# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Orcus RAT command-and-control trails: domains, IP:port pairs and URLs; each "# Reference:" comment documents the source for the indicators that follow it # NOTE: many entries are attacker-controlled hostnames on dynamic-DNS and port-forwarding/tunnel services (duckdns.org, ddns.net, hopto.org, zapto.org, portmap.io/portmap.host, playit.gg/ply.gg, ...) - match on the full hostname as listed, not on the shared parent domain, or legitimate users of those services will trigger false positives # Reference: https://www.fortinet.com/blog/threat-research/circle-of-the-fraud-more-information-about-bitcoin-orcus-rat-campaign.html (typosquatted look-alikes of bitcointalk.org and github.com used by this campaign) adobe.br.com bitcolntalk.com bitcolntalk.org bltcointalk.com bltcointalk.org bltcolntalk.com bltcolntalk.org githvb.com qithub.org qunthy.org wcx.nz wex.ac.nz wex.ms # Reference: https://twitter.com/oguzpamuk/status/1165739004974817280 # Reference: https://app.any.run/tasks/bc90ea8c-24fd-43d1-a831-2246eca40e32/ 65.49.81.174:1337 # Reference: https://twitter.com/JayTHL/status/1188666712813719552 # Reference: https://www.virustotal.com/gui/ip-address/176.227.191.12/relations # Reference: https://www.virustotal.com/gui/file/ab27de99f9af5b25c51a452734624d275be3f375acb8e2e196753f58edd7ff61/detection 176.227.191.12:1337 176.227.191.12:8080 fbkw.tk glared.ga kekw.tk # Reference: https://www.virustotal.com/gui/file/246ed49ede850eaafddff2794415bb71eca90238b8c3ef7969f2a2d9247761a5/detection 176.227.191.12:10134 # Reference: https://www.virustotal.com/gui/file/ba6ac57263f886ec57dbc7d91705bc997a6ee9e0e4753bb1e28036245fa5d954/detection 176.227.191.12:1564 # Reference: https://www.virustotal.com/gui/file/abbf1a3dc2074173f0679edbc25b7e835a799684151f4f5ceb2174515a30f2b6/detection 176.227.191.12:2002 # Reference: https://www.virustotal.com/gui/file/a83458a20fa9f2dd5f58d8bb0b08f9e3c64640b4898d14d4f1494130b9ef2357/detection 176.227.191.12:6666 # Reference: https://www.virustotal.com/gui/file/84a550cd5c0ab129a3e7ddf222e6e20b30e8126abf297d1765c17ef079c8ca9e/detection 176.227.191.12:7007 # Reference: https://twitter.com/JayTHL/status/1199555057513046017 # Reference: https://www.virustotal.com/gui/file/49bd78001249923b28dc30e6c52e121fea38fb58f29c15968379488b4de53c30/detection # Reference: https://www.virustotal.com/gui/file/fc04d2256cdf30a4fcf5eba79c9d451e3e3d20ba01740edce82c0fe697ffa191/detection 6.6.6.6:5631 
warfram3client.duckdns.org # Reference: https://www.virustotal.com/gui/file/f1e09e33334341d3a91e93a1cf44d5c4d7ac420c5e7a1b7d608b6388174de1d0/detection 154.234.192.165:500 # Reference: https://twitter.com/JAMESWT_MHT/status/961905004960468992 # Reference: https://app.any.run/tasks/d8405f6a-e8a5-45e0-abd2-c7fa5ec899ec/ stinkletjet.me # Reference: https://twitter.com/James_inthe_box/status/948880929342173184 88.150.189.98:9989 # Reference: https://twitter.com/James_inthe_box/status/913131729233133568 212.83.170.126:2325 # Reference: https://www.fortinet.com/blog/threat-research/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors.html # Reference: https://www.virustotal.com/gui/file/6554fabddabac2b14cb3209393a13471e7fe985750f1a9a8f030d1ebbc8dff35/detection 172.111.160.213:10134 # Reference: https://www.virustotal.com/gui/file/851f5ea787e9a287880c4a6d05c57e1014605e9a42bae5e3cf770fcd0fe8fb3a/detection 192.69.169.25:10132 ssniper.duckdns.org # Reference: https://www.virustotal.com/gui/file/bf9bb8e1d8bf2de2b73ae7c8e8c5c58083ebe55b0981364e4b976260b3880350/detection 162.200.139.146:1337 voltaire.zapto.org # Reference: https://www.virustotal.com/gui/file/14eb56236bfd39bd8f7cf62c1ec4d50aeaac64d1e17ebf6772a3c259959e0bbb/detection 162.200.139.146:1604 # Reference: https://www.virustotal.com/gui/file/a7d7820eb3ac86718b610030e814fc10da5bc9e5612f35a640e797e23fba6ca4/detection mistervoltaire.duckdns.org # Reference: https://www.virustotal.com/gui/file/11f1090f1ae7cf8bb9a811f7eb6e1f18d33bd44d639e06e031d0ba071eaabd23/detection 185.101.92.3:1919 # Reference: https://www.virustotal.com/gui/file/05040a3af990ed78d087cbaa1e29220f2810b200ce6a0db37dfe869c93381379/detection 104.244.75.220:9340 # Reference: https://www.virustotal.com/gui/file/933dc2ab7637ebaa57187cd43b1ea700499ea53a0e2e5ef7c768b0d43833532b/detection 193.56.28.134:2222 # Reference: https://app.any.run/tasks/5308b1f1-fc1d-41df-9a51-36d9f209caba/ 13.68.91.206:9337 # Reference: 
https://www.virustotal.com/gui/file/48be5ae5cb8e6155352d0936f4785d3da1c1e2a8d0f86f14b240627b378f3a56/detection 66.26.181.172:10134 # Reference: https://www.virustotal.com/gui/file/3fea35061269dd2ecfd1a3561d6490df0586584fd7273510da3602359128e9cf/detection 185.114.225.60:1337 # Reference: https://www.virustotal.com/gui/file/352d043e9d06d67fbc5250dd1183edf4b6b6efc72c86584ab1af183034e345c2/detection 104.128.234.104:1337 takethei.duckdns.org # Reference: https://www.virustotal.com/gui/file/f456d4d5a9233fd787622e0827eeaf5a945e1a808de5312fb57fe4d8feaacecc/detection 45.76.57.32:1337 # Reference: https://www.virustotal.com/gui/file/906f097c2e91c5fafcc8a4d5b480e6cb89d45977d799615a68d6f0689e6c3a52/detection 185.198.26.245:1337 # Reference: https://www.virustotal.com/gui/file/65f750af58456ce7ff79936dba02c53bb4802f0c9acd81e7e37039a21ed06063/detection 206.189.192.66:1337 # Reference: https://www.virustotal.com/gui/file/802f6b02bcfe6cb847a055acdceb8ce3caf1cee6a42ea82baa13e510288bca0d/detection 185.198.26.245:1337 192.169.69.25:1337 # Reference: https://www.virustotal.com/gui/file/6df589eb6933aecc36c73ec13878188843ff7ea2754dc4e05906846524ee99d5/detection 51.68.92.105:1337 1337hax0rs.hopto.org # Reference: https://www.virustotal.com/gui/file/72a9bcb559629c758cbc4da43d78ff0402eee8b1037534fd50d9c5c9435b8f67/detection 185.114.225.60:1337 51.68.81.247:1337 # Reference: https://www.threatcrowd.org/malware.php?md5=2777e5b529531cb2ce4dfaf51e029cc1 menusbyxarva.tk menusbyxarva.ga menusbyxarva.ml menusbyxarva.cf # Reference: https://twitter.com/abuse_ch/status/1233659527989325825 35.192.205.70:6969 # Reference: https://www.virustotal.com/gui/file/aa43e982c2852d515224124f835c5222895525d4dfba78215dfab38421448197/detection 196.89.40.35:3365 # Reference: https://www.virustotal.com/gui/file/713111b19f47264a55f126daeb8e0cdcfa477caad3c62dafceb6dfb726a9b858/detection 91.218.65.24:3333 # Reference: 
https://www.virustotal.com/gui/file/4491b49ec07c3c0cb02ce71fe84f42dc3f51e31d37d2773d81a64c27fa266076/detection 91.218.65.24:10134 # Reference: https://www.virustotal.com/gui/file/0f788b53c047325fa4478a4e35532547fb4e6f16c14d9b7bc6d7eb2606faa25e/detection 91.218.65.24:5634 # Reference: https://www.virustotal.com/gui/file/dd746a6d73f73034d24ae56938ad02370bbdade419c2bfe7cebba1efb9c29072/detection 91.218.65.24:1337 # Reference: https://www.virustotal.com/gui/file/10f9c60cae4b545950b7c92893d5c163f5a7d961346f2b3e9f3cc98069e509db/detection 91.218.65.24:7777 # Reference: https://www.virustotal.com/gui/file/edf5f9bb676e7108c411eed1c1cd1cd322621b7f874b67dc585828dc9d9c5214/detection 140.82.57.249:9876 # Reference: https://app.any.run/tasks/4348840b-74d2-4a36-8b4f-30f7c5c78ac4/ 193.161.193.99:40601 nickman12-40601.portmap.io # Reference: https://www.virustotal.com/gui/file/6610169683c653daa73ebbe240ab6aedbdf029cc1dec4b72e7573b2a6fda61c0/detection 116.39.19.117:3 # Reference: https://www.virustotal.com/gui/file/1110bec1dada5b6ed0042149c1941db248277f3b2b409f693f46e0930920f788/detection 121.130.181.73:3 # Reference: https://www.virustotal.com/gui/file/c65a4ac63d28c402afd57b79e12c6d61105d6d6a01860876bfa44efd797689dc/detection 141.255.154.37:1212 141.255.146.73:1212 # Reference: https://app.any.run/tasks/d334bd67-4079-452e-88be-d924ba7203cd/ 89.208.221.195:14500 # Reference: https://www.virustotal.com/gui/file/4ef58d34d748aae0e1143faba71238eb9910cea26cbc530d8d3c125d8c60789e/detection 88.123.12.74:20030 # Reference: https://app.any.run/tasks/1e5abf39-f919-41c8-954d-d72874ce6a15/ 144.202.9.121:101 # Reference: https://app.any.run/tasks/294f5e39-60d3-4f96-9fc0-65935ce602dd/ 185.239.242.234:1738 # Reference: https://app.any.run/tasks/f34ccc3a-6b82-4aa0-867a-ebf3a9f669ae/ 5.83.160.177:60011 82.228.72.90:60011 macronemmanuel.tk # Reference: https://app.any.run/tasks/b25b2ef4-14cd-42c2-a59b-e336fcd05149/ 178.150.186.188:7771 kirill2811.ddns.net # Reference: 
https://app.any.run/tasks/ea5216eb-a0d4-4848-8c94-f613809f31a3/ 13.58.162.35:8739 orcushack.ddns.net # Reference: https://www.virustotal.com/gui/file/f02a7e84be2f16d0367b4f01781e6b10d6ff522c767d2294349b233e4c7195b1/detection 45.140.146.29:10134 # Reference: https://app.any.run/tasks/7adda6c1-ff18-4d63-9a17-b3a6941ba473/ 193.161.193.99:27371 ParadoxZenon-27371.portmap.io # Reference: https://twitter.com/petrovic082/status/1357973355165585408 # Reference: https://app.any.run/tasks/891171ac-402b-49ca-b121-b0e04560e90e/ 193.161.193.99:51357 reqwah-51357.portmap.host # Reference: https://app.any.run/tasks/2ff5f3ba-fb88-4abc-bec8-6f2e79cb59e8/ 145.249.220.15:10134 skalede767.hopto.org # Reference: https://app.any.run/tasks/64263906-2813-42a1-b04b-5a103e23738f/ 3.128.190.178:1604 orcustop4ik.duckdns.org # Reference: https://www.virustotal.com/gui/file/b2b168bf95857cebb26045f1c8f393aff09126a78f3030a172a160ac4854ccff/detection 31.220.4.216:55551 # Reference: https://www.virustotal.com/gui/file/5519951fbf86c9b18e4aee9ad22be8ca31bd84f5b4cccebf76b4aa47eb2c9ce2/detection 145.249.216.199:10134 danst9364.hopto.org # Reference: https://www.virustotal.com/gui/file/ff9f613548004aa9b8fecf065df4e430300333ebb8f9f8797a2325c6200f01ab/detection newgate.publicvm.com # Reference: https://otx.alienvault.com/pulse/6093db7387777eeb731864eb briaseynan.xyz 6yis.hyperfast.ru # Reference: https://app.any.run/tasks/0d7bb251-7761-484b-a05f-3df038d36c3a/ 109.108.78.4:6666 vertik.ddns.net # Reference: https://otx.alienvault.com/pulse/60b22df3fe03195e2183cc9d mehack1234567.ddns.net # Reference: https://otx.alienvault.com/pulse/60bcb9f5d4b06e9237fc4c77 dbxzpalgedvrvpunalvkzafpwztssi-21177.portmap.io stormy.webhop.me # Reference: https://tria.ge/210712-c9zwaz3llj/behavioral2 3.137.146.78:6666 # Reference: https://tria.ge/210627-txnqrvge6e 3.143.239.116:10134 # Reference: https://tria.ge/210629-3betpwy4qj 74.201.28.60:4296 # Reference: 
https://www.virustotal.com/gui/file/e8038cddd13b772e9179b731d54685773013add7ae588ecf2aa88559cf075b9f/detection http://178.5.71.180 nzxtsh.duckdns.org # Reference: https://www.virustotal.com/gui/file/02612058d7fd3c873536b1d2fec693ccbc3b2fb74352bdad919a0d48654526a4/detection 167.99.165.142:8012 rawrxdd.duckdns.org # Reference: https://app.any.run/tasks/5ff6bb0f-acc1-4d81-9bda-92f140b3d833/ 209.209.113.53:1900 # Reference: https://app.any.run/tasks/d52d1285-d1a2-41a8-b934-51046efa2745/ 3.19.130.43:19001 adenere.duckdns.org alabay22212.ddns.net asdasdsaads.ddns.net biiilasks.ddns.net cehitop.ddns.net drakaaa.ddns.net fevertoxs.duckdns.org googleapis2m.duckdns.org iadalbaebidaun.ddns.net javaservices.ddns.net laserhost.ddns.net mehack1234567.ddns.net meowlin.duckdns.org nnnnssss123.ddns.net soda1234.ddns.net WindowsAuthentication324-49629.portmap.host yrayra.hopto.org # Reference: https://www.virustotal.com/gui/file/0da086f1094a7cb89a1f1046fb4b70d291e305dfa94c842ab03b1c129c0d2694/detection 213.183.58.24:6318 servicesone.duckdns.org # Reference: https://www.virustotal.com/gui/file/5002a9dc45ff0997c96b0ede268dc9dce7764a3eb1245486f2049d6bebf452b2/detection 2.99.226.190:10134 quack11.ddns.net # Reference: https://www.virustotal.com/gui/file/86d82d0589be7238b9b50a7bdc9a5316588e4adfaa98b573fad179d37b813deb/detection maks5554378.zapto.org # Reference: https://otx.alienvault.com/pulse/6241a471e7789affc7863540 # Reference: https://www.virustotal.com/gui/file/653265698129dc5ef061e964f35dbe0bc28c367aa0b1697c48c74105ec4acd0c/detection # Reference: https://www.virustotal.com/gui/file/5920b674bf1462108adb923ca041f10408833f8f2be2207140d651de4c3567cc/detection 25.20.118.185:10134 79.105.117.169:10134 # Reference: https://www.virustotal.com/gui/file/560f386039cad5c2d9c3b21537f7fc0001d8bd3974f752b9d2b409defda45fb5/detection 3.141.177.1:11897 # Reference: https://www.virustotal.com/gui/file/11ca697e07adf990a5e1b84685ef12a11805a6f37d9515daf2519f3728b06270/detection 158.58.172.55:43586 
dexx12.ddns.net # Reference: https://www.virustotal.com/gui/file/d7d9cd6cc6d2becd8e0d2526b9cf22a82582c0e06970788fe5d9a0f44297e520/detection 79.176.141.253:1604 79.178.241.165:1604 xeirz.ddns.net # Reference: https://www.virustotal.com/gui/file/389b36c46d4bd5a2227d7dc65230536cb318e71a9c591878e9a6c319665f5917/detection 128.59.46.86:3456 orcus.nyashteam.ml # Reference: https://www.virustotal.com/gui/file/26d8398a40af0e5d8d6502e761cdc57d0b83f14a55c453b373211d392df4b619/detection 96.81.132.123:7007 sr.fbkw.ru # Reference: https://www.virustotal.com/gui/file/1e9fa3fe7ea9623548f0bb27b43f3cf7edbbd8d86611995caed3e85d6bb45baa/detection 176.227.191.12:2002 s0.kekw.ru # Reference: https://www.virustotal.com/gui/file/1e5baed9725fdd5f257faee6822f2abe6bcc3835f4d34798047f6dd42ac30950/detection 176.227.191.12:1564 s1.kekw.tk # Reference: https://www.virustotal.com/gui/file/84a550cd5c0ab129a3e7ddf222e6e20b30e8126abf297d1765c17ef079c8ca9e/detection 176.227.191.12:7007 # Reference: https://www.virustotal.com/gui/file/4191e8e2d78daa7f7dd3dd728e4a284e6dd217be80b71c5215839a447952ce2a/detection # Reference: https://www.vmray.com/analyses/_vt/4191e8e2d78d/report/network.html 142.126.195.122:10134 mvncentral.zapto.org # Reference: https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/ # Reference: https://app.any.run/tasks/55dce88d-b52c-4a51-b3c8-b8e6dcff0b13/ # Reference: https://www.virustotal.com/gui/file/6e4a1ceaa4080025f7993880cd650a10283555d8bae65c0db421b539e5450517/detection # Reference: https://www.virustotal.com/gui/file/258a75a4dee6287ea6d15ad7b50b35ac478c156f0d8ebfc978c6bbbbc4d441e1/detection 209.25.140.180:52932 209.25.141.180:52932 katana.lol fire-possibility.at.playit.gg joe.katana.lol # Reference: https://asec.ahnlab.com/ko/45153/ (Korean) minecraftrpgserver.com # Reference: https://www.virustotal.com/gui/file/9c55028fbc8ff81990e3cb7040fd196acbd24c3753f7583cac02b0295b323fba/detection 147.185.221.223:5433 209.25.141.223:5433 been-david.at.playit.gg # Reference: 
https://www.virustotal.com/gui/file/372f3033e983a5a4a1f862382f8545ef68ac514a870c8cb44b8c426a86a724df/detection 185.65.135.178:56406 # Reference: https://twitter.com/Gi7w0rm/status/1652641640593408006 # Reference: https://www.virustotal.com/gui/file/796ba530098b895341962be8f2c0de6acc18a3edcc5ed9dd2fac7867c0047fe1/detection # Reference: https://www.virustotal.com/gui/file/9a719d2a58ba7b9d2579cf439de6ab66561d940a9a230c05af2690633c299420/detection # Reference: https://www.virustotal.com/gui/file/9c776fd6ea5b02869f9ad5f5a7c74dcfe4d215de1b07d192f67216118e75938a/detection 45.66.230.222:6547 astaroth.gleeze.com slava3256.ddns.net slava3257.ddns.net # Reference: https://www.virustotal.com/gui/file/7b137c1e9aaa4503a7fa5d3450b9260f6eadf11166ab4ac9c600bd08e0ae68c3/detection 87.225.125.214:2466 rdpread.dynnamn.ru # Reference: https://twitter.com/James_inthe_box/status/1702051656400355468 # Reference: https://app.any.run/tasks/c7677991-3e52-41be-9659-b50d0f1b2296/ 147.185.221.16:43179 # Reference: https://www.virustotal.com/gui/file/07b742c9303e04be588f20f51d68828cae04a1af02cb6d09a9d935007dbb4906/detection 86.105.9.67:5650 realitygaming.us sellygg.tk ab.realitygaming.us blog.sellygg.tk # Reference: https://www.virustotal.com/gui/ip-address/31.44.184.200/relations # Reference: https://www.virustotal.com/gui/file/0eeea482e545c545cb0d2cb997f637799b97b2b29548afd9ef93519eac72cbe9/detection sudorat.ru sudorat.top api.sudorat.top client.sudorat.top lk.sudorat.top 10135.client.sudorat.top 27976.client.sudorat.top 40004.client.sudorat.top 40005.client.sudorat.top # Reference: https://threatfox.abuse.ch/ioc/1165776/ 116.122.117.97:8081 # Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2023-10-11) http://154.244.248.129 http://154.245.216.63 1.54.107.38:4444 116.103.214.233:1024 116.103.214.233:21 116.103.214.233:42132 116.103.214.233:8080 116.103.214.233:9025 138.197.66.62:22169 150.107.2.102:8080 16.170.253.123:10134 163.5.215.221:10134 164.68.126.53:1111 
164.68.126.53:4444 164.68.126.53:8888 164.68.126.53:8899 164.68.126.53:9999 185.217.1.136:49411 188.27.189.65:8080 199.195.249.36:25535 2.58.56.242:3306 202.95.14.178:9993 210.6.234.3:2053 27.124.4.200:6606 52.59.165.93:10134 81.161.229.20:6969 85.209.176.26:1337 86.126.5.18:8080 89.208.105.120:4242 95.142.46.208:10134 # Reference: https://threatfox.abuse.ch/ioc/1191761/ 88.119.171.56:443 # Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Orcus_Rat/orcus_c2s_initial_collection.txt 100.126.50.154:10134 104.158.167.45:10134 104.248.32.109:22998 107.182.128.18:3030 109.134.115.180:1746 109.171.5.62:7139 111.90.146.85:1730 122.186.23.243:10134 128.59.46.185:10832 128.59.46.185:1707 128.59.46.185:20954 128.59.46.185:44657 128.59.46.185:50272 128.59.46.185:58101 134.122.63.65:2000 135.125.148.130:10134 136.144.41.171:10134 138.2.146.162:3544 146.70.143.176:81 147.185.221.16:18245 147.185.221.229:56094 149.154.69.124:2010 168.61.96.29:25565 176.107.177.67:10134 178.209.51.192:2777 179.43.176.20:5555 18.221.17.220:1604 180.92.195.68:25565 183.80.186.171:4444 185.163.47.163:10134 185.204.3.21:10134 185.205.239.197:13666 185.209.23.119:10134 185.217.1.185:911 185.231.155.9:39747 185.41.154.105:587 185.68.21.102:1738 185.94.29.170:10134 188.227.85.44:6969 193.111.248.239:10134 193.124.57.113:10134 193.124.67.212:10134 193.138.195.211:10134 193.161.193.99:47693 193.161.193.99:57974 193.161.193.99:58729 193.169.255.152:6969 193.242.166.48:1234 194.233.31.117:4444 194.26.192.209:1920 194.87.18.67:2004 195.128.126.234:10134 195.154.226.17:1338 195.2.78.34:10134 20.185.191.252:2021 20.89.177.186:21245 209.25.141.181:28100 209.25.141.181:31468 209.25.141.181:40489 216.250.97.121:50721 217.114.43.29:1268 23.227.201.233:10134 23.95.231.205:7077 25.34.63.249:10134 27.124.18.69:6606 31.173.170.243:7777 31.214.245.166:1738 31.214.245.229:3399 35.241.200.200:10112 35.241.200.200:10120 35.241.200.200:10122 35.241.200.200:10129 37.19.221.138:59263 37.252.7.150:7776 
37.46.150.253:1337 40.125.65.33:10134 45.132.105.122:10134 45.146.253.103:420 45.81.39.83:3456 46.35.26.183:41763 5.187.49.231:1339 5.249.161.198:10134 5.83.161.4:10134 51.161.61.86:10134 51.79.39.250:10134 51.89.228.214:10134 52.88.36.247:50679 67.242.2.35:10134 68.219.181.16:443 68.40.140.30:10134 78.135.85.3:10134 78.198.121.158:5555 79.112.157.89:1337 84.200.206.239:7667 84.201.188.25:5566 84.201.188.25:7007 84.201.188.25:8621 84.21.172.55:1339 84.211.45.112:1085 84.211.45.238:1085 87.255.6.145:1577 88.123.101.135:1610 88.14.71.230:10134 91.121.185.43:5075 91.211.248.213:11134 91.218.65.24:6178 92.222.72.160:2341 92.240.245.63:10134 93.108.180.0:4444 93.180.147.254:10134 94.103.87.238:10135 94.60.124.63:4444 95.181.157.49:1738 98.229.214.124:10134 6012.punkdns.pw betadns.phatbois.biz cbm.adenz.top cedricklegends.ddns.net client1111.ddns.net colorfuldreams.hopto.org cuveehackedurpc.ddns.net distance-deutsche.at.ply.gg dololow.ddns.net dontreachme2.ddns.net eta.ne.virus.ne.trogaj.mena.kstati.putinso.site flutrdp.duckdns.org gaygolovorez.chickenkiller.com gerkadas.ddns.net gethack.ddns.net glukozer.go.ro i-stole-your.pw icontrolyou.servepics.com iknowyoumissme.ddnsfree.com isnadsknsbs-38398.portmap.host jewstew.hopto.org kisliycorporait.hopto.org microsoftupdateserver1.ga mistyyy.hopto.org myvpsvps.ddns.net orcusratanondomain.sytes.net owo-whats-this.duckdns.org ozones.ddns.net powerdirector.store putinso.site raiday.ml rat.i-stole-your.pw richhost.ddns.net s1.putinso.site s7vety-47169.portmap.host s7vety-64001.portmap.io satanishere-48375.portmap.io server-cheatchard.ddns.net serverguedin.ddns.net sinistar.visigradstats.xyz solution-fiscal.at.ply.gg sonkalicloud.ddns.net tcp.access.ly tecster.cloudns.cx teen-harvest.at.playit.gg texeshserver.ddns.net tokyonights.pdns.stream tools.3utilities.com vacation-family.at.ply.gg vosal78394-35496.portmap.io warframeclient.duckdns.org # Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2023-11-22) 
http://154.245.132.20 104.168.163.193:8080 183.80.187.20:4444 27.124.6.248:6606 42.114.153.115:4444 # Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2023-12-17) http://154.243.252.14 http://154.244.157.117 http://154.245.225.202 http://197.119.113.44 1.54.172.244:4444 146.235.217.116:1268 15.235.3.1:2000 18.192.31.165:11009 185.196.10.32:6004 194.26.192.11:10137 206.84.153.217:8888 206.84.154.119:8888 213.57.235.107:10134 216.170.120.141:42069 27.124.3.19:6606 31.44.184.52:11426 31.44.184.52:30202 31.44.184.52:41931 31.44.184.52:49810 31.44.184.52:51799 31.44.184.52:51972 31.44.184.52:61946 39.44.128.21:8888 45.204.82.103:6606 45.204.82.82:6606 46.55.218.169:1337 46.8.52.208:49160 5.78.108.0:10134 61.92.130.64:2053 91.92.244.15:6969 91.92.246.10:10134 SATANishere-48375.portmap.io dfwfdsfsdasd.project-nightfall.com groups-opportunity.at.ply.gg living-progressive.at.ply.gg # Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2024-01-24) http://154.244.175.192 http://154.245.115.235 http://197.119.135.90 188.27.189.141:8080 42.114.153.12:4444 58.187.115.100:4444 # Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2024-02-04) http://197.119.141.49 http://20.163.19.3 http://20.240.201.149 154.212.146.81:6606 188.26.86.131:8080 39.38.245.19:8888 45.94.31.205:6969 73.3.46.163:4855 77.246.110.208:1337 77.246.110.208:8888 # Reference: https://threatfox.abuse.ch/browse/malware/win.orcus_rat/ (# 2024-02-12) http://154.245.7.231 http://154.245.89.99 http://197.119.85.192 103.13.210.210:8080 123.206.29.183:10134 134.255.254.225:5051 188.27.175.18:8080 86.126.4.236:8080 94.156.64.66:8080