# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://www.malware-traffic-analysis.net/2018/07/05/index.html desjardinscourriel818654.pw # Reference: https://app.any.run/tasks/9de1c3d6-745d-4b89-b653-f8f4414a40f1 desjardinsmail6as6545g.pw # Reference: https://twitter.com/James_inthe_box/status/1099365566928760834 # Reference: https://pastebin.com/C5XYY221 # Reference: https://www.virustotal.com/gui/ip-address/77.83.174.70/relations http://77.83.174.70 77.83.174.70:2077 thedokatrade.com highnoon2.com copylanco.com glekrg.com # Reference: https://twitter.com/James_inthe_box/status/1079757827030142976 # Reference: https://www.virustotal.com/gui/ip-address/5.45.73.63/relations http://5.45.73.63 5.45.73.63:2131 donbwh.com # Reference: https://twitter.com/BroadAnalysis/status/967357851520897024 http://94.242.198.167 ebalodauna1488.com printscreens.info # Reference: https://twitter.com/JAMESWT_MHT/status/927523630778650627 bmwfastcar1337.com # Reference: https://twitter.com/anyrun_app/status/912276794648272897 # Reference: https://app.any.run/tasks/f1a72d72-2e96-4d8b-9ad7-1f74e162d585 overwbuff.com http://195.123.211.9 195.123.211.9:13378 # Reference: https://twitter.com/JAMESWT_MHT/status/906086386377379845 pudgenormpers.com # Reference: https://twitter.com/VK_Intel/status/1135507293573931008 # Reference: https://www.virustotal.com/gui/file/11918aadc1e4942a1e458afab5c10971fb87d84b693b2c31f5497aa289fa20da/detection 176.119.30.142:8765 # Reference: https://twitter.com/VK_Intel/status/1143606935373172736 31.7.62.214:443 # Reference: https://twitter.com/JAMESWT_MHT/status/1166106371403763714 179.43.146.90:443 # Reference: https://twitter.com/James_inthe_box/status/1178692652700590085 http://179.43.159.246 # Reference: https://www.fireeye.com/blog/threat-research/2019/10/head-fake-tackling-disruptive-ransomware-attacks.html # Reference: https://otx.alienvault.com/pulse/5d9378b8f36a91c436c5f93c track.amishbrand.com gnf6.ruscacademy.in backup.awarfaregaming.com link.easycounter210.com # Reference: https://habr.com/ru/company/pt/blog/471960/ (Russian) 185.225.17.66:443 # Reference: https://twitter.com/P3pperP0tts/status/1188946654768091136 http://179.43.146.90 # Reference: https://pastebin.com/iqcg0Ys7 http://185.225.19.35 # Reference: http://broadanalysis4.rssing.com/chan-65366183/latest.php http://91.243.80.120 http://94.242.198.167 179.43.191.122:2259 31.31.196.204:1488 94.242.198.167:1488 ebalodauna1488.com printscreens.info # Reference: https://twitter.com/tkanalyst/status/1196033182694379527 http://103.16.228.173 # Reference: https://twitter.com/VK_Intel/status/1196136022658207750 # Reference: https://www.virustotal.com/gui/ip-address/94.158.245.91/relations 94.158.245.91:1488 ololoev.duckdns.org # Reference: https://twitter.com/James_inthe_box/status/1199078758298206208 5.181.156.36:1321 # Reference: https://twitter.com/VK_Intel/status/1224647173872193538 gjuauyfhjha.cn sasggegzui.cn # Reference: https://twitter.com/JAMESWT_MHT/status/1222152295724593152 103.16.228.173:1488 # Reference: https://app.any.run/tasks/32eeb667-b66b-4dea-b343-ae43941f7b20/ micrdata.com safuuf7774.pw wobada.com # Reference: https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/ # Reference: https://github.com/pan-unit42/iocs/blob/master/NetSupportManager http://185.163.45.88 http://94.158.245.182 94.158.245.182:443 unclebillswv.com/verisign.php firstteamcareer.com/user.php busyserviceinc.com/webdoc.php edisonlee.net/maildir.phpq newtontool.ca/wp-contents.php brotherselectricco.com/host.php innovativemasonry.net/hostgator-welcome.php greenheartmed.org/captcha.php ultraeventgroup.com/wp-element.php jnachb.com/wp-comment.php adroitpmps.com/wp-list.php ledampenergy.net/wp-comment.php hostfleek.com/backup.msi alpinehandlingsystems.com/backup.msi jintsung.cn 4ourkidsky.com # Reference: https://twitter.com/killamjr/status/1234547286807584773 http://185.163.45.118 # Reference: https://twitter.com/malwrhunterteam/status/1236215722885464064 # Reference: https://www.virustotal.com/gui/file/870972fabfb6c59f1c3959cea9201d3c4d48756585970de869d063ec69983ab8/detection http://23.227.207.138 23.227.207.138:12233 browserinstallup.com # Reference: https://twitter.com/jcarndt/status/1241090163008307206 # Reference: https://app.any.run/tasks/b46069d5-ec22-481e-af2b-c14474978f79/ tardigradeventures.com # Reference: https://www.virustotal.com/gui/file/1a08a65d4199f08d60644f2aee1182d87f29b36d38257239e5c80965ed65e0d1/detection # Reference: https://twitter.com/olihough86/status/1243561290439839745 # Reference: https://app.any.run/tasks/aa3e41ee-b1c0-4333-939e-e4199c1daa56/ http://5.181.156.14 5.181.156.14:443 covidpreventandcure.com komnop.com # Reference: https://unit42.paloaltonetworks.com/how-cybercriminals-prey-on-the-covid-19-pandemic/ (# NetSupportManagerRAT) covidpreventandcure.com covidwhereandhow.xyz # Reference: https://twitter.com/malwrhunterteam/status/1255849588788953088 62.173.145.56:2721 avheaven.icu bssupport.duckdns.org # Reference: https://twitter.com/JAMESWT_MHT/status/1260492238758588419 # Reference: https://app.any.run/tasks/0b4ce298-496a-4b15-9e94-0fbbb616422e/ 62.173.154.94:2145 avheaven.space brassaffid.com # Reference: https://twitter.com/jcarndt/status/1275108512046211074 # Reference: https://app.any.run/tasks/c9e195d3-227c-480a-8515-1cdadcf29485/ membersonlytraining.com # Reference: https://app.any.run/tasks/cc3ac8a1-394f-4488-89e1-6107017b2360/ http://45.133.245.57 # Reference: https://twitter.com/JAMESWT_MHT/status/1285170628656615424 # Reference: https://bazaar.abuse.ch/sample/8ab3b9367304dccac78095808260417a46c0f37720051592b9a32ba3b030743d # Reference: https://www.virustotal.com/gui/file/68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345/detection http://62.173.138.41 62.173.138.41:2071 numienimfe2.com ysanhumeg1.com # Reference: https://www.virustotal.com/gui/file/72a908033a308ec5da4e384c2c6efb33405afc50688033849783267e6fb1bddc/detection http://5.45.74.219 # Reference: https://www.virustotal.com/gui/file/86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b/detection http://45.133.245.192 # Generic trails /iplog/newg.php /JSX/testpost.php /fakeurl.htm