui/file/49895428f1a30131308022dd3aa56eab6a1aa49b08a978ebc1520e289d3d6744/detection

alexisdanger.com
attractivology.com
bungalowphotographyblog.com
culturehiphopcafe.com
dempoloka.com
freshenvironmentaldesigns.com
huskerblackshirts.com
medinamarina.com
mekanuum.com
monusorge.com
petshopbook.com
sdidrichsen.com
skedoilltd.com
spacemetic.com
theelitevailcollection.com

# Reference: https://twitter.com/BushidoToken/status/1346555464931303424

teamgrouppcl-my.sharepoint.com

# Reference: https://twitter.com/z0ul_/status/1361698529228578816
# Reference: https://www.virustotal.com/gui/file/34218554f4469a6c8c5d68fd6c4c90d6e9789d3bf2935704f81897352b3a1627/detection

civilizationidium.com

# Reference: https://twitter.com/kyleehmke/status/1362030909676015618

conglomeratoid.com
cooperativology.com
inspirationizable.com
refrigeratoraholic.com

# Reference: https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control

http://138.201.44.4/informs.jsp
aaa.stage.15594901.en.onokder.com
aaa.stage.4710846.ns3.kiposerd.com

# Reference: https://twitter.com/kyleehmke/status/1363845965208297472

vmwarize.com

# Reference: https://twitter.com/kyleehmke/status/1366366163089956872

shareholderma.com

# Reference: https://twitter.com/kyleehmke/status/1375414387415072768

foundationious.com

# Reference: https://twitter.com/kyleehmke/status/1374696986369216517

eyebrowaholic.com

# Reference: https://twitter.com/kyleehmke/status/1374310441036419075

associationable.com
coincidencious.com
offspringance.com
uncertaintology.com

# Reference: https://twitter.com/kyleehmke/status/1381183857916010498

shareholderery.com

# Reference: https://twitter.com/kyleehmke/status/1381514483126927360

occasionent.com

# Reference: https://twitter.com/z0ul_/status/1381590862300377089
# Reference: https://www.virustotal.com/gui/file/0f083aac77fb734a8e81fb9dff218f0414ac6c4c9a23b2832837fbc2c7e2031d/detection

185.16.40.108:443

# Reference: https://twitter.com/z0ul_/status/1383076948293808129
# Reference: https://www.virustotal.com/gui/file/d41ee5bfeda26eedef14b23efb42497f096c5faf34882d8ff427b66b5afdbc16/detection

192.248.188.166:443

# Reference: https://twitter.com/kyleehmke/status/1384149754045624327
# Reference: https://twitter.com/kyleehmke/status/1384149758613155840

migrationable.com
refrigeratored.com
safarienzo.com

# Reference: https://habr.com/ru/company/bizone/blog/553136/ (Russian)
# Reference: https://www.virustotal.com/gui/file/fbd2d816147112bd408e26b1300775bbaa482342f9b33924d93fd71a5c312cce/detection

108.61.148.97:443
136.244.81.250:443
185.33.84.43:443
195.123.214.181:443
31.192.108.133:443
45.133.203.121:443

# Reference: https://twitter.com/U039b/status/1387487404160860166
# Reference: https://twitter.com/U039b/status/1387495127401308162
# Reference: https://beta.pithus.org/report/ae05bbd31820c566543addbb0ddc7b19b05be3c098d0f7aa658ab83d6f6cd5c8
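# Reference: https://www.virustotal.com/gui/domain/qa-demo.wire.link/relations
# NOTE(review): the wire.com and zinfra.io hostnames below appear to be production and staging endpoints of the Wire messaging service rather than attacker-controlled infrastructure, so matches on them may be ordinary Wire client traffic; verify against the referenced reports before alerting or blocking on them.
# NOTE(review): 'taging-nginz-ssl.zinfra.io' looks like a truncated 'staging-nginz-ssl.zinfra.io' (compare the neighbouring 'staging-nginz-https' entry); confirm against the source.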

78.46.120.20:443
account.qa-demo.wire.link
assets.qa-demo.wire.link
nginz-https.qa-demo.wire.link
nginz-ssl.qa-demo.wire.link
teams.qa-demo.wire.link
webapp.qa-demo.wire.link
account.wire.com
clientblacklist.wire.com
prod-nginz-https.wire.com
prod-nginz-ssl.wire.com
teams.wire.com
staging-nginz-https.zinfra.io
taging-nginz-ssl.zinfra.io
wire-account-staging.zinfra.io
wire-teams-staging.zinfra.io

# Reference: https://twitter.com/kyleehmke/status/1396803284359319560

halfious.com
jurisdictionious.com

# Reference: https://twitter.com/kyleehmke/status/1398190859137470466
# Reference: https://twitter.com/kyleehmke/status/1399316036957179905
# Reference: https://twitter.com/Nzc2ZjZjNjY/status/1399116019743010816

curriculumance.com
deprivationant.com
dullism.com
hemispherious.com
injuryless.com
myofibrilliance.com

# Reference: https://twitter.com/z0ul_/status/1400099980250058753
# Reference: https://www.virustotal.com/gui/file/2609c6ec5d4fdde28d29c272484da66e0995e529cf302ed46f94c68cd99352e3/detection

legislationient.com

# Reference: https://twitter.com/Arkbird_SOLG/status/1400845444889120783
# Reference: https://twitter.com/Arkbird_SOLG/status/1400845453101522947

bank4america.com
opposedent.com

# Reference: https://twitter.com/kyleehmke/status/1401480321779052547

indulgology.com
trenchize.com

# Reference: https://twitter.com/kyleehmke/status/1401851062592720898
# Reference: https://twitter.com/Nzc2ZjZjNjY/status/1402008850690154504

boldhamia.com
jurisdictionient.com
landownerable.com
perespectable.com
unitious.com
uprestrice.com

# Reference: https://twitter.com/ViriBack/status/1209650095626575872
# Reference: https://www.virustotal.com/gui/file/c1e7d6ec47169ffb1118c4be5ecb492cd1ea34f3f3dd124500d337af3e980436/detection

107.189.11.206:443
huskerblackshirts.com

# Reference: http://tracker.viriback.com/dump.php (# 2020-022-29, JSSLoader)

grepodesk.com

# Reference: https://twitter.com/ShadowChasing1/status/1402533794352025602
# Reference: https://www.virustotal.com/gui/file/5ccf66192ea9d2b6395fbb4a058d0af8409040d6d38b82b7fa1bf120371e9538/detection
# Reference: https://www.virustotal.com/gui/file/fad295cf65552061dc553c21d89d8bbd0b02783c01f5e696232df6a14381c206/detection

http://108.170.20.89
http://195.123.234.24
108.170.20.89:443
195.123.234.24:443

# Reference: https://twitter.com/ShadowChasing1/status/1402291088740675586
# Reference: https://www.virustotal.com/gui/file/944e1871cecddd5c18a8939f246e5f552cb24f0b0179f4902c0559b2ad3d336b/detection

185.203.118.54:443

# Reference: https://twitter.com/z0ul_/status/1401795117678219267
# Reference: https://twitter.com/z0ul_/status/1401795127601991682
# Reference: https://otx.alienvault.com/pulse/60be3e3f6ba2c7d1bec747a2

capermission.com
hidrofilms.com
primeautorecon.com

# Reference: https://twitter.com/z0ul_/status/1401795123294441475
# Reference: https://www.virustotal.com/gui/file/944e47dc9da19b753beba173214cdebea2aa3651c402dfacae2dde82c4fdaa43/detection
# Reference: https://www.virustotal.com/gui/file/fada67a9f89429d6c191cd6fef5d75cd7b49eebaa2e40d1dd1f9884b3038a23b/detection

185.225.17.78:443
185.33.87.24:443
37.1.210.119:443

# Reference: https://twitter.com/z0ul_/status/1401795124556861441
# Reference: https://www.virustotal.com/gui/file/0f083aac77fb734a8e81fb9dff218f0414ac6c4c9a23b2832837fbc2c7e2031d/detection

185.16.40.108:443
195.123.243.169:443

# Reference: https://twitter.com/z0ul_/status/1401795126314344453
# Reference: https://www.virustotal.com/gui/file/5ccf66192ea9d2b6395fbb4a058d0af8409040d6d38b82b7fa1bf120371e9538/detection

108.170.20.89:443
195.123.240.46:443
37.252.4.131:443

# Reference: https://twitter.com/kyleehmke/status/1405822067191300100
# Reference: https://www.virustotal.com/gui/ip-address/85.217.171.64/relations

hooferry.com

# Reference: https://twitter.com/kyleehmke/status/1408000343410085889

blankance.com

# Reference: https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded

bikweb.com

# Reference: https://twitter.com/Nzc2ZjZjNjY/status/1410227748140990469

laccolumn.com
