From efad3796306b37fdbcf86fface95c18757a4574f Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Tue, 9 Aug 2022 16:42:58 +0100
Subject: [PATCH 1/2] Create santander-85b6cae.yml

---
 indicators/santander-85b6cae.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 indicators/santander-85b6cae.yml

diff --git a/indicators/santander-85b6cae.yml b/indicators/santander-85b6cae.yml
new file mode 100644
index 00000000..aba99ff5
--- /dev/null
+++ b/indicators/santander-85b6cae.yml
@@ -0,0 +1,24 @@
+title: Santander Phishing Kit 85b6cae
+description: |
+  Detects a Santander phishing kit targeting Spanish speaking users.
+
+references:
+  - https://urlscan.io/result/56fb9b2c-e078-4d1d-b8a6-e6e5147e90d3
+  - https://urlscan.io/result/5ccf3cfc-cc1a-432d-a6e2-575f80742672
+
+detection:
+
+  usernameLabelID:
+    html|contains: 'EB8236264AE3C04429B8F46076848E7B'
+
+  passwordLabelID:
+    html|contains: '85B6CAE065D33FEEEB4297826ECB9B2D'
+
+  exfilDestination:
+    html|contains: 'database_setup/routes/process_login.php'
+
+
+  condition: usernameLabelID and passwordLabelID and exfilDestination
+
+tags:
+  - target.santander

From 798b181e1d6821890eddf282b7cab0cda64c549d Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Tue, 9 Aug 2022 16:47:17 +0100
Subject: [PATCH 2/2] Create santander-951d27d.yml

---
 indicators/santander-951d27d.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 indicators/santander-951d27d.yml

diff --git a/indicators/santander-951d27d.yml b/indicators/santander-951d27d.yml
new file mode 100644
index 00000000..80c789d2
--- /dev/null
+++ b/indicators/santander-951d27d.yml
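Review bot: In indicators/santander-85b6cae.yml the three `html|contains` selectors match the 32-character hex markers in uppercase only, so if the engine's `contains` modifier is case-sensitive (its semantics are defined by the rule engine, not visible in this file) a copy of the kit that lowercases its markup would not trigger the rule; confirm the engine's behaviour before relying on exact case. The rule does not explain how its suffix `85b6cae` was chosen — it appears to be the first seven hex characters of the `passwordLabelID` value — so a comment such as `# rule suffix = first 7 hex chars of the passwordLabelID marker` above `title:` would make the naming convention discoverable for whoever adds the next variant. Minor style: the double blank line before `condition:` and the absent `---` document start are worth normalising if the other files under indicators/ do so.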
@@ -0,0 +1,27 @@
+title: Santander Phishing Kit 951d27d
+description: |
+  Detects a Santander phishing kit targeting Spanish speaking users.
+
+references:
+  - https://urlscan.io/result/d7f3f389-d10b-4b83-a45c-ba7f8ec54035
+  - https://urlscan.io/result/1c849740-38f2-4442-94f8-bf2147cc587e
+
+detection:
+
+  cloneTimestamp:
+    requests|contains: '?v=1655293257536'
+
+  usernameLabelID:
+    html|contains: '47563B2825160654ADB2CC97CE152AF3'
+
+  passwordLabelID:
+    html|contains: '951D27D1CD8413E25C1D61149F928D85'
+
+  exfilDestination:
+    html|contains: '/atualiza'
+
+
+  condition: cloneTimestamp and usernameLabelID and passwordLabelID and exfilDestination
+
+tags:
+  - target.santander
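Review bot: `cloneTimestamp` is ANDed into the condition, but its value `?v=1655293257536` is a cache-busting query string tied to one particular deployment of the kit, so a redeploy that regenerates it will fail the whole rule even though the three markup markers still match; if the intent is to cover the kit family rather than this single instance, consider `condition: usernameLabelID and passwordLabelID and exfilDestination` with the timestamp kept as a supporting selector, or else state in `description` that the rule deliberately pins one deployment. The description, reused from the 85b6cae rule, says the kit targets Spanish speaking users, yet the exfiltration path `/atualiza` reads as Portuguese rather than Spanish, which would point at a Brazilian Santander lure — verify against the two referenced urlscan captures and adjust the wording. `/atualiza` is also a short substring that can occur on legitimate Portuguese-language pages, so it should remain combined with the label-ID markers and never be promoted to a standalone selector.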