# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html hackqz.f3322.org 120.209.40.157:8880 # Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Nitol-P/detailed-analysis.aspx dingtao333.3322.org # Reference: https://twitter.com/securiteoff/status/739574861543149568 # Reference: https://www.virustotal.com/gui/file/20d841afa96e58fb7d2b4c5e8bb25d07ff36e25bbb14fc176f3f46c650cb016e/detection feng12763.3322.org qlsb.f3322.net # Reference: https://twitter.com/P3pperP0tts/status/1153026768590258179 520yxsf.com # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2012/2012-04-19-digging-into-the-nitol-ddos-botnet/digging-into-the-nitol-ddos-botnet.csv aisini1314.3322.org bcl5736120.3322.org ccddos.net erwbtkidthetcwerc.com fangqi.6600.org fangqi.7766.org fuck0313.6600.org guangkuo119.3322.org kankan902.3322.org ksattack.6600.org maguss.3322.org maple110.3322.org mybaccy.3322.org rterybrstutnrsbberve.com rvbwtbeitwjeitv.com sousou123.3322.org xin9liao.gnway.net xinxin168.3322.org xiong97.3322.org yezi999.3322.org ylddos.3322.org zwx5060.3322.org # Reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tale-of-the-two-payloads-trickbot-and-nitol/ # Reference: https://github.com/AlienVault-OTX/Threat-Trends/blob/master/MaliciousDomains_UmbrellaRanking.csv e.googlex.me # Reference: https://asec.ahnlab.com/1031 b.googlex.me # Reference: https://www.virustotal.com/gui/file/62010ae6b25999cbc37c935c163285f571294f4732965c66b9233a7573c13c10/detection w.googlex.me m.googlex.me # Reference: https://totalhash.cymru.com/network/?dnsrr:*.googlex.me w.googlex.me m.googlex.me googlex.me # Reference: https://twitter.com/pancak3lullz/status/748172641131847681 # Reference: https://www.virustotal.com/gui/ip-address/110.173.30.68/relations 110.173.30.68:1111 110.173.30.68:1150 110.173.30.68:1380 110.173.30.68:1472 110.173.30.68:2013 110.173.30.68:2014 110.173.30.68:6666 110.173.30.68:8080 110.173.30.68:8085 110.173.30.68:8089 xiaoaolong.f3322.org # Reference: https://twitter.com/pancak3lullz/status/744918444265578496 # Reference: https://www.virustotal.com/gui/file/a2d02236c2a9684310d95d5a98734d17d226da16607f98903e0a5f9d62298521/detection # Reference: https://www.virustotal.com/gui/file/40ac46478014d0a89f787c25dd380424b0e16913bd5ff03db90c32b75aa10c35/detection 173.254.236.5:8900 45.34.191.179:8900 119.147.145.218:8511 wx137672811.f3322.net # Reference: https://twitter.com/pancak3lullz/status/740562923639046146 # Reference: https://www.virustotal.com/gui/file/e39a3ca5574dfba2bd29a71b933c9bf22633baad10c7fcac5abbc700e5b8f175/detection 183.60.202.97:1993 longge520.f3322.net qlsb.f3322.net # Reference: https://twitter.com/pancak3lullz/status/739878964064194560 aabao.top a.aklianfa.com # Reference: https://www.virustotal.com/gui/domain/leiyan.hk/relations leiyan.hk # Reference: https://twitter.com/pancak3lullz/status/739573412973150208 zhaojinyi5045.f3322.org # Reference: https://twitter.com/pancak3lullz/status/742832969539158017 125.88.146.61:9595 hackxiao.top # Reference: https://www.virustotal.com/gui/file/9ea76521dacafc0437c12d3e7b2db5e4cd27054c476e87dfe9fb2934bbd3668b/detection gyddos.com # Reference: https://www.virustotal.com/gui/file/87c00a2dbc7aad92c63afe8633dde5253da9dd8c663dfe257ab17c087c967b16/detection 61.160.232.140:65534 5302000.publicvm.com # Reference: https://www.virustotal.com/gui/file/f5ce87456cad6b035e20df4e3c8cfd6f68353913dbb78be8383036842c54ec69/detection 103.226.124.222:65534 # Reference: https://www.virustotal.com/gui/file/a624fd04789db3e1327fd981ac01b79c1d432819e752291843e4e4778794d6aa/detection 112.74.75.143:6666 # Reference: https://www.virustotal.com/gui/file/96a8382fe8bd91e1cf9ab358cb03f597dc3bcef66503275c17b914e28b438c92/detection 210.222.25.223:6666 # Reference: https://www.virustotal.com/gui/file/22bd3e766de31699464b08467a47b6c44f4825e4984221f74209cdb9c2b26756/detection 61.84.56.105:1234 # Reference: https://www.virustotal.com/gui/file/1b9c5b63df29807ca8dd96c4878d33dc2b1a3bed6a11e8e7bb29ba7a868ac341/detection sexgb.codns.com # Reference: https://www.virustotal.com/gui/file/bcf7e416d7fdb066b831720789ffffcde71e4e1ba99294a159ff342175d9c069/detection 182.225.123.146:8080 tv1004.codns.com # Reference: https://www.virustotal.com/gui/file/6bf39bbb04edf94d46ba9f1a80ac41a3113eac9befc02dc72444aa8e5a68ea55/detection # Reference: https://www.virustotal.com/gui/file/4406f6e797db9308fb2e7d37483f96c71f91fadc98d45539bbe4137f6a8bb241/detection 173.208.243.3:8090 173.208.243.4:8914 74.91.16.130:8089 74.91.16.132:8914 74.91.16.133:6688 imddos.my03.com # Reference: https://www.virustotal.com/gui/file/8b7539df3ca2a8d75f9ce1da69b66b761ff1661fe42b03f18103cd0b0f068956/detection 103.30.40.76:881 103.70.77.18:881 185.207.154.26:881 185.207.154.91:881 185.239.225.133:881 193.42.27.224:881 194.156.132.105:881 222.186.59.89:881 23.236.68.162:881 23.236.68.175:881 23.236.68.185:881 23.236.68.213:881 23.236.68.213:9999 23.236.68.89:881 23.236.68.89:9999 23.236.68.99:881 43.224.249.211:881 45.116.77.70:881 45.116.77.70:9999 45.117.102.172:881 45.120.156.139:881 45.120.156.160:881 45.120.156.160:9999 45.120.156.178:881 45.120.156.178:9999 45.13.199.120:881 45.13.199.120:9999 45.137.10.85:881 45.138.81.176:881 45.138.81.176:9999 78.142.194.122:881 5123.2288.org # Reference: https://www.virustotal.com/gui/file/1d15ccc6dc69f1f0a40f2b1396220120577396a18a9d09ca79a0c267a50e23cf/detection 211.243.120.137:2 ghkdtldhs.p-e.kr # Reference: https://www.virustotal.com/gui/file/295708d2a5ebd22cebe29b3f23a74e2d6f7f1056715324b35f5afc5e1d30ea57/detection 112.152.98.136:1212 # Reference: https://www.virustotal.com/gui/file/3eb70dc98b72cb6e0350f99848e4312fa37ca279c16bb011a9ff676ce530b879/detection a1104.r-e.kr # Reference: https://www.virustotal.com/gui/file/4dea27a086a7fe58de28b8fcd61df55d8656dbcb1803e3ff385cb1e2beded384/detection chlehdgj.r-e.kr # Reference: https://www.virustotal.com/gui/file/54171f4fd9b873b381f597c5b029433d325f27f7d1f1b7b1a131aaf182a47fe6/detection 116.38.148.166:1542 118.40.137.174:1542 wnsdud0430.kro.kr # Reference: https://www.virustotal.com/gui/file/9619b87a5b19e587227eba60171d2763b1fe9f81b27c0207fb3d52233ffbd059/detection 116.38.148.174:1542 116.38.148.175:1542 # Reference: https://www.virustotal.com/gui/file/21f59a60d6632320cad5a25dad18ec42d57bb4d3aebd3afac85ba7d81a5e09f1/detection 175.118.59.183:8125 # Reference: https://www.virustotal.com/gui/file/eb1982fba971cd54894c5755c6bb239ef92b1afcf21f16329f16580f5a103847/detection 124.111.116.108:8125 # Reference: https://www.virustotal.com/gui/file/45b6991cbb39b1598a993ff5b36eafc1308488ebdade8dbda7fe5a5d86c712c4/detection 218.238.223.33:8080 sexymon12.kro.kr # Reference: https://www.virustotal.com/gui/file/4685ce889d2e1ea74385dc9d0da97f279e258db237ca3c057fca0017c011d874/detection 218.238.223.33:6414 # Reference: https://www.virustotal.com/gui/file/4f0248164f3d33045922b8fb8e049df752abb52a4682164aa0dfeff2c1711d89/detection # Reference: https://www.virustotal.com/gui/file/e0e00179548df8be9a772b12744810e6ee3a1e48af967c8af3495ed7c541fac4/detection 103.95.240.43:2018 105.234.35.162:2018 122.213.24.236:2018 124.98.73.100:2018 132.233.176.72:2018 136.106.125.33:2018 148.226.138.194:2018 153.22.87.11:2018 158.73.36.83:2018 164.144.233.221:2018 182.224.234.115:2018 182.224.234.115:2018 182.227.60.248:2018 189.156.42.74:2018 193.207.245.146:2018 202.76.11.129:2018 212.22.201.53:2018 218.91.182.254:2018 246.135.36.50:2018 253.205.144.251:2018 28.207.215.223:2018 43.249.242.252:2018 48.45.191.69:2018 49.175.99.121:2018 9.89.177.30:2018 95.79.19.64:2018 # Reference: https://www.virustotal.com/gui/file/fbbba2a2aadb00fdc81cbbd79523414297de75496ff3f2d11498fb1e5016d249/detection # Reference: https://www.virustotal.com/gui/file/13446373e14035431a35d0f9b1543cf5067c774b999f750fe43ba4e97ee66ab1/detection # Reference: https://www.virustotal.com/gui/file/f393bba5f1252dd68fec310b8f89cda0ec8f59816edb9602f5446df4ba6f6cb3/detection # Reference: https://www.virustotal.com/gui/file/09733d736979f2192a205d576ea3d792740a8cabef8b0e6827b824cc89ef7903/detection # Reference: https://www.virustotal.com/gui/file/96c68339d429c7bc375d18241952caf4e4c58b1c556aa66784288078a738c2d4/detection 101.152.154.58:1800 107.190.198.28:1800 114.249.167.81:1800 116.35.216.50:1800 118.134.172.15:1800 124.193.141.68:1800 128.78.147.2:1800 135.137.116.55:1800 136.121.120.128:1800 14.5.119.153:1800 14.5.119.153:8808 141.171.69.199:1800 142.48.159.25:1800 148.108.129.78:1800 15.187.26.11:1800 15.246.205.111:1800 152.248.134.12:1800 159.52.103.65:1800 165.90.147.35:1800 166.33.192.121:1800 169.161.107.143:1800 174.212.56.214:1800 175.198.201.12:1800 176.105.39.108:1800 176.34.121.22:1800 182.224.234.115:1800 187.234.223.9:1800 187.49.14.95:1800 190.143.255.30:1800 2.89.141.243:1800 200.147.27.118:1800 200.204.108.32:1800 201.87.103.17:1800 211.91.1.105:1800 212.73.235.170:1800 213.164.82.189:1800 217.77.220.79:1800 222.128.169.151:1800 222.17.210.157:1800 222.35.230.92:1800 247.29.146.10:1800 25.190.52.98:1800 252.63.182.76:1800 32.142.109.126:1800 32.60.209.254:1800 37.110.158.71:1800 37.193.185.198:1800 39.228.13.20:1800 4.242.51.24:1800 42.244.134.15:1800 44.149.116.88:1800 49.175.99.121:1800 50.172.115.7:1800 51.6.147.64:1800 55.93.90.75:1800 66.38.193.62:1800 67.180.18.75:1800 79.135.77.85:1800 84.135.45.77:1800 86.171.185.13:1800 89.186.249.149:1800 90.221.6.85:1800 94.92.185.5:1800 # Reference: https://www.virustotal.com/gui/file/b5fabc8dc9e2516642cac9e4bfbda280b6312f1ceb107436f723902c8ee2e841/detection 140.143.145.162:29134 # Reference: https://www.virustotal.com/gui/file/fe5855d961748d6922d5687f0d0f10f07e6c8555cc042d73ba1188801fab7367/detection gdownpack.jomodns.com # Reference: https://www.virustotal.com/gui/file/45d34e4733c9b34cf8e43e13515ebd02c5a3dc9a7a04304caea7f6199b3c1e8c/detection 175.210.132.122:3 194.120.222.177:3 207.217.235.199:3 21.190.31.193:3 218.35.210.186:3 45.232.19.203:3 56.176.248.190:3 # Reference: https://www.virustotal.com/gui/file/aaf036cbf8b7436e69dcc517576c4a01a002f1e204c729469e4217b71e1a8285/detection 49.166.162.113:8080 1145678.p-e.kr # Reference: https://www.virustotal.com/gui/file/e259c7d12802a94129632c8287da2ef5d6ca2f06cac46eb4a0e264e2e69ce5be/detection # Reference: https://www.virustotal.com/gui/file/03d1ae34d48f1da0515fd077dc3a3c9d368dd884a605ee30096c32b4d0469e37/detection 159.58.62.229:1900 172.155.75.252:1900 175.198.201.12:1900 18.56.156.205:1900 182.100.50.239:1900 206.14.37.248:1900 21.114.88.242:1900 217.213.11.235:1900 32.154.41.228:1900 42.98.143.215:1900 53.42.117.202:1900 66.140.130.225:1900 77.212.105.212:1900 8.112.53.218:1900 88.156.79.199:1900 bkhwa123.p-e.kr # Reference: https://www.virustotal.com/gui/file/2a315ec1fbd8a3dfb70ba259699a660389c8a13a158f0c29cace1e1d67131130/detection 121.164.182.43:7327 185.53.179.29:8889 # Reference: https://www.virustotal.com/gui/file/bcf17bd4576d7494a71db278478a1f78112324c5bf847853e4d82c6c8dcde604/detection # Reference: https://www.virustotal.com/gui/file/441f5b8b76b7708eec2250570c714e1d5a35e0bdc867cfae54d639b4b1c4a200/detection # Reference: https://www.virustotal.com/gui/file/a31a9f60e27390091a25f134511f09c7776efab4b758b99cfdfe0498f88caf6d/detection # Reference: https://www.virustotal.com/gui/file/4c9fdb66f53b71a4c98892b62b26939006dd5d6b6353795a6181767b9258e2cc/detection # Reference: https://www.virustotal.com/gui/file/3dcca6757b9dd064348e0897dca21bf4cb8d7a5ce3fa5f54d934e7748684d908/detection 105.209.90.18:2 108.20.136.155:2 116.153.65.5:2 12.195.52.15:2 129.250.78.28:2 143.214.133.34:2 148.108.158.204:2 149.28.251.67:2 153.159.107.21:2 182.227.151.35:2 220.122.152.173:2 220.122.152.173:3 36.109.39.24:2 47.54.142.11:2 60.151.26.34:2 71.95.129.21:2 81.167.103.8:2 95.10.116.31:2 # Reference: https://www.virustotal.com/gui/file/6e2bfdaf17806fa35c8b113fcf6931e22a6fcb8516c2f741bac6cbd63d62ca32/detection 220.122.152.173:12 # Reference: https://www.virustotal.com/gui/file/0a352acc084973c5ccbc13dd487fc5e3e746bb902c5420f98f6c74eb0c120c71/detection mhddos.kro.kr # Reference: https://www.virustotal.com/gui/file/37d02d69a4404525f924954e7ed61b389ae10283ca4cba9fa3e3a6fd66f5b102/detection # Reference: https://www.virustotal.com/gui/file/9bd0184051693d604f2b16ee748b3c4d1a9c988eef4f90fbd933db188dc7ab56/detection 31.13.72.54:6300 67.228.74.123:6300 85.155.231.209:6300 ziscoll.hopto.org # Reference: https://www.virustotal.com/gui/file/b7c16208e51ff8fed8e00a1a203b25f5dbab43f7dd3022f457995b8b726569c3/detection 211.209.68.52:4368 211.209.68.52:8080 211.209.68.52:8500 jjh0547.ddns.net # Referenc: https://www.virustotal.com/gui/file/7f3f596898d41c390b96b234f6c7e6582004e2d2f0915186f679c4e1d786dc84/detection 58.227.92.15:1234 # Reference: https://www.virustotal.com/gui/file/927d0f45bf59f19e915b8a8807372f547d151b60455a7fe40f696b8742d3ae3a/detection 103.101.205.121:7766 107.183.180.136:7766 110.42.0.146:53021 154.213.17.131:7766 43.230.144.18:7766 apple.vzboot.com