# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Format: one indicator per line (hostname or IP:port). Each "# Reference:" line cites the
# report for the indicators listed directly below it.
# Many hostnames sit under shared dynamic-DNS providers: match the full hostname, never the
# parent zone, which also serves unrelated users.
# IP:port pairs are point-in-time observations; re-check the cited reference before relying
# on them for blocking.
# Some indicators appear under more than one reference; deduplicate on ingest.

# Reference: https://twitter.com/ScumBots/status/1047543566594179073
queda2122.ddns.net

# Reference: https://twitter.com/ScumBots/status/1047422769712046080
trotokolenigers.onthewifi.com

# Reference: https://twitter.com/ScumBots/status/1046815013401501701
mdformo1.ddns.net

# Reference: https://twitter.com/ScumBots/status/1041469793625407489
farida.ddns.net

# Reference: https://twitter.com/ScumBots/status/1037351538732294145
zxcvbn123456.ddns.net

# Reference: https://twitter.com/ScumBots/status/1038158542736445441
mondns.myftp.biz

# Reference: https://twitter.com/ScumBots/status/1040311939073826816
morfey.hldns.ru

# Reference: https://twitter.com/ScumBots/status/1050046306016747521
office365update.duckdns.org
systen32.ddns.net

# Reference: https://twitter.com/ScumBots/status/1052526398924095488
quedabesouro.ddns.net

# Reference: https://twitter.com/ScumBots/status/1053262497673891841
seekers.hopto.org

# Reference: https://twitter.com/ScumBots/status/1054081645400260608
duckdate.duckdns.org

# Reference: https://twitter.com/ScumBots/status/1063996828516012033
morfey.myftp.org

# Reference: https://twitter.com/ScumBots/status/1064254932528832512
itachituff.duckdns.org

# Reference: https://twitter.com/ScumBots/status/1067565492322410497
farida.ddns.net

# Reference: https://twitter.com/ScumBots/status/1069517101654777857
updatefacebook.ddns.net

# Reference: https://twitter.com/ScumBots/status/1080998862574309377
vivivi.myftp.org

# Reference: https://twitter.com/ScumBots/status/1081317358206156800
nerv7.ddns.net

# Reference: https://twitter.com/ScumBots/status/1081378115526582273
mondns.myftp.biz

# Reference: https://twitter.com/ScumBots/status/1082132730715037696
queda212.duckdns.org

# Reference: https://twitter.com/ScumBots/status/1089336859912744960
microsoftsecure.myq-see.com

# Reference: https://twitter.com/ScumBots/status/1090260035312275456
498408.ddns.net
olhomagicocdt.duckdns.org
systenfailued.ddns.com.br

# Reference: https://twitter.com/ScumBots/status/1090736985315201025
helloweenhagga.ddns.net
helloweenhagga1.ddns.net
helloweenhagga2.ddns.net
helloweenhagga3.ddns.net

# Reference: https://twitter.com/ScumBots/status/1095149123517534208
helloweenhagga4.ddns.net

# Reference: https://twitter.com/ScumBots/status/1095760026923352066
updatesystem.linkpc.net

# Reference: https://twitter.com/ScumBots/status/1097587061329154055
easykill.servebeer.com
easykill1.servepics.com
easykill2.servepics.com
easykill3.servebeer.com

# Reference: https://twitter.com/ScumBots/status/1098145754185633793
haggasinger.ddns.net
haggasinger1.ddns.net
haggasinger2.ddns.net

# Reference: https://twitter.com/ScumBots/status/1101890548661698560
rat24695.ddns.net

# Reference: https://twitter.com/ScumBots/status/1102445323417542658
mastermana1.serveirc.com
mastermana2.serveirc.com
mastermana3.serveirc.com
mastermana4.serveirc.com

# Reference: https://twitter.com/ScumBots/status/1103351296768331776
seskoal7rbe.ddns.net

# Reference: https://twitter.com/ScumBots/status/1103751431318892546
fouirux-59789.portmap.io
81.106.30.119:4444

# Reference: https://twitter.com/ScumBots/status/1104736674087665665
173.46.85.160:5555

# Reference: https://twitter.com/James_inthe_box/status/1107686616624037890
# Reference: https://twitter.com/JAMESWT_MHT/status/1107682800134750211
nobody120.duckdns.org

# Reference: https://twitter.com/ScumBots/status/1108802212543848450
5.9.171.235:333

# Reference: https://twitter.com/ScumBots/status/1110489582494203904
91.192.100.5:1604

# Reference: https://twitter.com/Racco42/status/1112628162872119296
82.223.9.232:98

# Reference: https://twitter.com/TweeterCyber/status/1112919582635745281
kronozzz2.duckdns.org

# Reference: https://twitter.com/F_kZ_/status/1047054463570186241
37.187.155.228:85
nojjdjamel.hopto.org
nojjdjamel2251.hopto.org

# Reference: https://twitter.com/malware_traffic/status/935703820889358336
oamentyga.duckdns.org

# Reference: https://twitter.com/Racco42/status/884324767809056768
37.187.92.171:621

# Reference: https://twitter.com/Racco42/status/882123509350236160
hagroonayazabiiiiii.com
82.165.147.250:621

# Reference: https://twitter.com/luc4m/status/1113433242689052672
oldmandnsch.duckdns.org

# Reference: https://twitter.com/ScumBots/status/1117986483196055552
# Reference: https://twitter.com/ScumBots/status/1123048893170769922
# Reference: https://twitter.com/ScumBots/status/1123675214980833280
95.213.251.165:7070
95.213.251.165:9090
95.213.191.230:9090

# Reference: https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign
frankmana.duckdns.org
workfine11.duckdns.org
oldmandnsch.duckdns.org
blackhagga.duckdns.org
skyrocket1.duckdns.org
kronoz.duckdns.org
oldmandnsch.duckdns.org
kronozzz2.duckdns.org
lulla.duckdns.org
decent.myvnc.com
decent5.myvnc.com
jayztools1.ddns.net
jayztools2.ddns.net
jayztools3.ddns.net
totallol.duckdns.org
totallol1.duckdns.org
totallol2.duckdns.org
totallol3.duckdns.org
decent2.myvnc.com
decent3.myvnc.com
decent1.myvnc.com
decent4.myvnc.com
jordanchen736.sytes.net
jordanchen7361.sytes.net
jordanchen7362.sytes.net
jordanchen7363.sytes.net
lalacious1.serveftp.com
lalacious2.serveftp.com
lalacious3.serveftp.com
lalacious4.serveftp.com
mastermana1.serveirc.com
mastermana2.serveirc.com
mastermana3.serveirc.com
mastermana4.serveirc.com
mastermana5.serveirc.com
lullikhao.ddns.net
lullikhao1.ddns.net
lullikhao2.ddns.net
bullol.duckdns.org
cocomo.ddns.net
haggasinger2.ddns.net
haggasinger.ddns.net
haggasinger1.ddns.net
loramer1.ddnsking.com
easykill.servebeer.com
easykill3.servebeer.com
easykill2.servepics.com
easykill1.servepics.com
easykill3.servepics.com
helloweenhagga.ddns.net
helloweenhagga3.ddns.net
helloweenhagga4.ddns.net
helloweenhagga2.ddns.net
revengerx211.sytes.net
revengerx212.sytes.net
revengerx213.sytes.net
revengerx214.sytes.net
revengerx215.sytes.net
revengerx216.sytes.net
revengerx217.sytes.net
revengerx218.sytes.net
revengerx219.sytes.net
revengerx210.sytes.net
office365update.duckdns.org
systen32.ddns.net
bhenchood.ddns.net
emmanuelstevo.ddns.net
zinderhola1.ddns.net
zinderhola.ddns.net
myownlogs.duckdns.org
cocomo1.ddns.net
cocomo10.serveblog.net
cocomo2.ddns.net
cocomo2.serveblog.net
cocomo3.serveblog.net
cocomo4.serveblog.net
cocomo5.serveblog.net
cocomo6.serveblog.net
cocomo7.serveblog.net
cocomo8.serveblog.net
cocomo9.serveblog.net
mrcode.hopto.org
mrcode1.hopto.org
mrcode2.hopto.org
pussi2442.ddns.net

# Reference: https://twitter.com/malwrhunterteam/status/1076166793054556160
presentationx.sytes.net

# Reference: https://twitter.com/ScumBots/status/1121497114532618246
5.9.171.229:777

# Reference: https://twitter.com/illegalFawn/status/1122767858126266368
jorenimo55.hopto.org

# Reference: https://twitter.com/ScumBots/status/1126966907511480321
151.80.241.114:666

# Reference: https://twitter.com/HONKONE_K/status/1135760982385483777
queda212.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1144358899429986304
185.165.153.250:5478
193.56.28.134:5478

# Reference: https://twitter.com/ScumBots/status/1145116725970657281
93.90.193.146:213

# Reference: https://twitter.com/ps66uk/status/1145640316856340480
cheryl11.duckdns.org

# Reference: https://twitter.com/powershellcode/status/1148234398703030273
bylgay.hopto.org
microsoftoutlook.duckdns.org
soucdtevoceumcuzao.duckdns.org

# Reference: https://twitter.com/coderippers/status/1153267389632602114
# Reference: https://www.virustotal.com/gui/ip-address/105.112.98.242/relations
105.112.98.242:1040
blackhill.ddns.net
isaacjekaguleri1234.ddns.net
mbvd.hopto.org
moneybag123.myftp.biz

# Reference: https://twitter.com/coderippers/status/1154003951152484352
mzu.publicvm.com

# Reference: https://twitter.com/ScumBots/status/1154429111198203910
204.152.219.67:1003

# Reference: https://twitter.com/RedDrip7/status/1154696058846322688
# Reference: https://ti.qianxin.com/blog/articles/gorgon-group-campaign-aggah-with-pastebin/
kronozzz2.duckdns.org
microsoftoutlook.duckdns.org
tonypp.duckdns.org
yahakhan.duckdns.org
zoebin.duckdns.org

# Reference: https://twitter.com/Racco42/status/1158745916653920257
194.5.98.242:1212

# Reference: https://twitter.com/James_inthe_box/status/1165603800230481920
# Reference: https://www.virustotal.com/gui/ip-address/82.146.50.128/relations
# Reference: https://www.virustotal.com/gui/ip-address/37.203.214.30/relations
37.203.214.30:5000
82.146.50.128:5000
ahhahaasdas.ddns.net
dafg124.ddns.net
darckcometa.ddns.net
denisvpn2.ddns.net
devedeev.hopto.org
don4ik228.ddns.net
ewqewqewq.ddns.net
hostvimeworld.ddns.net
killler40000.ddns.net
lis1033.hopto.org
makot123.ddns.net
nikolaykolyabb.hopto.org
noinmy.ddns.net
werder3456.hopto.org
anonim001.ddns.net
asfadsvasdfsd.ddns.net
hedswjhrjkwe.freedynamicdns.net
matvey.ddns.net
micromax111.ddns.net
minecrafter1337.ddns.net
nargaroth.ddns.net
orcusbam.ddns.net
q12345gg.hopto.org
q312820ressivr.hopto.org
syka228228ppppp.ddns.net
talgat.ddns.net
uksivthack.mein-vigor.de
vhjrtyg.hldns.ru

# Reference: https://twitter.com/de_aviation/status/1097547526763433985
helloweenhagga.ddns.net
revengerx111.sytes.net

# Reference: https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html
qstorm.chickenkiller.com
skymast231-001-site1.htempurl.com

# Reference: https://twitter.com/ScumBots/status/1175338135573684224
3.19.114.185:11400

# Reference: https://blog.prevailion.com/2019/10/mastermana-botnet.html
rgalldmn.duckdns.org
speeddfox.duckdns.org

# Reference: https://twitter.com/ScumBots/status/1180817132763963394
144.76.134.221:333

# Reference: https://twitter.com/P3pperP0tts/status/1181546654169800705
34.95.176.194:443
bkil.ddns.net

# Reference: https://twitter.com/ScumBots/status/1184367636941029377
18.216.157.58:333

# Reference: https://twitter.com/ScumBots/status/1185658643720626176
193.161.193.99:56282

# Reference: https://twitter.com/ScumBots/status/1185983283408134145
192.241.133.27:5555

# Reference: https://twitter.com/ScumBots/status/1186745945154838528
148.251.11.102:333

# Reference: https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/
bhenchood.ddns.net
blackhagga.duckdns.org
bullol.duckdns.org
cocomo.ddns.net
cocomo1.ddns.net
cocomo10.serveblog.net
cocomo2.ddns.net
cocomo2.serveblog.net
cocomo3.serveblog.net
cocomo4.serveblog.net
cocomo5.serveblog.net
cocomo6.serveblog.net
cocomo7.serveblog.net
cocomo8.serveblog.net
cocomo9.serveblog.net
cycbra.duckdns.org
decent.myvnc.com
decent1.myvnc.com
decent2.myvnc.com
decent3.myvnc.com
decent4.myvnc.com
decent5.myvnc.com
easykill.servebeer.com
easykill1.servepics.com
easykill2.servepics.com
easykill3.servebeer.com
easykill3.servepics.com
emmanuelstevo.ddns.net
frankmana.duckdns.org
haggasinger.ddns.net
haggasinger1.ddns.net
haggasinger2.ddns.net
helloweenhagga.ddns.net
helloweenhagga2.ddns.net
helloweenhagga3.ddns.net
helloweenhagga4.ddns.net
jayztools1.ddns.net
jayztools2.ddns.net
jayztools3.ddns.net
jordanchen736.sytes.net
jordanchen7361.sytes.net
jordanchen7362.sytes.net
jordanchen7363.sytes.net
kronoz.duckdns.org
kronozzz2.duckdns.org
lalacious1.serveftp.com
lalacious2.serveftp.com
lalacious3.serveftp.com
lalacious4.serveftp.com
loramer1.ddnsking.com
lulla.duckdns.org
lullikhao.ddns.net
lullikhao1.ddns.net
lullikhao2.ddns.net
majorsss.duckdns.org
mastermana1.serveirc.com
mastermana2.serveirc.com
mastermana3.serveirc.com
mastermana4.serveirc.com
mastermana5.serveirc.com
mrcode.hopto.org
mrcode1.hopto.org
mrcode2.hopto.org
myownlogs.duckdns.org
office365update.duckdns.org
oldmandnsch.duckdns.org
pussi2442.ddns.net
revengerx210.sytes.net
revengerx211.sytes.net
revengerx212.sytes.net
revengerx213.sytes.net
revengerx214.sytes.net
revengerx215.sytes.net
revengerx216.sytes.net
revengerx217.sytes.net
revengerx218.sytes.net
revengerx219.sytes.net
skyrocket1.duckdns.org
systen32.ddns.net
totallol.duckdns.org
totallol1.duckdns.org
totallol2.duckdns.org
totallol3.duckdns.org
workfine11.duckdns.org
zinderhola.ddns.net
zinderhola1.ddns.net

# Reference: https://www.virustotal.com/gui/file/96a008b46c9acacccb03a31c01c9c28dac64b621eb819b8c92f242288207973a/detection
45.236.130.17:2022
d0rian2022.ddns.net

# Reference: https://twitter.com/P3pperP0tts/status/1190316504304246786
156.215.159.57:333
lapoire1.hopto.org

# Reference: https://twitter.com/ScumBots/status/1191396450497974274
193.161.193.99:56282

# Reference: https://twitter.com/JAMESWT_MHT/status/1193905361100644352
# Reference: https://app.any.run/tasks/d364f0d3-ed23-44ec-b230-351f75a5b0b3/
192.169.69.25:5552
ytka.duckdns.org

# Reference: https://twitter.com/JayTHL/status/1189578177368264704
nocbaba1.duckdns.org

# Reference: https://www.virustotal.com/gui/file/639f527b10857a2ef47673e699818f3dd85524ec31a3d8f487e133c73ba4a186/detection
105.112.98.242:5198

# Reference: https://www.virustotal.com/gui/file/27621e43a8b7d8137c432702b03561de7590ef55d7df0c3ad1f296a2891dde79/detection
185.244.29.15:5198
mallorca.myftp.org

# Reference: https://twitter.com/ScumBots/status/1197640092397064192
190.159.103.11:8080

# Reference: https://www.virustotal.com/gui/file/94d9cfda3e2a60aea012b0948c9f9eaf55d1f7d90fb1bc9e9c094a3a064669ad/detection
40999up.sytes.net
acecervolta.duckdns.org

# Reference: https://www.virustotal.com/gui/file/ca3045208e641a504d71b95b312e23b5956540c42390d4fd5c73b0a592605ce2/detection
79.134.225.105:1515

# Reference: https://www.virustotal.com/gui/file/5fcf8adcf19a796ba5be6eafec26b0e735132fbdc9443e64a6622ddccbc622f9/detection
anonyklax.duckdns.org

# Reference: https://www.virustotal.com/gui/file/b8de1bc56ce012c92db35b2fa042cc64949b44561c8b99137b6b9d7352046bd2/detection
212.83.170.126:556

# Reference: https://www.virustotal.com/gui/file/9ad8e7da4c1659aa83b8c26be641cb813ca9b3b3ab66436d39c37355b2060dd8/detection
212.83.170.126:777

# Reference: https://www.virustotal.com/gui/file/57e4b72d810a2060fc33a66712099b1a1c380f6b48fc1b0d2ce551acd5a26280/detection
212.83.170.126:555

# Reference: https://twitter.com/0xCARNAGE/status/1200501488709226498
# Reference: https://app.any.run/tasks/c382b09f-03f7-4680-86c5-28316c5cc5e3/
reviewondoc.hopto.org

# Reference: https://www.virustotal.com/gui/file/194318a6aa15e9b89493527e85e366a620375fb8276a99cbbe60e74c64007cdf/detection
therazor.duckdns.org

# Reference: https://www.virustotal.com/gui/file/53ff9d532c3deb4a523a837c7d0a5e1fc73d9d229505a9b21b9fa5c2e2a75b81/detection
tripplegar.duckdns.org

# Reference: https://www.virustotal.com/gui/file/978785aa90673c5ddc678f1018e3eda34ac89d74746da046c4264716b7ad90ac/detection
raxixe.ddns.net

# Reference: https://www.virustotal.com/gui/file/c0e1cefc0fa326e6fe9bc99b75f3efbe416288bdb9c15419f3d311c74a6d5159/detection
117.102.55.39:27015
196.194.129.126:27015

# Reference: https://www.virustotal.com/gui/file/a22e0bd4c7fb42f0eff06c79882c3978d36036b05365afce51a678940b77d2db/detection
117.102.49.165:27015

# Reference: https://www.virustotal.com/gui/file/866159f1b11fe095f44befc8f854d5088ad102ca5ee1596545551474159e3b54/detection
111.88.66.94:27015
196.62.171.212:27015

# Reference: https://www.virustotal.com/gui/file/f1c7e6b4718c11fdc2480758d92457c3cfb4b76f3904164c6a3385a79bb5129c/detection
82.165.189.152:12
rdp.dgsn.fr

# Reference: https://www.virustotal.com/gui/file/0474fa430b2615ae160aad788b42af3c9c853a18f881d9f2b68142a7758cd677/detection
51.39.52.149:2303

# Reference: https://www.virustotal.com/gui/file/9ca36a408d5a16f3dc423b8d242f4e88801e8182af6ae3a11c7fc33bdb534f8e/detection
79.134.225.81:2303

# Reference: https://www.virustotal.com/gui/file/579dddb5b420ac1e3e0a7fb69aea0ce133a1abb19649e9077d9fad2587dee80f/detection
alien007.my-firewall.org

# Reference: https://www.virustotal.com/gui/file/ae8d20d5b490e43334f8338d3907f02030a2b41332ac23bbce2d450017bc8326/detection
192.253.246.145:8152