# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: kegtap # Reference: https://pastebin.com/raw/BmPzBqUs # Reference: https://app.any.run/tasks/975fb69c-b5eb-49c7-8d8f-332d34b6f46b/ # Reference: https://app.any.run/tasks/d0b1de23-ac5a-4274-afa0-4066fcb51844/ # Reference: https://app.any.run/tasks/b21c7dbe-7a74-48d3-9762-874c3c80c9e0/ 164.132.76.76:443 164.68.107.165:443 195.123.241.194:443 212.22.70.4:443 54.37.237.253:443 82.146.37.128:443 calacatta.com rayanat.com unitedyfl.com # Reference: https://twitter.com/James_inthe_box/status/1310987704021073926 http://51.89.177.16 51.89.177.16:443 # Reference: https://twitter.com/James_inthe_box/status/1311386833041809408 # Reference: https://twitter.com/James_inthe_box/status/1311388126284185600 # Reference: https://app.any.run/tasks/6829a6b6-7444-400a-8888-b95ff3875ef6/ # Reference: https://www.virustotal.com/gui/ip-address/64.44.131.106/relations # Reference: https://www.virustotal.com/gui/ip-address/96.9.225.147/relations bubl6g.com check1ster.com control1domain.com gate56dc.com # Reference: https://www.virustotal.com/gui/file/23ac461f9b5128841cafabb4282432252ea7b57874595cf6fe8457fc1ac65007/detection # Reference: https://www.virustotal.com/gui/file/fa70444f840f593557d5d062dcb7d57d5869a8c1a998939881e7762044660272/detection # Reference: https://twitter.com/malware_traffic/status/1313261006634848256 3.137.182.114:443 54.146.200.146:443 cstr1.com cstr3.com # Reference: https://twitter.com/James_inthe_box/status/1313512886640074753 z57gc.com # Reference: https://twitter.com/IntezerLabs/status/1314236451119411200 # Reference: https://www.virustotal.com/gui/file/0654bd997b078513c0607683315b9499ec1edc970af5e75d71948ea605781867/detection ds45x1.com ds46x1.com ds47x1.com x55gc.com x57gc.com # Reference: https://twitter.com/James_inthe_box/status/1314612116574203906 # Reference: https://otx.alienvault.com/pulse/5f80a8e422f0579f87cdf4d0 allrulk.com breezdesign.com cuprinc.com grumhit.com onevdg.com # Reference: https://twitter.com/James_inthe_box/status/1316009750086123523 3.137.180.197:443 34.221.202.231:443 # Reference: https://twitter.com/James_inthe_box/status/1316779729299542017 # Reference: https://twitter.com/pancak3lullz/status/1316790427958292515 244.222.244.154:443 freedubcs.com labelcs.com shophoof.com titlecs.com # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1319347664207679488 mixcinc.com nicknames.com # Reference: https://twitter.com/James_inthe_box/status/1319298609255383040 hunopk.xyz sersd.xyz # Reference: https://twitter.com/Scoobs_McGee/status/1321545184891539466 hmiu.xyz refvs.xyz zaxswder.xyz # Reference: https://gist.github.com/silence-is-best/0aa844b003c62c6ce491e91e168ac662 bigjamg.xyz dasvdbfgne.xyz lmnab.xyz z55gc.com # Reference: https://twitter.com/James_inthe_box/status/1323373950022250497 citycafeonline.com ikjumnh.xyz woodallmcneill.com # Reference: https://twitter.com/James_inthe_box/status/1323711792686587905 # Reference: https://app.any.run/tasks/e133041c-9c4c-48e9-8b9b-8912fb7fc835/ nemtos.com lukeschicago.com ukmedm.com # Reference: https://www.virustotal.com/gui/file/2a7964c5d7268f4b320e91ad133654d75edca3c15f9e5c76dee7bf68634b933f/detection burngs.com # Reference: https://www.virustotal.com/gui/file/f54cec2b04daafb0a1d612ef84913a1d03ef61d7de8b4c144414378c4415ac09/detection 35.164.230.208:443 aegijmaliijo.bazar afehjlamghjn.bazar afeiilamgiin.bazar bdegjkbkggjm.bazar bdfgilbkhgin.bazar ceggjkcligjm.bazar dcegjldjggjn.bazar ddegkmdkggko.bazar ddehimdkghio.bazar dfegkkdmggkm.bazar # Reference: https://www.virustotal.com/gui/file/15305978d7c42e26d908feca9aed4efa3df89ae6524ecce10752a2ee3cdf813f/detection # Reference: https://www.virustotal.com/gui/file/20f46f645a8eee243166fe55e1473e908f194438bed47d8d0caf164fbbd45655/detection 81.17.28.105:443 # Reference: https://twitter.com/ffforward/status/1337091508391047168 cleancarwashlla.org envirodedge.com thecarwash-zone.com # Reference: https://twitter.com/ffforward/status/1337094696460496903 chukysdetall.com.com ecosmartdetaillng.com masterpiece-auto.com # Reference: https://www.virustotal.com/gui/file/ac696ef5a12039b72e408b6b14e08823c407ee652a6a36b7c33d01cd8d373497/detection cleaningcompany-online.com # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1340455647763189761 # Reference: https://www.virustotal.com/gui/file/288d28f4d53d8e44d599a4d2f70b53d5b13f0827ad2b7a953a7a3cbd6e67bf25/detection # Reference: https://www.virustotal.com/gui/file/a32ed4b36d44c489341721920d27294cab78ad7bd970c8ac6baa3edc4337a600/detection homeclean-heroes.com # Reference: https://twitter.com/_pr4gma/status/1340026234621857793 # Reference: https://www.virustotal.com/gui/file/56c5bee33c17a453c900725f88efb0466fd928072c420955fa599b518b9dfcd2/detection # Reference: https://www.virustotal.com/gui/file/68ed893ae6ab2d7f00c3aacf46bc0c92966b647bcfe7e940a5d3ee55af01105a/detection akbuilding-services.com johnnyclean-carwash.com # Reference: https://twitter.com/_pr4gma/status/1341115000652525569 # Reference: https://www.virustotal.com/gui/ip-address/192.236.155.212/relations # Reference: https://www.virustotal.com/gui/file/436301cb89dadecb6c6cefc043b8a4d8f47de2054b1e84e1612cf061cd14dc15/detection birch-psychology.com busybjjj.com flux-psychology.com kpn-diensten.com # Reference: https://www.virustotal.com/gui/file/102dca8d268dbbba33770459009d4d67e0d714b44523c28fce57ee83fe186a31/detection bitaonyw.bazar etymsoem.bazar iqtielca.bazar izaztoew.bazar lilaelac.bazar uclaibyw.bazar vuazelqe.bazar # Reference: https://twitter.com/_pr4gma/status/1341513863364272128 # Reference: https://www.virustotal.com/gui/file/392c73ffa3b1513cd8de9435d7e76320eff7f98db884eb6bc776c3b2bea7c77e/detection elevateyoga-denver.com flourish-psychology.net impactpsychcoloradoo.com livingyoga-denver.com # Reference: https://twitter.com/James_inthe_box/status/1339660764303388673 sosefinawinnifredsullivan8-5ce0e.gr8.com # Reference: https://www.virustotal.com/gui/file/ba32f63679760a34efd78fb148785a5b9074a406a0a0bf5881e7ccdc15a5d70f/detection http://13.57.15.8/vegetable/cut/bananas http://54.193.186.118/map/spell/16 http://54.193.186.118/vegetable/cut/bananas dcegjldcggjn.bazar # Reference: https://www.virustotal.com/gui/file/ba31f57d30e59c14c77c44fc90b8220933771220fba0ec1b27acd665c2a145ad/detection 18.188.18.65:443 3.15.209.89:443 juiceandfilm.com aegijmaliijo.bazar bdegjkbkggjm.bazar bdfgilbkhgin.bazar dcegjldjggjn.bazar ddegkmdkggko.bazar ddehimdkghio.bazar # Reference: https://www.virustotal.com/gui/file/d362c83e5a6701f9ae70c16063d743ea9fe6983d0c2b9aa2c2accf2d8ba5cb38/detection 34.209.40.84:443 54.184.178.68:443 # Reference: https://www.virustotal.com/gui/file/571c32689719ba00f0d60918ae70a8edc185435ce3201413c75da1dbd269f88c/detection http://34.209.40.84 http://54.184.178.68 # Reference: https://twitter.com/_pr4gma/status/1348468157028196352 # Reference: https://www.virustotal.com/gui/file/712613ccdbc874e5467e58f6132687d39ece03669a4f0ea085e2c11e2158a7ed/behavior http://34.216.201.114/biker/bearded1 http://52.37.6.188/biker/bearded1 http://52.37.6.188/manufacturer/ningbo a-c-s.com/omgas/orexda.php # Reference: https://twitter.com/jfslowik/status/1352075291137437696 # Reference: https://twitter.com/jfslowik/status/1352078589773037568 # Reference: https://twitter.com/jfslowik/status/1352078590746103809 1800carwashdcc.com carwashcafe-usa.com carwashers.app carwashnearme.online championsgatecarwashh.com cleanasawhistlecarwashh.com coastalbrezecarwash.com englewoodcarwashh.us flagshiipcarwash.com flagship-carwash.com insideoutexprescarwash.com liberty-carwashh.com lruless.org maidcompletee.com maycarwash.co miraclecarwashanddetall.com mysplash-carwash.com myvaleycarwash.com nemosexpresscarwashh.com riptidecarwashfll.com shellgasand-carwash.com steam-cleaning.us timetshinecarwash.com topshine-carwash.com usedcarwash.com usedcarwashequipment.com waldenlakeecarwash.com washcity-carwash.com # Reference: https://twitter.com/ffforward/status/1353695031287291905 # Reference: https://app.any.run/tasks/71430bf0-d4c1-4647-8e76-1ec367eac0db/ aceiikbdgiin.bazar acfgikbdhgin.bazar acghilbdihio.bazar adehjkbeghjn.bazar adggklbeigko.bazar afegkmbgggkp.bazar bchgjlcdjgjo.bazar bffhklcghhko.bazar nnotifytgame.bazar thegame.bazar # Reference: https://twitter.com/ffforward/status/1356571665648537601 # Reference: https://urlhaus.abuse.ch/browse/tag/BazarCall/ compact-ssd.us compactstorage.us compssd.us intimylingerie.us toptipsoffice.us toptoffice.us tt-office.us ttoffice.us ttoffices.us # Reference: https://twitter.com/ffforward/status/1358863187748282368 # Reference: https://app.any.run/tasks/c3e540e5-8fc5-4bd0-8477-5f497c6ef22c/ 34.210.71.206:443 34.213.138.61:443 54.241.149.90:443 acegikbcggin.bazar acegilbcggio.bazar acegimbcggip.bazar acegjkbcggjn.bazar acegjlbcggjo.bazar acegjmbcggjp.bazar acegkkbcggkn.bazar acegklbcggko.bazar acegkmbcggkp.bazar acehikbcghin.bazar acehilbcghio.bazar acehimbcghip.bazar acehjkbcghjn.bazar acehjlbcghjo.bazar acehjmbcghjp.bazar acehkkbcghkn.bazar acehklbcghko.bazar acehkmbcghkp.bazar aceiikbcgiin.bazar aceiilbcgiio.bazar aceiimbcgiip.bazar aceijkbcgijn.bazar aceijlbcgijo.bazar aceijmbcgijp.bazar aceikkbcgikn.bazar aceiklbcgiko.bazar aceikmbcgikp.bazar acfgikbchgin.bazar acfgilbchgio.bazar acfgimbchgip.bazar acfgjkbchgjn.bazar aeghkkbeihkn.bazar bcfijmcchijp.bazar cfhgjldfjgjo.bazar efehilffghio.bazar obpharmacy.us snutrition.us # Reference: https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day # Reference: https://otx.alienvault.com/pulse/602ecfb40524de16ef1b6fa3/ http://18.188.232.155/investigate/discharge/partially2 http://18.188.232.155/leading/crisis26/snow11 http://18.236.86.87/organization/round_table http://34.210.71.206/artists/id/13131 http://34.210.71.206/home/static http://34.210.71.206/news/article/12422 http://34.212.73.169/organization/round_table http://34.220.167.220/organization/round_table http://34.220.204.73/exceed/requested7/ppd15 http://52.12.160.92/blog/entry/361446 http://52.12.160.92/exceed/requested7/ppd15 http://52.12.160.92/goods/itemid/124324 http://54.190.50.234/organization/round_table cacla2006.org/achlom/hamin.php cutedigitalphotography.com/vitrum/caretas.php homeprojectplanning.com/germes/sanertl.php horsehospital.com/assebles/hamnab.php morrislibraryconsulting.com/favicam/gertnm.php # Reference: https://twitter.com/jfslowik/status/1362453716230492166 basketandgoal.us chasingflavour.us cookingvillage.us crazytrends.us dacklera.us famouscuisine.us freekick.us funshowbiz.us iconiccook.us infototal.us midcourtgoal.us penaltyshot.us totalshowbiz.us # Reference: https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/ ceeiildegiio.bazar ceeiimdegiip.bazar ceeijkdegijn.bazar # Reference: https://www.proofpoint.com/uk/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware # Reference: https://www.virustotal.com/gui/file/540c91d46a1aa2bb306f9cc15b93bdab6c4784047d64b95561cf2759368d3d1d/detection centralbancshares.com gariloy.com liqui-technik.com # Reference: https://twitter.com/z0ul_/status/1374121916143919106 3.14.85.24:443 3.137.152.31:443 # Reference: https://twitter.com/executemalware/status/1374100169747267599 # Reference: https://pastebin.com/0dmZaAgj 35.168.81.240:443 # Reference: https://twitter.com/z0ul_/status/1374129456411906048 # Reference: https://www.virustotal.com/gui/file/e99a54ca11fd5e27c5085c24304103a348fa2a550ea1fa934fca541551c511d6/detection # Reference: https://www.virustotal.com/gui/file/c8768444c9e489989a6610537ecb1bc204216e0b0880079e6d9e561e56dc60a8/detection 3.137.152.31:443 34.219.157.178:443 35.166.81.240:443 54.91.125.140:443 # Reference: https://twitter.com/pmmkowalczyk/status/1374321802105733121 aeghikanihin.bazar affiklaohiko.bazar bcegkmblggkp.bazar bcfhikblhhin.bazar coldmountainsanimals.bazar rareanimalsofcanada.bazar wildwinternature.bazar # Reference: https://twitter.com/malware_traffic/status/1375237822941134850 # Reference: https://app.any.run/tasks/ef6d19a8-ff03-46d2-9e78-6893ed577889/ # Reference: https://www.virustotal.com/gui/file/d3fa691696a8909efdd54e5cd4bb8310aaa72a5b3a7628700e3404494214bda9/detection 18.188.109.70:443 3.89.160.167:443 34.239.255.128:443 /studio/cut_the_crup # Reference: https://twitter.com/Unit42_Intel/status/1379875382699167752 13.57.235.224:443 # Generic /23c55b2cb0637e6dfa0f80a62ca03dc3/ /bont/past /bont/vnt /pgta/a12 /pgta/a14