# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://hackforums.net/printthread.php?tid=5655422
# Reference: https://twitter.com/r3dbU7z/status/1347527548977242116
# Reference: https://www.virustotal.com/gui/file/6cd557cb2582ab5cf8d0e77131479ab91c00bfdf9c775c170809d5265bf0477a/detection

107.191.47.239:3333
176.31.105.53:3333
45.32.233.191:3333
51.144.104.161:3333
51.144.119.120:3333
54.37.7.208:3333
94.23.251.22:3333
107.191.47.239:7777
176.31.105.53:7777
45.32.233.191:7777
51.144.104.161:7777
51.144.119.120:7777
54.37.7.208:7777
94.23.251.22:7777
minergate.com
pool.minergate.com
xmr.pool.minergate.com
miningpoolhub.com
minexmr.com
pool.minexmr.com
moneropool.com
crypto-pool.fr
dwarfpool.com
xmrpool.eu
prohash.net
nanopool.org
ethereumpool.co
suprnova.cc
siamining.com

# Reference: https://www.virustotal.com/gui/file/7738ad1029f1709ec86c8ba24e04b3f71edf671b64681b884ccd70725a1674a5/detection

94.130.143.162:45700

# Reference: https://www.multipool.us/

multipool.us

# Reference: https://mining-help.ru/

mining-help.ru

# Reference: https://xmrminer.cc/

xmrminer.cc

# Reference: https://www.monero.how/tutorial-how-to-mine-monero

supportxmr.com
monero.hashvault.pro
monerohash.com
monero.crypto-pool.fr
xmrpool.net
poolmining.org
pool.xmr.pt
xmr.prohash.net
xmr.poolto.be

# Reference: http://www.gandalph3000.com/

gandalph3000.com

# Reference: https://pangolinminer.com/

pangolinminer.com

# Reference: https://hellominer.com/

hellominer.com

# Reference: https://github.com/keraf/NoCoin/blob/master/src/blacklist.txt

# coinhive.com
# coin-hive.com
# jsecoin.com
# reasedoper.pw
# mataharirama.xyz
# listat.biz
# lmodr.biz
# minecrunch.co
# minemytraffic.com
# crypto-loot.com

# Reference: https://www.virustotal.com/#/file/179c5390ba2023402283104fd85d6394033976bc2f21e45d32e7557cafaa7d41/detection

sparechange.io

# Reference:
# https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html

8282.space
3389.space

# Reference: https://github.com/xmrig/xmrig/blob/master/src/net/strategies/DonateStrategy.cpp

fee.xmrig.com

# Reference: https://www.securityhome.eu/malware/malware.php?mal_id=7994909645aa0b75fc035d0.43847858

donate.xmrig.com

# Reference: https://isc.sans.edu/forums/diary/What+is+going+on+with+port+3333/23215

mine.moneropool.com
pool.cortins.tk
pool.supportxmr.com
xmr.crypto-pool.fr
xmrpool.eu

# Reference: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

koto-pool.work

# Reference: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang

134.209.104.20:51640
minerxmr.ru

# Reference: https://twitter.com/bad_packets/status/1100625553822867456

119.23.222.239:26590

# Reference: https://twitter.com/James_inthe_box/status/1115591879586795521

47.97.119.5:19988

# Reference: https://twitter.com/infosec_dude/status/1117450131417313280
# Reference: https://www.virustotal.com/gui/ip-address/45.43.27.214/relations
# Reference: https://twitter.com/James_inthe_box/status/1117881448151666688

45.43.27.214:17555
r.twotouchauthentication.online

# Reference: https://twitter.com/luc4m/status/1123126706943008768

139.224.15.175:26591

# Reference: https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github

zarabotaibitok.ru
61.128.111.164:3335

# Reference: https://twitter.com/raby_mr/status/1133347073154097153
# Reference: https://app.any.run/tasks/7e23f973-5f69-4ef0-af26-427e975e308d/
# Reference: https://www.virustotal.com/gui/file/272e25e3aa9d792281a282c2f6cd40d59c5b8fe432ae93bb5015899ceb173dd1/behavior/Dr.Web%20vxCube
# Reference: https://www.virustotal.com/gui/ip-address/94.130.64.225/relations
# Reference: https://www.virustotal.com/gui/ip-address/46.4.119.208/relations

46.4.119.208:45700
94.130.64.225:45700

# Reference:
# https://github.com/guardicore/labs_campaigns/blob/master/Nansh0u/mining_pools_domains.md

lokiturtle.herominers.com
trtl.cnpool.cc
turtle.miner.rocks
trtl.pool.mine2gether.com

# Reference: https://twitter.com/liuya0904/status/1135901420958281729

noobxmr.com
minexmr.cn
moriaxmr.com
viaxmr.com
xmr-us.suprnova.cc
xmr.bohemianpool.com
xmr-usa.dwarfpool.com
miners.pro
zer0day.ru

# Reference: https://twitter.com/malware_traffic/status/1138999824613687298
# Reference: https://twitter.com/VK_Intel/status/1139926661162512384
# Reference: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-06-14-tofsee-spambot-modules.notes.vk.txt

185.181.165.20:8087

# Reference: https://twitter.com/Artilllerie/status/1115258738368294913

185.212.129.80:8087

# Reference: https://otx.alienvault.com/pulse/5d0773672ba7e7853c4ad5cf

185.161.70.34:3333
202.144.193.184:3333
205.185.122.99:3333

# Reference: https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/ (# Mining hosts)

system-update.info
system-check.services
185.193.126.114:443
185.193.126.114:8080
82.221.139.161:8080

# Reference: https://twitter.com/28bit/status/1159906315642253312

121.42.151.137:28850

# Reference: https://twitter.com/James_inthe_box/status/1165005466419658753

3.120.209.58:8080

# Reference: https://habr.com/ru/company/pt/blog/466877/ (Russian)

154.16.67.133:80

# Reference: https://twitter.com/Paladin3161/status/1171766464560238593
# Reference: https://pastebin.com/YWXQFF3Q

http://185.141.25.35
solarray.club

# Reference: https://twitter.com/pancak3lullz/status/1174012227130679297

65.154.226.109:14100
70.42.131.189:14100

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/

pool.usa-138.com
xmr.usa-138.com

# Reference: https://twitter.com/MalwareTechBlog/status/1190730471321112577
# Reference: https://otx.alienvault.com/pulse/5dbdf437299aea7cd396cd26
# Reference:
# https://www.virustotal.com/gui/file/8a87a1261603af4d976faa57e49ebdd8fd8317e9dd13bd36ff2599d1031f53ce/detection
# Reference: https://www.virustotal.com/gui/file/037dbddeda76d7a1be68a2b3098feabfbf5400a53e2606f5a0e445deb2e42959/detection

5.100.251.106:52057

# Reference: https://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/

myxmr.pw
xmr.5b6b7b.ru

# Reference: https://www.virustotal.com/gui/file/f99833ef4d4bcb6cf9abcaee6edd3d1ba5b5825af4fd3f609654d343b137a8af/detection

91.121.140.167:3333

# Reference: https://www.accenture.com/_acnmedia/pdf-46/accenture-threat-analysis-monero-wannamine.pdf

pool.supportxmr.com
pool.minexmr.com
pool.support
pool.monero.hashvault.pro
xmrpool.eu
cryptonight-hub.miningpoolhub.com
xmrpool.net
xmr.nanopool.org
mixpools.org
minergate.com
viaxmr.com
moriaxmr.com
xmr.suprnova.cc
moneroocean.stream
xmrpool.eu
xmrpool.de
poolto.be
mineXMR.com
xmr.prohash.net
sheepman.mine.bz
xmr.mypool.online
bohemianpool.com
moneropool.com
moneropool.nl
iwanttoearn.money
pool.xmr.pt
monero.crypto-pool.fr
monero.miners.pro
minercircle.com
monero.lindon-pool.win
cryptmonero.com
teracycle.net
ratchetmining.com
dwarfpool.com
monerohash.com
monero.us.to
usxmrpool.com
xmrpool.xyz
minemonero.gq
alimabi.cn
pooldd.com
monero.riefly.id

# Reference: https://blog.talosintelligence.com/2020/01/vivin-cryptomining-campaigns.html
# Reference: https://otx.alienvault.com/pulse/5e29b7189d749995b2d4ea71
# Reference: https://www.virustotal.com/gui/file/6bc118693d6e69081e5f39fdab20a613d7536d3199c029562c192c5dbc9d1d1c/detection

37.59.43.136:4444
37.59.54.205:4444

# Reference: https://app.any.run/tasks/d6c87295-24a2-48eb-aef0-d3d5ac4ad2ae/
# Reference: https://mining.bittube.app/

mining.bittubeapp.com

# Reference: https://www.virustotal.com/gui/file/5eda21ea41febbdc5b69840894cb37cba8206f2865dc07e2cb85c29db5240d04/detection
# Reference: https://www.virustotal.com/gui/ip-address/163.172.204.213/relations
# Reference:
# https://www.virustotal.com/gui/ip-address/163.172.204.219/relations

163.172.204.213:3333
163.172.204.219:3333
163.172.207.198:3333
163.172.207.71:3333
crypto-pool.info
monero-master.crypto-pool.fr
pool.4i7i.com
xmr.ip28.net
xmr.simka.pw
xmrpool.me
xmr.crypto-pool.info
xmrf.520fjh.org
xmrf.fjhan.club
xmr.somec.cc
pool.somec.cc

# Reference: https://www.first.org/resources/papers/amsterdam2019/FIRST-TC-pres-v1.1.pdf
# Note: page 31
# Reference: https://www.virustotal.com/gui/ip-address/163.172.226.194/relations
# Reference: https://www.virustotal.com/gui/domain/xmr.crypto-pool.fr/relations
# Reference: https://www.virustotal.com/gui/file/87f9a5a38c1dce92317c50fe66f2fdc0fcfac19f0ea58951b9a3e747915c1827/behavior/Rising%20MOVES
# Note: different ports used

163.172.114.218
163.172.203.178
163.172.204.213
163.172.204.219
163.172.205.136
163.172.206.67
163.172.207.166
163.172.207.198
163.172.207.69
163.172.207.71
163.172.207.88
163.172.224.101
163.172.226.114
163.172.226.120
163.172.226.128
163.172.226.137
163.172.226.194
163.172.226.218

# Reference: https://www.virustotal.com/gui/file/fbcdd5c542bb5c66303e621829f0cd654be0bfb38ed0c50a335ef3c9dae0201f/detection

138.201.20.89:45700
138.201.27.243:45700
78.46.87.181:45700
88.99.142.163:45700

# Reference: https://www.virustotal.com/gui/file/c3affb76ff0fad78d77b0153b5c2a99d5bbd8d829ef13661c0af58d2988db344/detection

149.210.234.234:3333
litecoinpool.org

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1240732487195688962

covid19crypto.com

# Reference: https://blog.360totalsecurity.com/en/crazycoin-the-master-of-double-mining-double-white-utilization-and-resource-utilization/

47.101.30.124:13531
47.108.119.77:6000
f2pool.com
hns.f2pool.com
xmr.f2pool.com

# Reference: https://github.com/Monero-Monitor/monero-monitor/blob/master/data/html/options.html

monero.crypto-pool.fr
monerohash.com
moneropool.com
drill.moneroworld.com
cryptmonero.com
xmr.prohash.net
xmr.alimabi.cn
xmrpool.eu
supportxmr.com
minexmr.com

# Reference:
# https://www.virustotal.com/gui/file/eaef82223eeb8cf404a1d46613d36b9e582304b215201b5e557db578dd73e04e/behavior/Dr.Web%20vxCube

37.59.43.131:5555
37.59.43.136:5555
91.121.2.76:5555
37.59.45.174:5555
176.9.2.144:5555
78.46.91.134:5555
78.46.89.102:5555
37.187.154.79:5555
37.59.54.205:5555
37.59.55.60:5555

# Reference: https://s.tencent.com/research/report/948.html (Paragraph 6)
# Reference: https://otx.alienvault.com/pulse/5e863edb03f9ddbc8bc15b60

103.195.4.139:443
178.128.108.158:443
68.183.182.120:443

# Reference: https://www.virustotal.com/gui/file/455224893e266c7f5781bdc2e0c1cbb1a4f3c71c8a63ba7c690cd3067949ed5c/detection

178.63.48.196:5555

# Reference: https://blacklist.cyberthreatcoalition.org/vetted/url.txt

minerpool.pw
/xmrig/

# Reference: https://www.virustotal.com/gui/file/a38216166e363d752f37bdf0419d2e2694279beab8df66d40f56c679563e7a4f/detection

pool.hashvault.pro

# Reference: https://www.virustotal.com/gui/file/f47aa2f661eec457e659d0c0867902e4ed851993f8b884e03c22e27403f4876c/detection
# Reference: https://www.virustotal.com/gui/file/6eb73cfa98e35282a6f9a6d028f3f5ad84cf29ed4deb33b262d682c8bd246466/detection
# Reference: https://www.virustotal.com/gui/file/44cd3c7c0acb590fd5f1d5175171accedc602c702139ea47017dea782b859a8b/detection
# Reference: https://www.virustotal.com/gui/domain/hex7e4.ru/relations

134.122.57.234:3333
185.212.128.180:8080
45.61.136.51:3333
45.61.136.51:8080
97.68.239.202:3333
d1pool.ddns.net
d5pool.us
xmr.hex7e4.ru
xxx.hex7e4.ru

# Reference: https://www.virustotal.com/gui/file/f0fa9f69e15c349511fc1d2928507a69aefa908726d5c3aa5cd7e3ae83b412c5/detection

107.175.127.22:6661
emercoin.com
emercoin.net
emergate.net
seed.emercoin.com
seed.emercoin.net
seed.emergate.net

# Reference: https://twitter.com/r3dbU7z/status/1323120001604341760

13.77.155.141:5000
xmr.bepooh.com

# Reference: https://www.virustotal.com/gui/file/f1f8d8e09da07736059c4388bfdf35318d3e34726c5d362c5f986e5ed8d6a0d4/detection

51.81.245.40:5555
us-west.minexmr.com
webservicepag.webhop.net

# Reference: https://thedfirreport.com/2020/11/12/cryptominers-exploiting-weblogic-rce-cve-2020-14882/
# Reference: https://otx.alienvault.com/pulse/5fad78631749dbff71a31f55
# Reference: https://www.virustotal.com/gui/ip-address/178.128.242.134/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.92.222.223/relations
# Reference: https://www.virustotal.com/gui/file/58bb90f11070a114442c4fa1cbbccefadcdf954510ae2b8d91c9b22b1a8a42d5/detection

178.128.242.134:443
185.92.222.223:443
104.140.244.186:3333
37.59.44.193:3333
45.136.244.146:3333
94.23.23.52:3333
donate.ssl.xmrig.com
donate.v2.xmrig.com
randomx.xmrig.com

# Reference: https://twitter.com/r3dbU7z/status/1326915356028493826

131.153.76.130:3333

# Reference: https://www.virustotal.com/gui/file/91c051a316c234d4f29a1ae939baa2b3ce28d8cc536442fc829c268d72b1cbcd/detection

109.94.208.3:28734
110.93.227.135:28734
182.1.2.238:28734
27.67.182.91:28734
35.225.125.226:28734
37.214.86.162:28734
89.183.110.221:28734
93.81.162.103:28734

# Reference: https://twitter.com/r3dbU7z/status/1330843370244214784

bizxmr.cc

# Reference: https://www.virustotal.com/gui/file/f2519c4978dd4339e0b625b875343bb4ae03c504268da799c4ec694802770585/detection
# Reference: https://twitter.com/rootprivilege/status/1331348542028275712

198.50.168.213:6233
198.50.152.135:6233
149.56.122.72:6233
144.217.67.71:6233
144.217.111.81:6233
192.99.233.217:6233
149.56.122.79:6233
192.99.203.53:6233
198.50.168.213:6234
198.50.152.135:6234
149.56.122.72:6234
144.217.67.71:6234
144.217.111.81:6234
192.99.233.217:6234
149.56.122.79:6234
192.99.203.53:6234
mine.zpool.ca

# Reference: https://www.virustotal.com/gui/file/a037c15659d91a7555fbd0ec17978c26f7974ea66909c8732629c4a1ec961f14/detection

209.141.35.17:8080
66.70.218.40:8080
xmr.givemexyz.in

# Reference: https://www.virustotal.com/gui/ip-address/3.120.98.217/relations

3.120.98.217:8080

# Reference:
# https://www.virustotal.com/gui/file/49a326ef65fb6a7f8e778fb2104aa2708e38601348ddbc04e8cbd9117af0458a/detection

172.65.200.133:3380

# Reference: https://www.virustotal.com/gui/file/a8174c8d4169bafa791bdaba5033bf0b67a6ab7dde9a362c5f04ac6d2088a677/detection

172.65.200.133:3357

# Reference: https://www.virustotal.com/gui/file/692627b99dc224be5f31321b5628c9736bc0b43a87358ccf544e39453d27eb4e/detection
# Reference: https://www.virustotal.com/gui/file/1d8c8e42e73eea50e0ca09124c0c2c3e7da21c5b232246129528cc955dc5a25f/detection

172.65.200.133:3333
172.65.245.55:3333

# Reference: https://www.virustotal.com/gui/file/f89c6d288cadbd5924496b664f6138c14523c338bef44407c0ed1a449b11e466/detection
# Reference: https://www.virustotal.com/gui/file/8b7aac6ab2d4b4a128c11c02b9b0269c08dec2c935c92e45804756a4ee5878e5/detection

172.65.195.177:3341
172.65.200.133:3341

# Reference: https://www.virustotal.com/gui/file/fd1d919e012353386a9d20af761109eaaa3099eec0bebec107b3bf000348f3fe/detection

172.65.200.133:3375

# Reference: https://www.virustotal.com/gui/file/1d1d2b6edf51a4262795b2d99f4bf21f2c71b68d2001f74a6d1b24b077a890f0/detection

172.65.200.133:3334

# Reference: https://www.virustotal.com/gui/file/09fb4ee5038c7f273273642b83926c84361ef34ae43ac835542c1ff065734437/detection

172.65.200.133:3347

# Reference: https://www.virustotal.com/gui/file/a9510408f55684801300e3bcb9df0405bd620091dc635493b190dc749d743f93/detection

172.65.192.67:3353
172.65.196.90:3353
172.65.200.133:3353
172.65.223.147:3353
172.65.229.122:3353
172.65.255.250:3353

# Reference: https://twitter.com/IntezerLabs/status/1341010531902050305
# Reference: https://www.virustotal.com/gui/ip-address/80.211.206.105/relations
# Reference: https://www.virustotal.com/gui/file/1ce687b9d97bc0932bc3bc107a6b5c9363bb5a6f1c2391a59f1664dfa68a2228/detection
# Reference: https://www.virustotal.com/gui/file/b0c8667eba81af1069e310055acea49e4f08fed8a071cb33da64a3d1e154d75d/detection
# Reference:
# https://www.virustotal.com/gui/file/402ce23a6b8c718d31a203eb27d1ac97dc614499b542ab630afcb5ac629d934a/detection
# Reference: https://www.virustotal.com/gui/file/603585df24d799e13d80145f071b2fbc3d81493d098a0df5e474ef4405b61fe4/detection
# Reference: https://www.virustotal.com/gui/file/3373bdf62d72c6f8ab62797aeda4f2b993f0d950964c3b5f9b8f96774abc25a6/detection
# Reference: https://www.virustotal.com/gui/file/037f28da0a7e825a21176c27123c9333bca46d37a8faf378c31766b82c653bbb/detection
# Reference: https://www.virustotal.com/gui/file/64db532ccfa34e01e697e68d5ee6d7360c9641440c38d2fd7850687837b24039/detection
# Reference: https://www.virustotal.com/gui/file/ee1024af67999dad6fc7a202f200526f70d54afbdf39f53121b020510fb103b8/detection
# Reference: https://www.virustotal.com/gui/file/b0adb691cf67bbe881c5b1946eb31f99fdddacef06078b94b8fe56a611bbe897/detection
# Reference: https://www.virustotal.com/gui/domain/donate.graef.in/relations

15.236.100.141:10001
15.236.100.141:10128
18.180.72.219:10001
18.180.72.219:10128
3.125.10.23:10001
3.125.10.23:10032
3.125.10.23:10128
34.252.195.254:10032
34.252.195.254:10128
80.211.206.105:5555
donate.graef.in
donate2.graef.in
xmrigcc.graef.in

# Reference: https://www.virustotal.com/gui/ip-address/61.147.103.140/relations
# Reference: https://www.virustotal.com/gui/file/e52afc60918b6ba83cff5362344b4d712e9fa29b639ee70e25c1c650bf93360d/detection

61.147.103.140:20570

# Reference: https://www.virustotal.com/gui/file/b7be211bbc842b461f8b729c3b6105c855df563e7b11e4fc51aaf9cafe250526/detection

185.154.13.213:3333

# Reference: https://twitter.com/r3dbU7z/status/1341352776459272195

54.188.223.206:10128

# Reference: https://twitter.com/r3dbU7z/status/1344547651564539904

149.248.6.193:13531

# Reference: https://www.virustotal.com/gui/file/cd889a03ea69d14e772e1f0996dedf7fd18cc927de21d40785f5942320e35cd1/detection

47.100.95.105:13531

# Misc (incidents)

213.252.245.67:450
213.252.245.67:453
213.252.245.67:454
213.252.245.67:457
213.252.245.157:450
213.252.245.157:451
213.252.245.157:452
213.252.245.157:454
213.252.245.157:457
213.252.245.197:451
213.252.245.197:452
213.252.245.197:453
213.252.245.197:454
213.252.245.197:457
213.252.245.223:450
213.252.245.223:451
213.252.245.223:452
213.252.245.223:457

# Reference: https://s.tencent.com/research/report/1213.html
# Reference: https://www.virustotal.com/gui/domain/mine.c3pool.com/relations

91.121.140.167:443
101.32.73.178:15555
116.203.61.78:15555
119.28.4.91:15555
149.202.214.40:15555
158.247.195.181:15555
3.112.214.88:15555
3.18.108.36:15555
35.153.203.86:15555
35.163.175.186:15555
47.241.2.137:15555
51.75.75.163:15555
52.195.14.54:15555
54.180.146.246:15555
mine.c3pool.com

# Reference: https://www.virustotal.com/gui/domain/winxmr.club/relations

winxmr.club

# Reference: https://twitter.com/r3dbU7z/status/1348015427541151745
# Reference: https://www.virustotal.com/gui/file/f7a8d3fb89711f208f281c267ed8dd647cda207ecb514d37892b56a0ddafbe9a/relations

monerogb.com
monerorx.com

# Reference: https://www.virustotal.com/gui/file/fd18bea214ae854e69e6775f6cdebb6bd6d378dee7854924cf3ae3bfb5173b94/detection

139.99.120.50:7777