🚀Create IOK: fauxmoralis-6a3cac21 & facebook-d47226ee (#223)

* 🚀Create IOK: fauxmoralis-6a3cac21

Create fauxmoralis-6a3cac21.yml

* 🚀Create IOK: facebook-d47226ee

Create facebook-d47226ee.yml

* ✨Update facebook-d47226ee

Use end of filename as it has a higher chance of being unique

indicators/facebook-d47226ee.yml

@@ -0,0 +1,27 @@
+title: Facebook Phishing Kit d47226ee
+description: |
+    Facebook (Meta for Business) phishing kit 
+    that communicates with a master server/API
+    in order to exfiltrate credentials entered.
+
+    This kit has several anti analysis capabilities, 
+    such as being able to redirect to a non-existent 
+    domain if the organization owning the IP address 
+    of the viewer is part of a pre-defined list, which
+    is defined in the javascript code.
+    
+references:
+  - https://urlscan.io/result/d47226ee-0e03-4978-a9b8-1719ed43cfa4
+  - https://urlscan.io/result/3291f27f-c62d-4713-877c-91e7085af833
+
+detection:
+
+    kitAssets:
+      requests|contains|all:
+        - '62b0718b3254f2a8ab0f.png'
+        - 'montserrat-latin-400-normal.acb6629fe45c43ad5d8b.woff2'
+
+    kitAPI:
+      requests|contains: 'flexflex.online'
+
+    condition: kitAssets and kitAPI

indicators/fauxmoralis-6a3cac21.yml

@@ -0,0 +1,23 @@
+title: FauxMoralis Crypto Drainer 6a3cac21
+description: |
+    Sites that contact this domain are websites that will
+    drain a user's crypto wallet using a piece of javascript
+    code known as a 'crypto drainer'.
+
+    Due to this domain imitating the real Moralis API it 
+    has been named FauxMoralis to reflect this.
+    
+references:
+  - https://urlscan.io/result/6a3cac21-e6e5-40a7-984f-c9bcf023b2ed
+  - https://urlscan.io/search/#domain:"moralis-api.zip"
+
+detection:
+
+    drainerConfigurationDomain:
+      requests|contains: 'moralis-api.zip'
+
+    condition: drainerConfigurationDomain
+
+tags:
+  - kit
+  - cryptocurrency