# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.malware-traffic-analysis.net/2018/07/05/index.html

desjardinscourriel818654.pw

# Reference: https://app.any.run/tasks/9de1c3d6-745d-4b89-b653-f8f4414a40f1

desjardinsmail6as6545g.pw

# Reference: https://twitter.com/James_inthe_box/status/1099365566928760834
# Reference: https://pastebin.com/C5XYY221
# Reference: https://www.virustotal.com/gui/ip-address/77.83.174.70/relations

http://77.83.174.70
77.83.174.70:2077
thedokatrade.com
highnoon2.com
copylanco.com
glekrg.com

# Reference: https://twitter.com/James_inthe_box/status/1079757827030142976
# Reference: https://www.virustotal.com/gui/ip-address/5.45.73.63/relations

http://5.45.73.63
5.45.73.63:2131
donbwh.com

# Reference: https://twitter.com/BroadAnalysis/status/967357851520897024

http://94.242.198.167
ebalodauna1488.com
printscreens.info

# Reference: https://twitter.com/JAMESWT_MHT/status/927523630778650627

bmwfastcar1337.com

# Reference: https://twitter.com/anyrun_app/status/912276794648272897
# Reference: https://app.any.run/tasks/f1a72d72-2e96-4d8b-9ad7-1f74e162d585

overwbuff.com
http://195.123.211.9
195.123.211.9:13378

# Reference: https://twitter.com/JAMESWT_MHT/status/906086386377379845

pudgenormpers.com

# Reference: https://twitter.com/VK_Intel/status/1135507293573931008
# Reference: https://www.virustotal.com/gui/file/11918aadc1e4942a1e458afab5c10971fb87d84b693b2c31f5497aa289fa20da/detection

176.119.30.142:8765

# Reference: https://twitter.com/VK_Intel/status/1143606935373172736

31.7.62.214:443

# Reference: https://twitter.com/JAMESWT_MHT/status/1166106371403763714

179.43.146.90:443

# Reference: https://twitter.com/James_inthe_box/status/1178692652700590085

http://179.43.159.246

# Reference: https://www.fireeye.com/blog/threat-research/2019/10/head-fake-tackling-disruptive-ransomware-attacks.html
# Reference: https://otx.alienvault.com/pulse/5d9378b8f36a91c436c5f93c

track.amishbrand.com
gnf6.ruscacademy.in
backup.awarfaregaming.com
link.easycounter210.com

# Reference: https://habr.com/ru/company/pt/blog/471960/ (Russian)

185.225.17.66:443

# Reference: https://twitter.com/P3pperP0tts/status/1188946654768091136

http://179.43.146.90

# Reference: https://pastebin.com/iqcg0Ys7

http://185.225.19.35

# Reference: http://broadanalysis4.rssing.com/chan-65366183/latest.php

http://91.243.80.120
http://94.242.198.167
179.43.191.122:2259
31.31.196.204:1488
94.242.198.167:1488
ebalodauna1488.com
printscreens.info

# Reference: https://twitter.com/tkanalyst/status/1196033182694379527

http://103.16.228.173

# Reference: https://twitter.com/VK_Intel/status/1196136022658207750
# Reference: https://www.virustotal.com/gui/ip-address/94.158.245.91/relations

94.158.245.91:1488
ololoev.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1199078758298206208

5.181.156.36:1321

# Reference: https://twitter.com/VK_Intel/status/1224647173872193538

gjuauyfhjha.cn
sasggegzui.cn

# Reference: https://twitter.com/JAMESWT_MHT/status/1222152295724593152

103.16.228.173:1488

# Reference: https://app.any.run/tasks/32eeb667-b66b-4dea-b343-ae43941f7b20/

micrdata.com
safuuf7774.pw
wobada.com

# Reference: https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/
# Reference: https://github.com/pan-unit42/iocs/blob/master/NetSupportManager

http://185.163.45.88
http://94.158.245.182
94.158.245.182:443
unclebillswv.com/verisign.php
firstteamcareer.com/user.php
busyserviceinc.com/webdoc.php
edisonlee.net/maildir.phpq
newtontool.ca/wp-contents.php
brotherselectricco.com/host.php
innovativemasonry.net/hostgator-welcome.php
greenheartmed.org/captcha.php
ultraeventgroup.com/wp-element.php
jnachb.com/wp-comment.php
adroitpmps.com/wp-list.php
ledampenergy.net/wp-comment.php
hostfleek.com/backup.msi
alpinehandlingsystems.com/backup.msi
jintsung.cn
4ourkidsky.com

# Reference: https://twitter.com/killamjr/status/1234547286807584773

http://185.163.45.118

# Reference: https://twitter.com/malwrhunterteam/status/1236215722885464064
# Reference: https://www.virustotal.com/gui/file/870972fabfb6c59f1c3959cea9201d3c4d48756585970de869d063ec69983ab8/detection

http://23.227.207.138
23.227.207.138:12233
browserinstallup.com

# Reference: https://twitter.com/jcarndt/status/1241090163008307206
# Reference: https://app.any.run/tasks/b46069d5-ec22-481e-af2b-c14474978f79/

tardigradeventures.com

# Reference: https://www.virustotal.com/gui/file/1a08a65d4199f08d60644f2aee1182d87f29b36d38257239e5c80965ed65e0d1/detection
# Reference: https://twitter.com/olihough86/status/1243561290439839745
# Reference: https://app.any.run/tasks/aa3e41ee-b1c0-4333-939e-e4199c1daa56/

http://5.181.156.14
5.181.156.14:443
covidpreventandcure.com
komnop.com

# Reference: https://unit42.paloaltonetworks.com/how-cybercriminals-prey-on-the-covid-19-pandemic/ (# NetSupportManagerRAT)

covidpreventandcure.com
covidwhereandhow.xyz

# Reference: https://twitter.com/malwrhunterteam/status/1255849588788953088

62.173.145.56:2721
avheaven.icu
bssupport.duckdns.org

# Reference: https://twitter.com/JAMESWT_MHT/status/1260492238758588419
# Reference: https://app.any.run/tasks/0b4ce298-496a-4b15-9e94-0fbbb616422e/

62.173.154.94:2145
avheaven.space
brassaffid.com

# Reference: https://twitter.com/jcarndt/status/1275108512046211074
# Reference: https://app.any.run/tasks/c9e195d3-227c-480a-8515-1cdadcf29485/

membersonlytraining.com

# Reference: https://app.any.run/tasks/cc3ac8a1-394f-4488-89e1-6107017b2360/

http://45.133.245.57

# Reference: https://twitter.com/JAMESWT_MHT/status/1285170628656615424
# Reference: https://bazaar.abuse.ch/sample/8ab3b9367304dccac78095808260417a46c0f37720051592b9a32ba3b030743d
# Reference: https://www.virustotal.com/gui/file/68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345/detection

http://62.173.138.41
62.173.138.41:2071
numienimfe2.com
ysanhumeg1.com

# Reference: https://www.virustotal.com/gui/file/72a908033a308ec5da4e384c2c6efb33405afc50688033849783267e6fb1bddc/detection

http://5.45.74.219

# Reference: https://www.virustotal.com/gui/file/86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b/detection

http://45.133.245.192

# Reference: https://twitter.com/malware_traffic/status/1321482374044069888

http://46.17.106.230
46.17.106.230:3543

# Reference: https://www.virustotal.com/gui/file/8781b76845a95237e38d007e1ce0c5743e3eb95717e13b85a6b2a963cf4c0d2d/detection
# Reference: https://www.virustotal.com/gui/file/5f7f2f6e7ed3cc8243fad060f0b64267ceb629456eab62215847419eb7f4494e/detection

192.169.6.95:3294
http://192.169.6.95
http://45.138.172.158

# Reference: https://twitter.com/cyb3rops/status/1372941834104807426
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SunBurst/SilverFish_Solarwinds.pdf

mgdsoufjgh4hgba.xyz
nefvnvudygct4.xyz
huntaget.cn
moreeu.cn
moreofit.cn
torpoa.cn

# Reference: https://www.virustotal.com/gui/file/2add4e3f9acd88b53c97989b309bccdf35456c444d7b4436bd0b9b04f1d16cf4/detection

http://88.119.171.110
88.119.171.110:443

# Generic trails

/iplog/newg.php
/JSX/testpost.php
/fakeurl.htm