# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: buer, buerak

# Reference: https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace
# Reference: https://otx.alienvault.com/pulse/5de7f39a22918ce26c2c2f1b

134.0.119.53:8080
173.212.204.171:443
185.130.104.187:443
45.76.247.177:8080
ffload01.top
garrisontx.us

# Reference: https://www.virustotal.com/gui/file/e7211c80d7f75f2bc5b82acce679c53d834b0a1c58e160b170f7da843e5bd3c9/detection

ortalrustytyo.com

# Reference: https://twitter.com/VK_Intel/status/1217905276545839105

megoliks.net

# Reference: https://twitter.com/VK_Intel/status/1220750726676336641

108.62.118.46:443

# Reference: https://www.virustotal.com/gui/domain/sikorskyleze.com/relations

sikorskyleze.com

# Reference: https://app.any.run/tasks/bc9f23f8-1754-4975-924a-6c1cb5eaa03f/

lodddd01.info

# Reference: https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/

kkjjhhdff.site
ldfidfa.pw
oderstrg.site

# Reference: https://www.proofpoint.com/uk/threat-insight/post/buer-new-loader-emerges-underground-marketplace

93345fdd.libertycolegios.com
jf8df87sdfd.yesteryearrestorations.net

# Reference: https://twitter.com/James_inthe_box/status/1194358787513077766
# Reference: https://www.virustotal.com/gui/file/fcdf29266f3508bd91d2446f20a73a811f53e27ad1f3e9c1f822458f1f30b5c9/detection
# Reference: https://twitter.com/James_inthe_box/status/1194367229879472129

itop01.top
loood1.top

# Reference: https://twitter.com/nao_sec/status/1254025079635075073
# Reference: https://app.any.run/tasks/9db8e3f8-bc1b-4a12-9a19-1681c6e27b8e/
# Reference: https://www.virustotal.com/gui/file/4e2a2755b00b276e03677a1444df7317bef390529fa774f9999f907cbce73157/detection

http://95.217.81.68/api/download/
http://95.217.81.68/api/downloadmodule/
http://95.217.81.68/api/update/
95.217.81.68:443
95.217.81.68:8080

# Reference: https://twitter.com/James_inthe_box/status/1254034019819220992
# Reference: https://app.any.run/tasks/c5e79956-bd0c-436b-9380-f4c3bcd5468f/

http://108.62.118.46/api/download/
http://108.62.118.46/api/downloadmodule/
http://108.62.118.46/api/update/
108.62.118.46:443
108.62.118.46:8080

# Reference: https://twitter.com/James_inthe_box/status/1258389737577934849

oopscll5.top

# Generic trails (host-independent URL paths, not tied to any address or domain listed above)

/abc/traff.php
/dmi/traff.php
/nana/kum.php
