# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: MetaDroid

# Reference: https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html

178.132.6.150:3000
185.215.113.42:3000
185.215.113.81:3000
185.215.113.94:3000

# Reference: https://twitter.com/malwrhunterteam/status/1447613589456621569
# Reference: https://twitter.com/malwrhunterteam/status/1506698319992655875
# Reference: https://twitter.com/a1exeremin/status/1447679196042604544
# Reference: https://twitter.com/ViriBack/status/1475455704571985921
# Reference: https://www.virustotal.com/gui/ip-address/185.215.113.100/relations
# Reference: https://www.virustotal.com/gui/file/1261e271402ea43f0a51294c7037b6d9da627500ea7e6644f5b9f608f7368928/detection
# Reference: https://www.virustotal.com/gui/file/0911af4b050e632cba517adcf27e2550cb5685e8c88cea2ff164ecb0bdc42904/detection
# Reference: https://www.virustotal.com/gui/file/81249654f8bdea0a179afe97e7abf7d455f2ef821ea1c24521cecdcc8b7d3bdf/detection
# Reference: https://www.virustotal.com/gui/file/f42e34e3f19589895467eb15a73605df302cafd0ed0dedc571308e3ce55f8a78/detection
# Reference: https://www.virustotal.com/gui/file/c509ce7942ec45ba33eee473aacc158c5750957a56929bce07f2f31c59b395e0/detection

185.215.113.81:3000
185.215.113.100:3000
185.215.113.100:3434
185.215.113.59:3434
193.106.191.148:3434
ermac.icu
fghjngjkjgy.ga
/2iq5gqb84krcezxjhl.php
/2lsqn0nw5n.php
/3nl3.php
/5kvoe.php
/5yk3j1gowg5c.php
/a357na0rnxbw9illf.php
/cc3t9t7rdfz8.php
/kch7j27y5welfhkzqt.php
/lf7xbkvzloig.php
/p5ndowme.php
/wzv3g0jmiwua.php
/x9v8e.php
/xxovkl45054m1rmu.php

# Reference: https://twitter.com/malwrhunterteam/status/1514928660675014656
# Reference: https://www.virustotal.com/gui/file/fc09f1e1b7fcf70770b0d52c5f203472c10dc98b6717b2f0bc343b5d1947056f/detection
# Reference: https://www.virustotal.com/gui/file/c7e7489531d3fa243cd775cfafacefd473f2ae71a3e9cdd5331db60a11198896/detection

194.26.29.28:3434
/0kkl5nd7i2956678a9l.php
/1qk5jb1m6l2fka.php
/48tznctyvhev920.php
/4g1o0.php
/5eqr7narx7uarp.php
/9b5786npucessoc.php
/drg23mwx9.php
/edwypp9a1.php
/goljim4v58rk782.php
/h4ry5wb03lys5.php
/i9924d17g.php
/kpak1iq09.php
/mi0sr3c1qc1qir.php
/q9sf5kefkvxt94.php
/v6gbc9rsq3q1dt.php
/vfcakqx84rt6gwj.php
/xirbarg7dz.php
/yk1j2r7.php
/zfww.php

# Reference: https://twitter.com/pmmkowalczyk/status/1516779700953174017
# Reference: https://www.virustotal.com/gui/file/4b4712848697ba87a74eadca39afd93fc22b436647c4186879a19b12fc8ecc88/detection
# Reference: https://www.virustotal.com/gui/file/b35a51dd3d07f023f2235772857c8d04ec420e5f8fcf1ef3a416af4400cdb4fb/detection

193.106.191.116:3434
/4ugv0rt87ey1prjrx.php
/7919kocnto1lxhulud8.php
/8cepqi41rstpl4uv.php
/8p2yidc2m8atj8lb.php
/cmgiusaew29n0qyd3i1m.php
/cq05tmqtkaxft5qv769g.php
/f06osvq.php
/g89k5v1v.php
/gh1ieakq3.php
/qfinq.php
/qlwgp1d813.php
/s56680kc36e1ruhyb.php
/tc5gm7omu7en6.php
/u5xujynybl.php
/utv23m.php
/wmzjb4ijh.php

# Reference: https://twitter.com/ESETresearch/status/1526897310231322630
# Reference: https://blog.cyble.com/2022/05/25/ermac-back-in-action/
# Referennce: https://otx.alienvault.com/pulse/628e4b375bc6bbd74c7b920e
# Reference: https://www.virustotal.com/gui/file/2cc727c4249235f36bbc5024d5a5cb708c0f6d3659151afc5ae5d42d55212cb5/detection

http://185.215.113.100
http://193.106.191.116
http://193.106.191.118
http://193.106.191.121
http://193.106.191.148
185.215.113.100:3434
193.106.191.116:3434
193.106.191.118:3434
193.106.191.121:3434
193.106.191.148:3434
bolt-food.site
boltfood.site
/wfxgi.php
/gehwonr1ja.php
/5xeer7yia3fb0h.php
/bjcwnlxnqjq.php
/0xdflkzbi.php
/15s9gps5jkj0tuzp.php
/p2ocy7hfx30vz.php

# Reference: https://twitter.com/malwrhunterteam/status/1527732575401304066
# Reference: https://www.virustotal.com/gui/file/59e83ad07fc5944c90d06f8528d32c8cf3bd85da28cd4c4a6161d3413393c60a/detection

a2zgstcenter.com
design.a2zgstcenter.com
files.a2zgstcenter.com
fu.a2zgstcenter.com
kinkyapp.a2zgstcenter.com
onflyfansleaks.a2zgstcenter.com
porno.a2zgstcenter.com
track.a2zgstcenter.com
ys.a2zgstcenter.com
/damxvy2x006.php
/rrg748vxuxk.php

# Reference: https://twitter.com/malwrhunterteam/status/1527985074825732099
# Reference: https://www.virustotal.com/gui/file/f4d18662c927380a2d30eba367fafd3746fa137df499cb50d49e591a420aa95d/detection

http://45.141.85.25
45.141.85.25:3434
apkphoto.co.nz
/4nep90ruob0vphc.php
/78nyseehouzeh05xv98.php
/adbo5is6.php
/cyl392t.php
/f0j0aden00d2n.php
/gc3juqpqdcl.php
/i9hna3hczxbyqx.php
/jlsh5yrqgwxo.php
/njz0de7jwqjmeqx.php
/sy34cndqt.php
/u63suuv3728n8.php
/xnp7uhisi.php
/zw1zlr4oip6zt53rsbr.php

# Reference: https://tria.ge/220713-l3xrtscgdn/behavioral2

45.141.85.29:3434

# Reference: https://www.virustotal.com/gui/file/e75f008435339b5eedf30d49e93a164010c8fce9dc790535cf4fdab23d1bdc79/detection

45.141.85.30:3434
/2cuql1007.php
/3strcfz6fzvvdkk86.php
/69g567pf.php
/gw6zjp39mq9aov42w.php
/p42nthjhtt7tv.php

# Reference: https://www.virustotal.com/gui/file/042fd9bfb520cfd143d17d0b17982fe8fa598f0877a4d4e2d5b93d68d3280f75/detection

62.204.41.182:3434
/1a7g3gvdsp7zgj9ye9.php
/46fjsc5d77c7.php
/6d6rfa.php
/6w1lw42jwg3jcpycz38d.php
/713840vf2wh2p.php
/dkt6fwsob9g0afi116.php
/do9phtic6b1p.php
/fm9kx9zdpybqb7du.php
/jcvq6way.php
/uol23q.php
/uxh4xo.php
/vdfy6u9eqabv8qo50y.php
/xkwdo.php
/zd9je6271tn1jod0spe.php

# Reference: https://www.virustotal.com/gui/file/937fde61a2239182fcf4f2d3429e3d691ccea1bab75a1f01d04e7b849f14446f/detection

45.141.85.31:3434

# Reference: https://www.virustotal.com/gui/file/119847544d8d823c2bf7a541f446eb05eec0ca22cb0222583fdca173ace25074/detection

45.141.84.92:3434
/19m9op5.php
/hbqr3kez6gcd87.php
/j7nr3wg6slk7ed9ab41.php
/k00fejs2rbvxmv.php
/nnfuf72mfwfp4u3hga62.php
/pbzcd4xy09a.php
/su6hftlfphhc.php

# Reference: https://twitter.com/0xrb/status/1564222855830597632
# Reference: https://www.virustotal.com/gui/file/4ee64040dca285932d0533ef2f5715445347783dc941ad93465d632a8e25f00a/detection

http://62.204.41.98
62.204.41.98:3434

# Reference: https://twitter.com/r3dbU7z/status/1564501672340197376

http://108.61.166.245
http://194.26.29.28
http://20.249.63.72
http://213.226.123.8
http://216.238.71.179
http://45.141.84.92
http://45.141.85.29
http://45.141.85.30
http://45.141.85.31
http://62.204.41.182
108.61.166.245:3434
194.26.29.28:3434
20.249.63.72:3434
213.226.123.8:3434
216.238.71.179:3434
45.141.84.92:3434
45.141.85.29:3434
45.141.85.30:3434
45.141.85.31:3434
62.204.41.182:3434

# Reference: https://twitter.com/0xrb/status/1564546929110835200

http://51.15.150.5
51.15.150.5:3434

# Reference: https://twitter.com/AuCyble/status/1580552579452313600
# Reference: https://www.virustotal.com/gui/ip-address/103.109.101.137/relations

apk-combos.com
app-vidmate.com
app-vidmates.com
app-vidmates.link
m-apkpure.com
m-apkpures.com
paltpal-apk.com
snacpchat-apk.com
tlktok-apk.link
vidmate-apps.com
vidmates-app.com
vidmates-apps.com
vidmatesapp.com

# Reference: https://twitter.com/malwrhunterteam/status/1595130983061553152
# Reference: https://www.virustotal.com/gui/file/387c41679ac3de139fd175e22ba4f8019eb82d5125a2c9ac26e3f2b3ee4519e1/detection

wifi-autorisation1.com

# Reference: https://twitter.com/malwrhunterteam/status/1603105701278240769
# Reference: https://www.virustotal.com/gui/file/8c89fa9a0d6656b60ac91018a1feff58945b07e560b549a8f56440a2d00377d7/detection

176.113.115.66:3434

# Reference: https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html
# Reference: https://www.virustotal.com/gui/file/768b561d0a9fa3c6078b3199b1ef42272cac6a47ba01999c1f67c9b548a0bc15/detection
# Reference: https://www.virustotal.com/gui/file/8d1aabfb6329bf6c03c97f86c690e95723748be9d03ec2ed117376dd9e13faf0/detection

193.233.196.2:3434
5.42.199.22:3434

# Reference: https://www.virustotal.com/gui/ip-address/63.250.60.42/relations
# Reference: https://www.virustotal.com/gui/file/23536a2a04baf0f2432e38faf71d8480c308429c4c9ba6d03157b35672df7ed5/detection
# Reference: https://www.virustotal.com/gui/file/99397c9a53400130039479da2e8064daf0afcca71ef237d0d2c1f029d445f16f/detection

evjvrrxkgrohvbmogcjl.net
mcoxxpqxysmvsmbiqxjx.net

# Reference: https://twitter.com/malwrhunterteam/status/1631638354088407040
# Refereence: https://www.virustotal.com/gui/file/0756fbd9ecb958b7a3615ea9e6b78c0e2a66d33bd13c8af565bc5358f69fa0ee/detection

176.100.42.11:3434
directlink.info

# Reference: https://twitter.com/0x6rsk/status/1634185009798971397
# Reference: https://www.virustotal.com/gui/file/a86e95eb058725eeaa326655208e1fe4e70140303be07fc3bc92f01bca7aa1d6/detection

35.91.53.224:3434

# Reference: https://twitter.com/Gi7w0rm/status/1641570957352488961
# Reference: https://twitter.com/Gi7w0rm/status/1641603152607694848
# Reference: https://twitter.com/Gi7w0rm/status/1641604541677223936

http://176.100.42.11
http://91.215.85.23
canamacan.sc.ug

# Reference: https://twitter.com/0xrb/status/1641700350372478976

http://185.186.246.69
http://5.42.199.22

# Reference: https://twitter.com/jstrosch/status/1645874394684858368
# Reference: https://www.virustotal.com/gui/file/45a3846d33e39937fc3211675bc9a2a3b2634af80edec629b89f3ea27a5c0b93/detection
# Reference: https://www.virustotal.com/gui/file/0399d5868f1c7ace8585daba2b93d794a19dd354f95a2c5ae0bc870237c9eb37/detection

http://91.215.85.37
91.215.85.37:3434

# Reference: https://threatfox.abuse.ch/browse/malware/apk.hook/

http://45.93.201.92
http://91.215.85.223
45.93.201.92:3434
91.215.85.223:3434

# Reference: https://twitter.com/TLP_R3D/status/1646228697156812821

http://141.8.199.8
http://46.173.218.30