# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/Bank_Security/status/1055092859404251137
# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/malware-targeting-brazil-uses-legitimate-windows-components-wmi-and-certutil-as-part-of-its-routine/
# Reference: https://pastebin.com/a7ZXwiDf

ewyytrtw4646934.eririxab.com
exxxwrtw6115614.kloudghtlp.com
eririxab.com
kloudghtlp.com

# Reference: https://twitter.com/James_inthe_box/status/1152234123844415489

# NOTE(review): the two entries in this stretch are bare IPv4 addresses written with an
# http:// scheme, unlike the hostname entries in the rest of the file. An address can be
# reassigned to an unrelated tenant, so confirm each is still current against its
# reference before using it for blocking rather than alerting.
http://18.217.112.176

# Reference: https://twitter.com/JAMESWT_MHT/status/1136555502064848897

http://192.95.2.166

# Reference: https://twitter.com/casual_malware/status/1235206644981780480

ba6csnbs.gq
zd1dyct2.cf
hpds8smq.gq
sp5it6dt.cf
k3ytlro3.ga
lixokaln.tk
jslyjr3f.tk
rabbanbt.ml
a2ago5l1.ml
d9fearr9.ga

# Reference: https://twitter.com/Bank_Security/status/1235839277386182658
# Reference: https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
# Reference: https://otx.alienvault.com/pulse/5e60de80eaa561319a314b21

acquafufheirybveru.online
ambirsr.tk
carnataldez.ml
clooinfor.cf
dbuhcbudyu.tk
equilibrios.ga
gucinowertr.tk
# NOTE(review): the four guildma.* entries below differ only in a two-letter suffix and
# look like AV detection-name variants (of the form "Guildma.BJ") that were extracted as
# hostnames, not observed domains -- confirm against the references above before
# relying on them for detection.
guildma.bj
guildma.bm
guildma.br
guildma.bs
iuiuytrytrewrqw.gq
movbmog.ga
nvfjvtntt.cf
vhguyeu.ml
xskcjzamlkxwo.gq
zvatrswtsrw.ml

# Reference: https://twitter.com/malwrhunterteam/status/1252633339967799296
# Reference: https://www.virustotal.com/gui/file/10929c710dfbdc6e78a6bb44a65fa3b84c786be95105f065081ae5927883b3a9/detection

1puknzcr.gq
lqd1fhjr.tk
nztpe4cd.gq

# Reference: https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

01autogestor.ga
04autogestor.ml
0ff2mft71jarf.gq
4nk7h3s453b019.com.de
64pgrpyxpueoj.ga
6pnc3461.ink
6zs1njbw.ml
7wpinibw.ml
909nu3dx3rgk13.com.de
bantqr8rrm9c11.com.de
bnorp.ml
evokgtis.gq
g2ha14u2m2xe12.com.de
ghcco980m1zy9.org
gurulea8.ml
k8cf0j5u.cf
kaligodfrey.casa
kfgkqnf5.cf
nfiru.xyz
osieofcorizon.fun
peolplefortalce.gq
spacetopgear.cf
venumxmasz.club
vuryza.ga
xufa8hy15.online
xvbe.monster

# Reference: https://twitter.com/Arkbird_SOLG/status/1303749794578477057
# Reference: https://app.any.run/tasks/000ac8a8-dc24-4af9-8c7a-cd552bf37ad1/
# Reference: https://app.any.run/tasks/6085d4d7-8fc3-4b25-8305-9584b61d1910/

7bewp4nat2.x14x6x1x7x9x3x1x8x1.co.in
e8jattdiaey.48f7668a8f55e54e5f458f1ax.store
x14x6x1x7x9x3x1x8x1.co.in

# Reference: https://www.virustotal.com/gui/file/a1ec4ff447d2a762fb62e8d67124e2fb785bec401ae5a069bf68a36e208d078f/detection

nwr7ea9aa1.48f7668a8f55e54e5f458f1ax.store

# Reference: https://www.virustotal.com/gui/ip-address/172.67.135.119/relations

48f7668a8f55e54e5f458f1ax.store
cabwsntaa2t.48f7668a8f55e54e5f458f1ax.store
e6esfwaeyv.48f7668a8f55e54e5f458f1ax.store
e7cree5ai3m.48f7668a8f55e54e5f458f1ax.store
zw3gygwai4h.48f7668a8f55e54e5f458f1ax.store

# Reference: https://app.any.run/tasks/6346c55e-1b91-43f2-a2f4-7fe1eeee7560/

adm-perfumaria.be
uu7vtwraehv.adm-perfumaria.be

# Reference: https://twitter.com/JAMESWT_MHT/status/1350343863584616449
# Reference: https://pastebin.com/ACwzkJZn
# Reference: https://app.any.run/tasks/e9335a25-4a24-4a94-a939-aec0ab5e7da9/

16aacr.millenium-notas.xyz
39eihr.mhsprodutos.email
7kaier.planilhamsul.live
enei15.gsfogllftm.bid
eraa1d.contsfinas.xyz
fhwb8ypuu7f.reavisobombeiros2021.monster
narenstore.co.id
otq4flbei89.liberatesgroup.online
wa87.evbpmgeuvw.email
contsfinas.xyz
evbpmgeuvw.email
gsfogllftm.bid
liberatesgroup.online
millenium-notas.xyz
mhsprodutos.email
planilhamsul.live
reavisobombeiros2021.monster

# Reference: https://twitter.com/Unit42_Intel/status/1364285932296355844
# Reference: https://github.com/pan-unit42/tweets/blob/master/2021-02-22-IOCs-from-Guildma-infection.txt

atrak.gold
bombeirosgov.xyz
cfjhrfrdprfudjhefdpsforuasdcuicb.tk
ncocotdenc.date
owpxfymsrl.casa
vistoriabombeiros.email
djuaai.vistoriabombeiros.email
ktaee3.ncocotdenc.date
rbeiwd.bombeirosgov.xyz
wat8.owpxfymsrl.casa
a8f907a15dd256a8efdeefa1b4296a10.cfjhrfrdprfudjhefdpsforuasdcuicb.tk
ead7b06da12ff1ad3601bc0e58d8378b.cfjhrfrdprfudjhefdpsforuasdcuicb.tk
d852e90de17f0e95cfa4e6bca58fdc7e.ppcrbpcofpofadfdhragrrcfiidmeufu.fun
d3fcad4e8c158a8347f69755408afe9c.hgebbgepeoaufjucdriibuuheamduohp.buzz
84d5c615a6148b4a64748944ab4fea32.daeoccijpuuujifgeusprsadbjabspas.monster
b9a3966d49f092087e84c2b2d47bddd6.dsofhsbehebshfsefaagordmrcefguiu.top
9af27bde5afc7d2f9d5a54cfb940eb23.afisohduhmbuiebbmcpgedmdahpsmoaa.xyz
3fdde23513cfea8244865de9dfc24576.baapceffjrpmdjjsdergsiefijcpuodo.xyz
d685edc33c9821948bad8f053744e671.hjaejauhfiecmhrsbpdmfafhaghrubmr.site
6b07d8ebf16094112539933605bc959b.jgiscuhreojgjmppmprdcaaabsbrsago.online
5f73dc9aab98162a161124bb9b33e0f3.crjusgsfuoghrcgbiesccrsgfdimejdh.gq
e9ea25b57f0f347a7f49cb9d560b7c9f.iffbhggmcimrgsgdsopaiaeoapjhfhor.cf
a7852fbe6a64197636486f136fcd1b9f.duiispaamoafbshuegpdjdmmrdrormpr.cf
2f62d23644cbc7648fae3c8a7e49ee55.dmoujibiogrmcgabfiaamuhmrodocaom.ga
756cc5b1bad841d9bcca71f5ef35d172.afhoasaoumhmcepdugfhmrcehjdaujui.ml
7fc673d1de394b80e8c31e56741530f3.upiejiuspmmoafamjrcsfurdrggdjidg.tk
b93dbe13513d3725c86e06472667e0dc.upjodfgeamscjrbgsijbapbebhjuphcc.tk
ecbacb2226e502ed95e4ca36775be81e.upmrjdauhjrogmcipcjdcofjumjsjubr.tech
e48e99830d9692e59da0b467d2e7e859.dajahireoippjuoaprburmsjohsirbrm.live
27e15cfae240de235bc0b1063835c282.poicirorodmjmieeffjpifhmoroibajc.store
fd15e0d9a0f3ca129bfda36be54193de.fmcgdifjhaffogrhgmfcjehhausjfpjf.space
c2d4305977b663085c423d764398115b.pfiaodebsgmsdgaaamoofoiabdcmegha.best
# NOTE(review): the next two entries are exact repeats of the .top and .monster hosts
# listed earlier in this section. Harmless if the consumer de-duplicates; otherwise one
# copy of each can be dropped.
b9a3966d49f092087e84c2b2d47bddd6.dsofhsbehebshfsefaagordmrcefguiu.top
84d5c615a6148b4a64748944ab4fea32.daeoccijpuuujifgeusprsadbjabspas.monster
58b48f2a4111bbcfca5a5c29c7a62149.mhfpudaosgoecimrsaoupupajrjscgro.site
eb952bcdead65806877687be3db00367.egbggdgogrjjfgpheoiaeaiampppjaum.cf
6dc7e6324002d963a9f17d1b68234ed6.ebaaefmooecmmibdaipahradcgcfebph.best
# From here to the end of this section: the parent domains of the hex-labelled hosts
# listed above, one per distinct parent. If the consuming tool matches subdomains of a
# listed domain (TODO confirm), these entries alone already cover those hosts.
afhoasaoumhmcepdugfhmrcehjdaujui.ml
afisohduhmbuiebbmcpgedmdahpsmoaa.xyz
baapceffjrpmdjjsdergsiefijcpuodo.xyz
crjusgsfuoghrcgbiesccrsgfdimejdh.gq
daeoccijpuuujifgeusprsadbjabspas.monster
dajahireoippjuoaprburmsjohsirbrm.live
dmoujibiogrmcgabfiaamuhmrodocaom.ga
dsofhsbehebshfsefaagordmrcefguiu.top
duiispaamoafbshuegpdjdmmrdrormpr.cf
ebaaefmooecmmibdaipahradcgcfebph.best
egbggdgogrjjfgpheoiaeaiampppjaum.cf
fmcgdifjhaffogrhgmfcjehhausjfpjf.space
hgebbgepeoaufjucdriibuuheamduohp.buzz
hjaejauhfiecmhrsbpdmfafhaghrubmr.site
iffbhggmcimrgsgdsopaiaeoapjhfhor.cf
jgiscuhreojgjmppmprdcaaabsbrsago.online
mhfpudaosgoecimrsaoupupajrjscgro.site
pfiaodebsgmsdgaaamoofoiabdcmegha.best
poicirorodmjmieeffjpifhmoroibajc.store
ppcrbpcofpofadfdhragrrcfiidmeufu.fun
upiejiuspmmoafamjrcsfurdrggdjidg.tk
upjodfgeamscjrbgsijbapbebhjuphcc.tk
upmrjdauhjrogmcipcjdcofjumjsjubr.tech

# Reference: https://twitter.com/malware_traffic/status/1411151303670128640
# Reference: https://www.malware-traffic-analysis.net/2021/07/02/index.html

1n0izrin45jf.date
i8b89z39ldede.casa
mobly.email
webktive.bid
a9eegc.webktive.bid
ooainb.1n0izrin45jf.date
71ou7a.mobly.email
jeaeir.mobly.email
vmawt.mobly.email
wa86.i8b89z39ldede.casa


# Reference: https://twitter.com/pr0xylife/status/1463924565034377220

gsasochjrmecsrsbjmubhuspsjusaghs.club
5dooyn.gsasochjrmecsrsbjmubhuspsjusaghs.club

# Reference: https://twitter.com/ffforward/status/1463934334101037060

cvcxsdfrew.one
uytfgdkipoi.one
0ooc4.cvcxsdfrew.one
uaou9x.uytfgdkipoi.one

# Reference: https://twitter.com/1ZRR4H/status/1464118333884805148
# Reference: https://pastebin.com/e8NTUaP2

atelierasmeninas.com
blindamorares.com
ceramicasouzatex.com
condordosaires.com
construsouzaconstrucoes.com
creatinarupples.com
enlogtransportes.com
etiplasti.com
ferramentasbroca.com
fragmentomocas.com
fruteiratra.com
hrgrafica.com
importsgo.com
infordados.com
isendbox.com
lupafertilizantes.com
mestreadministracao.com
modaatevoce.com
nucleodequalificacao.com
omettoequipamentos.com
prometalfunilaria.com
propositonotificas.com
protocolospemail.com
redemmfs.com
rimainstalacoes.com
ruprestecomunicacao.com
saocamiloformosa.com
severoindustrial.com
turismocrostas.com
admti1.rimainstalacoes.com
admti10.rimainstalacoes.com
admti11.severoindustrial.com
admti13.severoindustrial.com
admti15.severoindustrial.com
admti16.rimainstalacoes.com
admti17.rimainstalacoes.com
admti18.rimainstalacoes.com
admti19.rimainstalacoes.com
admti19.severoindustrial.com
admti20.severoindustrial.com
admti21.rimainstalacoes.com
admti22.rimainstalacoes.com
admti24.rimainstalacoes.com
admti25.severoindustrial.com
admti26.rimainstalacoes.com
admti27.rimainstalacoes.com
admti28.severoindustrial.com
admti3.severoindustrial.com
admti4.rimainstalacoes.com
admti5.severoindustrial.com
admti6.rimainstalacoes.com
admti6.severoindustrial.com
admti9.severoindustrial.com
axsr11.protocolospemail.com
axsr13.protocolospemail.com
axsr14.protocolospemail.com
axsr18.protocolospemail.com
axsr5.protocolospemail.com
axsr6.protocolospemail.com
axsr7.protocolospemail.com
axsr8.protocolospemail.com
axsr9.protocolospemail.com
clipe1.blindamorares.com
clipe13.blindamorares.com
clipe14.blindamorares.com
clipe17.blindamorares.com
clipe19.blindamorares.com
clipe21.blindamorares.com
clipe24.blindamorares.com
clipe5.blindamorares.com
clipe7.blindamorares.com
codo2.fruteiratra.com
coordenarh1.etiplasti.com
coordenarh1.infordados.com
coordenarh10.etiplasti.com
coordenarh13.etiplasti.com
coordenarh15.etiplasti.com
coordenarh15.hrgrafica.com
coordenarh16.hrgrafica.com
coordenarh17.etiplasti.com
coordenarh17.infordados.com
coordenarh17.mestreadministracao.com
coordenarh18.etiplasti.com
coordenarh18.infordados.com
coordenarh19.etiplasti.com
coordenarh2.hrgrafica.com
coordenarh20.infordados.com
coordenarh21.hrgrafica.com
coordenarh22.etiplasti.com
coordenarh22.mestreadministracao.com
coordenarh23.etiplasti.com
coordenarh23.hrgrafica.com
coordenarh24.etiplasti.com
coordenarh27.etiplasti.com
coordenarh28.etiplasti.com
coordenarh3.hrgrafica.com
coordenarh4.etiplasti.com
coordenarh4.hrgrafica.com
coordenarh5.etiplasti.com
coordenarh6.etiplasti.com
coordenarh7.etiplasti.com
coordenarh8.etiplasti.com
coordenarh9.hrgrafica.com
lojas16.propositonotificas.com
lojas19.propositonotificas.com
lojas22.propositonotificas.com
lojas3.propositonotificas.com
metros1.creatinarupples.com
metros19.creatinarupples.com
metros24.creatinarupples.com
metros8.creatinarupples.com
oportunidadesrh11.ruprestecomunicacao.com
oportunidadesrh12.lupafertilizantes.com
oportunidadesrh15.ruprestecomunicacao.com
oportunidadesrh17.ruprestecomunicacao.com
oportunidadesrh18.saocamiloformosa.com
oportunidadesrh21.ruprestecomunicacao.com
oportunidadesrh22.ruprestecomunicacao.com
oportunidadesrh24.lupafertilizantes.com
oportunidadesrh24.ruprestecomunicacao.com
oportunidadesrh26.ruprestecomunicacao.com
oportunidadesrh29.ruprestecomunicacao.com
planilha22.fragmentomocas.com
planilha4.fragmentomocas.com
planilha7.fragmentomocas.com
planilha8.fragmentomocas.com
# NOTE(review): unlike the other hosts in this section, the parent of this entry
# (oicp.net) is not listed as its own indicator. It appears to be a shared dynamic-DNS
# zone (verify), so keep the match on this exact host and do not widen it to the parent.
printinghot.oicp.net
proc11.protocolospemail.com
proc3.protocolospemail.com
proc4.protocolospemail.com
proc5.protocolospemail.com
proc6.protocolospemail.com
proc7.protocolospemail.com
proc9.protocolospemail.com
sedxf13.importsgo.com
sedxf6.importsgo.com
sedxf8.importsgo.com
sendf3.isendbox.com
sendf8.isendbox.com
sendf9.isendbox.com
superrh1.modaatevoce.com
superrh1.nucleodequalificacao.com
superrh1.prometalfunilaria.com
superrh10.nucleodequalificacao.com
superrh10.omettoequipamentos.com
superrh10.prometalfunilaria.com
superrh11.modaatevoce.com
superrh11.nucleodequalificacao.com
superrh11.omettoequipamentos.com
superrh12.modaatevoce.com
superrh12.omettoequipamentos.com
superrh12.prometalfunilaria.com
superrh13.nucleodequalificacao.com
superrh13.prometalfunilaria.com
superrh14.modaatevoce.com
superrh14.nucleodequalificacao.com
superrh14.omettoequipamentos.com
superrh15.nucleodequalificacao.com
superrh15.omettoequipamentos.com
superrh16.modaatevoce.com
superrh16.nucleodequalificacao.com
superrh17.modaatevoce.com
superrh17.omettoequipamentos.com
superrh17.prometalfunilaria.com
superrh18.prometalfunilaria.com
superrh19.nucleodequalificacao.com
superrh19.omettoequipamentos.com
superrh19.prometalfunilaria.com
superrh21.nucleodequalificacao.com
superrh21.omettoequipamentos.com
superrh21.prometalfunilaria.com
superrh22.modaatevoce.com
superrh22.nucleodequalificacao.com
superrh23.modaatevoce.com
superrh23.nucleodequalificacao.com
superrh23.prometalfunilaria.com
superrh24.omettoequipamentos.com
superrh24.prometalfunilaria.com
superrh25.modaatevoce.com
superrh25.nucleodequalificacao.com
superrh25.omettoequipamentos.com
superrh26.modaatevoce.com
superrh26.nucleodequalificacao.com
superrh26.omettoequipamentos.com
superrh27.omettoequipamentos.com
superrh27.prometalfunilaria.com
superrh28.modaatevoce.com
superrh29.modaatevoce.com
superrh29.omettoequipamentos.com
superrh3.nucleodequalificacao.com
superrh3.omettoequipamentos.com
superrh3.prometalfunilaria.com
superrh30.nucleodequalificacao.com
superrh30.omettoequipamentos.com
superrh30.prometalfunilaria.com
superrh4.modaatevoce.com
superrh4.omettoequipamentos.com
superrh5.modaatevoce.com
superrh5.omettoequipamentos.com
superrh5.prometalfunilaria.com
superrh6.modaatevoce.com
superrh6.nucleodequalificacao.com
superrh6.omettoequipamentos.com
superrh7.modaatevoce.com
superrh8.modaatevoce.com
superrh8.omettoequipamentos.com
superrh9.modaatevoce.com
superrh9.prometalfunilaria.com
supervisorrh1.ceramicasouzatex.com
supervisorrh10.atelierasmeninas.com
supervisorrh10.construsouzaconstrucoes.com
supervisorrh11.atelierasmeninas.com
supervisorrh11.condordosaires.com
supervisorrh12.ceramicasouzatex.com
supervisorrh12.condordosaires.com
supervisorrh13.atelierasmeninas.com
supervisorrh13.ceramicasouzatex.com
supervisorrh14.construsouzaconstrucoes.com
supervisorrh15.atelierasmeninas.com
supervisorrh15.condordosaires.com
supervisorrh15.construsouzaconstrucoes.com
supervisorrh16.atelierasmeninas.com
supervisorrh16.condordosaires.com
supervisorrh17.condordosaires.com
supervisorrh17.construsouzaconstrucoes.com
supervisorrh18.condordosaires.com
supervisorrh19.atelierasmeninas.com
supervisorrh19.enlogtransportes.com
supervisorrh2.construsouzaconstrucoes.com
supervisorrh20.atelierasmeninas.com
supervisorrh20.ceramicasouzatex.com
supervisorrh20.condordosaires.com
supervisorrh20.enlogtransportes.com
supervisorrh21.condordosaires.com
supervisorrh21.construsouzaconstrucoes.com
supervisorrh22.ceramicasouzatex.com
supervisorrh23.ceramicasouzatex.com
supervisorrh23.construsouzaconstrucoes.com
supervisorrh23.enlogtransportes.com
supervisorrh25.ceramicasouzatex.com
supervisorrh26.ceramicasouzatex.com
supervisorrh26.construsouzaconstrucoes.com
supervisorrh27.condordosaires.com
supervisorrh27.construsouzaconstrucoes.com
supervisorrh28.condordosaires.com
supervisorrh28.construsouzaconstrucoes.com
supervisorrh4.atelierasmeninas.com
supervisorrh4.condordosaires.com
supervisorrh4.construsouzaconstrucoes.com
supervisorrh5.ceramicasouzatex.com
supervisorrh5.condordosaires.com
supervisorrh6.condordosaires.com
supervisorrh7.ceramicasouzatex.com
supervisorrh7.condordosaires.com
supervisorrh8.atelierasmeninas.com
suporte17.turismocrostas.com
suporte22.turismocrostas.com
suporte6.turismocrostas.com
suporte9.turismocrostas.com
tgery11.redemmfs.com
tgery4.redemmfs.com
tgery9.redemmfs.com
veiculo1.ferramentasbroca.com
veiculo2.ferramentasbroca.com
veiculo4.ferramentasbroca.com
veiculo8.ferramentasbroca.com
