# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis

ussensivitius.gq
webcam4bdsm.tk
domainprobr.tk
eltinjapp.cf

# Reference: https://twitter.com/jorgemieres/status/1129069254395990016
# Reference: https://pastebin.com/8v7TEu3D

asdfqw.xyz
fastwebworks2010.org
protec-guvenlik-4.top

# Reference: https://twitter.com/JAMESWT_MHT/status/1221865730054008833

kozzet.ru

# Reference: https://www.virustotal.com/gui/ip-address/162.244.32.142/relations

162.244.32.142:443
162.244.32.142:80

# Reference: https://twitter.com/sh1shk0va/status/1229720531680796677 (Black Rose Lucy)
# Reference: https://www.virustotal.com/gui/file/72c84191fe66c690f5101cf307293c003f82d80f1d00ee010e3067bb0c668d75/detection

gapsoinasj.in
ja0h12p14k.in
jqeoq0r1hgf03ds.in
q9120qwpsa.in

# Reference: https://twitter.com/ReBensk/status/1243500015613554688

protectphone.pw

# Reference: https://twitter.com/malwrhunterteam/status/1248220464473923584

gov-bnminfo.com

# Reference: https://twitter.com/malwrhunterteam/status/1248226241527844865

http://45.63.98.87
213.176.36.43:4207

# Reference: https://twitter.com/malwrhunterteam/status/1250386648598228992
# Reference: https://www.virustotal.com/gui/file/a55a9e204ca0f1015a34f76967ab1e93d7e6ff4ab5abb4816b7438c8db41c8e7/detection
# Reference: https://seguranca-informatica.pt/marco-2020-analise-reversa-da-app-android-entregue-com-o-phishing-do-novo-banco
# Reference: https://www.virustotal.com/gui/ip-address/51.83.252.64/detection
# Reference: https://twitter.com/ESETresearch/status/1252252094066819072

http://186.235.91.100
abanca-sms.com
bankinter.online
bcp-cadastro.com
bcp-millennium.com
cadastro-bcp.com
cadastronb.com
caixaes.site
cgd-cadastro.com
cgd-cadastro.site
es-atualiza.com
estado-sms.com
millennium-bcp.online
nb-cadastro.com
net24apk.website
santa-espanha.com
sms-nb.site
totta2020.com
/controls/nb/control.php
/controls/nb/sms.php
/extras/bpi_link.txt
/extras/nb_link_lyly.txt

# Reference: https://twitter.com/malwrhunterteam/status/1250798529850880000
# Reference: https://twitter.com/midnight_comms/status/1250811148204675072

http://176.121.14.127
vodafone5gapps.com

# Reference: https://twitter.com/malwrhunterteam/status/1252269448267997185
# Reference: https://www.virustotal.com/gui/file/111cfd455f836794e40c6b088ab8e73f8e673a79c18e559adcffa89630a51042/detection

http://218.187.103.198
27.255.64.95:8080

# Reference: https://twitter.com/malwrhunterteam/status/1252287608274722817 (# Android variation)
# Reference: https://www.virustotal.com/gui/file/10cf5bdab95219661759bc58d572379953233ec44b30bf2f83a89f6058610f09/detection
# Reference: https://twitter.com/ninoseki/status/1253272702573395972 (# iOS variation)
# Reference: https://www.virustotal.com/gui/file/748b9f36e5a738665d082b347b5b1f4448d06a70906a32b52b77acd5aa70052e/detection

23.251.45.232:8080

# Reference: https://twitter.com/malwrhunterteam/status/1252323010662588421

poczta-interia.com

# Reference: https://twitter.com/malwrhunterteam/status/1252325976308166660

evdehayatvarfree20gb.com

# Reference: https://twitter.com/malwrhunterteam/status/1253016217268498437
# Reference: https://twitter.com/LukasStefanko/status/1253265204646903809

25s.site
obmenvsemfiles.com

# Reference: https://twitter.com/malwrhunterteam/status/1259886844961005568

bocongan113.com

# Reference: https://twitter.com/malwrhunterteam/status/1259906137891241985

bocongan113vn.com

# Reference: https://twitter.com/malwrhunterteam/status/1259909960311463936

8400113.com

# Reference: https://twitter.com/seafaringturtle/status/1259908100703821825

103.57.111.11:4163

# Reference: https://twitter.com/ReBensk/status/1260184449414647811

photobank-shar2020.website

# Reference: https://twitter.com/malwrhunterteam/status/1261545686325174273
# Reference: https://twitter.com/seafaringturtle/status/1263163367818215424
# Reference: https://www.virustotal.com/gui/file/8d742a1b50492fc35a54119f305daa054f666bf0ec08f7a668aa657af28a6563/detection

216.118.243.114:3500
216.118.243.114:57157
216.118.243.115:57157
216.118.243.116:57157
216.118.243.117:57157
216.118.243.118:57157

# Reference: https://twitter.com/malwrhunterteam/status/1266069349917503495

sosyaldestek-tr.com

# Reference: https://twitter.com/malwrhunterteam/status/1266073872614526982

dbierzkod.pl
odbierzkod.pl

# Reference: https://twitter.com/ReBensk/status/1269306854233997316

krazyfoxx9.xyz

# Reference: https://twitter.com/ReBensk/status/1270725741273964548
# Reference: https://www.virustotal.com/gui/ip-address/8.208.90.169/relations

covid-19argentina.top
darkfantasy.top
drzapato.online
drzapato.xyz
fastupdate.top
fastupdatemanager.top
greenandgrey.top
lovemeany.online
telecentrocovid19.top

# Reference: https://twitter.com/ReBensk/status/1272566330873479170

nansy782seetoyou38.website

# Reference: https://twitter.com/ReBensk/status/1272565628604502018

flashplayerupdate.top

# Reference: https://twitter.com/NtSetDefault/status/1275103442172891138

http://154.206.173.205

139.5.200.26:3500
139.5.200.27:3500
139.5.200.28:3500
139.5.200.29:3500

# Reference: https://www.virustotal.com/gui/ip-address/213.176.36.42/relations

http://213.176.36.42

# Reference: https://www.virustotal.com/gui/file/786a73ac6036cf091939ccfa945e14e53524875ce8911f1c8d98d441fac2fd19/detection

213.176.36.42:4207
bank-negaramy.com

# Reference: https://www.virustotal.com/gui/file/a240e8586dd9d5cf199cb96deef63356dd24ae9274d750a076fd5ac4bed3f402/detection

213.176.36.42:4205
gov-bnminfo.com

# Reference: https://www.virustotal.com/gui/file/388bdb3f1f2e514e29646fe3a36bf20b7d0c47c0f0375f0aa2af262df6401845/detection

213.176.36.42:4201

# Reference: https://www.virustotal.com/gui/file/796bcb1df6fe45592137e0ddfb4dd1aa8fa264b396e43b58111543c9af89e564/detection

bnm-gov-info.com

# Reference: https://www.virustotal.com/gui/file/91807792a8c025f5b4c96a4d62f65ab335f695e9a7bbc6484c598a6ad3463684/detection

213.176.36.42:4202
negaramy-bank.com

# Reference: https://www.virustotal.com/gui/file/d3724868bb2966d0bffd235a995b6ac926a66b0756ca13679f3075d976da28e2/detection

213.176.36.42:4203
negarabank-my.com

# Reference: https://www.virustotal.com/gui/file/9ecca511661e72be443fc179cc71a1ecfcc8af48c6a8c87ef3883cb4724377b7/detection

213.176.36.42:4206
siasatan-gov-bnm.com

# Reference: https://www.virustotal.com/gui/file/c07cde11fb494e666a36ac7bb9cc593b877fb5267d04174c2295e586fdaada57/detection

bnm-govinfo.com

# Reference: https://www.virustotal.com/gui/file/0734c1af9909ce1c55bfe7d71f0c80c18792680880f4e35d849d038ce15962c7/detection

213.176.60.234:3403

# Reference: https://www.virustotal.com/gui/file/486234a479def6497524d3b501e3dfa9ae2f5e1815bd9b09219e98b8e95d62b2/detection

bnmgovinfo.com
smkgovinfo.com

# Reference: https://www.virustotal.com/gui/file/0460ecbe48b8b9d657fd1a8f7e8bbae779eddf312388f46359b21a9d97616170/detection

gov-cbminfo.com

# Reference: https://blacklist.cyberthreatcoalition.org/vetted/url.txt

cdek-payments.com
satterfieldbanks.com

# Reference: https://twitter.com/B0rys_Grishenko/status/1277515350658224128
# Reference: https://www.virustotal.com/gui/file/5ca38b7d208fbc5f665b4e0af7de5a1ac6cbc796375368934bffbef68732fc77/detection

sklepplay24.com

# Reference: https://twitter.com/ReBensk/status/1277615119594409987

http://154.206.173.194

# Reference: https://twitter.com/ReBensk/status/1277616463457792000
# Reference: https://www.virustotal.com/gui/file/c69af883dc42792500eecb12dc1f0641f1b9f4b4c340365c0491985ce6a89448/detection

193.112.126.184:39090

# Reference: https://twitter.com/ESETresearch/status/1277930672477343760

arabamuayenesi.com
usom-gov-tr.ml

# Reference: https://twitter.com/malwrhunterteam/status/1280220519460208641

http://102.129.249.232

# Reference: https://twitter.com/malwrhunterteam/status/1280502011981676546

chromekill.xyz

# Reference: https://twitter.com/malwrhunterteam/status/1280572099686531072

looparkadaslik.xyz

# Reference: https://www.virustotal.com/gui/file/1998850290d2d17e5537610fdd074fce3027e0999a06bc7f2d9c2ee9170773eb/detection

172.104.120.109:23040

# Reference: https://twitter.com/LukasStefanko/status/1280624418876686336
# Reference: https://twitter.com/NtSetDefault/status/1280648662499155968

antonioguterres.app
billclinton.app
bobiger.app
charlleskoch.institute
dougmcmillon.app
georgewbush.dev
jimyongkim.app
martinlutherkingjr.app
micheltemer.app
nelsonmandela.dev
pedroalvarescabral.dev
ragfactory.red
rupertmurdoch.red

# Reference: https://twitter.com/malwrhunterteam/status/1280846189433413634
# Reference: https://www.virustotal.com/gui/ip-address/5.252.179.35/relations

bufirte.xyz
contatorfull.best
contmobi.club
contmobi.online
contmobi.work
cubirta.club
cubirta.xyz
dietasricas.xyz
loltopgor.monster
mastercuponsdays.com
masteroffersdays.com
norditcph.xyz
ofertasgrandes.best
offersdirects.com
parse654.xyz
parse655.xyz
passtravel.best
poptoper2.monster
shopingoffers.xyz
topbestoffers.best
topbestoffers.monster
topbestoffers.xyz
topnomber.monster
toroftos.xyz
yourbestoffers.best

# Reference: https://twitter.com/malwrhunterteam/status/1281269010231853056

http://154.206.173.205

# Reference: https://twitter.com/malwrhunterteam/status/1283040684614852609

http://154.206.147.115

# Reference: https://www.virustotal.com/gui/file/fc0b880ddd9bda92dfb776d32a1958635be8933fa138dd35044cb5e76f470860/detection

emobileservices.club

# Generic (URL paths, no single reference)

/kbsbk24/
/nhbank6/
/nhcap6/
/servicest/sms2wx/Sms2WXService
/servicest/sms2wx/uploadMobileInfo

# Reference: https://twitter.com/malwrhunterteam/status/1288838413345607680

foranymefc.site

# Reference: https://twitter.com/0bfusCat/status/1089817931435905025

izmirsiberahmet.online

# Reference: https://twitter.com/0bfusCat/status/1088413094722879488
# Reference: https://www.virustotal.com/gui/ip-address/47.74.70.68/relations

aperdosali.top
atbfinance.top
atbfinanza.top
atbfinanziario.top
comedirtad.top
ctechnick.top
dopeblock.top
materongoc.top
oldcrystal.top
sickslick.top
sleepmate.top

# Reference: https://twitter.com/sh1shk0va/status/1290267524592934918
# Reference: https://www.virustotal.com/gui/file/548ea89dcfe3fed1e6766d1c9ef36407b6d3a852fd359635e5fe9de99732eb0b/detection

vigolimone.website

# Reference: https://twitter.com/malwrhunterteam/status/1290635046169260032

cooperativa-mobile.ml

# Reference: https://twitter.com/malwrhunterteam/status/1290964433402044416

llmymdq.site

# Reference: https://twitter.com/malwrhunterteam/status/1293831060611096579
# Reference: https://www.virustotal.com/gui/file/63a07c43fc8ab595a45eb17329f8b310c8db72efef3b16a4ea081251f2e40b05/detection

154.92.17.105:1506
154.92.17.105:1509

# Reference: https://twitter.com/malwrhunterteam/status/1297078797553074176
# Reference: https://twitter.com/B0rys_Grishenko/status/1297277745362358273
# Reference: https://www.virustotal.com/gui/file/92648f5945ce65aa9ee46afe1a07e9300d4724255118d4c37bf58b8bafdbedeb/detection

http://217.8.117.104

# Reference: https://www.virustotal.com/gui/file/de5707b8afb341c45625d3693e319b2925d8150fcdf816f5efb5ba7ba078a2da/detection

oldsk.buzz
oldsk.monster

# Reference: https://twitter.com/malwrhunterteam/status/1298677192667402248
# Reference: https://www.virustotal.com/gui/file/b336120b0dcb02d15b63f623ec1ef55659aed23f9d1355f80f2b5d1000963eac/detection

http://154.218.21.181

# APK (URL paths of served .apk files)

/Actualizar.apk
/Adobe-Pdf.apk
/Adobe_Flash_2020v21113.apk
/Adobe_Flash_2020v21711.apk
/Avito.apk
/DHL.apk
/entel4GLTE.apk
/GoogleUpdate.apk
/hana.apk
/KBbank.apk
/MicrosoftWord.apk
/nhbank.apk
/nhc2.0.apk
/safe.apk
/shsaving2.0.apk
/Update11.7.apk
/vizualizarpedido30543.apk
