# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: netwiredrc, netwire, wirenet

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~NetWire-EK/detailed-analysis.aspx

mommyreal.ddns.net

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~NetWire-CC/detailed-analysis.aspx

wwfvpsv9.serveftp.com

# Reference: https://www.cyren.com/blog/articles/bad-things-come-in-pairs-3004

dinesaad.hopto.org

# Reference: https://twitter.com/James_inthe_box/status/1044616045560967168

cboss33.hopto.org

# Reference: https://twitter.com/James_inthe_box/status/1044365272675573760

natigr.ddns.net
projectadmin.camdvr.org

# Reference: https://twitter.com/James_inthe_box/status/1044231367347732480

ddns.catamosky.biz

# Reference: https://twitter.com/Racco42/status/1042056130577489928

lagos042.ddns.net
manuel3.publicvm.com

# Reference: https://twitter.com/VK_Intel/status/983940199603474432

snoopdmoney2018.sytes.net
snoopdmoneybkup.sytes.net

# Reference: https://www.virustotal.com/#/file/a095a7acda9c73fc89bfbc170bbec75a4572c75114e1687a7c212e9228915945/detection
# Reference: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3966&sid=a2bb410851e96a6bb24b90b65966112f&start=300#p32187

ola100.hopto.org

# Reference: https://twitter.com/malwrhunterteam/status/1106264932230852608

62.210.10.245:4000

# Reference: https://twitter.com/malwrhunterteam/status/1105163365209554951

amazonsprime.duckdns.org

# Reference: https://twitter.com/JAMESWT_MHT/status/1107630659957329921

leew.linkpc.net

# Reference: https://twitter.com/James_inthe_box/status/1022228835616473088

onetimeade.linkpc.net

# Reference: https://twitter.com/malwrhunterteam/status/1096760442133856256

jackas.gotdns.ch

# Reference: https://maskop9.tech/index.php/2019/01/30/analysis-of-netwiredrc-trojan/
# Reference: https://app.any.run/tasks/e1d7034b-c866-4cef-8d55-04405cd2a81d

109.230.199.103:3360

# Reference: https://twitter.com/James_inthe_box/status/1118217392851566593

havemercy.mooo.com

# Reference: https://twitter.com/malwrhunterteam/status/1122081049809432576

netzirecolq.gleeze.com

# Reference: https://twitter.com/MalwareConfig/status/748754926319181824

socratecafu.zapto.org

# Reference: https://twitter.com/MalwareConfig/status/748754880869707776

monarch01.no-ip.org

# Reference: https://twitter.com/MalwareConfig/status/748625532993019904
# Reference: https://malwareconfig.com/config/d5ce94e9264321d398767c1e3d1a5835/

46.244.10.196:3480

# Reference: https://twitter.com/MalwareConfig/status/748625240486477825

jack.redirectme.net

# Reference: https://twitter.com/Jouliok/status/1123141238197248001
# Reference: https://app.any.run/tasks/9de6804d-2e31-4f55-a225-d99191196803

duc1234.duckdns.org
91.192.100.57:32144

# Reference: https://twitter.com/ps66uk/status/1104050986031767552
# Reference: https://app.any.run/tasks/4b6c4b34-7bc3-41ca-8a35-78399db8e591
# Reference: https://twitter.com/wwp96/status/1165981094958784513
# Reference: https://app.any.run/tasks/6158df64-fbd4-4ca1-a447-c2464ba3a063/

akconsult.linkpc.net
105.112.51.164:2014
185.84.181.94:2018

# Reference: https://twitter.com/luc4m/status/1092365190497255424

checker00.gotdns.ch

# Reference: https://twitter.com/luc4m/status/1072888268528779264

pd1n.ddns.net

# Reference: https://twitter.com/Racco42/status/1062633238802378752

wealthyadmin.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1059464666672332800

favor.duckdns.org

# Reference: https://twitter.com/Racco42/status/1057317617260736513

godalmighty.ddns.net

# Reference: https://twitter.com/ps66uk/status/1050043711135068161

185.101.93.198:8681

# Reference: https://twitter.com/James_inthe_box/status/1115624726695514113

masterhugo231.servecounterstrike.com

# Reference: https://twitter.com/James_inthe_box/status/1065330244746268672

185.84.181.80:3360

# Reference: https://twitter.com/avman1995/status/1060818874789179392

ddns.unknajiamu.xyz

# Reference: https://twitter.com/pollo290987/status/907273472786812928

199.16.199.2:36133

# Reference: https://twitter.com/JAMESWT_MHT/status/906146267763486720

egonbute.duckdns.org

# Reference: https://twitter.com/Antelox/status/894901722497208321

192.223.25.72:1777

# Reference: https://twitter.com/JayTHL/status/751123206468046848

businessdb3.duckdns.org

# Reference: https://twitter.com/malware_traffic/status/714819056218406914

marchborn.no-ip.biz

# Reference: https://twitter.com/James_inthe_box/status/1123236500311724032

bazwire.sytes.net

# Reference: https://twitter.com/fe7ch/status/1126132771800395777

usb.mine.nu
message-whatsapp.com
zr.webhop.org
enz.webhop.org

# Reference: https://twitter.com/Racco42/status/1132935875430670337
# Reference: https://twitter.com/Racco42/status/1136593634650927105

96.47.239.229:3999

# Reference: https://twitter.com/James_inthe_box/status/1133344506814668800

160.116.15.155:3360

# Reference: https://twitter.com/raby_mr/status/1136889525060325376
# Reference: https://app.any.run/tasks/03268b84-b31c-4a32-a87b-95e7aa4cf8a9/

102.165.38.139:33
heritage.nflfan.org

# Reference: https://www.fireeye.com/blog/threat-research/2014/04/crimeware-or-apt-malwares-fifty-shades-of-grey.html

c0der.zapto.org
rglink77.no-ip.biz

# Reference: https://twitter.com/James_inthe_box/status/1138454939045453825

enginekeys.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1140571341344538625

duc1234.duckdns.org

# Reference: https://twitter.com/daphiel/status/1141625032801693696 (# CVE-2019-11707)
# Reference: https://twitter.com/cybsecbot/status/1141610397931323393
# Reference: https://www.virustotal.com/gui/file/07a4e04ee8b4c8dc0f7507f56dc24db00537d4637afee43dbb9357d4d54f6ff4/detection (# OSX Netwire/Wirenet)

185.49.69.210:80 
89.34.111.113:443
a678157.oicp.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1142038342583894017

packgeddhl.myddns.me

# Reference: https://twitter.com/HerbieZimmerman/status/1142085603368079361
# Reference: https://app.any.run/tasks/f61c3c81-52aa-4e11-b746-c7c27bc3b7f4/

gojust.publicvm.com

# Reference: https://twitter.com/killamjr/status/1145110513371820033
# Reference: https://twitter.com/killamjr/status/1145114752890413057

185.247.228.73:9510

# Reference: https://pastebin.com/S4ggik78

maxmini.duckdns.org

# Reference: https://twitter.com/killamjr/status/1146521318503964678
# Reference: https://app.any.run/tasks/1c48f325-f211-4442-8cd4-03ed4cd9e538/

88.208.246.122:4110
longman001.chickenkiller.com

# Reference: https://twitter.com/James_inthe_box/status/1146468739493199873

chance2019.ddns.net

# Reference: https://twitter.com/DynamicAnalysis/status/1148316218199334912

69.30.232.86:2030
docusmart.hopto.org

# Reference: https://twitter.com/James_inthe_box/status/1148966237684133888

mickeyjones.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1149004873653899264

haroldberry1.mooo.com

# Reference: https://twitter.com/JayTHL/status/1149014369642172418

fada101.servehttp.com

# Reference: https://twitter.com/dvk01uk/status/1149610977219846149
# Reference: https://app.any.run/tasks/7e3d8fe0-fc60-4525-9351-4240177616d4/

160.202.163.246:6969
microsoft.btc-crypto-rewards.cash

# Reference: https://twitter.com/Racco42/status/1158729618389643264
# Reference: https://app.any.run/tasks/3e1c3fc4-166c-4164-afc5-f34bb3a066c7/

213.227.155.190:5868
halwachi50.mymediapc.net

# Reference: https://twitter.com/James_inthe_box/status/1164299477127028736

23.105.131.221:6050

# Reference: https://twitter.com/James_inthe_box/status/1164964895764299776

204.152.219.82:9008

# Reference: https://twitter.com/de_aviation/status/1097547526763433985

beltalus.ns1.name
maxmini.duckdns.org

# Reference: https://twitter.com/JAMESWT_MHT/status/1169168426750894081
# Reference: https://app.any.run/tasks/abb12ce8-d6c6-4cf9-a9d6-8ad22d6cd2e1/

79.134.225.61:5552
info1.nowddns.com

# Reference: https://twitter.com/P3pperP0tts/status/1169905372359839745
# Reference: https://app.any.run/tasks/751de56d-4df8-478f-92da-931edaf643bb/
# Reference: https://app.any.run/tasks/3f018342-f6f0-4908-b0c8-f54e1d250463/

79.134.225.103:39560
wealthyblessed.warzonedns.com

# Reference: https://twitter.com/P3pperP0tts/status/1169905372359839745
# Reference: https://app.any.run/tasks/98de7c91-253e-4a55-aa90-51720e2bef92/

79.134.225.61:5552
info1.nowddns.com

# Reference: https://twitter.com/P3pperP0tts/status/1169905372359839745
# Reference: https://app.any.run/tasks/6f2eca0b-e39d-48f8-a132-e4ad2d597c2b/
# Reference: https://app.any.run/tasks/6ee3328e-fd0b-4fa1-9292-c5d0fae7fd1f/

103.200.6.79:39760
melvintravel.ddns.net

# Reference: https://twitter.com/KorbenD_Intel/status/1169996681259245569

netwire.daniel2you.com

# Reference: https://twitter.com/0xFrost/status/1174391265707941889
# Reference: https://app.any.run/tasks/96dd442a-86e8-4c2b-9a33-401a04d58c5d/

103.200.5.128:39460

# Reference: https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing.html

185.165.153.219:3366
gbam0001.duckdns.org

# Reference: https://twitter.com/wwp96/status/1178693615440277504
# Reference: https://app.any.run/tasks/883bcaa9-150d-4e66-b107-6c6676f222e3/

185.217.1.148:5868
halwachi50.mymediapc.net

# Reference: https://twitter.com/0xFrost/status/1179128508817260545

trippleboss.warzonedns.com

# Reference: https://twitter.com/wwp96/status/1181651448439791616

rownip.mooo.com
rownip.dyndnss.net
rowanyne.ooo
rownip.eastus.cloudapp.azure.com
rownip.eastus2.cloudapp.azure.com 
rownip.tk
rownip.webredirect.org

# Reference: https://twitter.com/w3ndige/status/1171159313865465856
# Reference: https://app.any.run/tasks/5d43972b-352b-4e1d-b856-90c7176205b4/

109.202.103.170:8733
109.202.107.10:8733
213.152.161.229:8733