# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery list131.ignorelist.com # Reference: https://twitter.com/guelfoweb/status/1105493553030053888 # Reference: https://twitter.com/JaromirHorejsi/status/1105447086361923584 schoolfurniturecompany.com # Reference: https://twitter.com/x42x5a/status/1111247631223791617 tsesser.duckdns.org # Reference: https://twitter.com/pollo290987/status/1113335382878425088 fada101.servehttp.com # Reference: https://twitter.com/James_inthe_box/status/1113423296211562497 91.192.100.8:47583 # Reference: https://twitter.com/Racco42/status/1115259915877146625 maxcoopart80.ddns.net # Reference: https://twitter.com/x42x5a/status/1116608057268527105 # Reference: https://app.any.run/tasks/e89ec46a-0637-4b24-9802-08cc19459bef 185.140.53.17:2888 # Reference: https://twitter.com/James_inthe_box/status/1118904407792345090 mydnssbox.gleeze.com # Reference: https://reaqta.com/2019/04/ave_maria-malware-part1/ maxibrainz.warzonedns.com 91.192.100.61:2580 # Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ (# AveMaria) tain.warzonedns.com noreply377.ddns.net server.mtcc.me doddyfire.dyndns.org toekie.ddns.net warmaha.warzonedns.com 185.162.131.97:222 # Reference: https://twitter.com/Racco42/status/1130511314537918465 mailsle001.duckdns.org mazzet990.duckdns.org # Reference: https://twitter.com/Lvanoel/status/1131441015922057217 # Reference: https://app.any.run/tasks/b00d980c-615c-433a-b549-36253786f9cb/ 145.239.202.109:1013 145.239.202.109:1018 # Reference: https://twitter.com/Racco42/status/1132911306472919040 hiswar45.warzonedns.com # Reference: https://twitter.com/abuse_ch/status/1145697917161934856 fuckoffesetdetectmysleep.com # Reference: https://twitter.com/HerbieZimmerman/status/1151196743201173507 respainc.duckdns.org # Reference: https://twitter.com/James_inthe_box/status/1151953182869741568 masterprof.warzonedns.com # Reference: https://twitter.com/James_inthe_box/status/1156163867744935938 dephantomz.duckdns.org # Reference: https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/ anglekeys.warzonedns.com # Reference: https://twitter.com/ps66uk/status/1159446703185047552 95.168.191.77:1436 dd122.duckdns.org # Reference: https://twitter.com/anyrun_app/status/1159700318478897152 # Reference: https://app.any.run/tasks/b89006cd-dba0-4bc3-8a16-002f4ccc416b/ 37.120.159.243:21204 aidsweden.serveblog.net # Reference: https://twitter.com/James_inthe_box/status/1161273917689880576 millionways.duckdns.org # Reference: https://twitter.com/Lvanoel/status/1161511143174823936 # Reference: https://app.any.run/tasks/bf09de69-e3b4-41d6-9d1e-d4875f9bca16/ 79.134.225.39:2134 ndubaba45.warzonedns.com # Reference: https://twitter.com/killamjr/status/1163429097273516032 wealthyblessed.warzonedns.com # Reference: https://twitter.com/tkanalyst/status/1167210316406484992 # Reference: https://app.any.run/tasks/bf11ba41-b5bf-4fed-8769-eebdf6b50760/ 185.70.184.34:3367 # Reference: https://www.virustotal.com/gui/file/544b299edea483bae81f71b7225aaa835ab025bcb6bd79b2d4ea9e2fe015c28f/behavior/Tencent%20HABO wealthyme.warzonedns.com # Reference: https://www.virustotal.com/gui/file/25a549daef7a464b48239af1d40f8aebba64dbadcbda0e99ce66b501aab7e36f/behavior/VirusTotal%20Jujubox ebase.duckdns.org # Reference: https://www.virustotal.com/gui/file/ece090a78dd15d62d2135e97df60c4aadd91a47febfa871394155bf367fde6fd/behavior/VirusTotal%20Jujubox warzo.duckdns.org # Reference: https://www.virustotal.com/gui/file/7c76424b56e4a678617fa9020a57c8342947ad883f747344f14520dee6f124a9/behavior/Dr.Web%20vxCube levelup.publicvm.com # Reference: https://www.virustotal.com/gui/file/da626882f225ded5ba58cefb4585de0c5a42f8e5fc9eb5b7762ef297187bf3fc/behavior/Lastline helloworld.ddnsking.com # Reference: https://www.virustotal.com/gui/file/2fdb79ca19e2ff06973e49b53ae627adfdf34a6f166f167fbceebb6c1cd60da3/behavior/Lastline millionways.duckdns.org # Reference: https://www.virustotal.com/gui/file/e8c68dd2e6fc0c1cacb27461dff68dcf16a8aa41af9e84b38b0cad8457789a6f/behavior/Lastline amariceo.duckdns.org # Reference: https://www.virustotal.com/gui/file/733a272f202c9917b877be278df24368daa6de101a2b804ccb45b48c6119c6fa/behavior/Lastline eclass47.duckdns.org # Reference: https://twitter.com/wwp96/status/1170333909982285824 # Reference: https://app.any.run/tasks/32422cdd-19d0-40cf-87d9-cb08e706405a/ 185.165.153.12:1033 jsbcdns.warzonedns.com # Reference: https://twitter.com/wwp96/status/1171410401885589509 # Reference: https://app.any.run/tasks/9e8d008e-653e-4af0-bfa4-ac05910853d4/ 79.134.225.107:6703 naval.duckdns.org # Reference: https://twitter.com/w3ndige/status/1179711138981957633 # Reference: https://app.any.run/tasks/a5a9e2f9-45bc-4760-8fad-3683d76aaf56/ 94.237.114.17:59221 linuxpro1.warzonedns.com # Reference: https://twitter.com/killamjr/status/1189750151155474432 # Reference: https://app.any.run/tasks/abcdb43f-c221-4ffe-9598-c7d6a2301395/ # Reference: https://www.virustotal.com/gui/file/80c027aea4017e2a6ef61cb5d2da2f5cd5c47a6bb082f3172be668fa85f3b3ef/detection 142.44.161.51:5371 # Reference: https://pastebin.com/29uSdMAk # Reference: https://www.virustotal.com/gui/file/a75dad61090b4575f360310d59647560ce9faaff047ad7513fde736ea90aec4e/detection # Reference: https://www.virustotal.com/gui/file/546dcac6a5fc155afcc19a4b74effff13414636362129cdbe73d47e994dc39b4/detection # Reference: https://www.virustotal.com/gui/file/a2bf4a9a1d776cf793a97d0b6fc37b63dcb55f7e4793070df5cc265f59e06f97/detection 185.165.153.46:83 # Reference: https://pastebin.com/29uSdMAk # Reference: https://www.virustotal.com/gui/file/c3b48986b1377673856f5500f9c79ec3de25c51c10e44e09e9385ce779dd0f6b/detection # Reference: https://www.virustotal.com/gui/file/a11b7ef1b9ae4b05deec96035b8173d79861f3c661a66cb08ec5b7cb7993981a/detection 173.254.223.68:5005 37.49.225.237:5009 79.134.225.21:2244 favour.ddnsgeek.com # Reference: https://twitter.com/wwp96/status/1191754793737428993 # Reference: https://app.any.run/tasks/941b2543-3fdf-49f1-ab81-4ef621930c66/ # Reference: https://app.any.run/tasks/461f8149-bc37-4081-920f-002c2ece10be/ 185.165.153.150:6703 rentals.insidedns.com # Reference: https://www.virustotal.com/gui/file/01018330ea410c2b49df4ec0ef0b5867a708b9102a780fa230aabf0391c0b82d/detection craftedfollowing.duckdns.org # Reference: https://www.virustotal.com/gui/file/cde18266fd65ee26cd546a95f7e3b629b4f13b8101d0a7ced282b2fee1d4c673/detection 185.222.202.74:1515 79.134.225.105:2404 # Reference: https://www.virustotal.com/gui/file/456b827c946facaadae9a11182d864e21db248f17a24309eaee0798c1043d5bb/detection 79.134.225.89:3366 # Reference: https://www.virustotal.com/gui/file/d84fdbc7ba1461fa0609661a13b434e2c791d6d0e6d2bba1c431175ad6d13731/detection 79.134.225.89:5200 # Reference: https://www.virustotal.com/gui/file/52cca8d3b984b5116ba625d2379b3d171e0e4a3d932a8afc740c136db2b611ea/detection ventm.warzonedns.com # Reference: https://www.virustotal.com/gui/file/883562a2a36809c07e2368a7d0fd47e8e8fc23a839837f1ebe64b86dcc3209d5/detection 79.134.225.74:2404 79.134.225.89:2404 behco.duckdns.org paris4real111.ddnsfree.com # Reference: https://www.virustotal.com/gui/file/dbfe4a369975251fd14e5d160f2edde33942723a9bb3b4e6b5f445dd5b9dc549/detection 75.127.5.164:4741 # Reference: https://www.virustotal.com/gui/file/e8c68dd2e6fc0c1cacb27461dff68dcf16a8aa41af9e84b38b0cad8457789a6f/detection 185.244.31.248:4741 # Reference: https://www.virustotal.com/gui/file/6059d33a2b43a5a840dd6525d7eeae99675e969a7d34f9a3fde663abec093abd/detection 41.111.120.82:5200 # Reference: https://www.virustotal.com/gui/file/f73bb2cac3348f9a3154d9c3761aaab9480c22c90272b8c6a2d12d03026545bd/detection 185.62.190.76:5200 # Reference: https://www.virustotal.com/gui/file/f92a5c1fbc216d4fa074f16df7cd779c7df900a8c83850fa28d375ae651a1ede/detection 194.5.98.28:1033 jsbcdns.warzonedns.com # Reference: https://www.virustotal.com/gui/file/a059e3d18e6769f4b57c0e6703194d490d4acfaac10d51e97deccf97ebdc543b/detection 194.5.98.82:6093 importa.100chickens.me # Reference: https://www.virustotal.com/gui/file/9c4d9735c010d737541d4992ea3263c7d9197892184ff1809b0bb57e4ce2f0fe/detection 51.77.254.184:2324 7fantasma.duckdns.org # Reference: https://www.virustotal.com/gui/file/12ed11e75e0520eea52213b3f9f5f727d3639af2539d38642a2d8306ec19104a/detection 79.134.225.25:6558 chukdominic.duckdns.org # Reference: https://www.virustotal.com/gui/file/f617de752f017722e0771b83b3f69ce38a4ba84602511ba91fccb84ea2fda7fc/detection 192.169.69.25:4070 benzkartel.duckdns.org # Reference: https://www.virustotal.com/gui/file/77819732b5a4837ca3594ef86d606a48c064441411d08a539514fcc5d91218cd/detection # Reference: https://www.virustotal.com/gui/file/0a4462d6b14ff52e9b445e260194357900ba7dbbe80774eb010b44e1bd4ee9a9/detection 192.169.69.25:5399 eclass47.duckdns.org # Reference: https://www.virustotal.com/gui/file/b7346a155d02bd68ff67f5546609f9d75057d5efd90a6376e977ef7ea869e2f2/detection 45.61.49.107:5240 tunechi101.warzonedns.com # Reference: https://www.virustotal.com/gui/file/07392385f56ddda989d5ad8bd8de01b108412982b159ac75e204be143d68b240/detection 185.62.188.136:5200 # Reference: https://www.virustotal.com/gui/file/dbfe4a369975251fd14e5d160f2edde33942723a9bb3b4e6b5f445dd5b9dc549/detection 75.127.5.164:4741 # Reference: https://www.virustotal.com/gui/file/c586ff7830ff31f8c053edb8f2629df87906bb01ec30f9e35bd29022ebea8419/detection 79.134.225.106:1177 praize19791.duckdns.org # Reference: https://www.virustotal.com/gui/file/d441cff2ab9244e49f4bc3b05eca90d9249a6e2618e5e4bd9b0a54097facb48b/detection 93.177.75.154:3151 dinibel11.webhop.org # Reference: https://www.virustotal.com/gui/file/e066a5143b342f5c231f97bb7f4eb49635abcde57d786f33fa1038ddd6ede11a/detection 170.130.31.104:1670 madmulla.duckdns.org # Reference: https://www.virustotal.com/gui/file/4b6259416f03b0f5af3674e7bd388a4463c24d21de53a02dfcb9c662adf22e8f/detection 172.93.228.235:5880 genericmoney.duckdns.org # Reference: https://www.virustotal.com/gui/file/a24048a30789ba42ceb68f5cd75a408d5de9497cd5d2aa12b2577fcba6a69d9c/detection 192.69.169.25:5200 egonbute.duckdns.org # Reference: https://www.virustotal.com/gui/file/bf81ce4168621e55a21d9f2dcb7a4ece8d36872ee6ef907345c99c272cea4e99/detection 79.134.225.58:7555 # Reference: https://any.run/malware-trends/avemaria (Note: as seen on 2019-12-04) sub.winkcaffe.waw.pl vemvemserver.duckdns.org tain.rapiddns.ru info1.duckdns.org googleman.duckdns.org moran101.duckdns.org duc1234.duckdns.org onelove03.duckdns.org benzkartel.duckdns.org westernautoweb.duckdns.org qxq.ddns.net kenw16570.ddns.net johnevans04.ddns.net sub007.duckdns.org hustle4eva2.3utilities.com sandshoe.duckdns.org olavroy.duckdns.org chance2019.ddns.net # Reference: https://www.virustotal.com/gui/file/78ed84dd60c338ceb78a4d358f07437a383e435c385000404da66e570e2321cc/detection 91.193.75.181:3367