# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services
# Reference: https://otx.alienvault.com/pulse/5e615414b0254429fcb302f0

droptop.com
droptop1.com
droptop2.com
droptop3.com
droptop4.com
droptop5.com
droptop6.com
droptop7.com
droptop8.com
droptop9.com
droptop10.com

# Reference: https://twitter.com/MBThreatIntel/status/1240790622199406593
# Reference: https://www.virustotal.com/gui/ip-address/63.250.44.99/relations

popeorigin.pw
popeorigin1.pw
popeorigin2.pw
popeorigin3.pw
popeorigin4.pw
popeorigin5.pw
popeorigin6.pw
popeorigin7.pw
popeorigin8.pw
popeorigin9.pw
popeorigin10.pw

# Reference: https://www.virustotal.com/gui/file/42cda72eccc1564c97e004f2c01449e07bcad084ce767cc102bb99c8921f899e/detection

phamchilong.com

# Reference: https://twitter.com/malwrhunterteam/status/1235220750635806720
# Note: such trails can be met with /hjf sign in address

107.189.162.190:9090

# Reference: https://www.virustotal.com/gui/file/2f2d784e1e0d9d5a9ede345eef47d2228e82570a8bdaa632defdbc6c7f69f494/detection

141.105.66.243:9090

# Reference: https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
# Reference: https://otx.alienvault.com/pulse/5e879a7305b78c1346f82424

artizaa.com
matpincscr.com
murthydigitals.com
myamystills.com
novmintservices.com
ptgteft.com
rossogato.com
saidialxo.com

# Reference: https://blog.morphisec.com/guloader-the-rat-downloader
# Reference: https://otx.alienvault.com/pulse/5e87a721a6072454dfc0ca87

arabianbrother.com/a/
ntaryan.com/a/

# Generic

/hjf