# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: netwiredrc, netwire, wirenet # Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~NetWire-EK/detailed-analysis.aspx mommyreal.ddns.net # Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~NetWire-CC/detailed-analysis.aspx wwfvpsv9.serveftp.com # Reference: https://www.cyren.com/blog/articles/bad-things-come-in-pairs-3004 dinesaad.hopto.org # Reference: https://twitter.com/James_inthe_box/status/1044616045560967168 cboss33.hopto.org # Reference: https://twitter.com/James_inthe_box/status/1044365272675573760 natigr.ddns.net projectadmin.camdvr.org # Reference: https://twitter.com/James_inthe_box/status/1044231367347732480 ddns.catamosky.biz # Reference: https://twitter.com/Racco42/status/1042056130577489928 lagos042.ddns.net manuel3.publicvm.com # Reference: https://twitter.com/VK_Intel/status/983940199603474432 snoopdmoney2018.sytes.net snoopdmoneybkup.sytes.net # Reference: https://www.virustotal.com/#/file/a095a7acda9c73fc89bfbc170bbec75a4572c75114e1687a7c212e9228915945/detection # Reference: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3966&sid=a2bb410851e96a6bb24b90b65966112f&start=300#p32187 ola100.hopto.org # Reference: https://twitter.com/malwrhunterteam/status/1106264932230852608 62.210.10.245:4000 # Reference: https://twitter.com/malwrhunterteam/status/1105163365209554951 amazonsprime.duckdns.org # Reference: https://twitter.com/JAMESWT_MHT/status/1107630659957329921 leew.linkpc.net # Reference: https://twitter.com/James_inthe_box/status/1022228835616473088 onetimeade.linkpc.net # Reference: https://twitter.com/malwrhunterteam/status/1096760442133856256 jackas.gotdns.ch # Reference: https://maskop9.tech/index.php/2019/01/30/analysis-of-netwiredrc-trojan/ # Reference: https://app.any.run/tasks/e1d7034b-c866-4cef-8d55-04405cd2a81d 109.230.199.103:3360 # Reference: https://twitter.com/James_inthe_box/status/1118217392851566593 havemercy.mooo.com # Reference: https://twitter.com/malwrhunterteam/status/1122081049809432576 netzirecolq.gleeze.com # Reference: https://twitter.com/MalwareConfig/status/748754926319181824 socratecafu.zapto.org # Reference: https://twitter.com/MalwareConfig/status/748754880869707776 monarch01.no-ip.org # Reference: https://twitter.com/MalwareConfig/status/748625532993019904 # Reference: https://malwareconfig.com/config/d5ce94e9264321d398767c1e3d1a5835/ 46.244.10.196:3480 # Reference: https://twitter.com/MalwareConfig/status/748625240486477825 jack.redirectme.net # Reference: https://twitter.com/Jouliok/status/1123141238197248001 # Reference: https://app.any.run/tasks/9de6804d-2e31-4f55-a225-d99191196803 duc1234.duckdns.org 91.192.100.57:32144 # Reference: https://twitter.com/ps66uk/status/1104050986031767552 # Reference: https://app.any.run/tasks/4b6c4b34-7bc3-41ca-8a35-78399db8e591 # Reference: https://twitter.com/wwp96/status/1165981094958784513 # Reference: https://app.any.run/tasks/6158df64-fbd4-4ca1-a447-c2464ba3a063/ # Reference: https://twitter.com/killamjr/status/1192062400960315397 # Reference: https://app.any.run/tasks/48f13dd2-c3e2-4940-a1ac-dbb9a482cd10/ akconsult.linkpc.net 105.112.51.164:2014 185.84.181.94:2018 197.211.58.186:2014 # Reference: https://twitter.com/luc4m/status/1092365190497255424 checker00.gotdns.ch # Reference: https://twitter.com/luc4m/status/1072888268528779264 pd1n.ddns.net # Reference: https://twitter.com/Racco42/status/1062633238802378752 wealthyadmin.ddns.net # Reference: https://twitter.com/James_inthe_box/status/1059464666672332800 favor.duckdns.org # Reference: https://twitter.com/Racco42/status/1057317617260736513 godalmighty.ddns.net # Reference: https://twitter.com/ps66uk/status/1050043711135068161 185.101.93.198:8681 # Reference: https://twitter.com/James_inthe_box/status/1115624726695514113 masterhugo231.servecounterstrike.com # Reference: https://twitter.com/James_inthe_box/status/1065330244746268672 185.84.181.80:3360 # Reference: https://twitter.com/avman1995/status/1060818874789179392 ddns.unknajiamu.xyz # Reference: https://twitter.com/pollo290987/status/907273472786812928 199.16.199.2:36133 # Reference: https://twitter.com/JAMESWT_MHT/status/906146267763486720 egonbute.duckdns.org # Reference: https://twitter.com/Antelox/status/894901722497208321 192.223.25.72:1777 # Reference: https://twitter.com/JayTHL/status/751123206468046848 businessdb3.duckdns.org # Reference: https://twitter.com/malware_traffic/status/714819056218406914 marchborn.no-ip.biz # Reference: https://twitter.com/James_inthe_box/status/1123236500311724032 bazwire.sytes.net # Reference: https://twitter.com/fe7ch/status/1126132771800395777 usb.mine.nu message-whatsapp.com zr.webhop.org enz.webhop.org # Reference: https://twitter.com/Racco42/status/1132935875430670337 # Reference: https://twitter.com/Racco42/status/1136593634650927105 96.47.239.229:3999 # Reference: https://twitter.com/James_inthe_box/status/1133344506814668800 160.116.15.155:3360 # Reference: https://twitter.com/raby_mr/status/1136889525060325376 # Reference: https://app.any.run/tasks/03268b84-b31c-4a32-a87b-95e7aa4cf8a9/ 102.165.38.139:33 heritage.nflfan.org # Reference: https://www.fireeye.com/blog/threat-research/2014/04/crimeware-or-apt-malwares-fifty-shades-of-grey.html c0der.zapto.org rglink77.no-ip.biz # Reference: https://twitter.com/James_inthe_box/status/1138454939045453825 enginekeys.ddns.net # Reference: https://twitter.com/James_inthe_box/status/1140571341344538625 duc1234.duckdns.org # Reference: https://twitter.com/daphiel/status/1141625032801693696 (# CVE-2019-11707) # Reference: https://twitter.com/cybsecbot/status/1141610397931323393 # Reference: https://www.virustotal.com/gui/file/07a4e04ee8b4c8dc0f7507f56dc24db00537d4637afee43dbb9357d4d54f6ff4/detection (# OSX Netwire/Wirenet) 185.49.69.210:80 89.34.111.113:443 a678157.oicp.net # Reference: https://twitter.com/JAMESWT_MHT/status/1142038342583894017 packgeddhl.myddns.me # Reference: https://twitter.com/HerbieZimmerman/status/1142085603368079361 # Reference: https://app.any.run/tasks/f61c3c81-52aa-4e11-b746-c7c27bc3b7f4/ gojust.publicvm.com # Reference: https://twitter.com/killamjr/status/1145110513371820033 # Reference: https://twitter.com/killamjr/status/1145114752890413057 185.247.228.73:9510 # Reference: https://pastebin.com/S4ggik78 maxmini.duckdns.org # Reference: https://twitter.com/killamjr/status/1146521318503964678 # Reference: https://app.any.run/tasks/1c48f325-f211-4442-8cd4-03ed4cd9e538/ 88.208.246.122:4110 longman001.chickenkiller.com # Reference: https://twitter.com/James_inthe_box/status/1146468739493199873 chance2019.ddns.net # Reference: https://twitter.com/DynamicAnalysis/status/1148316218199334912 69.30.232.86:2030 docusmart.hopto.org # Reference: https://twitter.com/James_inthe_box/status/1148966237684133888 mickeyjones.ddns.net # Reference: https://twitter.com/James_inthe_box/status/1149004873653899264 haroldberry1.mooo.com # Reference: https://twitter.com/JayTHL/status/1149014369642172418 fada101.servehttp.com # Reference: https://twitter.com/dvk01uk/status/1149610977219846149 # Reference: https://app.any.run/tasks/7e3d8fe0-fc60-4525-9351-4240177616d4/ 160.202.163.246:6969 microsoft.btc-crypto-rewards.cash # Reference: https://twitter.com/Racco42/status/1158729618389643264 # Reference: https://app.any.run/tasks/3e1c3fc4-166c-4164-afc5-f34bb3a066c7/ 213.227.155.190:5868 halwachi50.mymediapc.net # Reference: https://twitter.com/James_inthe_box/status/1164299477127028736 23.105.131.221:6050 # Reference: https://twitter.com/James_inthe_box/status/1164964895764299776 204.152.219.82:9008 # Reference: https://twitter.com/de_aviation/status/1097547526763433985 beltalus.ns1.name maxmini.duckdns.org # Reference: https://twitter.com/JAMESWT_MHT/status/1169168426750894081 # Reference: https://app.any.run/tasks/abb12ce8-d6c6-4cf9-a9d6-8ad22d6cd2e1/ 79.134.225.61:5552 info1.nowddns.com # Reference: https://twitter.com/P3pperP0tts/status/1169905372359839745 # Reference: https://app.any.run/tasks/751de56d-4df8-478f-92da-931edaf643bb/ # Reference: https://app.any.run/tasks/3f018342-f6f0-4908-b0c8-f54e1d250463/ 79.134.225.103:39560 wealthyblessed.warzonedns.com # Reference: https://twitter.com/P3pperP0tts/status/1169905372359839745 # Reference: https://app.any.run/tasks/98de7c91-253e-4a55-aa90-51720e2bef92/ 79.134.225.61:5552 info1.nowddns.com # Reference: https://twitter.com/P3pperP0tts/status/1169905372359839745 # Reference: https://app.any.run/tasks/6f2eca0b-e39d-48f8-a132-e4ad2d597c2b/ # Reference: https://app.any.run/tasks/6ee3328e-fd0b-4fa1-9292-c5d0fae7fd1f/ 103.200.6.79:39760 melvintravel.ddns.net # Reference: https://twitter.com/KorbenD_Intel/status/1169996681259245569 netwire.daniel2you.com # Reference: https://twitter.com/0xFrost/status/1174391265707941889 # Reference: https://app.any.run/tasks/96dd442a-86e8-4c2b-9a33-401a04d58c5d/ 103.200.5.128:39460 # Reference: https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing.html 185.165.153.219:3366 gbam0001.duckdns.org # Reference: https://twitter.com/wwp96/status/1178693615440277504 # Reference: https://app.any.run/tasks/883bcaa9-150d-4e66-b107-6c6676f222e3/ 185.217.1.148:5868 halwachi50.mymediapc.net # Reference: https://twitter.com/0xFrost/status/1179128508817260545 trippleboss.warzonedns.com # Reference: https://twitter.com/wwp96/status/1181651448439791616 rownip.mooo.com rownip.dyndnss.net rowanyne.ooo rownip.eastus.cloudapp.azure.com rownip.eastus2.cloudapp.azure.com rownip.tk rownip.webredirect.org # Reference: https://twitter.com/w3ndige/status/1171159313865465856 # Reference: https://app.any.run/tasks/5d43972b-352b-4e1d-b856-90c7176205b4/ 109.202.103.170:8733 109.202.107.10:8733 213.152.161.229:8733 # Reference: https://twitter.com/wwp96/status/1186998362626822149 # Reference: https://app.any.run/tasks/1fe1be54-9c9d-4ad0-91b6-f4433e6d1144/ 185.19.85.153:3393 # Reference: https://twitter.com/wwp96/status/1187023690636152832 # Reference: https://app.any.run/tasks/238a2b41-2fb5-495d-a686-2be8fa316bc5/ 79.134.225.103:52999 wealthismine.ddns.net # Reference: https://www.virustotal.com/gui/file/2dfab97454ee74f18367a763aadc5453aebc3382911b055ff27a1c3eed0040bd/detection 213.208.152.217:3363 # Reference: https://twitter.com/killamjr/status/1189717599040528386 # Reference: https://app.any.run/tasks/1818f7a8-166f-4d05-9dd2-d97ff5a86989/ 185.217.1.189:39766 officeraymed09eu.ddns.net # Reference: https://twitter.com/JayTHL/status/1189924963794460672 79.134.225.11:1199 # Reference: https://twitter.com/smica83/status/1190181597468856320 79.134.225.80:3360 # Reference: https://twitter.com/smica83/status/1190183906693267456 79.134.225.122:3360 # Reference: https://twitter.com/Paladin3161/status/1190247869145477120 25092019.is-a-geek.com # Reference: https://pastebin.com/29uSdMAk # Reference: https://www.virustotal.com/gui/ip-address/185.165.153.221/relations 185.165.153.221:8973 185.165.153.221:9101 aspens.publicvm.com # Reference: https://pastebin.com/29uSdMAk # Reference: https://www.virustotal.com/gui/file/ff0fb3dbc9170b42ca07bcbcca2c90dbe7e28eed7a6f8861cc91fcef691726d7/detection 79.134.225.78:1195 79.134.225.78:3941 79.134.225.78:5149 79.134.225.78:5541 79.134.225.78:9263 cowboyz.climatechangeawareness.uk guccimoney.duckdns.org teryts1802.sytes.net # Refereence: https://pastebin.com/29uSdMAk fartgul.duckdns.org # Reference: https://twitter.com/smica83/status/1192788522631081985 185.165.153.113:32141 # Reference: https://twitter.com/James_inthe_box/status/1194265061163859968 noapology.duckdns.org # Reference: https://www.virustotal.com/gui/file/29fa90b1dfc3fdca476596c276eeb9f1ca26d9833e5e671280add24cb69c4b07/detection 185.165.153.55:2001 185.248.13.185:2001 blatter.ddns.net # Reference: https://www.virustotal.com/gui/file/fdffe9dc3b52438d2cfc8c753f564e087958e27a944e59a3ebbaf8e501c60ef5/detection 185.165.153.55:594 # Reference: https://www.virustotal.com/gui/file/b3d31835f0570ccea5b165a661ae7b37eaf38d1a00d6cec4c609fd862b508e71/detection 185.165.153.55:4050 mymy1.ddns.net # Reference: https://www.virustotal.com/gui/file/17c22ddbdcc06cb9710afcf54e1c0a0cdcb3e383650feaf4ffe9b2ad5455a9c4/detection noapology.climatechangeawareness.uk # Reference: https://www.virustotal.com/gui/file/ea8778e98950acaa214b5205b293e471a2d949b92d3ce8ffcd2fccf31e691839/detection 185.217.1.190:6898 # Reference: https://cyberweek.ae/materials/D4%20TRACK%202%20-%20APT%20Attacks%20On%20Crypto%20Exchange%20Employees%20-%20Heungsoo%20Kang.pdf # Reference: https://www.bleepingcomputer.com/news/security/firefox-0-day-used-in-targeted-attacks-against-cryptocurrency-firms/ # Reference: https://otx.alienvault.com/pulse/5dd2b6edd9073ebdde5eba8a # Reference: https://www.virustotal.com/gui/ip-address/185.162.131.96/relations analyticsfit.com athlon4free2updates1.com http://185.162.131.96 # Reference: https://twitter.com/James_inthe_box/status/1196509130841710592 almeenamarine.ddns.net # Reference: https://www.virustotal.com/gui/file/0240071a908a44d286964af67a947625c7df2a6994880a79c938d26822279b3d/detection 185.217.1.186:3366 # Reference: https://www.virustotal.com/gui/file/24cc43513c2e79676fdf20fab727ec9a3c98612b7ff00a6242076cbc90be6291/detection 185.217.1.186:3365 # Reference: https://twitter.com/wwp96/status/1196873873343561728 # Reference: https://app.any.run/tasks/05bf7c8e-8660-408e-af44-ee17bcc358e5/ 185.19.85.153:3393 # Reference: https://www.virustotal.com/gui/file/761e8b24bfbd4c31cfbabe2747daaa5d589e49204f3d2acd8a5493ca1f8293ec/detection 79.134.225.105:49012 electroking444.ddns.net # Reference: https://www.virustotal.com/gui/file/195f140234ec7779a7f769ed3770425d262c6f9e94d126b195b2804261c9f32d/detection 79.134.225.105:2803 onelove03.duckdns.org # Reference: https://www.virustotal.com/gui/file/c7bdb6a769b95c976c80bd0ea3c77d48ae8f99f8f0b3d714637630c43259209b/detection 79.134.225.89:32141 zlantan1234.duckdns.org # Reference: https://www.virustotal.com/gui/file/c4b5f36856320d553b73da3deb7b5a39ef0ba8026ae8278ec6496cb6bdd68486/detection popintertradeer.ddns.net # Reference: https://www.virustotal.com/gui/file/dd33019c84b905443de022d1ff40146e7d1a2b5b472a3e1589b0ecb36ee64555/detection 41.151.8.187:3360 # Reference: https://www.virustotal.com/gui/file/0fe9614c6c18c6d7276d23902d8e056589861969f6d6d5fdf239ddb6c7128424/detection 119.9.94.62:3360 # Reference: https://twitter.com/neonprimetime/status/1199711850931400706 79.134.225.90:7734 netupdate1.sytes.net # Reference: https://www.virustotal.com/gui/file/2dcde2c6679b4dbf7c7c6ba3bf6f078493f50117c7285654dc6d089d7d9c9f25/detection 79.134.225.90:62098 ashmwin.ddns.net # Reference: https://www.virustotal.com/gui/file/92698baf6b49c99930e0f43857b6d14b1de6cb44af749af015332be9d2f6bdad/detection 79.134.225.90:3923 105.112.105.226:3923 netupdate1.sytes.net # Reference: https://www.virustotal.com/gui/file/c103d6b1a8fd4dce11bcdcb55e18dabb58de76d5b196ff42095df7664e313b4e/detection 139.60.162.173:3535 # Reference: https://www.virustotal.com/gui/file/cd35a539d995fc9bd7fc844e4d1f6efb6187892298d1d1afce4b2c8e5b641c33/detection 212.83.170.126:111 # Reference: https://www.virustotal.com/gui/file/adf5565528a5c596d84b47b5433698b547b2183c2b86187cba3a9b892cd533d7/detection 79.134.225.59:4771 # Reference: https://twitter.com/ActorExpose/status/1200834171545030662 # Reference: https://app.any.run/tasks/1d10bdf0-38d2-49cc-a2cd-267e7c56daae/ 79.134.225.90:32141 zlantan1234.duckdns.org # Reference: https://www.virustotal.com/gui/file/370a5c3410e458a615cd1b1581b90273bac8df37c602c83f9d2e4c85deeb6278/detection 185.165.153.113:32141 # Reference: https://www.virustotal.com/gui/file/46222e44edf6d4f9caf9ee55824ce5e20dfcf274a167bcbdca8b5e9eab4f346e/detection 79.134.225.89:32141 # Reference: https://www.virustotal.com/gui/file/d240a2899287ffa85ae3f2041bde1c6cf60a094fa3716182fa5111a0e814b7a8/detection 192.69.169.25:2555 wellcomehome.duckdns.org # Reference: https://www.virustotal.com/gui/file/a9833ef2f0ff93c2d46eb4ca7783be91d0d065f5db97a521b1428a9022e0bbb6/detection 192.69.169.25:10155 # Reference: https://twitter.com/JayTHL/status/1200887119545327618 185.165.153.190:3360 cash001.duckdns.org # Reference: https://any.run/malware-trends/netwire (Note: as seen on 2019-12-04) sandra.myddns.me 888rats.duckdns.org slimyuyo.duckdns.org vemvemserver.duckdns.org special2019world.mymediapc.net 3forall2019.servesarcasm.com jiddeshot.duckdns.org saintjames.publicvm.com joeiyke22.duckdns.org youforbiden.duckdns.org 12345dick.duckdns.org win360s.ddns.net mozillamaintenanceservice.duckdns.org 2020dcr2ewert-24ee-4edb-80bf-82dab6f9b9d.duckdns.org akconsult.linkpc.net duckdns4.duckdns.org salesxpert.duckdns.org