# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://staging.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf 154.48.241.199:15912 98.126.1.26:15912 98.126.1.27:15917 98.126.80.90:15912 98.126.80.91:15912 # Reference: https://www.virustotal.com/gui/file/942411f2fa054ec621023c6b9b4ad3b92372697da43eb38d2b661f80e19e6deb/behavior /panel/mining/CPUMiner.files # Reference: https://www.virustotal.com/gui/file/0ac003e6d8091544f7b055d7295ded55de94576729ab13925cde17eb2dd4ceab/detection coin-pool.com give-us-ltc.com # Reference: https://www.virustotal.com/gui/file/c1d66b09938e5177a9406a8935f717cba888b06bc5ff74797e32c7b793d6a935/detection give-us-btc.pw # Reference: https://www.virustotal.com/gui/domain/give-us-btc.biz/relations # Reference: https://www.virustotal.com/gui/file/8678f395fb9ae84d495c669f056f8226d9b3dca85040e65d35fa4511f1ce48b8/detection # Reference: https://www.virustotal.com/gui/file/ecb40d340aee4666b7c3c2a0d1bbbcdcd9a92c578b15ba9dcce3bdabb3d528b6/detection # Reference: https://www.virustotal.com/gui/file/e91b5ee9a6130afad7dfe64e024b8bffcaf39079b17937c78e6b262bf5fc7442/detection 162.211.228.130:3333 188.40.65.132:3333 213.239.198.109:3333 give-us-btc.biz # Reference: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz # Reference: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/012/156/original/snort3-community-rules.tar.gz darxk.com # Reference: https://www.virustotal.com/gui/file/405a51b74c7c4e26ae112189e5ef071d6279b5fece6e2af08985306fdd28e223/detection # Reference: https://github.com/stamparm/maltrail/pull/14162 a0153884.xsph.ru # Reference: https://www.virustotal.com/gui/file/8e205172f1b49fe661e165ed633fcedb898ad7956ad71ee08e7b6c794148e9f4/detection a0154466.xsph.ru # Reference: https://www.virustotal.com/gui/file/67cec0a185c606a2ef972ed0c95b4cfc8b8a2c2d032c55b6c2058669ea216149/detection f0160735.xsph.ru # Reference: https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/ # Reference: https://www.virustotal.com/gui/domain/update.aegis.aliyun.com/relations update.aegis.aliyun.com # Reference: https://www.virustotal.com/gui/file/9ca8870623b9a5dc238975dcde1049fa66c7dab326b16b57f2146580f667ddb5/detection 185.25.50.217:14811 # Reference: https://www.virustotal.com/gui/file/9ff4bb63bec0cf9a7870ed5d283ad35726eab6b11c82ddce9e861374566049ea/detection # Reference: https://www.virustotal.com/gui/domain/itsupport.hldns.ru/relations 151.237.185.51:3333 185.60.133.214:3333 185.65.201.27:3333 188.64.170.220:3333 213.159.212.162:3333 37.252.7.150:3333 45.138.99.4:3333 46.249.59.91:3333 80.241.222.37:3333 82.146.50.128:3333 82.146.50.49:3333 82.202.167.202:3333 91.207.61.175:3333 95.181.178.66:3333 95.181.179.25:3333 itsupport.hldns.ru # Reference: https://twitter.com/r3dbU7z/status/1358998466735833088 134.209.65.62:5001 # Reference: https://twitter.com/r3dbU7z/status/1362399595519766530 # Reference: https://www.virustotal.com/gui/file/4a7937ab8db988782c15ea79a707c454798189744efe9f7a3f7825f501345990/details # Reference: https://www.virustotal.com/gui/file/a037c15659d91a7555fbd0ec17978c26f7974ea66909c8732629c4a1ec961f14/detection 194.5.249.224:8080 209.141.35.17:8080 212.114.52.24:8080 66.70.218.40:8080 xmr.givemexyz.in # Reference: https://twitter.com/xuy1202/status/1367814695143366657 # Reference: https://twitter.com/redbad2/status/1390978401985449987 150.109.99.116:8000 miner.awayfar.top fee.oldace.xyz gw.oldace.xyz miner.oldace.xyz raylee.5166.info # Reference: https://www.virustotal.com/gui/file/13345f418c210dee561872a5e21dc53b9f5a752110aca661647ac444ac4fa2cf/detection f0490769.xsph.ru # Reference: https://www.virustotal.com/gui/file/5f7b733e73ca432dce141e3cd3b07712a13b441d1cf4c09695e5ad07e917521a/detection minertest.niex.cc # Reference: https://securelist.com/ad-blocker-with-miner-included/101105/ # Reference: https://otx.alienvault.com/pulse/604a40993962cb029d4ee31a # Reference: https://github.com/stamparm/maltrail/pull/15250 adshield.pro netshieldkit.com opendns.info transmissionbt.org # Reference: https://twitter.com/r3dbU7z/status/1370348745586540544 lingx.club # Reference: https://twitter.com/r3dbU7z/status/1370460292577173513 # Reference: https://www.virustotal.com/gui/domain/miner.kek.gay/detection miner.kek.gay # Reference: https://www.virustotal.com/gui/file/60e6449b35fd1b91b0c700fc638a710b79ec8e3772617c5d60e6fcf2f314f726/detection pool.bmnr.pw # Reference: https://blog.netlab.360.com/necro-shi-yong-tor-dong-tai-yu-ming-dga-shuang-sha-windows-linux/ cloud-miner.de ublock-referer.dev # Reference: https://twitter.com/xuy1202/status/1372021764797079556 http://45.197.95.2 # Reference: https://www.virustotal.com/gui/file/1b4a9e2b766cbfe23c42dad7d1bf0ed73b7b10e940b936cb5b69ba07f84f8de5/detection cw02993.tmweb.ru # Reference: https://twitter.com/r3dbU7z/status/1375063266129555461 45.144.225.104:9999 # Reference: https://www.virustotal.com/gui/file/69cb2e279b941d04d2e06476915b5d03e92ad900b665175b4e667677de457a81/detection 552-39-1658.krebsonsecurity.top # Reference: https://www.virustotal.com/gui/file/4031b4d52db424a876a9af14c665cd166858eae1382e223147e67e728dd99146/detection 552-39-1659.krebsonsecurity.top # Reference: https://krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/ # Reference: https://otx.alienvault.com/pulse/6061ebaf97943b790e97e899 # Reference: https://www.virustotal.com/gui/file/5f7d898ade3162bfb0c8d3006c42e934ff81fab3b4ad3b51c13441fd63e438cb/detection krebsonsecurity.top brian.krebsonsecurity.top # Reference: https://twitter.com/KorbenD_Intel/status/1379537565498363906 # Reference: https://twitter.com/James_inthe_box/status/1379538678356185088 # Reference: https://www.virustotal.com/gui/file/a7c8b4c917102a5578a504f9badea75602544d765dd0dacf31420e44cc7b7d4b/detection 999.accesscam.org # Reference: https://twitter.com/xuy1202/status/1387414908199866369 bmst.pw # Reference: https://twitter.com/xuy1202/status/1394882908704284672 http://192.227.185.106 # Reference: https://twitter.com/xuy1202/status/1396059012794224643 http://195.133.40.24 service-exec.net # Reference: https://www.virustotal.com/gui/file/ceb3a7a521dc830a603037c455ff61e8849235f74db3b5a482ad5dcf0a1cdbc5/detection http://209.141.40.190 194.5.249.24:8080 # Reference: https://twitter.com/r3dbU7z/status/1400841914933518340 # Reference: https://www.virustotal.com/gui/ip-address/172.93.96.59/relations # Reference: https://www.virustotal.com/gui/file/ae891eb02906204edc9abcfaaf3031b275d0e6fad472f49ee07dc189300ce87a/detection http://172.93.96.59 172.93.96.59:42350 # Reference: https://www.virustotal.com/gui/file/758ccdc9b720e0e849f2d9452f7c9c33bcf6789343f6de919f13bcc72a8ce00a/detection # Reference: https://www.virustotal.com/gui/file/5848e6c2e0776a59d8882b9df7fcc9af144a5c8f8e04f5ff8a5ec308228a1d4d/detection 93.179.121.215:3333 betandwinornot.com red1r2.xyz # Reference: https://www.virustotal.com/gui/file/10432e31480b3e9f1e45dff5ed4b91a374b947cb4b86ce3a069ff74b7dbe9a22/detection xmrv7.sfwewtryhrerwewqretr.com xmrv7.weoqieqwuishdwuygqw.com # Reference: https://www.virustotal.com/gui/file/324438a817b0b3838d7e59ea2f2ba21e2ccf3da6a3501844915991ee9a82937a/detection swiftmining.win # Reference: https://www.virustotal.com/gui/file/3193b300523363511736fd6c6dfe49441d389acc0b654f7df72f16e42e05d0a7/detection ivansupermining.info # Reference: https://blog.group-ib.com/prometheus-tds honeyminer.live # Reference: https://twitter.com/James_inthe_box/status/1423632214172991488 # Reference: https://www.virustotal.com/gui/file/4940200e009c811c47fe102fe47b20f32cf6b1abf309759b24b6a4f79a26b708/detection 185.195.233.157:57484 185.65.135.248:58899 sanctam.net config.sanctam.net /assets/txt/resource_url.php?type=xmrig /resource_url.php?type=xmrig # Reference: https://www.virustotal.com/gui/file/270abae022a66939cc7ddc2dec35cae33a9796adb6e36114e09a7e8954254f72/detection 185.62.189.66:8000 185.62.188.59:8000 relay.100chickens.me # Reference: https://www.virustotal.com/gui/file/fa14c6a94b370a062658803d59cc516eb0e11655526e707f29c63576328f511e/detection 5.206.225.122:8000 relay.phatbois.biz # Reference: https://www.virustotal.com/gui/domain/k2ygoods.ydns.eu/relations k2ygoods.ydns.eu # Reference: https://www.virustotal.com/gui/file/04e0b91e1f39a16f5b2814d473f5d5ba5945b26d5912ef99932e9093a52c5584/detection killer5x.beget.tech # Reference: https://www.virustotal.com/gui/file/3648a38a2c01f49a1d3f536c184c110665d32bc4cf331475e219a3f07aaddede/detection # Reference: https://www.virustotal.com/gui/file/b79bc880122234796a52a80eb27446ddb6c68f5bbc86afaf947735847e6b587e/detection carraq7r.beget.tech excerptible-navigat.000webhostapp.com # Reference: https://www.virustotal.com/gui/file/eab31e6869088065a7e82f3dcf0dbc96b80d962ce266c1be7cefa385827aa4a9/detection wuntedj2.beget.tech # Reference: https://www.virustotal.com/gui/file/4688539a79b4d7a680159419a23b3ee0802838f7f2d5598a6f61369c5ad1a50e/detection top1chqu.beget.tech # Reference: https://www.virustotal.com/gui/file/345dc95a2d9042a38497a6effa7e9125e59a0a475332a9d92124dc48062d7b03/detection koskiahg.beget.tech # Reference: https://www.virustotal.com/gui/file/5b1185beeadb639f323162915888ddec2b21d7c0def905cfccfb700668b57924/detection darksmtf.beget.tech # Reference: https://www.virustotal.com/gui/file/03e15c75c983fe3b555d48a31c77d1c09574980d805daeedab614d87bcb2f79e/detection maxnem8g.beget.tech # Reference: https://www.virustotal.com/gui/file/59f9e3d1e60698fa43b80699bead99271d8d2fbd3c3d99c4f7a11637a432d5b0/detection btcminws.beget.tech # Reference: https://www.virustotal.com/gui/file/f81f52daa847f5419d1643185db6e82891944373a848f0ec54c7ad31deb3eb21/detection gabataiser.beget.tech # Reference: https://news.sophos.com/en-us/2021/11/18/new-ransomware-actor-uses-password-protected-archives-to-bypass-encryption-protection/ 190.144.115.54:443 45.77.76.158:25643 # Reference: https://www.virustotal.com/gui/file/6e4b708017992a4600a644660b82c1068becb1c1d1212a70a14bbe89c3b211fd/detection http://195.201.124.214 # Generic /bot/miner.php /cpuminer-opt-linux.tar.gz /honeyminer.exe /pool_mine_example.cmd /setup_xmr.sh /xdi-performance.exe /xmr.plg /xmr64.exe /xmr64.plg /xmrig.exe /xmr.sh.sh /xmrig.tar.gz /xmrig.so