# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://www.malware-traffic-analysis.net/2018/07/05/index.html desjardinscourriel818654.pw # Reference: https://app.any.run/tasks/9de1c3d6-745d-4b89-b653-f8f4414a40f1 desjardinsmail6as6545g.pw # Reference: https://twitter.com/James_inthe_box/status/1099365566928760834 # Reference: https://pastebin.com/C5XYY221 # Reference: https://www.virustotal.com/gui/ip-address/77.83.174.70/relations http://77.83.174.70 77.83.174.70:2077 thedokatrade.com highnoon2.com copylanco.com glekrg.com # Reference: https://twitter.com/James_inthe_box/status/1079757827030142976 # Reference: https://www.virustotal.com/gui/ip-address/5.45.73.63/relations http://5.45.73.63 5.45.73.63:2131 donbwh.com # Reference: https://twitter.com/BroadAnalysis/status/967357851520897024 http://94.242.198.167 ebalodauna1488.com printscreens.info # Reference: https://twitter.com/JAMESWT_MHT/status/927523630778650627 bmwfastcar1337.com # Reference: https://twitter.com/anyrun_app/status/912276794648272897 # Reference: https://app.any.run/tasks/f1a72d72-2e96-4d8b-9ad7-1f74e162d585 overwbuff.com http://195.123.211.9 195.123.211.9:13378 # Reference: https://twitter.com/JAMESWT_MHT/status/906086386377379845 pudgenormpers.com # Reference: https://twitter.com/VK_Intel/status/1135507293573931008 # Reference: https://www.virustotal.com/gui/file/11918aadc1e4942a1e458afab5c10971fb87d84b693b2c31f5497aa289fa20da/detection 176.119.30.142:8765 # Reference: https://twitter.com/VK_Intel/status/1143606935373172736 31.7.62.214:443 # Reference: https://twitter.com/JAMESWT_MHT/status/1166106371403763714 179.43.146.90:443 # Reference: https://twitter.com/James_inthe_box/status/1178692652700590085 http://179.43.159.246 # Reference: https://www.fireeye.com/blog/threat-research/2019/10/head-fake-tackling-disruptive-ransomware-attacks.html # Reference: https://otx.alienvault.com/pulse/5d9378b8f36a91c436c5f93c track.amishbrand.com gnf6.ruscacademy.in backup.awarfaregaming.com link.easycounter210.com # Reference: https://habr.com/ru/company/pt/blog/471960/ (Russian) 185.225.17.66:443 # Reference: https://twitter.com/P3pperP0tts/status/1188946654768091136 http://179.43.146.90 # Reference: https://pastebin.com/iqcg0Ys7 http://185.225.19.35 # Reference: http://broadanalysis4.rssing.com/chan-65366183/latest.php http://91.243.80.120 http://94.242.198.167 179.43.191.122:2259 31.31.196.204:1488 94.242.198.167:1488 ebalodauna1488.com printscreens.info # Reference: https://twitter.com/tkanalyst/status/1196033182694379527 http://103.16.228.173 # Reference: https://twitter.com/VK_Intel/status/1196136022658207750 # Reference: https://www.virustotal.com/gui/ip-address/94.158.245.91/relations 94.158.245.91:1488 ololoev.duckdns.org # Reference: https://twitter.com/James_inthe_box/status/1199078758298206208 5.181.156.36:1321 # Reference: https://twitter.com/VK_Intel/status/1224647173872193538 gjuauyfhjha.cn sasggegzui.cn # Reference: https://twitter.com/JAMESWT_MHT/status/1222152295724593152 103.16.228.173:1488 # Reference: https://app.any.run/tasks/32eeb667-b66b-4dea-b343-ae43941f7b20/ micrdata.com safuuf7774.pw wobada.com # Reference: https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/ # Reference: https://github.com/pan-unit42/iocs/blob/master/NetSupportManager http://185.163.45.88 http://94.158.245.182 94.158.245.182:443 unclebillswv.com/verisign.php firstteamcareer.com/user.php busyserviceinc.com/webdoc.php edisonlee.net/maildir.phpq newtontool.ca/wp-contents.php brotherselectricco.com/host.php innovativemasonry.net/hostgator-welcome.php greenheartmed.org/captcha.php ultraeventgroup.com/wp-element.php jnachb.com/wp-comment.php adroitpmps.com/wp-list.php ledampenergy.net/wp-comment.php hostfleek.com/backup.msi alpinehandlingsystems.com/backup.msi jintsung.cn 4ourkidsky.com # Reference: https://twitter.com/killamjr/status/1234547286807584773 http://185.163.45.118 # Reference: https://twitter.com/malwrhunterteam/status/1236215722885464064 # Reference: https://www.virustotal.com/gui/file/870972fabfb6c59f1c3959cea9201d3c4d48756585970de869d063ec69983ab8/detection http://23.227.207.138 23.227.207.138:12233 browserinstallup.com # Reference: https://twitter.com/jcarndt/status/1241090163008307206 # Reference: https://app.any.run/tasks/b46069d5-ec22-481e-af2b-c14474978f79/ tardigradeventures.com # Reference: https://www.virustotal.com/gui/file/1a08a65d4199f08d60644f2aee1182d87f29b36d38257239e5c80965ed65e0d1/detection # Reference: https://twitter.com/olihough86/status/1243561290439839745 # Reference: https://app.any.run/tasks/aa3e41ee-b1c0-4333-939e-e4199c1daa56/ http://5.181.156.14 5.181.156.14:443 covidpreventandcure.com komnop.com # Reference: https://unit42.paloaltonetworks.com/how-cybercriminals-prey-on-the-covid-19-pandemic/ (# NetSupportManagerRAT) covidpreventandcure.com covidwhereandhow.xyz # Reference: https://twitter.com/malwrhunterteam/status/1255849588788953088 62.173.145.56:2721 avheaven.icu bssupport.duckdns.org # Reference: https://twitter.com/JAMESWT_MHT/status/1260492238758588419 # Reference: https://app.any.run/tasks/0b4ce298-496a-4b15-9e94-0fbbb616422e/ 62.173.154.94:2145 avheaven.space brassaffid.com # Reference: https://twitter.com/jcarndt/status/1275108512046211074 # Reference: https://app.any.run/tasks/c9e195d3-227c-480a-8515-1cdadcf29485/ membersonlytraining.com # Reference: https://app.any.run/tasks/cc3ac8a1-394f-4488-89e1-6107017b2360/ http://45.133.245.57 # Reference: https://twitter.com/JAMESWT_MHT/status/1285170628656615424 # Reference: https://bazaar.abuse.ch/sample/8ab3b9367304dccac78095808260417a46c0f37720051592b9a32ba3b030743d # Reference: https://www.virustotal.com/gui/file/68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345/detection http://62.173.138.41 62.173.138.41:2071 numienimfe2.com ysanhumeg1.com # Reference: https://www.virustotal.com/gui/file/72a908033a308ec5da4e384c2c6efb33405afc50688033849783267e6fb1bddc/detection http://5.45.74.219 # Reference: https://www.virustotal.com/gui/file/86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b/detection http://45.133.245.192 # Reference: https://twitter.com/malware_traffic/status/1321482374044069888 http://46.17.106.230 46.17.106.230:3543 # Reference: https://www.virustotal.com/gui/file/8781b76845a95237e38d007e1ce0c5743e3eb95717e13b85a6b2a963cf4c0d2d/detection # Reference: https://www.virustotal.com/gui/file/5f7f2f6e7ed3cc8243fad060f0b64267ceb629456eab62215847419eb7f4494e/detection 192.169.6.95:3294 http://192.169.6.95 http://45.138.172.158 # Reference: https://twitter.com/cyb3rops/status/1372941834104807426 # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SunBurst/SilverFish_Solarwinds.pdf mgdsoufjgh4hgba.xyz nefvnvudygct4.xyz huntaget.cn moreeu.cn moreofit.cn torpoa.cn # Reference: https://www.virustotal.com/gui/file/2add4e3f9acd88b53c97989b309bccdf35456c444d7b4436bd0b9b04f1d16cf4/detection http://88.119.171.110 88.119.171.110:443 # Reference: https://www.virustotal.com/gui/file/672eebccfb00a9a4cc11fec4232eff3c87f7870d1cef4c647d364801cab814ca/detection http://37.61.213.242 37.61.213.242:2549 # Reference: https://www.virustotal.com/gui/file/45ff625f17a1e9ad65dd94c376034148d6d8eee8a41b1209f566a907f5d6d6c7/detection http://46.161.40.59 46.161.40.59:3085 # Reference: https://www.virustotal.com/gui/file/c8425cf994f02784d3f8eeb570b6ac1edc5876908b64b40b532e2534a84a19ad/detection http://62.173.140.217 62.173.140.217:1337 coinduck.duckdns.org # Reference: https://www.virustotal.com/gui/file/c5962e29f3f752f3fe8ae5cef5022fb819eb8dfad91ba81c9e1ccd44ac8d5fd5/detection 185.156.172.130:2549 fiseddaniret1.com fiseddaniret2.com # Reference: https://www.virustotal.com/gui/file/131586137654c8774dc2ba571834e7d20881c53e2e91421fe832159004954ab8/detection http://1.254.1.1 http://192.64.119.126 visualmultiplicationsinc.club worktwork3.xyz # Reference: https://www.virustotal.com/gui/file/013928987cd0092ef2f5de55f2ae076ff67297ccd75bc6a2959eff4301591ddf/detection findmemolite.com dvqyswmvahrqd.cloudfront.net # Reference: https://github.com/pr0xylife/NetSupportRAT/commit/8ce0fa44a9a9c899031dc3340f23aa601e3ffeaa http://5.252.178.213 contentcdns.net # Reference: https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee # Reference: https://www.virustotal.com/gui/file/552f65f0ae7b001df20dc2875b136f55669daa09ba02d10d9b688a3511cbb4ca/detection # Reference: https://www.virustotal.com/gui/file/ccc0204486cbf8b6db43711ddf8d847cfc15d5f713c60b53c461c4e4eeeb1a4f/detection # Reference: https://www.virustotal.com/gui/file/617c331b65e0d26e1e64a04f06555891e719b578fd2bdc41065458176821f0c1/detection http://149.28.68.114 http://194.180.158.173 http://45.76.172.113 http://45.77.87.77 http://5.252.178.213 http://87.120.8.141 aasdig8g7b448ugudf.cn asaasdivu73774vbaa33.cn businessaudit.tax hlmequipment.com mixerspring.cn nsncasicuasyca831cs3vvz.cn sjvuvja.com # Reference: https://twitter.com/idclickthat/status/1550876054440509445 # Reference: https://www.virustotal.com/gui/file/4a6e542f77e622f7084e5b5bddab43ae4e80a07ade56e3063e3959fd03040dd0/detection http://95.217.35.62 95.217.35.62:1337 pokemongo-nft.io # Reference: https://github.com/0xToxin/Malware-IOCs/blob/main/Riskware/Riskware%20-%2008082022 # Reference: https://www.virustotal.com/gui/file/080fa496d57ca79f09b2717b384a3a34080bbfcef8a1198bbea1901e4b571991/detection http://108.61.207.16 108.61.207.16:49760 telemetry-cdn-ny.com # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2022-08-16%20NetSupport%20RAT%20IOCs http://23.88.96.2 asdbgbwi8ww.icu # Reference: https://twitter.com/pollo290987/status/1561042448683618304 http://151.236.14.69 7nt.at # Reference: https://twitter.com/0xToxin/status/1558007700180582400 duvje6egvuas.com sdhbuh474jhguakfi3jgh3.cn # Reference: https://github.com/executemalware/Malware-IOCs/commit/5db274edcb157e7d003c1201211674b6bc140fc2 http://78.47.32.144 asdjdoo3vsd.icu # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2022-08-22%20NetSupport%20RAT%20IOCs http://167.235.67.199 ghev.top tojh5roh4.top # Reference: https://twitter.com/mojoesec/status/1561805273651617793 52226asdiobioboioie.com jjdfu.fun # Reference: https://twitter.com/phage_nz/status/1562229369669828608 aisdyhvuekmfa33.cn dfuy.fun iurb.top sdfijiusgydygbugjsadifr.com # Reference: https://twitter.com/pollo290987/status/1562535463251898369 asdbjhsdf63.cn rijd.fun sadvi8ejvas.icu sdsdfnjdsfhis6g4fr.com # Reference: https://tria.ge/220829-t7q4vacahl/behavioral2 adhkjdlkasd.icu riut.top # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2022-09-08%20NetSupport%20RAT%20IOCs ghvab.xyz # Reference: https://twitter.com/pollo290987/status/1568312124799176704 http://103.153.183.74 # Reference: https://twitter.com/pollo290987/status/1570114932041043972 http://94.130.179.90 fbueg.top # Reference: https://twitter.com/pollo290987/status/1572284261721591808 http://78.47.255.163 eruge.xyz # Reference: https://twitter.com/pollo290987/status/1573375977178234881 http://88.198.178.95 fygba.fun # Reference: https://twitter.com/pollo290987/status/1574770057460211712 http://78.47.81.171 gunbj.top # Reference: https://twitter.com/nosecurething/status/1574939506566135809 fhb7dhb8z84ehg.xyz rgkiboinas.men sdgjoujhbsiuhdisd.com # Reference: https://twitter.com/pollo290987/status/1576941098483998722 http://75.102.34.39 # Reference: https://twitter.com/pollo290987/status/1578047035793711110 http://23.88.52.251 db8ew.top # Reference: https://twitter.com/pollo290987/status/1580579019543568385 # Reference: https://twitter.com/phage_nz/status/1592273345185468416 # Reference: https://tria.ge/221114-1cg11sab4z/behavioral1 # Reference: https://www.virustotal.com/gui/file/2a968ae38c10430c37a108f6919d0d5eb4e8e10415f927437a051e1fbd3ae7d4/detection # Reference: https://www.virustotal.com/gui/file/157b4754d3cc372bb4b236c37036eb0729cff6bba01220f3d0cc1c9f340d68ea/detection 176.113.115.91:2145 31.41.244.112:2145 89.185.85.44:2145 89.208.103.208:2145 8ltd8.com npinmclaugh11.com npinmclaugh14.com # Reference: https://www.virustotal.com/gui/file/05bb07f3dfae2584a5f6382f23ba58bbea9feeea01509c446a1c75e47a9dfa13/detection http://140.82.15.232 140.82.15.232:2970 # Reference: https://www.virustotal.com/gui/file/498d6c9301e100f9b7752a6ee34b6873747efa876a9767f51c8eb8dd6a2ff63a/detection http://116.202.22.58 sdfuubw.icu # Reference: https://isc.sans.edu/diary/rss/29170 # Reference: https://otx.alienvault.com/pulse/6352a4f01abba547918c8a4d http://176.124.216.159 176.124.216.159:5511 # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2022-10-26%20NetSupport%20RAT%20IOCs she32rn1.com # Reference: https://www.virustotal.com/gui/file/bfa0f0a9d939eb766c9fd81be03e3b2cd4ed43b977832a21e73156a7201ff1ed/detection http://193.106.191.152 185.158.251.35:4421 193.106.191.152:4421 dcejartints16.com dcejartints17.com # Reference: https://github.com/pan-unit42/tweets/blob/master/2022-12-28-IOCs-for-NetSupport-RAT-infection.txt http://89.185.85.44 # Reference: https://www.virustotal.com/gui/file/058118f80fc1a977d07f012560d2ca6109709d20ba6a81e017f294f6e37f2f28/detection 151.236.14.69:2940 pinustamilbe10.com # Reference: https://twitter.com/x3ph1/status/1612583145257275392 # Reference: https://twitter.com/x3ph1/status/1612636188212338690 gkdkr.icu gubje.top noinmsyvhruhjbi4hs.cn sdvubjser.top # Reference: https://www.virustotal.com/gui/file/e0f1dc2d0d42622578b3d4e609a5f428edcc41273c60640711f092570cda132c/detection http://142.132.188.48 fasfybue.icu rgkiboinas.men # Reference: https://twitter.com/BroadAnalysis/status/1613255257789693953 http://94.158.244.38 52226asdiobioboioie.com # Reference: https://www.virustotal.com/gui/file/12d2c229d192506c13f8dfbb5e9edb5b9b369a6e0b5ddc7cb2647d02d7fcdae5/detection http://194.180.174.152 194.180.174.152:1203 pro1vin7ce.top # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-01-27%20GoogleAds_NetSupport%20RAT%20IOCs http://185.161.210.23 # Reference: https://twitter.com/dlevyny7/status/1619081793344512000 # Reference: https://www.virustotal.com/gui/ip-address/185.161.210.23/relations # Reference: https://www.virustotal.com/gui/file/8301d30f35705f82c85b56c51fc9f79f9071c3cb3e984b9c55aefe98b830cfc6/detection anydeks-access.com mindamiedolis19.com # Reference: https://twitter.com/1ZRR4H/status/1620141013686968320 http://176.124.216.31 # Reference: https://twitter.com/crep1x/status/1620542075082260480 # Reference: https://tria.ge/230131-z4s2xscd3t/behavioral2 any-desk-app.life audacity-app-official.site canva-app-official.site handbrake-app-official.site ledger-app-official.site libreoffice-app-official.site teamviewer-app-official.site tronlink-official.site dkimqwertyasd.com harddrystamp.com # Reference: https://twitter.com/Iamdeadlyz/status/1626286424713736194 # Reference: https://www.virustotal.com/gui/file/2bee969bf4dd2fc0e5b6de9f835a037b486fe6f599ec20485231710b06033837/detection # Reference: https://www.virustotal.com/gui/file/84520291f6556c00cb44314d2994037e0b098bc97c73826c6b6d3e03564b243d/detection http://89.107.10.44 89.107.10.44:9999 arponet.duckdns.org # Reference: https://twitter.com/Iamdeadlyz/status/1626286411879190528 http://195.133.197.185 pokemoncards-nft.com # Reference: https://twitter.com/AnFam17/status/1628995393143832576 94.158.244.118:1203 # Reference: https://twitter.com/nosecurething/status/1631005059302522900 dssdgihbiuieyygvkdsiy4.cn gunhdr.top # Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-03-09-v10262/351 gybvhxu.top itugbjhb.xyz # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-03-23%20NetSupport%20RAT%20IOCs http://116.203.241.111 dirjbrb.fun dvjurtt.top sdfojbeufibibsuu8u.cn # Reference: https://twitter.com/JAMESWT_MHT/status/1641700979434217475 glorrytertyds1.com glorrytertyds15.com howcankfhns.com ktalarisa18.com ktalarisa19.com plshaquntarav31.com plshaquntarav32.com uzurtela1.com uzurtela42.com xjmko311.com # Reference: https://twitter.com/JAMESWT_MHT/status/1641714810696998916 http://51.195.53.204 dcanalirder12.com dcanalirder15.com jalalymola11.com jalalymola17.com mindamiedolis20.com whatulookingat.duckdns.org # Reference: https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html # Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising/ioc-new-opcJacker-malware-distributed-via-fake-vpn-malvertising.txt # Reference: https://otx.alienvault.com/pulse/6424417d4f7e34fdcc85af29 alle13net1.com alle13net2.com comes1.com comes2.com gattri1.com gattri2.com installer-xvpn-g.site installer-xvpn-h.site installer-xvpn-k.site installer-xvpn-n.site irbxvpn.site irexvpn.site irfxvpn.site irhxvpn.site irixvpn.site irkxvpn.site irqxvpn.site irtxvpn.site iruxvpn.site irwxvpn.site manigiajabae32.com manigiajabae35.com neskrab1.com neskrab2.com nesupcli.com uhcoxvpn.site # Reference: https://twitter.com/1ZRR4H/status/1643512391940952064 # Reference: https://www.virustotal.com/gui/ip-address/162.33.178.129/relations http://91.107.198.110 gsdgtruhu45.cn irejhg.fun retbr.fun tumnt.top # Reference: https://www.virustotal.com/gui/file/12e68953eac99f92a4bad4dc8263fd21837a119ec3830569c3f6205b2bc4726c/detection rtern.top # Reference: https://www.virustotal.com/gui/file/12e68953eac99f92a4bad4dc8263fd21837a119ec3830569c3f6205b2bc4726c/detection dfrgb.fun # Reference: https://twitter.com/abuse_ch/status/1646397352469577728 # Reference: https://www.virustotal.com/gui/file/26cad4ec29bc07d7b2c32c94dbbef397391babf1c78cc533950b325aaf11bba8/detection http://79.137.207.54 79.137.207.54:5222 balbalz1.com # Reference: https://twitter.com/StopMalvertisin/status/1648223628067237890 # Reference: https://twitter.com/souiten/status/1648250631600373760 # Reference: https://www.virustotal.com/gui/file/e927e79de25207d548965e90ec87c26021b9549b5108ac0de99cc9c85556841b/detection http://87.251.67.111 87.251.67.111:1935 glazgo141.com glazgo142.com # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-04-17%20NetSupport%20RAT%20IOCs http://23.88.125.55 erbieiv.top rubjbz.fun ssgdubuerx4.cn # Reference: https://twitter.com/pollo290987/status/1653139934956363777 # Reference: https://twitter.com/pollo290987/status/1653486646774362112 # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-05-01%20NetSupport%20RAT%20IOCs # Reference: https://www.virustotal.com/gui/file/e3d142307cbbf3d0d8eac76364993e52833d1ba7318a9ca93dc7f950c49e8ec5/detection http://195.201.237.50 eduvu.top erigb.top sdjbizirebz.cn # Reference: https://twitter.com/pollo290987/status/1653796442723475458 asdyg.fun dsauvsiv.top # Reference: https://twitter.com/pollo290987/status/1654206717251530753 # Reference: https://www.virustotal.com/gui/file/026d17e445821b1d208cb399f451f688f2ba1882a0596661c5d728213aa70e18/detection http://193.233.232.218 http://89.22.237.94 89.22.237.94:5222 blahadfurtik.com blahadfurtik2.com # Reference: https://www.virustotal.com/gui/file/2ba36fbdb1ade985521f651d2fef8667b788658b87423297fddb88f70fbbd411/detection http://79.137.203.68 79.137.203.68:5222 hdwarframebot.com # Reference: https://twitter.com/pollo290987/status/1654357341314117633 dsauvsiv.top erivhx.fun # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-05-04%20NetSupport%20RAT%20IOCs dubhd.top # Reference: https://twitter.com/pollo290987/status/1654540593756872706 http://45.138.74.89 # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-05-08%20NetSupport%20IOCs # Reference: https://www.virustotal.com/gui/file/9488e05b2be4ef6494ed61a15246de5a1b9e2e7a1673c660a35a162a4e29f339/detection http://94.130.187.192 pruvb.fun # Reference: https://twitter.com/pollo290987/status/1658540867840270337 # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-05-15%20NetSupport%20RAT%20IOCs http://128.140.14.43 sdfhr.top tryxe.fun sasfyvuaseyzzs.cn # Reference: https://gist.github.com/kirk-sayre-work/1a7ec92ab9018ffac71ee5826de9aba8 http://193.233.233.92 http://91.193.43.96 # Reference: https://twitter.com/JAMESWT_MHT/status/1658779419043942402 # Reference: https://www.virustotal.com/gui/file/d885b84d8d8059451a119b32d164280284d428350d2bfcfaf7b84f1b2223a42a/detection 176.124.198.7:5222 alnama.net/realty/license.php itsupportadminguy.info/itsurjia/homeps.php /itsurjia/homeps.php # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-05-18%20NetSupport%20RAT%20IOCs rszee.top # Reference: https://threatfox.abuse.ch/ioc/1119451/ 77.105.146.153:5222 # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-05-23%20NetSupport%20RAT%20IOCs http://5.75.145.41 ergtu.top reubhh.fun sertte56gzxes.cn /rt.php?i=NOT-A-RESEARCHER # Reference: https://tria.ge/230526-gyq19sea99/behavioral11 91.215.85.180:5222 # Reference: https://twitter.com/JAMESWT_MHT/status/1662371119532318720 # Reference: https://tria.ge/230527-hj77nsba65/behavioral2 # Reference: https://www.virustotal.com/gui/file/faf9b23508c4445bf9017cacb3b4f08f39d0cd0cd48cc17156320abb6083d9c7/detection http://188.227.59.169 http://80.66.88.143 80.66.88.143:1935 golden-scalen.com xoomep1.com xoomep2.com # Reference: https://twitter.com/doc_guard/status/1668890440324579329 # Reference: https://www.virustotal.com/gui/file/7e9362b520bf227bfa1c152710b76b7ff83f41f4a7cae42bbb3cfa1473bb0edc/detection http://91.107.213.253 sizie.fun # Reference: https://www.virustotal.com/gui/file/0ab1ccca6453218c59fbff6aa2af85ec62a790bcf18426a86f12ba5fe9ed96b3/detection asuxtp.fun # Reference: https://www.virustotal.com/gui/file/2817e17cbaa3588d1f1d8fb8a371489693bbdea53a05a34fac71b41bf91e7081/detection fyzyxe.top # Reference: https://twitter.com/FirstWatchCyber/status/1678473223678074882 # Reference: https://www.virustotal.com/gui/ip-address/143.244.162.145/relations # Reference: https://www.virustotal.com/gui/ip-address/157.90.249.226/relations asfgze.fun digibi.fun regibd.fun sdguzx.fun ahmgbgjhdlmmlnf.top cmbefalcljjblia.top deediinlfifelek.top ejhbmdagngcglaf.top jenililhdcaegeg.top kiknaijcgclkdnl.top knifdjhlkchdaic.top nbjhllilknbjldk.top # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-07-13%20AsyncRAT%20IOCs prigze.top zegfze.top # Reference: https://gist.github.com/kirk-sayre-work/f9748c3cae156b56a0751679085b3f8e bisiv.top dubpv.top eovze.fun igsufb.top izrvb.top lvuse.top lvvmze.top sdifiv.top tvfzie.top vizhez.top # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-07-24%20AsyncRAT%20IOCs rigjz.fun # Reference: https://twitter.com/abuse_ch/status/1685911335719100416 # Reference: https://www.virustotal.com/gui/ip-address/176.111.174.101/relations # Reference: https://twitter.com/JAMESWT_MHT/status/1685921789539389440 # Reference: https://twitter.com/JAMESWT_MHT/status/1685923203141582848 # Reference: https://www.virustotal.com/gui/file/37cb07ef75c90beb2af9df3faf02283c71ef48cbffce24bcd46049b38939d26b/detection # Reference: https://www.virustotal.com/gui/file/5e6c05f47399616a63798cb40df75b90912f3dffa84b310ee26db960fc62522f/detection # Reference: https://www.virustotal.com/gui/file/b75b778b3ca3698225351e0e36376be5da90ec890f4dcf5db970a1f08d8ed37c/detection http://95.179.150.54 http://95.179.189.207 95.179.189.207:1313 95.179.150.54:1315 95.179.150.54:1414 archivde.xyz luckyday0728.org sambireact1.com sambireact2.com unclesrug31.com unclesrug32.com yeah07.online # Reference: https://www.virustotal.com/gui/file/c395a71bfd66e923a94cbdc32e5257e51e43b3262bdbd2c75afb36fefed9f3b8/detection http://94.158.247.27 94.158.247.27:5051 conluase62.com # Reference: https://twitter.com/x3ph1/status/1686554084294152192 94.158.247.23:5050 magydostravel.com # Reference: https://www.virustotal.com/gui/file/6318e4335b1098781e35d7464d20b7f92015e86f21c5aad3147e18d6bf9bba7d/detection http://94.158.244.41 # Reference: https://www.virustotal.com/gui/file/18f2356888cd0909399b77211c732a3f808b06b4fd740e32c5e8105193296706/detection http://91.215.85.176 91.215.85.176:5222 norominis1.com norominis2.com # Reference: https://bazaar.abuse.ch/sample/f5f167423d31cdd7e742d6ae85d6170f26203ec7496d4e098f9e16f40e864c0a/ # Reference: https://www.virustotal.com/gui/file/f5f167423d31cdd7e742d6ae85d6170f26203ec7496d4e098f9e16f40e864c0a/detection # Reference: https://www.virustotal.com/gui/file/845087bb407b34d8003174a3b63b6c50c7ab4b13ef81636b8344740bb7a8559c/detection http://185.225.75.33 185.225.75.33:443 # Reference: https://bazaar.abuse.ch/sample/933861b75227a3f4727b5872fa9da1b049e420632f8a9198987e8bfbaf7da9e6/ # Reference: https://www.virustotal.com/gui/file/5ffb5e9942492f15460e58660dd121b31d4065a133a6f8461554ea8af5c407aa/detection http://45.15.158.212 45.15.158.212:1412 jokosampbulid1.com jokosampbulid2.com # Reference: https://twitter.com/malware_traffic/status/1691546307683352576 # Reference: https://www.virustotal.com/gui/file/de3d0a11dec2e3b4afce991a690024e96dca389f8a0a3c6a65b559c9f1c12d59/detection http://94.156.6.111 94.156.6.111:443 xcelcareers.com # Reference: https://twitter.com/1ZRR4H/status/1692484935947563405 # Reference: https://www.virustotal.com/gui/ip-address/64.52.80.202/relations eyftze.top # Reference: https://www.virustotal.com/gui/file/38669dd5ccced3c29f3eb6bad7a04fbdc2cc81ea6f7c76b03cf1c4fee6c5f3f0/detection http://185.163.45.36 185.163.45.36:5051 # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-08-22%20AsyncRAT%20IOCs rigujze.fun # Reference: https://www.virustotal.com/gui/file/00c9a25198c62d243549a458be44f24a71bc999bdb279fc6336ddedeccf637a1/detection # Reference: https://threatfox.abuse.ch/ioc/1152573/ http://79.137.205.69 79.137.205.69:3725 falafelgoo1.com # Reference: https://www.virustotal.com/gui/file/cf4b26813e325da0c821da65e1417bea0045f8349204518b58381609b6662803/detection # Reference: https://www.virustotal.com/gui/file/8d0f88f0a641392f67dcba2a15d18dc3023bc3de35d6ed6e4664948ed928d36e/detection http://94.158.244.56 # Reference: https://www.virustotal.com/gui/file/9f5feccfcce9d5a6af03e983c7fce6a38cf40fd0cfc518a612c696c572ba2fd5/detection http://139.60.163.37 139.60.163.37:2940 pinustamilbe12.com # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-08-29%20AsyncRAT%20IOCs easdiv.top # Reference: https://twitter.com/0xToxin/status/1697254384932184572 # Reference: https://app.any.run/tasks/fc8794c8-ef16-4102-9be4-70b5745c08ab/ zpeifujz.top # Reference: https://gist.github.com/kirk-sayre-work/f3ff9633cea04c7eed5f00962a6a666d docusec.top eividsy.top euuvua3.top fahzza.fun fiauta.top fuzuci.top prizba.top rubize.top saifozi.fun sdfuzien.top secdoct.top sevyr.top # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-08-31%20NetSupport%20RAT%20IOCs # Reference: https://www.virustotal.com/gui/file/d4f6598a76b92b919bccac6394429a94e7e28da1a86d53e3cd5b204e9c9dc8a8/detection http://5.252.177.126 http://5.252.178.51 5.252.177.126:443 5.252.178.51:443 # Reference: https://www.virustotal.com/gui/file/9101403bb729cabebd79206aad130293890154cd7a6fba3417471a645ea3ef25/detection # Reference: https://www.virustotal.com/gui/file/1b74c1fcbe83096cd703bfe9343163894f3a0a83c3708edf97fac42c43ebee83/detection http://5.42.82.229 http://79.137.205.69 5.42.82.229:3725 79.137.205.69:3725 # Reference: https://www.virustotal.com/gui/file/343d63ff67300da163c035fd16eeaf73ca0d8b472725be1cf501addbc205c487/detection 79.137.202.177:3725 # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-09-05%20AsyncRAT%20IOCs sdfuvy.top # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-09-07%20AsyncRAT%20IOCs ehxevg.top # Reference: https://threatfox.abuse.ch/browse/malware/win.netsupportmanager_rat/ (# 2023-09-10) # Reference: https://www.virustotal.com/gui/file/cc625f2839019ee79af16b580a5248ea119e1a69411cd7498e68d0fb93257f32/detection http://5.39.110.142 http://5.79.72.218 http://91.92.242.229 5.39.110.142:1770 5.79.72.218:1770 91.92.242.229:443 pkvithtosh11.com pkvithtosh17.com # Reference: https://www.virustotal.com/gui/file/6a507c4b04ecd8052a518e77c2cadaf32b89018ae7bc7857b0b799c82c8fe23b/detection http://185.163.46.93 # Reference: https://www.virustotal.com/gui/file/4a9f42167f399abfbb42a5ee4d52922eb3f7f1ce88d23824f01d13e50609b8b9/detection http://94.158.245.150 # Reference: https://www.virustotal.com/gui/file/c38c08aa33317d483b8c3f2572189deffd054a8805d463ef2437d4e7aa458436/detection http://95.216.186.137 95.216.186.137:2701 dmforinenam17.com dmforinenam18.com # Reference: https://www.virustotal.com/gui/file/1a011068e00ff24aaef338efc5d21f51abbf47cf1f1006b1b79c78bc84b1d3c6/detection http://5.252.178.48 5.252.178.48:443 # Reference: https://threatfox.abuse.ch/ioc/1183943/ http://5.252.177.214 5.252.177.214:443 # Reference: https://threatfox.abuse.ch/browse/malware/win.netsupportmanager_rat/ (# 2023-10-12) http://5.252.177.111 5.252.177.111:443 sdjfnvnbbz.pw # Reference: https://twitter.com/reecdeep/status/1715053326859895210 # Reference: https://www.virustotal.com/gui/file/c418c883f8d85ed6de3ca033f925c29bf5f5ef4926d62e04d61b6c015dbeb841/detection # Reference: https://www.virustotal.com/gui/file/d4085ca36709f3b3a2d5a38cba70fbcd439dbc3be024c29829bfa10d8ef44f53/detection orivzije.top # Reference: https://twitter.com/x3ph1/status/1719115004530581756 # Reference: https://www.virustotal.com/gui/file/18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d/detection # Reference: https://www.virustotal.com/gui/file/2725bdb19861c6bd2d4156040473da04abe32c8701e6a7d0cbeeca8425127c10/detection http://185.163.47.243 185.163.47.243:443 # Reference: https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ # Reference: https://www.virustotal.com/gui/file/b910500a9fce47fa4db13b2ad2aea72f20df4743a66b6099fb4b9a4d71912e50/detection http://79.137.206.37 79.137.206.37:133 wsus-isv-internal.tech wsus-isv-local.tech # Reference: https://twitter.com/JAMESWT_MHT/status/1719446999420846529 # Reference: https://www.virustotal.com/gui/file/2a2d79f2b08ecfc76c536c2c9f17922f8272ada7ee318e359529a38d769973ac/detection # Reference: https://www.virustotal.com/gui/file/f21aea9606f94eba27674cfb40a4aeccd5c73577a3997e4687accc63eaa2efa7/detection sduyvzep.top /m0t3hg0h8uyx /wsjdfghd # Reference: https://twitter.com/reecdeep/status/1720122106854166900 # Reference: https://app.any.run/tasks/5139943d-a620-4a3b-a062-264460825126/ lzlzy4e.top # Reference: https://threatfox.abuse.ch/browse/malware/win.netsupportmanager_rat/ (# 2023-11-07) http://185.163.47.137 http://5.181.156.60 http://91.92.242.5 185.163.47.137:443 5.181.156.235:443 5.181.156.60:443 91.92.242.5:443 91.92.244.196:443 91.92.247.248:443 # Reference: https://www.virustotal.com/gui/file/48ff224a396a4583990cb16a88a555817bff10ffbd85597ad941c6d2f5e78dda/detection speedsupport.duckdns.org # Reference: https://twitter.com/JAMESWT_MHT/status/1727335614805078515 # Reference: https://www.virustotal.com/gui/file/3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b/detection http://185.225.17.47 185.225.17.47:136 glaciecrw.cfd huggertlow.top # Reference: https://twitter.com/1ZRR4H/status/1731019006318985352 # Reference: https://www.virustotal.com/gui/file/0fdc3d43677d406fb68b434d25a5757f5981ecc19ec616f8ddcd9126ba548014/detection 46.149.74.125:1061 andater393.net svanaten1.com svanaten2.com # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-12-22%20AsyncRAT%20IOCs # Reference: https://app.validin.com/axon?source=DNS&zone_filter=top&limit=100&type=ip&find=206.166.251.17 prozvegz.top sossoshn.top ruzivre.top # Reference: https://www.virustotal.com/gui/file/01caca23428e0f6d56feda4b411d989f4b0c8ad4dd28664f5f2b7de428b76004/detection http://194.38.21.53 194.38.21.53:1203 # Reference: https://threatfox.abuse.ch/browse/malware/win.netsupportmanager_rat/ (# 2024-01-24) 136.244.108.223:1411 152.89.218.212:443 185.163.46.93:443 185.26.239.180:443 45.61.147.162:3301 45.67.230.205:443 5.181.156.45:443 91.92.245.80:443 94.158.244.56:443 94.158.245.150:443 # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2024-01-23%20NetSupport%20RAT%20IOCs hsdiagnostico.com # Reference: https://twitter.com/1ZRR4H/status/1750170408463008120 # Reference: https://www.virustotal.com/gui/file/a04f3d2be0b51c4c302bc4b881ee6c6b507bc432272fc37d7c531060607e7932/detection blawx.com/letter.php defigmi.com/1/GetData.php core-click.net helasirasi.com helasiras1i13.com # Reference: https://www.virustotal.com/gui/file/09c64c1e380b08904417424f0335f960ae10bebb57dda489028084db71fb6a17/detection http://95.142.47.11 95.142.47.11:1203 # Reference: https://twitter.com/doc_guard/status/1764652970682048592/history # Reference: https://www.virustotal.com/gui/file/56fe0d3edd415c0ca1b7fc7bf960300e085465cd2a6d0ec3600191aac25a66e4/detection # Reference: https://www.virustotal.com/gui/file/7144b8408b3ad9ae2d035cf122f9311673a38e9f26177c3c12d390c68ecb54b4/detection http://79.132.130.233 79.132.130.233:443 compactgrill.hu # Reference: https://twitter.com/seguridadyredes/status/1767900519094235335 # Reference: https://twitter.com/1ZRR4H/status/1767915425097044097 # Reference: https://www.virustotal.com/gui/file/387b55861b370471596725c10e55a33e82834f711aa24b01cd23a9ac9f27a721/detection http://192.236.192.48 rahnoturkey.com nes.cosmopeople.in /nyhjkszpcccggjukfgnattexybnfgziizyh.txt # Reference: https://twitter.com/k3yp0d/status/1767934844061794764 # Reference: https://www.virustotal.com/gui/file/f72cb853fcec9002c9c5fb978bc5ebcd0e6d4b86cc4a778d5fd4c2c7dc619095/detection custompcadvisor.com # Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2024-03-21%20FakeUpdates_IOCs http://5.181.156.5 5.181.156.5:443 # Reference: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-03-27-IOCs-for-Google-ad-leading-to-Netsupport-RAT.txt http://45.155.249.55 45.155.249.55:443 # Generic trails /iplog/newg.php /JSX/testpost.php /fakeurl.htm