# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: hworm, h-worm, wshrat # Reference: https://twitter.com/DissectMalware/status/986467663353442305 pm2bitcoin.com # Reference: https://twitter.com/Racco42/status/1047173279553900551 toheeb.publicvm.com # Reference: https://twitter.com/Racco42/status/1044562743519584257 # Reference: https://twitter.com/Racco42/status/1040353263579738113 # Generic trail /is-ready # Reference: https://twitter.com/Racco42/status/1053747018835869696 fud.fudcrypt.com # Reference: https://twitter.com/Racco42/status/1102879193631731713 185.198.26.245:3843 # Reference: https://twitter.com/Racco42/status/1110868159492489216 brothersjoy.nl newmenow.duckdns.org # Reference: https://twitter.com/James_inthe_box/status/1016808667692204032 windefendeupdate.duckdns.org # Reference: https://twitter.com/Jan0fficial/status/1009009607988187137 # Reference: https://pastebin.com/MxR1p5wG stanman.linkpc.net /is-sending # Reference: https://twitter.com/avman1995/status/963273945955864577 ines0049.ddns.net # Reference: https://www.securityartwork.es/2019/01/25/wirte-group-attacking-the-middle-east/ 149.28.14.103:535 # Reference: https://twitter.com/pmelson/status/1119756002503606272 updatesystem.linkpc.net # Reference: https://twitter.com/Racco42/status/1120981890947854336 185.101.94.172:3018 # Reference: https://twitter.com/Racco42/status/1121350734350413824 # Reference: https://www.virustotal.com/en/file/5efd79ed3058f656b6df2164a37f86e80978d8ebb5f8d5222be03decb03fc28b/analysis/1556133044/ 194.187.249.104:7777 # Reference: https://twitter.com/chen_erlich/status/1121406324884086787 # Reference: https://www.hybrid-analysis.com/sample/4ff921531d9cb5c21b3ee081a5fd1c52d12690332dd1ea1608230b8de918ac09 105.105.218.193:4433 # Reference: https://twitter.com/chen_erlich/status/1121406324884086787 # Reference: https://www.virustotal.com/gui/file/b2dc457d16afa43c943b31021052b939d58aedfcdf2fad8e25e5b96edc71d180/detection updatefacebook.ddns.net 197.162.66.49:2 # Reference: https://twitter.com/chen_erlich/status/1121406324884086787 # Reference: https://www.virustotal.com/gui/file/61c96cdb88877b3c737a1022bb6355e8489d2cc2019ecbcc15be978186552174/detection 23.227.201.158:3047 # Reference: https://www.hybrid-analysis.com/sample/442fe9bb6820ba79ca48429df8e5a01e991302be2a0d45a35c99c5d006a1d64a office-update.services 104.24.112.139:2082 # Reference: https://twitter.com/JAMESWT_MHT/status/1130449106663616513 savelifes.tech # Reference: https://twitter.com/James_inthe_box/status/1138092566820212737 doughnut-snack.live mynameisstaff.warzonedns.com # Reference: https://twitter.com/luc4m/status/1138430833533104128 unknownsoft.duckdns.org # Reference: https://twitter.com/Racco42/status/1139458016611356672 sirkashmoremoney.duckdns.org # Reference: https://twitter.com/Racco42/status/1139461501113311232 chance2019.ddns.net # Reference: https://twitter.com/HONKONE_K/status/1141181986523844612 bylgay.hopto.org microsoftoutlook.duckdns.org soucdtevoceumcuzao.duckdns.org # Reference: https://twitter.com/Bank_Security/status/1141388470293655552 # Reference: https://pastebin.com/P4h3NHJE tcoolsoul.com # Reference: https://twitter.com/Racco42/status/1143054336563564544 # Reference: https://twitter.com/dvk01uk/status/1143027551151042560 # Reference: https://app.any.run/tasks/b6ac016b-3439-4710-9942-e1645343a261/ doughnut-snack.live microsoft.btc-crypto-rewards.cash 160.202.163.246:9966 185.247.228.14:7755 # Reference: https://twitter.com/coderippers/status/1154003951152484352 9d1.myq-see.com mzu.publicvm.com # Reference: https://twitter.com/Timele9527/status/1159673642332016640 mmksba.dyndns.org 64.188.25.230:4455