# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: netwiredrc, netwire, wirenet # Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~NetWire-EK/detailed-analysis.aspx mommyreal.ddns.net # Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~NetWire-CC/detailed-analysis.aspx wwfvpsv9.serveftp.com # Reference: https://www.cyren.com/blog/articles/bad-things-come-in-pairs-3004 dinesaad.hopto.org # Reference: https://twitter.com/James_inthe_box/status/1044616045560967168 cboss33.hopto.org # Reference: https://twitter.com/James_inthe_box/status/1044365272675573760 natigr.ddns.net projectadmin.camdvr.org # Reference: https://twitter.com/James_inthe_box/status/1044231367347732480 ddns.catamosky.biz # Reference: https://twitter.com/Racco42/status/1042056130577489928 lagos042.ddns.net manuel3.publicvm.com # Reference: https://twitter.com/VK_Intel/status/983940199603474432 snoopdmoney2018.sytes.net snoopdmoneybkup.sytes.net # Reference: https://www.virustotal.com/#/file/a095a7acda9c73fc89bfbc170bbec75a4572c75114e1687a7c212e9228915945/detection # Reference: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3966&sid=a2bb410851e96a6bb24b90b65966112f&start=300#p32187 ola100.hopto.org # Reference: https://twitter.com/malwrhunterteam/status/1106264932230852608 62.210.10.245:4000 # Reference: https://twitter.com/malwrhunterteam/status/1105163365209554951 amazonsprime.duckdns.org # Reference: https://twitter.com/JAMESWT_MHT/status/1107630659957329921 leew.linkpc.net # Reference: https://twitter.com/James_inthe_box/status/1022228835616473088 onetimeade.linkpc.net # Reference: https://twitter.com/malwrhunterteam/status/1096760442133856256 jackas.gotdns.ch # Reference: https://maskop9.tech/index.php/2019/01/30/analysis-of-netwiredrc-trojan/ # Reference: https://app.any.run/tasks/e1d7034b-c866-4cef-8d55-04405cd2a81d 109.230.199.103:3360 # Reference: https://twitter.com/James_inthe_box/status/1118217392851566593 havemercy.mooo.com # Reference: https://twitter.com/malwrhunterteam/status/1122081049809432576 netzirecolq.gleeze.com # Reference: https://twitter.com/MalwareConfig/status/748754926319181824 socratecafu.zapto.org # Reference: https://twitter.com/MalwareConfig/status/748754880869707776 monarch01.no-ip.org # Reference: https://twitter.com/MalwareConfig/status/748625532993019904 # Reference: https://malwareconfig.com/config/d5ce94e9264321d398767c1e3d1a5835/ 46.244.10.196:3480 # Reference: https://twitter.com/MalwareConfig/status/748625240486477825 jack.redirectme.net # Reference: https://twitter.com/Jouliok/status/1123141238197248001 # Reference: https://app.any.run/tasks/9de6804d-2e31-4f55-a225-d99191196803 duc1234.duckdns.org 91.192.100.57:32144 # Reference: https://twitter.com/ps66uk/status/1104050986031767552 # Reference: https://app.any.run/tasks/4b6c4b34-7bc3-41ca-8a35-78399db8e591 # Reference: https://twitter.com/wwp96/status/1165981094958784513 # Reference: https://app.any.run/tasks/6158df64-fbd4-4ca1-a447-c2464ba3a063/ # Reference: https://twitter.com/killamjr/status/1192062400960315397 # Reference: https://app.any.run/tasks/48f13dd2-c3e2-4940-a1ac-dbb9a482cd10/ akconsult.linkpc.net 105.112.51.164:2014 185.84.181.94:2018 197.211.58.186:2014 # Reference: https://twitter.com/luc4m/status/1092365190497255424 checker00.gotdns.ch # Reference: https://twitter.com/luc4m/status/1072888268528779264 pd1n.ddns.net # Reference: https://twitter.com/Racco42/status/1062633238802378752 wealthyadmin.ddns.net # Reference: https://twitter.com/James_inthe_box/status/1059464666672332800 favor.duckdns.org # Reference: https://twitter.com/Racco42/status/1057317617260736513 godalmighty.ddns.net # Reference: https://twitter.com/ps66uk/status/1050043711135068161 185.101.93.198:8681 # Reference: https://twitter.com/James_inthe_box/status/1115624726695514113 masterhugo231.servecounterstrike.com # Reference: https://twitter.com/James_inthe_box/status/1065330244746268672 185.84.181.80:3360 # Reference: https://twitter.com/avman1995/status/1060818874789179392 ddns.unknajiamu.xyz # Reference: https://twitter.com/pollo290987/status/907273472786812928 199.16.199.2:36133 # Reference: https://twitter.com/JAMESWT_MHT/status/906146267763486720 egonbute.duckdns.org # Reference: https://twitter.com/Antelox/status/894901722497208321 192.223.25.72:1777 # Reference: https://twitter.com/JayTHL/status/751123206468046848 businessdb3.duckdns.org # Reference: https://twitter.com/malware_traffic/status/714819056218406914 marchborn.no-ip.biz # Reference: https://twitter.com/James_inthe_box/status/1123236500311724032 bazwire.sytes.net # Reference: https://twitter.com/fe7ch/status/1126132771800395777 usb.mine.nu message-whatsapp.com zr.webhop.org enz.webhop.org # Reference: https://twitter.com/Racco42/status/1132935875430670337 # Reference: https://twitter.com/Racco42/status/1136593634650927105 96.47.239.229:3999 # Reference: https://twitter.com/James_inthe_box/status/1133344506814668800 160.116.15.155:3360 # Reference: https://twitter.com/raby_mr/status/1136889525060325376 # Reference: https://app.any.run/tasks/03268b84-b31c-4a32-a87b-95e7aa4cf8a9/ 102.165.38.139:33 heritage.nflfan.org # Reference: https://www.fireeye.com/blog/threat-research/2014/04/crimeware-or-apt-malwares-fifty-shades-of-grey.html c0der.zapto.org rglink77.no-ip.biz # Reference: https://twitter.com/James_inthe_box/status/1138454939045453825 enginekeys.ddns.net # Reference: https://twitter.com/James_inthe_box/status/1140571341344538625 duc1234.duckdns.org # Reference: https://twitter.com/daphiel/status/1141625032801693696 (# CVE-2019-11707) # Reference: https://twitter.com/cybsecbot/status/1141610397931323393 # Reference: https://www.virustotal.com/gui/file/07a4e04ee8b4c8dc0f7507f56dc24db00537d4637afee43dbb9357d4d54f6ff4/detection (# OSX Netwire/Wirenet) 185.49.69.210:80 89.34.111.113:443 a678157.oicp.net # Reference: https://twitter.com/JAMESWT_MHT/status/1142038342583894017 packgeddhl.myddns.me # Reference: https://twitter.com/HerbieZimmerman/status/1142085603368079361 # Reference: https://app.any.run/tasks/f61c3c81-52aa-4e11-b746-c7c27bc3b7f4/ gojust.publicvm.com # Reference: https://twitter.com/killamjr/status/1145110513371820033 # Reference: https://twitter.com/killamjr/status/1145114752890413057 185.247.228.73:9510 # Reference: https://pastebin.com/S4ggik78 maxmini.duckdns.org # Reference: https://twitter.com/killamjr/status/1146521318503964678 # Reference: https://app.any.run/tasks/1c48f325-f211-4442-8cd4-03ed4cd9e538/ 88.208.246.122:4110 longman001.chickenkiller.com # Reference: https://twitter.com/James_inthe_box/status/1146468739493199873 chance2019.ddns.net # Reference: https://twitter.com/DynamicAnalysis/status/1148316218199334912 69.30.232.86:2030 docusmart.hopto.org # Reference: https://twitter.com/James_inthe_box/status/1148966237684133888 mickeyjones.ddns.net # Reference: https://twitter.com/James_inthe_box/status/1149004873653899264 haroldberry1.mooo.com # Reference: https://twitter.com/JayTHL/status/1149014369642172418 fada101.servehttp.com # Reference: https://twitter.com/dvk01uk/status/1149610977219846149 # Reference: https://app.any.run/tasks/7e3d8fe0-fc60-4525-9351-4240177616d4/ 160.202.163.246:6969 microsoft.btc-crypto-rewards.cash # Reference: https://twitter.com/Racco42/status/1158729618389643264 # Reference: https://app.any.run/tasks/3e1c3fc4-166c-4164-afc5-f34bb3a066c7/ 213.227.155.190:5868 halwachi50.mymediapc.net # Reference: https://twitter.com/James_inthe_box/status/1164299477127028736 23.105.131.221:6050 # Reference: https://twitter.com/James_inthe_box/status/1164964895764299776 204.152.219.82:9008 # Reference: https://twitter.com/de_aviation/status/1097547526763433985 beltalus.ns1.name maxmini.duckdns.org # Reference: https://twitter.com/JAMESWT_MHT/status/1169168426750894081 # Reference: https://app.any.run/tasks/abb12ce8-d6c6-4cf9-a9d6-8ad22d6cd2e1/ 79.134.225.61:5552 info1.nowddns.com # Reference: https://twitter.com/P3pperP0tts/status/1169905372359839745 # Reference: https://app.any.run/tasks/751de56d-4df8-478f-92da-931edaf643bb/ # Reference: https://app.any.run/tasks/3f018342-f6f0-4908-b0c8-f54e1d250463/ 79.134.225.103:39560 wealthyblessed.warzonedns.com # Reference: https://twitter.com/P3pperP0tts/status/1169905372359839745 # Reference: https://app.any.run/tasks/98de7c91-253e-4a55-aa90-51720e2bef92/ 79.134.225.61:5552 info1.nowddns.com # Reference: https://twitter.com/P3pperP0tts/status/1169905372359839745 # Reference: https://app.any.run/tasks/6f2eca0b-e39d-48f8-a132-e4ad2d597c2b/ # Reference: https://app.any.run/tasks/6ee3328e-fd0b-4fa1-9292-c5d0fae7fd1f/ 103.200.6.79:39760 melvintravel.ddns.net # Reference: https://twitter.com/KorbenD_Intel/status/1169996681259245569 netwire.daniel2you.com # Reference: https://twitter.com/0xFrost/status/1174391265707941889 # Reference: https://app.any.run/tasks/96dd442a-86e8-4c2b-9a33-401a04d58c5d/ 103.200.5.128:39460 # Reference: https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing.html 185.165.153.219:3366 gbam0001.duckdns.org # Reference: https://twitter.com/wwp96/status/1178693615440277504 # Reference: https://app.any.run/tasks/883bcaa9-150d-4e66-b107-6c6676f222e3/ 185.217.1.148:5868 halwachi50.mymediapc.net # Reference: https://twitter.com/0xFrost/status/1179128508817260545 trippleboss.warzonedns.com # Reference: https://twitter.com/wwp96/status/1181651448439791616 rownip.mooo.com rownip.dyndnss.net rowanyne.ooo rownip.eastus.cloudapp.azure.com rownip.eastus2.cloudapp.azure.com rownip.tk rownip.webredirect.org # Reference: https://twitter.com/w3ndige/status/1171159313865465856 # Reference: https://app.any.run/tasks/5d43972b-352b-4e1d-b856-90c7176205b4/ 109.202.103.170:8733 109.202.107.10:8733 213.152.161.229:8733 # Reference: https://twitter.com/wwp96/status/1186998362626822149 # Reference: https://app.any.run/tasks/1fe1be54-9c9d-4ad0-91b6-f4433e6d1144/ 185.19.85.153:3393 # Reference: https://twitter.com/wwp96/status/1187023690636152832 # Reference: https://app.any.run/tasks/238a2b41-2fb5-495d-a686-2be8fa316bc5/ 79.134.225.103:52999 wealthismine.ddns.net # Reference: https://www.virustotal.com/gui/file/2dfab97454ee74f18367a763aadc5453aebc3382911b055ff27a1c3eed0040bd/detection 213.208.152.217:3363 # Reference: https://twitter.com/killamjr/status/1189717599040528386 # Reference: https://app.any.run/tasks/1818f7a8-166f-4d05-9dd2-d97ff5a86989/ 185.217.1.189:39766 officeraymed09eu.ddns.net # Reference: https://twitter.com/JayTHL/status/1189924963794460672 79.134.225.11:1199 # Reference: https://twitter.com/smica83/status/1190181597468856320 79.134.225.80:3360 # Reference: https://twitter.com/smica83/status/1190183906693267456 79.134.225.122:3360 # Reference: https://twitter.com/Paladin3161/status/1190247869145477120 25092019.is-a-geek.com # Reference: https://pastebin.com/29uSdMAk # Reference: https://www.virustotal.com/gui/ip-address/185.165.153.221/relations 185.165.153.221:8973 185.165.153.221:9101 aspens.publicvm.com # Reference: https://pastebin.com/29uSdMAk # Reference: https://www.virustotal.com/gui/file/ff0fb3dbc9170b42ca07bcbcca2c90dbe7e28eed7a6f8861cc91fcef691726d7/detection 79.134.225.78:1195 79.134.225.78:3941 79.134.225.78:5149 79.134.225.78:5541 79.134.225.78:9263 cowboyz.climatechangeawareness.uk guccimoney.duckdns.org teryts1802.sytes.net # Reference: https://pastebin.com/29uSdMAk fartgul.duckdns.org # Reference: https://twitter.com/smica83/status/1192788522631081985 185.165.153.113:32141 # Reference: https://twitter.com/James_inthe_box/status/1194265061163859968 noapology.duckdns.org # Reference: https://www.virustotal.com/gui/file/29fa90b1dfc3fdca476596c276eeb9f1ca26d9833e5e671280add24cb69c4b07/detection 185.165.153.55:2001 185.248.13.185:2001 blatter.ddns.net # Reference: https://www.virustotal.com/gui/file/fdffe9dc3b52438d2cfc8c753f564e087958e27a944e59a3ebbaf8e501c60ef5/detection 185.165.153.55:594 # Reference: https://www.virustotal.com/gui/file/b3d31835f0570ccea5b165a661ae7b37eaf38d1a00d6cec4c609fd862b508e71/detection 185.165.153.55:4050 mymy1.ddns.net # Reference: https://www.virustotal.com/gui/file/17c22ddbdcc06cb9710afcf54e1c0a0cdcb3e383650feaf4ffe9b2ad5455a9c4/detection noapology.climatechangeawareness.uk # Reference: https://www.virustotal.com/gui/file/ea8778e98950acaa214b5205b293e471a2d949b92d3ce8ffcd2fccf31e691839/detection 185.217.1.190:6898 # Reference: https://cyberweek.ae/materials/D4%20TRACK%202%20-%20APT%20Attacks%20On%20Crypto%20Exchange%20Employees%20-%20Heungsoo%20Kang.pdf # Reference: https://www.bleepingcomputer.com/news/security/firefox-0-day-used-in-targeted-attacks-against-cryptocurrency-firms/ # Reference: https://otx.alienvault.com/pulse/5dd2b6edd9073ebdde5eba8a # Reference: https://www.virustotal.com/gui/ip-address/185.162.131.96/relations analyticsfit.com athlon4free2updates1.com http://185.162.131.96 # Reference: https://twitter.com/James_inthe_box/status/1196509130841710592 almeenamarine.ddns.net # Reference: https://www.virustotal.com/gui/file/0240071a908a44d286964af67a947625c7df2a6994880a79c938d26822279b3d/detection 185.217.1.186:3366 # Reference: https://www.virustotal.com/gui/file/24cc43513c2e79676fdf20fab727ec9a3c98612b7ff00a6242076cbc90be6291/detection 185.217.1.186:3365 # Reference: https://twitter.com/wwp96/status/1196873873343561728 # Reference: https://app.any.run/tasks/05bf7c8e-8660-408e-af44-ee17bcc358e5/ 185.19.85.153:3393 # Reference: https://www.virustotal.com/gui/file/761e8b24bfbd4c31cfbabe2747daaa5d589e49204f3d2acd8a5493ca1f8293ec/detection 79.134.225.105:49012 electroking444.ddns.net # Reference: https://www.virustotal.com/gui/file/195f140234ec7779a7f769ed3770425d262c6f9e94d126b195b2804261c9f32d/detection 79.134.225.105:2803 onelove03.duckdns.org # Reference: https://www.virustotal.com/gui/file/c7bdb6a769b95c976c80bd0ea3c77d48ae8f99f8f0b3d714637630c43259209b/detection 79.134.225.89:32141 zlantan1234.duckdns.org # Reference: https://www.virustotal.com/gui/file/c4b5f36856320d553b73da3deb7b5a39ef0ba8026ae8278ec6496cb6bdd68486/detection popintertradeer.ddns.net # Reference: https://www.virustotal.com/gui/file/dd33019c84b905443de022d1ff40146e7d1a2b5b472a3e1589b0ecb36ee64555/detection 41.151.8.187:3360 # Reference: https://www.virustotal.com/gui/file/0fe9614c6c18c6d7276d23902d8e056589861969f6d6d5fdf239ddb6c7128424/detection 119.9.94.62:3360 # Reference: https://twitter.com/neonprimetime/status/1199711850931400706 79.134.225.90:7734 netupdate1.sytes.net # Reference: https://www.virustotal.com/gui/file/2dcde2c6679b4dbf7c7c6ba3bf6f078493f50117c7285654dc6d089d7d9c9f25/detection 79.134.225.90:62098 ashmwin.ddns.net # Reference: https://www.virustotal.com/gui/file/92698baf6b49c99930e0f43857b6d14b1de6cb44af749af015332be9d2f6bdad/detection 79.134.225.90:3923 105.112.105.226:3923 netupdate1.sytes.net # Reference: https://www.virustotal.com/gui/file/c103d6b1a8fd4dce11bcdcb55e18dabb58de76d5b196ff42095df7664e313b4e/detection 139.60.162.173:3535 # Reference: https://www.virustotal.com/gui/file/cd35a539d995fc9bd7fc844e4d1f6efb6187892298d1d1afce4b2c8e5b641c33/detection 212.83.170.126:111 # Reference: https://www.virustotal.com/gui/file/adf5565528a5c596d84b47b5433698b547b2183c2b86187cba3a9b892cd533d7/detection 79.134.225.59:4771 # Reference: https://twitter.com/ActorExpose/status/1200834171545030662 # Reference: https://app.any.run/tasks/1d10bdf0-38d2-49cc-a2cd-267e7c56daae/ 79.134.225.90:32141 zlantan1234.duckdns.org # Reference: https://www.virustotal.com/gui/file/370a5c3410e458a615cd1b1581b90273bac8df37c602c83f9d2e4c85deeb6278/detection 185.165.153.113:32141 # Reference: https://www.virustotal.com/gui/file/46222e44edf6d4f9caf9ee55824ce5e20dfcf274a167bcbdca8b5e9eab4f346e/detection 79.134.225.89:32141 # Reference: https://www.virustotal.com/gui/file/d240a2899287ffa85ae3f2041bde1c6cf60a094fa3716182fa5111a0e814b7a8/detection 192.69.169.25:2555 wellcomehome.duckdns.org # Reference: https://www.virustotal.com/gui/file/a9833ef2f0ff93c2d46eb4ca7783be91d0d065f5db97a521b1428a9022e0bbb6/detection 192.69.169.25:10155 # Reference: https://twitter.com/JayTHL/status/1200887119545327618 185.165.153.190:3360 cash001.duckdns.org # Reference: https://any.run/malware-trends/netwire (Note: as seen on 2019-12-04) sandra.myddns.me 888rats.duckdns.org slimyuyo.duckdns.org vemvemserver.duckdns.org special2019world.mymediapc.net 3forall2019.servesarcasm.com jiddeshot.duckdns.org saintjames.publicvm.com joeiyke22.duckdns.org youforbiden.duckdns.org 12345dick.duckdns.org win360s.ddns.net mozillamaintenanceservice.duckdns.org 2020dcr2ewert-24ee-4edb-80bf-82dab6f9b9d.duckdns.org akconsult.linkpc.net duckdns4.duckdns.org salesxpert.duckdns.org # Reference: https://blog.talosintelligence.com/2019/12/threat-roundup-1129-1206.html (# Win.Malware.NetWire-7428720-1) cobroserfinansa.com # Reference: https://www.virustotal.com/gui/file/457b80e5bf2bc7901917523960cc9db4c3f80089026408f564633dbee283fbce/detection 79.134.225.121:3410 # Reference: https://www.virustotal.com/gui/file/d922e9068964beed6b4b9d6dce99a06f915b1c772363f847eaaa6a82931cc15b/detection nasoo.duckdns.org # Reference: https://www.virustotal.com/gui/file/f7f3b8083532e5468fc0eb50ab0df6006eae1a69d39c6241aba2f45e178df6e6/detection 79.134.225.121:7075 # Reference: https://www.virustotal.com/gui/file/2c35359dda093b3635434d8c03cc2703af6ff54f5f775f50098ca837fef39a44/detection truckbase.duckdns.org # Reference: https://www.virustotal.com/gui/file/bfa46975f1df64a6e0a8c4cd4fd6dd11f94f0f1e943bdc53a3dbdd9701e6ea5d/detection raaqtwo.duckdns.org # Reference: https://www.virustotal.com/gui/file/958384b533e9c4818026a6cca852eafc0c0a046294cc65ec030d9b70396b24db/detection 185.165.153.22:5555 # Reference: https://www.virustotal.com/gui/file/e0b0e3fab013dc09b6bdf69205fc5307f2b3651076719221ac5877b5ec8586a2/detection 185.244.31.42:2803 # Reference: https://www.virustotal.com/gui/file/4671508d92b3e347306677e573de08e434d08b6a45ba2aa2a0bdf413aebed3c5/detection 212.7.192.243:2803 # Reference: https://www.virustotal.com/gui/file/456f728d0b77f1b7a7cf80eac04eefed51bac192d0e8b7d0a966036ffbc50c30/detection 91.193.75.153:3382 # Reference: https://www.virustotal.com/gui/file/5ce56dd34b245ccabdb0ca49291443547b3b78dbd1d22f971319082222d2df14/detection 91.193.75.153:2803 # Reference: https://www.virustotal.com/gui/file/cece77471974acf2571a11c9df849ecc5c0caec716a5133eca57088500671338/detection 192.169.69.25:3382 # Reference: https://www.virustotal.com/gui/file/c805a88f47d67b56d9ba5613dbeb69953162abd6134a920e378092e99e0bfb51/detection 79.134.225.71:3360 # Reference: https://www.virustotal.com/gui/file/21ad213538f2236ce466d5dd0a2ec0a0b97afa99e223e065131b608f49da8635/detection 79.134.225.119:3999 # Reference: https://www.virustotal.com/gui/file/fdbf4c73db81705a8a27703447d665f3806345bd046cd721b8e78dd4786d61c8/detection 79.134.225.60:1 fineware.ddns.net # Reference: https://www.virustotal.com/gui/file/03afbf2ae0de830ca39d35b5574dc38cdb66210b11f64d6d3cb0fab2168261a6/detection 193.160.10.83:1 cocaboss2017.hopto.org # Reference: https://www.virustotal.com/gui/file/cf1ca867f165ab67d102e6b918040e2e17fc1b5d1883d8f642019a17c8e6b8b2/detection 185.101.92.3:5553 qatar1.ddns.net # Reference: https://www.virustotal.com/gui/file/60d0357a80a01b899f289d690076a35cde6f89e1f72128ff6aca8d7595a2ef74/detection # Reference: https://www.virustotal.com/gui/file/47007057990f2e09ddedaf580bf5705fc0f7c9fed153bc7b1fe3b0d61001967a/detection 104.18.34.86:8888 104.18.35.86:8888 104.244.75.220:8888 nozomi.sakananoko.io # Reference: https://www.virustotal.com/gui/file/e0f8c12ff13dc56a9ba268873c9747c4ab40e462f7e842b24a018bab7e0a05aa/detection 168.235.111.253:5553 # Reference: https://www.virustotal.com/gui/file/ded798f496c5af0c00ce63c829f69c783c9f45ccf4f0e850f18740d85f201c13/detection # Reference: https://www.virustotal.com/gui/domain/spyzdns.pro/relations 104.152.208.211:5577 spyzdns.pro # Reference: https://www.virustotal.com/gui/file/ce1960525f5588b19f0c6de2026e02000518e2d3f8c5d23ea60e45849a04ee14/detection 104.152.208.211:1112 # Reference: https://www.virustotal.com/gui/file/bed345a08313800a40dc5c68f9084bf6063a4a430c88e410f0fe463eb5388b51/detection 154.16.201.10:1302 # Reference: https://www.virustotal.com/gui/file/aae2fc7d7b828a8d65382a2b5ccd4c490bc16bcdac1375d4e20cffa83aecdfe7/detection 82.118.21.3:1112 # Reference: https://www.virustotal.com/gui/file/46aefe90a8ea70f53e77cbc9942409479b95c0f264ac6082b1e1f502e30b13f7/detection 79.134.225.19:1112 # Reference: https://www.virustotal.com/gui/file/6e9d20cbacd0fd5a8f6b6a9971ef0a3587a50415993755069e17420d09d84c70/detection 23.254.203.242:1112 # Reference: https://www.virustotal.com/gui/file/f87b6d4cb39625b3c64c36e763a2098543d570208b9fd4d0f1940f0c34fa4073/detection 51.77.254.186:1112 # Reference: https://www.virustotal.com/gui/file/90a80ce3af5ec668660b8e993a4296b320422d40f8389d7e79f0482187ab36b5/detection 5.206.225.37:1112 # Reference: https://www.virustotal.com/gui/file/1b2cd3209d033f14cf9666e46cb989289f6a5e7c79d4c17ea30a619945fdbbf0/detection 91.193.75.130:1112 # Reference: https://www.virustotal.com/gui/file/3d9a9127438c6f2fc36d5b7b2a1841bc8316bef29fe7bd097c057c83a4eaa8f4/detection 79.134.225.112:4062 # Reference: https://www.virustotal.com/gui/file/1bbe5e5f6161da584298bc9e2ac3cb853d129d9050bc621fc6a84da55df7788d/detection wealthme.ddns.net # Reference: https://www.virustotal.com/gui/file/c7920d72eebb28b953909d9056c9b79eadefe0465b5d4ce1ca3d4ab5b15e5c59/detection 79.134.225.103:39561 79.134.225.112:39561 # Reference: https://www.virustotal.com/gui/file/01fe7838d971a668e602e176bde1de4bbb74146d00c515a6f9e1bd5e5206a70c/detection 79.134.225.97:6973 bcvfg.ru jhndfghjk5gf56.ru # Reference: https://www.virustotal.com/gui/file/6653b1a67dd2db3a54e6745b60a0288d8225046238792a631e40c97826cbd496/detection bmvmnfgfgfg.ru # Reference: https://www.virustotal.com/gui/file/45f44c19d5117803f5efad9208e31872c55296393eb0cf83665cf8299fbe28fb/detection 79.134.225.97:6974 # Reference: https://www.virustotal.com/gui/file/d64a2ac89a24a756d612afaa001a64fc32f35e870e4ffdfe8e0ed9252a31496f/detection 185.140.53.59:6974 dfgjhkg45fgd34231.ru # Reference: https://www.virustotal.com/gui/file/f003d02ca28dbecfbffed0c7ae263ac2262d6a822e9f048351e8f5df9a84b2df/detection 79.134.225.97:4000 netnet.mynumber.org # Reference: https://www.virustotal.com/gui/file/a70f7737b7a9d18db161e843c7f65f1dbff81fdb1fc021d284cac1d5a3e5a722/detection 185.140.53.95:39560 wealthyblessed.warzonedns.com # Reference: https://www.virustotal.com/gui/file/8ee1bb2ba20aea3d8aab5b3c075e0ad722b4f97e82105c41e671d7cabee46759/detection 185.244.129.107:3360 # Reference: https://www.virustotal.com/gui/file/ae62bc857e4d76badd722db97bbc62ae9f5b0d2f747182a0796eaf9582b98e24/detection 185.244.129.107:3361 # Reference: https://www.virustotal.com/gui/file/1bc2f5f12f36dbea6e40900c02c398273e2dc3de6d7a266f9dc9b3a582fb6912/detection 185.244.129.107:3363 # Reference: https://www.virustotal.com/gui/file/92edc5544cf9ac3b59927bb09d8e3a2247f90a34176a088522a10671a6c5f1e1/detection 185.244.129.107:1994 # Reference: https://www.virustotal.com/gui/file/d848def04aaee6e3dfd8928d7ba4342decad19b70f144c7991cb60bc05153c8c/detection 185.244.129.107:1875 # Reference: https://www.virustotal.com/gui/file/7c7fa82411896ca49680ace75afd36bf05bb241c53370a429d9e04751809bebb/detection 185.244.129.107:9999 # Reference: https://www.virustotal.com/gui/file/957375fb8a42d48c20f8d62910e69baafe698386b58d9ffd9da4db1f3d1ff360/detection 185.244.129.107:8888 # Reference: https://www.virustotal.com/gui/file/0dbe96acd7d8270e0b7f76ea14050de8e00aad2ea7da029ab16a2421112ff499/detection 185.244.129.107:1150 # Reference: https://www.virustotal.com/gui/file/8ca42be777002ed230c4874808e062274757bc89d46b9804f13c158e0a46c202/detection 185.244.129.107:6568 # Reference: https://www.virustotal.com/gui/file/3f84ee9d7f2976ce059f626bf8dedfbed5888195b2ec00346d6e1b4b0be47d47/detection 185.244.129.107:1959 # Reference: https://www.virustotal.com/gui/file/983ed3663de89038c3ce1afa88960e6b1a3108c76d7f473752d9aac98a6c123f/detection 185.244.129.107:4000 # Reference: https://www.virustotal.com/gui/file/0213918d41e2723ef382fad30b757ce9c6ee9f8e36ea659b1cf9f0e1253d2809/detection autos.duckdns.org # Reference: https://www.virustotal.com/gui/file/bbf315665776da8bbb6ee1e5c9bb651c29584fc2d6a0ed1fd9d9796ad5b58355/detection 79.134.225.118:5389 # Reference: https://www.virustotal.com/gui/file/2ad98734186b1f32bc4adcb1749d8fe35510bd24c661372431f786169616f841/detection 79.134.225.118:4000 # Reference: https://www.virustotal.com/gui/file/5c72d24d98219b4e3bda91e2714db3ce7066a3d6aed90052d357ad95b31f2b77/detection 91.193.75.66:2803 # Reference: https://www.virustotal.com/gui/file/908d291a14413c4f558ee3f8f5899b3068233e7c91b57838f5aec4704659256f/detection 91.189.180.199:3362 # Reference: https://www.virustotal.com/gui/file/86d169d2c9bb56c9114aa071246c6e6b59ae549096d4853cde68c3aa725f7a2b/detection 91.189.180.199:4050 # Reference: https://www.virustotal.com/gui/file/4e94d2474092220738319eece43e0c959a34339ab0871ccbd620f0366b4faf5c/detection 185.244.31.108:3340 # Reference: https://www.virustotal.com/gui/file/529275af456f0784e3d94186cd8293be54466fb14f8bf4b79d7465fb190cd83a/detection 91.189.180.199:2555 red.speedfastmaking.com # Reference: https://www.virustotal.com/gui/file/de3a58e51d2f1bccf64ad16c33065acf9943dc918d74fca52fc2ec874abe63ed/detection 45.89.175.161:3501 # Reference: https://app.any.run/tasks/cd62d754-9c3b-481d-a70f-34212efa4ca9/ 79.134.225.97:2556 # Reference: https://www.virustotal.com/gui/file/49593d50b98d8ab429704387e7a1663c5aa53aed6c007c17e960a7a3d435e72a/detection 79.134.225.73:1968 # Reference: https://www.virustotal.com/gui/file/3cebeb277998398307bc20b7f7461c996be6f4f899a95151563a0279715de2b4/detection 79.134.225.73:1969 # Reference: https://www.virustotal.com/gui/file/6a6826cbe38a06a2b381c208519c4891ccb95c49958c2173cd2eef3db62329eb/detection 103.200.6.79:5119 # Reference: https://www.virustotal.com/gui/file/67349f5ab9898c358616f3e9640430a093fb7e705d08bb4641f53202dc9e3bdc/detection 185.165.153.6:5119 # Reference: https://www.virustotal.com/gui/file/3eaed7ad25fc65b5593e21ade9fc28afd13d6655c9aa5574c124f89cb8bb2c76/detection 185.145.45.14:3535 # Reference: https://www.virustotal.com/gui/file/6cb7ff1dd549faef0e30bc2f9f5df36e99711a63587c83628fd948ffa8cda5de/detection 154.66.20.48:3535 # Reference: https://www.virustotal.com/gui/file/fed40b4cf9225ca3a8489371aa92ac7fc4ea6b51daaf5f47a5b3f3720d6db0bf/detection 160.152.47.124:3535 # Reference: https://www.virustotal.com/gui/file/7424c56def4e99420a78ccbc85233c5c78e2d2d737fe694be7709d2942b96f63/detection 184.75.209.164:3535 # Reference: https://www.virustotal.com/gui/file/0e475d21f42bef2896cd73dc0342b7ca8b65bd12da903a336df0378111be4506/detection 184.75.209.179:3535 # Reference: https://www.virustotal.com/gui/file/53cd0c05fa8b4d6fa119f040e239c4fb7e0698a8f3f90d18049b0055a8efa984/detection 185.244.30.4:3535 # Reference: https://twitter.com/wwp96/status/1214207875272368130 # Reference: https://app.any.run/tasks/1c9cbe8d-32fb-4b1b-966f-cfc818c61a3d/ 197.210.227.25:39874 hostnameddns.ddns.net # Reference: https://www.virustotal.com/gui/file/0e462e54bd7654bae356cab61bd82078a7a2acec32d49764fe70f5bd8e570dfc/detection 41.100.118.46:3360 41.100.27.46:3360 # Reference: https://www.virustotal.com/gui/file/a0c0926a0e658ab70618683faa119a239a79dbacbe31e26e847c850e6b108372/detection 128.90.105.67:3360 # Reference: https://app.any.run/tasks/0492ec43-72c7-4ce5-b149-bdf57ed43325/ hostnameddns.ddns.net 178.124.140.135:39874 # Reference: https://twitter.com/Racco42/status/1214549597072371712 # Reference: https://app.any.run/tasks/8b2089b9-7dcf-42a0-a693-ce1e695c6fd4/ 154.16.93.172:3363 # Reference: https://app.any.run/tasks/65e8f4f5-590e-4333-99fb-f88b9550edfc/ personnels.bdm-sa.fr 213.227.140.15:3360 # Reference: # Reference: https://twitter.com/ps66uk/status/1215035648899452929 185.103.96.151:3393 # Reference: https://twitter.com/Jouliok/status/1215152539672416256 # Reference: https://app.any.run/tasks/08b6f560-69ef-4691-8539-7610f185a24d/ 185.244.30.244:32002 glo1234.duckdns.org # Reference: https://app.any.run/tasks/9d77d904-0131-4176-bb78-c88c717f5923/ # Reference: https://app.any.run/tasks/0dea0f85-7de4-47b2-8b0b-05864253ee78/ siri1234.duckdns.org 185.244.30.244:32141 # Reference: https://app.any.run/tasks/8875db16-9f78-4856-8525-03ea1ba8cd0d/ mardjdf.ug kjsdtrfuyhgxcv.ru 185.244.30.74:6974 # Reference: https://www.virustotal.com/gui/file/e834928ef654d59252d621b946d4850bebcba0f0593d23b7a70bd41bb2e3b222/detection 154.120.86.70:39561 185.87.187.198:39561 79.134.225.103:39561 79.134.225.74:39561 79.134.225.91:39561 wealthyme.insidedns.com # Reference: https://twitter.com/ffforward/status/1219168656749481984 # Reference: https://app.any.run/tasks/25ac1017-8d38-461d-b4f4-2ece96e35d31/ 185.244.30.131:3382 teller92.duckdns.org # Reference: https://twitter.com/James_inthe_box/status/1221899988910796800 79.134.225.96:6556 # Reference: https://www.virustotal.com/gui/file/f761e3a2cc1998a331c3ea070dd1ec484e5c93c7a056917b0413d45d5dfb875c/detection mbvd.rapiddns.ru mbvd.zapto.org