# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: dinihou, duhini, hworm, h-worm, wshrat # Reference: https://twitter.com/DissectMalware/status/986467663353442305 pm2bitcoin.com # Reference: https://twitter.com/Racco42/status/1047173279553900551 toheeb.publicvm.com # Reference: https://twitter.com/Racco42/status/1044562743519584257 185.141.27.177:4123 # Reference: https://twitter.com/Racco42/status/1040353263579738113 # Reference: https://app.any.run/tasks/f6eca300-7137-4e88-bd28-7f9a507a17d3/ 46.243.189.128:6969 # Reference: https://twitter.com/Racco42/status/1053747018835869696 fud.fudcrypt.com # Reference: https://twitter.com/Racco42/status/1102879193631731713 185.198.26.245:3843 # Reference: https://twitter.com/Racco42/status/1110868159492489216 brothersjoy.nl newmenow.duckdns.org # Reference: https://twitter.com/James_inthe_box/status/1016808667692204032 windefendeupdate.duckdns.org # Reference: https://twitter.com/Jan0fficial/status/1009009607988187137 # Reference: https://pastebin.com/MxR1p5wG stanman.linkpc.net # Reference: https://twitter.com/avman1995/status/963273945955864577 ines0049.ddns.net # Reference: https://www.securityartwork.es/2019/01/25/wirte-group-attacking-the-middle-east/ # Reference: https://www.virustotal.com/gui/file/65d61cf1481749565fc8f4186c92c7b4f499b39e4d93295551ece4ec9560cd27/detection 149.28.14.103:535 149.28.14.103:80 mighty-dead.ddns.net mighty-dead.spdns.de mightydead.webredirect.org # Reference: https://twitter.com/pmelson/status/1119756002503606272 updatesystem.linkpc.net # Reference: https://twitter.com/Racco42/status/1120981890947854336 185.101.94.172:3018 # Reference: https://twitter.com/Racco42/status/1121350734350413824 # Reference: https://www.virustotal.com/en/file/5efd79ed3058f656b6df2164a37f86e80978d8ebb5f8d5222be03decb03fc28b/analysis/1556133044/ 194.187.249.104:7777 # Reference: 
https://twitter.com/chen_erlich/status/1121406324884086787 # Reference: https://www.hybrid-analysis.com/sample/4ff921531d9cb5c21b3ee081a5fd1c52d12690332dd1ea1608230b8de918ac09 105.105.218.193:4433 # Reference: https://twitter.com/chen_erlich/status/1121406324884086787 # Reference: https://www.virustotal.com/gui/file/b2dc457d16afa43c943b31021052b939d58aedfcdf2fad8e25e5b96edc71d180/detection updatefacebook.ddns.net 197.162.66.49:2 # Reference: https://twitter.com/chen_erlich/status/1121406324884086787 # Reference: https://www.virustotal.com/gui/file/61c96cdb88877b3c737a1022bb6355e8489d2cc2019ecbcc15be978186552174/detection 23.227.201.158:3047 # Reference: https://www.hybrid-analysis.com/sample/442fe9bb6820ba79ca48429df8e5a01e991302be2a0d45a35c99c5d006a1d64a office-update.services 104.24.112.139:2082 # Reference: https://twitter.com/JAMESWT_MHT/status/1130449106663616513 savelifes.tech # Reference: https://twitter.com/James_inthe_box/status/1138092566820212737 doughnut-snack.live mynameisstaff.warzonedns.com # Reference: https://twitter.com/luc4m/status/1138430833533104128 unknownsoft.duckdns.org # Reference: https://twitter.com/Racco42/status/1139458016611356672 sirkashmoremoney.duckdns.org # Reference: https://twitter.com/Racco42/status/1139461501113311232 chance2019.ddns.net # Reference: https://twitter.com/HONKONE_K/status/1141181986523844612 bylgay.hopto.org microsoftoutlook.duckdns.org soucdtevoceumcuzao.duckdns.org # Reference: https://twitter.com/Bank_Security/status/1141388470293655552 # Reference: https://pastebin.com/P4h3NHJE tcoolsoul.com # Reference: https://twitter.com/Racco42/status/1143054336563564544 # Reference: https://twitter.com/dvk01uk/status/1143027551151042560 # Reference: https://app.any.run/tasks/b6ac016b-3439-4710-9942-e1645343a261/ microsoft.btc-crypto-rewards.cash 160.202.163.246:9966 185.247.228.14:7755 # Reference: https://twitter.com/coderippers/status/1154003951152484352 9d1.myq-see.com mzu.publicvm.com # Reference: 
https://twitter.com/Timele9527/status/1159673642332016640 mmksba.dyndns.org 64.188.25.230:4455 # Reference: https://twitter.com/smica83/status/1166275236741955585 dbin240.ddns.net # Reference: https://twitter.com/luc4m/status/1166765980489584640 91.132.139.181:9999 # Reference: https://twitter.com/wwp96/status/1171069954881392641 # Reference: https://app.any.run/tasks/d3b840d6-520a-4529-a561-b2ce8c05b432/ 79.134.225.72:1104 165.22.129.173:7756 ablerightventures.duckdns.org pluginsrv1.duckdns.org # Reference: https://twitter.com/Paladin3161/status/1172178725959397378 plunder.nsupdate.info # Reference: https://twitter.com/malware_traffic/status/1172610957929062410 81.92.202.176:5200 tain0077.warzonesdns.com # Reference: https://twitter.com/KorbenD_Intel/status/1133469852579106816 pleasurekeys.hopto.org suzuki-dc.biz unknownsoft.duckdns.org # Reference: https://www.virustotal.com/gui/domain/dz47.cf/relations dz47.cf # Reference: https://www.threatcrowd.org/listMalware.php?antivirus=Worm.VBS.Dinihou 4ever4.zapto.org 999mostafa999.no-ip.org 999mostafa999.sytes.net aboodzainuddin.ddns.net adda.no-ip.org adolf2013.sytes.net alfhaddd-hakr.no-ip.biz anarqe77.no-ip.biz anassrojola.ddnsking.com androidupdate.myq-see.com avg-antivirus.zapto.org blackr00t5.no-ip.org blkisdz.ddns.net bog5151.zapto.org bogus911.no.ip.biz bogus911.no-ip.biz brigittenetwork.hopto.org chrome00.sytes.com chuckey1.no-ip.org cupidon.zapto.org desermyth.dyndns.org devil.hopto.org diiimaria.zapto.org dmar123.no-ip.biz dodaaa.zapto.org dz-drs.no-ip.biz dz47.myq-see.com elisou19.ddns.net eroor.ddns.net exxilero.ddns.net ffff99fff.no-ip.biz gerssy.zapto.org google-1.linkpc.net google00.ddns.net google7.no-ip.org greekwebtv.viewdns.net h-w0rm.zapto.org hadizz.no-ip.biz haydar93.no-ip.biz helps.zapto.org introworld.no-ip.org introworld.zapto.org iphack.no-ip.info j2w2d.no-ip.biz jaberlovee.ddns.net jhk.no-ip.org khalode4me.no-ip.biz killer---204.no-ip.biz king25.zapto.org kiyoma200.no-ip.biz 
klonkino.no-ip.org kusaisouf.no-ip.org lastdance.ddns.net lolokamal.zapto.org maxxx12.serveftp.org maxy.no-ip.info mda.no-ip.org memo8.no-ip.org memo9.no-ip.org mesopotemia222.zapto.org microsoftsystem.sytes.net microsoftwindows.sytes.net migalou2012.no-ip.biz mlcrosoft.serveftp.com monas04.no-ip.info mootje01.no-ip.org mrkiller.no-ip.org nouna1985.no-ip.org pilo-raouf.no-ip.biz pscho546.hopto.org qqwe.hopto.org qwqhack.no-ip.biz redex.no-ip.info righi.linkpc.net rndaso.no-ip.info romyo333.sytes.net ronaldo-123.no-ip.biz s-mz.sytes.net saifnjrat55.no-ip.biz sexcam.3utilities.com shawaf.sytes.net sidisalim.myvnc.com smoky29902332.hopto.org swanox.no-ip.org tariqalr.zapto.org terminator9.zapto.org twiti2390.no-ip.biz vpn-hacker.no-ip.biz waforex2011.no-ip.info winup.serveftp.com wkooora.sytes.net wvvw.sytes.net x.dvr-ddns.com yah00.sytes.net ycemufkk6g.bounceme.net youcef142.no-ip.biz ysf.no-ip.biz # Reference: https://www.securityhome.eu/malware/malware.php?mal_id=51549698551bff97f583c51.51712090 abdnjworm.no-ip.biz abocasse.zapto.org ahmedghost.no-ip.info b-trese.no-ip.biz boucraa.no-ip.org dd.no-ip.bz debili1.no-ip.biz fuck-all.no-ip.info hackers1990.no-ip.org heartbraker.no-ip.biz jnyn-99.no-ip.org mda.no-ip.org mmrick.zapto.org mntm.no-ip.biz mootje01.no-ip.org mozaya46415.zapto.org rouge166821.no-ip.biz vanonymous.no-ip.org vichtorio-israeli.zapto.org zkzak.np-ip.biz # Reference: http://ddos-info.weebly.com/blog/h-worm-plus-public-in-depth-analysis adamdam.zapto.org adolf2013.sytes.net ahmad212.no-ip.biz alii007.zapto.org am1.no-ip.info ballgogo.no-ip.biz basss.no-ip.info bg1337.zapto.org bog5151.zapto.org dataday3.no-ip.org docteuur13.no-ip.org doda.redirectme.net dzhacker15.no-ip.org g00gle.sytes.net gerssy.zapto.org googlechrome.servegame.com hackediraq.no-ip.biz hackeralbasrah.no-ip.biz hattouma12.no-ip.biz hmode123.no-ip.biz karimstar.zapto.org kiyoma200.no-ip.biz koko.myftp.org mda.no-ip.org medolife.no-ip.biz microsoftsystem.sytes.net mootje01.no-ip.org 
msgbox.zapto.org new-hacker.no-ip.org njnj.redirectme.net no99.zapto.org noooot.no-ip.biz pess-123.zapto.org pess-12.zapto.org portipv6.redirectme.net ronaldo-123.no-ip.biz sawdz.no-ip.biz securityfocus.bounceme.net shagagy21.no-ip.biz sidisalim.myvnc.com silent9.zapto.org terminator9.zapto.org vpn-hacker.no-ip.biz xbox720.zapto.org xkiller.no-ip.info yahia17.no-ip.org zeusback.no-ip.biz zoia.no-ip.org # Reference: http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Jenxcus#tab=2 # Reference: http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Worm:VBS/Jenxcus#tab=2 a.servecounterstrike.com eqe.sytes.net jnj.redirectme.net winlogon.servecounterstrike.com 3dmntk.no-ip.biz 999mostafa999.no-ip.biz 9d1.no-ip.org a.servecounterstrike.com abanas19.no-ip.biz abdo1abdo.no-ip.biz adolf2013.sytes.net ahmad909.no-ip.biz ajeeb.zapto.org ali2010.no-ip.biz aljabiry1.no-ip.biz alnazee.no-ip.org alnazee.no-ip.org alsha2e.zapto.org amere-ali.no-ip.biz aore.no-ip.org asmarany.no-ip.biz asmarany.np-ip.biz aymen112233.no-ip.org bifrost-jordan.zapto.org big-hack.no-ip.com blackhawk.myftp.biz cggfhddsscds.no-ip.biz cxxz.no-ip.biz damla.no-ip.org dhuaa.no-ip.org dnsip.servehttp.com doopy99.zapto.org fadliking.sytes.net fons.no-ip.info frostate.no-ip.biz ghoster13.no-ip.biz gmail2013.no-ip.info hackeralbasrah.no-ip.biz haedar.no-ip.biz hanan96.no-ip.bizport iraqi2013.servemp3.com jn.redirectme.net klagord.no-ip.org kurd2013.no-ip.biz localh0st.servehttp.com loll1.no-ip.biz m4b.no-ip.org mda.no-ip.org microsoftsystem.sytes.net milito.no-ip.org mohez.no-ip.org msy.myvnc.com naza.no-ip.biz new-hacker.no-ip.org oscar-bif.zapto.org portipv6.redirectme.net pthacker.no-ip.org ramadan.zapto.org sdgsg.no-ip.biz shawaf.sytes.net shee5iq.no-ip.biz shee5iq.no-p.biz sro7.no-ip.info systemsxp.sytes.net theghostholako.no-ip.org thescorpionking.no-ip.org utilesat.zapto.org uty.myq-see.com wahidhackerdz.no-ip.biz xkiller.no-ip.info xmx.no-ip.info 
xxsc.no-ip.org xxxxxx.no-ip.biz yahoomail.3utilities.com zilol.no-ip.org # Reference: https://twitter.com/Racco42/status/1174605204353949697 # Reference: https://app.any.run/tasks/27a475ac-c113-49be-b947-f580662600e4/ 91.132.139.181:9999 # Reference: https://twitter.com/Littl3field/status/1174624023709454336 178.124.140.148:3571 # Reference: https://www.menlosecurity.com/hubfs/pdfs/Menlo_Houdini_Report%20WEB_R.pdf dz47.servehttp.com maroco.linkpc.net maroco.myq-see.com maroco.redirectme.net # Reference: https://twitter.com/pmelson/status/1175928909264838660 185.251.38.91:5555 # Reference: https://twitter.com/dvk01uk/status/1176483058058440705 # Reference: https://app.any.run/tasks/62990e45-e920-48b0-a3b3-9ce2e83f99dc/ 192.169.69.25:7757 79.134.225.100:2813 2813.noip.me # Reference: https://twitter.com/Racco42/status/1178932126588297217 45.79.41.137:2344 # Reference: http://blog.morphisec.com/hworm-houdini-aka-njrat chroms.linkpc.net finix5.hopto.org finixalg11.ddns.net salh.linkpc.net # Reference: https://twitter.com/fletchsec/status/1179891198615531521 # Reference: https://www.hybrid-analysis.com/sample/a1da7465c3893cb30408820ee821210c0c1c008dcfde0af167f33e9db61975a2/5d965b610288389582043002 186.85.86.96:1235 nfiefbwihf48h9wun3foisnc98ehfb9uwfu.duckdns.org # Reference: https://twitter.com/Racco42/status/1131130800630579200 admin1960.linkpc.net savelifes.tech # Reference: https://twitter.com/Racco42/status/1111615130272444416 181.52.113.177:8105 socketw3.duckdns.org # Reference: https://twitter.com/James_inthe_box/status/1092764605766483969 194.5.99.53:5732 # Reference: https://twitter.com/luc4m/status/1092483141619601408 easyresa.ddns.net shkis.publicvm.com # Reference: https://twitter.com/luc4m/status/1073257560625569792 goz.unknowncrypter.com # Reference: https://twitter.com/Racco42/status/1064880890277494785 185.141.27.177:6544 # Reference: https://twitter.com/DissectMalware/status/1008387935199260672 # Reference: 
https://www.virustotal.com/gui/domain/suport.ddns.net/relations 141.255.145.240:233 141.255.145.255:233 141.255.145.87:233 141.255.146.205:233 141.255.146.59:233 141.255.148.251:233 141.255.148.91:233 141.255.149.205:233 141.255.151.184:233 141.255.152.112:233 141.255.153.20:233 141.255.153.7:233 141.255.155.127:233 141.255.157.34:233 141.255.158.240:233 141.255.158.49:233 141.255.158.62:233 141.255.159.223:233 179.89.100.165:233 196.70.42.129:233 93.182.168.132:233 93.182.168.14:233 93.182.168.15:233 93.182.168.16:233 93.182.168.29:233 93.182.168.31:233 93.182.168.36:233 93.182.168.6:233 93.182.168.8:233 93.182.169.10:233 93.182.169.29:233 93.182.169.30:233 93.182.169.32:233 93.182.170.11:233 93.182.170.141:233 93.182.170.145:233 93.182.170.33:233 93.182.170.5:233 93.182.171.131:233 93.182.171.146:233 93.182.171.164:233 93.182.171.22:233 93.182.171.25:233 93.182.171.26:233 93.182.171.5:233 93.182.172.21:233 93.182.173.20:233 93.182.173.21:233 93.182.173.37:233 93.182.173.6:233 93.182.174.23:233 141.255.145.240:322 141.255.145.255:322 141.255.145.87:322 141.255.146.205:322 141.255.146.59:322 141.255.148.251:322 141.255.148.91:322 141.255.149.205:322 141.255.151.184:322 141.255.152.112:322 141.255.153.20:322 141.255.153.7:322 141.255.155.127:322 141.255.157.34:322 141.255.158.240:322 141.255.158.49:322 141.255.158.62:322 141.255.159.223:322 179.89.100.165:322 196.70.42.129:322 93.182.168.132:322 93.182.168.14:322 93.182.168.15:322 93.182.168.16:322 93.182.168.29:322 93.182.168.31:322 93.182.168.36:322 93.182.168.6:322 93.182.168.8:322 93.182.169.10:322 93.182.169.29:322 93.182.169.30:322 93.182.169.32:322 93.182.170.11:322 93.182.170.141:322 93.182.170.145:322 93.182.170.33:322 93.182.170.5:322 93.182.171.131:322 93.182.171.146:322 93.182.171.164:322 93.182.171.22:322 93.182.171.25:322 93.182.171.26:322 93.182.171.5:322 93.182.172.21:322 93.182.173.20:322 93.182.173.21:322 93.182.173.37:322 93.182.173.6:322 93.182.174.23:322 141.255.145.240:323 141.255.145.255:323 
141.255.145.87:323 141.255.146.205:323 141.255.146.59:323 141.255.148.251:323 141.255.148.91:323 141.255.149.205:323 141.255.151.184:323 141.255.152.112:323 141.255.153.20:323 141.255.153.7:323 141.255.155.127:323 141.255.157.34:323 141.255.158.240:323 141.255.158.49:323 141.255.158.62:323 141.255.159.223:323 179.89.100.165:323 196.70.42.129:323 93.182.168.132:323 93.182.168.14:323 93.182.168.15:323 93.182.168.16:323 93.182.168.29:323 93.182.168.31:323 93.182.168.36:323 93.182.168.6:323 93.182.168.8:323 93.182.169.10:323 93.182.169.29:323 93.182.169.30:323 93.182.169.32:323 93.182.170.11:323 93.182.170.141:323 93.182.170.145:323 93.182.170.33:323 93.182.170.5:323 93.182.171.131:323 93.182.171.146:323 93.182.171.164:323 93.182.171.22:323 93.182.171.25:323 93.182.171.26:323 93.182.171.5:323 93.182.172.21:323 93.182.173.20:323 93.182.173.21:323 93.182.173.37:323 93.182.173.6:323 93.182.174.23:323 141.255.145.240:324 141.255.145.255:324 141.255.145.87:324 141.255.146.205:324 141.255.146.59:324 141.255.148.251:324 141.255.148.91:324 141.255.149.205:324 141.255.151.184:324 141.255.152.112:324 141.255.153.20:324 141.255.153.7:324 141.255.155.127:324 141.255.157.34:324 141.255.158.240:324 141.255.158.49:324 141.255.158.62:324 141.255.159.223:324 179.89.100.165:324 196.70.42.129:324 93.182.168.132:324 93.182.168.14:324 93.182.168.15:324 93.182.168.16:324 93.182.168.29:324 93.182.168.31:324 93.182.168.36:324 93.182.168.6:324 93.182.168.8:324 93.182.169.10:324 93.182.169.29:324 93.182.169.30:324 93.182.169.32:324 93.182.170.11:324 93.182.170.141:324 93.182.170.145:324 93.182.170.33:324 93.182.170.5:324 93.182.171.131:324 93.182.171.146:324 93.182.171.164:324 93.182.171.22:324 93.182.171.25:324 93.182.171.26:324 93.182.171.5:324 93.182.172.21:324 93.182.173.20:324 93.182.173.21:324 93.182.173.37:324 93.182.173.6:324 93.182.174.23:324 suport.ddns.net # Reference: https://twitter.com/DissectMalware/status/986467663353442305 # Reference: 
https://www.hybrid-analysis.com/sample/f0a1aeaf2a6f3c6098696d3802675097072459b89213177f1e4f1494a67c250a 185.209.85.177:5000 # Reference: https://twitter.com/Racco42/status/1017007079813451778 tune.tym-internationals.com # Reference: https://twitter.com/Racco42/status/995955505221730304 ihsann.casacam.net # Reference: https://app.any.run/tasks/505c6e4c-723b-46b0-8917-c200c65817ea/ 181.215.247.18:3339 185.198.59.114:5000 # Reference: https://twitter.com/Racco42/status/982731639301267459 lordsdoing2017.ddns.net # Reference: https://github.com/silence-is-best/c2db#dunihi 192.186.145.93:8885 # Reference: https://github.com/silence-is-best/c2db#houdini-aka-vjworm-vjw0rm jihanenouhaila.ddns.net # Reference: https://twitter.com/Racco42/status/1183666041706168321 194.5.98.216:10122 # Reference: https://twitter.com/JAMESWT_MHT/status/1185131622263377923 # Reference: https://app.any.run/tasks/b79dcfcd-5b9b-404f-aaf6-a9ea55109284/ 186.147.55.19:5473 186.147.55.19:8371 186.147.55.19:8372 192.169.69.25:8370 mozillamaintenanceservice.duckdns.org papeleradereciclaje.duckdns.org seguridaddewindows.duckdns.org # Reference: https://app.any.run/tasks/1bd816aa-3764-480e-ba70-b57b36551bc7 # Reference: https://www.virustotal.com/gui/ip-address/213.208.152.217/relations nascoman.ddnsgeek.com 213.208.152.217:14337 60.50.181.240:14337 # Reference: https://www.virustotal.com/gui/ip-address/79.134.225.80/relations 79.134.225.80:7776 # Reference: https://pastebin.com/29uSdMAk 185.165.153.172:3642 homi.doomdns.org # Reference: https://twitter.com/wwp96/status/1193987577323360256 # Reference: https://app.any.run/tasks/dc2b37db-6f22-4d4c-b13e-ae863ddc9004/ 185.165.153.45:2014 # Reference: https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated/ # Reference: https://otx.alienvault.com/pulse/5dcad67ae098a56db0a277d5 # Reference: https://www.virustotal.com/gui/file/d55d5b0c6f41cc6a86764a07715a1a38f2fddda9b90ec641d902be8946939d14/detection # Reference: 
https://www.virustotal.com/gui/ip-address/185.84.181.102/relations # Reference: https://www.virustotal.com/gui/ip-address/193.56.28.179/relations 185.165.153.14:4132 185.84.181.102:5478 193.56.28.134:5478 07actnewdocreview.servebeer.com 247accountreview.hopto.org 2d0low.warzonedns.com acountfordocreview.redirectme.net alertnewdoc.3utilities.com aloc21.ddns.net alphazone12.bounceme.net britianica.uk.com cboss33.hopto.org glotin.zapto.org hazaz12.hopto.org info1.nowddns.com kartelicemoney.duckdns.org newdocreviewonline.3utilities.com omada91.ddns.net ubadaddy.ddns.net zamza.hopto.org # Reference: https://twitter.com/Racco42/status/1194915765755031554 185.29.10.15:7777 # Reference: https://mp.weixin.qq.com/s/lUtXwWjPVMHXfR6oLnXYhQ # Reference: https://otx.alienvault.com/pulse/5dd27af757b18947b0544345 # Reference: https://ti.qianxin.com/blog/articles/anatomy-of-moonLight-attack-on-the-middle-east/ 192.119.111.4:4521 192.119.111.4:4587 # Reference: https://twitter.com/cyber__sloth/status/1197120949755219968 microsoftntdll.sytes.net # Reference: https://twitter.com/JayTHL/status/1199347277510270977 188.76.111.76:21125 # Reference: https://www.virustotal.com/gui/file/ca4299f39f28700d8e667451f756fb9637403bb2051d916e90378afe15ff3a57/detection 188.76.111.76:21926 # Reference: https://www.virustotal.com/gui/file/ed7e46b0cf27b8f728cdd71a7c4ae98afde8d2e63f0817eb322c8e77bdd767c5/detection new2019.mine.nu webhoptest.webhop.info # Reference: https://www.virustotal.com/gui/file/141d48379222c0866a009713d0fd18d5ab6ceb5d98a93f63f2c9f1b9aea25f25/detection 192.236.194.169:4422 192.236.194.169:4455 31.13.79.17:4433 31.13.82.23:4433 mmksba.dyndns.org mmksba.simple-url.com # Reference: https://www.virustotal.com/gui/file/b7f8a55906d7246ab2b6222f10f38e33947aaa9d0e2a182688129386b11b0759/detection 176.58.72.195:4424 5.133.24.135:4424 mmksba100.linkpc.net # Reference: https://www.virustotal.com/gui/file/d4055047fcbc3424694d071ab30c96b696aa47353464e2a648627aaae5474493/detection 
103.136.43.131:1425 138.68.229.219:7744 159.65.75.168:7744 192.169.69.25:1425 192.169.69.25:7744 # Reference: https://www.virustotal.com/gui/file/929e7fdd01a604fa8070d752365af3651f6ac82fd90e4fd6eb8c7e10b1d0711f/detection 185.92.220.177:3030 sokomoko.duckdns.org xbacks.duckdns.org # Reference: https://www.virustotal.com/gui/file/2ab9443a1d793828f9adfe0736bb7a9b45cc6d968847b5f75fcce678af71424f/detection 192.69.169.25:1000 njhost.hopto.org todoaqui.duckdns.org # Reference: https://www.virustotal.com/gui/file/7aff993ed971c40aa483a334f5cb4c71e07278fb1a78d422c3d378bdb07360cd/detection 79.134.225.71:10001 thankyoulord.sytes.net # Reference: https://twitter.com/wwp96/status/1211677791822983170 # Reference: https://app.any.run/tasks/aa27eb28-6432-4e46-891f-4cc804ff29d3/ 37.120.145.184:9999 wshsoft.company # Reference: https://www.virustotal.com/gui/file/dc99eb7e9bc0d251c19893f5fade268b5bcc7f148a2b549edd555758a1eb080d/detection 193.161.193.99:35778 193.161.193.99:47195 blackid-35778.portmap.io blackid-47195.portmap.io # Reference: https://www.virustotal.com/gui/file/053f4d8ec5c79e12c0214a38475d2adf80eb66dd910b279bd8547996bbc1be02/detection vemvemserver.duckdns.org # Reference: https://www.virustotal.com/gui/file/bedc43be4177fb73172a6ca0a9520e096b567fbfdb0c549b5aa65b2135268d56/detection 216.38.8.175:2356 216.38.8.175:2357 doughnuthoney.com emisintl.com # Reference: https://www.virustotal.com/gui/file/192d31f001c6551081873a98a4d14575bab6003f143e916fb9b7eeef4273bbf8/detection 186.85.86.50:8210 socketw4.duckdns.org # Reference: https://www.virustotal.com/gui/file/a1215d5e03dbfce21bc1000f57e0ea955427bc3314471518b1771e4fbad53f67/detection 181.141.4.105:6363 microsuftplay656.duckdns.org # Reference: https://www.virustotal.com/gui/file/3f3989ddb1dd14df5b937cca78ec5e039e9cccad59e726c2196c758c2c5d0990/detection 185.165.153.14:4132 # Reference: https://www.virustotal.com/gui/file/ad3b52dccec40e7924bb59f320ae536e5eb2903456a284113bf9609ae2e582ab/detection 185.84.181.102:5478 
193.56.28.134:5478 # Reference: https://www.virustotal.com/gui/file/64af7d8a5d13fc5523f55eaef17a5ae8bdbe69f47c4d77a6fa2273d3d751ea28/detection 175.140.1.8:14337 175.144.118.127:14337 # Reference: https://www.virustotal.com/gui/file/93201744ed9d58b1cfdffe2404abd8b43571c32aa894d2250226ae9bfa180cd0/detection 216.38.8.175:2359 # Reference: https://www.virustotal.com/gui/file/a82079d073c6aa574c7bdaf6fbb4d92150b589ac7c64cbc879493d347adec691/detection 79.134.225.105:9213 # Reference: https://www.virustotal.com/gui/file/368fbed374ff8ddcfdb713ab32b74e58611f0e399a1fb550294c087bea54dc71/detection 92.38.86.175:1337 # Reference: https://www.virustotal.com/gui/file/20a9591cddd7876dca477f912f4af83e4a7f859bbb6f618dbc64576a8680df1f/detection 69.171.224.40:9094 79.134.225.72:4132 toustruksd.mywire.org # Reference: https://www.virustotal.com/gui/file/3c2596940559732bc88a38c163c70bf9f9a9d49fc065be8aa4bcef7a299418f2/detection plugnsrv2.duckdns.org # Reference: https://www.virustotal.com/gui/file/fea25a627fc28d92aea6a51b74d6b71ef9aae27fb9ca1f4041b262434423ee0a/detection 185.244.30.19:5000 # Reference: https://www.virustotal.com/gui/file/c229c614c9bd2b347fd24ad12e3c157c686eb86bc0a02df1c7080cf40b659e10/detection 194.5.98.46:4132 # Reference: https://www.virustotal.com/gui/url/76ac2d4c2a0552c632071f062bdaa4ea158b98b610305a35f51ffe5151964b5a/details 141.255.155.122:9988 wrk99.ddns.net # Reference: https://app.any.run/tasks/7492c122-a646-468c-9531-50d40a2da425/ updatewinrar.duckdns.org chance2019.ddns.net 185.165.153.165:1036 # Reference: https://app.any.run/tasks/90163f12-f649-4689-8e02-f8f0f036d0bb/ dhanaolaipallets.com 185.244.30.19:5000 # Reference: https://www.virustotal.com/gui/domain/dabadaba225.duckdns.org/relations 192.169.69.25:43300 dabadaba225.duckdns.org # Reference: https://www.virustotal.com/gui/file/14862182488371811658558c0024e78b6d81419b4f2bdb8628e2184ccd9ebfff/detection 213.152.162.154:3903 # Reference: https://www.virustotal.com/gui/ip-address/197.27.69.48/relations 
197.27.69.48:3010 # Reference: https://twitter.com/JAMESWT_MHT/status/1220027808791044096 # Reference: https://app.any.run/tasks/52b380ef-b29d-48fe-b63b-8160f4bec416/ 194.5.99.45:44300 deepweb212.duckdns.org # Reference: https://pastebin.com/0ZxSHAWi 192.169.69.25:44300 # Reference: https://www.virustotal.com/gui/file/581d0676872101e1eb9c3dab54da43eaf4bc70141ed1985e8c8018aea0418ed3/detection 192.169.69.22:8884 psnpsnpsn.duckdns.org # Reference: https://www.virustotal.com/gui/file/221c20f334ad19314517b53b997694a8dfacb6974137686079f6c54449fa35dd/detection 192.169.69.22:1922 # Reference: https://www.virustotal.com/gui/file/24f2322b8ee33c26bddbf7aa62a8835cfa1a6c5145ca26ba3441254d7dbd9d35/detection # Reference: https://www.virustotal.com/gui/file/f4f74c829121448d70bef413e6cd9c43f3de9084f03cf90656dcc0f1d5dce980/detection joker500.mywire.org # Reference: https://www.virustotal.com/gui/file/2550cd813fa1375087c78d715f182cb3b480254b741adaf442b1d9bdf479c4c4/detection jbarynhsn.duckdns.org # Reference: https://www.virustotal.com/gui/file/3acbad45d8730e3658b6cf926339f239953dd933190f75cf9bb3db81c299c0c7/detection 79.134.225.24:70 # Reference: https://www.virustotal.com/gui/file/e91e821c14a5fe33982952d83be3917515e720dc8d6e7e91bc91b504a2fe7d95/detection 152.245.176.96:70 152.246.206.5:70 79.134.225.20:70 # Reference: https://www.virustotal.com/gui/file/7c85327300dcf7266b90c49c46a31d36de4689229f3433757cc451ec803aaccb/detection 185.62.189.77:5000 # Reference: https://app.any.run/tasks/06046cbc-8a54-4bfe-8297-372cd60eeb3a/ 185.244.30.92:4587 # Reference: https://www.virustotal.com/gui/file/f0f425ab50a4839e3fcf9a69d944473ae37813e076aed3d6bc3b44ce8ae206b5/detection 95.233.69.34:1188 # Reference: https://www.virustotal.com/gui/file/e52ea99a66bcbed844d7ba2f439b59e45c2566e80dfa486f2392be4a38a0ee13/detection 79.35.43.177:81 # Reference: https://www.virustotal.com/gui/file/933b42479f92cc0682576621d139316a503e7217bb50fe0341405e8d6a60332d/detection 79.30.198.114:81 # Reference: 
https://www.virustotal.com/gui/file/77ba7bba82eabb82fd6d35ce24bf45150da2461cb0e6f794960b7ca0cb52e08e/detection 87.16.46.48:81 95.247.42.192:81 # Reference: https://www.virustotal.com/gui/file/9a73a75bfea3da19e4b3a9d0f92e611ad3c6fb2e17d92b927b89e4521d935b96/detection 79.33.46.247:81 # Reference: https://www.virustotal.com/gui/file/511c799d7b661092314c00b762f2e6726759d2bc699bcd8d16d2724610f2f290/detection 79.30.213.227:81 # Reference: https://app.any.run/tasks/83f88cce-cdf7-48d1-9915-4da55f6241a1/ sexylegs.ddns.net # Reference: http://benkow.cc/export_rat.php (Note: as seen on 2020-02-26 - filtered) anahowa.duckdns.org bellevie.duckdns.org ghanaandco.sytes.net loginsecure.mywire.org mouqgsud.duckdns.org ozill619.ddns.net shore.kozow.com ssss22.ddns.net sub2.qaysarpizzajo.xyz top2.alqaysarpizza.xyz total-virus.myq-see.com # Reference: https://app.any.run/tasks/e264efca-90d4-4c69-b86d-074e3f213ea5/ 185.244.30.92:3546 # Reference: https://www.virustotal.com/gui/domain/arseisa.no-ip.org/relations arseisa.no-ip.org # Reference: https://www.threatminer.org/sample.php?q=3020b84a6e350dd10ad070aa184209b5 ali2627.ddns.net # Reference: https://www.threatminer.org/sample.php?q=ce434374314444912254af88faa3c204 microsoftaccount.myvnc.com # Reference: https://www.threatminer.org/sample.php?q=d499243df4e1405b18fd411032bcdedb mimi06.zapto.org # Reference: https://www.threatminer.org/sample.php?q=75be7737707a3c6fbb732d6c3fa46c99 tatabatata.hopto.org # Reference: https://www.threatminer.org/sample.php?q=151e1983c54690c9d6972d91cb5f5011 xn8n8.sytes.net # Reference: https://www.threatminer.org/sample.php?q=68217e8092e97336f143489a6cf9804d 23df.myq-see.com # Reference: https://www.threatminer.org/sample.php?q=37d212a09a72bc79781b19311d061767 absiii.ddns.net absikwt.ddns.net absikwt88.ddns.net # Reference: https://www.threatminer.org/sample.php?q=2b664826552bf37b23f185e7675f310c avfucker.com # Reference: https://www.threatminer.org/sample.php?q=3c6b003e50a9c72ed12942afe897718d 
coobra.zapto.org # Reference: https://www.threatminer.org/sample.php?q=7415faef2d164505e450e181b6d69d0d ecu-sec.hacked.jp # Reference: https://www.threatminer.org/sample.php?q=bac1e4bc667f3a14e83a82a8f029bc9e hllll.no-ip.biz # Reference: https://www.threatminer.org/sample.php?q=26a8615022bac8666804fe2f1add8ba6 jrmodas.no-ip.org # Reference: https://www.threatminer.org/sample.php?q=2a2e7d3844f735687c8d8e8ad22112f4 kfr.sytes.net # Reference: https://www.threatminer.org/sample.php?q=c0df9b9539b2b9a36d38340c24bb1f6a ludvanjohnson.zapto.org # Reference: https://www.threatminer.org/sample.php?q=9bbbcfd508fbe11ba52e4f4b1ed40e49 mlkm33.no-ip.biz # Reference: https://www.threatminer.org/sample.php?q=1a82cbb7eb48319a6fe56ccaa4c1bba6 mzab47.myq-see.com # Reference: https://www.threatminer.org/sample.php?q=38c6a71f408395993540493a5e2d0067 profess3ional.no-ip.biz # Reference: https://www.threatminer.org/sample.php?q=209cc75973f0d896e078350eb404751a raouf-vbs.no-ip.biz # Reference: https://www.threatminer.org/sample.php?q=e6e7cd28c5f8a4fcf557d46d0efe9393 tcp.nightowldvr.com # Reference: https://www.threatminer.org/sample.php?q=cb4ab603c5d31677099bf54805b95d54 tdiod.zapto.org # Reference: https://www.threatminer.org/sample.php?q=9e55e00fd5e2420ad7b14adcf70f7e53 vipx.zapto.org # Reference: https://www.threatminer.org/sample.php?q=bec5d7e5df05bd02d6ba81aeb29407ce whisher.no-ip.org # Reference: https://www.threatminer.org/sample.php?q=171dabfb315dec64e52691e93c432300 winup.publicvm.com # Reference: https://www.threatminer.org/sample.php?q=e7b3ff4591a4c026bfdd9e42af03807c wiredmax.no-ip.org # Reference: https://www.virustotal.com/gui/file/db4fe7e43c19a1d17e4b7738c36b85ebfb5cc5d91db25ac5ac4b94af82a0b68a/detection 213.45.7.218:1188 sensual2020.ddns.net # Reference: https://www.virustotal.com/gui/file/38df912352f1d4e3e871261be13ad8eef44dcf2979e6603f6888c531111d3ede/detection 82.55.251.22:1188 # Reference: 
https://www.virustotal.com/gui/file/17e58d20dbd15ecbf1ac9a8482b2273581860abbcfd3d093cbbdcbefa0d2a158/detection 82.61.221.212:1188 # Reference: https://www.virustotal.com/gui/file/9097ae5f5d63fa5a74c67384bcc6fee14e046d0c21a18424edc479f16052e8eb/detection 192.121.247.97:1414 # Reference: https://www.virustotal.com/gui/file/7a556ed1083575a556b4bc3b4b7e35c4419367e5bb0bcf7285e7862343022ec8/detection 194.35.115.16:1414 # Reference: https://www.virustotal.com/gui/file/c7f5e679b44ff70d1f0cb302b0727744decd967fd0984e6b5d62bbe904cf6a8f/detection 194.35.115.43:1414 # Reference: https://www.virustotal.com/gui/file/98644e0e9ec41617fb8baea461bd7eec879e8504397a01a2098ffe53d3564b38/detection 102.69.4.170:1414 # Reference: https://www.virustotal.com/gui/file/4f5e28b7c22bfb6d9c5279b5be1d7b62ddca3c94c1350f19b0e7dce309504bb5/detection 102.69.2.129:1414 # Reference: https://www.virustotal.com/gui/file/d8fefc2f17dff156f575c36b7fc2ce84f4f1d55b3bb01d9e29965478ee51a6eb/detection 172.111.196.133:1414 # Reference: https://www.virustotal.com/gui/file/063efa057d9ba0e91f3f9ca461cf73ad96e3ab67718a1c71e8143f477d7460bd/detection 102.69.4.88:1414 # Reference: https://www.virustotal.com/gui/file/5406475d295f7cb80a87dc2858d2af48594714d65a3bec9da048753f4116ada7/detection 46.243.141.97:1414 # Reference: https://twitter.com/Bl4ng3l/status/1236946300463190017 # Reference: https://app.any.run/tasks/62f5c5aa-4a3d-483f-a737-d3a39c20f7fd/ 78.138.105.191:7504 pphndirmm.hopto.org # Reference: https://www.virustotal.com/gui/file/36a8d97504bb0437a0dfdb35fcb161b8169f4b77c3a75184e40c4f129f1a61d7/detection 196.234.188.115:3008 # Reference: https://www.virustotal.com/gui/file/0d9cbd75a3a1f154b2cee4efe4bd6bf1ab00340f45289113ce6ab00fdd69cf27/detection 196.234.207.160:3008 # Reference: https://twitter.com/malwrhunterteam/status/1238790854514532353 # Reference: https://www.virustotal.com/gui/ip-address/181.141.13.108/relations 181.141.13.108:1900 marzo132020.duckdns.org marzo42020.duckdns.org # Reference: 
https://www.virustotal.com/gui/file/526bc4ebea1c78d540ffb273a477ede65d2e97fb2af35b7cea80d9de0ce13890/detection 149.200.190.218:190 # Reference: https://www.virustotal.com/gui/file/99b0705fb9c26482904efbb35507d9d6eed783414a9f85a03ebe169839fb2800/detection # Reference: https://www.virustotal.com/gui/file/6f78d9ae6a2bed1789868849bd7cef8503973785193c8c3a20173104017b0057/detection 149.200.189.60:190 # Reference: https://www.virustotal.com/gui/file/570b6d49bb0667b868293bc432fe325f46237e1f8249d3756561a062986359df/detection 91.109.176.5:190 # Reference: https://www.virustotal.com/gui/file/cfb3b7886160198eb36879727e9c5a142f733af13acd65e3680e190f0dcdcefa/detection 188.247.73.175:190 # Reference: https://www.virustotal.com/gui/file/05910bef557bb3f0acbc198ae78017011c75349f45bac028f51d329436259279/detection 217.138.215.125:190 # Reference: https://www.virustotal.com/gui/url/609b9405352293863e2f41d5648a1861f4455f388e85e31d71b5ec60ab7989d4/details 185.19.85.155:9045 # Reference: https://www.virustotal.com/gui/file/2da8f420290e7068297d77c15aed0327eed74380cdc68e8990e2add41654bc57/detection igfx.ddns.net # Reference: https://www.virustotal.com/gui/file/27b749b33e052473fdd1045493b0eeca34a4b8a5e2863f2e838e561d60088880/detection 185.165.153.228:2014 kimjoy007.dyndns.org # Reference: https://app.any.run/tasks/4b73163e-c948-43ce-ac2d-a2df4bddbab7/ 192.169.69.25:8000 # Reference: https://www.virustotal.com/gui/file/f12113dfd58eebfc534a60d5b4d095f9bd6e1c4631fc2e15fa74e6b769dda6c0/detection 193.26.21.80:4025 # Reference: https://twitter.com/Racco42/status/1243523523013992448 # Reference: https://app.any.run/tasks/238a152a-5bb6-40a5-937a-e7b472957dee/ 102.141.212.9:2003 2003wsh.ddns.net # Reference: https://www.virustotal.com/gui/file/f26944ff49e0437533df291a1ce454631cbb77eae51e0757e2ca4393aeaed70b/detection 156.223.86.230:4000 # Reference: https://www.virustotal.com/gui/domain/uty2.no-ip.org/relations 204.95.99.86:5510 # Reference: https://twitter.com/0xCARNAGE/status/1246422142427770881 # 
Reference: https://app.any.run/tasks/a25d886d-bec7-43d4-9015-302f051844de/ 192.169.69.25:8899 # Reference: https://www.virustotal.com/gui/file/51fba0dc5149e23b697d955c63feaec88cad72d77b97a02ec559ac8057edb569/detection 204.95.99.26:22 boss21121.no-ip.org # Reference: https://bazaar.abuse.ch/sample/b8ac5893e69e9e99d02d7498c2a68ae4b44dcb025ec2886e46f0d1703ad93db9 185.62.58.109:2208 musicport.duckdns.org # Reference: https://twitter.com/FaLconIntel/status/1255665102264528898 # Reference: https://app.any.run/tasks/3f461626-f5e7-4a6c-8b5b-f517bb5619e2/ # Reference: https://www.virustotal.com/gui/file/a609076b02f19b4dd1ce2b365cdfacd2bb89042fbede90b698a5a1f9003138b4/detection # Reference: https://www.virustotal.com/gui/file/053721878d63edba7b43ea65c0fe11e6fdbdd969376d34a107d689609b47035f/detection 188.76.111.85:21125 191.101.124.8:21125 217.216.90.29:21125 # Reference: https://twitter.com/James_inthe_box/status/1257624020490436610 79.134.225.80:7060 # Reference: https://twitter.com/ActorExpose/status/1257617349286510593 # Reference: https://www.virustotal.com/gui/domain/dsaety.hopto.org/relations # Reference: https://app.any.run/tasks/061c2039-0a08-48e6-bf99-f6c040586aa1/ 79.134.225.80:807 dsaety.hopto.org # Reference: https://twitter.com/JAMESWT_MHT/status/1263801108444712967 # Reference: https://app.any.run/tasks/78c84285-5569-43bc-916a-8e2fa61010d2/ suka-mht.duckdns.org # Reference: https://www.virustotal.com/gui/file/1e09e5b0f0a2b92dd508bd1b9a3d2094b16076e879e74a8e137ef92b10b0f7fa/detection 37.106.167.17:4343 94.99.52.125:4343 94.97.34.100:4343 # Reference: https://www.virustotal.com/gui/file/7e892538f59ed8025147b3a1c333ef39b9633b71dcccbd939157ed9ba7869032/detection 154.66.19.253:4191 ghostwsh4191.ddns.net # Reference: https://www.virustotal.com/gui/file/20313c395789a155d8bc37d3ec617bd6641724e540246c088061c7ad06b6ec67/detection # NOTE(review): the two addresses that follow, like 69.63.176.59, 31.13.65.17 and 66.220.149.18 elsewhere in this list, appear to fall in Facebook/Meta-announced address space rather than attacker-run hosting (verify against current WHOIS/BGP data); presumably they are what a dynamic-DNS name resolved to when the sample was analysed, so triage a hit on the ip:port pair together with the referenced sample, not on the IP alone. 31.13.76.16:7800 69.63.181.12:7800 # Reference:
https://www.virustotal.com/gui/file/24ecc1a35f077c65e1fcc1a127ff3e6727808c2791fda3a0711a895bb450f9b2/detection 188.52.123.43:7800 # Reference: https://www.virustotal.com/gui/file/c67648c0016e1d66ec344ff329a3ab288ffca75034869e8606c736eb7d07dd8a/detection 188.52.27.9:7800 # Reference: https://www.virustotal.com/gui/file/0d6754f45501de6dd8f63917c09ab884691475a1e7da6f4c7458d578cc940544/detection 69.63.176.59:7800 # Reference: https://app.any.run/tasks/9c5d42c7-c22e-4070-b1cf-5a3bad6ffbc8/ 84.38.134.21:6696 # Reference: https://www.virustotal.com/gui/file/2cc18a9def3d2f33ebfc7d6ec9e49fbf69259014376098842e378ca4376ff6f7/detection 185.22.32.53:1987 life698.ddns.net # Reference: https://www.virustotal.com/gui/file/aa85a5f32b8f57f2714edfd8f18d7c6f8e0031667997dcb3e920515952658a50/detection 185.97.93.0:1987 # Reference: https://www.virustotal.com/gui/file/70c1dde88e26977f33048b549468d847c34e22e592c62d040564d7cf59a69446/detection 195.33.241.242:6464 # Reference: https://www.virustotal.com/gui/file/652d991541bd96a23dfed6e96460222796718b226ab932036ece3777f5035353/detection 194.5.98.191:3021 rwsh.duckdns.org # Reference: https://app.any.run/tasks/024b86d5-6f92-43d4-9b36-1aa7c213c461/ 185.244.30.3:47580 microsoftnetframework4820190418.duckdns.org # Reference: https://www.virustotal.com/gui/file/7ece6173931237b004f4d24c8bd5ff5808a310f35fd6e630d04272f1e1f4c30e/detection 185.244.30.27:4521 # Reference: https://www.virustotal.com/gui/file/e871009c75f8bd31875c40d541d0364ae26ce07840bdec5eb6c21016fa491822/detection 196.68.159.250:85 migatol.myq-see.com # Reference: https://www.virustotal.com/gui/file/a4587f4d355ab9205cdf10d26db5080f4c59b07aeb6af5b79dac2e88eec5f174/detection 105.159.99.251:85 # Reference: https://www.virustotal.com/gui/file/f7bdbe29f5a2dfbc57bb87466b012af8baa98159218280a66bdf0f6c938ecd6d/detection # Reference: https://www.virustotal.com/gui/file/378e0087d858c175bb95b1a08ced7dfa556793fd37ce8cc94ebf2acbca4fa513/detection 160.179.168.197:1981 160.179.168.197:85 # Reference: 
https://www.virustotal.com/gui/file/fdd949fdb65732453e4b329606f34bdb177f8407c40c96f17a03e6b6f8acff83/detection 105.131.160.44:85 # Reference: https://www.virustotal.com/gui/file/6ba34249975b968ff26779a4b561413d8c044975b8f5f99d8829ae3be2ca5bda/detection 196.75.182.209:85 # Reference: https://www.virustotal.com/gui/file/be113396177388c07f95180ba097eab29d30d44c18914ca969fb78259ddc629d/detection 41.224.113.186:9988 # Misc (incidents) tablet.system-ns.net # Reference: https://twitter.com/Racco42/status/1301120815421968386 # Reference: https://app.any.run/tasks/24992ec2-23f5-4ca4-bd10-4aa588131bde/ 185.244.30.22:8899 # Reference: https://www.virustotal.com/gui/file/ed957c2024e104cecdc42223f57b6be5f55cc42a50b17bcafd6a019f7f1258ab/detection # Reference: https://www.virustotal.com/gui/file/29dd5e402c0749c0b6b3cf5d88908309b124d2d47aec2f7ef9a2b28bbfbd916a/detection # Reference: https://www.virustotal.com/gui/file/83200d64a920af3351f315a0c51b854e287917b94579eb4d455c7c1ab945ab0e/detection 129.174.188.113:11069 129.174.188.155:11069 193.218.118.190:16039 194.9.70.179:16039 31.13.65.17:16039 51.254.56.13:16039 66.220.149.18:16039 niogem1171.3utilities.com niogem1171.bounceme.net niogem1171.ddns.net niogem1171.ddnsking.com niogem1171.freedynamicdns.net niogem1171.freedynamicdns.org niogem1171.gotdns.ch niogem1171.hopto.org niogem1171.myftp.biz niogem1171.myftp.org niogem1171.myvnc.com niogem1171.onthewifi.com niogem1171.redirectme.net niogem1171.servebeer.com niogem1171.serveblog.net niogem1171.servecounterstrike.com niogem1171.serveftp.com niogem1171.servegame.com niogem1171.servehalflife.com niogem1171.servehttp.com niogem1171.serveirc.com niogem1171.serveminecraft.net niogem1171.servemp3.com niogem1171.servepics.com niogem1171.servequake.com niogem1171.sytes.net niogem1171.viewdns.net niogem1171.webhop.me niogem1171.zapto.org rinot972.3utilities.com rinot972.bounceme.net rinot972.ddns.net rinot972.ddnsking.com rinot972.freedynamicdns.net rinot972.freedynamicdns.org 
rinot972.gotdns.ch # Reference: https://www.virustotal.com/gui/file/331a71820d68e3cf3ada7f655a3ac6996a3e234e77d5f40a628ee998894495fd/detection gitanes82.zapto.org # Reference: https://www.virustotal.com/gui/file/ec953dd723a474294f5e19a05bc9e89fd0bdeb13c7d9c5149a3d65c032b37a08/detection 23.239.31.129:8001 strserver1.duckdns.org # Reference: https://www.virustotal.com/gui/file/b3857d5bfbd6ec70f7a05de0e5b3432b8b0327d7c9da4eeeed25410805d613a5/detection 197.211.61.172:2003 # Reference: https://www.virustotal.com/gui/file/9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e/detection 147.135.191.81:5005 147.135.191.81:5040 147.135.191.81:5070 donphilongz.org # Reference: https://www.virustotal.com/gui/file/1f7e9c6aed2b8cb929e3677818bd2b72142254e17f79007f984bb1b8472d99c8/detection 87.98.152.254:1196 jrandjcpa.org # Reference: https://www.virustotal.com/gui/file/7434e1d301e428fef2c5d8d624fc823112cf6a2c093087bc4c2331886dd228b0/detection 104.194.220.63:2003 104.194.220.63:2004 2004para.ddns.net # Reference: https://www.virustotal.com/gui/file/14d0d94d31663eee9e5dfd2755680f67c042ddbad81f076da2aeabb1306cfa15/detection 185.202.173.218:1777 # Reference: https://www.virustotal.com/gui/file/0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d/detection blackid-43205.portmap.io # Reference: https://twitter.com/Racco42/status/1315764795023515648 # Reference: https://app.any.run/tasks/f76cb393-c9b7-4965-b69e-19c8b9b85c2e/ 3.83.110.207:3410 79.134.225.73:6670 mparrain10.duckdns.org # Reference: https://twitter.com/Racco42/status/1316999916888227841 # Reference: https://app.any.run/tasks/f1421938-0553-4d85-aefe-7ba5dabbfecf/ 185.165.153.140:1608 miracle.hopto.org # Reference: https://www.virustotal.com/gui/file/fb7b9f4f9ea8a4678a154090f1d922cc0b8ae5c049276a529201235767c99d31/detection 2.50.98.178:1155 # Reference: https://twitter.com/abuse_ch/status/1332589889989324800 # Reference: 
https://bazaar.abuse.ch/sample/75fc8c0d30fd0d486fe39cb39b5ebfc4f2858a65dcdde6c23c6ce70310030958/ 148.72.153.208:1312 # Reference: https://app.any.run/tasks/e27b1f90-3f16-4b60-b2ad-8a97b9dd2294/ 197.15.26.125:1177 elbouma.hopto.org # Reference: https://www.virustotal.com/gui/file/daecfd8bf6f156e830af21deb87484af9cb2baef64fd232b0984aef22672652f/detection 197.204.16.193:99 197.207.32.40:99 204.95.99.154:99 school-pc.sytes.net # Reference: https://www.virustotal.com/gui/file/8ac2c16c1460b87563f189cb37256625e3e595dfb1a2f5ace4e79ed7d31d8388/detection hslh.sytes.net # Generic trails (the entries below appear to be HTTP request-path patterns rather than hosts; because short strings such as /is-ready or /is-logs are not tied to any one server, corroborate a hit with the destination host before escalating) /give-me-chpv /give-me-ffpv /i_am_ready /is-bekle /is-cmd-shell /is-enum-driver /is-enum-faf /is-enum-path /is-enum-process /is-logs /is-processes /is-ready /is-readyrecordid /is-recving /is-rinoy /is-rlsartg /is-sending /is-sxtyuig /im-azerty /send-to-me| /Try-Connect /update-status|