# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis

ussensivitius.gq
webcam4bdsm.tk
domainprobr.tk
eltinjapp.cf

# Reference: https://twitter.com/jorgemieres/status/1129069254395990016
# Reference: https://pastebin.com/8v7TEu3D

asdfqw.xyz
fastwebworks2010.org
protec-guvenlik-4.top

# Reference: https://twitter.com/JAMESWT_MHT/status/1221865730054008833

kozzet.ru

# Reference: https://www.virustotal.com/gui/ip-address/162.244.32.142/relations

162.244.32.142:443
162.244.32.142:80

# Reference: https://twitter.com/sh1shk0va/status/1229720531680796677 (Black Rose Lucy)
# Reference: https://www.virustotal.com/gui/file/72c84191fe66c690f5101cf307293c003f82d80f1d00ee010e3067bb0c668d75/detection

gapsoinasj.in
ja0h12p14k.in
jqeoq0r1hgf03ds.in
q9120qwpsa.in

# Reference: https://twitter.com/ReBensk/status/1243500015613554688

protectphone.pw

# Reference: https://twitter.com/malwrhunterteam/status/1248220464473923584

gov-bnminfo.com

# Reference: https://twitter.com/malwrhunterteam/status/1248226241527844865

http://45.63.98.87
213.176.36.43:4207

# Reference: https://twitter.com/malwrhunterteam/status/1250386648598228992
# Reference: https://www.virustotal.com/gui/file/a55a9e204ca0f1015a34f76967ab1e93d7e6ff4ab5abb4816b7438c8db41c8e7/detection
# Reference: https://seguranca-informatica.pt/marco-2020-analise-reversa-da-app-android-entregue-com-o-phishing-do-novo-banco
# Reference: https://www.virustotal.com/gui/ip-address/51.83.252.64/detection
# Reference: https://twitter.com/ESETresearch/status/1252252094066819072

http://186.235.91.100
abanca-sms.com
bankinter.online
bcp-cadastro.com
bcp-millennium.com
cadastro-bcp.com
cadastronb.com
caixaes.site
cgd-cadastro.com
cgd-cadastro.site
es-atualiza.com
estado-sms.com
millennium-bcp.online
nb-cadastro.com
net24apk.website
santa-espanha.com
sms-nb.site
totta2020.com
/controls/nb/control.php
/controls/nb/sms.php
/extras/bpi_link.txt
/extras/nb_link_lyly.txt

# Reference: https://twitter.com/malwrhunterteam/status/1250798529850880000
# Reference: https://twitter.com/midnight_comms/status/1250811148204675072

http://176.121.14.127
vodafone5gapps.com

# Reference: https://twitter.com/malwrhunterteam/status/1252269448267997185
# Reference: https://www.virustotal.com/gui/file/111cfd455f836794e40c6b088ab8e73f8e673a79c18e559adcffa89630a51042/detection

http://218.187.103.198
27.255.64.95:8080

# Reference: https://twitter.com/malwrhunterteam/status/1252287608274722817 (# Android variation)
# Reference: https://www.virustotal.com/gui/file/10cf5bdab95219661759bc58d572379953233ec44b30bf2f83a89f6058610f09/detection
# Reference: https://twitter.com/ninoseki/status/1253272702573395972 (# iOS variation)
# Reference: https://www.virustotal.com/gui/file/748b9f36e5a738665d082b347b5b1f4448d06a70906a32b52b77acd5aa70052e/detection

23.251.45.232:8080

# Reference: https://twitter.com/malwrhunterteam/status/1252323010662588421

poczta-interia.com

# Reference: https://twitter.com/malwrhunterteam/status/1252325976308166660

evdehayatvarfree20gb.com

# Reference: https://twitter.com/malwrhunterteam/status/1253016217268498437
# Reference: https://twitter.com/LukasStefanko/status/1253265204646903809

25s.site
obmenvsemfiles.com

# Reference: https://twitter.com/malwrhunterteam/status/1259886844961005568

bocongan113.com

# Reference: https://twitter.com/malwrhunterteam/status/1259906137891241985

bocongan113vn.com

# Reference: https://twitter.com/malwrhunterteam/status/1259909960311463936

8400113.com

# Reference: https://twitter.com/seafaringturtle/status/1259908100703821825

103.57.111.11:4163

# Reference: https://twitter.com/ReBensk/status/1260184449414647811

photobank-shar2020.website

# Reference: https://twitter.com/malwrhunterteam/status/1261545686325174273
# Reference: https://twitter.com/seafaringturtle/status/1263163367818215424
# Reference: https://www.virustotal.com/gui/file/8d742a1b50492fc35a54119f305daa054f666bf0ec08f7a668aa657af28a6563/detection

216.118.243.114:3500
216.118.243.114:57157
216.118.243.115:57157
216.118.243.116:57157
216.118.243.117:57157
216.118.243.118:57157

# Reference: https://twitter.com/malwrhunterteam/status/1266069349917503495

sosyaldestek-tr.com

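# Reference: https://twitter.com/malwrhunterteam/status/1266073872614526982
# NOTE(review): the two entries below differ only by a leading "o"; confirm against the reference that both domains were observed and that the first is not a truncated copy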

dbierzkod.pl
odbierzkod.pl

# Reference: https://twitter.com/ReBensk/status/1269306854233997316

krazyfoxx9.xyz

# Reference: https://twitter.com/ReBensk/status/1270725741273964548
# Reference: https://www.virustotal.com/gui/ip-address/8.208.90.169/relations

covid-19argentina.top
darkfantasy.top
drzapato.online
drzapato.xyz
fastupdate.top
fastupdatemanager.top
greenandgrey.top
lovemeany.online
telecentrocovid19.top

# Reference: https://twitter.com/ReBensk/status/1272566330873479170

nansy782seetoyou38.website

# Reference: https://twitter.com/ReBensk/status/1272565628604502018

flashplayerupdate.top

# Reference: https://twitter.com/NtSetDefault/status/1275103442172891138

http://154.206.173.205

139.5.200.26:3500
139.5.200.27:3500
139.5.200.28:3500
139.5.200.29:3500

# Reference: https://www.virustotal.com/gui/ip-address/213.176.36.42/relations

http://213.176.36.42

# Reference: https://www.virustotal.com/gui/file/786a73ac6036cf091939ccfa945e14e53524875ce8911f1c8d98d441fac2fd19/detection

213.176.36.42:4207
bank-negaramy.com

# Reference: https://www.virustotal.com/gui/file/a240e8586dd9d5cf199cb96deef63356dd24ae9274d750a076fd5ac4bed3f402/detection

213.176.36.42:4205
gov-bnminfo.com

# Reference: https://www.virustotal.com/gui/file/388bdb3f1f2e514e29646fe3a36bf20b7d0c47c0f0375f0aa2af262df6401845/detection

213.176.36.42:4201

# Reference: https://www.virustotal.com/gui/file/796bcb1df6fe45592137e0ddfb4dd1aa8fa264b396e43b58111543c9af89e564/detection

bnm-gov-info.com

# Reference: https://www.virustotal.com/gui/file/91807792a8c025f5b4c96a4d62f65ab335f695e9a7bbc6484c598a6ad3463684/detection

213.176.36.42:4202
negaramy-bank.com

# Reference: https://www.virustotal.com/gui/file/d3724868bb2966d0bffd235a995b6ac926a66b0756ca13679f3075d976da28e2/detection

213.176.36.42:4203
negarabank-my.com

# Reference: https://www.virustotal.com/gui/file/9ecca511661e72be443fc179cc71a1ecfcc8af48c6a8c87ef3883cb4724377b7/detection

213.176.36.42:4206
siasatan-gov-bnm.com

# Reference: https://www.virustotal.com/gui/file/c07cde11fb494e666a36ac7bb9cc593b877fb5267d04174c2295e586fdaada57/detection

bnm-govinfo.com

# Reference: https://www.virustotal.com/gui/file/0734c1af9909ce1c55bfe7d71f0c80c18792680880f4e35d849d038ce15962c7/detection

213.176.60.234:3403

# Reference: https://www.virustotal.com/gui/file/486234a479def6497524d3b501e3dfa9ae2f5e1815bd9b09219e98b8e95d62b2/detection

bnmgovinfo.com
smkgovinfo.com

# Reference: https://www.virustotal.com/gui/file/0460ecbe48b8b9d657fd1a8f7e8bbae779eddf312388f46359b21a9d97616170/detection

gov-cbminfo.com

# Reference: https://blacklist.cyberthreatcoalition.org/vetted/url.txt

cdek-payments.com
satterfieldbanks.com

# Reference: https://twitter.com/B0rys_Grishenko/status/1277515350658224128
# Reference: https://www.virustotal.com/gui/file/5ca38b7d208fbc5f665b4e0af7de5a1ac6cbc796375368934bffbef68732fc77/detection

sklepplay24.com

# Reference: https://twitter.com/ReBensk/status/1277615119594409987

http://154.206.173.194

# Reference: https://twitter.com/ReBensk/status/1277616463457792000
# Reference: https://www.virustotal.com/gui/file/c69af883dc42792500eecb12dc1f0641f1b9f4b4c340365c0491985ce6a89448/detection

193.112.126.184:39090

# Generic (URL path fragments, not tied to a single host)

/nhbank6/
/servicest/sms2wx/Sms2WXService
/servicest/sms2wx/uploadMobileInfo

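# APK (URL paths ending in an Android package file name)
# NOTE(review): these are path-only entries with common-looking file names; check the destination host when triaging a hit, since the path alone may not be specific to this family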

/MicrosoftWord.apk
/nhbank.apk
/safe.apk
