# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: gh0st, pcrat

# Reference: https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html

bj6po.a1free9bird.com
beiyeye.401hk.com

# Reference: https://otx.alienvault.com/pulse/5c9900511d123a6d16e75561/

mdzz2019.noip.cn

# Reference: https://twitter.com/lazyactivist192/status/1112449219653193736
# Reference: https://www.virustotal.com/gui/file/f1cd38bbb504b38d115b5c127afa913572cef4233395416b5b08aff5f718cfea/relations

z-hacker-y.win

# Reference: https://twitter.com/Jan0fficial/status/1102912998975434752
# Reference: https://pastebin.com/D2pUSzcS
# Reference: https://app.any.run/tasks/1837b1d1-a62c-4e1b-9223-b6d40dc32d9f

haohai.hopto.org
116.196.18.237:8082

# Reference: https://twitter.com/malware_traffic/status/949057588250865665
# Reference: http://www.malware-traffic-analysis.net/2018/01/04/index.html

etybh.com

# Reference: https://twitter.com/JAMESWT_MHT/status/843829412370046977

45.125.17.15:443

# Reference: https://medium.com/@Sebdraven/chineses-actor-apt-target-ministry-of-justice-vietnamese-14f13cc1c906

nicetiss54.lflink.com

# Reference: https://blog.talosintelligence.com/2019/06/threat-roundup-0607-0614.html (# Win.Trojan.Gh0stRAT-6993126-0)
# Reference: https://otx.alienvault.com/pulse/5d074c94248332bdb80099af

278267882.f3322.org
850967012.f3322.org
a3328657.f3322.org
a678157.oicp.net
cfhx.f3322.org
ddos-cc.vicp.cc
guduyinan.gnway.com
guduyinan.gnway.net
jie0109.hackxd.net
linchen1.3322.org
q727446006.gicp.net
touzi1616.com
xm974192128.3322.org
xueyang22.gicp.net
y927.f3322.org
zy520.f3322.org
sweety2001.dating4you.cn
paleb.no-ip.org
honeypus.rusladies.cn
marina99.ruladies.cn
youwave932.no-ip.biz
x.93ne.com
ns1.helpchecks.at
ns1.helpchecks.by
ns1.helpchecks.com
ns1.helpchecks.eu
ns1.helpchecks.info
ns1.helpcheck1.com
ns1.helpcheck1.net
ns1.helpcheck1.org
mskgh.ddns.net
yeswecan.duckdns.org
sabridz.no-ip.biz
mskhe.ddns.net
karem.no-ip.org
cdn.zry97.com
dmar-ksa.ddns.net
alkhorsan2016.no-ip.biz
amiramir.noip.me
katarinasw.date4you.cn

# Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0712-0719.html (# Win.Trojan.Gh0stRAT-7059563-0)

79575465.f3322.net
chhacke.win
cx820329965.f3322.net
e2.luyouxia.net
guxiaosen.f3322.net
labixiaoxin.e2.luyouxia.net
mf123.f3322.net
mingyemo.3322.org
yaoyao.f3322.net

# Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0719-0726.html (# Win.Dropper.Gh0stRAT-7073937-0)

1321.f3322.org
254143.f3322.net
53ca.meibu.net
feng12763.3322.org
jwl520.xicp.net
pass.5sfox.com
pzss.f3322.org
pzss.foxdos.cc
separa.f3322.org
wfs2015.f3322.net

# Reference: https://twitter.com/P3pperP0tts/status/1157179581348163584

haohai.ddns.net

# Reference: https://twitter.com/dcTavvy/status/1168906154602373122

154.221.22.25:8080

# Reference: https://twitter.com/killamjr/status/1196089316986032128
# Reference: https://app.any.run/tasks/3d38cda0-3987-49e4-aa1c-d72ecd82e997/

106.54.57.80:8080

# Reference: https://www.virustotal.com/gui/file/89e9b8338dcf5e6fedee17b76dd2416dc83f3e2476f0cea77de9f0fa56754f2c/detection
# Reference: https://www.virustotal.com/gui/file/80b01aa49dd4812b5a4b9d15bc8800c4ee1eeaea6897f6475e00d680771ae703/detection

106.54.57.80:80
106.54.57.80:94

# Reference: https://blog.talosintelligence.com/2019/12/threat-roundup-1129-1206.html (# Win.Dropper.Gh0stRAT-7414189-0)

107.163.241.193:6520
107.163.56.251:6658
host123.zz.am

# Reference: https://twitter.com/pancak3lullz/status/743123575146586112

183.61.165.228:8000
243145432.f3322.org

# Reference: https://twitter.com/securiteoff/status/739622863485931520

qqqq374281.f3322.org

# Reference: https://twitter.com/pancak3lullz/status/739619999334031360

115.239.229.196:8090

# Reference: https://twitter.com/lazyactivist192/status/1214302017981702144

1j5p551644.iok.la

# Reference: https://www.virustotal.com/gui/file/b8d20eeb7bc3ec8451c72b69b4d2defd9c3981be6cc8b6ba6935a1a724e6d041/detection

218.94.148.242:2015
218.94.148.242:2554

# Reference: https://www.virustotal.com/gui/file/c29621bf50fb69d65de52b6e41a590eb6f804359008324936b94b4e7ec59d812/detection

61.142.176.23:2014

# Reference: https://app.any.run/tasks/2624d66e-c37e-4f50-a199-c5eddd8a1cf1/

xilongxi.net
45.138.209.61:8080

# Reference: https://blog.talosintelligence.com/2020/02/threat-roundup-0131-0207.html (# Win.Worm.Gh0stRAT-7571319-1)
# Reference: https://www.virustotal.com/gui/file/c3d1a51bc8f0bd2dca95900d274d575d3d2fd50cdb128f78877d25a5beba7fc9/detection

67.198.149.218:6720
67.198.149.220:8590

# Reference: https://twitter.com/Vishnyak0v/status/1226873846504075264
# Reference: https://www.virustotal.com/gui/file/f96adc9e046ecc6f22d3ba9cfea47a4af75bcba369f454b7a9c8d7ca3d423ac4/detection

192.225.226.217:80

# Reference: https://www.virustotal.com/gui/file/4a7cf906c8cc871176d0702245953eeee5065f9651186cd8ae594e6835b8a8eb/detection

192.225.226.217:8443

# Reference: https://www.virustotal.com/gui/file/ade0514ccb90c39a61ab8a4c16818fbcd352984e2a26b2ffcd92165975e07fd5/detection

192.225.226.217:443
192.225.226.217:53

# Reference: https://app.any.run/tasks/3987798b-6cbe-4236-955e-2413166ef9f9/

137.220.135.36:8000

# Reference: https://app.any.run/tasks/0611a18e-76be-468a-bfc3-d9491b8f9003/

vip38000a.com
30.554205.com

# Reference: https://app.any.run/tasks/12956eb4-d209-4449-9e63-09ee83a64714/

183.236.2.18:8888
haidishijie.3322.org

# Reference: https://twitter.com/wwp96/status/1232326236636090370
# Reference: https://otx.alienvault.com/pulse/5e526a70e6dc03c41340eceb

425rt.rapiddns.ru
ref.tbfull.com

# Reference: https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf
# Reference: https://otx.alienvault.com/pulse/5e5542330b83d1a8b5dc1f27

cloud.newsofnp.com
load.collegesmooch.com
ssl.newsofnp.com

# Reference: https://www.threatcrowd.org/malware.php?md5=55d149450d27b69d3ad00287a9164c02

chdvks88.dns0755.net

# Reference: https://www.virustotal.com/gui/file/60d7cae08475fb78cab77e09df43468cc0f6d2f01f847fc7582f56731672b0e8/detection

101.200.58.177:16233

# Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html (# Win.Trojan.Gh0stRAT-7603864-1)
# Reference: https://www.virustotal.com/gui/ip-address/210.222.25.223/relations
# Reference: https://www.virustotal.com/gui/ip-address/113.214.1.34/relations

113.214.1.34:52
117.78.50.197:333
210.222.25.223:7718
210.222.25.223:7748
cq52.top
w1464642840.f3322.org
xiaoxinzadan.gicp.net

# Reference: https://www.virustotal.com/gui/file/fe4625e54603f5c382ab06f0ed1b231e23cbf5bd84f5c30d62e7978217ccea84/detection

210.222.25.223:8562

# Reference: https://www.virustotal.com/gui/file/a67acdaf14970b6fc528707c959554dc76e3869d4d63001fe4f3862e1ad21a05/detection

107.163.56.243:18963
107.163.56.246:18530

# Reference: https://www.virustotal.com/gui/file/370b81561ce4692c46baaa8f64c06d65dad9f816fdda51261a69bedcf93586b7/detection

107.163.56.250:18963

# Reference: https://www.virustotal.com/gui/file/a0eca39b75b4d86e2d363c3200c5b8e0542da3a94ca0e06294c356fab5a5d1c9/detection

107.163.56.245:18963

# Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0320-0327.html (# Win.Keylogger.Gh0stRAT-7639975-0)
# Reference: https://www.virustotal.com/gui/file/0349a3917f7f5a79f7edb0b0573acefcda39e51db6ff44456e339e88f422c129/detection
# Reference: https://www.virustotal.com/gui/file/4228b03f92fecdd4333d791397ea6dcf109b78ebd518165e5c424028511434da/detection
# Reference: https://www.virustotal.com/gui/file/64e9703811f78071523f5f493b2ea39435dcd405a20f6bc1ee644cb83dfd8917/detection
# Reference: https://www.virustotal.com/gui/file/89346a8fbd4d9fd02887a508c02e4d3a0b1f45dfa43672cf8dff84efef316a3c/detection
# Reference: https://www.virustotal.com/gui/file/5789ece7e834c45289e85ec65358f422b4562635a3a918b18e22ed4a64daddf3/detection
# Reference: https://www.virustotal.com/gui/file/0f1efaaa2da0908afd3582e9bac7e9542f3acaac422f4d22c0145cd6a7748a73/detection
# Reference: https://www.virustotal.com/gui/file/e7502dfbc56b998b54e0944758b3fe7b2dd55b06043764b1ebf36f280cb92344/detection
# Reference: https://www.virustotal.com/gui/file/c1d7a774961bd01b96e4d8161632af09b97e3a6f85325dfcd08173282cc819b1/detection

106.9.144.132:7777
106.9.146.161:7777
116.62.168.250:24649
123.207.217.39:90
129.28.191.60:8000
129.28.191.60:99
174.128.255.252:8000
183.131.80.101:90
43.248.201.209:27268
49.232.147.19:8080
8686.f3322.net
ccidc.f3322.net
qqqqdddd.e2.luyouxia.net
qyefeng.vicp.net
wzbbk.com

# Reference: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html (# Win.Trojan.Gh0stRAT-7737919-0)

1.93.49.73:2012
104.143.150.115:2012
142.4.97.105:2012
155604.f3322.org
182.91.107.168:2012
192.210.63.230:2012
198.74.98.230:2012
aa7899.f3322.org
j8666.f3322.org
jiuyin.f3322.org
kingsir.6600.org
linlinwoaini.f3322.org
q1299771210.f3322.org
qq0104.gicp.net
songkeliang.eicp.net
vves.3322.org
wuer1985.9966.org
xiaoxiannv.gnway.net
xiaozijun.f3322.org
xyllz.com
yangman520.f3322.net
youlanxiangyin.vicp.cc
yzc110110.meibu.net
zuoyi5201314.5166.info

# Reference: https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html
# Reference: https://otx.alienvault.com/pulse/5edfe5c18832f5af1aaf33e3

45.76.6.149:443
comcleanner.info
mlcrosoft.site

# Reference: https://www.virustotal.com/gui/file/3179a8de034c4547ed9b45898cf60a73816e8b6363e53c7e8aeda0fe17499f1d/detection

103.133.177.250:4563
quasa.ddns.net

# Reference: https://www.virustotal.com/gui/file/68844c9403b2b7357050755b9729b21fd22bb4986b5cbf627685a59413c0e1ab/detection

103.40.101.68:4563

# Reference: https://www.virustotal.com/gui/file/42ee8000ef9f2084b5ecffb1d2ca8889615ec58856785eccab3c8f87c53178ae/detection

43.248.11.151:4243
pclient.ddns.net
