# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: bazar, trickbot, trickmo

# Reference: https://twitter.com/itaitevet/status/1035250414038474752
# Reference: https://pastebin.com/XT20EyJA

3gihg5esw7lxg2wh.onion

# Reference: https://www.securityhome.eu/malware/malware.php?mal_id=8442588975b9c69bf696447.83703696

/neam.meow

# Reference: https://myonlinesecurity.co.uk/trickbot-still-being-delivered-by-fake-payroll-emails/

/super.orb

# Reference: https://twitter.com/James_inthe_box/status/1047239965216665600
# Reference: https://twitter.com/James_inthe_box/status/1047241977043898368

/cantbe.played

# Reference: https://www.malware-traffic-analysis.net/2018/10/05/index.html

/novich.gas

# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html

excel-office.com

# Reference: https://app.any.run/tasks/fe58bf2c-065f-4505-a644-6baeeb7ee4cf

/78237_8219_9.php

# Reference: https://twitter.com/Racco42/status/1107351502878842880

/001928_112.php

# Reference: https://twitter.com/Racco42/status/1106547527334154240

/47238348_8820.php

# Reference: https://twitter.com/Racco42/status/1106225615705948167

/99208_929_991.php

# Reference: https://twitter.com/Racco42/status/1106201029127880704

/92112893892.php

# Reference: https://twitter.com/Racco42/status/1102869794502705152

/CPQpqCOuKV.php

# Reference: https://twitter.com/Racco42/status/1102590512228388866

/930_08.php

# Reference: https://twitter.com/K_N1kolenko/status/918370497590628353

/logHbst.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1109027309015715840
# Reference: https://app.any.run/tasks/738cc560-f3c6-4534-893d-3ea28dd60671

/shh.sshh

# Reference: https://twitter.com/Racco42/status/1110461029354487809

/993098_2.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1111236459930046464
# Reference: https://app.any.run/tasks/ca7a8278-2535-4101-b5be-ea70e7362617

/tot445/

# Reference: https://twitter.com/0bfusCat/status/1036577317190021127

95.213.251.200:443
/tt0002

# Reference: https://twitter.com/avman1995/status/1115514722751848448

3dnext.ru/43434673.php

# Reference: https://twitter.com/K_N1kolenko/status/1094871503303262208

/corona.mor

# Reference: https://twitter.com/JAMESWT_MHT/status/1117105783240577026

/7738_0019.php

# Reference: https://twitter.com/K_N1kolenko/status/918370497590628353
# Reference: https://twitter.com/K_N1kolenko/status/916192356847751168
# Reference: https://twitter.com/K_N1kolenko/status/900259914874073088

/worming.png

# Reference: https://twitter.com/K_N1kolenko/status/916551437647335424

/worming2.png

# Reference: https://twitter.com/K_N1kolenko/status/1017305694331121665

5g4c3a6jkk734fs5.onion

# Reference: https://twitter.com/malware_traffic/status/1118299982069628929

201.184.231.34:8082
/sat43/

# Reference: https://twitter.com/Racco42/status/1118476901876674561

/43455_5514_12.php

# Reference: https://twitter.com/malware_traffic/status/1119021844416405504

/8377_8298_99.php

# Reference: https://twitter.com/pancak3lullz/status/1106677558224060416
# Reference: https://twitter.com/pancak3lullz/status/1102629658221314048

103.119.144.250:8082
75.183.130.158:8082
/lib427/
/tot427/

# Reference: https://twitter.com/Racco42/status/1121379098834755584

/99200277_0.php

# Reference: https://twitter.com/James_inthe_box/status/1126175073759481857
# Reference: https://pastebin.com/T5U4SHQU

181.209.88.26:449
185.222.202.42:443
185.222.202.43:443
95.213.252.153:443
192.227.232.63:443
192.227.232.65:443
185.243.115.149:443
200.122.209.78:449
200.54.14.61:449
181.143.17.66:449
177.105.235.17:449
181.143.102.30:449
190.0.20.114:449
190.151.25.178:449
201.184.69.50:449
190.109.165.197:449
125.209.82.158:449
80.173.224.81:449
76.107.90.235:449
181.129.136.226:449
191.103.219.138:449
202.63.242.48:449
181.176.191.5:449
190.117.66.194:449
186.226.188.105:449
143.255.141.137:449
190.151.10.114:449
181.115.236.26:449
190.196.32.42:449
181.48.203.10:449
177.105.237.93:449
181.129.20.250:449
186.159.2.153:449

# Reference: https://twitter.com/malware_traffic/status/1128019457966735360
# Reference: https://twitter.com/malware_traffic/status/1136682537005305858

186.159.1.217:8082

# Reference: https://twitter.com/Racco42/status/1128955163023171584

/1124_938_0029.php

# Reference: https://twitter.com/binitamshah/status/1137743683586052096
# Reference: https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
# Reference: https://pastebin.com/wZ3R0gCa
# Reference: https://pastebin.com/ghGtMBLH

125.209.82.158:449
136.25.2.43:449
138.186.62.222:449
143.255.141.137:449
162.209.124.166:80
167.99.206.127:80
177.105.235.17:449
177.105.237.93:449
177.183.194.194:449
177.92.249.187:449
179.189.234.157:449
181.112.221.246:449
181.115.156.218:80
181.115.236.26:449
181.129.136.226:449
181.129.160.10:8082
181.129.20.250:449
181.129.49.98:449
181.143.102.30:449
181.143.17.66:449
181.176.191.5:449
181.209.88.26:449
181.48.203.10:449
181.57.97.138:80
185.117.73.140:443
185.183.96.219:443
185.198.57.70:443
186.10.243.70:8082
186.159.1.217:8082
186.183.151.194:8082
186.226.188.105:449
186.248.163.198:449
186.42.186.202:449
187.17.201.237:449
187.61.106.223:449
187.61.107.140:449
187.65.49.88:449
187.8.169.10:449
187.95.123.179:449
187.95.32.18:449
190.0.20.114:449
190.109.165.197:449
190.117.66.194:449
190.151.10.114:449
190.151.25.178:449
190.152.125.162:80
190.196.32.42:449
190.215.52.165:449
191.103.219.138:449
191.103.252.29:80
191.241.233.195:449
191.242.178.210:449
191.36.157.164:449
192.210.152.190:443
194.5.250.130:443
199.247.24.9:80
2.184.90.173:449
200.107.59.130:449
200.110.72.134:449
200.122.209.78:449
200.21.51.30:80
200.35.47.199:80
200.35.56.81:449
200.54.14.61:449
200.83.49.141:449
201.148.247.21:449
201.184.69.50:449
201.56.193.18:449
202.63.242.48:449
209.45.30.2:449
216.189.145.231:443
31.47.55.106:449
36.91.93.114:80
37.255.200.157:449
5.190.90.5:449
75.183.130.158:8082
76.107.90.235:449
80.173.224.81:449
85.133.183.174:449
85.209.162.148:443
90.215.52.165:449
91.242.178.210:449
91.98.159.58:449
93.115.146.119:449
93.115.147.198:449
94.101.182.156:449
97.87.127.198:80

# Reference: https://twitter.com/James_inthe_box/status/1090234438833778690
# Reference: https://app.any.run/tasks/5a12dfe2-ba7a-4efe-8062-d710e7350c94/

37.140.199.69:17655
37.140.199.69:25087

# Reference: https://twitter.com/ararora4/status/1144982095325990913
# Reference: https://garwarner.blogspot.com/2019/06/trickbot-new-injects-new-host.html

aefaldnessliverhearted.com
onlylocaltrade.com
remirollerros.com
wellsfargostrade.com

# Reference: https://twitter.com/malware_traffic/status/1146086054207873024

170.238.117.187:8082

# Reference: https://twitter.com/ps66uk/status/1147193022830059521

mailchi.mp/d975f55661ef/4jzmygx2t9
pasini.info

# Reference: https://twitter.com/seguridadyredes/status/1054112048559329282

http://185.92.74.85/index.php
98.177.188.224:49225

# Reference: https://twitter.com/James_inthe_box/status/1151140239122894848
# Reference: https://pastebin.com/wTidM7a9

187.58.56.26:449
146.196.122.167:449
177.103.240.149:449
131.196.184.141:449
103.117.232.198:449
163.53.80.228:449
190.152.4.210:449
138.59.233.5:449
36.89.85.103:449
146.196.122.152:449
170.84.78.186:449
131.255.82.24:449
186.138.152.228:449
180.250.197.188:449
181.129.93.226:449
186.42.226.46:449
190.13.160.19:449
186.183.199.114:449
177.8.172.86:449
181.129.140.140:449
103.87.48.66:449
177.52.79.29:449
168.227.229.112:449
186.42.186.202:449
138.121.24.78:449
131.0.142.120:449
181.129.49.98:449
181.115.168.69:449
172.245.241.25:443
107.191.109.143:443
193.124.176.170:443
206.217.143.91:443
23.94.137.179:443
23.94.137.223:443
94.103.94.97:443
92.38.171.12:443
89.105.203.180:443
185.141.25.101:443
195.133.196.102:443
185.252.144.213:443
198.46.190.37:443
78.155.206.85:443

# Reference: https://twitter.com/Racco42/status/1151098878466416641
# Reference: https://pastebin.com/94cAWDHm
# Reference: https://twitter.com/jcarndt/status/1154731650145763328

/hollyhole/c644.php
/hollyhole951/c644.php

# Reference: https://twitter.com/malware_traffic/status/1151540706508464134

luxuryvailrentals.com

# Reference: https://otx.alienvault.com/pulse/5d2f644f8fe9174629471028
# Reference: https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor

qqcore.co
util98.com

# Reference: https://twitter.com/malwrhunterteam/status/1151382643277213696

get-office365.live

# Reference: https://twitter.com/Racco42/status/1152202184685236232

alco.co.in/images/flash_viewer.php
aloe-drink.com/host.php
alternativemedicinenis.com.au/images/view.php
amanchemicalsindia.in/images/visual.php
ambari.co.in/images/view_install.php
ambivium.org/fonts/myriad-pro-installerr.php

# Reference: https://twitter.com/Racco42/status/1152202311982354433

abarkagambia.com/backup.php
acaciarodriguez.com/images/gif_animator.php
accompagnatricidilusso.net/media.php
admimm.cl/images/flash_download.php
adminsystemcr.com/images/watermarks.php
ahangamalmagate.co.za/images/image_resizer.php

# Reference: https://twitter.com/Racco42/status/1152202470971625473

ambrosiapanama.com/images/imagedb.php
amcgsr.com.mx/images/imageresize.php
abidyahya.com/wp-test.php

# Reference: https://app.any.run/tasks/d8abd914-eccb-47f3-9619-734159777e1c/

23.94.93.106:443
192.243.102.102:447

# Reference: https://twitter.com/malware_traffic/status/1154511610649538560 (# Trickbot VNC Module)

107.155.66.16:5900

# Reference: https://twitter.com/matte_lodi/status/1155815877905997824

altxcode.com

# Reference: https://twitter.com/MalHunters/status/1158262554935713794

107.181.175.122:443
185.65.202.127:443
195.123.243.60:443

# Reference: https://twitter.com/ps66uk/status/1158446041643081728

/recenorg.php

# Reference: https://app.any.run/tasks/9cc66fab-9dba-4471-b77c-2dc461006ff0/

46.30.42.245:80
162.248.225.20:443

# Reference: https://twitter.com/425A_/status/1159152546805628930
# Reference: https://app.any.run/tasks/687bafc0-9d7c-4dd4-acb6-9162589e4b87/

http://5.53.124.203/index.php

# Reference: https://twitter.com/ps66uk/status/1159395052893933568

/inputok.php

# Reference: https://twitter.com/James_inthe_box/status/1164269734193274881
# Reference: https://pastebin.com/2R5TUnJS

103.207.1.44:449
103.84.238.3:449
107.175.33.16:443
107.181.175.122:443
131.196.184.141:449
146.185.219.27:443
168.227.229.112:449
177.103.240.149:449
178.170.189.117:443
180.250.197.188:449
181.129.140.140:449
181.129.49.98:449
181.129.93.226:449
181.176.160.145:449
185.172.129.146:443
185.174.172.60:443
186.156.52.78:449
186.183.199.114:449
186.42.186.202:449
186.42.226.46:449
186.47.40.234:449
186.47.82.6:449
187.58.56.26:449
189.80.134.122:449
190.13.160.19:449
190.13.190.178:449
190.151.213.140:449
190.152.36.30:449
190.152.38.66:449
190.152.4.210:449
190.154.203.218:449
191.37.181.152:449
192.3.146.179:443
198.12.97.212:443
198.46.198.12:443
200.119.45.140:449
202.9.120.79:449
31.184.253.6:443
36.89.85.103:449
37.228.117.250:443
45.237.240.178:449
5.53.124.49:443
79.143.31.94:443
82.118.21.99:443
89.105.203.184:443

# Reference: https://twitter.com/nahamike01/status/1166309356574347264
# Reference: https://www.virustotal.com/gui/file/bb23200f9c2c5f7764383d34d5d31aad164cd4e0281085256457872dd1ee2a8d/detection

45.137.151.112:443

# Reference: https://twitter.com/OttoScav/status/1169737229310275589

170.238.117.187:8082
186.10.243.70:8082
190.119.180.226:8082
131.161.105.206:8082
103.116.84.44:8082
200.35.43.105:80
103.194.90.242:80
103.87.48.54:80
190.152.125.162:80
103.84.238.3:80
192.3.105.136:443
54.37.229.180:443
192.227.142.155:443
23.94.204.80:443
5.230.26.41:443
45.80.148.236:443

# Reference: https://twitter.com/Artilllerie/status/1169924303053303808
# Reference: https://pastebin.com/aFeeUMJJ

103.116.84.44:8082
103.194.90.242:80
103.207.1.44:449
103.84.238.3:449
103.84.238.3:80
103.87.48.54:80
107.155.137.12:443
107.173.160.18:443
107.173.160.19:443
107.173.160.22:443
107.173.90.220:443
131.161.105.206:8082
131.196.184.141:449
146.196.122.167:449
168.227.229.112:449
170.238.117.187:8082
177.103.240.149:449
181.112.159.70:449
181.129.49.98:449
181.129.93.226:449
181.129.96.74:449
181.176.160.145:449
185.142.99.59:443
185.235.130.84:443
186.10.243.70:8082
186.156.52.78:449
186.42.186.202:449
186.42.226.46:449
186.46.63.58:449
186.47.40.234:449
187.58.56.26:449
189.80.134.122:449
190.109.189.119:449
190.119.180.226:8082
190.13.160.19:449
190.13.190.178:449
190.144.89.82:449
190.151.213.140:449
190.152.125.162:80
190.152.4.210:449
190.154.203.218:449
191.37.181.152:449
192.227.142.155:443
192.3.104.38:443
192.3.105.136:443
200.119.45.140:449
200.29.106.33:449
200.35.43.105:80
23.94.204.80:443
31.202.132.179:443
36.89.85.103:449
37.187.186.7:443
45.80.148.236:443
5.230.26.41:443
54.37.229.180:443
68.168.123.85:443
79.124.49.206:443
95.174.65.246:443

# Reference: https://www.ncsc.gov.uk/news/ryuk-advisory
# Reference: https://otx.alienvault.com/pulse/5d108ad7a63b52237073efd1

177.183.194.194:449
177.52.28.238:449
177.52.79.29:449
186.248.163.198:449
186.42.186.202:449
187.65.49.88:449
187.8.169.10:449
187.95.123.179:449
187.95.32.18:449
191.241.233.195:449
200.107.59.130:449
200.110.72.134:449
200.35.56.81:449
200.83.49.141:449

# Reference: https://twitter.com/0XCHAR/status/1175154224046452742

rvmzrf24dgmr4tce.onion
107.155.137.8:447
107.173.160.29:447
145.239.188.95:447
178.157.82.135:447
178.170.189.239:447
185.250.204.126:447
195.123.221.104:447
195.123.221.178:447
195.123.238.36:447
195.123.247.27:447
23.95.214.138:447
37.228.117.65:447
45.8.126.5:447
46.4.167.254:447
5.53.124.55:447
91.92.128.237:447
92.63.102.212:447

# Reference: https://twitter.com/makflwana/status/1176877958473977857
# Reference: https://app.any.run/tasks/a7be32af-a368-4200-b8c6-9b64b2d170be/

http://144.91.69.195/solar.php
51.254.69.244:443

# Reference: https://pastebin.com/5XF67ZmJ

103.194.90.242:80
103.84.238.3:80
103.87.48.54:80
104.244.73.115:443
107.172.143.155:443
138.185.25.228:449
138.59.233.5:449
146.196.122.167:449
170.233.120.53:449
170.84.78.117:449
177.103.240.149:449
181.115.168.69:449
181.129.49.98:449
181.129.93.226:449
181.196.61.110:449
181.199.102.179:449
181.49.61.237:449
185.222.202.49:443
185.70.182.162:449
186.183.199.114:449
186.42.185.10:449
186.42.186.202:449
186.42.226.46:449
186.42.98.254:449
187.110.100.122:449
190.13.160.19:449
190.152.4.210:449
190.152.4.98:449
192.227.142.155:443
193.29.56.122:443
200.153.15.178:449
200.21.51.38:449
200.29.106.33:80
200.35.56.81:449
201.184.137.218:80
23.94.204.80:443
36.89.85.103:449
45.161.33.88:449
91.207.185.73:449

# Reference: https://twitter.com/killamjr/status/1181657813417959424

185.130.104.157:443

# Reference: https://twitter.com/malware_traffic/status/1182090303420997632

cardesign-analytics.com
dzbvyejoy81.com
t7763jykqeiy.com
/leo20/

# Reference: https://twitter.com/James_inthe_box/status/1182999215833677826

172.245.118.105:446

# Reference: https://twitter.com/0xFrost/status/1184189273010032640

185.79.242.204:449
194.5.250.82:443
194.5.250.83:443

# Reference: https://twitter.com/killamjr/status/1184204867545513987
# Reference: https://pastebin.com/1xzBiPm6

109.234.34.135:443
138.185.25.228:449
170.233.120.53:449
170.84.78.117:449
177.103.240.149:449
181.113.20.186:449
181.115.168.69:449
181.129.49.98:449
181.49.61.237:449
185.222.202.222:443
185.222.202.223:443
185.244.150.142:443
185.70.182.162:449
185.79.242.204:449
185.79.243.37:449
186.42.185.10:449
186.42.186.202:449
186.42.98.254:449
187.58.56.26:449
188.137.81.201:449
189.80.134.122:449
190.13.160.19:449
190.152.4.98:449
190.154.203.218:449
194.5.250.82:443
194.5.250.83:443
195.93.223.100:449
200.116.199.10:449
200.21.51.38:449
200.35.56.81:449
31.184.253.37:443
31.214.138.207:449
36.89.85.103:449
45.142.213.58:443
45.161.33.88:449
45.66.11.116:443
45.80.148.30:443
46.30.41.229:443
5.185.67.137:449
66.55.71.11:443
78.88.188.42:449
81.190.160.139:449
85.11.116.194:449
89.25.238.170:449
91.207.185.73:449
94.156.144.3:443

# Reference: https://blog.talosintelligence.com/2019/10/threat-roundup-1011-1018.html (# Win.Dropper.Trickbot-7340237-0)

46igeuohbyzeokpe.onion

# Reference: https://twitter.com/malware_traffic/status/1189950830448959488
# Reference: https://app.any.run/tasks/bec0f8ee-7050-4c37-999a-2a3c2f152c36/

144.91.79.12:443
85.204.116.139:443

# Reference: https://twitter.com/malware_traffic/status/1190026665952497667

185.222.202.192:443
185.99.2.104:447
186.71.150.23:449

# Reference: https://pastebin.com/29uSdMAk

192.3.104.46:443

# Reference: https://twitter.com/stecar792/status/1194746230997495808
# Reference: https://pastebin.com/SKBmjFGm

103.219.213.102:449
103.255.10.24:449
107.173.240.221:443
117.196.233.100:449
117.197.119.219:449
117.204.253.33:449
117.206.149.29:449
117.255.221.135:449
144.91.80.253:443
145.239.188.90:447
177.105.242.229:449
177.154.86.145:449
181.112.157.42:449
181.113.28.146:449
181.113.28.162:449
181.129.104.139:449
181.129.134.18:449
181.129.167.82:449
181.140.173.186:449
181.196.207.202:449
184.95.51.5:447
185.141.61.29:443
185.177.59.41:447
185.189.122.68:449
185.222.202.242:447
185.222.202.25:443
185.252.144.145:447
185.57.167.32:449
185.99.2.166:447
189.28.185.50:449
192.3.247.117:447
194.5.250.109:443
194.5.250.136:447
194.5.250.162:447
195.123.220.151:447
195.123.220.155:443
195.123.221.190:447
195.123.239.79:447
198.24.151.211:447
212.73.150.144:447
212.80.218.144:443
45.141.102.2:443
45.224.214.34:449
45.238.37.14:449
5.182.210.254:443
5.2.79.203:447
51.89.115.110:443
62.109.22.2:443
62.109.30.70:447
66.55.71.129:447
66.77.59.41:447
66.85.173.57:443
78.24.219.9:443
85.143.219.117:447
85.204.116.91:447
91.108.150.213:449
94.156.144.74:443
95.181.198.94:447
cmw5x56e4whk6dpx.onion

# Reference: https://twitter.com/malware_traffic/status/1196554607658459136
# Reference: https://app.any.run/tasks/1496c35f-f44a-4913-b7de-847a421bdfe1/

94.103.82.99:2050

# Reference: https://twitter.com/malware_traffic/status/1199082009387290630

190.142.200.108:449
200.21.51.38:449
5.34.176.212:447

# Reference: https://twitter.com/malware_traffic/status/1201890411343761409

157.25.102.50:80
185.62.189.132:443
64.44.133.151:443
66.55.71.152:447

# Reference: https://twitter.com/malware_traffic/status/1201923577689174016

107.172.82.165:80

# Reference: https://any.run/malware-trends/trickbot (Note: as seen on 2019-12-04)

qxq.ddns.net
thuocnam.tk
office.webxpo.us
driverconnectsearch.info

# Reference: https://otx.alienvault.com/pulse/5df0edc2630945dce885b806

qfcallc.com
chishir.com
carambaneed.club
kostunivo.com
northracing.net
mangoclone.com
excelestimation.com
sodonnews.com
onixcellent.com
cics.secureforge.info
wuniuqhi5byfc5qh.onion

# Reference: https://twitter.com/malware_traffic/status/1205171614788313101

172.82.152.136:443
198.46.161.213:443
23.94.70.12:443

# Reference: https://twitter.com/James_inthe_box/status/1205547881496641536
# Reference: https://www.virustotal.com/gui/file/bcc9b0a91e0280fdb89c20954c11f3555c335cc96e4742f7d7ad1a0238f97966/detection

91.134.14.26:443
93.190.143.26:443
spirrits.com

# Reference: https://twitter.com/smica83/status/1206957311668953088

100.38.123.22:443
181.123.59.111:443
181.126.80.118:443
73.179.178.78:443
75.110.250.89:443

# Reference: https://twitter.com/malware_traffic/status/1208205659466092544

181.129.104.139:449
51.89.204.240:447

# Reference: https://twitter.com/luc4m/status/1214981595301462017
# Reference: https://pastebin.com/qeQZP0Tu

5.182.210.109:443
36.89.85.103:449
45.137.151.198:443
46.174.235.36:449
51.89.115.124:443
78.24.223.88:443
114.8.133.71:449
119.252.165.75:449
121.100.19.18:449
131.161.253.190:449
146.185.253.191:443
164.68.120.60:443
170.84.78.224:449
171.100.142.238:449
172.82.152.11:443
180.180.216.177:449
181.112.157.42:449
181.113.28.146:449
181.129.104.139:449
181.129.134.18:449
181.140.173.186:449
181.196.207.202:449
185.141.27.190:443
185.177.59.163:443
185.213.20.246:443
186.71.150.23:449
186.232.91.240:449
188.120.254.68:443
188.165.62.34:443
190.214.13.2:449
195.123.220.178:443
198.23.209.201:443
200.21.51.38:449
200.127.121.99:449
202.29.215.114:449

# Reference: https://pastebin.com/GyzCEEXH

114.8.133.71:449
119.252.165.75:449
121.100.19.18:449
131.161.253.190:449
146.185.219.31:443
164.68.120.60:443
170.84.78.224:449
171.100.142.238:449
176.119.159.204:443
180.180.216.177:449
181.112.157.42:449
181.113.28.146:449
181.129.104.139:449
181.129.134.18:449
181.140.173.186:449
181.196.207.202:449
185.62.188.83:443
185.99.2.149:443
186.232.91.240:449
186.71.150.23:449
190.214.13.2:449
195.123.221.194:443
195.123.240.81:443
198.23.209.201:443
198.8.91.10:443
200.127.121.99:449
200.21.51.38:449
202.29.215.114:449
23.95.231.187:443
36.89.85.103:449
46.174.235.36:449
5.182.210.109:443
5.182.211.44:443
5.2.76.122:443
51.89.73.159:443
64.44.133.157:443
79.174.12.245:443
85.143.219.230:443
92.63.105.138:443
95.181.198.151:443

# Reference: https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
# Reference: https://otx.alienvault.com/pulse/5e173a76a3ecc18449d121a0

kostunivo.com
magichere.icu
magikorigin.me
northtracing.net
traveldials.com
web000aaa.info
wizardmagik.best

# Reference: https://feodotracker.abuse.ch/browse/host/203.176.135.102/ (# Trickbot)
# Reference: https://www.virustotal.com/gui/ip-address/203.176.135.102/relations

203.176.135.102:80
203.176.135.102:8082

# Reference: https://twitter.com/reecdeep/status/1220678917448749057

185.159.82.182:80

# Reference: https://www.virustotal.com/gui/file/fe2c4521ea823e91f2bf43d3261d699b6e5dc077a87ff7adb79088bba73c5eb5/detection

5.182.210.226:443
104.168.96.113:443

# Reference: https://www.virustotal.com/gui/file/a2e3ebf2b30d9f0736e37346f33d7f18da4da9a44448e05bf4d3dada500a91b9/detection

107.173.26.231:447
181.129.104.139:449

# Reference: https://www.virustotal.com/gui/file/fe2c4521ea823e91f2bf43d3261d699b6e5dc077a87ff7adb79088bba73c5eb5/detection

5.2.75.167:443

# Reference: https://www.virustotal.com/gui/file/e71419cd556dd730ebee920968e97ff5a16441fcfe51cf7da616421d2011c5fb/detection

146.185.253.177:447
85.143.217.237:447
85.204.116.233:447

# Reference: https://app.any.run/tasks/8ece34b7-9b69-4698-87d2-e8f61aaf3437/

5.182.210.246:443
164.68.120.56:443

# Reference: https://blog.talosintelligence.com/2020/01/threat-roundup-0117-0124.html (# Win.Packed.TrickBot-7541396-1)

2cdajlnnwxfylth4.onion
teene.site

# Reference: https://twitter.com/malware_traffic/status/1221919676030042112
# Reference: https://www.virustotal.com/gui/ip-address/107.175.116.133/relations
# Reference: https://www.virustotal.com/gui/ip-address/195.123.221.53/relations
# Reference: https://pastebin.com/YxFc5dgG
# Reference: https://app.any.run/tasks/b4d6f542-7582-4de9-87cd-d959e995b68d/
# Reference: https://app.any.run/tasks/c9f6e633-9784-4bee-96c5-d6803a7896b7/

107.175.116.133:80
185.66.12.59:447
195.123.221.53:443
195.123.221.53:447
195.158.224.103:447
5.182.210.230:443
78.24.221.145:447
92.63.98.59:447

# Reference: https://www.virustotal.com/gui/file/3193ec3b85f65b8b899ab5b189314e1eccfc61e098341397d76720c17f0a32b8/detection

162.247.155.133:447
198.8.91.25:447

# Reference: https://twitter.com/reecdeep/status/1218098821143703552

185.159.82.96:80

# Reference: https://pastebin.com/Mc1UwKae

103.94.122.254:8082
112.78.164.34:8082
190.100.16.210:8082
177.74.232.124:80
36.89.106.69:80
96.9.73.73:80
96.9.77.142:80
164.68.96.155:443
185.99.2.137:443
185.99.2.185:443
188.165.62.29:443
188.165.62.2:443
195.123.216.95:443
195.123.219.93:443
5.2.64.188:443
5.2.78.191:443

# Reference: https://github.com/SentineLabs/PowerTrick/commit/c046404538d11044f8df0ce98491292fe618660e

192.99.38.41:80
5.9.161.246:80
drive.staticcontent.kz

# Reference: https://twitter.com/reecdeep/status/1224333532681641985

91.196.70.100:80

# Reference: https://twitter.com/James_inthe_box/status/1224442114374717444

it-corp.info

# Reference: https://twitter.com/malware_traffic/status/1224476088946122752

212.109.195.175:447

# Reference: https://www.herbiez.com/?p=949

107.22.214.64:80
149.56.167.227:443
172.82.152.171:443
178.156.202.114:443
178.156.202.206:443
188.165.62.15:443
188.165.62.46:443
188.165.62.8:443
194.87.102.167:8082
194.87.102.36:443
199.181.238.221:443
199.181.238.224:443
210.16.102.251:443
217.12.210.54:447
37.59.80.96:443
46.105.238.157:443
5.152.210.176:443
5.2.65.130:443
5.2.76.34:443
51.254.164.249:443
66.85.27.165:443
67.21.84.23:443
84.238.198.166:449
84.40.65.85:449
89.46.222.240:443
89.46.222.246:443
91.139.236.92:449
95.154.199.118:1062
campusassas.com
campuslinne.com
changetheworld.bit

# Reference: https://twitter.com/nhs281/status/1228752573215248387
# Reference: https://app.any.run/tasks/cdc172e1-36e8-446d-b0bf-b860f312c26f/

185.11.146.86:443
185.45.193.76:443
51.254.164.240:443
5.2.78.70:443

# Reference: https://twitter.com/malware_traffic/status/1230214222111485953

185.62.188.10:443
192.3.124.40:80

# Reference: https://twitter.com/malware_traffic/status/1230260269596758016

195.123.220.154:447

# Reference: https://twitter.com/malware_traffic/status/1232370158494154754

45.138.72.155:443

# Reference: https://twitter.com/malware_traffic/status/1232782901927972865

104.237.194.147:80

# Reference: https://twitter.com/malware_traffic/status/1232790448051281921
# Reference: https://www.virustotal.com/gui/file/6f55f3b1415b5bf9dda57158f05fe628edb92b436887ad72f3d4bd108e8542d2/detection
# Reference: https://www.virustotal.com/gui/file/f9507a76801d5b1b83704a5019cdc312de18b004f16c5547b91b7dba086b2e29/detection

http://51.89.115.99
51.89.115.99:443
155.138.216.133:443
defenswin.com

# Reference: https://twitter.com/James_inthe_box/status/1233086420857708544
# Reference: https://www.virustotal.com/gui/ip-address/161.117.177.248/relations

barbeyo.xyz
basorkiq.host
emmnebuc.xyz
merystol.xyz
pnxkntdl.xyz
soficatan.site
tozcftdl.xyz
veqejzkb.xyz

# Reference: https://twitter.com/seguridadyredes/status/1234215349454876672/photo/1
# Reference: https://www.virustotal.com/gui/ip-address/107.172.208.30/relations

http://107.172.208.30

# Reference: https://twitter.com/Arkbird_SOLG/status/1234624555131555841
# Reference: https://www.virustotal.com/gui/ip-address/5.34.176.184/relations
# Reference: https://www.virustotal.com/gui/file/08ea96e4b9e71cc0281938d91fe7b12f77a2ade37845d1110afd75f225603bae/detection

http://5.34.176.184
5.34.176.184:443

# Reference: https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows
# Reference: https://otx.alienvault.com/pulse/5e5d7118fb2271f8aef65e39

insiderppe.cloudapp.net

# Reference: https://twitter.com/MalHunters/status/1069898222636679168
# Reference: https://pastebin.com/SUbUY0if

105.27.171.234:449
107.174.34.202:443
108.160.196.130:449
140.190.54.187:449
172.222.97.179:449
182.253.20.66:449
190.145.74.84:449
192.3.52.107:443
192.52.167.145:443
193.29.56.3:443
198.46.131.164:443
198.46.160.217:443
198.46.198.241:443
199.227.126.250:449
206.130.141.255:449
24.227.222.4:449
24.247.181.155:449
24.247.181.226:449
24.247.182.174:449
24.247.182.179:449
24.247.182.29:449
24.247.182.39:449
24.247.182.7:449
47.49.168.50:443
64.128.175.37:449
65.31.241.133:449
71.94.101.25:443
72.189.124.41:449
72.241.62.188:449
74.132.135.120:449
74.134.5.113:449
74.140.160.33:449
75.108.123.165:449
89.46.222.239:443
94.232.20.113:443
97.87.172.0:449

# Reference: https://twitter.com/malware_traffic/status/1235261812083482624

192.3.193.162:443
5.182.210.226:443
64.44.133.156:447

# Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html (# Win.Malware.Trickbot-7603048-1)

107.181.246.213:443
185.86.150.89:443
191.7.30.30:443
193.124.117.189:443
193.124.117.189:447
194.87.144.16:443
194.87.92.113:443
195.62.52.96:443
37.59.183.142:443
67.21.90.106:443
67.21.90.109:443
87.121.76.172:443
87.121.76.172:449
91.219.28.58:443
91.219.28.80:443
http://107.181.246.213
http://185.86.150.89
http://191.7.30.30
http://193.124.117.189
http://194.87.144.16
http://194.87.92.113
http://195.62.52.96
http://37.59.183.142
http://51.254.164.249
http://67.21.90.106
http://67.21.90.109
http://84.238.198.166
http://87.121.76.172
http://91.219.28.58
http://91.219.28.80

# Reference: https://twitter.com/JAMESWT_MHT/status/1237028470565240832
# Reference: https://www.virustotal.com/gui/ip-address/162.244.32.210/relations

162.244.32.210:443

# Reference: https://gist.github.com/kirk-sayre-work/3999514ffdd15923ac1290c4bd74d2b0

big-partynew.ru
birthdayeventdxb.com
bootiky.com
elievarsen.ru
luxjewelleries.com
wex-notdead.ru
gettonatissime.cyprustimbermerchants.com
lookmodeusa.com
vatonly.com

# Reference: https://www.virustotal.com/gui/ip-address/64.44.133.131/relations
# Reference: https://app.any.run/tasks/5c03c481-ab9a-4d3d-b22f-47cf859b9d6f/

http://64.44.133.131
146.185.253.176:447
51.254.164.245:443
64.44.133.131:447

# Reference: https://twitter.com/pancak3lullz/status/1240983894461231104
# Reference: https://www.virustotal.com/gui/ip-address/185.62.188.159/relations

http://185.62.188.159

# Reference: https://twitter.com/benkow_/status/1242457353070546944
# Reference: https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/ (# TrickMo variation)
# Reference: https://twitter.com/benkow_/status/1242526274217746432

facebouk.net
mcsoft365.com
pingconnect.net
web5401.com
webnat.host

# Reference: https://www.virustotal.com/gui/ip-address/195.123.220.193/relations

http://195.123.220.193
195.123.220.193:443

# Reference: https://twitter.com/AltShiftPrtScn/status/1243166479903834112
# Reference: https://blog.reversinglabs.com/blog/exposing-ryuk-variants-using-yara
# Reference: https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/
# Reference: https://otx.alienvault.com/pulse/5e7cc5274bea708f20593bec

norulless.com

# Reference: https://twitter.com/malware_traffic/status/1243674365222322176

doha-media.com

# Reference: https://twitter.com/laskow26/status/1244576312724836352
# Reference: https://laskowski-tech.com/2020/03/29/opnsense-and-ssl-decryption-using-sslsplit/

http://172.245.156.138
http://51.254.164.244
http://51.254.164.245
172.245.156.138:443
51.254.164.244:443

# Reference: https://twitter.com/hatching_io/status/1246092812103421953
# Reference: https://tria.ge/reports/200403-3kjagsdnqa/behavioral1

109.86.227.152:443
111.69.87.59:449
138.34.32.218:443
138.34.32.74:443
158.58.131.54:443
173.26.243.116:443
182.253.210.130:449
185.146.156.237:443
185.159.129.78:443
185.228.232.13:443
187.163.215.32:443
199.250.230.169:443
200.2.126.98:443
201.174.70.238:443
209.131.236.23:443
36.74.100.211:449
45.56.2.247:443
47.40.90.210:443
62.31.150.202:443
66.229.97.133:443
66.232.212.59:443
67.159.157.150:443
73.107.42.28:443
77.246.158.173:443
86.61.177.139:443
91.235.129.69:443
93.109.242.134:443
95.213.191.30:443

# Reference: https://twitter.com/makflwana/status/1247779774623150080
# Reference: https://app.any.run/tasks/b3f18101-314e-47a6-bf21-d1ebc3820765/
# Reference: https://www.virustotal.com/gui/ip-address/194.5.250.189/relations
# Reference: https://www.virustotal.com/gui/ip-address/195.123.239.194/relations

http://194.5.250.189
http://195.123.239.194
194.5.250.189:447
195.123.239.194:443

# Reference: https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/
# Reference: https://otx.alienvault.com/pulse/5e8e2c6890241d5f774cdea3
# Reference: https://otx.alienvault.com/pulse/5ebf07c5b90ea8b330e8561a

http://104.168.98.206
http://107.173.160.14
http://172.82.152.15
http://185.98.87.185
http://198.46.161.242
http://64.91.251.250
http://85.204.116.245

# Reference: https://bazaar.abuse.ch/sample/80d162a9d3998938dbf4e82b4411c7aebf3365bef53412c622de318062da3c70/

103.12.161.194:449
103.5.231.188:449
108.170.61.186:443
131.161.253.190:449
134.255.221.55:447
148.251.185.164:443
164.68.120.58:443
171.100.142.238:449
181.129.134.18:449
185.141.27.225:443
185.14.29.141:443
185.161.211.215:447
185.90.61.62:443
185.99.2.197:443
185.99.2.44:443
185.99.2.67:447
188.165.62.2:447
190.214.13.2:449
194.5.250.201:443
195.123.237.105:443
202.29.215.114:449
31.131.20.159:447
31.131.21.184:443
5.1.74.249:447
51.89.115.108:443
51.89.115.112:443
62.109.30.83:447
91.235.129.199:443
94.250.249.170:443
94.250.250.69:443

# Reference: https://twitter.com/malware_traffic/status/1252320726557827073

http://107.172.221.106

# Reference: https://twitter.com/malware_traffic/status/1252716888188227584
# Reference: https://app.any.run/tasks/dcc8420c-c71c-45f2-bdd6-40bf448d5dde/
# Reference: https://app.any.run/tasks/11e79d9c-b6c6-4980-98f0-b5a17bddb94f/
# Reference: https://app.any.run/tasks/796ceffe-4e46-49fc-80c5-32d5cd091fc3/
# Reference: https://www.virustotal.com/gui/ip-address/194.5.250.52/relations

http://62.171.152.105
http://194.5.250.52
194.5.250.52:443
194.5.250.52:447
fetitech.live

# Reference: https://twitter.com/James_inthe_box/status/1250907772494864384
# Reference: https://twitter.com/DynamicAnalysis/status/1252982471811043331
# Reference: https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/

petromltd.com
bestgame.bazar
forgame.bazar
newgame.bazar
portgame.bazar
thegame.bazar

# Reference: https://twitter.com/abuse_ch/status/1255413734325059586
# Reference: https://twitter.com/reecdeep/status/1255866535945568257
# Reference: https://bazaar.abuse.ch/sample/3008d3a85d42533167443e236755a01ae25d008728dbcd9630d99a42db30fbae/

chinatyres.net/IuNbOpen/oiUnbYATR.php

# Reference: https://thedfirreport.com/2020/04/30/tricky-pyxie/
# Reference: https://app.any.run/tasks/e4ab5166-07a5-4399-87d1-63e543f5c3b5/

103.227.147.82:449
110.232.76.39:449
110.93.15.98:449
122.50.6.122:449
148.251.185.186:443
151.80.212.114:443
164.132.255.19:443
176.119.159.147:443
178.156.202.251:443
185.234.72.193:443
185.234.72.50:443
185.99.2.152:447
188.119.113.60:443
190.136.178.52:449
194.5.250.200:443
200.171.101.169:449
217.12.209.159:443
217.12.209.176:447
217.12.209.244:443
36.91.45.10:449
45.6.16.68:449
5.182.210.178:443
5.182.210.30:447
5.196.247.14:443
51.254.164.243:443
51.89.115.121:443
93.189.42.81:443
96.9.77.56:449

# Reference: https://twitter.com/malware_traffic/status/1255939600184496130

dichthuatsnu.com/goodweb/

# Reference: https://twitter.com/malware_traffic/status/1256297802948399104

piedmontrescue.org/sport/

# Reference: https://twitter.com/James_inthe_box/status/1257418677760282624

spdtextile.com/sport/

# Reference: https://twitter.com/James_inthe_box/status/1257365981233635335

185.99.2.133:443

# Reference: https://twitter.com/VK_Intel/status/1258519788885700611
# Reference: https://www.virustotal.com/gui/file/9e4edad037a06e1cfa803adca84b3950b3e9fbe471397c71db53b0ab1510cc56/detection

http://193.38.54.106
http://45.148.120.176
193.38.54.106:443
45.148.120.176:443

# Reference: https://twitter.com/vk_intel/status/1259905046134829056
# Reference: https://otx.alienvault.com/pulse/5ebafadd0dddaee2f8bb193b

dns.dnsskype.com
dns2.dnsskype.com
dns3.dnsskype.com

# Reference: https://twitter.com/abuse_ch/status/1270740309140529152
# Reference: https://twitter.com/abuse_ch/status/1270773648262119424

copsbiau.monster
mnjcszrh.monster
shmbidgp.monster
vmrriktf.monster
ygzggxeh.monster

# Reference: https://twitter.com/reecdeep/status/1270961624954830848
# Reference: https://app.any.run/tasks/e26e317f-7ab5-4bca-b497-d14516332797/
# Reference: https://www.virustotal.com/gui/ip-address/85.204.116.100/detection

85.204.116.100:443
coprikompatt.com/autostart/apptrace.php

# Reference: https://twitter.com/reecdeep/status/1272782327278637057

134.119.191.11:443
185.99.2.65:443
5.1.81.68:443
51.81.112.144:443
memberlogin.cloud

# Reference: https://twitter.com/OttoScav/status/1272937840301813763
# Reference: https://twitter.com/OttoScav/status/1272984737343320065
# Reference: https://twitter.com/OttoScav/status/1272984829785767937
# Reference: https://twitter.com/OttoScav/status/1272984893040005120

103.111.83.246:449
107.175.72.141:443
110.50.84.5:449
134.119.191.21:443
182.253.113.67:449
185.14.31.104:443
185.90.61.9:443
185.99.2.66:443
192.3.247.123:443
194.5.250.121:443
200.107.35.154:449
36.66.218.117:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
78.108.216.47:443
80.210.32.67:449
85.204.116.216:443
91.235.129.20:443
95.171.16.42:443

# Reference: https://twitter.com/malware_traffic/status/1273007235115999233

195.123.221.93:443
85.143.222.208:447

# Reference: https://www.virustotal.com/gui/file/fd9a7d0013a7407a82d7ce662b5e3ec2d20b33681e1e3600e409b1ed8d086dfa/detection

217.12.209.60:443
217.12.209.60:80

# Reference: https://twitter.com/bit_dam/status/1275141957187244036

covidsonline.com

# Reference: https://twitter.com/reecdeep/status/1275316892635463680
# Reference: https://app.any.run/tasks/0efc7226-4b9e-4775-bf74-c54ea72997c5/
# Reference: https://app.any.run/tasks/2c8af64d-f294-4847-8f50-09f42eccee12/

lawyersblog.net

# Reference: https://bazaar.abuse.ch/sample/024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689/
# Reference: https://bazaar.abuse.ch/sample/04c2d16ee5463453c04a6b4645f6a36f2485d91bd86fb18a9ed20446fdc57728/

http://23.95.231.200

# Generic trails

/karlmarks.php
/Ui4VMX.php
/6ng688x8
/B1Dgs7jd
/DJNvad97v1
/DSKVJBdsj2
/DSVdv2vefasd
/DVkjbsdv37
/Huey4truyew7342
/Jygrfewhrbf3wr
/KJSDBViad7
/KVJbdisfv8sd
/SDVJKBsdkhv1
/SDVe2f2fds
/SDVjkhb7831r
/SDVsdv23
/SDVsdv23r
/YTWur324rwf5regd
/tt0002/
/djnvad97v1
/dvkjbsdv37
/hgx1bgs
/hrkddvsdv7
/qY3DRY3N
/qy3dry3n
/sdvsdv23r
/vbdh72F
/vdbh72f
/goodweb/pwofiles.php
/IuNbOpen/oiUnbYATR.php
/sport/rockstar.php
/Pan/dbloader.php/?func=
/zag/UpdateHelp.php
/zag/BorovHelp.php
/oiUnbYATR.php
/opwasaythatthisverygoodinfo.php
/pwofiles.php
