AutoHotKey Leveraged by Metamorfo/Mekotio Banking Trojan

1. Indicators of Compromise
2.  
3. Infection
4. Domain IP
5. hxxp://priyadarsiniculturalsociety[.]com//images/?hash=%email% 51[.]81[.]75[.]131
6. hxxp://hothiphopbeats[.]com//images/?hash=%email% 209[.]40[.]193[.]208
7. hXXp://www3[.]santoandre[.]sp[.]gov[.]br/assistencia/wp-folha/TGR 189[.]1[.]163[.]21
8.  
9. Payload
10. Domain IP
11. hxxp://critichotshot[.]com/loc/ 162[.]255[.]118[.]194
12. hxxps://thaipoliticstoday[.]com/saudi-news-tq1vh/ 172[.]67[.]181[.]248
13. hXXp://web[.]groupe-convergence[.]com/ 213[.]186[.]33[.]69
14. hXXp://www[.]aralimp[.]com[.]br/wp-content/upgrade/TGR/SII_000492106006B8[.]zip 177[.]12[.]164[.]108
15. hXXp://umc24[.]club//wp-content/gallery/ 217[.]160[.]0[.]235
16. hXXps://leopard-hunt[.]com//wp-content/userr/20AVW5RSJKV8948[.]zip 104[.]21[.]63[.]133 - 172[.]67[.]145[.]198
17. – 89[.]44[.]9[.]254
18. – 104[.]214[.]107[.]176
19.  
20. C2 IP
21. es[.]sslhermanos[.]com 45[.]147[.]229[.]128 - 45[.]147[.]231[.]119
22. hxxp://40[.]112[.]173[.]53/again/?oriudfjdfij88 40[.]112[.]173[.]53