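# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission
# Format: one indicator per line (domain, IP, IP:port or URL); lines starting with '#' are comments and each '# Reference:' line cites the source of the entries that follow it

# Aliases: 888rat, gaza007, loda, lodalogger, lodarat

# Reference: https://twitter.com/James_inthe_box/status/1047193599660576768

torrentfreak.duckdns.org

# Reference: https://twitter.com/DynamicAnalysis/status/1166433211548913668

79.134.225.71:7070
plunder.nsupdate.info

# Reference: https://twitter.com/425a_/status/1166792682812952576
# Reference: https://app.any.run/tasks/9654615e-a7d4-4f08-b29a-3a05d7012646/

172.111.184.248:5000
faith.dns-cloud.net

# Reference: https://app.any.run/tasks/919aede4-0cb3-42c6-a2df-cda9221cf38b/

monlait-57586.portmap.host
193.161.193.99:37659

# Reference: https://app.any.run/tasks/a0ac054a-1776-4121-978a-c5e5dfcd9bc0/

adomazmc.duckdns.org

# Reference: https://app.any.run/tasks/c4f94b73-2d0d-40e1-9c1b-d0c34b0c37d7/

battying.duckdns.org
88.150.227.112:11361

# Reference: https://app.any.run/tasks/376bbb21-01c0-4ebf-8441-2acd7bdcce80/

79.142.76.244:11361

# Reference: https://twitter.com/killamjr/status/1192967390910394368
# Reference: https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/
# Reference: https://app.any.run/tasks/279e3b22-239a-470a-b3aa-63e3cefd8e75/

193.161.193.99:37659
monlait-57586.portmap.host

# Reference: https://www.virustotal.com/gui/file/a402b91d84f226b0cbbe9c5f4fd8e079ace27a8dc66047d6e10685462e2b26bf/detection

142.44.161.51:7070

# Reference: https://twitter.com/killamjr/status/1221484462342459392
# Reference: https://app.any.run/tasks/5bb47889-64a6-40bf-a77d-0ba2b2578942/

79.142.76.244:64735
breakthrough.hopto.org

# Reference: https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html
# Reference: https://otx.alienvault.com/pulse/5e4460cce66c474d5bb319a1

4success.zapto.org
breakthrough.hopto.org
success20.hopto.org

# Reference: https://www.virustotal.com/gui/file/e17570bb819f551412fec0cd61acc3b9d832f8990894c392c44ff00f9958d801/detection

79.142.76.244:53916

# Reference: https://www.virustotal.com/gui/file/e80013a61796dac4c6d90283a2b956e005605d188d5127ff57552bfad64ecac7/detection

79.142.76.244:2089

# Reference: https://www.virustotal.com/gui/file/861f52459f96e434a6e5f9a96153e781f31cfa60d9979b7fa94ee42892a674e7/detection

79.142.76.244:4676

# Reference: https://www.virustotal.com/gui/file/fbdc8ef710f6210128d96f4a1b195c11ae0c30e526d552d792824239460e23d7/detection

88.150.227.112:4676

# Reference: https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html
# Reference: https://www.virustotal.com/gui/file/0d181658d2a7f2502f1bc7b5a93b508af7099e054d8e8f57b139ad2702f3dc2d/detection
# Reference: https://www.virustotal.com/gui/file/05d2fa5bb97f37edaaff99f58ffedbd438e928fb3881ede921a19b07fb884b0b/detection
# Reference: https://www.virustotal.com/gui/file/866397c8db26190c5a346bd863d9beb81e53d96011af9a3be6eeb713bbb57287/detection
# Reference: https://www.virustotal.com/gui/file/2d317bcccea4739b2deefcc3b14cf5eafe147162f62c5ff1288db3635b5c3f10/detection

172.111.203.72:4000
174.126.51.178:1543
46.243.136.238:4000
roodan888tools.atwebpages.com

# Reference: https://www.virustotal.com/gui/file/1d2f52ed77b7e4cf1e9cbdb849b17fe0e8c6c75e4584a473368a0affc6cdfc42/detection

107.175.145.170:1336

# Reference: https://www.virustotal.com/gui/file/32398f9c7ae23b1efbaf973b7ee2c02bc8e1e39136ed2b84d66b5bb1c21d20c2/detection

194.187.251.163:9735
setupbases.awsmppl.com

# Reference: https://www.virustotal.com/gui/file/5452c3094aa6f0c9502bdd114a577b6fd5ce65c9b9fe40f24b0aa7c2d121d1cf/detection

82.246.130.70:1605
lazytoxic.ddns.net

# Reference: https://twitter.com/Racco42/status/1334846921568088064
# Reference: https://app.any.run/tasks/c7fc7a6b-0d28-4994-a44c-0e07ebaf7d98/

178.162.204.238:50253
tmlo.awsmppl.com

# Reference: https://twitter.com/bl4ckh0l3z/status/1344624887713947648
# Reference: https://www.virustotal.com/gui/file/fb16f8f7d8b7432fbf799a645bee85f621fe8aae4f6b2bbdbcb981e420516476/detection

193.161.193.99:48855
hackerisback-48855.portmap.host

# Reference: https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html
# Reference: https://otx.alienvault.com/pulse/6022bda96385aadedec48a26/

av24.co
bangladesh-bank.com
bdpolice.co
bracbank.info
isiamibankbd.com
lap-top.xyz
zep0de.com
info.v-pn.co

# Reference: https://twitter.com/wwp96/status/1371439283563823110
# Reference: https://app.any.run/tasks/dfd6425b-3acd-4a6f-9220-3649557d0e42/

69.12.88.10:80

# Reference: https://www.virustotal.com/gui/file/c3c96926ad669bc7b7d227e92576aa525b36ed34e101f8a90577fabd5e186eeb/detection

194.5.98.212:4001

# Reference: https://www.virustotal.com/gui/file/53b7637945616f51b0ffa4de5c35685b87b2039473ebc4f69a1fb581c6236d19/detection

188.244.63.241:4000

# Reference: https://twitter.com/pollo290987/status/1410547188699176960
# Reference: https://www.virustotal.com/gui/file/ee0abbecbe6b11ec824eae85a9b2a3a320cb705770c201361409ea3e5c6bbb73/detection

79.159.238.125:49811

# Reference: https://www.virustotal.com/gui/file/ad35057e3d652b30e43c1812c0147e5307ccf6aa92046eb2e00725d26d7664b1/detection

78.189.177.240:4000

# Reference: https://twitter.com/malwrhunterteam/status/1449375270910234628
# Reference: https://twitter.com/LukasStefanko/status/1450007904413749248
# Reference: https://www.virustotal.com/gui/file/7090c9075201589ca10073aa7292eceed05dc95d5fa792d7607aa73a6b94284b/detection

193.161.193.99:50727
888ratsetup-50727.portmap.host

# Reference: https://twitter.com/alberto__segura/status/1450372347572244485
# Reference: https://www.virustotal.com/gui/file/6c454bda271d459ed3325ac77ef503972d170d099f53623c057d02d194a295de/detection

193.161.193.99:31594
0pcnerd0-31594.portmap.host

# Reference: https://www.virustotal.com/gui/file/2a53718b727ac8a57a3845cb79ca2f8f7cc78709267e89a6b8b0ccbb4f5444ff/detection

207.204.249.34:30040

# Reference: https://www.virustotal.com/gui/file/ae5b35dbed15013e4abf4ec50ee119c70f9d151206e27a77768ab619222252a4/detection

77.78.103.126:5050
insidentlyururmom.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1507453853704228867
# Reference: https://app.any.run/tasks/9e9f5102-66af-4bf0-b69a-5f0fb0c8623c/

3.128.107.74:8080

# Reference: https://www.virustotal.com/gui/file/52d60333dd75c0f9aa6ddefe840f22bb5906319c5f21a8edbfbeb118488df19c/detection

187.20.18.202:32400
anonimouspuro.ddns.net

# Reference: https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/
# Reference: https://otx.alienvault.com/pulse/6139c6cffcb1a0ba0ed60bc5

888-tools.com
apkup.xyz

# Reference: https://www.virustotal.com/gui/file/0aeea48dc9c774a36110cb4c41168552c7b438b2e5ab16ed91a4e901da8d1299/detection

194.5.98.212:5552

# Reference: https://blog.talosintelligence.com/get-a-loda-this/

193.161.193.99:64721
catkiller7767-64721.portmap.io

# Reference: https://threatfox.abuse.ch/browse.php?search=tag%3Aloda

109.248.150.140:4000
13.40.105.36:4000
165.22.244.84:4000
178.73.192.65:1199
185.140.53.161:1999
185.140.53.198:62748
192.99.175.89:4000
194.132.123.93:9800
194.187.251.163:58867
194.5.98.212:5005
195.123.221.123:7842
46.246.82.70:1199
79.142.76.244:9735

# Reference: https://twitter.com/r3dbU7z/status/1597741682023608320
# Reference: https://twitter.com/r3dbU7z/status/1599488540291010560
# Reference: https://www.virustotal.com/gui/file/00973673a54cfd2a206c7695fa86077d1a1803629d7207b1e5fb295255a25ae2/detection

102.42.212.43:5552
198.20.177.229:6666
aboreda.linkpc.net
secs.publicvm.com
test202022.ddns.net
upload.mywire.org

# Reference: https://twitter.com/r3dbU7z/status/1599918165600784384

evilteam.ddnsgeek.com
genesh.publicvm.com
munroe.work.gd
sdf65dsf5df4dfs5555e8.ooguy.com
semdoublebacks5f.ooguy.com

# Reference: https://twitter.com/r3dbU7z/status/1599920683428982784

arieldon.linkpc.net
kimo.camdvr.org
pacsez.linkpc.net

# Reference: https://www.virustotal.com/gui/file/f3a12208a4c61a4a8fbc72a6d52c1b8ba69b08205711f80a05bbb1f3f90129ba/detection

91.109.180.7:4000
1988.hopto.org

# Reference: https://threatfox.abuse.ch/browse/malware/win.loda/

3.141.204.47:27816

# Reference: https://twitter.com/jaydinbas/status/1618944624902692865
# Reference: https://www.virustotal.com/gui/file/86a95def10c2b7a23b7762126f12203915d83d3d27263cc002f6602c7f01ddd2/detection

185.254.96.226:4000

# Reference: https://twitter.com/James_inthe_box/status/1629225692188782593
# Reference: https://app.any.run/tasks/f19dfba1-d71e-43b1-867b-e20d8f6a52e6/

194.187.251.115:62848

# Reference: https://www.virustotal.com/gui/file/292a0489b67040746e3ea18988e036b74eaad99d537f0b7f0e2df43dd7b43747/detection

194.5.98.207:4000
46.246.14.7:4000
46.246.14.9:4000
46.246.26.11:4000
46.246.80.12:4000
46.246.80.23:4000
46.246.84.15:4000
46.246.84.5:4000
46.246.86.22:4000
46.246.86.6:4000

# Reference: https://www.virustotal.com/gui/file/fa237d90f2875ec6cabcefc252e1de9f9cc30c49db5d5da151e393352b675133/detection

213.152.162.15:4110
213.152.162.15:42525
213.152.162.15:4833
213.152.162.15:49094
213.152.162.15:8848
outside-agent.duckdns.org

# Reference: https://twitter.com/pollo290987/status/1654218416218161153
# Reference: https://www.virustotal.com/gui/file/c96f47b80211ab0b02937f6fa95f5ae2f2dc521278d2a340cb5d45f1b938a52d/detection

104.128.188.112:8050

# Reference: https://threatfox.abuse.ch/browse/malware/win.loda/ (# 15 Jun 2023)

104.243.251.229:5552
149.50.211.160:7777
172.111.138.100:5552
185.241.208.138:4000
2.58.56.188:4000
46.105.113.84:4000
46.246.14.12:1199

# Reference: https://www.virustotal.com/gui/file/4155a4cdb62c2e3849aba731beabc52b8544f0bf7ad8fa17d4da80d757a50d12/detection

80.69.173.234:6942
tempdomain.duckdns.org

# Reference: https://www.virustotal.com/gui/file/8d4263b12ae83ca07541c5077b66dff28c40609183f15ca244fcea310fc23e43/detection

185.244.31.57:61
lexdeerex.duckdns.org

# Reference: https://www.virustotal.com/gui/file/8f77248b0b07ff8f2ee5c6a18c1257b8ef6d653014df768457792ef2988fc50e/detection

193.161.193.99:53926
mogrem-53926.portmap.host

# Reference: https://www.virustotal.com/gui/file/2d6b1ad6c5c98ea2c89c0b0d88d8743c89929adae06ffed93ee31cbd993843c2/detection

3.138.180.119:10364
3.22.15.135:10364

# Reference: https://www.virustotal.com/gui/file/98600c65ed44e40bee4c5e07742c9f7bfd18f1ab2bca469f0ddf5c17581abd76/detection

20.219.120.27:4000

# Reference: https://www.virustotal.com/gui/file/2551a571a99fb4d75cdcb33388ee46757767d949fb098658e38144f77733db97/detection

165.22.244.84:4000
vbot.ddns.net

# Reference: https://www.virustotal.com/gui/file/1aef8bcb98f2c4717c12da09c86794253e11864636cb19c14f9bd53ab5aa3394/detection

147.185.221.180:30225

# Reference: https://www.virustotal.com/gui/file/052fba70767b01cb674b9311a220181a87bdf47161280bb6335c6024e163139c/detection

37.0.14.214:35152
presh147osidufhj.ddns.net

# Reference: https://twitter.com/1ZRR4H/status/1729713083004641491
# Reference: https://www.virustotal.com/gui/ip-address/46.246.80.17/relations

http://46.246.80.17
46.246.80.17:443
armenia2024.duckdns.org
poconoconcertchorale.org
puertocol20.duckdns.org
servicios-cne.duckdns.org

# Reference: https://www.virustotal.com/gui/file/1fdbe240bd927bb80694c7f2c73731d1dc2aebe2e2ebe4a2db1a9616c8298251/detection

46.246.26.19:4000

# Reference: https://www.virustotal.com/gui/file/b9cdf70b71fa9f216dd7ad40d77d893ba095059d6f3beb7c4ed9bc5cb46ce784/detection

46.246.82.8:2054

# Reference: https://www.virustotal.com/gui/file/c734a5e8ec10c0a9e8b82f01e96ecadf9888b8a651fe2710630e056590862289/detection

46.246.4.6:4000

# Reference: https://www.virustotal.com/gui/file/292a0489b67040746e3ea18988e036b74eaad99d537f0b7f0e2df43dd7b43747/detection

46.246.12.20:4000

# Reference: https://threatfox.abuse.ch/browse/malware/win.loda/ (# 2023-12-17)

167.88.166.159:4000
171.252.110.10:5736
213.152.161.20:17149
45.155.249.183:1337

# Reference: https://www.virustotal.com/gui/file/f70317a8c80a5dd5e7e6be4fa7ad7fa6f78c05b1de3bb6c98978913bc2ae3a27/detection

105.191.48.145:5588

# Reference: https://www.virustotal.com/gui/file/38ddb1173e31e882adfaf20f6f7ddaee582d041504743330d4497a315b097f33/detection

102.101.209.215:5588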