# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery list131.ignorelist.com # Reference: https://twitter.com/guelfoweb/status/1105493553030053888 # Reference: https://twitter.com/JaromirHorejsi/status/1105447086361923584 schoolfurniturecompany.com # Reference: https://twitter.com/x42x5a/status/1111247631223791617 tsesser.duckdns.org # Reference: https://twitter.com/pollo290987/status/1113335382878425088 fada101.servehttp.com # Reference: https://twitter.com/James_inthe_box/status/1113423296211562497 91.192.100.8:47583 # Reference: https://twitter.com/Racco42/status/1115259915877146625 maxcoopart80.ddns.net # Reference: https://twitter.com/x42x5a/status/1116608057268527105 # Reference: https://app.any.run/tasks/e89ec46a-0637-4b24-9802-08cc19459bef 185.140.53.17:2888 # Reference: https://twitter.com/James_inthe_box/status/1118904407792345090 mydnssbox.gleeze.com # Reference: https://reaqta.com/2019/04/ave_maria-malware-part1/ maxibrainz.warzonedns.com 91.192.100.61:2580 # Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ (# AveMaria) tain.warzonedns.com noreply377.ddns.net server.mtcc.me doddyfire.dyndns.org toekie.ddns.net warmaha.warzonedns.com 185.162.131.97:222 # Reference: https://twitter.com/Racco42/status/1130511314537918465 mailsle001.duckdns.org mazzet990.duckdns.org # Reference: https://twitter.com/Lvanoel/status/1131441015922057217 # Reference: https://app.any.run/tasks/b00d980c-615c-433a-b549-36253786f9cb/ 145.239.202.109:1013 145.239.202.109:1018 # Reference: https://twitter.com/Racco42/status/1132911306472919040 hiswar45.warzonedns.com # Reference: https://twitter.com/abuse_ch/status/1145697917161934856 fuckoffesetdetectmysleep.com # Reference: https://twitter.com/HerbieZimmerman/status/1151196743201173507 respainc.duckdns.org # Reference: https://twitter.com/James_inthe_box/status/1151953182869741568 masterprof.warzonedns.com # Reference: https://twitter.com/James_inthe_box/status/1156163867744935938 dephantomz.duckdns.org # Reference: https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/ anglekeys.warzonedns.com # Reference: https://twitter.com/ps66uk/status/1159446703185047552 95.168.191.77:1436 dd122.duckdns.org # Reference: https://twitter.com/anyrun_app/status/1159700318478897152 # Reference: https://app.any.run/tasks/b89006cd-dba0-4bc3-8a16-002f4ccc416b/ 37.120.159.243:21204 aidsweden.serveblog.net # Reference: https://twitter.com/James_inthe_box/status/1161273917689880576 millionways.duckdns.org # Reference: https://twitter.com/Lvanoel/status/1161511143174823936 # Reference: https://app.any.run/tasks/bf09de69-e3b4-41d6-9d1e-d4875f9bca16/ 79.134.225.39:2134 ndubaba45.warzonedns.com # Reference: https://twitter.com/killamjr/status/1163429097273516032 wealthyblessed.warzonedns.com # Reference: https://twitter.com/tkanalyst/status/1167210316406484992 # Reference: https://app.any.run/tasks/bf11ba41-b5bf-4fed-8769-eebdf6b50760/ 185.70.184.34:3367 # Reference: https://www.virustotal.com/gui/file/544b299edea483bae81f71b7225aaa835ab025bcb6bd79b2d4ea9e2fe015c28f/behavior/Tencent%20HABO wealthyme.warzonedns.com # Reference: https://www.virustotal.com/gui/file/25a549daef7a464b48239af1d40f8aebba64dbadcbda0e99ce66b501aab7e36f/behavior/VirusTotal%20Jujubox ebase.duckdns.org # Reference: https://www.virustotal.com/gui/file/ece090a78dd15d62d2135e97df60c4aadd91a47febfa871394155bf367fde6fd/behavior/VirusTotal%20Jujubox warzo.duckdns.org # Reference: https://www.virustotal.com/gui/file/7c76424b56e4a678617fa9020a57c8342947ad883f747344f14520dee6f124a9/behavior/Dr.Web%20vxCube levelup.publicvm.com # Reference: https://www.virustotal.com/gui/file/da626882f225ded5ba58cefb4585de0c5a42f8e5fc9eb5b7762ef297187bf3fc/behavior/Lastline helloworld.ddnsking.com # Reference: https://www.virustotal.com/gui/file/2fdb79ca19e2ff06973e49b53ae627adfdf34a6f166f167fbceebb6c1cd60da3/behavior/Lastline millionways.duckdns.org # Reference: https://www.virustotal.com/gui/file/e8c68dd2e6fc0c1cacb27461dff68dcf16a8aa41af9e84b38b0cad8457789a6f/behavior/Lastline amariceo.duckdns.org # Reference: https://www.virustotal.com/gui/file/733a272f202c9917b877be278df24368daa6de101a2b804ccb45b48c6119c6fa/behavior/Lastline eclass47.duckdns.org # Reference: https://twitter.com/wwp96/status/1170333909982285824 # Reference: https://app.any.run/tasks/32422cdd-19d0-40cf-87d9-cb08e706405a/ 185.165.153.12:1033 jsbcdns.warzonedns.com # Reference: https://twitter.com/wwp96/status/1171410401885589509 # Reference: https://app.any.run/tasks/9e8d008e-653e-4af0-bfa4-ac05910853d4/ 79.134.225.107:6703 naval.duckdns.org # Reference: https://twitter.com/w3ndige/status/1179711138981957633 # Reference: https://app.any.run/tasks/a5a9e2f9-45bc-4760-8fad-3683d76aaf56/ 94.237.114.17:59221 linuxpro1.warzonedns.com # Reference: https://twitter.com/killamjr/status/1189750151155474432 # Reference: https://app.any.run/tasks/abcdb43f-c221-4ffe-9598-c7d6a2301395/ # Reference: https://www.virustotal.com/gui/file/80c027aea4017e2a6ef61cb5d2da2f5cd5c47a6bb082f3172be668fa85f3b3ef/detection 142.44.161.51:5371 # Reference: https://pastebin.com/29uSdMAk # Reference: https://www.virustotal.com/gui/file/a75dad61090b4575f360310d59647560ce9faaff047ad7513fde736ea90aec4e/detection # Reference: https://www.virustotal.com/gui/file/546dcac6a5fc155afcc19a4b74effff13414636362129cdbe73d47e994dc39b4/detection # Reference: https://www.virustotal.com/gui/file/a2bf4a9a1d776cf793a97d0b6fc37b63dcb55f7e4793070df5cc265f59e06f97/detection 185.165.153.46:83 # Reference: https://pastebin.com/29uSdMAk # Reference: https://www.virustotal.com/gui/file/c3b48986b1377673856f5500f9c79ec3de25c51c10e44e09e9385ce779dd0f6b/detection # Reference: https://www.virustotal.com/gui/file/a11b7ef1b9ae4b05deec96035b8173d79861f3c661a66cb08ec5b7cb7993981a/detection 173.254.223.68:5005 37.49.225.237:5009 79.134.225.21:2244 favour.ddnsgeek.com # Reference: https://twitter.com/wwp96/status/1191754793737428993 # Reference: https://app.any.run/tasks/941b2543-3fdf-49f1-ab81-4ef621930c66/ # Reference: https://app.any.run/tasks/461f8149-bc37-4081-920f-002c2ece10be/ 185.165.153.150:6703 rentals.insidedns.com # Reference: https://www.virustotal.com/gui/file/01018330ea410c2b49df4ec0ef0b5867a708b9102a780fa230aabf0391c0b82d/detection craftedfollowing.duckdns.org # Reference: https://www.virustotal.com/gui/file/cde18266fd65ee26cd546a95f7e3b629b4f13b8101d0a7ced282b2fee1d4c673/detection 185.222.202.74:1515 79.134.225.105:2404 # Reference: https://www.virustotal.com/gui/file/456b827c946facaadae9a11182d864e21db248f17a24309eaee0798c1043d5bb/detection 79.134.225.89:3366 # Reference: https://www.virustotal.com/gui/file/d84fdbc7ba1461fa0609661a13b434e2c791d6d0e6d2bba1c431175ad6d13731/detection 79.134.225.89:5200 # Reference: https://www.virustotal.com/gui/file/52cca8d3b984b5116ba625d2379b3d171e0e4a3d932a8afc740c136db2b611ea/detection ventm.warzonedns.com # Reference: https://www.virustotal.com/gui/file/883562a2a36809c07e2368a7d0fd47e8e8fc23a839837f1ebe64b86dcc3209d5/detection 79.134.225.74:2404 79.134.225.89:2404 behco.duckdns.org paris4real111.ddnsfree.com # Reference: https://www.virustotal.com/gui/file/dbfe4a369975251fd14e5d160f2edde33942723a9bb3b4e6b5f445dd5b9dc549/detection 75.127.5.164:4741 # Reference: https://www.virustotal.com/gui/file/e8c68dd2e6fc0c1cacb27461dff68dcf16a8aa41af9e84b38b0cad8457789a6f/detection 185.244.31.248:4741 # Reference: https://www.virustotal.com/gui/file/6059d33a2b43a5a840dd6525d7eeae99675e969a7d34f9a3fde663abec093abd/detection 41.111.120.82:5200 # Reference: https://www.virustotal.com/gui/file/f73bb2cac3348f9a3154d9c3761aaab9480c22c90272b8c6a2d12d03026545bd/detection 185.62.190.76:5200 # Reference: https://www.virustotal.com/gui/file/f92a5c1fbc216d4fa074f16df7cd779c7df900a8c83850fa28d375ae651a1ede/detection 194.5.98.28:1033 jsbcdns.warzonedns.com # Reference: https://www.virustotal.com/gui/file/a059e3d18e6769f4b57c0e6703194d490d4acfaac10d51e97deccf97ebdc543b/detection 194.5.98.82:6093 importa.100chickens.me # Reference: https://www.virustotal.com/gui/file/9c4d9735c010d737541d4992ea3263c7d9197892184ff1809b0bb57e4ce2f0fe/detection 51.77.254.184:2324 7fantasma.duckdns.org # Reference: https://www.virustotal.com/gui/file/12ed11e75e0520eea52213b3f9f5f727d3639af2539d38642a2d8306ec19104a/detection 79.134.225.25:6558 chukdominic.duckdns.org # Reference: https://www.virustotal.com/gui/file/f617de752f017722e0771b83b3f69ce38a4ba84602511ba91fccb84ea2fda7fc/detection 192.169.69.25:4070 benzkartel.duckdns.org # Reference: https://www.virustotal.com/gui/file/77819732b5a4837ca3594ef86d606a48c064441411d08a539514fcc5d91218cd/detection # Reference: https://www.virustotal.com/gui/file/0a4462d6b14ff52e9b445e260194357900ba7dbbe80774eb010b44e1bd4ee9a9/detection 192.169.69.25:5399 eclass47.duckdns.org # Reference: https://www.virustotal.com/gui/file/b7346a155d02bd68ff67f5546609f9d75057d5efd90a6376e977ef7ea869e2f2/detection 45.61.49.107:5240 tunechi101.warzonedns.com # Reference: https://www.virustotal.com/gui/file/07392385f56ddda989d5ad8bd8de01b108412982b159ac75e204be143d68b240/detection 185.62.188.136:5200 # Reference: https://www.virustotal.com/gui/file/dbfe4a369975251fd14e5d160f2edde33942723a9bb3b4e6b5f445dd5b9dc549/detection 75.127.5.164:4741 # Reference: https://www.virustotal.com/gui/file/c586ff7830ff31f8c053edb8f2629df87906bb01ec30f9e35bd29022ebea8419/detection 79.134.225.106:1177 praize19791.duckdns.org # Reference: https://www.virustotal.com/gui/file/d441cff2ab9244e49f4bc3b05eca90d9249a6e2618e5e4bd9b0a54097facb48b/detection 93.177.75.154:3151 dinibel11.webhop.org # Reference: https://www.virustotal.com/gui/file/e066a5143b342f5c231f97bb7f4eb49635abcde57d786f33fa1038ddd6ede11a/detection 170.130.31.104:1670 madmulla.duckdns.org # Reference: https://www.virustotal.com/gui/file/4b6259416f03b0f5af3674e7bd388a4463c24d21de53a02dfcb9c662adf22e8f/detection 172.93.228.235:5880 genericmoney.duckdns.org # Reference: https://www.virustotal.com/gui/file/a24048a30789ba42ceb68f5cd75a408d5de9497cd5d2aa12b2577fcba6a69d9c/detection 192.69.169.25:5200 egonbute.duckdns.org # Reference: https://www.virustotal.com/gui/file/bf81ce4168621e55a21d9f2dcb7a4ece8d36872ee6ef907345c99c272cea4e99/detection 79.134.225.58:7555 # Reference: https://any.run/malware-trends/avemaria (Note: as seen on 2019-12-04) sub.winkcaffe.waw.pl vemvemserver.duckdns.org tain.rapiddns.ru info1.duckdns.org googleman.duckdns.org moran101.duckdns.org duc1234.duckdns.org onelove03.duckdns.org benzkartel.duckdns.org westernautoweb.duckdns.org qxq.ddns.net kenw16570.ddns.net johnevans04.ddns.net sub007.duckdns.org hustle4eva2.3utilities.com sandshoe.duckdns.org olavroy.duckdns.org chance2019.ddns.net # Reference: https://www.virustotal.com/gui/file/78ed84dd60c338ceb78a4d358f07437a383e435c385000404da66e570e2321cc/detection 91.193.75.181:3367 # Reference: https://www.virustotal.com/gui/file/7b15afbcaa1bcb0d2a6bdf83f6c93658817962b19c35326b8077d7be44b39a69/detection 79.134.225.71:5437 # Reference: https://www.virustotal.com/gui/file/b496ddb8d4c141887c11ea69fdce376b172a0fc194cb2de6c95599aecbb537ab/detection cush007.ddns.net # Reference: https://www.virustotal.com/gui/file/fe8703808c3f40b46b07af0e129c2102524347869710b02174c72a153d137760/detection 129.56.70.249:8282 # Reference: https://www.virustotal.com/gui/file/a984da90a5ad37b1ce550f33ff607095db19355c04025e38b3ee45ac8f693eb5/detection 79.134.225.39:9090 parospp.duckdns.org # Reference: https://www.virustotal.com/gui/file/572f87602151f3338afa66ad3e732149fe3e360e3fa2e215f23a0a6925ce4d3d/detection benrohr442.zapto.org # Reference: https://www.virustotal.com/gui/file/f0f94d21b0f262127a2ded52cb7a1f4259f23dbf964d7df85d531c183212174b/detection 185.247.228.208:2888 # Reference: https://www.virustotal.com/gui/file/6bdff20a07a44acf12e43805c730c7ff7f38cbeafe921217c03d3dd1617a4880/detection 5.181.234.14:2888 # Reference: https://www.virustotal.com/gui/file/1b9ddb40b3935d58544774f7c6b7e95343be5dc0a8bf98b3105163a5afbb8c65/detection 79.134.225.71:84 # Reference: https://www.virustotal.com/gui/file/7b4f34a769a9e9c7c2624154a5573e195e0988cea062b374c03304f7478fc961/detection 79.134.225.71:5500 grounderwarone.freeddns.org # Reference: https://www.virustotal.com/gui/file/e87773b992b99b6efd4c74e564d08eb67d315cc59d23a8c9b69abb33ea950dd4/detection 79.134.225.105:11896 # Reference: https://www.virustotal.com/gui/file/ac98d1565e8f687a0c631996c5029e6240f6e729042dca8e7858d35022b209b3/detection marknagy44565-36386.portmap.host # Reference: https://www.virustotal.com/gui/file/b7cf331992b5483898c5e8193c660a245b09bcb058988835a30cb1692892273c/detection 193.161.193.99:47765 # Reference: https://www.virustotal.com/gui/file/da2eb53310a9b8d6c4131288fcce98602f0e7b77085a02f7d7f69ac11565687b/detection 193.161.193.99:37648 # Reference: https://www.virustotal.com/gui/file/a0f6f5047ec47503ec7cbb61e04ebb9b97bfa9746392f7c3ed08182db8be8138/detection 193.161.193.99:45947 officialkezmuzik-45947.portmap.host # Reference: https://www.virustotal.com/gui/file/5ff6e4edbf3c902b9a813d59800a60264373eb60f7babefe4dff54fedddb65e4/detection 185.101.92.3:1690 # Reference: https://www.virustotal.com/gui/file/ee4c2071e9030b4387111797f6d11f092f8781cdc5aac999139963fdcb63ff42/detection 185.140.53.95:5216 # Reference: https://www.virustotal.com/gui/file/15cae950567d2811ad51b7eb71c6b1bfc451548179931cdcfbbb498e24c2f661/detection 185.140.53.95:5200 # Reference: https://www.virustotal.com/gui/file/90852481986c5563f93a7615fd4a0f3d238ab62811603aca14585bcbd0c6e71c/detection 91.193.75.66:2088 # Reference: https://app.any.run/tasks/10544624-bea9-442e-98b9-8e862f612f6b/ ultrablank.linkpc.net 46.4.156.46:3008 # Reference: https://www.virustotal.com/gui/file/f100dd11620426161e6e36d5778c458dcb92b1cd551df338007bb52dfff4cdbc/detection 213.152.161.5:45315 # Reference: https://www.virustotal.com/gui/file/3c0180e5c2e750dd5f2af5d2cb94e17189b5e89381e8292b249eb02e7bdc7f37/detection 193.161.193.99:27190 scharo-27190.portmap.host # Reference: https://www.virustotal.com/gui/file/a2f8c2d56df5bd28fe6524c0a41ecefbf43700f89c6bf083516109d021cb5a46/detection 193.161.193.99:2719 # Reference: https://www.virustotal.com/gui/file/e25774ea715ce20d9608948df1831b1f258df07e2b2065014c85c2fb6ad14213/detection 194.5.98.8:33033 # Reference: https://www.virustotal.com/gui/file/e909c918287b835821e26e1076693d426d127fdd5a589953deabf77717c2ef62/detection # Reference: https://www.virustotal.com/gui/file/9826ff5418fe35cbab6465dd359968ffe56bd7b725dbc26d0d8d21c7e3dbc0ec/detection # Reference: https://twitter.com/James_inthe_box/status/1214169622380834816 185.140.53.232:5211 # Reference: https://www.virustotal.com/gui/file/6733088fefa603350dd9904a49763b2e628c10f6f32a90e1f30789ae91b0bd28/detection 141.255.155.122:3008 palhacinhacker.ddns.net # Reference: https://twitter.com/Racco42/status/1216993503118577665 79.134.225.103:5216 # Reference: https://www.virustotal.com/gui/file/1a0374f3f7a51bd877212c37b642a7980a27ea2b38c68b009a80ece64147beec/detection 141.255.154.127:5200 qayshaija.ddns.net # Reference: https://www.virustotal.com/gui/file/03be3c7214fe1b769d22c4e8f93dab67b0d8aa399715bea4e37529438300f376/detection 141.255.147.80:5200 # Reference: https://www.virustotal.com/gui/file/b1d85b2e44628774c5706b05ba05a3ff66976258d3bbeeadb5db33fa0778341b/detection 179.180.11.89:5061 179.180.11.89:6008 # Reference: https://www.virustotal.com/gui/file/e92ba8c91051a2491c7b0c7a6310a3381734c11e54045e687c1591e2d757d8ab/detection 187.59.229.214:5200 # Reference: https://www.virustotal.com/gui/file/dd6a6d312452055ab81cee64848fa088feab2c197c177d10b9edc4569739954a/detection 177.133.237.246:5000 # Reference: https://www.virustotal.com/gui/file/3c8c14bc831c980fb43d33d23b59e2932785f410228908e17e69a9485b1893c6/detection 179.162.69.48:2020 191.35.36.143:2013 # Reference: https://www.virustotal.com/gui/file/87571c558c0c211cd407d87217a3a64240736fb6645919e970dadef3680975ef/detection 177.133.235.48:6606 177.133.235.48:8808 177.133.235.48:9830 # Reference: https://www.virustotal.com/gui/file/d5b2fbcf5a08b47f077f7ef5b703fb54c6d5b35af67a7d5d5a57d70d045b9ef4/detection 191.250.235.230:83 191.250.235.230:200 # Reference: https://www.virustotal.com/gui/file/ed3e1f7e8672d12735ca0e61a0d148d77c19c11e1857433d511ad91d84885207/detection 191.32.188.158:83 191.32.188.158:200 191.32.188.158:6060 # Reference: https://www.virustotal.com/gui/file/935226940893b40ce02be1230be2df7dce8cbd846013543298bf1d3d191462f2/detection 177.157.217.116:83 177.157.217.116:200 177.157.217.116:6060 # Reference: https://www.virustotal.com/gui/file/ed30e9e2d1ff9616faf3c5a67fec892453294b7e6b3f56aa3c8d265f4b04e56d/detection 179.183.44.100:83 179.183.44.100:200 179.183.44.100:6060 # Reference: https://www.virustotal.com/gui/file/c9a7c30772ea01a05608d2eea76f2863aec5cd35d0512ae64c914d224bc5a2fe/detection 191.35.44.154:83