# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: Yellow Cockatoo RAT, Polazert, solarmarker

# Reference: https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf
# Reference: https://redcanary.com/blog/yellow-cockatoo/
# Reference: https://otx.alienvault.com/pulse/5faf00679c90b876019cc653
# Reference: https://otx.alienvault.com/pulse/5fcab7a1accb28c015a5717d

blackl1vesmatter.org
gogohid.com
mixblazerteam.com
spacetruck.biz
vincentolife.com

# Reference: https://www.virustotal.com/gui/file/dbba731937d435681ed98af6e42ab52d53af4f9ebe8db955a2b4b9ab63b4b06c/detection

http://5.254.118.226

# Reference: https://www.virustotal.com/gui/file/38508585ab7911fa8c6475b14086e11db6e829c541b392634bcc921ae6cdda35/detection

http://216.230.232.134

# Reference: https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer
# Reference: https://www.virustotal.com/gui/file/e3680602deb66e1196bcffe531cdeeab32663efc62c5e16178a0f9f4df745007/detection
# Reference: https://www.virustotal.com/gui/file/8447b77cc4b708ed9f68d0d71dd79f5e66fe27fedd081dcc1339b6d35c387725/detection

http://37.120.237.251
http://45.42.201.248

# Reference: https://www.virustotal.com/gui/file/60c570bd5f5f0d8ea3760317f9becaa78a9be16b2fb2dc7399bf270ca855c0a1/detection

http://45.146.166.186

# Reference: https://twitter.com/th3_protoCOL/status/1488508291642626057
# Reference: https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/

http://104.223.123.7
http://146.70.24.173
http://146.70.41.157
http://149.255.35.179
http://167.88.15.115
http://185.244.213.64
http://188.241.83.61
http://192.121.87.53
http://216.230.232.134
http://23.29.115.175
http://37.120.237.251
http://37.221.114.23
http://45.146.165.221
http://45.42.201.248
http://46.102.152.102
http://5.254.118.226
http://69.46.15.151
http://91.241.19.110
http://92.204.160.110
http://92.204.160.233
abocomteamsd.site
chargraman.ml
passesleeson.site
pdfdocdownloadspanel.site
sseiatca.site
triplegnuise.site

# Reference: http://lists.emergingthreats.net/pipermail/emerging-sigs/2021-November/030492.html

noelfpar.com

# Reference: https://www.virustotal.com/gui/file/e2ee962de73184eb406a9b403a87b4a8b2d8dc2a2b048977748a0273d1f90ab6/detection

http://146.70.88.119

# Reference: https://unit42.paloaltonetworks.com/solarmarker-malware/

http://146.70.101.97
http://146.70.53.153
http://37.120.247.199
http://37.221.113.115
http://84.252.95.225
http://89.44.9.108
http://92.204.160.101
http://92.204.160.114

# Reference: https://twitter.com/SquiblydooBlog/status/1515345814314373123
# Reference: https://www.virustotal.com/gui/file/8aaf2a9920c23cbccf4ee9686679ad605ed3943685e80855192cdaf27913d9b7/detection

http://86.106.20.155

# Reference: https://tria.ge/220421-q74hdsbaan

http://37.120.247.120

# Reference: https://www.virustotal.com/gui/file/c884f80accda415c39632e495f11e1d143649d0439d6eecd8a9d4851d041c444/detection

http://146.70.71.174

# Reference: https://tria.ge/220706-15rqxshffj/behavioral2

http://146.70.124.83

# Reference: https://twitter.com/embee_research/status/1546735163996254208

http://194.15.216.126

# Reference: https://twitter.com/SquiblydooBlog/status/1552736298024243201
# Reference: https://tria.ge/220728-vv9k4ahfc8/behavioral1

http://37.120.198.209

# Reference: https://twitter.com/embee_research/status/1567905607943950341

http://85.17.9.107

# Reference: https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2_FgRr3aN.pdf

http://176.113.115.125
http://45.135.232.131
http://45.155.204.139
digitalagencylks.com
hosthotelsshtus.com

# Reference: https://twitter.com/SquiblydooBlog/status/1574669745651163137
# Reference: https://tria.ge/220926-xqpq8schej/behavioral2

http://146.70.53.146

# Reference: https://twitter.com/SquiblydooBlog/status/1578083067893252108
# Reference: https://www.virustotal.com/gui/file/e0f268e1bff8974b728315707386b2b2fe70fa1701047976f0911bc2622e8de0/detection

http://176.223.140.177

# Reference: https://twitter.com/SquiblydooBlog/status/1588965633752199168
# Reference: https://tria.ge/221105-wcz5dabbgj/behavioral2

http://146.70.147.41

# Reference: https://twitter.com/luke92881/status/1591149451472941058
# Reference: https://app.any.run/tasks/eb4e5142-4d0d-4a2f-86b2-4228410922d8/

http://85.17.9.32

# Reference: https://twitter.com/SquiblydooBlog/status/1598942566170652673

http://78.135.73.155

# Reference: https://twitter.com/SquiblydooBlog/status/1604494175956869122
# Reference: https://www.virustotal.com/gui/file/d5d9368aa2419cdecd951091cddfc9227ab49fb554e53099378a2ef7aae5a012/detection

http://185.73.202.88

# Reference: https://twitter.com/AnFam17/status/1613586031328071707

http://67.43.233.154

# Reference: https://twitter.com/SquiblydooBlog/status/1618570847719149568
# Reference: https://www.virustotal.com/gui/file/2bf0a64fe7aea262c96fc7d52b1e28486ff607caa9513fd88583e19454f9c500/detection

http://146.70.161.126

# Reference: https://www.virustotal.com/gui/file/a13278be27e4b0c38d7102496f3d4fcfb31cf710389edee244a4c5dd40055c4f/detection

http://91.206.178.144

# Reference: https://twitter.com/AnFam17/status/1679592168514637825

http://78.135.73.180

# Reference: https://twitter.com/SquiblydooBlog/status/1688885798890860544

http://193.29.56.179
http://91.206.178.106

# Reference: https://twitter.com/SquiblydooBlog/status/1690139830984814594

http://212.237.217.133
http://78.135.73.160

# Reference: https://twitter.com/SquiblydooBlog/status/1692485583250260204
# Reference: https://tria.ge/230818-lcavdaaa9w/behavioral2

http://146.70.40.228

# Reference: https://twitter.com/SquiblydooBlog/status/1695193593365877084

http://146.70.125.68
http://46.30.188.221

# Reference: https://threatfox.abuse.ch/browse/malware/win.solarmarker/

http://146.70.149.55
http://146.70.86.142
http://185.94.191.54
http://217.138.215.105
drumlinsecurity.com
fzthemes.site
nakamurav.com

# Reference: https://twitter.com/SquiblydooBlog/status/1699475399363657912
# Reference: https://tria.ge/230906-t5rycshg24/behavioral2

http://185.236.203.159
http://78.135.73.148

# Reference: https://twitter.com/SquiblydooBlog/status/1701636445977317474

http://37.120.198.226

# Reference: https://twitter.com/SquiblydooBlog/status/1703115443181863325
# Reference: https://tria.ge/230916-wmkgnsce5z/behavioral2
# Reference: https://www.virustotal.com/gui/file/13a1bead1187cbc6072c410501a417b812e82f1bbbf6a93deaab26ae5ea67628/detection

http://185.243.115.88
http://91.206.178.109

# Reference: https://twitter.com/SquiblydooBlog/status/1704903699863142748
# Reference: https://tria.ge/230921-tjd5dabc25/behavioral2

http://146.0.79.28

# Reference: https://twitter.com/SquiblydooBlog/status/1707428017906090325
# Reference: https://tria.ge/230928-r1yh8scb2t/behavioral2

http://146.70.92.153
http://2.58.14.246

# Reference: https://twitter.com/SquiblydooBlog/status/1709843190511980791
# Reference: https://www.virustotal.com/gui/file/b55b93ec2e7b962840adfacb4e6007c620f6e7fc9a1289825b44b1376a5cc081/detection

http://146.70.145.224

# Reference: https://threatfox.abuse.ch/browse/malware/win.solarmarker/ (# 2023-10-15)

http://146.70.104.173
http://146.70.157.224
http://146.70.86.140

# Reference: https://twitter.com/SquiblydooBlog/status/1717464614403735562

http://146.70.71.135

# Reference: https://twitter.com/SquiblydooBlog/status/1719319531305206184

http://146.70.121.88

# Reference: https://twitter.com/SquiblydooBlog/status/1720425728171192445
# Reference: https://tria.ge/231103-nhx8zabe67/behavioral2

http://146.70.80.79
http://212.237.217.136
http://91.206.178.109

# Reference: https://twitter.com/SquiblydooBlog/status/1721960346468958442
# Reference: https://www.virustotal.com/gui/file/5abc14737cb65a1e645bd5a2e3301b0e3e1e861a184034a6cc67ce57ee38f448/detection

http://78.135.73.176

# Reference: https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
# Reference: https://otx.alienvault.com/pulse/654a4773d937d004abd51d9a

http://146.70.101.83
http://185.243.112.60

# Reference: https://twitter.com/SquiblydooBlog/status/1724534553350398338

http://146.70.104.176
http://146.70.80.66

# Reference: https://twitter.com/SquiblydooBlog/status/1727439342627607028
# Reference: https://tria.ge/231122-t1eggadf67/behavioral1

http://185.73.202.68
http://2.58.14.183
http://91.206.178.109

# Reference: https://www.esentire.com/blog/solarmarker-to-jupyter-and-back
# Reference: https://otx.alienvault.com/pulse/655e0d4bc019edf8513f0b15
# Reference: https://www.virustotal.com/gui/file/e4a5e529975f1beb46b2d6d30fc4bc52f77ce3dfdec1186aca45b2c8e3e50251/detection

http://146.70.169.170
http://23.29.115.186

# Reference: https://www.virustotal.com/gui/file/a07b1cf78a54dae125dd8a0bde61dd58f4efcf7a798172613e951ba3a180f2e9/detection

http://217.138.215.85

# Reference: https://twitter.com/SquiblydooBlog/status/1730602235824836815
# Reference: https://tria.ge/231201-q923caac6v/behavioral2

http://193.29.104.25

# Reference: https://twitter.com/SquiblydooBlog/status/1736449300870176925

http://2.58.15.214
http://67.43.234.48

# Reference: https://twitter.com/SquiblydooBlog/status/1740129178190778571
# Reference: https://www.virustotal.com/gui/file/a31d955304360eade30679137269659a9c7b1e53aecb2eb7e616a4ad0f91c655/detection

http://146.70.145.242
http://78.135.73.165

# Reference: https://twitter.com/luke92881/status/1747241778883748186
# Reference: https://www.virustotal.com/gui/file/6c89c09213a79a917a97f4531b9ef01da8feee805d2d3b7de92a831dbec9a7e6/detection
# Reference: https://www.virustotal.com/gui/file/c34b7f29d9f7b8031d8dd86730473753e616644323a634167fbf853a6e5fc704/detection

http://146.70.92.187

# Reference: https://twitter.com/luke92881/status/1751968350689771966
# Reference: https://www.virustotal.com/gui/file/5a2fb6d7bc028fc8d4cd5933acb8f85bffe7358372171a9f1598b478e65673e8/detection
# Reference: https://www.virustotal.com/gui/file/59b22f656ce9285f837706d3a2ca952c6008524d8f26c16cfdc36a06ddfe1368/detection

http://146.70.161.15

# Reference: https://twitter.com/SquiblydooBlog/status/1765169390369046597
# Reference: https://tria.ge/240305-3hsqtace5s/behavioral1

http://52.142.223.178
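Added example (not part of the Maltrail trail file above and not Maltrail's own loader): a small parser for this trail layout that keeps each indicator attributed to the "# Reference:" lines that introduce it, followed by a matcher that checks DNS queries and connection destinations against the loaded set. The excerpt embedded in SAMPLE_TRAIL copies a handful of indicators from this file; the log events are constructed. Two points are assumptions rather than anything the file states: an "http://A.B.C.D" entry is treated as a plain IP indicator with the scheme stripped, and a DNS match is made on the indicator domain and any subdomain of it (but not on a name that merely contains it, so "gogohid.com.evil.test" does not match). How Maltrail itself ingests such entries is not described on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt in the layout of the trail file above; only a few of
# the file's indicators are reproduced here.
SAMPLE_TRAIL = """\
# Aliases: Yellow Cockatoo RAT, Polazert, solarmarker

# Reference: https://redcanary.com/blog/yellow-cockatoo/

blackl1vesmatter.org
gogohid.com

# Reference: https://www.virustotal.com/gui/file/dbba731937d435681ed98af6e42ab52d53af4f9ebe8db955a2b4b9ab63b4b06c/detection

http://5.254.118.226

# Reference: https://threatfox.abuse.ch/browse/malware/win.solarmarker/ (# 2023-10-15)

http://146.70.104.173
drumlinsecurity.com
"""

# Constructed log events: ("dns", queried name) or ("conn", destination IP).
SAMPLE_EVENTS = [
    ("dns", "cdn.gogohid.com"),           # subdomain of a listed domain -> hit
    ("dns", "www.example.org"),           # benign
    ("conn", "146.70.104.173"),           # listed IP -> hit
    ("conn", "8.8.8.8"),                  # benign
    ("dns", "gogohid.com.evil.test"),     # contains a listed name, not a suffix match
]


def parse_trail(text):
    """Return {indicator: [references]} from Maltrail-style trail text.

    Assumption (not stated on the page): an `http://A.B.C.D` entry is an IP
    indicator, so the scheme is stripped and the bare IP is kept.  Each
    indicator is attributed to the `# Reference:` comments that precede its
    block; a comment that follows an indicator block starts a new group.
    """
    trails = {}
    refs = []
    prev_was_indicator = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if prev_was_indicator:
                refs = []
            prev_was_indicator = False
            m = re.match(r"#\s*Reference:\s*(\S.*)", line)
            if m:
                refs.append(m.group(1).strip())
            continue
        prev_was_indicator = True
        host = urlsplit(line).hostname if "://" in line else line
        host = host.lower().rstrip(".")
        trails.setdefault(host, list(refs))
    return trails


def is_ip(indicator):
    try:
        ipaddress.ip_address(indicator)
        return True
    except ValueError:
        return False


def match_events(events, trails):
    """Return [(observed value, matched indicator, references)] for hits.

    Connections match on exact IP; DNS queries match the indicator domain
    itself or any subdomain of it (suffix on label boundaries only).
    """
    hits = []
    for kind, value in events:
        v = value.lower().rstrip(".")
        if kind == "conn":
            if v in trails and is_ip(v):
                hits.append((value, v, trails[v]))
        elif kind == "dns":
            labels = v.split(".")
            for i in range(len(labels) - 1):
                cand = ".".join(labels[i:])
                if cand in trails and not is_ip(cand):
                    hits.append((value, cand, trails[cand]))
                    break
    return hits


if __name__ == "__main__":
    loaded = parse_trail(SAMPLE_TRAIL)
    for observed, indicator, refs in match_events(SAMPLE_EVENTS, loaded):
        print(f"{observed} -> {indicator} ({'; '.join(refs)})")
```

The suffix check walks label boundaries rather than using a substring test, which is what keeps "gogohid.com.evil.test" from matching; the reference list carried with each hit is what an analyst needs to pivot back to the report the indicator came from.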