# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: dinihou, duhini, hworm, h-worm, wshrat # Reference: https://twitter.com/DissectMalware/status/986467663353442305 pm2bitcoin.com # Reference: https://twitter.com/Racco42/status/1047173279553900551 toheeb.publicvm.com # Reference: https://twitter.com/Racco42/status/1044562743519584257 185.141.27.177:4123 # Reference: https://twitter.com/Racco42/status/1040353263579738113 # Reference: https://app.any.run/tasks/f6eca300-7137-4e88-bd28-7f9a507a17d3/ 46.243.189.128:6969 # Reference: https://twitter.com/Racco42/status/1053747018835869696 fud.fudcrypt.com # Reference: https://twitter.com/Racco42/status/1102879193631731713 185.198.26.245:3843 # Reference: https://twitter.com/Racco42/status/1110868159492489216 brothersjoy.nl newmenow.duckdns.org # Reference: https://twitter.com/James_inthe_box/status/1016808667692204032 windefendeupdate.duckdns.org # Reference: https://twitter.com/Jan0fficial/status/1009009607988187137 # Reference: https://pastebin.com/MxR1p5wG stanman.linkpc.net # Reference: https://twitter.com/avman1995/status/963273945955864577 ines0049.ddns.net # Reference: https://www.securityartwork.es/2019/01/25/wirte-group-attacking-the-middle-east/ 149.28.14.103:535 # Reference: https://twitter.com/pmelson/status/1119756002503606272 updatesystem.linkpc.net # Reference: https://twitter.com/Racco42/status/1120981890947854336 185.101.94.172:3018 # Reference: https://twitter.com/Racco42/status/1121350734350413824 # Reference: https://www.virustotal.com/en/file/5efd79ed3058f656b6df2164a37f86e80978d8ebb5f8d5222be03decb03fc28b/analysis/1556133044/ 194.187.249.104:7777 # Reference: https://twitter.com/chen_erlich/status/1121406324884086787 # Reference: https://www.hybrid-analysis.com/sample/4ff921531d9cb5c21b3ee081a5fd1c52d12690332dd1ea1608230b8de918ac09 105.105.218.193:4433 # Reference: https://twitter.com/chen_erlich/status/1121406324884086787 # Reference: https://www.virustotal.com/gui/file/b2dc457d16afa43c943b31021052b939d58aedfcdf2fad8e25e5b96edc71d180/detection updatefacebook.ddns.net 197.162.66.49:2 # Reference: https://twitter.com/chen_erlich/status/1121406324884086787 # Reference: https://www.virustotal.com/gui/file/61c96cdb88877b3c737a1022bb6355e8489d2cc2019ecbcc15be978186552174/detection 23.227.201.158:3047 # Reference: https://www.hybrid-analysis.com/sample/442fe9bb6820ba79ca48429df8e5a01e991302be2a0d45a35c99c5d006a1d64a office-update.services 104.24.112.139:2082 # Reference: https://twitter.com/JAMESWT_MHT/status/1130449106663616513 savelifes.tech # Reference: https://twitter.com/James_inthe_box/status/1138092566820212737 doughnut-snack.live mynameisstaff.warzonedns.com # Reference: https://twitter.com/luc4m/status/1138430833533104128 unknownsoft.duckdns.org # Reference: https://twitter.com/Racco42/status/1139458016611356672 sirkashmoremoney.duckdns.org # Reference: https://twitter.com/Racco42/status/1139461501113311232 chance2019.ddns.net # Reference: https://twitter.com/HONKONE_K/status/1141181986523844612 bylgay.hopto.org microsoftoutlook.duckdns.org soucdtevoceumcuzao.duckdns.org # Reference: https://twitter.com/Bank_Security/status/1141388470293655552 # Reference: https://pastebin.com/P4h3NHJE tcoolsoul.com # Reference: https://twitter.com/Racco42/status/1143054336563564544 # Reference: https://twitter.com/dvk01uk/status/1143027551151042560 # Reference: https://app.any.run/tasks/b6ac016b-3439-4710-9942-e1645343a261/ microsoft.btc-crypto-rewards.cash 160.202.163.246:9966 185.247.228.14:7755 # Reference: https://twitter.com/coderippers/status/1154003951152484352 9d1.myq-see.com mzu.publicvm.com # Reference: https://twitter.com/Timele9527/status/1159673642332016640 mmksba.dyndns.org 64.188.25.230:4455 # Reference: https://twitter.com/smica83/status/1166275236741955585 dbin240.ddns.net # Reference: https://twitter.com/luc4m/status/1166765980489584640 91.132.139.181:9999 # Reference: https://twitter.com/wwp96/status/1171069954881392641 # Reference: https://app.any.run/tasks/d3b840d6-520a-4529-a561-b2ce8c05b432/ 79.134.225.72:1104 165.22.129.173:7756 ablerightventures.duckdns.org pluginsrv1.duckdns.org # Reference: https://twitter.com/Paladin3161/status/1172178725959397378 plunder.nsupdate.info # Reference: https://twitter.com/malware_traffic/status/1172610957929062410 81.92.202.176:5200 tain0077.warzonesdns.com # Reference: https://twitter.com/KorbenD_Intel/status/1133469852579106816 pleasurekeys.hopto.org suzuki-dc.biz unknownsoft.duckdns.org # Reference: https://www.virustotal.com/gui/domain/dz47.cf/relations dz47.cf # Reference: https://www.threatcrowd.org/listMalware.php?antivirus=Worm.VBS.Dinihou 4ever4.zapto.org 999mostafa999.no-ip.org 999mostafa999.sytes.net aboodzainuddin.ddns.net adda.no-ip.org adolf2013.sytes.net alfhaddd-hakr.no-ip.biz anarqe77.no-ip.biz anassrojola.ddnsking.com androidupdate.myq-see.com avg-antivirus.zapto.org blackr00t5.no-ip.org blkisdz.ddns.net bog5151.zapto.org bogus911.no.ip.biz bogus911.no-ip.biz brigittenetwork.hopto.org chrome00.sytes.com chuckey1.no-ip.org cupidon.zapto.org desermyth.dyndns.org devil.hopto.org diiimaria.zapto.org dmar123.no-ip.biz dodaaa.zapto.org dz-drs.no-ip.biz dz47.myq-see.com elisou19.ddns.net eroor.ddns.net exxilero.ddns.net ffff99fff.no-ip.biz gerssy.zapto.org google-1.linkpc.net google00.ddns.net google7.no-ip.org greekwebtv.viewdns.net h-w0rm.zapto.org hadizz.no-ip.biz haydar93.no-ip.biz helps.zapto.org introworld.no-ip.org introworld.zapto.org iphack.no-ip.info j2w2d.no-ip.biz jaberlovee.ddns.net jhk.no-ip.org khalode4me.no-ip.biz killer---204.no-ip.biz king25.zapto.org kiyoma200.no-ip.biz klonkino.no-ip.org kusaisouf.no-ip.org lastdance.ddns.net lolokamal.zapto.org maxxx12.serveftp.org maxy.no-ip.info mda.no-ip.org memo8.no-ip.org memo9.no-ip.org mesopotemia222.zapto.org microsoftsystem.sytes.net microsoftwindows.sytes.net migalou2012.no-ip.biz mlcrosoft.serveftp.com monas04.no-ip.info mootje01.no-ip.org mrkiller.no-ip.org nouna1985.no-ip.org pilo-raouf.no-ip.biz pscho546.hopto.org qqwe.hopto.org qwqhack.no-ip.biz redex.no-ip.info righi.linkpc.net rndaso.no-ip.info romyo333.sytes.net ronaldo-123.no-ip.biz s-mz.sytes.net saifnjrat55.no-ip.biz sexcam.3utilities.com shawaf.sytes.net sidisalim.myvnc.com smoky29902332.hopto.org swanox.no-ip.org tariqalr.zapto.org terminator9.zapto.org twiti2390.no-ip.biz vpn-hacker.no-ip.biz waforex2011.no-ip.info winup.serveftp.com wkooora.sytes.net wvvw.sytes.net x.dvr-ddns.com yah00.sytes.net ycemufkk6g.bounceme.net youcef142.no-ip.biz ysf.no-ip.biz # Reference: https://www.securityhome.eu/malware/malware.php?mal_id=51549698551bff97f583c51.51712090 abdnjworm.no-ip.biz abocasse.zapto.org ahmedghost.no-ip.info b-trese.no-ip.biz boucraa.no-ip.org dd.no-ip.bz debili1.no-ip.biz fuck-all.no-ip.info hackers1990.no-ip.org heartbraker.no-ip.biz jnyn-99.no-ip.org mda.no-ip.org mmrick.zapto.org mntm.no-ip.biz mootje01.no-ip.org mozaya46415.zapto.org rouge166821.no-ip.biz vanonymous.no-ip.org vichtorio-israeli.zapto.org zkzak.np-ip.biz # Reference: http://ddos-info.weebly.com/blog/h-worm-plus-public-in-depth-analysis adamdam.zapto.org adolf2013.sytes.net ahmad212.no-ip.biz alii007.zapto.org am1.no-ip.info ballgogo.no-ip.biz basss.no-ip.info bg1337.zapto.org bog5151.zapto.org dataday3.no-ip.org docteuur13.no-ip.org doda.redirectme.net dzhacker15.no-ip.org g00gle.sytes.net gerssy.zapto.org googlechrome.servegame.com hackediraq.no-ip.biz hackeralbasrah.no-ip.biz hattouma12.no-ip.biz hmode123.no-ip.biz karimstar.zapto.org kiyoma200.no-ip.biz koko.myftp.org mda.no-ip.org medolife.no-ip.biz microsoftsystem.sytes.net mootje01.no-ip.org msgbox.zapto.org new-hacker.no-ip.org njnj.redirectme.net no99.zapto.org noooot.no-ip.biz pess-123.zapto.org pess-12.zapto.org portipv6.redirectme.net ronaldo-123.no-ip.biz sawdz.no-ip.biz securityfocus.bounceme.net shagagy21.no-ip.biz sidisalim.myvnc.com silent9.zapto.org terminator9.zapto.org vpn-hacker.no-ip.biz xbox720.zapto.org xkiller.no-ip.info yahia17.no-ip.org zeusback.no-ip.biz zoia.no-ip.org # Reference: http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Jenxcus#tab=2 # Reference: http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Worm:VBS/Jenxcus#tab=2 a.servecounterstrike.com eqe.sytes.net jnj.redirectme.net winlogon.servecounterstrike.com 3dmntk.no-ip.biz 999mostafa999.no-ip.biz 9d1.no-ip.org a.servecounterstrike.com abanas19.no-ip.biz abdo1abdo.no-ip.biz adolf2013.sytes.net ahmad909.no-ip.biz ajeeb.zapto.org ali2010.no-ip.biz aljabiry1.no-ip.biz alnazee.no-ip.org alnazee.no-ip.org alsha2e.zapto.org amere-ali.no-ip.biz aore.no-ip.org asmarany.no-ip.biz asmarany.np-ip.biz aymen112233.no-ip.org bifrost-jordan.zapto.org big-hack.no-ip.com blackhawk.myftp.biz cggfhddsscds.no-ip.biz cxxz.no-ip.biz damla.no-ip.org dhuaa.no-ip.org dnsip.servehttp.com doopy99.zapto.org fadliking.sytes.net fons.no-ip.info frostate.no-ip.biz ghoster13.no-ip.biz gmail2013.no-ip.info hackeralbasrah.no-ip.biz haedar.no-ip.biz hanan96.no-ip.bizport iraqi2013.servemp3.com jn.redirectme.net klagord.no-ip.org kurd2013.no-ip.biz localh0st.servehttp.com loll1.no-ip.biz m4b.no-ip.org mda.no-ip.org microsoftsystem.sytes.net milito.no-ip.org mohez.no-ip.org msy.myvnc.com naza.no-ip.biz new-hacker.no-ip.org oscar-bif.zapto.org portipv6.redirectme.net pthacker.no-ip.org ramadan.zapto.org sdgsg.no-ip.biz shawaf.sytes.net shee5iq.no-ip.biz shee5iq.no-p.biz sro7.no-ip.info systemsxp.sytes.net theghostholako.no-ip.org thescorpionking.no-ip.org utilesat.zapto.org uty.myq-see.com wahidhackerdz.no-ip.biz xkiller.no-ip.info xmx.no-ip.info xxsc.no-ip.org xxxxxx.no-ip.biz yahoomail.3utilities.com zilol.no-ip.org # Reference: https://twitter.com/Racco42/status/1174605204353949697 # Reference: https://app.any.run/tasks/27a475ac-c113-49be-b947-f580662600e4/ 91.132.139.181:9999 # Reference: https://twitter.com/Littl3field/status/1174624023709454336 178.124.140.148:3571 # Reference: https://www.menlosecurity.com/hubfs/pdfs/Menlo_Houdini_Report%20WEB_R.pdf dz47.servehttp.com maroco.linkpc.net maroco.myq-see.com maroco.redirectme.net # Reference: https://twitter.com/pmelson/status/1175928909264838660 185.251.38.91:5555 # Reference: https://twitter.com/dvk01uk/status/1176483058058440705 # Reference: https://app.any.run/tasks/62990e45-e920-48b0-a3b3-9ce2e83f99dc/ 192.169.69.25:7757 79.134.225.100:2813 2813.noip.me # Reference: https://twitter.com/Racco42/status/1178932126588297217 45.79.41.137:2344 # Reference: http://blog.morphisec.com/hworm-houdini-aka-njrat chroms.linkpc.net finix5.hopto.org finixalg11.ddns.net salh.linkpc.net # Reference: https://twitter.com/fletchsec/status/1179891198615531521 # Reference: https://www.hybrid-analysis.com/sample/a1da7465c3893cb30408820ee821210c0c1c008dcfde0af167f33e9db61975a2/5d965b610288389582043002 186.85.86.96:1235 nfiefbwihf48h9wun3foisnc98ehfb9uwfu.duckdns.org # Referencce: https://twitter.com/Racco42/status/1131130800630579200 admin1960.linkpc.net savelifes.tech # Reference: https://twitter.com/Racco42/status/1111615130272444416 181.52.113.177:8105 socketw3.duckdns.org # Reference: https://twitter.com/James_inthe_box/status/1092764605766483969 194.5.99.53:5732 # Reference: https://twitter.com/luc4m/status/1092483141619601408 easyresa.ddns.net shkis.publicvm.com # Reference: https://twitter.com/luc4m/status/1073257560625569792 goz.unknowncrypter.com # Reference: https://twitter.com/Racco42/status/1064880890277494785 185.141.27.177:6544 # Reference: https://twitter.com/DissectMalware/status/1008387935199260672 suport.ddns.net # Reference: https://twitter.com/DissectMalware/status/986467663353442305 # Reference: https://www.hybrid-analysis.com/sample/f0a1aeaf2a6f3c6098696d3802675097072459b89213177f1e4f1494a67c250a 185.209.85.177:5000 # Reference: https://twitter.com/Racco42/status/1017007079813451778 tune.tym-internationals.com # Reference: https://twitter.com/Racco42/status/995955505221730304 ihsann.casacam.net # Reference: https://app.any.run/tasks/505c6e4c-723b-46b0-8917-c200c65817ea/ 181.215.247.18:3339 185.198.59.114:5000 # Reference: https://twitter.com/Racco42/status/982731639301267459 lordsdoing2017.ddns.net # Reference: https://github.com/silence-is-best/c2db#dunihi 192.186.145.93:8885 # Reference: https://github.com/silence-is-best/c2db#houdini-aka-vjworm-vjw0rm jihanenouhaila.ddns.net # Reference: https://twitter.com/Racco42/status/1183666041706168321 194.5.98.216:10122 # Reference: https://twitter.com/JAMESWT_MHT/status/1185131622263377923 # Reference: https://app.any.run/tasks/b79dcfcd-5b9b-404f-aaf6-a9ea55109284/ 186.147.55.19:5473 186.147.55.19:8371 186.147.55.19:8372 192.169.69.25:8370 mozillamaintenanceservice.duckdns.org papeleradereciclaje.duckdns.org seguridaddewindows.duckdns.org # Reference: https://app.any.run/tasks/1bd816aa-3764-480e-ba70-b57b36551bc7 # Reference: https://www.virustotal.com/gui/ip-address/213.208.152.217/relations nascoman.ddnsgeek.com 213.208.152.217:14337 60.50.181.240:14337 # Reference: https://www.virustotal.com/gui/ip-address/79.134.225.80/relations 79.134.225.80:7776 # Reference: https://pastebin.com/29uSdMAk 185.165.153.172:3642 homi.doomdns.org # Reference: https://twitter.com/wwp96/status/1193987577323360256 # Reference: https://app.any.run/tasks/dc2b37db-6f22-4d4c-b13e-ae863ddc9004/ 185.165.153.45:2014 # Reference: https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated/ # Reference: https://otx.alienvault.com/pulse/5dcad67ae098a56db0a277d5 # Reference: https://www.virustotal.com/gui/file/d55d5b0c6f41cc6a86764a07715a1a38f2fddda9b90ec641d902be8946939d14/detection # Reference: https://www.virustotal.com/gui/ip-address/185.84.181.102/relations # Reference: https://www.virustotal.com/gui/ip-address/193.56.28.179/relations 185.165.153.14:4132 185.84.181.102:5478 193.56.28.134:5478 07actnewdocreview.servebeer.com 247accountreview.hopto.org 2d0low.warzonedns.com acountfordocreview.redirectme.net alertnewdoc.3utilities.com aloc21.ddns.net alphazone12.bounceme.net britianica.uk.com cboss33.hopto.org glotin.zapto.org hazaz12.hopto.org info1.nowddns.com kartelicemoney.duckdns.org newdocreviewonline.3utilities.com omada91.ddns.net ubadaddy.ddns.net zamza.hopto.org # Reference: https://twitter.com/Racco42/status/1194915765755031554 185.29.10.15:7777 # Reference: https://mp.weixin.qq.com/s/lUtXwWjPVMHXfR6oLnXYhQ # Reference: https://otx.alienvault.com/pulse/5dd27af757b18947b0544345 # Reference: https://ti.qianxin.com/blog/articles/anatomy-of-moonLight-attack-on-the-middle-east/ 192.119.111.4:4521 192.119.111.4:4587 # Reference: https://twitter.com/cyber__sloth/status/1197120949755219968 microsoftntdll.sytes.net # Reference: https://twitter.com/JayTHL/status/1199347277510270977 188.76.111.76:21125 # Reference: https://www.virustotal.com/gui/file/ca4299f39f28700d8e667451f756fb9637403bb2051d916e90378afe15ff3a57/detection 188.76.111.76:21926 # Reference: https://www.virustotal.com/gui/file/ed7e46b0cf27b8f728cdd71a7c4ae98afde8d2e63f0817eb322c8e77bdd767c5/detection new2019.mine.nu webhoptest.webhop.info # Reference: https://www.virustotal.com/gui/file/141d48379222c0866a009713d0fd18d5ab6ceb5d98a93f63f2c9f1b9aea25f25/detection 192.236.194.169:4422 192.236.194.169:4455 31.13.79.17:4433 31.13.82.23:4433 mmksba.dyndns.org mmksba.simple-url.com # Reference: https://www.virustotal.com/gui/file/b7f8a55906d7246ab2b6222f10f38e33947aaa9d0e2a182688129386b11b0759/detection 176.58.72.195:4424 5.133.24.135:4424 mmksba100.linkpc.net # Reference: https://www.virustotal.com/gui/file/d4055047fcbc3424694d071ab30c96b696aa47353464e2a648627aaae5474493/detection 103.136.43.131:1425 138.68.229.219:7744 159.65.75.168:7744 192.169.69.25:1425 192.169.69.25:7744 # Reference: https://www.virustotal.com/gui/file/929e7fdd01a604fa8070d752365af3651f6ac82fd90e4fd6eb8c7e10b1d0711f/detection 185.92.220.177:3030 sokomoko.duckdns.org xbacks.duckdns.org # Reference: https://www.virustotal.com/gui/file/2ab9443a1d793828f9adfe0736bb7a9b45cc6d968847b5f75fcce678af71424f/detection 192.69.169.25:1000 njhost.hopto.org todoaqui.duckdns.org # Generic trails /give-me-chpv /is-cmd-shell /is-enum-driver /is-enum-faf /is-enum-path /is-enum-process /is-logs /is-processes /is-ready /is-recving /is-rinoy /is-rlsartg /is-sending /is-sxtyuig