# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: elephantrat, gh0st, pcrat, smanagerrat # Reference: https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html bj6po.a1free9bird.com beiyeye.401hk.com # Reference: https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant # Reference: https://otx.alienvault.com/pulse/5c9900511d123a6d16e75561/ # Reference: https://www.virustotal.com/gui/file/54f62979c8c7637af238093fbf204b1edb16e9ce7ca371f9f62c4039f934cede/detection # Reference: https://www.virustotal.com/gui/file/d3dfa0f0582818e24caaccdda78c0b0833d30aa97a8ca9c43cacc7fe3bebab67/detection # Reference: https://www.virustotal.com/gui/file/23414344a6c2afdec92a4679f7947b44498db151dff2822ca7c72d704c6e28e0/detection # Reference: https://www.virustotal.com/gui/file/beade05902c2bd59b1aafe77e0a043766f5e507ac4024640f17ad1fe7c890d6c/detection # Reference: https://www.virustotal.com/gui/file/cbd875b7f9516d4662526457c2132f17e4ac4596380202aac105bc3c146ea93a/detection # Reference: https://www.virustotal.com/gui/file/d4dec64053fa6de0aa85fefd692ce71fb71d3cdd295e7169c8b9b9bd4210b023/detection # Reference: https://www.virustotal.com/gui/file/ea49fbabc6f69ffc9f93993e3d7d5fe47f743fbdc1cc031557a8595fb1594d94/detection # Reference: https://www.virustotal.com/gui/file/d4a21390dd9c85fe6f3b41038a4b270de055a30ad6f9500699775e3ae78d7fd1/detection # Reference: https://www.virustotal.com/gui/file/77722a09b3cc0b17159e27433945548b3e6bd9160d4de4919b02ea6eea671111/detection # Reference: https://www.virustotal.com/gui/file/8e1c369e8b470c9bad0aee715da300dda9a50db153a025b3c797c219d537bb68/detection # Reference: https://www.virustotal.com/gui/file/6d79053611e0d0e2f586061636f337d27de51325b24070edefe08af7d9c5006d/detection # Reference: 
https://www.virustotal.com/gui/file/88df6448d091acba48dfea761e5360d111f4f50acaf15b4bd2734d81a79ab21b/detection # Reference: https://www.virustotal.com/gui/file/1f824c7b70667072964e4c08a372305cc78a0833beacad52b3e0d24a84e89065/detection # Reference: https://www.virustotal.com/gui/file/0caf2987bca2ca7f644c2cb33099950eb8a5aebe03244ddf8de5e6f3fc8bf1cf/detection # Reference: https://www.virustotal.com/gui/file/45a84d5bb8ce67685504a4409bf4604a500628e454e80ef3f3b832507a4cf855/detection # Reference: https://www.virustotal.com/gui/file/af8f6c9a5a588e4d61913d54c2ae4fb3de2e50b43f57290b0657b11466a18779/detection # Reference: https://www.virustotal.com/gui/file/dfe0e061279f0d67ba84bb4f945b0115b20759f6c48a91dd6c09782cb232266e/detection # Reference: https://www.virustotal.com/gui/file/3b925244721054a15cbb845ba4b617e5c7c46d80ea1c78e7fa5d02bb2069553b/detection # Reference: https://www.virustotal.com/gui/file/258b70d70b856484b65bdaaf4a5c23efb200b160af0babfb21ccd0679bd09749/detection # Reference: https://www.virustotal.com/gui/file/d19bf8ad35b8d494e68ca817a324a4eac3d456a527c8963145e438db9c1e6924/detection 106.14.45.61:15963 106.14.45.61:18566 106.14.45.61:19637 106.14.45.61:19931 106.14.45.61:19932 106.14.45.61:19934 106.14.45.61:25553 106.14.45.61:25563 106.14.45.61:29931 106.14.45.61:3654 113.28.187.169:15963 113.28.187.169:18566 113.28.187.169:19931 113.28.187.169:3654 123.129.224.185:15963 123.129.224.185:18882 123.129.224.185:18883 123.129.224.185:19931 123.129.224.185:19932 123.129.224.185:3654 129.28.23.76:81 221.229.207.145:19931 221.229.207.145:3654 221.7.12.156:19637 221.7.12.156:19931 221.7.12.156:19932 221.7.12.156:19934 221.7.12.156:25553 221.7.12.156:25563 221.7.12.156:29931 221.7.12.156:3654 23.101.115.41:18566 23.101.115.41:19931 23.101.115.41:3654 43.229.153.122:19931 43.229.153.122:3654 58.218.66.180:19931 58.218.66.180:3654 60.169.10.86:15963 60.169.10.86:19637 60.169.10.86:19931 60.169.10.86:19934 60.169.10.86:25553 60.169.10.86:25563 60.169.10.86:29931 
60.169.10.86:3654 61.147.125.184:19931 61.147.125.184:3654 95.211.102.25:19931 95.211.102.25:3654 mdzz2019.noip.cn yuankong.info # Reference: https://twitter.com/lazyactivist192/status/1112449219653193736 # Reference: https://www.virustotal.com/gui/file/f1cd38bbb504b38d115b5c127afa913572cef4233395416b5b08aff5f718cfea/relations z-hacker-y.win # Reference: https://twitter.com/Jan0fficial/status/1102912998975434752 # Reference: https://twitter.com/lazyactivist192/status/1168582672752566279 # Reference: https://pastebin.com/D2pUSzcS # Reference: https://app.any.run/tasks/1837b1d1-a62c-4e1b-9223-b6d40dc32d9f # Reference: https://www.virustotal.com/gui/file/2fcc9c48d5d8a5c6889ca3302fcaa9f6296a9e36b167526033a0371172ab1693/detection haohai.hopto.org ip.yototoo.com 116.196.18.237:8082 122.114.192.241:8082 139.196.209.127:923 183.104.6.120:923 # Reference: https://twitter.com/malware_traffic/status/949057588250865665 # Reference: http://www.malware-traffic-analysis.net/2018/01/04/index.html etybh.com # Reference: https://twitter.com/JAMESWT_MHT/status/843829412370046977 45.125.17.15:443 # Reference: https://medium.com/@Sebdraven/chineses-actor-apt-target-ministry-of-justice-vietnamese-14f13cc1c906 nicetiss54.lflink.com # Reference: https://blog.talosintelligence.com/2019/06/threat-roundup-0607-0614.html (# Win.Trojan.Gh0stRAT-6993126-0) # Reference: https://otx.alienvault.com/pulse/5d074c94248332bdb80099af 278267882.f3322.org 850967012.f3322.org a3328657.f3322.org a678157.oicp.net cfhx.f3322.org ddos-cc.vicp.cc guduyinan.gnway.com guduyinan.gnway.net jie0109.hackxd.net linchen1.3322.org q727446006.gicp.net touzi1616.com xm974192128.3322.org xueyang22.gicp.net y927.f3322.org zy520.f3322.org sweety2001.dating4you.cn paleb.no-ip.org honeypus.rusladies.cn marina99.ruladies.cn youwave932.no-ip.biz x.93ne.com ns1.helpchecks.at ns1.helpchecks.by ns1.helpchecks.com ns1.helpchecks.eu ns1.helpchecks.info ns1.helpcheck1.com ns1.helpcheck1.net ns1.helpcheck1.org mskgh.ddns.net 
yeswecan.duckdns.org sabridz.no-ip.biz mskhe.ddns.net karem.no-ip.org cdn.zry97.com dmar-ksa.ddns.net alkhorsan2016.no-ip.biz amiramir.noip.me katarinasw.date4you.cn # Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0712-0719.html (# Win.Trojan.Gh0stRAT-7059563-0) 79575465.f3322.net chhacke.win cx820329965.f3322.net e2.luyouxia.net guxiaosen.f3322.net labixiaoxin.e2.luyouxia.net mf123.f3322.net mingyemo.3322.org yaoyao.f3322.net # Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0719-0726.html (# Win.Dropper.Gh0stRAT-7073937-0) 1321.f3322.org 254143.f3322.net 53ca.meibu.net feng12763.3322.org jwl520.xicp.net pass.5sfox.com pzss.f3322.org pzss.foxdos.cc separa.f3322.org wfs2015.f3322.net # Reference: https://twitter.com/P3pperP0tts/status/1157179581348163584 haohai.ddns.net # Reference: https://twitter.com/dcTavvy/status/1168906154602373122 154.221.22.25:8080 # Reference: https://twitter.com/killamjr/status/1196089316986032128 # Reference: https://app.any.run/tasks/3d38cda0-3987-49e4-aa1c-d72ecd82e997/ 106.54.57.80:8080 # Reference: https://www.virustotal.com/gui/file/89e9b8338dcf5e6fedee17b76dd2416dc83f3e2476f0cea77de9f0fa56754f2c/detection # Reference: https://www.virustotal.com/gui/file/80b01aa49dd4812b5a4b9d15bc8800c4ee1eeaea6897f6475e00d680771ae703/detection 106.54.57.80:80 106.54.57.80:94 # Reference: https://blog.talosintelligence.com/2019/12/threat-roundup-1129-1206.html (# Win.Dropper.Gh0stRAT-7414189-0) 107.163.241.193:6520 107.163.56.251:6658 host123.zz.am # Reference: https://twitter.com/pancak3lullz/status/743123575146586112 183.61.165.228:8000 243145432.f3322.org # Reference: https://twitter.com/securiteoff/status/739622863485931520 qqqq374281.f3322.org # Reference: https://twitter.com/pancak3lullz/status/739619999334031360 115.239.229.196:8090 # Reference: https://twitter.com/lazyactivist192/status/1214302017981702144 1j5p551644.iok.la # Reference: 
https://www.virustotal.com/gui/file/b8d20eeb7bc3ec8451c72b69b4d2defd9c3981be6cc8b6ba6935a1a724e6d041/detection 218.94.148.242:2015 218.94.148.242:2554 # Reference: https://www.virustotal.com/gui/file/c29621bf50fb69d65de52b6e41a590eb6f804359008324936b94b4e7ec59d812/detection 61.142.176.23:2014 # Reference: https://app.any.run/tasks/2624d66e-c37e-4f50-a199-c5eddd8a1cf1/ xilongxi.net 45.138.209.61:8080 # Reference: https://blog.talosintelligence.com/2020/02/threat-roundup-0131-0207.html (# Win.Worm.Gh0stRAT-7571319-1) # Reference: https://www.virustotal.com/gui/file/c3d1a51bc8f0bd2dca95900d274d575d3d2fd50cdb128f78877d25a5beba7fc9/detection 67.198.149.218:6720 67.198.149.220:8590 # Reference: https://twitter.com/Vishnyak0v/status/1226873846504075264 # Reference: https://www.virustotal.com/gui/file/f96adc9e046ecc6f22d3ba9cfea47a4af75bcba369f454b7a9c8d7ca3d423ac4/detection 192.225.226.217:80 # Reference: https://www.virustotal.com/gui/file/4a7cf906c8cc871176d0702245953eeee5065f9651186cd8ae594e6835b8a8eb/detection 192.225.226.217:8443 # Reference: https://www.virustotal.com/gui/file/ade0514ccb90c39a61ab8a4c16818fbcd352984e2a26b2ffcd92165975e07fd5/detection 192.225.226.217:443 192.225.226.217:53 # Reference: https://app.any.run/tasks/3987798b-6cbe-4236-955e-2413166ef9f9/ 137.220.135.36:8000 # Reference: https://app.any.run/tasks/0611a18e-76be-468a-bfc3-d9491b8f9003/ vip38000a.com 30.554205.com # Reference: https://app.any.run/tasks/12956eb4-d209-4449-9e63-09ee83a64714/ 183.236.2.18:8888 haidishijie.3322.org # Reference: https://twitter.com/wwp96/status/1232326236636090370 # Reference: https://otx.alienvault.com/pulse/5e526a70e6dc03c41340eceb 425rt.rapiddns.ru ref.tbfull.com # Reference: https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf # Reference: https://otx.alienvault.com/pulse/5e5542330b83d1a8b5dc1f27 cloud.newsofnp.com load.collegesmooch.com ssl.newsofnp.com # Reference: 
https://www.threatcrowd.org/malware.php?md5=55d149450d27b69d3ad00287a9164c02 chdvks88.dns0755.net # Reference: https://www.virustotal.com/gui/file/60d7cae08475fb78cab77e09df43468cc0f6d2f01f847fc7582f56731672b0e8/detection 101.200.58.177:16233 # Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html (# Win.Trojan.Gh0stRAT-7603864-1) # Reference: https://www.virustotal.com/gui/ip-address/210.222.25.223/relations # Reference: https://www.virustotal.com/gui/ip-address/113.214.1.34/relations 113.214.1.34:52 117.78.50.197:333 210.222.25.223:7718 210.222.25.223:7748 cq52.top w1464642840.f3322.org xiaoxinzadan.gicp.net # Reference: https://www.virustotal.com/gui/file/fe4625e54603f5c382ab06f0ed1b231e23cbf5bd84f5c30d62e7978217ccea84/detection 210.222.25.223:8562 # Reference: https://www.virustotal.com/gui/file/a67acdaf14970b6fc528707c959554dc76e3869d4d63001fe4f3862e1ad21a05/detection 107.163.56.243:18963 107.163.56.246:18530 # Reference: https://www.virustotal.com/gui/file/370b81561ce4692c46baaa8f64c06d65dad9f816fdda51261a69bedcf93586b7/detection 107.163.56.250:18963 # Reference: https://www.virustotal.com/gui/file/a0eca39b75b4d86e2d363c3200c5b8e0542da3a94ca0e06294c356fab5a5d1c9/detection 107.163.56.245:18963 # Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0320-0327.html (# Win.Keylogger.Gh0stRAT-7639975-0) # Reference: https://www.virustotal.com/gui/file/0349a3917f7f5a79f7edb0b0573acefcda39e51db6ff44456e339e88f422c129/detection # Reference: https://www.virustotal.com/gui/file/4228b03f92fecdd4333d791397ea6dcf109b78ebd518165e5c424028511434da/detection # Reference: https://www.virustotal.com/gui/file/64e9703811f78071523f5f493b2ea39435dcd405a20f6bc1ee644cb83dfd8917/detection # Reference: https://www.virustotal.com/gui/file/89346a8fbd4d9fd02887a508c02e4d3a0b1f45dfa43672cf8dff84efef316a3c/detection # Reference: https://www.virustotal.com/gui/file/5789ece7e834c45289e85ec65358f422b4562635a3a918b18e22ed4a64daddf3/detection # 
Reference: https://www.virustotal.com/gui/file/0f1efaaa2da0908afd3582e9bac7e9542f3acaac422f4d22c0145cd6a7748a73/detection # Reference: https://www.virustotal.com/gui/file/e7502dfbc56b998b54e0944758b3fe7b2dd55b06043764b1ebf36f280cb92344/detection # Reference: https://www.virustotal.com/gui/file/c1d7a774961bd01b96e4d8161632af09b97e3a6f85325dfcd08173282cc819b1/detection 106.9.144.132:7777 106.9.146.161:7777 116.62.168.250:24649 123.207.217.39:90 129.28.191.60:8000 129.28.191.60:99 174.128.255.252:8000 183.131.80.101:90 43.248.201.209:27268 49.232.147.19:8080 8686.f3322.net ccidc.f3322.net qqqqdddd.e2.luyouxia.net qyefeng.vicp.net wzbbk.com # Reference: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html (# Win.Trojan.Gh0stRAT-7737919-0) 1.93.49.73:2012 104.143.150.115:2012 142.4.97.105:2012 155604.f3322.org 182.91.107.168:2012 192.210.63.230:2012 198.74.98.230:2012 aa7899.f3322.org j8666.f3322.org jiuyin.f3322.org kingsir.6600.org linlinwoaini.f3322.org q1299771210.f3322.org qq0104.gicp.net songkeliang.eicp.net vves.3322.org wuer1985.9966.org xiaoxiannv.gnway.net xiaozijun.f3322.org xyllz.com yangman520.f3322.net youlanxiangyin.vicp.cc yzc110110.meibu.net zuoyi5201314.5166.info # Reference: https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html # Reference: https://otx.alienvault.com/pulse/5edfe5c18832f5af1aaf33e3 45.76.6.149:443 comcleanner.info mlcrosoft.site # Reference: https://www.virustotal.com/gui/file/3179a8de034c4547ed9b45898cf60a73816e8b6363e53c7e8aeda0fe17499f1d/detection 103.133.177.250:4563 quasa.ddns.net # Reference: https://www.virustotal.com/gui/file/68844c9403b2b7357050755b9729b21fd22bb4986b5cbf627685a59413c0e1ab/detection 103.40.101.68:4563 # Reference: https://www.virustotal.com/gui/file/42ee8000ef9f2084b5ecffb1d2ca8889615ec58856785eccab3c8f87c53178ae/detection 43.248.11.151:4243 pclient.ddns.net 
# Reference: https://app.any.run/tasks/b584a05c-2f6d-47cf-83e7-657b2e0cf4b1/ http://118.107.47.110 118.107.47.104:8000 118.107.47.104:8001 # Reference: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html (# Win.Packed.Gh0stRAT-9776529-0) # Reference: https://www.virustotal.com/gui/file/086a43e783b6301d5758f43bce59a71908c7beb9f31afd3c88bde7d89081db6b/detection 122.114.28.118:3522 xmrminer.f3322.net # Reference: https://app.any.run/tasks/be0fe876-bcf2-4de7-9ff0-9df1935d0e3b/ 103.74.173.145:6688 pc.8686dy.com # Reference: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html (# Win.Dropper.Gh0stRAT-9786931-0) 1x1elma7.xiaomy.net 22i5b37672.51mypc.cn 2313u080t2.imwork.net 232mr66094.iok.la 26k4593i06.51vip.biz 273o4d5660.wicp.vip 27ow345733.wicp.vip 2z213948z7.iask.in a731940742.gicp.net y2291815a1.51mypc.cn # Reference: https://app.any.run/tasks/4d47550f-cc3b-4b49-8af8-0ccad1760a9e/ 27.124.10.245:4753 syy.skt-one.com # Reference: https://twitter.com/wwp96/status/1327897784213794816 # Reference: https://app.any.run/tasks/e5baf985-6f1d-48ac-bcf2-1302d4a3086d/ 143.92.57.83:8001 143.92.57.83:8080 # Reference: https://www.virustotal.com/gui/file/99d47a61b580eedd39efa6d6c7fb9d13fa1fca3c9fe628cee0f49f1c8f97e8db/detection xiaohai2013.f3322.org # Reference: https://otx.alienvault.com/pulse/5fc0eb77569dc57d9686fb39 graceland777.ddns.net mitty1.freemyip.com williamz20.ddns.net # Reference: https://otx.alienvault.com/pulse/5fc8d47bae040ead5cfc4767 cloudbase-init.pw compprotect.com # Reference: https://twitter.com/lazyactivist192/status/1216814092725506049 zjq1993.meibu.com # Reference: https://twitter.com/_re_fox/status/1238188943587377155 # Reference: https://app.any.run/tasks/f2118744-26c3-4523-8e82-d7203e3bb1e4/ 193.203.215.52:2011 online.update--microsoft.com # Reference: https://www.virustotal.com/gui/file/12d847b384f2aa42db19236178ccd18cf39feb4f18477e48b957816c537d854c/detection 104.149.136.66:2011 mail.update--microsoft.com # 
Reference: https://www.virustotal.com/gui/file/b739076d107965600dfdb92536faa8638deb6d0dcfba5fc6e653ec12853c215c/detection live.korearac.com # Reference: https://www.virustotal.com/gui/file/4c652657944ba7f09a4dbeff95ea66d69f7d82c3bea44808e0428935c513273b/detection # Reference: https://www.virustotal.com/gui/file/4ecc8864e91febef66a6efc6538749e29af715f1a61807b78cd25efebe372449/detection 107.175.137.138:59170 211.149.209.11:59170 lijiejie.nat123.cc # Reference: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html (# Win.Dropper.Gh0stRAT-9800485-0) 53074960.nat123.cc bqcyyx.com lht1361828085.3322.org mingyemo.3322.org seo.kfj.cc # Reference: https://www.virustotal.com/gui/file/9b757b63b31061e0b77a31b5706911f223376283ace22140a415203cbe8040e3/detection 35084ea6.nat123.cc # Reference: https://blog.talosintelligence.com/2020/12/threat-roundup-1204-1211.html (# Win.Dropper.Gh0stRAT-9802375-0) # Reference: https://www.virustotal.com/gui/file/e347ced607de94a87801a27edc9b3faec0551829dbd78294748d93460e28346c/detection 118.193.233.10:7360 a13932873816.f3322.org cescmouad.zapto.org # Reference: https://twitter.com/wwp96/status/1337849110536347650 # Reference: https://app.any.run/tasks/8edcf322-5fba-49ea-a98e-dec554b3d9d0/ 202.58.105.174:8000 # Reference: https://twitter.com/wato_dn/status/1356965355650863106 # Reference: https://twitter.com/kienbigmummy/status/1361965176451264517 # Reference: https://app.any.run/tasks/b91747ae-ea86-4875-9cbf-8a2b78487cc1/ # Reference: https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html 103.255.177.138:8080 # Reference: https://www.virustotal.com/gui/file/2fadd1cb04e54811ca3d3538b9833c254a31db8b875a96794d44aa49db3faa60/detection 43.248.201.209:21922 yg484698405.e2.luyouxia.net # Reference: https://www.virustotal.com/gui/file/dba5987cbe9958bb86bd08eeccdb72999e0327b032821c0b2df4ea5b537c4072/detection 43.248.201.209:29719 xiaok66.e2.luyouxia.net # Reference: 
https://www.virustotal.com/gui/file/429cd23868b064297dd5c536ea420152394b2b5210d8b1f6f1802d353759e7a6/detection 43.248.201.209:32520 xiaoren234.e2.luyouxia.net # Reference: https://www.virustotal.com/gui/file/e407517a144c10e6946082afded7cf7f6afbf4beb4808894fd6b7ac170830a85/detection 43.248.201.209:27140 mmp224460.e2.luyouxia.net # Reference: https://www.virustotal.com/gui/file/f711c717473bb221b7f39a6f13d2c1aaa9403f7fcc5791dc53c38468efead20d/detection 43.248.201.133:28672 hax0fdafda.e1.luyouxia.net # Reference: https://www.virustotal.com/gui/file/9eed6ad63fd1688c0e906ef294a1c6f0489cb6356c3736584c12a34ceea0ff0d/detection 43.248.201.133:27731 damm25969.e1.luyouxia.net # Reference: https://www.virustotal.com/gui/file/09291140c7cd8b73219fa7a95564ec75c54bbfea92dd92cbccfb47c6a7699736/detection 222.186.170.35:29802 zhangjian123.e1.luyouxia.net # Reference: https://www.virustotal.com/gui/file/23ad910aadc455b38b41446ba7425cb891d00f3791d64c7cf8b2c7b47ddf1fe7/detection 43.248.201.133:2021 yindixiang.e1.luyouxia.net # Reference: https://www.virustotal.com/gui/file/130a026be6e1c01d23c3a94052db892950dd00cf2195cc7e54d7e3add19f6278/detection 43.248.201.133:21727 fxd9988019.e1.luyouxia.net # Reference: https://www.virustotal.com/gui/file/0a80a258c199b864b1de65ed260b2cfed02934eb1e51a45e89ae192fb3afa787/detection 43.248.201.133:28316 q3088429300.e1.luyouxia.net # Reference: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html (# Win.Trojan.Gh0stRAT-9831483-1) aka.f3322.net gyxin1314.xicp.net god_xinghe.f3322.org ljwser.xicp.net nt520.f3322.org # Reference: https://app.any.run/tasks/67e24e08-584b-4cca-a8a1-b1ca12f70e95/ 125.65.79.5:5522 103.119.1.139:1987 # Reference: https://twitter.com/wwp96/status/1368417388543180800 # Reference: https://app.any.run/tasks/39d974b3-6fe0-4278-8695-98684eb35c1f/ 113.212.91.178:4753 six.skt-one.com # Reference: https://www.virustotal.com/gui/file/32f2fe76ed68ffaa93baaf3e05ab0cabb058c48a431974e2f8312e2661849a93/detection 
45.154.198.168:4753 sy.skt-one.com # Reference: https://www.virustotal.com/gui/file/91c422b4d9d826ff83ba875f46091c5907b61dcac8a7829ad25aebe181bdc359/detection 45.154.198.160:4753 mm.skt-one.com # Reference: https://www.virustotal.com/gui/file/fd77950eb7f104dfef6eb7f535a5d324069e8f7fb7cca7057e67e427d248f1ff/detection 202.5.23.125:4753 ss.skt-one.com # Reference: https://www.virustotal.com/gui/file/90085f7de94a2ca42f3f534d628318854d7dea91d97a4527ca5b3545fe75094b/detection 27.124.10.245:4753 syy.skt-one.com # Reference: https://www.virustotal.com/gui/file/a99f4c0c9653bb121c9d6875b756203adf3e4d9086f2111e0fe0243355f26e36/detection 73.23.200.124:44579 # Reference: https://www.virustotal.com/gui/file/7f8742297042b4da3914c65c79bec5608eb166fe2034fa054f3d108f7d4f8131/detection # Reference: https://www.virustotal.com/gui/file/2d26ef7b55e8345369b4e6c184441197304532dcf0557022431e5689fd2e9552/detection 113.212.90.152:4753 113.212.91.215:4753 tmh.skt-one.com # Reference: https://www.virustotal.com/gui/file/4359b20a9570083d6126fc013d74d5fb65de09a628a287ae291cd3b7335eb5e3/detection # Reference: https://www.virustotal.com/gui/file/ad101c55122b9bd5be2d5a64d27de50b1826b5908741355e1a28cf38cde79b79/detection # Reference: https://www.virustotal.com/gui/file/ae90ea48bb6a9501de26f6d2763ead816047dab1bed91e5565c477113c63ddef/detection 103.135.101.189:4753 ax.skt-one.com # Reference: https://www.virustotal.com/gui/file/2d3d7817dfaf66265cf2db4a3b8a1806394b74530ae36e7d6d3ad0ba95a0606e/detection 27.124.10.245:4753 ssy.skt-one.com # Reference: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html (# Win.Keylogger.Gh0stRAT-9847918-1) 36ho560717.wicp.vip cn-xz-bgp.sakurafrp.com lolsb.cn # Reference: https://twitter.com/wwp96/status/1385603503998095361 # Reference: https://app.any.run/tasks/8b366bb8-90d3-422c-bf28-c20fad648817/ 122.114.68.46:1990 39.103.200.111:14996 qjy888.f3322.net ref.tbfull.com # Reference: 
https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html # Reference: https://www.virustotal.com/gui/file/55ade218a34f3e727186c9e9c645265f161d7a9b7f55a721ba29e6ef5c3a12da/detection download.adobe-air.com # Reference: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html (# Win.Dropper.Gh0stRAT-9871236-0) gaoshouzaimimang.f3322.org # Reference: https://twitter.com/wwp96/status/1409713019802710029 # Reference: https://app.any.run/tasks/9de5a384-d5aa-4e56-9ead-6a6e63a3731b/ 192.250.240.130:8000 # Reference: https://twitter.com/wwp96/status/1410328605389905923 103.194.104.94:8080 # Reference: https://www.virustotal.com/gui/file/156673535edad847a0bfaa2e3ed0d641b912b7c9704a576c458a968c9d64bb35/detection 160.20.147.36:2019 23.82.19.11:2019 cc.nainainainainainainainainainainai.com # Reference: https://www.virustotal.com/gui/file/4c244d5aa5e534df85e0e56f4b7816029a9d03f26bbff03c1dbb4fec5366b8a4/detection 160.20.147.36:8888 # Reference: https://blog.talosintelligence.com/2021/07/threat-roundup-0716-0723.html (# Win.Malware.Gh0stRAT-9880225-1) aaas0000.codns.com adobeservice.codns.com gkgk5421.codns.com gkgk5544.codns.com gmdals87.codns.com guswns740.codns.com sex5844.ddns.net tmal44.codns.com wldhr15.codns.com # Reference: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html (# Win.Trojan.Gh0stRAT-9882928-1) zxl520.f3322.org # Reference: https://www.virustotal.com/gui/file/f942f8d6fdc97692ed7f864732f4ef0a91f13116f85b56a651eab059f51e3fca/detection bodyres.f3322.net dahuilianglaile.f3322.net # Reference: https://otx.alienvault.com/pulse/61c708f7de699b6b1d490dcd # Reference: https://www.virustotal.com/gui/file/b70da60888ac5237fb74c6dd5fcbb4c4c1c0b26ab0ff5709339c629e54167a9a/detection 106.13.228.81:2025 # Reference: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html (# Win.Dropper.Gh0stRAT-9892254-0) 107.183.41.149:3204 # Reference: 
https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html (# Win.Malware.Gh0stRAT-9893485-1) qc4.pw qqqzxc.win tak9.win tzzpt.win wyx146.top # Reference: https://www.virustotal.com/gui/file/85e4be57ce216b2123ba6ded2d65696bd7d6040ccf63fa7593fe4e2f64869e7a/detection anonymousdzss.no-ip.biz anonymousso.no-ip.biz anonymousuhytsa.no-ip.biz anonymusblack12.no-ip.biz anthonycamis.no-ip.biz # Reference: https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html (# Win.Dropper.Gh0stRAT-9899606-0) 110.34.174.66:8000 # Reference: https://blog.talosintelligence.com/2022/01/threat-roundup-1231-0107.html (# Win.Trojan.Gh0stRAT-9928675-1) 67.198.215.213:3204 # Reference: https://www.virustotal.com/gui/file/000a2ceaa0c6a10dadcece38e9b37f0b4e7adc0bb26936801f330ca1b7b56b1a/detection 107.163.241.197:12354 107.163.241.198:6520 # Reference: https://www.virustotal.com/gui/file/aeba2bd0382eb3e80387fdc5a0182175a50208922d6aab56f090968676e3b32f/detection # Reference: https://www.virustotal.com/gui/file/c11430593fe348d7d2c6c2b5c38004af815e63c2ac87b1bcc09707499de5c160/detection 107.163.241.194:6520 107.163.241.195:12354 # Reference: https://www.virustotal.com/gui/file/a80c87e032a84b4a1df56f5a882b2da1f1f392208258648748277ddbe2749410/detection 107.163.241.191:16300 107.163.241.192:12354 # Reference: https://www.virustotal.com/gui/file/c2769cf66869f1207b0e1d498f541e66d47ba373306b8ff6728ed5ddaddd83d6/detection 107.163.241.189:12354 107.163.241.190:16300 # Reference: https://www.virustotal.com/gui/file/0debc35d129e03a8c856b14fba71671de04906b2de1546754396c63944a8ef00/detection 107.163.241.187:16300 107.163.241.188:12354 # Reference: https://www.virustotal.com/gui/file/09d56d1c1070532b70d5ea512849d432affe85e7e7a5d120e3c8a308e243b243/detection 107.163.241.185:16300 107.163.241.186:12354 # Reference: https://www.virustotal.com/gui/file/4f131307faa566c5780630e2f58beec65fef4f6e068d0834cdb0f6b99991ff9c/detection 107.163.241.183:16300 107.163.241.184:12354 # Reference: 
https://www.virustotal.com/gui/file/2b11428f8477dc1ab6e3aeafc8e8a4a749df748225ead91bcba07f946c8eae62/detection 107.163.43.143:12388 107.163.241.181:16300 107.163.241.182:12354 # Reference: https://www.virustotal.com/gui/file/72f947ca4affb5dc522b08c079fec7757412a3616abf333c73295f26e843ceeb/detection 107.163.241.179:16300 107.163.241.180:12354 107.163.56.110:18530 # Reference: https://www.virustotal.com/gui/file/c133d06d32d03a0a315455ecbc5845f242ee244068162fba160b63d614b6fc1c/detection 107.163.241.175:16300 107.163.241.176:12354 # Reference: https://www.virustotal.com/gui/file/04370baf78b59a171007f518b3eb4d5854637f8c036ad7022d078af4abef8980/detection 107.163.241.202:12354 krnaver.com # Reference: https://twitter.com/honeymoon_ioc/status/1487546093911085070 # Reference: https://twitter.com/vinopaljiri/status/1487653340699844610 # Reference: https://tria.ge/220129-1rwgysaabj/behavioral1 # Reference: https://www.virustotal.com/gui/file/5c07770e22f6b69b150d3b43f2ef2145020f73738d3ba4610932189a0b62927e/detection 185.199.224.169:8145 185.199.224.169:9090 exiles.site # Reference: http://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html (# Win.Packed.Gh0stRAT-9937867-1) 98.126.40.18:3204 # Reference: https://www.virustotal.com/gui/file/004744315ef2277a8bd1078173fe88080a97a91dbe0e37ff9fdea7701151f191/detection 107.163.56.241:18530 107.163.56.240:18963 # Reference: https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html # Reference: https://otx.alienvault.com/pulse/615c2a13c152c6c325889282 tftpupdate.ftpserver.biz # Reference: https://www.virustotal.com/gui/file/4cf08b61835581ebafacd5913eba5d5c743d500c005fe23238650e011ce180f7/detection # Reference: https://www.virustotal.com/gui/file/7d080b7bcd89791afd112738c5d40af4d41a0ef84dde15a906cad764df8ef20b/detection http://45.125.218.178 http://45.125.218.179 45.125.218.178:8000 45.125.218.179:8000 # Reference: https://blog.talosintelligence.com/2022/04/threat-roundup-0422-0429.html (# Win.Trojan.Gh0stRAT-9946565-1) 
1sf.8800.org black123.gnway.net ddos.zhanglianlian.com hao.2sqj.com l.emp666.org one2ada.f3322.org senlin1996.3322.org shiyong.8866.org sszhuan.3322.org vip.523sew.com yangzihouyuanhui.6600.org yplinfo.gnway.net # Reference: https://twitter.com/1ZRR4H/status/1523791593278345217 154.23.191.157:5896 nishabii.live # Reference: https://www.virustotal.com/gui/file/28114eb0261850e8d744be4605b506cd2058ca3acd7c2da7387464f038f4c438/detection 223.171.55.127:1999 # Reference: https://tria.ge/220423-hdggrsaha2/behavioral2 144.202.74.176:2012 asd1738402137.f3322.org # Reference: https://tria.ge/220425-z1573sddd3/behavioral2 3.13.191.225:14136 # Reference: https://tria.ge/220427-bncs1afad6/behavioral2 171.38.77.97:42419 171.38.77.97:42420 171.38.77.97:42421 chaofeng1.f3322.org # Reference: https://www.virustotal.com/gui/file/d9d1d2c440fffc40d5ac6abeb16bb83cc98267b0130637e54b8e79e22dce87e4/behavior/Microsoft%20Sysinternals 154.23.182.128:8089 # Reference: https://www.virustotal.com/gui/file/cec8082b581df5a734ff3d6c6582c94fa1cb12f08c3bd3390a4c58960dd1de8f/behavior/VirusTotal%20Jujubox 23.224.97.111:5555 # Reference: https://www.virustotal.com/gui/file/f563029f4a88368711eed2b7acbdf244cc865027945407098c3bc7e2e504d2c6/behavior/VirusTotal%20Jujubox 134.175.141.126:2022 # Reference: https://www.virustotal.com/gui/file/39af9d875717c9a93fbe97fdd5f5b5da1d7dbb76cae14fdeeae4556da9827813/behavior/C2AE 216.83.45.203:7500 # Reference: https://www.virustotal.com/gui/file/f75d645400b91e9b1ea1f1f3f4806c1f59b378399684e1a499061b79724a0a68/behavior/Microsoft%20Sysinternals 110.186.58.114:9797 # Reference: https://www.virustotal.com/gui/file/a09ff60f0acaef699dc08ee06aac0bdc9a6ab4c1427b15dace33752ab753f92c/behavior/Microsoft%20Sysinternals 193.218.38.158:8080 # Reference: https://www.virustotal.com/gui/file/95e5988e40f7655cd95b70b5ae927ca25ac8ceb486117bd933fbfabe5456bf3e/behavior/VirusTotal%20Jujubox 43.248.201.133:21328 a798370668.e1.luyouxia.net # Reference: 
https://www.virustotal.com/gui/file/a120d80235eccb05e995c3f6d72acf3c89e5b8809a72f366bc01171e40d69608/behavior/Dr.Web%20vxCube 103.194.104.10:8089 # Reference: https://blog.talosintelligence.com/2022/05/threat-roundup-0506-0513.html (# Win.Malware.Gh0stRAT-9949686-0) 1.15.252.63:3339 # Reference: https://blog.talosintelligence.com/2022/05/threat-roundup-0520-0527.html (# Win.Dropper.Gh0stRAT-9950358-1) # Reference: https://www.virustotal.com/gui/file/05a9987be765d374c21143d6aa92ed0b6405e28bd96291375cf0d28f21a165ec/detection # Reference: https://www.virustotal.com/gui/file/188328a03eafa8a5ab8e1fcd971e10eacb6fe4428741fb72e8a965cdda850f0d/detection # Reference: https://www.virustotal.com/gui/file/388d77e4fa716c49dde738b8897b7ed13313a6800155de7d388e59cd23eebab7/detection 154.221.21.125:65004 nianqing.xyz yckz.5453.top # Reference: https://www.virustotal.com/gui/file/999e537d3fe2789a074121cee8f83d6858ca7d0baf7b54e6e24ed5f91a231444/detection 47.97.103.217:2012 # Reference: https://twitter.com/r3dbU7z/status/1624977660735528962 # Reference: https://www.virustotal.com/gui/file/12b71b648d7b07fcd01b954e2615e21548e7c818effa5748dfa20fbba08d2ef2/detection 182.92.235.68:1990 # Reference: https://otx.alienvault.com/pulse/63f361ef1a12fc11df419438 lanzuanpay.xyz # Reference: https://twitter.com/wwp96/status/1627448220182872064 # Reference: https://app.any.run/tasks/33efb5a3-5668-44bb-a98d-e24ee0510a54/ 114.96.97.0:1997 # Reference: https://twitter.com/wwp96/status/1630019574816182272 # Reference: https://app.any.run/tasks/8fb9ad39-57dc-444d-88d8-d71ac942cddc/ 47.94.241.76:43 # Reference: https://twitter.com/wwp96/status/1630343778367344640 # Reference: https://app.any.run/tasks/93bad3ed-b2d5-4e2a-9c02-f1b8c9c3d889/ 58.221.57.142:7777 # Reference: https://twitter.com/wwp96/status/1632152368178659328 # Reference: https://app.any.run/tasks/3bbe3ab0-33d4-4248-bd12-d52d368f804a/ 39.109.113.141:7777 # Reference: https://twitter.com/0xToxin/status/1633009525530800131 # Reference: 
https://app.any.run/tasks/2d6ac745-bdbe-401b-9099-f5d1d5ee63d5/ http://124.220.35.63 103.127.83.43:8225 # Reference: https://twitter.com/JAMESWT_MHT/status/1633019264675241984 # Reference: https://www.virustotal.com/gui/file/05974133505a3e988edff7e6f12db30b978a7b1f222aa180bc37cae4fa235633/detection 124.220.35.63:8880 # Reference: https://www.virustotal.com/gui/file/79a46b45d026b26a52c76fd5729a7dbd43a3c3233300c0624122cd578dd6c0b8/detection 124.220.35.63:8081 # Reference: https://www.virustotal.com/gui/file/cb321addb3a80115ca704ce53d3d395ab9ff994863c8e04ad4e6082def455113/detection 124.220.35.63:8001 # Reference: https://twitter.com/pollo290987/status/1654581586342338560 # Reference: https://www.virustotal.com/gui/file/f1b2416eafb95e5e027569b21e575c5c19c8994b26c5be785c833d18c77488ed/detection 111.92.242.184:2200 # Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ http://2.58.64.219 101.132.125.131:8000 101.43.124.250:16823 103.145.86.39:7777 103.145.86.6:7777 103.145.87.50:7777 103.163.46.120:10086 103.193.188.98:8000 103.193.192.90:8000 103.20.193.166:2015 103.21.117.137:7375 103.25.19.32:9735 103.37.1.131:443 103.45.138.180:1369 103.46.128.46:26098 103.99.63.138:8900 104.232.98.28:2222 107.175.50.207:20327 110.249.156.50:9522 110.76.158.75:11024 114.110.198.107:8886 114.110.198.107:8889 114.110.208.215:7747 115.231.218.18:12611 115.236.153.170:11302 115.28.142.7:2433 116.62.165.107:5555 118.121.184.235:8023 118.184.169.48:80 121.4.122.206:37936 123.160.10.39:60756 123.57.186.60:8088 123.99.198.201:12611 125.240.117.220:2221 125.65.79.5:7777 129.211.208.176:8000 13.58.157.220:16180 139.155.178.173:19060 150.242.98.19:29514 154.204.209.197:8008 154.221.18.47:7777 154.221.30.106:7777 154.39.66.37:18443 156.234.127.6:8000 171.38.76.144:42421 175.107.89.72:8287 18.189.106.45:10874 183.105.164.105:10798 183.236.2.18:1031 183.236.2.18:1212 183.236.2.18:12588 183.236.2.18:1300 183.236.2.18:1415 183.236.2.18:17 183.236.2.18:1980 183.236.2.18:1989 
183.236.2.18:1994 183.236.2.18:1997 183.236.2.18:2007 183.236.2.18:2011 183.236.2.18:2222 183.236.2.18:2223 183.236.2.18:3565 183.236.2.18:44 183.236.2.18:4821 183.236.2.18:512 183.236.2.18:5408 183.236.2.18:6000 183.236.2.18:61 183.236.2.18:6666 183.236.2.18:7001 183.236.2.18:7308 183.236.2.18:7732 183.236.2.18:7740 183.236.2.18:800 183.236.2.18:8000 183.236.2.18:8001 183.236.2.18:8084 183.236.2.18:81 183.236.2.18:8181 183.236.2.18:83 183.236.2.18:8312 183.236.2.18:8686 183.236.2.18:8786 183.236.2.18:8787 183.236.2.18:9820 202.163.158.147:9735 210.97.234.97:13966 211.173.73.165:2333 219.153.12.4:8786 23.106.215.217:1017 23.225.73.110:8000 23.251.41.162:7777 3.134.125.175:14136 3.134.39.220:14136 3.14.182.203:14136 3.141.177.1:10874 3.142.81.166:16180 3.17.7.232:14136 3.22.30.40:14136 38.181.58.21:8000 38.47.204.154:7777 43.129.192.59:7777 43.142.38.153:8520 43.249.195.178:9595 43.255.241.176:1337 45.153.241.207:1016 47.112.163.50:8086 47.114.98.223:8888 58.138.234.82:9065 58.138.247.121:7745 58.138.247.121:8286 58.138.247.121:8287 58.138.247.121:8288 58.158.177.102:4116 58.221.72.142:7777 61.160.236.44:9015 188s.co s7.188s.co # Reference: https://twitter.com/sicehice/status/1689863652122255360 # Reference: https://www.virustotal.com/gui/file/21c3b30041dc16f6fb0fe758c4cd1767e272133ff45dd21aee22506e6d9199aa/detection 193.142.58.208:443 193.142.58.208:8888 # Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2023-08-23) 103.145.86.153:6000 88.218.195.109:60601 # Reference: https://threatfox.abuse.ch/ioc/1151937/ 82.157.254.217:8000 # Reference: https://threatfox.abuse.ch/ioc/1151949/ 123.99.198.201:20973 # Reference: https://threatfox.abuse.ch/ioc/1152213/ 115.236.153.170:58669 # Reference: https://threatfox.abuse.ch/ioc/1152289/ 115.236.153.181:41719 # Reference: https://threatfox.abuse.ch/ioc/1152321/ 60.247.148.188:2023 # Reference: https://threatfox.abuse.ch/ioc/1155822/ 115.236.153.170:41719 # Reference: 
https://twitter.com/naumovax/status/1703765086014152778 # Reference: https://twitter.com/naumovax/status/1704062570510877176 # Reference: https://www.virustotal.com/gui/file/e7eb91b0994a94a22d4a27f9cd85997d4570ffe2e1c02a690930e78486b7d43e/detection # Reference: https://www.virustotal.com/gui/file/c161bedddebc92c399f6bd8edf0005e3e594c635a2ac6d072a46d4a0232251ec/detection 103.218.0.125:6000 124.222.139.41:6000 163.197.241.150:6000 27.124.3.48:6000 34.92.223.98:6000 38.55.186.235:6000 8.218.169.130:6000 # Reference: https://threatfox.abuse.ch/ioc/1164419/ 47.111.82.157:53637 # Reference: https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape # Reference: https://www.virustotal.com/gui/ip-address/103.59.103.99/relations # Reference: https://www.virustotal.com/gui/file/2fd76b7c461cfa5d1cbc0a753cc408e9787df2f176407ac4ab7ad99733b44f06/detection # Reference: https://www.virustotal.com/gui/file/1e792148cee06743f14b0e96d3cc3c2cc81353af5344b61294b64bd56dc35489/detection # Reference: https://www.virustotal.com/gui/file/43e21ba4a2290cfedfce1acff67f6a14b8020a6a8672165bb8c235ccb8f81e1a/detection # Reference: https://www.virustotal.com/gui/file/0ac2f42a2e07a6c5fd6e4f1272e714ef98f85ee8150ee705092df4a338aef24a/detection http://103.145.22.215 http://178.236.42.11 http://27.124.12.21 http://45.119.52.243 103.105.23.34:3368 103.59.103.99:3366 27.124.12.2:3367 bitoke.top bitokex.top haoyun2.top fakaka16.top kakasone.top rus3rcqtp.hn-bkt.clouddn.com /5555/cdyxf.png /5555/ty.txt /6700/cdyxf.png /6700/ty.txt /7788/cdyxf.png /7788/ty.txt # Reference: https://app.any.run/tasks/a7d9af4e-7c0e-4bc1-844a-cef9b3ac3617/ bensonman-1318879887.cos.accelerate.myqcloud.com # Reference: https://twitter.com/naumovax/status/1711430493822976216 # Reference: https://twitter.com/Jane_0sint/status/1711716833970020835 # Reference: https://app.any.run/tasks/38e0a2e7-fb09-4e3b-8c6a-081821e24a0d/ 122.10.15.8:7060 164.88.140.82:7000 27.124.6.64:7700 
38.165.9.247:7000 38.6.160.10:7000 # Reference: https://twitter.com/naumovax/status/1712461549494014420 # Reference: https://app.any.run/tasks/4f50dd6b-99a6-4b46-b0ee-40c9eb82ab07/ # Reference: https://www.virustotal.com/gui/file/9ee6e44f1d3444f3d17614273d11cd9e373f7bec152be4de262da9e8a3a07d07/detection http://134.122.138.2 134.122.138.2:2023 # Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2023-10-13) 1.13.249.49:7070 103.148.245.125:999 106.52.216.65:999 106.55.28.59:5688 115.236.153.170:32592 116.63.35.42:12000 121.5.136.143:2012 123.99.198.130:12323 123.99.198.130:12611 124.222.227.63:12345 124.223.199.81:8808 124.248.67.83:12323 124.248.67.83:12611 125.229.22.79:3456 125.229.22.79:3458 144.202.74.176:81 180.97.238.254:8000 202.63.172.122:47779 202.95.8.183:8888 211.101.247.155:8000 222.222.106.47:8008 38.181.20.78:6000 47.111.82.157:42090 51.222.230.191:443 61.147.199.238:8000 85.214.255.25:53 # Reference: https://twitter.com/g0njxa/status/1715081804649046128 # Reference: https://app.any.run/tasks/1246e115-7cd2-4b91-8723-f61bd9bd5b8a/ # Reference: https://www.virustotal.com/gui/file/d565948a3b1b0d86166b62553864a7739284a292cc9c832fddf696bb274f8166/detection 195.130.202.155:450 195.130.202.232:8004 # Reference: https://threatfox.abuse.ch/ioc/1195820/ 106.12.126.136:8086 # Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2023-11-01) 103.71.154.163:6000 121.22.243.241:47779 121.62.16.112:8000 156.224.27.167:8000 61.147.93.153:999 10-10.telecgram.com 10.cmananan.com 15.cmananan.com 17.cmananan.com 30.cmananan.com 3005.qmananan.com 3009.qmananan.com 3010.qmananan.com 3011.qmananan.com 3012.qmananan.com 3013.qmananan.com 3015.qmananan.com 3016.qmananan.com 4.cmananan.com 482e6192z0.goho.co 6.cmananan.com 6x514937w5.goho.co 6xj.telegramh.net 7001.aadaa1.cc 7002.aadaa1.cc 7003.aadaa1.cc 792c682w73.goho.co a2.aadaa1.cc aadaa1.cc chao1323301.e1.luyouxia.net cmananan.com hdalulnc.e3.luyouxia.net hei.xjbtv.com hk.yunpingbao.com 
kekn.asselst.com knight114.e1.luyouxia.net kyy1010.e1.luyouxia.net lfh520.e1.luyouxia.net lfh521.e1.luyouxia.net lyh111.e3.luyouxia.net nmslcnmsb1.e2.luyouxia.net nzh995188.e2.luyouxia.net op114514.e1.luyouxia.net player1.e3.luyouxia.net qmananan.com rere.e3.luyouxia.net sccwangluo.asselst.com shaoshuai3.top shengfutong-pay.com t1492261251.e1.luyouxia.net telecgram.com telegramh.net vb147258.e1.luyouxia.net wangchenchao.e1.luyouxia.net xy1.youjucan.com zhj08.e2.luyouxia.net zhodaji.com # Reference: https://threatfox.abuse.ch/ioc/1198075/ # Reference: https://www.virustotal.com/gui/ip-address/20.96.151.88/detection http://20.96.151.88 # Reference: https://www.virustotal.com/gui/ip-address/51.222.230.191/relations http://51.222.230.191 51.222.230.191:443 # Reference: https://www.virustotal.com/gui/ip-address/146.59.220.235/relations http://146.59.220.235 146.59.220.235:443 # Reference: https://www.virustotal.com/gui/ip-address/54.38.116.47/relations http://54.38.116.47 54.38.116.47:443 # Reference: https://threatfox.abuse.ch/ioc/1199251/ http://211.149.226.68 # Reference: https://www.virustotal.com/gui/ip-address/184.73.185.248/detection 184.73.185.248:443 # Reference: https://www.virustotal.com/gui/ip-address/94.191.187.105/detection http://94.191.187.105 # Reference: https://www.virustotal.com/gui/ip-address/139.99.117.0/detection http://139.99.117.0 139.99.117.0:443 # Reference: https://www.virustotal.com/gui/ip-address/46.32.37.132/detection http://46.32.37.132 # Reference: https://www.virustotal.com/gui/ip-address/213.179.32.9/detection http://213.179.32.9 # Reference: https://www.virustotal.com/gui/ip-address/222.190.108.207/detection 222.190.108.207:443 # Reference: https://www.virustotal.com/gui/ip-address/109.190.79.33/detection http://109.190.79.33 # Reference: https://www.virustotal.com/gui/ip-address/149.210.20.118/detection 149.210.20.118:443 # Reference: https://www.virustotal.com/gui/ip-address/163.44.43.131/detection http://163.44.43.131 
163.44.43.131:443 # Reference: https://www.virustotal.com/gui/ip-address/180.184.71.135/detection http://180.184.71.135 # Reference: https://www.virustotal.com/gui/ip-address/180.184.71.135/community http://180.184.71.135 180.184.71.135:443 # Reference: https://www.virustotal.com/gui/ip-address/52.61.168.199/community http://52.61.168.199 # Reference: https://www.virustotal.com/gui/ip-address/87.26.121.156/community http://87.26.121.156 # Reference: https://www.virustotal.com/gui/ip-address/37.255.148.139/detection http://37.255.148.139 37.255.148.139:443 # Reference: https://www.virustotal.com/gui/ip-address/149.210.4.170/community 149.210.4.170:443 # Reference: https://www.virustotal.com/gui/ip-address/220.90.135.156/community 220.90.135.156:443 # Reference: https://www.virustotal.com/gui/ip-address/149.210.74.229/community 149.210.74.229:443 # Reference: https://www.virustotal.com/gui/ip-address/114.35.162.47/community http://114.35.162.47 # Reference: https://www.virustotal.com/gui/ip-address/54.233.162.122/community http://54.233.162.122 # Reference: https://threatfox.abuse.ch/ioc/1204672/ 43.248.137.153:8000 # Reference: https://threatfox.abuse.ch/ioc/1206321/ 47.92.53.65:13155 # Reference: https://threatfox.abuse.ch/ioc/1206537/ yy3088429300.e2.luyouxia.net # Reference: https://twitter.com/naumovax/status/1730567945862995981 # Reference: https://tria.ge/231125-paex4aba7y/behavioral1 # Reference: https://tria.ge/231127-snxxlshd37/behavioral1 103.216.155.149:44156 192.252.181.27:13150 xingxing.asselst.com # Reference: https://www.virustotal.com/gui/ip-address/100.20.96.2/relations http://100.20.96.2 # Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2023-12-10) 103.165.81.82:10086 103.45.128.143:8000 104.37.185.125:6543 107.151.244.80:6000 134.122.135.75:8000 134.122.135.81:8000 143.92.40.173:6108 149.88.73.191:8000 154.23.141.34:8000 154.55.135.102:6666 154.55.135.102:8888 163.181.92.82:1688 206.233.128.72:8899 43.136.78.18:8000 
dlink.host gettimi.top book.cookielive.top new.gettimi.top q3472884397.e2.luyouxia.net # Reference: https://twitter.com/naumovax/status/1734225709994803206 # Reference: https://tria.ge/231204-mefdbaae3w # Reference: https://www.virustotal.com/gui/file/e847385dc200a5a101344a0912de4766cbd97aedfd7f4fa3a0c69e39025fd2fa/detection # Reference: https://www.virustotal.com/gui/file/e1e94dd9014aa9707605fbde38d2e3753dc8b23da507344d45416ba9583da31e/detection # Reference: https://www.virustotal.com/gui/file/9883f7808137667b448dbb4ce94c7202af626f4e34e021b581173e666ac6d8c8/detection http://1.14.71.246 1.14.25.37:1443 1.14.25.37:1444 139.186.228.218:443 # Reference: https://www.virustotal.com/gui/ip-address/89.247.50.50/community http://89.247.50.50 # Reference: https://www.virustotal.com/gui/ip-address/89.247.50.206/community http://89.247.50.206 # Reference: https://twitter.com/naumovax/status/1738198104996774145 # Reference: https://www.virustotal.com/gui/ip-address/202.63.172.17/relations # Reference: https://tria.ge/231212-kwqjhaabgj/behavioral2 # Reference: https://www.virustotal.com/gui/file/bf5a41c08bbc65bac437d651c7334a8ea6c2113a6fa20c817a1c5623124da047/detection 202.63.172.17:27100 # Reference: https://tria.ge/231205-qkdnfsbe87/behavioral1 # Reference: https://twitter.com/naumovax/status/1740305905990971642 http://38.54.25.23 http://49.129.12.59 1.14.70.108:8668 103.207.166.117:13842 206.238.199.226:8668 206.238.221.105:8668 38.60.204.65:53261 45.112.206.130:18496 # Reference: https://www.virustotal.com/gui/ip-address/18.136.0.29/community http://18.136.0.29 # Reference: https://www.virustotal.com/gui/ip-address/106.38.221.252/relations http://106.38.221.252 # Reference: https://www.virustotal.com/gui/ip-address/18.170.11.119/relations http://18.170.11.119 # Reference: https://www.virustotal.com/gui/ip-address/34.211.241.194/community http://34.211.241.194 # Reference: https://www.virustotal.com/gui/ip-address/83.22.228.184/community http://83.22.228.184 # Reference: 
https://twitter.com/ShanHolo/status/1746848612120744282 # Reference: https://www.virustotal.com/gui/file/3a33ee8017eeb09a4e9d416370172d49691ddf1d2e2c9388de53a4816b78d25a/detection http://45.150.67.155 http://64.176.37.64 http://8.219.91.175 http://80.92.205.55 45.150.67.155:443 64.176.37.64:443 8.219.91.175:443 80.92.205.55:443 # Reference: https://www.virustotal.com/gui/ip-address/54.200.228.98/community http://54.200.228.98 # Reference: https://threatfox.abuse.ch/ioc/1231443/ 129.204.53.10:8081 # Reference: https://www.virustotal.com/gui/ip-address/89.247.50.125/community http://89.247.50.125 # Reference: https://www.virustotal.com/gui/ip-address/217.31.202.98/community http://217.31.202.98 # Reference: https://www.virustotal.com/gui/ip-address/13.245.184.253/community http://13.245.184.253 # Reference: https://www.virustotal.com/gui/ip-address/188.127.24.220/community http://188.127.24.220 # Reference: https://www.virustotal.com/gui/ip-address/89.247.50.191/community http://89.247.50.191 # Reference: https://www.virustotal.com/gui/ip-address/100.21.141.96/community http://100.21.141.96 # Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2024-03-24) http://175.203.14.166 http://221.159.15.231 1.92.90.232:8000 110.42.102.82:6688 111.67.195.90:6000 115.231.218.42:14363 123.99.198.201:20064 124.248.69.29:14363 156.236.72.163:8000 175.24.197.196:8001 18.158.249.75:14210 18.192.31.165:14210 198.44.174.170:10086 198.44.174.232:10086 216.83.40.187:7777 3.124.142.205:14210 3.125.223.134:14210 42.237.24.42:7899 42.237.25.52:7899 43.248.129.152:8000 8.130.11.62:8000 54412.e3.luyouxia.net 66ddjkr.e3.luyouxia.net ad2916985983.e2.luyouxia.net asjidoaiosdjo.e3.luyouxia.net cn-he-plc-2.openfrp.top fdsfhkjf.e3.luyouxia.net gx121.e1.luyouxia.net hfs666.top i.wanna.see.20242525.xyz kx5555.e3.luyouxia.net latiao.ddns.net 996m2m2.top xc091221.e2.luyouxia.net xiaoyuwudi.e3.luyouxia.net zxyhwww.top