# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/Antelox/status/768023996923277312

193.164.131.58:10000

# Reference: https://twitter.com/James_inthe_box/status/1080521422823337984

193.42.107.7:3687

# Reference: https://twitter.com/ostinjohn/status/994560995615039488
# Reference: https://www.hybrid-analysis.com/sample/3aca697f1ac623ac970764dd1b248339d03f18acd5ba1b4a443ff9d5016f8e4e/5af3d6237ca3e179812bdfc5

178.238.230.52:3828
178.238.230.52:6828
178.238.230.52:11226

# Reference: https://twitter.com/Antelox/status/810488762140684288
# Reference: https://www.virustotal.com/gui/file/f0b27a8c47f6d9f82489e0e5fba75f70fab8acdbb63b05c93cb3cceec90295ae/community

37.48.84.229:9901

# Reference: https://twitter.com/Antelox/status/770613975662796803
# Reference: https://www.virustotal.com/gui/file/c88095a28fea80409da7b2fc601b4c68828f0d31b7faebe4453217887f9e3241/community

5.189.161.200:7865

# Reference: https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf (# Crimson C&C)

bhai123.no-ip.biz
bhai1.ddns.net
sudhir71nda.no-ip.org
178.238.228.113:7861
193.37.152.28:9990
213.136.87.122:10001
5.189.143.225:11114

# Reference: https://twitter.com/killamjr/status/1190456533588598784

139.28.36.82:53631

# Reference: https://twitter.com/DynamicAnalysis/status/1197938882026901504

5.196.210.44:33401

# Reference: https://twitter.com/DeadlyLynn/status/1213338265308155904
# Reference: https://www.virustotal.com/gui/file/6078b55381e39779f915032533a93d725bab98982b303998fa8ba2ecfc675737/detection
# Reference: https://www.virustotal.com/gui/file/ecd7d7a27a2a043919a233bb91e3b009c05b7c81ff132a7c29228e1c45d2b6a6/detection

167.114.138.12:6828

# Reference: https://twitter.com/DynamicAnalysis/status/1220432888019214337
# Reference: https://medium.com/@dinu135dk/revive-of-crimson-rat-6b8838920c02

160.20.147.59:2987
bjorn111.duckdns.org
newsupdates.myftp.org # Reference: https://www.virustotal.com/gui/file/d27474625cdc0c3456918edfa58bfaf910c8b98c6168a506ac14afc1a41fb58f/detection 192.169.69.25:2987 # Reference: https://app.any.run/tasks/9ca972d6-3574-4d85-bd68-a9cd26c203ee/ 185.140.53.91:6711 # Reference: https://twitter.com/malwrhunterteam/status/1229780080517357568 64.188.25.232:3263 # Reference: https://twitter.com/w3ndige/status/1235184651699998721 # Reference: https://www.virustotal.com/gui/file/370a108b98b8652aacd4acec5d140cab685291ad77e2a4a0821734aad614eb6a/detection 185.174.100.63:34891 185.174.100.63:3920 transfer-shopping-malls.webredirect.org # Reference: https://app.any.run/tasks/8527edcf-6459-48f6-aee2-85eaf817571c/ 198.46.177.73:6421 # Reference: https://twitter.com/killamjr/status/1232071072096239617 # Reference: https://app.any.run/tasks/2eeeb372-d6ba-4f9f-add7-8b1532f938ec/ alrazi-pharrna.com # Reference: https://twitter.com/_re_fox/status/1236483115037704192 198.46.168.28:2581 # Reference: https://twitter.com/_re_fox/status/1235941826634354688 # Reference: https://app.any.run/tasks/d8b93681-2730-4d03-b796-c52562260328/ 181.215.47.169:3368 # Reference: https://twitter.com/_re_fox/status/1232493185475104771 107.175.64.209:6728 # Reference: https://twitter.com/_re_fox/status/1232402275181703169 185.136.163.197:4442 # Reference: https://twitter.com/srcr/status/1232288977790668801 185.244.30.102:4590 # Reference: https://twitter.com/killamjr/status/1232071072096239617 185.244.30.102:4950 # Reference: https://twitter.com/_re_fox/status/1237740569293701120 64.188.25.205:3692 # Reference: https://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/ # Reference: https://otx.alienvault.com/pulse/5e6fa2a12088756147d24648 email.gov.in.maildrive.email # Reference: https://app.any.run/tasks/7fe802ae-9d74-4e40-91e3-bb65cd06a458/ 107.175.95.107:6790 westvalleyhospicecare.theworkpc.com # Reference: 
https://www.virustotal.com/gui/file/9f7bc1ac97d28d614f9b1965709a284511b9b13f3bd9685707f8f377b949efe5/detection 78.159.131.80:10001 superingtest.zapto.org # Reference: https://app.any.run/tasks/250c2c2d-fdfb-4f46-8565-a9b2538c1ace/ 107.175.64.251:6286 # Reference: https://twitter.com/_re_fox/status/1280221170307137538 # Reference: https://app.any.run/tasks/3b6fa50a-2496-400e-b7cf-fd2d4d48f405/ 173.212.226.184:3169 # Reference: https://app.any.run/tasks/26933c3a-127f-4b12-8396-8684d7bdec44/ 185.136.161.124:8761 # Reference: https://twitter.com/JAMESWT_MHT/status/1290952335192195072 # Reference: https://www.virustotal.com/gui/file/f2e2cb71a06ac2a95a02168fc3d91f160e6e07ca19c5e6d3d708a9a486dd3f92/detection 193.142.59.56:1131 lawdvmercy.site # Reference: https://www.virustotal.com/gui/file/6d3982d6c6ca753d6d1daa71d88678c07718dd1919a874959a0c7975619c37fc/detection 151.106.56.32:3561 # Reference: https://www.virustotal.com/gui/file/db37f6755e954367a3365c3264e3916e5fd00c4c3e4c609515fa8599d36ca681/detection 64.188.26.219:4820 # Reference: https://securelist.com/transparent-tribe-part-1/98127/ # Reference: https://www.virustotal.com/gui/file/a860ba3861df2ae0add2b695071c04468f83c0973525519d62679dd4cd4d0026/detection # Reference: https://www.virustotal.com/gui/file/59c6721a5ec5f97ef9b35e17057a5edb4f0075d1430c0cbd3eecfd44ccfe272c/detection # Reference: https://www.virustotal.com/gui/file/e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132/detection # Reference: https://www.virustotal.com/gui/file/d2cc95b72c3e72b3888e9fa35f6fe0563f9dbbd08b76d0c3546065ceca3c5961/detection 173.212.192.229:3364 173.212.192.229:8264 173.249.14.119:6865 newsbizupdates.net uronlinestores.net # Reference: https://twitter.com/ShadowChasing1/status/1298268550340067329 # Reference: https://twitter.com/CyS_Centrum/status/1298565025985069057 209.127.16.126:4768 209.127.16.126:6758 209.127.16.126:11066 209.127.16.126:14824 209.127.16.126:18614 # Reference: 
https://twitter.com/ShadowChasing1/status/1304347789917212672 # Reference: https://www.virustotal.com/gui/file/9e305566f7d342adc8eaf30471aa3eb95c049acffc742ae23a5830a44f96e51d/detection 185.174.102.105:2991 tasnimnewstehran.club # Reference: https://www.virustotal.com/gui/file/a5f02bb70acdf335bed9c0fc8439ab3a220027a28c7eb44f459afda0ec7b62eb/detection 151.106.14.125:6818 # Reference: https://www.virustotal.com/gui/file/137c059adda4df22eb29785fada54ebc00a22d150bfdc423f87ff1f6093bd827/detection 185.136.161.124:11614 # Reference: https://www.virustotal.com/gui/file/87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad/detection 185.136.161.124:6128 # Reference: https://www.virustotal.com/gui/file/60d46513d3473c2cb4fdfcf64229f4e99d1e202a2f840503d77fa07978dcb025/detection 104.227.97.53:2548 # Reference: https://twitter.com/mg2_tracy1/status/1314754343124365312 # Reference: https://www.virustotal.com/gui/file/dba5d00a87ad96b74d234d1415ca5172285cd7d781556d45b6609fd738bfc747/detection 172.245.247.112:3878 172.245.247.112:5648 # Reference: https://www.virustotal.com/gui/file/e3fe87254b405fa132a52daf1651d2ff11296691131956bf3f0059031135dcdd/detection 45.147.231.191:3626 # Reference: https://twitter.com/_re_fox/status/1317499039932362753 # Reference: https://app.any.run/tasks/355396a2-6711-4750-98ec-e492625d4d54/ 45.147.231.191:8226 # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1338192738135789570 # Reference: https://www.virustotal.com/gui/file/47b99e50430e9abad7326d1837ecdda5f995112b0b12406d23df5ef603d52a4e/detection # Reference: https://www.virustotal.com/gui/file/b9446d663f2aef34efdb579ae02e62923b5c3bc02b9d0fe537f5974ae439a422/detection # Reference: https://www.virustotal.com/gui/file/5a449782c6d286a5af7fd5cbab5d5d46dd4dd153cbc46e4aeae0ea54f2785980/detection 64.188.12.126:6658 # Reference: https://app.any.run/tasks/b129aead-e7cb-4ba7-ba72-842644cf7c97/ 173.212.246.247:4368 # Reference: https://twitter.com/_re_fox/status/1337411756818395136 # Reference: 
https://www.virustotal.com/gui/file/5920a3300107b7b1cf8c230a071a0e5f2f5ff5941a5c450ef911582a7ce08346/detection 45.32.151.155:6126 # Reference: https://twitter.com/ShadowChasing1/status/1369196724544106504 # Reference: https://www.virustotal.com/gui/file/4c8e0459524380a9f00ffc58913f461c3e1d8737dd18252881f09e2d416e4f73/detection 172.245.87.12:6276 # Reference: https://twitter.com/ShadowChasing1/status/1397419326160793600 # Reference: https://www.virustotal.com/gui/file/eb7c34343944a6ae52b052bb263d29e2c627368aeee2080da0481f33a72f2085/detection 142.105.157.110:8181 # Reference: https://twitter.com/teamcymru_S2/status/1402607930046832645 185.136.169.139:14565 185.136.169.139:20555 185.136.169.139:28443 185.136.169.139:4561 # Reference: https://www.virustotal.com/gui/file/5f736d23d5d7f7382afb78acdc3b125ec101c0629327fb9a7fc5545b32ec0c38/detection 167.160.166.80:12214 167.160.166.80:16441 167.160.166.80:18822 167.160.166.80:6288 167.160.166.80:8868 # Reference: https://www.virustotal.com/gui/file/e052a90bdb716da64928b1286d86b3670efe5192115175ba25bf0c191398323d/detection 104.144.198.105:12816 104.144.198.105:14572 104.144.198.105:16286 104.144.198.105:4289 104.144.198.105:6722 # Reference: https://www.virustotal.com/gui/file/899a755ff675dbbf66d8bbcf6300bca7aa0c13d794430a1173f6fdc5cb87bd66/detection 178.238.239.176:7624 # Reference: https://www.virustotal.com/gui/file/0335de8eadbbd5dc7cbe92ef869bcea6f6596ac39a38680142c982ec6e97ecde/detection 185.136.161.124:15822 185.136.161.124:17443 # Reference: https://twitter.com/RedDrip7/status/1486997244310351873 # Reference: https://www.virustotal.com/gui/file/cffb0b0695abe36c0d23894650214f9329c530703f52cf44bc8853ca79a107cf/detection 96.47.234.102:12961 96.47.234.102:20886 96.47.234.102:22668 96.47.234.102:5898 96.47.234.102:8796 # Reference: https://twitter.com/James_inthe_box/status/1488987814066753538 # Reference: https://app.any.run/tasks/c1ccd827-a257-4598-aa9b-5872cdc44a40/ 92.12.144.246:5321 # Reference: 
https://twitter.com/0xrb/status/1491665998382247938 # Reference: https://www.virustotal.com/gui/file/d5484ddde1ea4aefcbf40f9845f911b059818ec0bb57d0d48922ed25d161e0ea/detection 78.138.107.166:16864 # Reference: https://twitter.com/0xrb/status/1492030514035060741 161.97.164.144:9168 164.68.108.169:16292 164.68.108.169:16484 164.68.108.169:6681 164.68.112.101:20864 164.68.96.32:8543 168.119.98.243:12184 173.249.14.119:12865 173.249.19.32:8866 173.249.50.243:22464 173.249.50.243:9248 185.136.161.169:18556 185.136.161.169:28443 185.136.169.214:11262 185.136.169.214:3561 185.136.169.214:8164 185.197.249.247:8543 207.180.227.55:10666 5.189.170.4:4268 5.189.170.4:8843 5.189.176.185:12262 75.119.133.15:10101 75.119.133.15:4401 75.119.133.15:8832 79.143.177.122:10468 79.143.177.122:14486 95.111.230.252:1051 # Reference: https://twitter.com/0xrb/status/1493467587619221507 139.28.36.77:2012 # Reference: https://twitter.com/PrakkiSathwik/status/1733923613437460525 # Reference: https://www.virustotal.com/gui/file/da298e4d09a9e151c6bf60e8ebfdd8fc2e633d078c705db768e3284acdad0678/detection 204.44.124.81:19182 204.44.124.81:20917 204.44.124.81:28791 204.44.124.81:26376 204.44.124.81:9159 adiptv.duckdns.org # Reference: https://www.virustotal.com/gui/file/8ff61163c7b74653da80dd1990123dd1977a5ec4e774f0c2f47d37f1360a6a9d/detection 95.119.198.38:3898 r6xyvcqm04wp1i4p.myfritz.net # Reference: https://www.virustotal.com/gui/file/ffa0b1fcdf51cc0851a0b878df16577ea180a9d245e31166d81670372bc8b338/detection # Reference: https://www.virustotal.com/gui/file/feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767/detection # Reference: https://www.virustotal.com/gui/file/b922698e7884f524cee2dd334f611b0cac193568c9de9f8073ef9c637f5833f0/detection # Reference: https://www.virustotal.com/gui/file/b5db0dd322656c19a05bc78f3ce1d8bed30e72fb8c1ac5071fce4afa720f2696/detection # Reference: https://www.virustotal.com/gui/file/7a07fbc4903e443f237fc7c99976a8cdb751a983860ea17b891a8c617a820ad0/detection 
# Reference: https://www.virustotal.com/gui/file/2ab7a3c53e31187bab9675b184bf1e891bd76ceb2967b609a6aa66c4e7626419/detection

173.212.228.121:12460
173.212.228.121:16484
173.212.228.121:2836
173.212.228.121:5638
173.212.228.121:8626

# Reference: https://threatfox.abuse.ch/browse/malware/win.crimson/ (# 2024-01-01)

107.172.76.170:11408
119.157.27.213:16780
144.91.125.70:8489
144.91.72.22:8484
154.127.54.168:10019
160.20.147.56:6582
161.97.139.248:12262
161.97.139.248:8143
161.97.176.42:12184
161.97.176.52:12468
161.97.176.52:18584
164.68.112.101:14684
164.68.96.32:12861
167.86.71.146:3482
168.119.111.43:12184
173.249.0.199:12168
173.249.14.119:3285
173.249.50.57:2642
178.238.235.88:12536
185.137.122.104:8484
185.161.208.57:1912
194.163.139.252:4698
194.61.120.134:999
194.9.178.85:9109
198.23.144.126:10480
198.23.145.12:10480
198.23.210.211:4898
198.23.213.44:7776
23.226.132.105:6959
38.242.211.87:8143
45.14.194.253:10243
5.189.183.63:16568
62.171.130.47:2201
62.171.135.174:8589
66.154.103.101:9108
66.235.175.91:1051
66.235.175.91:23001
79.143.177.122:8682
79.143.181.178:8861
84.46.251.145:1717
84.46.251.145:901
91.229.77.1:999

# Reference: https://www.virustotal.com/gui/file/3cd76330e2cbcf7c37d6fc9d21779c60fd3552ba5d777a32ba49ca949379019f/detection

185.161.208.46:909
indiamails.info