# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: 404 keylogger, snake keylogger # Note: several trails below are hosting-provider server hostnames (e.g. bitrix370.timeweb.ru, cp5ua.hyperhost.ua, premium76.web-hosting.com) or bare IP:port pairs on FTP/SMTP ports (21, 587), i.e. shared infrastructure as observed in the referenced samples; corroborate a hit on these with the referenced reports before treating it as a confirmed infection # Reference: https://habr.com/ru/company/group-ib/blog/477198/ (Russian) 404projects.xyz # Reference: https://app.any.run/tasks/c87283f6-7087-4ab5-91ac-f8fdfa25ce9e/ srvc13.turhost.com # Reference: https://app.any.run/tasks/94023cca-f07c-4a5f-8a72-2cc9fc4eb1be/ blackhillls.ddns.net # Reference: https://twitter.com/wwp96/status/1328308638470066177 # Reference: https://app.any.run/tasks/c16aff7d-63be-4654-bc27-ae78b489fcee/ 167.88.170.103:21 167.88.170.103:35060 # Reference: https://twitter.com/wwp96/status/1331116035680980992 # Reference: https://app.any.run/tasks/e3dd7875-4ef2-4f7f-ac5b-8616f3c132c4/ ckfashion.shop # Reference: https://app.any.run/tasks/13b60c7f-f80e-4a7a-8f21-afd287113465/ # Reference: https://app.any.run/tasks/4b675b8e-4a84-4d75-a4a1-4dc6868bdc5a/ 92.53.96.254:35705 bitrix370.timeweb.ru # Reference: https://app.any.run/tasks/40ed1720-a991-4a6a-9e76-25907a359531/ 188.225.21.131:35076 vh340.timeweb.ru # Reference: https://app.any.run/tasks/824f076f-c5e6-473a-84b6-d114a4837863/ 176.57.209.21:59257 premium34.timeweb.ru # Reference: https://twitter.com/reecdeep/status/1364226980120465412 itrader-germany.de # Reference: https://twitter.com/reecdeep/status/1371750624140857345 endovision.xyz # Reference: https://twitter.com/Racco42/status/1372290134931083266 # Reference: https://app.any.run/tasks/bb98a4a5-192e-42c3-9fbc-7625dfffd4ff/ imginternational.xyz # Reference: https://twitter.com/whitehoodie4/status/1374289414935961600 vespang.tk # Reference: https://twitter.com/ps66uk/status/1381918013214064646 # Reference: https://tria.ge/210413-s27a2natdx govidanatur.xyz # Reference: https://twitter.com/ps66uk/status/1382274063658258440 # Reference: https://www.virustotal.com/gui/file/92a4c8920eda2528675ed61d4e72b4e2e6f51f6c47aab88581bab36d656a224a/detection nobetone.xyz # Reference: 
https://twitter.com/BushidoToken/status/1387495666184822785 nobettwo.xyz # Reference: https://gist.github.com/silence-is-best/852a1c7c7dcf29fdc8d5df73433e7676 # Reference: https://www.virustotal.com/gui/file/a2c1e79d6f5f36ab9af9d623c37dedf201cb3552bade7cfc1f00bcaeaed98d5e/detection lokalboyz.com # Reference: https://www.virustotal.com/gui/domain/maisoui.us/relations # Reference: https://www.virustotal.com/gui/file/64a17ddefb0368f4512f3d89fabbb0e220f80d2febd28b21fc4262779ceea635/detection maisoui.us # Reference: https://www.virustotal.com/gui/domain/1bayer.com/relations # Reference: https://www.virustotal.com/gui/file/dd7d3cad1f509caedc2ea7a255a74cdc75498eeca31b67a5fa581ca67ba8b761/detection 1bayer.com # Reference: https://twitter.com/reecdeep/status/1406925281928134661 iykmoreentrprise.org # Reference: https://gist.github.com/silence-is-best/ac1440dcf7aec90a53905ae86559e621 # Reference: https://www.virustotal.com/gui/file/dc5458e66a8c76f55a5f490f5c9d12ea6e92a67c6ed74dbe40ca066a149d1659/detection cressi.xyz # Reference: https://app.any.run/tasks/2be51146-6800-4820-a38a-8321bb6b6c5e/ hisensetech.xyz # Reference: https://gist.github.com/silence-is-best/e2af8aa61000e4b740934331291c619b # Reference: https://www.virustotal.com/gui/file/193ac87ce3fbdcbc7def7776cac94b2548c0eabcfa179f701b96f65d9cfe7631/detection efinancet.shop # Reference: https://www.virustotal.com/gui/file/413c67ee147430c3d1a39e18601b33b90e3c434db8850949c08e8b1a4fa4f399/detection krsmakina.com # Reference: https://www.virustotal.com/gui/file/23cfe2786b8343a225d7d8ca6906c364ab19d6f594c92dfea39c8f2eb26a635f/detection guanyjfoods.com mail.guanyjfoods.com # Reference: https://www.virustotal.com/gui/file/f861b22de2dce92e689b895e8b862fe51bfab56cf466db8d1ea7513682cd3c36/behavior/VirusTotal%20ZenBox trietlongvinhvien.info # Reference: https://twitter.com/James_inthe_box/status/1486356525798998019 # Reference: 
https://www.virustotal.com/gui/file/db977a845e1b88d303bf7633ba8153a579e7be33904b0a46fc2cf61ac820801b/detection http://18.159.59.253 rfebatics.xyz # Reference: https://www.virustotal.com/gui/file/f77eb03582184792bb5bb2e7ca6f80de3e31e0ffb4e4084b28999858f1f489b0/detection http://3.112.243.28 febbdin.xyz # Reference: https://www.virustotal.com/gui/file/f4b4716fd756e090bc988dc4ca0ad23bdf22a238c3d1b4a329582fb936e8ee92/detection febquip.shop # Reference: https://www.virustotal.com/gui/file/c2672e6fd55b129125a19c7837943c0844c03ec02dcf165af183f9e4df4dccbc/detection bajoost.xyz # Reference: https://www.virustotal.com/gui/file/b9a46bd95fc23d278e97b151eecdfb95a0bc7649374a1c30fe6b95b384c7d196/detection ackuc.icu # Reference: https://twitter.com/peterkruse/status/1498602381403209730 yikun.cf # Reference: https://twitter.com/James_inthe_box/status/1507047796121096193 # Reference: https://app.any.run/tasks/66fcd49d-0527-4f23-a1c1-c72d9ce0ac85/ facts-jo.com # Reference: https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware # Reference: https://otx.alienvault.com/pulse/6185218842a91bb63bda21dc # Reference: https://www.virustotal.com/gui/file/0910e1c2d33a73a0e5a7b5e87eaaae42b839de9bb6ab3f42a52cf3c438e1a56f/detection http://3.64.251.139 restd.xyz # Reference: https://www.virustotal.com/gui/file/6aaa23c5aa6f2fb2e99f5ec667194e22c4a9922df0106473d96b1d12fa7a93c5/detection http://163.123.142.134 # Reference: https://twitter.com/0xToxin/status/1544369084405583873 dragonfruitting.com # Reference: https://github.com/0xToxin/Malware-IOCs/blob/main/Snake%20Keylogger/Snake%20Keylogger%20-%2013072022 # Reference: https://www.virustotal.com/gui/file/b629c1f60a745592eee61cad2f7c0acd9fb4e594a67d6c7af2dbc5faeb87abbf/detection 185.244.36.213:21 185.244.36.213:587 resultboxx.xyz ftp.resultboxx.xyz mail.resultboxx.xyz # Reference: https://twitter.com/pollo290987/status/1565225398857879559 # Reference: 
https://www.virustotal.com/gui/file/29824b969da3b9237bf59813a07dea7c3294e2506be355a26e19932a9d8f82d3/detection injectmmmmme.fra1.digitaloceanspaces.com # Reference: https://twitter.com/kienbigmummy/status/1578388073422807040 http://185.216.71.120 /Nwdhlnuy.bmp # Reference: https://twitter.com/reecdeep/status/1583409946791620608 grupoasei.com ftp.grupoasei.com mail.grupoasei.com mx1.grupoasei.com # Reference: https://gist.github.com/silence-is-best/213f7b2112a46acd56ceb78bf79286a8 # Reference: https://www.virustotal.com/gui/file/010287dcbcc3d730f170eb5b0cc06fe5b1c612e15c0228460e534b26a3f4c8dd/detection http://208.67.105.148 cp5ua.hyperhost.ua # Reference: https://twitter.com/osipov_ar/status/1636096845335130115 # Reference: https://www.virustotal.com/gui/file/1e8a5f0e7ee689b8f452fe93c90173c278a88de1995d866241793b9232d58951/detection # Reference: https://www.virustotal.com/gui/file/8fb593875f0bf9a1ecf72114935267caa80e7f2b2a268c3570927e4138070dd0/detection http://37.139.128.83 # Reference: https://twitter.com/reecdeep/status/1649379258916012032 premium76.web-hosting.com # Reference: https://twitter.com/Gi7w0rm/status/1706061724099457411 # Reference: https://www.virustotal.com/gui/file/b84d48bebe60d57c67a020d3e880a7ef138b12bdbad198785e62c952f03d10fc/detection # Reference: https://www.virustotal.com/gui/file/647816ec76f04594da29576e94eb3febd405dd027379bc558b20babe65b11712/detection 67.223.118.35:21 product-secured.com ftp.product-secured.com server.product-secured.com # Reference: https://tria.ge/230924-yzl75sba35/behavioral1 # Reference: https://tria.ge/230924-yzy7psba43/behavioral1 179.43.183.46:21 179.43.183.46:49564 179.43.183.46:61104 179.43.183.46:61857 179.43.183.46:64572 # Reference: https://www.virustotal.com/gui/file/d14b001c207c2e6ef60e9afd599e8ad815789893ababa09eda19fead65cf2337/detection http://185.254.37.174 /droidsnakebase654.txt /SNA$$$KELOGGER.vbs # Reference: 
https://www.virustotal.com/gui/file/0018c0cdaf6f58880005d8df0e7ad30d69f37e8b8dde22ee42d451f4d9a28e66/detection 51.38.247.67:8081 91.92.253.149:8081 91.92.255.235:8081 94.156.65.197:8081 94.156.68.12:8081 aborters.duckdns.org # Reference: https://www.virustotal.com/gui/file/88137ef5ca05130558e846da3d480008f2e5488a7543872195f64daa5a04b365/detection scratchdreams.tk