IOC - Unit 42 blog Advanced URL Filtering.txt
Suspicious URLs
paypal-account-mal234[.]com
Phishing
fbookcom-238137249[.]haroldsworld[.]org
facebook[.]com-------mobile---read---new--terms--56165419[.]peraltek[.]com/sign_in.htm
verify[.]facebook[.]com-------mobile---read---new--terms--977092107[.]peraltek[.]com/sign_in.htm
m[.]facebook[.]com-----phone----confirmation-----service---19827139271[.]peraltek[.]com/sign_in.htm
verify[.]facebook[.]com-------mobile---read---new--terms--410408116[.]peraltek[.]com/sign_in.htm
facebook[.]com-------mobile---read---new--terms--660947356[.]peraltek[.]com/sign_in.htm
aliceinformaticasrl[.]com/user/pages/20991962233.pdf
hxxp://sign[.]in[.]eday[.]co[.]uk[.]ws[.]eayis[.]api[.]dllsigninusingssl[.]celdhqslozjoe5khywlsoosab9qlr9[.]sslupcheckup[.]art/index.php/false/false/py1n.html/discovercard.com/dfs/accounthome/summary/-www.schwab.com/secure.accurint.com/unfcu2.org/login1/wachovia.com/myaccounts.aspx/investing.schwab.com/secure/schwab
hxxp://securty-supporrt[.]sun2seauvprotection[.]com[.]au/customer_center/customer-IDPP00C793/myaccount/signin/
hxxps://gcsnc-v[.]ga/adobe/email/document/authentication/
Malware Behind Cloaking
d3b0fbd6ff688034471e4400717742ffa21dcb1c909b0c1a1b2e82b34ae91d03
cq6ydl[.]qp8u[.]com/yx/22238.apk
178stu[.]com/new2_r_login.exe?collcc=739845076&collcc=3630194067&
25697[.]xc[.]wenpie[.]com/down/matlab%202017a%20???????????????@1166_3054.exe
xz[.]duote[.]com[.]cn/softdown/minjiehf@_29773.exe
down2[.]abckantu[.]com/tui/tips/2/v1.2.0.17/tips2-4.exe
govole[.]info/d23c1cda8c7736f9842243148d5eaf5b/getfp.exe
48995[.]xz[.]dy008[.]com/acdiu/setup_2000.exe
48156[.]xc[.]zhongguohao123[.]com/down/%E6%B8%85%E5%8D%8E%E5%A4%A9%E6%B2%B3pccad2015%2064%E4%BD%8D%E7%A0%B4%E8%A7%A3%E7%89%88@1166_9653.exe
72jdxe[.]securedfile[.]ru/b2/3/7/888e525e633be262a4412eff50518a2f/SpywareTerminatorSetup.exe
24910[.]xc[.]wenpie[.]com/down/cfree@1577_2873.exe
48272[.]xz[.]dy008[.]com/czasd/Setup_2000.exe
hxxp://www[.]bjcslper[.]com/info/js/js/js/css/js/js/js/js/js/css/js/js/css/js/js/css/js/js/css/js/js/css/js/js/js/js/js/js/css/js/css/js/js/css/js/js/css/css/js/js/js/js/js/js/css/js/js/js/css/style.css
hxxp://best-targeted-traffic[.]com/install.php?pais=Unknown&unq=19o721145058oildxbc&version=1.7
click[.]imageperfect[.]in/lp/lp.php?urlid=2bccd82ee1&adst=152313&nsrc=5090&visitor_id=bmconv_20210809015727_8eea308d_b7d0_4637_9aa6_214ef468fbb9&siteid=2_to
coursera-quiz-answers-quora[.]pageinternetinfo[.]pw
Compromised/Abused websites
335cf91959d1dcb04c2e68431300d06a62035e31daba1d19dbfcca0aa398bda2
0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2
f5b7b51ef8f1d1e76c86bd1e78d99c439c6e65361d4560b2c9e7345cebffdcca
hxxp://udskhhkdsjdjskjdds[.]000webhostapp[.]com/nnv.exe
hxxps://cdn[.]discordapp[.]com/attachments/873992598220599389/873994139908313148/Setup2.exe
hxxps://cdn[.]discordapp[.]com/attachments/831792884545093653/834461595358199908/Nitro_Gen.exe
C2/Sality-A
www[.]eri[.]edu[.]pk/images/logo.gif?213c963=209107026
st1[.]dist[.]su[.]lt/logoh.gif?397ab36=301357070
motherengineering[.]com/images/logo.gif%3f345a38=24016776
cart133[.]org/images/main.gif?1f3bc6f=163753515
cacs[.]org[.]br/novosite/logos.gif?5f4e290=499674320
web4m[.]de/wordpress/wp-content/themes/twentyfourteen/image.gif?2df1b=1505496
Ursnif Trojan
13[.]59[.]135[.]197/wp-includes/fqhw5-6k88r-dgufy.view/
35[.]233[.]127[.]71/zjed1-iae7t-kdzwv.view/
114[.]116[.]171[.]195/wp-includes/h5zf-65kb9-btmdu.view/
119[.]9[.]136[.]146/ctkfp-ebmhpu-vifzs.view/
13[.]127[.]110[.]92/wcs3-94yxcd-vpne.view/
128[.]199[.]72[.]218[:]4700/wp-content/uploads/b4t7-uqcaw8-bvfis.view/
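The list above is written in the usual defanged form ("[.]", "[:]", "hxxp"), so it cannot be dropped into a proxy blocklist or a log search as-is. The script below is an added example, not part of the Unit 42 list or of any Palo Alto Networks tooling: it parses text in this section/indicator layout, refangs each entry, sorts it into hash, domain, IP or URL, and then runs constructed proxy log lines against both the listed hosts and two URL-shape patterns. The five-entry IOC excerpt is copied from the list above; the log lines are constructed for the demo; the Sality-A ("logo.gif?<hex>=<digits>") and Ursnif ("<token>-<token>-<token>.view/") shape patterns are an assumption derived from the entries in the C2/Sality-A and Ursnif Trojan sections, not a published signature.

```python
"""Parse a defanged IOC list, refang it, classify each indicator, and match
proxy log lines against it. Added example; the IOC excerpt is taken from the
list above, the log lines are constructed, and the URL-shape patterns are an
assumption derived from the listed Sality-A and Ursnif URLs."""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Excerpt in the same section/indicator layout as the list above (five entries).
SAMPLE_IOCS = """\
Phishing
fbookcom-238137249[.]haroldsworld[.]org
hxxps://gcsnc-v[.]ga/adobe/email/document/authentication/
Malware Behind Cloaking
d3b0fbd6ff688034471e4400717742ffa21dcb1c909b0c1a1b2e82b34ae91d03
C2/Sality-A
www[.]eri[.]edu[.]pk/images/logo.gif?213c963=209107026
Ursnif Trojan
128[.]199[.]72[.]218[:]4700/wp-content/uploads/b4t7-uqcaw8-bvfis.view/
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumed shape patterns, derived from the listed URLs (not a vendor signature).
SHAPE_PATTERNS = {
    "sality-a beacon": re.compile(r"/[a-z]+\.gif\?[0-9a-f]{4,8}=\d+$", re.I),
    "ursnif .view": re.compile(r"/[a-z0-9]+-[a-z0-9]+-[a-z0-9]+\.view/?$", re.I),
}


@dataclass
class Indicator:
    section: str  # heading the entry sat under, e.g. "Phishing"
    kind: str     # "sha256", "ip", "domain" or "url"
    value: str    # refanged indicator
    host: str     # host part (empty for hashes), used for blocklist matching


def refang(text: str) -> str:
    """Undo the [.] / [:] / hxxp defanging used in the list."""
    text = text.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.I)


def is_indicator(line: str) -> bool:
    """Every indicator line is a hash, contains a defanged dot, or starts with hxxp;
    anything else (e.g. 'C2/Sality-A') is a section heading."""
    return bool(SHA256_RE.match(line) or "[.]" in line or line.lower().startswith("hxxp"))


def parse_iocs(text: str) -> List[Indicator]:
    out, section = [], "Unsectioned"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not is_indicator(line):
            section = line
            continue
        value = refang(line)
        if SHA256_RE.match(value):
            out.append(Indicator(section, "sha256", value, ""))
            continue
        # urlsplit only finds the host when a scheme is present; the list mostly omits it.
        parts = urlsplit(value if "://" in value else "http://" + value)
        host = parts.hostname or ""
        if parts.path or parts.query:
            kind = "url"
        elif IPV4_RE.match(host):
            kind = "ip"
        else:
            kind = "domain"
        out.append(Indicator(section, kind, value, host))
    return out


def scan_proxy_log(lines: List[str], iocs: List[Indicator]) -> List[Dict[str, str]]:
    """Flag lines whose URL host is on the list, or whose path matches a shape
    pattern. Each constructed log line is '<timestamp> <client_ip> <url>'."""
    hosts = {i.host for i in iocs if i.host}
    hits = []
    for line in lines:
        parts = urlsplit(line.split()[-1])
        host = parts.hostname or ""
        if host in hosts:
            hits.append({"line": line, "reason": f"host on IOC list: {host}"})
            continue
        path = parts.path + ("?" + parts.query if parts.query else "")
        for name, rx in SHAPE_PATTERNS.items():
            if rx.search(path):
                hits.append({"line": line, "reason": f"{name} URL shape"})
                break
    return hits


# Constructed proxy log lines (not real traffic). Lines 1, 3 and 4 should be flagged.
SAMPLE_LOG = [
    "2021-08-10T09:14:02Z 10.0.0.12 http://fbookcom-238137249.haroldsworld.org/login",
    "2021-08-10T09:14:05Z 10.0.0.12 http://www.example.org/images/logo.gif",
    "2021-08-10T09:15:11Z 10.0.0.31 http://example.net/images/logo.gif?7ac31be=41822056",
    "2021-08-10T09:16:40Z 10.0.0.31 http://203.0.113.5/wp-includes/ab12-cd34ef-gh56.view/",
    "2021-08-10T09:17:00Z 10.0.0.44 https://www.example.com/wp-content/view.html",
]

if __name__ == "__main__":
    parsed = parse_iocs(SAMPLE_IOCS)
    for ioc in parsed:
        print(f"{ioc.section:22} {ioc.kind:7} {ioc.value}")
    for hit in scan_proxy_log(SAMPLE_LOG, parsed):
        print("HIT", hit["reason"], "<-", hit["line"])
```

The shape patterns are the part worth the most care: an exact-host match on a list this small ages quickly, while the Sality beacon and Ursnif ".view" path shapes catch new hosts, at the cost of needing tuning against your own traffic (a plain "logo.gif" with no hex query is deliberately not flagged).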