# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.malware-traffic-analysis.net/2018/07/05/index.html

desjardinscourriel818654.pw

# Reference: https://app.any.run/tasks/9de1c3d6-745d-4b89-b653-f8f4414a40f1

desjardinsmail6as6545g.pw

# Reference: https://twitter.com/James_inthe_box/status/1099365566928760834
# Reference: https://pastebin.com/C5XYY221
# Reference: https://www.virustotal.com/gui/ip-address/77.83.174.70/relations

http://77.83.174.70
77.83.174.70:2077
thedokatrade.com
highnoon2.com
copylanco.com
glekrg.com

# Reference: https://twitter.com/James_inthe_box/status/1079757827030142976
# Reference: https://www.virustotal.com/gui/ip-address/5.45.73.63/relations

http://5.45.73.63
5.45.73.63:2131
donbwh.com

# Reference: https://twitter.com/BroadAnalysis/status/967357851520897024

http://94.242.198.167
ebalodauna1488.com
printscreens.info

# Reference: https://twitter.com/JAMESWT_MHT/status/927523630778650627

bmwfastcar1337.com

# Reference: https://twitter.com/anyrun_app/status/912276794648272897
# Reference: https://app.any.run/tasks/f1a72d72-2e96-4d8b-9ad7-1f74e162d585

overwbuff.com
http://195.123.211.9
195.123.211.9:13378

# Reference: https://twitter.com/JAMESWT_MHT/status/906086386377379845

pudgenormpers.com

# Reference: https://twitter.com/VK_Intel/status/1135507293573931008
# Reference: https://www.virustotal.com/gui/file/11918aadc1e4942a1e458afab5c10971fb87d84b693b2c31f5497aa289fa20da/detection

176.119.30.142:8765

# Reference: https://twitter.com/VK_Intel/status/1143606935373172736

31.7.62.214:443

# Reference: https://twitter.com/JAMESWT_MHT/status/1166106371403763714

179.43.146.90:443

# Reference: https://twitter.com/James_inthe_box/status/1178692652700590085

http://179.43.159.246

# Reference: https://www.fireeye.com/blog/threat-research/2019/10/head-fake-tackling-disruptive-ransomware-attacks.html
# Reference: https://otx.alienvault.com/pulse/5d9378b8f36a91c436c5f93c

track.amishbrand.com
gnf6.ruscacademy.in
backup.awarfaregaming.com
link.easycounter210.com

# Reference: https://habr.com/ru/company/pt/blog/471960/ (Russian)

185.225.17.66:443

# Reference: https://twitter.com/P3pperP0tts/status/1188946654768091136

http://179.43.146.90

# Reference: https://pastebin.com/iqcg0Ys7

http://185.225.19.35

# Reference: http://broadanalysis4.rssing.com/chan-65366183/latest.php

http://91.243.80.120
http://94.242.198.167
179.43.191.122:2259
31.31.196.204:1488
94.242.198.167:1488
ebalodauna1488.com
printscreens.info

# Reference: https://twitter.com/tkanalyst/status/1196033182694379527

http://103.16.228.173

# Reference: https://twitter.com/VK_Intel/status/1196136022658207750
# Reference: https://www.virustotal.com/gui/ip-address/94.158.245.91/relations

94.158.245.91:1488
ololoev.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1199078758298206208

5.181.156.36:1321

# Reference: https://twitter.com/VK_Intel/status/1224647173872193538

gjuauyfhjha.cn
sasggegzui.cn

# Reference: https://twitter.com/JAMESWT_MHT/status/1222152295724593152

103.16.228.173:1488

# Reference: https://app.any.run/tasks/32eeb667-b66b-4dea-b343-ae43941f7b20/

micrdata.com
safuuf7774.pw
wobada.com

# Reference: https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/
# Reference: https://github.com/pan-unit42/iocs/blob/master/NetSupportManager

http://185.163.45.88
http://94.158.245.182
94.158.245.182:443
http://unclebillswv.com/verisign.php
http://www.firstteamcareer.com/user.php
http://busyserviceinc.com/webdoc.php
http://edisonlee.net/maildir.phpq
http://newtontool.ca/wp-contents.php
http://brotherselectricco.com/host.php
http://innovativemasonry.net/hostgator-welcome.php
http://greenheartmed.org/captcha.php
http://ultraeventgroup.com/wp-element.php
http://jnachb.com/wp-comment.php
http://adroitpmps.com/wp-list.php
http://ledampenergy.net/wp-comment.php
http://hostfleek.com/backup.msi
http://alpinehandlingsystems.com/backup.msi
jintsung.cn
4ourkidsky.com

# Reference: https://twitter.com/killamjr/status/1234547286807584773

http://185.163.45.118

# Reference: https://twitter.com/malwrhunterteam/status/1236215722885464064
# Reference: https://www.virustotal.com/gui/file/870972fabfb6c59f1c3959cea9201d3c4d48756585970de869d063ec69983ab8/detection

http://23.227.207.138
23.227.207.138:12233
browserinstallup.com

# Reference: https://twitter.com/jcarndt/status/1241090163008307206
# Reference: https://app.any.run/tasks/b46069d5-ec22-481e-af2b-c14474978f79/

tardigradeventures.com

# Reference: https://www.virustotal.com/gui/file/1a08a65d4199f08d60644f2aee1182d87f29b36d38257239e5c80965ed65e0d1/detection
# Reference: https://twitter.com/olihough86/status/1243561290439839745
# Reference: https://app.any.run/tasks/aa3e41ee-b1c0-4333-939e-e4199c1daa56/

http://5.181.156.14
5.181.156.14:443
covidpreventandcure.com
komnop.com

# Generic trails

/iplog/newg.php
/JSX/testpost.php
/fakeurl.htm