# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: VizaviBot, L3mon # Reference: https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/ radiobalouch.com /Debugging/process/process/resolving/system/ReadAllTracks.php # Reference: https://twitter.com/LukasStefanko/status/1244584890361839616 193.161.193.99:27229 # Reference: https://twitter.com/malwrhunterteam/status/1262415009419874305 tryanotherhorse.com # Reference: https://www.virustotal.com/gui/file/675f5f887a66d21ea0d314e359f97ba9caa5d04436ef904deeaeaa4c83f06018/detection 95.8.94.174:4000 bhblack.duckdns.org # Reference: https://twitter.com/malwrhunterteam/status/1263081748482723840 95.8.94.174:4444 # Reference: https://twitter.com/malwrhunterteam/status/1265733202674581507 turktelekom-bilgilendirme.com # Reference: https://blacklist.cyberthreatcoalition.org/vetted/url.txt ahmyth.ddnsking.com # Reference: https://twitter.com/malwrhunterteam/status/1297073202024325120 zebraking.ddnsking.com # Reference: https://www.virustotal.com/gui/file/b039f0ab2a62a5e1f42c5c0f1d34fc247cb6c0fa65ce33629fccbd28b1d0d064/detection 193.161.193.99:38442 c0cf28ed20-51369.portmap.host # Reference: https://twitter.com/malwrhunterteam/status/1305940469927550977 maladiescoronavirus.com # Reference: https://twitter.com/LukasStefanko/status/1306143556281737217 176.31.193.59:22222 tweensangoma.servebbs.com # Reference: https://www.virustotal.com/gui/file/82b49c84601b36ae1dc7d3056b33bb58716551e85c006354e030d0dc8f6059a2/detection 193.161.193.99:49487 # Reference: https://twitter.com/malwaretracekr/status/1304189932055834624 # Reference: https://www.virustotal.com/gui/file/6a1bb59bd1faa3dbca7df51eb6b265b0fd2b5220d99a5befb2a0aabdb9a946da/detection /nhsave.apk /pentapp.apk # Reference: https://twitter.com/malwrhunterteam/status/1309567899649138689 /GBWhatsapp.apk # Reference: https://twitter.com/malwrhunterteam/status/1317395859726807040 # Reference: https://twitter.com/bl4ckh0l3z/status/1318126608226582529 # Reference: https://www.virustotal.com/gui/file/00ee72e69290217f5e6977750a873887e8a9ab91d7f91a3004c9d04148ec28b5/detection # Reference: https://www.virustotal.com/gui/ip-address/85.10.199.40/relations 213.230.90.191:3232 85.10.199.40:80 # Reference: https://twitter.com/malwrhunterteam/status/1328391739523141640 # Reference: https://twitter.com/bl4ckh0l3z/status/1329082787723317250 http://118.167.70.214 http://123.253.110.27 123.253.110.27:8662 123.253.110.27:8889 /kbcapital.apk # Reference: https://twitter.com/malwrhunterteam/status/1329353263498596352 http://114.43.113.63 http://123.253.109.211 /woori.apk # Reference: https://www.virustotal.com/gui/file/deb4098d86440e52832eb6f17b38cb2c82e50e9f6de21819e61b0ada5189bbe9/detection # Reference: https://twitter.com/bl4ckh0l3z/status/1329437919162081282 122.10.114.159:1234 /Aarogya Setu_v1.4.1-ok_sign.apk # Reference: https://twitter.com/malwrhunterteam/status/1332421014886752262 # Reference: https://www.virustotal.com/gui/file/9550de103b11a99e2ff9551a99e61001ab33d86b86baf76a3265e1a30c2d8493/detection http://45.143.93.59 /HDLiveWallpaper.apk # Reference: https://twitter.com/malwrhunterteam/status/1333506610245885960 # Reference: https://twitter.com/bl4ckh0l3z/status/1333742182466023425 # Reference: https://www.virustotal.com/gui/file/8b9ba90a1c7758714e68333c9541cf9fd99b368d0e3df62e91b003af60311047/detection 123.253.110.74:7272 123.253.110.74:8889 http://61.228.224.127 # Reference: https://twitter.com/malwrhunterteam/status/1334126697462030337 # Reference: https://twitter.com/malwrhunterteam/status/1351868441402118147 # Reference: https://twitter.com/malwrhunterteam/status/1356668707062353924 # Reference: https://twitter.com/bl4ckh0l3z/status/1334164150763851781 # Reference: https://twitter.com/bl4ckh0l3z/status/1352927204372586496 # Reference: https://twitter.com/bl4ckh0l3z/status/1352927832754843652 # Reference: https://www.virustotal.com/gui/file/f155131f21cb1fbabc5e1d4e29858caea240bc30a38826ce0671c27eb231cb0b/detection # Reference: https://www.virustotal.com/gui/file/cd361f4f5cfd28c11a9e305f841cc173a04911fbf37ef8cad798a37a4ebe2a69/detection # Reference: https://www.virustotal.com/gui/file/cd361f4f5cfd28c11a9e305f841cc173a04911fbf37ef8cad798a37a4ebe2a69/detection # Reference: https://www.virustotal.com/gui/file/b1cf84700e37ff608ea0ebd179dc6909ad48f0a68031ac88d276ad334d7c0f39/detection http://178.132.3.230 178.132.3.230:5987 iwillsecureyou.com myabcxyz.ddns.net obs1.ddns.net # Reference: https://twitter.com/malwrhunterteam/status/1344989314409754625 # Reference: https://twitter.com/bl4ckh0l3z/status/1345446556003143681 # Reference: https://www.virustotal.com/gui/file/6d1a8a655b62220ba415b06e34a7a7970fe745074d83608fadc57fc0c22fe3a7/detection 93.115.28.37:42474 pigeonmessenger.app # Reference: https://twitter.com/malwrhunterteam/status/1349329349380550656 # Reference: https://www.virustotal.com/gui/domain/umengs.sanxikou.cc/relations # Reference: https://www.virustotal.com/gui/file/d0f36b9a19cee045c79af58d58b24dcab3850dfd21d1079920ac6f1e8554666e/detection 47.240.50.196:42474 47.91.170.222:42474 umengs.sanxikou.cc # Reference: https://www.virustotal.com/gui/file/209998484f18f69fe608d658b9f5c8afdb4530308ddcf06b20703a764d89e7d1/detection http://103.93.79.32 103.93.79.32:9000 # Reference: https://twitter.com/sysk1ll3r/status/1371567150704525316 # Reference: https://github.com/CYB3RMX/MalwareAnalysis101/blob/master/Android/Kbank/ReportKbank.txt 103.159.80.61:8700 # Reference: https://www.virustotal.com/gui/domain/crayzzik.ddns.net/relations # Reference: https://www.virustotal.com/gui/file/99949dfcbcf839e50ed3aa42ebdbf2d3aa1b26847eef8bff7cdbd5f7bcb30614/detection crayzzik.ddns.net # Reference: https://www.virustotal.com/gui/file/f941fae5480184428b3724bef1bd2fafd4d8c959ba831563d6877f09e6426b36/detection 193.161.193.99:51805 # Reference: https://www.virustotal.com/gui/file/3a998217822cc5db7d6540f6d1cc907400a97c55d397438e05a14539a299f8c9/detection 176.9.70.180:22222 dihavnewapp.xyz # Reference: https://www.virustotal.com/gui/file/8c99919e6837d693f7cbd1cb8f6fe4d354dd28d1a9864cd898934cb6dccb1d59/detection 193.161.193.99:37614 cheeta-37614.portmap.host # Reference: https://www.virustotal.com/gui/file/f90ac69c7817cd7164c03f3b78f03045bb6a3ebb6d2c4f01b36387cb3e5ca37b/detection 108.61.210.74:1166 185.141.62.35:1166 208.101.60.87:1166 213.244.123.150:1166 66.220.147.44:1166 93.115.28.195:1166 scr.selfip.net # Reference: https://www.virustotal.com/gui/file/4a7eea45ace28678e0fabb77196d9845eeb80e675006ca4b58a5fe6e360c3e7d/detection 3.130.209.29:21572 # Reference: https://twitter.com/malwrhunterteam/status/1481236472061743104 # Reference: https://twitter.com/LukasStefanko/status/1481960668186226695 # Reference: https://www.virustotal.com/gui/file/3db0d587001285f306fbdd73d29ad62ee826a0c27585ebaaf1d993504fdacc5f/detection chitchat.ngrok.io wetalk.ngrok.io # Reference: https://twitter.com/malwrhunterteam/status/1484835454985850882 # Reference: https://www.virustotal.com/gui/file/c351bf2fa876cefe5fb8d6e6f5764364456f3fa89eef83d3743bd1702fffefd9/detection 195.58.38.192:22222 # Reference: https://www.virustotal.com/gui/file/d4ab7d2f4ba6875f149f4168646aa73f6fbd33479d32b34e5a31c72da73b382d/detection 206.189.80.59:22964 # Reference: https://twitter.com/malwrhunterteam/status/1496800388321722370 # Reference: https://www.virustotal.com/gui/file/be3341e32f700d6eb86540c1b4bf864b9a0da006bb56a97aa891d5be081d9046/detection robertapollysexy.com # Reference: https://www.virustotal.com/gui/file/be3341e32f700d6eb86540c1b4bf864b9a0da006bb56a97aa891d5be081d9046/detection androidrapido.com # Reference: https://www.virustotal.com/gui/file/2d7d3de64cd33f74e337c50855353506c3a45971e003f98fc137d5df62d9369b/detection 3.141.142.211:12098 # Reference: https://www.virustotal.com/gui/file/ddc9d251af6e67bce5f95065a1d49dd85bde2b2cc177c12cf36abdbfa1907d87/detection 193.161.193.99:48147 yourboss-48147.portmap.io # Reference: https://www.virustotal.com/gui/file/be3341e32f700d6eb86540c1b4bf864b9a0da006bb56a97aa891d5be081d9046/detection o731193.ingest.sentry.io # Reference: https://twitter.com/malwrhunterteam/status/1574465208340418575 # Reference: https://www.virustotal.com/gui/ip-address/185.136.162.238/relations # Reference: https://www.virustotal.com/gui/file/49c8539b26c8c7134e2ee14688eb14410690d748e4a3c105d8722f3a8983013c/detection 185.136.162.238:9108 appreviewhelper.com chatindian.xyz beautynaturali.ddns.net server-chat1.chatindian.xyz # Reference: https://twitter.com/malwrhunterteam/status/1581003205516722176 # Reference: https://www.virustotal.com/gui/file/fb40823417fabe77dda51d836c8b69699e14c528468b50aef6c917810ae02098/detection 172.104.187.113:8092 miya3jh1z.xyz c9dz99.miya3jh1z.xyz # Reference: https://twitter.com/malwrhunterteam/status/1590070110240538627 # Reference: https://www.virustotal.com/gui/file/06a253cddba6ac9686939527075e2235b7741ea6903349d86a1a33543af7fcfa/detection letchitchat.info # Reference: https://twitter.com/ReBensk/status/1622580063664472064 # Reference: https://www.virustotal.com/gui/file/1c6fa481ca4c332228be0e183e700e97febc1af6c90d07609514184434d2d70a/detection 43.204.187.172:500 hiddenpirates.com forward.hiddenpirates.com # Reference: https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/ # Reference: https://www.virustotal.com/gui/file/dcec293ce8daf454170b6bbb95d4ac6c70c943b40673ef4f225b96abc003093e/detection # Reference: https://www.virustotal.com/gui/file/aa06b4f63fb8037e1f57a063f6a6b5fbe4615247458433c578644628e54a4216/detection # Reference: https://www.virustotal.com/gui/file/0e88140c921493b587adcba8a586f289bedca8517c069cc8c7fbce21206453d8/detection # Reference: https://www.virustotal.com/gui/file/0e88140c921493b587adcba8a586f289bedca8517c069cc8c7fbce21206453d8/detection 13.215.7.130:22222 13.228.247.118:22222 149.28.142.29:8085 80876dd5.shop order.80876dd5.shop video-maker.ddns.net # Reference: https://twitter.com/malwrhunterteam/status/1678864160635904000 # Reference: https://www.virustotal.com/gui/file/fe8658e2f2481671b689f53d341f45b06351bd2104afa7ed58a147923d36bf5a/detection aichats.shop # Reference: https://twitter.com/malwrhunterteam/status/1688651241922920449 # Reference: https://www.virustotal.com/gui/file/25adacf654c3c0fb99ae8dcdb50abbac335163a61d4708c05eab787a9791914b/detection # Reference: https://www.virustotal.com/gui/file/70479e67efb9dc2f630410d87e8b8c62be879f16cb5623db3967a6b49b4f6ed3/detection 185.136.162.238:56798 exclusivestore.in server.chatindian.xyz # Reference: https://twitter.com/RustyNoob619/status/1694022693014712377 # Note: censys.io request: (services.http.response.html_title="L3MON Manager") and services.port=`22533` 103.146.202.41:22533 123.60.143.74:22533 124.70.52.134:22533 13.232.81.83:22533 13.234.245.217:22533 138.3.244.157:22533 138.68.144.100:22533 139.59.7.66:22533 141.144.230.252:22533 144.91.106.189:22533 156.67.208.71:22533 157.230.203.142:22533 161.35.56.10:22533 161.97.152.170:22533 164.92.112.142:22533 167.71.18.99:22533 172.104.236.174:22533 172.104.238.185:22533 172.105.246.70:22533 178.250.246.46:22533 18.139.227.135:22533 18.236.82.135:22533 185.17.144.140:22533 185.208.172.225:22533 188.166.160.193:22533 195.123.212.30:22533 195.211.101.219:22533 206.81.7.25:22533 207.246.114.52:22533 209.58.169.94:22533 3.0.97.175:22533 3.142.246.136:22533 3.211.28.243:22533 3.91.220.81:22533 34.251.151.96:22533 43.156.240.185:22533 43.204.149.24:22533 43.240.224.206:22533 45.149.187.61:22533 47.108.249.177:22533 47.254.244.11:22533 47.63.166.22:22533 54.169.201.111:22533 54.237.80.247:22533 54.37.139.152:22533 65.0.18.71:22533 65.1.3.80:22533 65.108.61.91:22533 68.183.131.1:22533 82.146.49.131:22533 88.198.152.124:22533 91.191.147.97:22533 # Reference: https://threatfox.abuse.ch/browse/tag/L3MON/ http://144.24.156.3 http://161.97.102.40 http://34.251.151.96 http://54.200.196.104 110.50.87.237:85 122.165.225.42:22555 128.140.80.159:22533 128.199.111.140:22333 139.162.30.197:22533 157.245.23.86:22533 157.245.23.86:22535 158.101.25.78:443 158.101.25.78:9000 159.203.16.141:22533 161.97.102.40:22533 167.71.139.50:22533 170.187.226.247:22533 172.233.82.22:22533 173.254.240.26:22533 173.254.240.26:443 178.128.31.16:3001 184.169.216.66:443 184.75.254.203:22533 188.166.160.193:22535 189.169.129.114:22533 20.102.192.219:22533 20.117.108.93:22533 20.122.16.244:22533 200.54.37.90:22533 207.246.114.52:443 209.250.254.13:22533 213.136.73.171:22533 3.22.132.176:22533 45.79.237.45:21533 51.77.159.52:22533 54.255.204.248:22533 82.176.77.143:22733 db.nya.lat host.md-faisal.com md-faisal.com nontonlah.site nya.lat srv001e.feja111.de zoonux.nontonlah.site # Reference: https://www.virustotal.com/gui/file/23d4cd610194c825dc926fe5e84e6d5c999d25b6bbd766d19b543ee18160245c/detection # Reference: https://www.virustotal.com/gui/file/d058774436ddef427174561ff235be10207f7804d9e185a484849d0cb2267985/detection 00x19.hopto.org # Reference: https://twitter.com/ShilpeshTrivedi/status/1726114982570651870 # Reference: https://www.virustotal.com/gui/file/601637fa23a28872bf48a9e441e35be2acc5f99a6a4d64ea9eaa6fe89aa115d5/detection # Reference: https://www.virustotal.com/gui/file/c8772f743faa1c33fbe1ecc966cc52669115470734fdd54874dde774b35c1979/detection # Reference: https://www.virustotal.com/gui/file/83a9f69242ef8bc5484c3724dee9399a185fee69b3a8538d3d05e1ab74202e96/detection # Reference: https://www.virustotal.com/gui/file/601637fa23a28872bf48a9e441e35be2acc5f99a6a4d64ea9eaa6fe89aa115d5/detection 142.4.102.7:8092 k7hu3a.top c91phchat.k7hu3a.top # Reference: https://twitter.com/karol_paciorek/status/1729070903936565401 # Reference: https://tria.ge/231127-k9kkeafe96/static1 122.144.6.226:4782 # Reference: https://www.virustotal.com/gui/file/88736218aa4249a8f2964ff8d55105eb69bb0549eddc849c70c6b10e4951ae60/detection 197.0.122.231:1122 updatt.publicvm.com # Reference: https://twitter.com/karol_paciorek/status/1750481398626947286 91.245.44.46:4446 91.245.44.46:81 # Reference: https://www.virustotal.com/gui/file/20ed03b4ef00bd5ea698568e1a5968825dbba032169027b4a13ad4a783eb316f/detection 46.246.98.161:6000 # Reference: https://twitter.com/banthisguy9349/status/1756398753081143615 # Reference: https://www.virustotal.com/gui/file/76fa625d0ce6ad454d44541fad76438f5fdc9311b7327b85b742454e2b1dd3d9/detection http://45.86.163.142 212.83.61.197:22222 45.86.163.142:22533 # Generic /pgb9umnsh_m1pgb9umn.html # APK /AF_News.apk /AVATRADE_APP.apk /ChatinIncognito.apk /ROCKFORT_APP.apk /Pigeon_Messenger.apk /whatsapplite.apk