# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: elephantrat, gh0st, pcrat, smanagerrat # Reference: https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html bj6po.a1free9bird.com beiyeye.401hk.com # Reference: https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant # Reference: https://otx.alienvault.com/pulse/5c9900511d123a6d16e75561/ # Reference: https://www.virustotal.com/gui/file/54f62979c8c7637af238093fbf204b1edb16e9ce7ca371f9f62c4039f934cede/detection # Reference: https://www.virustotal.com/gui/file/d3dfa0f0582818e24caaccdda78c0b0833d30aa97a8ca9c43cacc7fe3bebab67/detection # Reference: https://www.virustotal.com/gui/file/23414344a6c2afdec92a4679f7947b44498db151dff2822ca7c72d704c6e28e0/detection # Reference: https://www.virustotal.com/gui/file/beade05902c2bd59b1aafe77e0a043766f5e507ac4024640f17ad1fe7c890d6c/detection # Reference: https://www.virustotal.com/gui/file/cbd875b7f9516d4662526457c2132f17e4ac4596380202aac105bc3c146ea93a/detection # Reference: https://www.virustotal.com/gui/file/d4dec64053fa6de0aa85fefd692ce71fb71d3cdd295e7169c8b9b9bd4210b023/detection # Reference: https://www.virustotal.com/gui/file/ea49fbabc6f69ffc9f93993e3d7d5fe47f743fbdc1cc031557a8595fb1594d94/detection # Reference: https://www.virustotal.com/gui/file/d4a21390dd9c85fe6f3b41038a4b270de055a30ad6f9500699775e3ae78d7fd1/detection # Reference: https://www.virustotal.com/gui/file/77722a09b3cc0b17159e27433945548b3e6bd9160d4de4919b02ea6eea671111/detection # Reference: https://www.virustotal.com/gui/file/8e1c369e8b470c9bad0aee715da300dda9a50db153a025b3c797c219d537bb68/detection # Reference: https://www.virustotal.com/gui/file/6d79053611e0d0e2f586061636f337d27de51325b24070edefe08af7d9c5006d/detection # Reference: 
https://www.virustotal.com/gui/file/88df6448d091acba48dfea761e5360d111f4f50acaf15b4bd2734d81a79ab21b/detection # Reference: https://www.virustotal.com/gui/file/1f824c7b70667072964e4c08a372305cc78a0833beacad52b3e0d24a84e89065/detection # Reference: https://www.virustotal.com/gui/file/0caf2987bca2ca7f644c2cb33099950eb8a5aebe03244ddf8de5e6f3fc8bf1cf/detection # Reference: https://www.virustotal.com/gui/file/45a84d5bb8ce67685504a4409bf4604a500628e454e80ef3f3b832507a4cf855/detection # Reference: https://www.virustotal.com/gui/file/af8f6c9a5a588e4d61913d54c2ae4fb3de2e50b43f57290b0657b11466a18779/detection # Reference: https://www.virustotal.com/gui/file/dfe0e061279f0d67ba84bb4f945b0115b20759f6c48a91dd6c09782cb232266e/detection # Reference: https://www.virustotal.com/gui/file/3b925244721054a15cbb845ba4b617e5c7c46d80ea1c78e7fa5d02bb2069553b/detection # Reference: https://www.virustotal.com/gui/file/258b70d70b856484b65bdaaf4a5c23efb200b160af0babfb21ccd0679bd09749/detection # Reference: https://www.virustotal.com/gui/file/d19bf8ad35b8d494e68ca817a324a4eac3d456a527c8963145e438db9c1e6924/detection 106.14.45.61:15963 106.14.45.61:18566 106.14.45.61:19637 106.14.45.61:19931 106.14.45.61:19932 106.14.45.61:19934 106.14.45.61:25553 106.14.45.61:25563 106.14.45.61:29931 106.14.45.61:3654 113.28.187.169:15963 113.28.187.169:18566 113.28.187.169:19931 113.28.187.169:3654 123.129.224.185:15963 123.129.224.185:18882 123.129.224.185:18883 123.129.224.185:19931 123.129.224.185:19932 123.129.224.185:3654 129.28.23.76:81 221.229.207.145:19931 221.229.207.145:3654 221.7.12.156:19637 221.7.12.156:19931 221.7.12.156:19932 221.7.12.156:19934 221.7.12.156:25553 221.7.12.156:25563 221.7.12.156:29931 221.7.12.156:3654 23.101.115.41:18566 23.101.115.41:19931 23.101.115.41:3654 43.229.153.122:19931 43.229.153.122:3654 58.218.66.180:19931 58.218.66.180:3654 60.169.10.86:15963 60.169.10.86:19637 60.169.10.86:19931 60.169.10.86:19934 60.169.10.86:25553 60.169.10.86:25563 60.169.10.86:29931 
60.169.10.86:3654 61.147.125.184:19931 61.147.125.184:3654 95.211.102.25:19931 95.211.102.25:3654 mdzz2019.noip.cn yuankong.info # Reference: https://twitter.com/lazyactivist192/status/1112449219653193736 # Reference: https://www.virustotal.com/gui/file/f1cd38bbb504b38d115b5c127afa913572cef4233395416b5b08aff5f718cfea/relations z-hacker-y.win # Reference: https://twitter.com/Jan0fficial/status/1102912998975434752 # Reference: https://twitter.com/lazyactivist192/status/1168582672752566279 # Reference: https://pastebin.com/D2pUSzcS # Reference: https://app.any.run/tasks/1837b1d1-a62c-4e1b-9223-b6d40dc32d9f # Reference: https://www.virustotal.com/gui/file/2fcc9c48d5d8a5c6889ca3302fcaa9f6296a9e36b167526033a0371172ab1693/detection haohai.hopto.org ip.yototoo.com 116.196.18.237:8082 122.114.192.241:8082 139.196.209.127:923 183.104.6.120:923 # Reference: https://twitter.com/malware_traffic/status/949057588250865665 # Reference: http://www.malware-traffic-analysis.net/2018/01/04/index.html etybh.com # Reference: https://twitter.com/JAMESWT_MHT/status/843829412370046977 45.125.17.15:443 # Reference: https://medium.com/@Sebdraven/chineses-actor-apt-target-ministry-of-justice-vietnamese-14f13cc1c906 nicetiss54.lflink.com # Reference: https://blog.talosintelligence.com/2019/06/threat-roundup-0607-0614.html (# Win.Trojan.Gh0stRAT-6993126-0) # Reference: https://otx.alienvault.com/pulse/5d074c94248332bdb80099af 278267882.f3322.org 850967012.f3322.org a3328657.f3322.org a678157.oicp.net cfhx.f3322.org ddos-cc.vicp.cc guduyinan.gnway.com guduyinan.gnway.net jie0109.hackxd.net linchen1.3322.org q727446006.gicp.net touzi1616.com xm974192128.3322.org xueyang22.gicp.net y927.f3322.org zy520.f3322.org sweety2001.dating4you.cn paleb.no-ip.org honeypus.rusladies.cn marina99.ruladies.cn youwave932.no-ip.biz x.93ne.com ns1.helpchecks.at ns1.helpchecks.by ns1.helpchecks.com ns1.helpchecks.eu ns1.helpchecks.info ns1.helpcheck1.com ns1.helpcheck1.net ns1.helpcheck1.org mskgh.ddns.net 
yeswecan.duckdns.org sabridz.no-ip.biz mskhe.ddns.net karem.no-ip.org cdn.zry97.com dmar-ksa.ddns.net alkhorsan2016.no-ip.biz amiramir.noip.me katarinasw.date4you.cn # Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0712-0719.html (# Win.Trojan.Gh0stRAT-7059563-0) 79575465.f3322.net chhacke.win cx820329965.f3322.net e2.luyouxia.net guxiaosen.f3322.net labixiaoxin.e2.luyouxia.net mf123.f3322.net mingyemo.3322.org yaoyao.f3322.net # Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0719-0726.html (# Win.Dropper.Gh0stRAT-7073937-0) 1321.f3322.org 254143.f3322.net 53ca.meibu.net feng12763.3322.org jwl520.xicp.net pass.5sfox.com pzss.f3322.org pzss.foxdos.cc separa.f3322.org wfs2015.f3322.net # Reference: https://twitter.com/P3pperP0tts/status/1157179581348163584 haohai.ddns.net # Reference: https://twitter.com/dcTavvy/status/1168906154602373122 154.221.22.25:8080 # Reference: https://twitter.com/killamjr/status/1196089316986032128 # Reference: https://app.any.run/tasks/3d38cda0-3987-49e4-aa1c-d72ecd82e997/ 106.54.57.80:8080 # Reference: https://www.virustotal.com/gui/file/89e9b8338dcf5e6fedee17b76dd2416dc83f3e2476f0cea77de9f0fa56754f2c/detection # Reference: https://www.virustotal.com/gui/file/80b01aa49dd4812b5a4b9d15bc8800c4ee1eeaea6897f6475e00d680771ae703/detection 106.54.57.80:80 106.54.57.80:94 # Reference: https://blog.talosintelligence.com/2019/12/threat-roundup-1129-1206.html (# Win.Dropper.Gh0stRAT-7414189-0) 107.163.241.193:6520 107.163.56.251:6658 host123.zz.am # Reference: https://twitter.com/pancak3lullz/status/743123575146586112 183.61.165.228:8000 243145432.f3322.org # Reference: https://twitter.com/securiteoff/status/739622863485931520 qqqq374281.f3322.org # Reference: https://twitter.com/pancak3lullz/status/739619999334031360 115.239.229.196:8090 # Reference: https://twitter.com/lazyactivist192/status/1214302017981702144 1j5p551644.iok.la # Reference: 
https://www.virustotal.com/gui/file/b8d20eeb7bc3ec8451c72b69b4d2defd9c3981be6cc8b6ba6935a1a724e6d041/detection 218.94.148.242:2015 218.94.148.242:2554 # Reference: https://www.virustotal.com/gui/file/c29621bf50fb69d65de52b6e41a590eb6f804359008324936b94b4e7ec59d812/detection 61.142.176.23:2014 # Reference: https://app.any.run/tasks/2624d66e-c37e-4f50-a199-c5eddd8a1cf1/ xilongxi.net 45.138.209.61:8080 # Reference: https://blog.talosintelligence.com/2020/02/threat-roundup-0131-0207.html (# Win.Worm.Gh0stRAT-7571319-1) # Reference: https://www.virustotal.com/gui/file/c3d1a51bc8f0bd2dca95900d274d575d3d2fd50cdb128f78877d25a5beba7fc9/detection 67.198.149.218:6720 67.198.149.220:8590 # Reference: https://twitter.com/Vishnyak0v/status/1226873846504075264 # Reference: https://www.virustotal.com/gui/file/f96adc9e046ecc6f22d3ba9cfea47a4af75bcba369f454b7a9c8d7ca3d423ac4/detection 192.225.226.217:80 # Reference: https://www.virustotal.com/gui/file/4a7cf906c8cc871176d0702245953eeee5065f9651186cd8ae594e6835b8a8eb/detection 192.225.226.217:8443 # Reference: https://www.virustotal.com/gui/file/ade0514ccb90c39a61ab8a4c16818fbcd352984e2a26b2ffcd92165975e07fd5/detection 192.225.226.217:443 192.225.226.217:53 # Reference: https://app.any.run/tasks/3987798b-6cbe-4236-955e-2413166ef9f9/ 137.220.135.36:8000 # Reference: https://app.any.run/tasks/0611a18e-76be-468a-bfc3-d9491b8f9003/ vip38000a.com 30.554205.com # Reference: https://app.any.run/tasks/12956eb4-d209-4449-9e63-09ee83a64714/ 183.236.2.18:8888 haidishijie.3322.org # Reference: https://twitter.com/wwp96/status/1232326236636090370 # Reference: https://otx.alienvault.com/pulse/5e526a70e6dc03c41340eceb 425rt.rapiddns.ru ref.tbfull.com # Reference: https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf # Reference: https://otx.alienvault.com/pulse/5e5542330b83d1a8b5dc1f27 cloud.newsofnp.com load.collegesmooch.com ssl.newsofnp.com # Reference: 
https://www.threatcrowd.org/malware.php?md5=55d149450d27b69d3ad00287a9164c02 chdvks88.dns0755.net # Reference: https://www.virustotal.com/gui/file/60d7cae08475fb78cab77e09df43468cc0f6d2f01f847fc7582f56731672b0e8/detection 101.200.58.177:16233 # Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html (# Win.Trojan.Gh0stRAT-7603864-1) # Reference: https://www.virustotal.com/gui/ip-address/210.222.25.223/relations # Reference: https://www.virustotal.com/gui/ip-address/113.214.1.34/relations 113.214.1.34:52 117.78.50.197:333 210.222.25.223:7718 210.222.25.223:7748 cq52.top w1464642840.f3322.org xiaoxinzadan.gicp.net # Reference: https://www.virustotal.com/gui/file/fe4625e54603f5c382ab06f0ed1b231e23cbf5bd84f5c30d62e7978217ccea84/detection 210.222.25.223:8562 # Reference: https://www.virustotal.com/gui/file/a67acdaf14970b6fc528707c959554dc76e3869d4d63001fe4f3862e1ad21a05/detection 107.163.56.243:18963 107.163.56.246:18530 # Reference: https://www.virustotal.com/gui/file/370b81561ce4692c46baaa8f64c06d65dad9f816fdda51261a69bedcf93586b7/detection 107.163.56.250:18963 # Reference: https://www.virustotal.com/gui/file/a0eca39b75b4d86e2d363c3200c5b8e0542da3a94ca0e06294c356fab5a5d1c9/detection 107.163.56.245:18963 # Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0320-0327.html (# Win.Keylogger.Gh0stRAT-7639975-0) # Reference: https://www.virustotal.com/gui/file/0349a3917f7f5a79f7edb0b0573acefcda39e51db6ff44456e339e88f422c129/detection # Reference: https://www.virustotal.com/gui/file/4228b03f92fecdd4333d791397ea6dcf109b78ebd518165e5c424028511434da/detection # Reference: https://www.virustotal.com/gui/file/64e9703811f78071523f5f493b2ea39435dcd405a20f6bc1ee644cb83dfd8917/detection # Reference: https://www.virustotal.com/gui/file/89346a8fbd4d9fd02887a508c02e4d3a0b1f45dfa43672cf8dff84efef316a3c/detection # Reference: https://www.virustotal.com/gui/file/5789ece7e834c45289e85ec65358f422b4562635a3a918b18e22ed4a64daddf3/detection # 
Reference: https://www.virustotal.com/gui/file/5789ece7e834c45289e85ec65358f422b4562635a3a918b18e22ed4a64daddf3/detection # Reference: https://www.virustotal.com/gui/file/0f1efaaa2da0908afd3582e9bac7e9542f3acaac422f4d22c0145cd6a7748a73/detection # Reference: https://www.virustotal.com/gui/file/e7502dfbc56b998b54e0944758b3fe7b2dd55b06043764b1ebf36f280cb92344/detection # Reference: https://www.virustotal.com/gui/file/c1d7a774961bd01b96e4d8161632af09b97e3a6f85325dfcd08173282cc819b1/detection 106.9.144.132:7777 106.9.146.161:7777 116.62.168.250:24649 123.207.217.39:90 129.28.191.60:8000 129.28.191.60:99 174.128.255.252:8000 183.131.80.101:90 43.248.201.209:27268 49.232.147.19:8080 8686.f3322.net ccidc.f3322.net qqqqdddd.e2.luyouxia.net qyefeng.vicp.net wzbbk.com # Reference: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html (# Win.Trojan.Gh0stRAT-7737919-0) 1.93.49.73:2012 104.143.150.115:2012 142.4.97.105:2012 155604.f3322.org 182.91.107.168:2012 192.210.63.230:2012 198.74.98.230:2012 aa7899.f3322.org j8666.f3322.org jiuyin.f3322.org kingsir.6600.org linlinwoaini.f3322.org q1299771210.f3322.org qq0104.gicp.net songkeliang.eicp.net vves.3322.org wuer1985.9966.org xiaoxiannv.gnway.net xiaozijun.f3322.org xyllz.com yangman520.f3322.net youlanxiangyin.vicp.cc yzc110110.meibu.net zuoyi5201314.5166.info # Reference: https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html # Reference: https://otx.alienvault.com/pulse/5edfe5c18832f5af1aaf33e3 45.76.6.149:443 comcleanner.info mlcrosoft.site # Reference: https://www.virustotal.com/gui/file/3179a8de034c4547ed9b45898cf60a73816e8b6363e53c7e8aeda0fe17499f1d/detection 103.133.177.250:4563 quasa.ddns.net # Reference: https://www.virustotal.com/gui/file/68844c9403b2b7357050755b9729b21fd22bb4986b5cbf627685a59413c0e1ab/detection 103.40.101.68:4563 # Reference: https://www.virustotal.com/gui/file/42ee8000ef9f2084b5ecffb1d2ca8889615ec58856785eccab3c8f87c53178ae/detection 43.248.11.151:4243 pclient.ddns.net 
# Reference: https://app.any.run/tasks/b584a05c-2f6d-47cf-83e7-657b2e0cf4b1/ http://118.107.47.110 118.107.47.104:8000 118.107.47.104:8001 # Reference: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html (# Win.Packed.Gh0stRAT-9776529-0) # Reference: https://www.virustotal.com/gui/file/086a43e783b6301d5758f43bce59a71908c7beb9f31afd3c88bde7d89081db6b/detection 122.114.28.118:3522 xmrminer.f3322.net # Reference: https://app.any.run/tasks/be0fe876-bcf2-4de7-9ff0-9df1935d0e3b/ 103.74.173.145:6688 pc.8686dy.com # Reference: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html (# Win.Dropper.Gh0stRAT-9786931-0) 1x1elma7.xiaomy.net 22i5b37672.51mypc.cn 2313u080t2.imwork.net 232mr66094.iok.la 26k4593i06.51vip.biz 273o4d5660.wicp.vip 27ow345733.wicp.vip 2z213948z7.iask.in a731940742.gicp.net y2291815a1.51mypc.cn # Reference: https://app.any.run/tasks/4d47550f-cc3b-4b49-8af8-0ccad1760a9e/ 27.124.10.245:4753 syy.skt-one.com # Reference: https://twitter.com/wwp96/status/1327897784213794816 # Reference: https://app.any.run/tasks/e5baf985-6f1d-48ac-bcf2-1302d4a3086d/ 143.92.57.83:8001 143.92.57.83:8080 # Reference: https://www.virustotal.com/gui/file/99d47a61b580eedd39efa6d6c7fb9d13fa1fca3c9fe628cee0f49f1c8f97e8db/detection xiaohai2013.f3322.org # Reference: https://otx.alienvault.com/pulse/5fc0eb77569dc57d9686fb39 graceland777.ddns.net mitty1.freemyip.com williamz20.ddns.net # Reference: https://otx.alienvault.com/pulse/5fc8d47bae040ead5cfc4767 cloudbase-init.pw compprotect.com # Reference: https://twitter.com/lazyactivist192/status/1216814092725506049 zjq1993.meibu.com # Reference: https://twitter.com/_re_fox/status/1238188943587377155 # Reference: https://app.any.run/tasks/f2118744-26c3-4523-8e82-d7203e3bb1e4/ 193.203.215.52:2011 online.update--microsoft.com # Reference: https://www.virustotal.com/gui/file/12d847b384f2aa42db19236178ccd18cf39feb4f18477e48b957816c537d854c/detection 104.149.136.66:2011 mail.update--microsoft.com # 
Reference: https://www.virustotal.com/gui/file/b739076d107965600dfdb92536faa8638deb6d0dcfba5fc6e653ec12853c215c/detection live.korearac.com # Reference: https://www.virustotal.com/gui/file/4c652657944ba7f09a4dbeff95ea66d69f7d82c3bea44808e0428935c513273b/detection # Reference: https://www.virustotal.com/gui/file/4ecc8864e91febef66a6efc6538749e29af715f1a61807b78cd25efebe372449/detection 107.175.137.138:59170 211.149.209.11:59170 lijiejie.nat123.cc # Reference: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html (# Win.Dropper.Gh0stRAT-9800485-0) 53074960.nat123.cc bqcyyx.com lht1361828085.3322.org mingyemo.3322.org seo.kfj.cc # Reference: https://www.virustotal.com/gui/file/9b757b63b31061e0b77a31b5706911f223376283ace22140a415203cbe8040e3/detection 35084ea6.nat123.cc # Reference: https://blog.talosintelligence.com/2020/12/threat-roundup-1204-1211.html (# Win.Dropper.Gh0stRAT-9802375-0) # Reference: https://www.virustotal.com/gui/file/e347ced607de94a87801a27edc9b3faec0551829dbd78294748d93460e28346c/detection 118.193.233.10:7360 a13932873816.f3322.org cescmouad.zapto.org # Reference: https://twitter.com/wwp96/status/1337849110536347650 # Reference: https://app.any.run/tasks/8edcf322-5fba-49ea-a98e-dec554b3d9d0/ 202.58.105.174:8000 # Reference: https://twitter.com/wato_dn/status/1356965355650863106 # Reference: https://twitter.com/kienbigmummy/status/1361965176451264517 # Reference: https://app.any.run/tasks/b91747ae-ea86-4875-9cbf-8a2b78487cc1/ # Reference: https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html 103.255.177.138:8080 # Reference: https://www.virustotal.com/gui/file/2fadd1cb04e54811ca3d3538b9833c254a31db8b875a96794d44aa49db3faa60/detection 43.248.201.209:21922 yg484698405.e2.luyouxia.net # Reference: https://www.virustotal.com/gui/file/dba5987cbe9958bb86bd08eeccdb72999e0327b032821c0b2df4ea5b537c4072/detection 43.248.201.209:29719 xiaok66.e2.luyouxia.net # Reference: 
https://www.virustotal.com/gui/file/429cd23868b064297dd5c536ea420152394b2b5210d8b1f6f1802d353759e7a6/detection 43.248.201.209:32520 xiaoren234.e2.luyouxia.net # Reference: https://www.virustotal.com/gui/file/e407517a144c10e6946082afded7cf7f6afbf4beb4808894fd6b7ac170830a85/detection 43.248.201.209:27140 mmp224460.e2.luyouxia.net # Reference: https://www.virustotal.com/gui/file/f711c717473bb221b7f39a6f13d2c1aaa9403f7fcc5791dc53c38468efead20d/detection 43.248.201.133:28672 hax0fdafda.e1.luyouxia.net # Reference: https://www.virustotal.com/gui/file/9eed6ad63fd1688c0e906ef294a1c6f0489cb6356c3736584c12a34ceea0ff0d/detection 43.248.201.133:27731 damm25969.e1.luyouxia.net # Reference: https://www.virustotal.com/gui/file/09291140c7cd8b73219fa7a95564ec75c54bbfea92dd92cbccfb47c6a7699736/detection 222.186.170.35:29802 zhangjian123.e1.luyouxia.net # Reference: https://www.virustotal.com/gui/file/23ad910aadc455b38b41446ba7425cb891d00f3791d64c7cf8b2c7b47ddf1fe7/detection 43.248.201.133:2021 yindixiang.e1.luyouxia.net # Reference: https://www.virustotal.com/gui/file/130a026be6e1c01d23c3a94052db892950dd00cf2195cc7e54d7e3add19f6278/detection 43.248.201.133:21727 fxd9988019.e1.luyouxia.net # Reference: https://www.virustotal.com/gui/file/0a80a258c199b864b1de65ed260b2cfed02934eb1e51a45e89ae192fb3afa787/detection 43.248.201.133:28316 q3088429300.e1.luyouxia.net # Reference: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html (# Win.Trojan.Gh0stRAT-9831483-1) aka.f3322.net gyxin1314.xicp.net god_xinghe.f3322.org ljwser.xicp.net nt520.f3322.org # Reference: https://app.any.run/tasks/67e24e08-584b-4cca-a8a1-b1ca12f70e95/ 125.65.79.5:5522 103.119.1.139:1987 # Reference: https://twitter.com/wwp96/status/1368417388543180800 # Reference: https://app.any.run/tasks/39d974b3-6fe0-4278-8695-98684eb35c1f/ 113.212.91.178:4753 six.skt-one.com # Reference: https://www.virustotal.com/gui/file/32f2fe76ed68ffaa93baaf3e05ab0cabb058c48a431974e2f8312e2661849a93/detection 
45.154.198.168:4753 sy.skt-one.com # Reference: https://www.virustotal.com/gui/file/91c422b4d9d826ff83ba875f46091c5907b61dcac8a7829ad25aebe181bdc359/detection 45.154.198.160:4753 mm.skt-one.com # Reference: https://www.virustotal.com/gui/file/fd77950eb7f104dfef6eb7f535a5d324069e8f7fb7cca7057e67e427d248f1ff/detection 202.5.23.125:4753 ss.skt-one.com # Reference: https://www.virustotal.com/gui/file/90085f7de94a2ca42f3f534d628318854d7dea91d97a4527ca5b3545fe75094b/detection 27.124.10.245:4753 syy.skt-one.com # Reference: https://www.virustotal.com/gui/file/a99f4c0c9653bb121c9d6875b756203adf3e4d9086f2111e0fe0243355f26e36/detection 73.23.200.124:44579 # Reference: https://www.virustotal.com/gui/file/7f8742297042b4da3914c65c79bec5608eb166fe2034fa054f3d108f7d4f8131/detection # Reference: https://www.virustotal.com/gui/file/2d26ef7b55e8345369b4e6c184441197304532dcf0557022431e5689fd2e9552/detection 113.212.90.152:4753 113.212.91.215:4753 tmh.skt-one.com # Reference: https://www.virustotal.com/gui/file/4359b20a9570083d6126fc013d74d5fb65de09a628a287ae291cd3b7335eb5e3/detection # Reference: https://www.virustotal.com/gui/file/ad101c55122b9bd5be2d5a64d27de50b1826b5908741355e1a28cf38cde79b79/detection # Reference: https://www.virustotal.com/gui/file/ae90ea48bb6a9501de26f6d2763ead816047dab1bed91e5565c477113c63ddef/detection 103.135.101.189:4753 ax.skt-one.com # Reference: https://www.virustotal.com/gui/file/2d3d7817dfaf66265cf2db4a3b8a1806394b74530ae36e7d6d3ad0ba95a0606e/detection 27.124.10.245:4753 ssy.skt-one.com # Reference: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html (# Win.Keylogger.Gh0stRAT-9847918-1) 36ho560717.wicp.vip cn-xz-bgp.sakurafrp.com lolsb.cn # Reference: https://twitter.com/wwp96/status/1385603503998095361 # Reference: https://app.any.run/tasks/8b366bb8-90d3-422c-bf28-c20fad648817/ 122.114.68.46:1990 39.103.200.111:14996 qjy888.f3322.net ref.tbfull.com # Reference: 
https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html # Reference: https://www.virustotal.com/gui/file/55ade218a34f3e727186c9e9c645265f161d7a9b7f55a721ba29e6ef5c3a12da/detection download.adobe-air.com # Reference: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html (# Win.Dropper.Gh0stRAT-9871236-0) gaoshouzaimimang.f3322.org # Reference: https://twitter.com/wwp96/status/1409713019802710029 # Reference: https://app.any.run/tasks/9de5a384-d5aa-4e56-9ead-6a6e63a3731b/ 192.250.240.130:8000 # Reference: https://twitter.com/wwp96/status/1410328605389905923 103.194.104.94:8080 # Reference: https://www.virustotal.com/gui/file/156673535edad847a0bfaa2e3ed0d641b912b7c9704a576c458a968c9d64bb35/detection 160.20.147.36:2019 23.82.19.11:2019 cc.nainainainainainainainainainainai.com # Reference: https://www.virustotal.com/gui/file/4c244d5aa5e534df85e0e56f4b7816029a9d03f26bbff03c1dbb4fec5366b8a4/detection 160.20.147.36:8888 # Reference: https://blog.talosintelligence.com/2021/07/threat-roundup-0716-0723.html (# Win.Malware.Gh0stRAT-9880225-1) aaas0000.codns.com adobeservice.codns.com gkgk5421.codns.com gkgk5544.codns.com gmdals87.codns.com guswns740.codns.com sex5844.ddns.net tmal44.codns.com wldhr15.codns.com # Reference: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html (# Win.Trojan.Gh0stRAT-9882928-1) zxl520.f3322.org # Reference: https://www.virustotal.com/gui/file/f942f8d6fdc97692ed7f864732f4ef0a91f13116f85b56a651eab059f51e3fca/detection bodyres.f3322.net dahuilianglaile.f3322.net # Reference: https://otx.alienvault.com/pulse/61c708f7de699b6b1d490dcd # Reference: https://www.virustotal.com/gui/file/b70da60888ac5237fb74c6dd5fcbb4c4c1c0b26ab0ff5709339c629e54167a9a/detection 106.13.228.81:2025 # Reference: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html (# Win.Dropper.Gh0stRAT-9892254-0) 107.183.41.149:3204 # Reference: 
https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html (# Win.Malware.Gh0stRAT-9893485-1) qc4.pw qqqzxc.win tak9.win tzzpt.win wyx146.top # Reference: https://www.virustotal.com/gui/file/85e4be57ce216b2123ba6ded2d65696bd7d6040ccf63fa7593fe4e2f64869e7a/detection anonymousdzss.no-ip.biz anonymousso.no-ip.biz anonymousuhytsa.no-ip.biz anonymusblack12.no-ip.biz anthonycamis.no-ip.biz # Reference: https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html (# Win.Dropper.Gh0stRAT-9899606-0) 110.34.174.66:8000 # Reference: https://blog.talosintelligence.com/2022/01/threat-roundup-1231-0107.html (# Win.Trojan.Gh0stRAT-9928675-1) 67.198.215.213:3204 # Reference: https://www.virustotal.com/gui/file/000a2ceaa0c6a10dadcece38e9b37f0b4e7adc0bb26936801f330ca1b7b56b1a/detection 107.163.241.197:12354 107.163.241.198:6520 # Reference: https://www.virustotal.com/gui/file/aeba2bd0382eb3e80387fdc5a0182175a50208922d6aab56f090968676e3b32f/detection # Reference: https://www.virustotal.com/gui/file/c11430593fe348d7d2c6c2b5c38004af815e63c2ac87b1bcc09707499de5c160/detection 107.163.241.194:6520 107.163.241.195:12354 # Reference: https://www.virustotal.com/gui/file/a80c87e032a84b4a1df56f5a882b2da1f1f392208258648748277ddbe2749410/detection 107.163.241.191:16300 107.163.241.192:12354 # Reference: https://www.virustotal.com/gui/file/c2769cf66869f1207b0e1d498f541e66d47ba373306b8ff6728ed5ddaddd83d6/detection 107.163.241.189:12354 107.163.241.190:16300 # Reference: https://www.virustotal.com/gui/file/0debc35d129e03a8c856b14fba71671de04906b2de1546754396c63944a8ef00/detection 107.163.241.187:16300 107.163.241.188:12354 # Reference: https://www.virustotal.com/gui/file/09d56d1c1070532b70d5ea512849d432affe85e7e7a5d120e3c8a308e243b243/detection 107.163.241.185:16300 107.163.241.186:12354 # Reference: https://www.virustotal.com/gui/file/4f131307faa566c5780630e2f58beec65fef4f6e068d0834cdb0f6b99991ff9c/detection 107.163.241.183:16300 107.163.241.184:12354 # Reference: 
https://www.virustotal.com/gui/file/2b11428f8477dc1ab6e3aeafc8e8a4a749df748225ead91bcba07f946c8eae62/detection 107.163.43.143:12388 107.163.241.181:16300 107.163.241.182:12354 # Reference: https://www.virustotal.com/gui/file/72f947ca4affb5dc522b08c079fec7757412a3616abf333c73295f26e843ceeb/detection 107.163.241.179:16300 107.163.241.180:12354 107.163.56.110:18530 # Reference: https://www.virustotal.com/gui/file/c133d06d32d03a0a315455ecbc5845f242ee244068162fba160b63d614b6fc1c/detection 107.163.241.175:16300 107.163.241.176:12354 # Reference: https://www.virustotal.com/gui/file/04370baf78b59a171007f518b3eb4d5854637f8c036ad7022d078af4abef8980/detection 107.163.241.202:12354 krnaver.com # Reference: https://twitter.com/honeymoon_ioc/status/1487546093911085070 # Reference: https://twitter.com/vinopaljiri/status/1487653340699844610 # Reference: https://tria.ge/220129-1rwgysaabj/behavioral1 # Reference: https://www.virustotal.com/gui/file/5c07770e22f6b69b150d3b43f2ef2145020f73738d3ba4610932189a0b62927e/detection 185.199.224.169:8145 185.199.224.169:9090 exiles.site # Reference: http://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html (# Win.Packed.Gh0stRAT-9937867-1) 98.126.40.18:3204 # Reference: https://www.virustotal.com/gui/file/004744315ef2277a8bd1078173fe88080a97a91dbe0e37ff9fdea7701151f191/detection 107.163.56.241:18530 107.163.56.240:18963 # Reference: https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html # Reference: https://otx.alienvault.com/pulse/615c2a13c152c6c325889282 tftpupdate.ftpserver.biz # Reference: https://www.virustotal.com/gui/file/4cf08b61835581ebafacd5913eba5d5c743d500c005fe23238650e011ce180f7/detection # Reference: https://www.virustotal.com/gui/file/7d080b7bcd89791afd112738c5d40af4d41a0ef84dde15a906cad764df8ef20b/detection http://45.125.218.178 http://45.125.218.179 45.125.218.178:8000 45.125.218.179:8000 # Reference: https://blog.talosintelligence.com/2022/04/threat-roundup-0422-0429.html (# Win.Trojan.Gh0stRAT-9946565-1) 
1sf.8800.org black123.gnway.net ddos.zhanglianlian.com hao.2sqj.com l.emp666.org one2ada.f3322.org senlin1996.3322.org shiyong.8866.org sszhuan.3322.org vip.523sew.com yangzihouyuanhui.6600.org yplinfo.gnway.net # Reference: https://twitter.com/1ZRR4H/status/1523791593278345217 154.23.191.157:5896 nishabii.live # Reference: https://www.virustotal.com/gui/file/28114eb0261850e8d744be4605b506cd2058ca3acd7c2da7387464f038f4c438/detection 223.171.55.127:1999 # Reference: https://tria.ge/220423-hdggrsaha2/behavioral2 144.202.74.176:2012 asd1738402137.f3322.org # Reference: https://tria.ge/220425-z1573sddd3/behavioral2 3.13.191.225:14136 # Reference: https://tria.ge/220427-bncs1afad6/behavioral2 171.38.77.97:42419 171.38.77.97:42420 171.38.77.97:42421 chaofeng1.f3322.org # Reference: https://www.virustotal.com/gui/file/d9d1d2c440fffc40d5ac6abeb16bb83cc98267b0130637e54b8e79e22dce87e4/behavior/Microsoft%20Sysinternals 154.23.182.128:8089 # Reference: https://www.virustotal.com/gui/file/cec8082b581df5a734ff3d6c6582c94fa1cb12f08c3bd3390a4c58960dd1de8f/behavior/VirusTotal%20Jujubox 23.224.97.111:5555 # Reference: https://www.virustotal.com/gui/file/f563029f4a88368711eed2b7acbdf244cc865027945407098c3bc7e2e504d2c6/behavior/VirusTotal%20Jujubox 134.175.141.126:2022 # Reference: https://www.virustotal.com/gui/file/39af9d875717c9a93fbe97fdd5f5b5da1d7dbb76cae14fdeeae4556da9827813/behavior/C2AE 216.83.45.203:7500 # Reference: https://www.virustotal.com/gui/file/f75d645400b91e9b1ea1f1f3f4806c1f59b378399684e1a499061b79724a0a68/behavior/Microsoft%20Sysinternals 110.186.58.114:9797 # Reference: https://www.virustotal.com/gui/file/a09ff60f0acaef699dc08ee06aac0bdc9a6ab4c1427b15dace33752ab753f92c/behavior/Microsoft%20Sysinternals 193.218.38.158:8080 # Reference: https://www.virustotal.com/gui/file/95e5988e40f7655cd95b70b5ae927ca25ac8ceb486117bd933fbfabe5456bf3e/behavior/VirusTotal%20Jujubox 43.248.201.133:21328 a798370668.e1.luyouxia.net # Reference: 
https://www.virustotal.com/gui/file/a120d80235eccb05e995c3f6d72acf3c89e5b8809a72f366bc01171e40d69608/behavior/Dr.Web%20vxCube 103.194.104.10:8089 # Reference: https://blog.talosintelligence.com/2022/05/threat-roundup-0506-0513.html (# Win.Malware.Gh0stRAT-9949686-0) 1.15.252.63:3339 # Reference: https://blog.talosintelligence.com/2022/05/threat-roundup-0520-0527.html (# Win.Dropper.Gh0stRAT-9950358-1) # Reference: https://www.virustotal.com/gui/file/05a9987be765d374c21143d6aa92ed0b6405e28bd96291375cf0d28f21a165ec/detection # Reference: https://www.virustotal.com/gui/file/188328a03eafa8a5ab8e1fcd971e10eacb6fe4428741fb72e8a965cdda850f0d/detection # Reference: https://www.virustotal.com/gui/file/388d77e4fa716c49dde738b8897b7ed13313a6800155de7d388e59cd23eebab7/detection 154.221.21.125:65004 nianqing.xyz yckz.5453.top # Reference: https://www.virustotal.com/gui/file/999e537d3fe2789a074121cee8f83d6858ca7d0baf7b54e6e24ed5f91a231444/detection 47.97.103.217:2012 # Reference: https://twitter.com/r3dbU7z/status/1624977660735528962 # Reference: https://www.virustotal.com/gui/file/12b71b648d7b07fcd01b954e2615e21548e7c818effa5748dfa20fbba08d2ef2/detection 182.92.235.68:1990 # Reference: https://otx.alienvault.com/pulse/63f361ef1a12fc11df419438 lanzuanpay.xyz # Reference: https://twitter.com/wwp96/status/1627448220182872064 # Reference: https://app.any.run/tasks/33efb5a3-5668-44bb-a98d-e24ee0510a54/ 114.96.97.0:1997 # Reference: https://twitter.com/wwp96/status/1630019574816182272 # Reference: https://app.any.run/tasks/8fb9ad39-57dc-444d-88d8-d71ac942cddc/ 47.94.241.76:43 # Reference: https://twitter.com/wwp96/status/1630343778367344640 # Reference: https://app.any.run/tasks/93bad3ed-b2d5-4e2a-9c02-f1b8c9c3d889/ 58.221.57.142:7777 # Reference: https://twitter.com/wwp96/status/1632152368178659328 # Reference: https://app.any.run/tasks/3bbe3ab0-33d4-4248-bd12-d52d368f804a/ 39.109.113.141:7777 # Reference: https://twitter.com/0xToxin/status/1633009525530800131 # Reference: 
https://app.any.run/tasks/2d6ac745-bdbe-401b-9099-f5d1d5ee63d5/ http://124.220.35.63 103.127.83.43:8225 # Reference: https://twitter.com/JAMESWT_MHT/status/1633019264675241984 # Reference: https://www.virustotal.com/gui/file/05974133505a3e988edff7e6f12db30b978a7b1f222aa180bc37cae4fa235633/detection 124.220.35.63:8880 # Reference: https://www.virustotal.com/gui/file/79a46b45d026b26a52c76fd5729a7dbd43a3c3233300c0624122cd578dd6c0b8/detection 124.220.35.63:8081 # Reference: https://www.virustotal.com/gui/file/cb321addb3a80115ca704ce53d3d395ab9ff994863c8e04ad4e6082def455113/detection 124.220.35.63:8001 # Reference: https://twitter.com/pollo290987/status/1654581586342338560 # Reference: https://www.virustotal.com/gui/file/f1b2416eafb95e5e027569b21e575c5c19c8994b26c5be785c833d18c77488ed/detection 111.92.242.184:2200