# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/Bank_Security/status/1055092859404251137
# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/malware-targeting-brazil-uses-legitimate-windows-components-wmi-and-certutil-as-part-of-its-routine/
# Reference: https://pastebin.com/a7ZXwiDf

ewyytrtw4646934.eririxab.com
exxxwrtw6115614.kloudghtlp.com
eririxab.com
kloudghtlp.com

# Reference: https://twitter.com/James_inthe_box/status/1152234123844415489

http://18.217.112.176

# Reference: https://twitter.com/JAMESWT_MHT/status/1136555502064848897

http://192.95.2.166

# Reference: https://twitter.com/casual_malware/status/1235206644981780480

ba6csnbs.gq
zd1dyct2.cf
hpds8smq.gq
sp5it6dt.cf
k3ytlro3.ga
lixokaln.tk
jslyjr3f.tk
rabbanbt.ml
a2ago5l1.ml
d9fearr9.ga

# Reference: https://twitter.com/Bank_Security/status/1235839277386182658
# Reference: https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
# Reference: https://otx.alienvault.com/pulse/5e60de80eaa561319a314b21

acquafufheirybveru.online
ambirsr.tk
carnataldez.ml
clooinfor.cf
dbuhcbudyu.tk
equilibrios.ga
gucinowertr.tk
guildma.bj
guildma.bm
guildma.br
guildma.bs
iuiuytrytrewrqw.gq
movbmog.ga
nvfjvtntt.cf
vhguyeu.ml
xskcjzamlkxwo.gq
zvatrswtsrw.ml

# Reference: https://twitter.com/malwrhunterteam/status/1252633339967799296
# Reference: https://www.virustotal.com/gui/file/10929c710dfbdc6e78a6bb44a65fa3b84c786be95105f065081ae5927883b3a9/detection

1puknzcr.gq
lqd1fhjr.tk
nztpe4cd.gq

# Reference: https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

01autogestor.ga
04autogestor.ml
0ff2mft71jarf.gq
4nk7h3s453b019.com.de
64pgrpyxpueoj.ga
6pnc3461.ink
6zs1njbw.ml
7wpinibw.ml
909nu3dx3rgk13.com.de
bantqr8rrm9c11.com.de
bnorp.ml
evokgtis.gq
g2ha14u2m2xe12.com.de
ghcco980m1zy9.org
gurulea8.ml
k8cf0j5u.cf
kaligodfrey.casa
kfgkqnf5.cf
nfiru.xyz
osieofcorizon.fun
peolplefortalce.gq
spacetopgear.cf
venumxmasz.club
vuryza.ga
xufa8hy15.online
xvbe.monster

# Reference: https://twitter.com/Arkbird_SOLG/status/1303749794578477057
# Reference: https://app.any.run/tasks/000ac8a8-dc24-4af9-8c7a-cd552bf37ad1/
# Reference: https://app.any.run/tasks/6085d4d7-8fc3-4b25-8305-9584b61d1910/

7bewp4nat2.x14x6x1x7x9x3x1x8x1.co.in
e8jattdiaey.48f7668a8f55e54e5f458f1ax.store
x14x6x1x7x9x3x1x8x1.co.in

# Reference: https://www.virustotal.com/gui/file/a1ec4ff447d2a762fb62e8d67124e2fb785bec401ae5a069bf68a36e208d078f/detection

nwr7ea9aa1.48f7668a8f55e54e5f458f1ax.store

# Reference: https://www.virustotal.com/gui/ip-address/172.67.135.119/relations

48f7668a8f55e54e5f458f1ax.store
cabwsntaa2t.48f7668a8f55e54e5f458f1ax.store
e6esfwaeyv.48f7668a8f55e54e5f458f1ax.store
e7cree5ai3m.48f7668a8f55e54e5f458f1ax.store
zw3gygwai4h.48f7668a8f55e54e5f458f1ax.store

# Reference: https://app.any.run/tasks/6346c55e-1b91-43f2-a2f4-7fe1eeee7560/

adm-perfumaria.be
uu7vtwraehv.adm-perfumaria.be

# Reference: https://twitter.com/JAMESWT_MHT/status/1350343863584616449
# Reference: https://pastebin.com/ACwzkJZn
# Reference: https://app.any.run/tasks/e9335a25-4a24-4a94-a939-aec0ab5e7da9/

16aacr.millenium-notas.xyz
39eihr.mhsprodutos.email
7kaier.planilhamsul.live
enei15.gsfogllftm.bid
eraa1d.contsfinas.xyz
fhwb8ypuu7f.reavisobombeiros2021.monster
narenstore.co.id
otq4flbei89.liberatesgroup.online
wa87.evbpmgeuvw.email
contsfinas.xyz
evbpmgeuvw.email
gsfogllftm.bid
liberatesgroup.online
millenium-notas.xyz
mhsprodutos.email
planilhamsul.live
reavisobombeiros2021.monster

# Reference: https://twitter.com/Unit42_Intel/status/1364285932296355844
# Reference: https://github.com/pan-unit42/tweets/blob/master/2021-02-22-IOCs-from-Guildma-infection.txt

atrak.gold
bombeirosgov.xyz
cfjhrfrdprfudjhefdpsforuasdcuicb.tk
ncocotdenc.date
owpxfymsrl.casa
vistoriabombeiros.email
djuaai.vistoriabombeiros.email
ktaee3.ncocotdenc.date
rbeiwd.bombeirosgov.xyz
wat8.owpxfymsrl.casa
a8f907a15dd256a8efdeefa1b4296a10.cfjhrfrdprfudjhefdpsforuasdcuicb.tk
ead7b06da12ff1ad3601bc0e58d8378b.cfjhrfrdprfudjhefdpsforuasdcuicb.tk
d852e90de17f0e95cfa4e6bca58fdc7e.ppcrbpcofpofadfdhragrrcfiidmeufu.fun
d3fcad4e8c158a8347f69755408afe9c.hgebbgepeoaufjucdriibuuheamduohp.buzz
84d5c615a6148b4a64748944ab4fea32.daeoccijpuuujifgeusprsadbjabspas.monster
b9a3966d49f092087e84c2b2d47bddd6.dsofhsbehebshfsefaagordmrcefguiu.top
9af27bde5afc7d2f9d5a54cfb940eb23.afisohduhmbuiebbmcpgedmdahpsmoaa.xyz
3fdde23513cfea8244865de9dfc24576.baapceffjrpmdjjsdergsiefijcpuodo.xyz
d685edc33c9821948bad8f053744e671.hjaejauhfiecmhrsbpdmfafhaghrubmr.site
6b07d8ebf16094112539933605bc959b.jgiscuhreojgjmppmprdcaaabsbrsago.online
5f73dc9aab98162a161124bb9b33e0f3.crjusgsfuoghrcgbiesccrsgfdimejdh.gq
e9ea25b57f0f347a7f49cb9d560b7c9f.iffbhggmcimrgsgdsopaiaeoapjhfhor.cf
a7852fbe6a64197636486f136fcd1b9f.duiispaamoafbshuegpdjdmmrdrormpr.cf
2f62d23644cbc7648fae3c8a7e49ee55.dmoujibiogrmcgabfiaamuhmrodocaom.ga
756cc5b1bad841d9bcca71f5ef35d172.afhoasaoumhmcepdugfhmrcehjdaujui.ml
7fc673d1de394b80e8c31e56741530f3.upiejiuspmmoafamjrcsfurdrggdjidg.tk
b93dbe13513d3725c86e06472667e0dc.upjodfgeamscjrbgsijbapbebhjuphcc.tk
ecbacb2226e502ed95e4ca36775be81e.upmrjdauhjrogmcipcjdcofjumjsjubr.tech
e48e99830d9692e59da0b467d2e7e859.dajahireoippjuoaprburmsjohsirbrm.live
27e15cfae240de235bc0b1063835c282.poicirorodmjmieeffjpifhmoroibajc.store
fd15e0d9a0f3ca129bfda36be54193de.fmcgdifjhaffogrhgmfcjehhausjfpjf.space
c2d4305977b663085c423d764398115b.pfiaodebsgmsdgaaamoofoiabdcmegha.best
b9a3966d49f092087e84c2b2d47bddd6.dsofhsbehebshfsefaagordmrcefguiu.top
84d5c615a6148b4a64748944ab4fea32.daeoccijpuuujifgeusprsadbjabspas.monster
58b48f2a4111bbcfca5a5c29c7a62149.mhfpudaosgoecimrsaoupupajrjscgro.site
eb952bcdead65806877687be3db00367.egbggdgogrjjfgpheoiaeaiampppjaum.cf
6dc7e6324002d963a9f17d1b68234ed6.ebaaefmooecmmibdaipahradcgcfebph.best
afhoasaoumhmcepdugfhmrcehjdaujui.ml
afisohduhmbuiebbmcpgedmdahpsmoaa.xyz
baapceffjrpmdjjsdergsiefijcpuodo.xyz
crjusgsfuoghrcgbiesccrsgfdimejdh.gq
daeoccijpuuujifgeusprsadbjabspas.monster
dajahireoippjuoaprburmsjohsirbrm.live
dmoujibiogrmcgabfiaamuhmrodocaom.ga
dsofhsbehebshfsefaagordmrcefguiu.top
duiispaamoafbshuegpdjdmmrdrormpr.cf
ebaaefmooecmmibdaipahradcgcfebph.best
egbggdgogrjjfgpheoiaeaiampppjaum.cf
fmcgdifjhaffogrhgmfcjehhausjfpjf.space
hgebbgepeoaufjucdriibuuheamduohp.buzz
hjaejauhfiecmhrsbpdmfafhaghrubmr.site
iffbhggmcimrgsgdsopaiaeoapjhfhor.cf
jgiscuhreojgjmppmprdcaaabsbrsago.online
mhfpudaosgoecimrsaoupupajrjscgro.site
pfiaodebsgmsdgaaamoofoiabdcmegha.best
poicirorodmjmieeffjpifhmoroibajc.store
ppcrbpcofpofadfdhragrrcfiidmeufu.fun
upiejiuspmmoafamjrcsfurdrggdjidg.tk
upjodfgeamscjrbgsijbapbebhjuphcc.tk
upmrjdauhjrogmcipcjdcofjumjsjubr.tech

# Reference: https://twitter.com/malware_traffic/status/1411151303670128640
# Reference: https://www.malware-traffic-analysis.net/2021/07/02/index.html

1n0izrin45jf.date
i8b89z39ldede.casa
mobly.email
webktive.bid
a9eegc.webktive.bid
ooainb.1n0izrin45jf.date
71ou7a.mobly.email
jeaeir.mobly.email
vmawt.mobly.email
wa86.i8b89z39ldede.casa
