# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: dinihou, duhini, hworm, h-worm, wshrat

# Reference: https://twitter.com/DissectMalware/status/986467663353442305

pm2bitcoin.com

# Reference: https://twitter.com/Racco42/status/1047173279553900551

toheeb.publicvm.com

# Reference: https://twitter.com/Racco42/status/1044562743519584257

185.141.27.177:4123

# Reference: https://twitter.com/Racco42/status/1040353263579738113
# Reference: https://app.any.run/tasks/f6eca300-7137-4e88-bd28-7f9a507a17d3/

46.243.189.128:6969

# Reference: https://twitter.com/Racco42/status/1053747018835869696

fud.fudcrypt.com

# Reference: https://twitter.com/Racco42/status/1102879193631731713

185.198.26.245:3843

# Reference: https://twitter.com/Racco42/status/1110868159492489216

brothersjoy.nl
newmenow.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1016808667692204032

windefendeupdate.duckdns.org

# Reference: https://twitter.com/Jan0fficial/status/1009009607988187137
# Reference: https://pastebin.com/MxR1p5wG

stanman.linkpc.net

# Reference: https://twitter.com/avman1995/status/963273945955864577

ines0049.ddns.net

# Reference: https://www.securityartwork.es/2019/01/25/wirte-group-attacking-the-middle-east/
# Reference: https://www.virustotal.com/gui/file/65d61cf1481749565fc8f4186c92c7b4f499b39e4d93295551ece4ec9560cd27/detection

149.28.14.103:535
149.28.14.103:80
mighty-dead.ddns.net
mighty-dead.spdns.de
mightydead.webredirect.org

# Reference: https://twitter.com/pmelson/status/1119756002503606272

updatesystem.linkpc.net

# Reference: https://twitter.com/Racco42/status/1120981890947854336

185.101.94.172:3018

# Reference: https://twitter.com/Racco42/status/1121350734350413824
# Reference: https://www.virustotal.com/en/file/5efd79ed3058f656b6df2164a37f86e80978d8ebb5f8d5222be03decb03fc28b/analysis/1556133044/

194.187.249.104:7777

# Reference: https://twitter.com/chen_erlich/status/1121406324884086787
# Reference: https://www.hybrid-analysis.com/sample/4ff921531d9cb5c21b3ee081a5fd1c52d12690332dd1ea1608230b8de918ac09

105.105.218.193:4433

# Reference: https://twitter.com/chen_erlich/status/1121406324884086787
# Reference: https://www.virustotal.com/gui/file/b2dc457d16afa43c943b31021052b939d58aedfcdf2fad8e25e5b96edc71d180/detection

updatefacebook.ddns.net
197.162.66.49:2

# Reference: https://twitter.com/chen_erlich/status/1121406324884086787
# Reference: https://www.virustotal.com/gui/file/61c96cdb88877b3c737a1022bb6355e8489d2cc2019ecbcc15be978186552174/detection

23.227.201.158:3047

# Reference: https://www.hybrid-analysis.com/sample/442fe9bb6820ba79ca48429df8e5a01e991302be2a0d45a35c99c5d006a1d64a

office-update.services
104.24.112.139:2082

# Reference: https://twitter.com/JAMESWT_MHT/status/1130449106663616513

savelifes.tech

# Reference: https://twitter.com/James_inthe_box/status/1138092566820212737

doughnut-snack.live
mynameisstaff.warzonedns.com

# Reference: https://twitter.com/luc4m/status/1138430833533104128

unknownsoft.duckdns.org

# Reference: https://twitter.com/Racco42/status/1139458016611356672

sirkashmoremoney.duckdns.org

# Reference: https://twitter.com/Racco42/status/1139461501113311232

chance2019.ddns.net

# Reference: https://twitter.com/HONKONE_K/status/1141181986523844612

bylgay.hopto.org
microsoftoutlook.duckdns.org
soucdtevoceumcuzao.duckdns.org

# Reference: https://twitter.com/Bank_Security/status/1141388470293655552
# Reference: https://pastebin.com/P4h3NHJE

tcoolsoul.com

# Reference: https://twitter.com/Racco42/status/1143054336563564544
# Reference: https://twitter.com/dvk01uk/status/1143027551151042560
# Reference: https://app.any.run/tasks/b6ac016b-3439-4710-9942-e1645343a261/

microsoft.btc-crypto-rewards.cash
160.202.163.246:9966
185.247.228.14:7755

# Reference: https://twitter.com/coderippers/status/1154003951152484352

9d1.myq-see.com
mzu.publicvm.com

# Reference: https://twitter.com/Timele9527/status/1159673642332016640

mmksba.dyndns.org
64.188.25.230:4455

# Reference: https://twitter.com/smica83/status/1166275236741955585

dbin240.ddns.net

# Reference: https://twitter.com/luc4m/status/1166765980489584640

91.132.139.181:9999

# Reference: https://twitter.com/wwp96/status/1171069954881392641
# Reference: https://app.any.run/tasks/d3b840d6-520a-4529-a561-b2ce8c05b432/

79.134.225.72:1104
165.22.129.173:7756
ablerightventures.duckdns.org
pluginsrv1.duckdns.org

# Reference: https://twitter.com/Paladin3161/status/1172178725959397378

plunder.nsupdate.info

# Reference: https://twitter.com/malware_traffic/status/1172610957929062410

81.92.202.176:5200
tain0077.warzonesdns.com

# Reference: https://twitter.com/KorbenD_Intel/status/1133469852579106816

pleasurekeys.hopto.org
suzuki-dc.biz
unknownsoft.duckdns.org

# Reference: https://www.virustotal.com/gui/domain/dz47.cf/relations

dz47.cf

# Reference: https://www.threatcrowd.org/listMalware.php?antivirus=Worm.VBS.Dinihou

4ever4.zapto.org
999mostafa999.no-ip.org
999mostafa999.sytes.net
aboodzainuddin.ddns.net
adda.no-ip.org
adolf2013.sytes.net
alfhaddd-hakr.no-ip.biz
anarqe77.no-ip.biz
anassrojola.ddnsking.com
androidupdate.myq-see.com
avg-antivirus.zapto.org
blackr00t5.no-ip.org
blkisdz.ddns.net
bog5151.zapto.org
bogus911.no.ip.biz
bogus911.no-ip.biz
brigittenetwork.hopto.org
chrome00.sytes.com
chuckey1.no-ip.org
cupidon.zapto.org
desermyth.dyndns.org
devil.hopto.org
diiimaria.zapto.org
dmar123.no-ip.biz
dodaaa.zapto.org
dz-drs.no-ip.biz
dz47.myq-see.com
elisou19.ddns.net
eroor.ddns.net
exxilero.ddns.net
ffff99fff.no-ip.biz
gerssy.zapto.org
google-1.linkpc.net
google00.ddns.net
google7.no-ip.org
greekwebtv.viewdns.net
h-w0rm.zapto.org
hadizz.no-ip.biz
haydar93.no-ip.biz
helps.zapto.org
introworld.no-ip.org
introworld.zapto.org
iphack.no-ip.info
j2w2d.no-ip.biz
jaberlovee.ddns.net
jhk.no-ip.org
khalode4me.no-ip.biz
killer---204.no-ip.biz
king25.zapto.org
kiyoma200.no-ip.biz
klonkino.no-ip.org
kusaisouf.no-ip.org
lastdance.ddns.net
lolokamal.zapto.org
maxxx12.serveftp.org
maxy.no-ip.info
mda.no-ip.org
memo8.no-ip.org
memo9.no-ip.org
mesopotemia222.zapto.org
microsoftsystem.sytes.net
microsoftwindows.sytes.net
migalou2012.no-ip.biz
mlcrosoft.serveftp.com
monas04.no-ip.info
mootje01.no-ip.org
mrkiller.no-ip.org
nouna1985.no-ip.org
pilo-raouf.no-ip.biz
pscho546.hopto.org
qqwe.hopto.org
qwqhack.no-ip.biz
redex.no-ip.info
righi.linkpc.net
rndaso.no-ip.info
romyo333.sytes.net
ronaldo-123.no-ip.biz
s-mz.sytes.net
saifnjrat55.no-ip.biz
sexcam.3utilities.com
shawaf.sytes.net
sidisalim.myvnc.com
smoky29902332.hopto.org
swanox.no-ip.org
tariqalr.zapto.org
terminator9.zapto.org
twiti2390.no-ip.biz
vpn-hacker.no-ip.biz
waforex2011.no-ip.info
winup.serveftp.com
wkooora.sytes.net
wvvw.sytes.net
x.dvr-ddns.com
yah00.sytes.net
ycemufkk6g.bounceme.net
youcef142.no-ip.biz
ysf.no-ip.biz

# Reference: https://www.securityhome.eu/malware/malware.php?mal_id=51549698551bff97f583c51.51712090

abdnjworm.no-ip.biz
abocasse.zapto.org
ahmedghost.no-ip.info
b-trese.no-ip.biz
boucraa.no-ip.org
dd.no-ip.bz
debili1.no-ip.biz
fuck-all.no-ip.info
hackers1990.no-ip.org
heartbraker.no-ip.biz
jnyn-99.no-ip.org
mda.no-ip.org
mmrick.zapto.org
mntm.no-ip.biz
mootje01.no-ip.org
mozaya46415.zapto.org
rouge166821.no-ip.biz
vanonymous.no-ip.org
vichtorio-israeli.zapto.org
zkzak.np-ip.biz

# Reference: http://ddos-info.weebly.com/blog/h-worm-plus-public-in-depth-analysis

adamdam.zapto.org
adolf2013.sytes.net
ahmad212.no-ip.biz
alii007.zapto.org
am1.no-ip.info
ballgogo.no-ip.biz
basss.no-ip.info
bg1337.zapto.org
bog5151.zapto.org
dataday3.no-ip.org
docteuur13.no-ip.org
doda.redirectme.net
dzhacker15.no-ip.org
g00gle.sytes.net
gerssy.zapto.org
googlechrome.servegame.com
hackediraq.no-ip.biz
hackeralbasrah.no-ip.biz
hattouma12.no-ip.biz
hmode123.no-ip.biz
karimstar.zapto.org
kiyoma200.no-ip.biz
koko.myftp.org
mda.no-ip.org
medolife.no-ip.biz
microsoftsystem.sytes.net
mootje01.no-ip.org
msgbox.zapto.org
new-hacker.no-ip.org
njnj.redirectme.net
no99.zapto.org
noooot.no-ip.biz
pess-123.zapto.org
pess-12.zapto.org
portipv6.redirectme.net
ronaldo-123.no-ip.biz
sawdz.no-ip.biz
securityfocus.bounceme.net
shagagy21.no-ip.biz
sidisalim.myvnc.com
silent9.zapto.org
terminator9.zapto.org
vpn-hacker.no-ip.biz
xbox720.zapto.org
xkiller.no-ip.info
yahia17.no-ip.org
zeusback.no-ip.biz
zoia.no-ip.org

# Reference: http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Jenxcus#tab=2
# Reference: http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Worm:VBS/Jenxcus#tab=2
# NOTE(review): "hanan96.no-ip.bizport" in the list below looks like a scrape artifact ("no-ip.biz" with a stray "port" suffix); ".bizport" is not a real TLD, so that entry can never match live traffic - verify against the encyclopedia entry before relying on it.

a.servecounterstrike.com
eqe.sytes.net
jnj.redirectme.net
winlogon.servecounterstrike.com
3dmntk.no-ip.biz
999mostafa999.no-ip.biz
9d1.no-ip.org
a.servecounterstrike.com
abanas19.no-ip.biz
abdo1abdo.no-ip.biz
adolf2013.sytes.net
ahmad909.no-ip.biz
ajeeb.zapto.org
ali2010.no-ip.biz
aljabiry1.no-ip.biz
alnazee.no-ip.org
alnazee.no-ip.org
alsha2e.zapto.org
amere-ali.no-ip.biz
aore.no-ip.org
asmarany.no-ip.biz
asmarany.np-ip.biz
aymen112233.no-ip.org
bifrost-jordan.zapto.org
big-hack.no-ip.com
blackhawk.myftp.biz
cggfhddsscds.no-ip.biz
cxxz.no-ip.biz
damla.no-ip.org
dhuaa.no-ip.org
dnsip.servehttp.com
doopy99.zapto.org
fadliking.sytes.net
fons.no-ip.info
frostate.no-ip.biz
ghoster13.no-ip.biz
gmail2013.no-ip.info
hackeralbasrah.no-ip.biz
haedar.no-ip.biz
hanan96.no-ip.bizport
iraqi2013.servemp3.com
jn.redirectme.net
klagord.no-ip.org
kurd2013.no-ip.biz
localh0st.servehttp.com
loll1.no-ip.biz
m4b.no-ip.org
mda.no-ip.org
microsoftsystem.sytes.net
milito.no-ip.org
mohez.no-ip.org
msy.myvnc.com
naza.no-ip.biz
new-hacker.no-ip.org
oscar-bif.zapto.org
portipv6.redirectme.net
pthacker.no-ip.org
ramadan.zapto.org
sdgsg.no-ip.biz
shawaf.sytes.net
shee5iq.no-ip.biz
shee5iq.no-p.biz
sro7.no-ip.info
systemsxp.sytes.net
theghostholako.no-ip.org
thescorpionking.no-ip.org
utilesat.zapto.org
uty.myq-see.com
wahidhackerdz.no-ip.biz
xkiller.no-ip.info
xmx.no-ip.info
xxsc.no-ip.org
xxxxxx.no-ip.biz
yahoomail.3utilities.com
zilol.no-ip.org

# Reference: https://twitter.com/Racco42/status/1174605204353949697
# Reference: https://app.any.run/tasks/27a475ac-c113-49be-b947-f580662600e4/

91.132.139.181:9999

# Reference: https://twitter.com/Littl3field/status/1174624023709454336

178.124.140.148:3571

# Reference: https://www.menlosecurity.com/hubfs/pdfs/Menlo_Houdini_Report%20WEB_R.pdf

dz47.servehttp.com
maroco.linkpc.net
maroco.myq-see.com
maroco.redirectme.net

# Reference: https://twitter.com/pmelson/status/1175928909264838660

185.251.38.91:5555

# Reference: https://twitter.com/dvk01uk/status/1176483058058440705
# Reference: https://app.any.run/tasks/62990e45-e920-48b0-a3b3-9ce2e83f99dc/

192.169.69.25:7757
79.134.225.100:2813
2813.noip.me

# Reference: https://twitter.com/Racco42/status/1178932126588297217

45.79.41.137:2344

# Reference: http://blog.morphisec.com/hworm-houdini-aka-njrat

chroms.linkpc.net
finix5.hopto.org
finixalg11.ddns.net
salh.linkpc.net

# Reference: https://twitter.com/fletchsec/status/1179891198615531521
# Reference: https://www.hybrid-analysis.com/sample/a1da7465c3893cb30408820ee821210c0c1c008dcfde0af167f33e9db61975a2/5d965b610288389582043002

186.85.86.96:1235
nfiefbwihf48h9wun3foisnc98ehfb9uwfu.duckdns.org

# Reference: https://twitter.com/Racco42/status/1131130800630579200

admin1960.linkpc.net
savelifes.tech

# Reference: https://twitter.com/Racco42/status/1111615130272444416

181.52.113.177:8105
socketw3.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1092764605766483969

194.5.99.53:5732

# Reference: https://twitter.com/luc4m/status/1092483141619601408

easyresa.ddns.net
shkis.publicvm.com

# Reference: https://twitter.com/luc4m/status/1073257560625569792

goz.unknowncrypter.com

# Reference: https://twitter.com/Racco42/status/1064880890277494785

185.141.27.177:6544

# Reference: https://twitter.com/DissectMalware/status/1008387935199260672
# Reference: https://www.virustotal.com/gui/domain/suport.ddns.net/relations

141.255.145.240:233
141.255.145.255:233
141.255.145.87:233
141.255.146.205:233
141.255.146.59:233
141.255.148.251:233
141.255.148.91:233
141.255.149.205:233
141.255.151.184:233
141.255.152.112:233
141.255.153.20:233
141.255.153.7:233
141.255.155.127:233
141.255.157.34:233
141.255.158.240:233
141.255.158.49:233
141.255.158.62:233
141.255.159.223:233
179.89.100.165:233
196.70.42.129:233
93.182.168.132:233
93.182.168.14:233
93.182.168.15:233
93.182.168.16:233
93.182.168.29:233
93.182.168.31:233
93.182.168.36:233
93.182.168.6:233
93.182.168.8:233
93.182.169.10:233
93.182.169.29:233
93.182.169.30:233
93.182.169.32:233
93.182.170.11:233
93.182.170.141:233
93.182.170.145:233
93.182.170.33:233
93.182.170.5:233
93.182.171.131:233
93.182.171.146:233
93.182.171.164:233
93.182.171.22:233
93.182.171.25:233
93.182.171.26:233
93.182.171.5:233
93.182.172.21:233
93.182.173.20:233
93.182.173.21:233
93.182.173.37:233
93.182.173.6:233
93.182.174.23:233
141.255.145.240:322
141.255.145.255:322
141.255.145.87:322
141.255.146.205:322
141.255.146.59:322
141.255.148.251:322
141.255.148.91:322
141.255.149.205:322
141.255.151.184:322
141.255.152.112:322
141.255.153.20:322
141.255.153.7:322
141.255.155.127:322
141.255.157.34:322
141.255.158.240:322
141.255.158.49:322
141.255.158.62:322
141.255.159.223:322
179.89.100.165:322
196.70.42.129:322
93.182.168.132:322
93.182.168.14:322
93.182.168.15:322
93.182.168.16:322
93.182.168.29:322
93.182.168.31:322
93.182.168.36:322
93.182.168.6:322
93.182.168.8:322
93.182.169.10:322
93.182.169.29:322
93.182.169.30:322
93.182.169.32:322
93.182.170.11:322
93.182.170.141:322
93.182.170.145:322
93.182.170.33:322
93.182.170.5:322
93.182.171.131:322
93.182.171.146:322
93.182.171.164:322
93.182.171.22:322
93.182.171.25:322
93.182.171.26:322
93.182.171.5:322
93.182.172.21:322
93.182.173.20:322
93.182.173.21:322
93.182.173.37:322
93.182.173.6:322
93.182.174.23:322
141.255.145.240:323
141.255.145.255:323
141.255.145.87:323
141.255.146.205:323
141.255.146.59:323
141.255.148.251:323
141.255.148.91:323
141.255.149.205:323
141.255.151.184:323
141.255.152.112:323
141.255.153.20:323
141.255.153.7:323
141.255.155.127:323
141.255.157.34:323
141.255.158.240:323
141.255.158.49:323
141.255.158.62:323
141.255.159.223:323
179.89.100.165:323
196.70.42.129:323
93.182.168.132:323
93.182.168.14:323
93.182.168.15:323
93.182.168.16:323
93.182.168.29:323
93.182.168.31:323
93.182.168.36:323
93.182.168.6:323
93.182.168.8:323
93.182.169.10:323
93.182.169.29:323
93.182.169.30:323
93.182.169.32:323
93.182.170.11:323
93.182.170.141:323
93.182.170.145:323
93.182.170.33:323
93.182.170.5:323
93.182.171.131:323
93.182.171.146:323
93.182.171.164:323
93.182.171.22:323
93.182.171.25:323
93.182.171.26:323
93.182.171.5:323
93.182.172.21:323
93.182.173.20:323
93.182.173.21:323
93.182.173.37:323
93.182.173.6:323
93.182.174.23:323
141.255.145.240:324
141.255.145.255:324
141.255.145.87:324
141.255.146.205:324
141.255.146.59:324
141.255.148.251:324
141.255.148.91:324
141.255.149.205:324
141.255.151.184:324
141.255.152.112:324
141.255.153.20:324
141.255.153.7:324
141.255.155.127:324
141.255.157.34:324
141.255.158.240:324
141.255.158.49:324
141.255.158.62:324
141.255.159.223:324
179.89.100.165:324
196.70.42.129:324
93.182.168.132:324
93.182.168.14:324
93.182.168.15:324
93.182.168.16:324
93.182.168.29:324
93.182.168.31:324
93.182.168.36:324
93.182.168.6:324
93.182.168.8:324
93.182.169.10:324
93.182.169.29:324
93.182.169.30:324
93.182.169.32:324
93.182.170.11:324
93.182.170.141:324
93.182.170.145:324
93.182.170.33:324
93.182.170.5:324
93.182.171.131:324
93.182.171.146:324
93.182.171.164:324
93.182.171.22:324
93.182.171.25:324
93.182.171.26:324
93.182.171.5:324
93.182.172.21:324
93.182.173.20:324
93.182.173.21:324
93.182.173.37:324
93.182.173.6:324
93.182.174.23:324
suport.ddns.net

# Reference: https://twitter.com/DissectMalware/status/986467663353442305
# Reference: https://www.hybrid-analysis.com/sample/f0a1aeaf2a6f3c6098696d3802675097072459b89213177f1e4f1494a67c250a

185.209.85.177:5000

# Reference: https://twitter.com/Racco42/status/1017007079813451778

tune.tym-internationals.com

# Reference: https://twitter.com/Racco42/status/995955505221730304

ihsann.casacam.net

# Reference: https://app.any.run/tasks/505c6e4c-723b-46b0-8917-c200c65817ea/

181.215.247.18:3339
185.198.59.114:5000

# Reference: https://twitter.com/Racco42/status/982731639301267459

lordsdoing2017.ddns.net

# Reference: https://github.com/silence-is-best/c2db#dunihi

192.186.145.93:8885

# Reference: https://github.com/silence-is-best/c2db#houdini-aka-vjworm-vjw0rm

jihanenouhaila.ddns.net

# Reference: https://twitter.com/Racco42/status/1183666041706168321

194.5.98.216:10122

# Reference: https://twitter.com/JAMESWT_MHT/status/1185131622263377923
# Reference: https://app.any.run/tasks/b79dcfcd-5b9b-404f-aaf6-a9ea55109284/

186.147.55.19:5473
186.147.55.19:8371
186.147.55.19:8372
192.169.69.25:8370
mozillamaintenanceservice.duckdns.org
papeleradereciclaje.duckdns.org
seguridaddewindows.duckdns.org

# Reference: https://app.any.run/tasks/1bd816aa-3764-480e-ba70-b57b36551bc7
# Reference: https://www.virustotal.com/gui/ip-address/213.208.152.217/relations

nascoman.ddnsgeek.com
213.208.152.217:14337
60.50.181.240:14337

# Reference: https://www.virustotal.com/gui/ip-address/79.134.225.80/relations

79.134.225.80:7776

# Reference: https://pastebin.com/29uSdMAk

185.165.153.172:3642
homi.doomdns.org

# Reference: https://twitter.com/wwp96/status/1193987577323360256
# Reference: https://app.any.run/tasks/dc2b37db-6f22-4d4c-b13e-ae863ddc9004/

185.165.153.45:2014

# Reference: https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated/
# Reference: https://otx.alienvault.com/pulse/5dcad67ae098a56db0a277d5
# Reference: https://www.virustotal.com/gui/file/d55d5b0c6f41cc6a86764a07715a1a38f2fddda9b90ec641d902be8946939d14/detection
# Reference: https://www.virustotal.com/gui/ip-address/185.84.181.102/relations
# Reference: https://www.virustotal.com/gui/ip-address/193.56.28.179/relations
# NOTE(review): this reference is for 193.56.28.179, but the indicator listed below is 193.56.28.134:5478 - confirm which address the sample actually contacts (the reference may point at a sibling host, or the last octet may be a typo).

185.165.153.14:4132
185.84.181.102:5478
193.56.28.134:5478
07actnewdocreview.servebeer.com
247accountreview.hopto.org
2d0low.warzonedns.com
acountfordocreview.redirectme.net
alertnewdoc.3utilities.com
aloc21.ddns.net
alphazone12.bounceme.net
britianica.uk.com
cboss33.hopto.org
glotin.zapto.org
hazaz12.hopto.org
info1.nowddns.com
kartelicemoney.duckdns.org
newdocreviewonline.3utilities.com
omada91.ddns.net
ubadaddy.ddns.net
zamza.hopto.org

# Reference: https://twitter.com/Racco42/status/1194915765755031554

185.29.10.15:7777

# Reference: https://mp.weixin.qq.com/s/lUtXwWjPVMHXfR6oLnXYhQ
# Reference: https://otx.alienvault.com/pulse/5dd27af757b18947b0544345
# Reference: https://ti.qianxin.com/blog/articles/anatomy-of-moonLight-attack-on-the-middle-east/

192.119.111.4:4521
192.119.111.4:4587

# Reference: https://twitter.com/cyber__sloth/status/1197120949755219968

microsoftntdll.sytes.net

# Reference: https://twitter.com/JayTHL/status/1199347277510270977

188.76.111.76:21125

# Reference: https://www.virustotal.com/gui/file/ca4299f39f28700d8e667451f756fb9637403bb2051d916e90378afe15ff3a57/detection

188.76.111.76:21926

# Reference: https://www.virustotal.com/gui/file/ed7e46b0cf27b8f728cdd71a7c4ae98afde8d2e63f0817eb322c8e77bdd767c5/detection

new2019.mine.nu
webhoptest.webhop.info

# Reference: https://www.virustotal.com/gui/file/141d48379222c0866a009713d0fd18d5ab6ceb5d98a93f63f2c9f1b9aea25f25/detection

192.236.194.169:4422
192.236.194.169:4455
31.13.79.17:4433
31.13.82.23:4433
mmksba.dyndns.org
mmksba.simple-url.com

# Reference: https://www.virustotal.com/gui/file/b7f8a55906d7246ab2b6222f10f38e33947aaa9d0e2a182688129386b11b0759/detection

176.58.72.195:4424
5.133.24.135:4424
mmksba100.linkpc.net

# Reference: https://www.virustotal.com/gui/file/d4055047fcbc3424694d071ab30c96b696aa47353464e2a648627aaae5474493/detection

103.136.43.131:1425
138.68.229.219:7744
159.65.75.168:7744
192.169.69.25:1425
192.169.69.25:7744

# Reference: https://www.virustotal.com/gui/file/929e7fdd01a604fa8070d752365af3651f6ac82fd90e4fd6eb8c7e10b1d0711f/detection

185.92.220.177:3030
sokomoko.duckdns.org
xbacks.duckdns.org

# Reference: https://www.virustotal.com/gui/file/2ab9443a1d793828f9adfe0736bb7a9b45cc6d968847b5f75fcce678af71424f/detection
# NOTE(review): 192.69.169.25 below may be an octet transposition of 192.169.69.25, which recurs throughout this file as a Houdini/H-Worm C2 host - verify against the referenced sample's network traffic before assuming either address.

192.69.169.25:1000
njhost.hopto.org
todoaqui.duckdns.org

# Reference: https://www.virustotal.com/gui/file/7aff993ed971c40aa483a334f5cb4c71e07278fb1a78d422c3d378bdb07360cd/detection

79.134.225.71:10001
thankyoulord.sytes.net

# Reference: https://twitter.com/wwp96/status/1211677791822983170
# Reference: https://app.any.run/tasks/aa27eb28-6432-4e46-891f-4cc804ff29d3/

37.120.145.184:9999
wshsoft.company

# Reference: https://www.virustotal.com/gui/file/dc99eb7e9bc0d251c19893f5fade268b5bcc7f148a2b549edd555758a1eb080d/detection

193.161.193.99:35778
193.161.193.99:47195
blackid-35778.portmap.io
blackid-47195.portmap.io

# Reference: https://www.virustotal.com/gui/file/053f4d8ec5c79e12c0214a38475d2adf80eb66dd910b279bd8547996bbc1be02/detection

vemvemserver.duckdns.org

# Reference: https://www.virustotal.com/gui/file/bedc43be4177fb73172a6ca0a9520e096b567fbfdb0c549b5aa65b2135268d56/detection

216.38.8.175:2356
216.38.8.175:2357
doughnuthoney.com
emisintl.com

# Reference: https://www.virustotal.com/gui/file/192d31f001c6551081873a98a4d14575bab6003f143e916fb9b7eeef4273bbf8/detection

186.85.86.50:8210
socketw4.duckdns.org

# Reference: https://www.virustotal.com/gui/file/a1215d5e03dbfce21bc1000f57e0ea955427bc3314471518b1771e4fbad53f67/detection

181.141.4.105:6363
microsuftplay656.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3f3989ddb1dd14df5b937cca78ec5e039e9cccad59e726c2196c758c2c5d0990/detection

185.165.153.14:4132

# Reference: https://www.virustotal.com/gui/file/ad3b52dccec40e7924bb59f320ae536e5eb2903456a284113bf9609ae2e582ab/detection

185.84.181.102:5478
193.56.28.134:5478

# Reference: https://www.virustotal.com/gui/file/64af7d8a5d13fc5523f55eaef17a5ae8bdbe69f47c4d77a6fa2273d3d751ea28/detection

175.140.1.8:14337
175.144.118.127:14337

# Reference: https://www.virustotal.com/gui/file/93201744ed9d58b1cfdffe2404abd8b43571c32aa894d2250226ae9bfa180cd0/detection

216.38.8.175:2359

# Reference: https://www.virustotal.com/gui/file/a82079d073c6aa574c7bdaf6fbb4d92150b589ac7c64cbc879493d347adec691/detection

79.134.225.105:9213

# Reference: https://www.virustotal.com/gui/file/368fbed374ff8ddcfdb713ab32b74e58611f0e399a1fb550294c087bea54dc71/detection

92.38.86.175:1337

# Reference: https://www.virustotal.com/gui/file/20a9591cddd7876dca477f912f4af83e4a7f859bbb6f618dbc64576a8680df1f/detection

69.171.224.40:9094
79.134.225.72:4132
toustruksd.mywire.org

# Reference: https://www.virustotal.com/gui/file/3c2596940559732bc88a38c163c70bf9f9a9d49fc065be8aa4bcef7a299418f2/detection

plugnsrv2.duckdns.org

# Reference: https://www.virustotal.com/gui/file/fea25a627fc28d92aea6a51b74d6b71ef9aae27fb9ca1f4041b262434423ee0a/detection

185.244.30.19:5000

# Reference: https://www.virustotal.com/gui/file/c229c614c9bd2b347fd24ad12e3c157c686eb86bc0a02df1c7080cf40b659e10/detection

194.5.98.46:4132

# Reference: https://www.virustotal.com/gui/url/76ac2d4c2a0552c632071f062bdaa4ea158b98b610305a35f51ffe5151964b5a/details

141.255.155.122:9988
wrk99.ddns.net

# Reference: https://app.any.run/tasks/7492c122-a646-468c-9531-50d40a2da425/

updatewinrar.duckdns.org
chance2019.ddns.net
185.165.153.165:1036

# Reference: https://app.any.run/tasks/90163f12-f649-4689-8e02-f8f0f036d0bb/

dhanaolaipallets.com
185.244.30.19:5000

# Reference: https://www.virustotal.com/gui/domain/dabadaba225.duckdns.org/relations

192.169.69.25:43300
dabadaba225.duckdns.org

# Reference: https://www.virustotal.com/gui/file/14862182488371811658558c0024e78b6d81419b4f2bdb8628e2184ccd9ebfff/detection

213.152.162.154:3903

# Reference: https://www.virustotal.com/gui/ip-address/197.27.69.48/relations

197.27.69.48:3010

# Reference: https://twitter.com/JAMESWT_MHT/status/1220027808791044096
# Reference: https://app.any.run/tasks/52b380ef-b29d-48fe-b63b-8160f4bec416/

194.5.99.45:44300
deepweb212.duckdns.org

# Reference: https://pastebin.com/0ZxSHAWi

192.169.69.25:44300

# Reference: https://www.virustotal.com/gui/file/581d0676872101e1eb9c3dab54da43eaf4bc70141ed1985e8c8018aea0418ed3/detection

192.169.69.22:8884
psnpsnpsn.duckdns.org

# Reference: https://www.virustotal.com/gui/file/221c20f334ad19314517b53b997694a8dfacb6974137686079f6c54449fa35dd/detection

192.169.69.22:1922

# Reference: https://www.virustotal.com/gui/file/24f2322b8ee33c26bddbf7aa62a8835cfa1a6c5145ca26ba3441254d7dbd9d35/detection
# Reference: https://www.virustotal.com/gui/file/f4f74c829121448d70bef413e6cd9c43f3de9084f03cf90656dcc0f1d5dce980/detection

joker500.mywire.org

# Reference: https://www.virustotal.com/gui/file/2550cd813fa1375087c78d715f182cb3b480254b741adaf442b1d9bdf479c4c4/detection

jbarynhsn.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3acbad45d8730e3658b6cf926339f239953dd933190f75cf9bb3db81c299c0c7/detection

79.134.225.24:70

# Reference: https://www.virustotal.com/gui/file/e91e821c14a5fe33982952d83be3917515e720dc8d6e7e91bc91b504a2fe7d95/detection

152.245.176.96:70
152.246.206.5:70
79.134.225.20:70

# Reference: https://www.virustotal.com/gui/file/7c85327300dcf7266b90c49c46a31d36de4689229f3433757cc451ec803aaccb/detection

185.62.189.77:5000

# Reference: https://app.any.run/tasks/06046cbc-8a54-4bfe-8297-372cd60eeb3a/

185.244.30.92:4587

# Reference: https://www.virustotal.com/gui/file/f0f425ab50a4839e3fcf9a69d944473ae37813e076aed3d6bc3b44ce8ae206b5/detection

95.233.69.34:1188

# Reference: https://www.virustotal.com/gui/file/e52ea99a66bcbed844d7ba2f439b59e45c2566e80dfa486f2392be4a38a0ee13/detection

79.35.43.177:81

# Reference: https://www.virustotal.com/gui/file/933b42479f92cc0682576621d139316a503e7217bb50fe0341405e8d6a60332d/detection

79.30.198.114:81

# Reference: https://www.virustotal.com/gui/file/77ba7bba82eabb82fd6d35ce24bf45150da2461cb0e6f794960b7ca0cb52e08e/detection

87.16.46.48:81
95.247.42.192:81

# Reference: https://www.virustotal.com/gui/file/9a73a75bfea3da19e4b3a9d0f92e611ad3c6fb2e17d92b927b89e4521d935b96/detection

79.33.46.247:81

# Reference: https://www.virustotal.com/gui/file/511c799d7b661092314c00b762f2e6726759d2bc699bcd8d16d2724610f2f290/detection

79.30.213.227:81

# Reference: https://app.any.run/tasks/83f88cce-cdf7-48d1-9915-4da55f6241a1/

sexylegs.ddns.net

# Reference: http://benkow.cc/export_rat.php  (Note: snapshot as seen on 2020-02-26, filtered to entries attributed to this family; the export is a live list, so later snapshots may differ)

anahowa.duckdns.org
bellevie.duckdns.org
ghanaandco.sytes.net
loginsecure.mywire.org
mouqgsud.duckdns.org
ozill619.ddns.net
shore.kozow.com
ssss22.ddns.net
sub2.qaysarpizzajo.xyz
top2.alqaysarpizza.xyz
total-virus.myq-see.com

# Reference: https://app.any.run/tasks/e264efca-90d4-4c69-b86d-074e3f213ea5/

185.244.30.92:3546

# Reference: https://www.virustotal.com/gui/domain/arseisa.no-ip.org/relations

arseisa.no-ip.org

# Reference: https://www.threatminer.org/sample.php?q=3020b84a6e350dd10ad070aa184209b5

ali2627.ddns.net

# Reference: https://www.threatminer.org/sample.php?q=ce434374314444912254af88faa3c204

microsoftaccount.myvnc.com

# Reference: https://www.threatminer.org/sample.php?q=d499243df4e1405b18fd411032bcdedb

mimi06.zapto.org

# Reference: https://www.threatminer.org/sample.php?q=75be7737707a3c6fbb732d6c3fa46c99

tatabatata.hopto.org

# Reference: https://www.threatminer.org/sample.php?q=151e1983c54690c9d6972d91cb5f5011

xn8n8.sytes.net

# Reference: https://www.threatminer.org/sample.php?q=68217e8092e97336f143489a6cf9804d

23df.myq-see.com

# Reference: https://www.threatminer.org/sample.php?q=37d212a09a72bc79781b19311d061767

absiii.ddns.net
absikwt.ddns.net
absikwt88.ddns.net

# Reference: https://www.threatminer.org/sample.php?q=2b664826552bf37b23f185e7675f310c

avfucker.com

# Reference: https://www.threatminer.org/sample.php?q=3c6b003e50a9c72ed12942afe897718d

coobra.zapto.org

# Reference: https://www.threatminer.org/sample.php?q=7415faef2d164505e450e181b6d69d0d

ecu-sec.hacked.jp

# Reference: https://www.threatminer.org/sample.php?q=bac1e4bc667f3a14e83a82a8f029bc9e

hllll.no-ip.biz

# Reference: https://www.threatminer.org/sample.php?q=26a8615022bac8666804fe2f1add8ba6

jrmodas.no-ip.org

# Reference: https://www.threatminer.org/sample.php?q=2a2e7d3844f735687c8d8e8ad22112f4

kfr.sytes.net

# Reference: https://www.threatminer.org/sample.php?q=c0df9b9539b2b9a36d38340c24bb1f6a

ludvanjohnson.zapto.org

# Reference: https://www.threatminer.org/sample.php?q=9bbbcfd508fbe11ba52e4f4b1ed40e49

mlkm33.no-ip.biz

# Reference: https://www.threatminer.org/sample.php?q=1a82cbb7eb48319a6fe56ccaa4c1bba6

mzab47.myq-see.com

# Reference: https://www.threatminer.org/sample.php?q=38c6a71f408395993540493a5e2d0067

profess3ional.no-ip.biz

# Reference: https://www.threatminer.org/sample.php?q=209cc75973f0d896e078350eb404751a

raouf-vbs.no-ip.biz

# Reference: https://www.threatminer.org/sample.php?q=e6e7cd28c5f8a4fcf557d46d0efe9393

tcp.nightowldvr.com

# Reference: https://www.threatminer.org/sample.php?q=cb4ab603c5d31677099bf54805b95d54

tdiod.zapto.org

# Reference: https://www.threatminer.org/sample.php?q=9e55e00fd5e2420ad7b14adcf70f7e53

vipx.zapto.org

# Reference: https://www.threatminer.org/sample.php?q=bec5d7e5df05bd02d6ba81aeb29407ce

whisher.no-ip.org

# Reference: https://www.threatminer.org/sample.php?q=171dabfb315dec64e52691e93c432300

winup.publicvm.com

# Reference: https://www.threatminer.org/sample.php?q=e7b3ff4591a4c026bfdd9e42af03807c

wiredmax.no-ip.org

# Reference: https://www.virustotal.com/gui/file/db4fe7e43c19a1d17e4b7738c36b85ebfb5cc5d91db25ac5ac4b94af82a0b68a/detection

213.45.7.218:1188
sensual2020.ddns.net

# Reference: https://www.virustotal.com/gui/file/38df912352f1d4e3e871261be13ad8eef44dcf2979e6603f6888c531111d3ede/detection

82.55.251.22:1188

# Reference: https://www.virustotal.com/gui/file/17e58d20dbd15ecbf1ac9a8482b2273581860abbcfd3d093cbbdcbefa0d2a158/detection

82.61.221.212:1188

# Reference: https://www.virustotal.com/gui/file/9097ae5f5d63fa5a74c67384bcc6fee14e046d0c21a18424edc479f16052e8eb/detection

192.121.247.97:1414

# Reference: https://www.virustotal.com/gui/file/7a556ed1083575a556b4bc3b4b7e35c4419367e5bb0bcf7285e7862343022ec8/detection

194.35.115.16:1414

# Reference: https://www.virustotal.com/gui/file/c7f5e679b44ff70d1f0cb302b0727744decd967fd0984e6b5d62bbe904cf6a8f/detection

194.35.115.43:1414

# Reference: https://www.virustotal.com/gui/file/98644e0e9ec41617fb8baea461bd7eec879e8504397a01a2098ffe53d3564b38/detection

102.69.4.170:1414

# Reference: https://www.virustotal.com/gui/file/4f5e28b7c22bfb6d9c5279b5be1d7b62ddca3c94c1350f19b0e7dce309504bb5/detection

102.69.2.129:1414

# Reference: https://www.virustotal.com/gui/file/d8fefc2f17dff156f575c36b7fc2ce84f4f1d55b3bb01d9e29965478ee51a6eb/detection

172.111.196.133:1414

# Reference: https://www.virustotal.com/gui/file/063efa057d9ba0e91f3f9ca461cf73ad96e3ab67718a1c71e8143f477d7460bd/detection

102.69.4.88:1414

# Reference: https://www.virustotal.com/gui/file/5406475d295f7cb80a87dc2858d2af48594714d65a3bec9da048753f4116ada7/detection

46.243.141.97:1414

# Reference: https://twitter.com/Bl4ng3l/status/1236946300463190017
# Reference: https://app.any.run/tasks/62f5c5aa-4a3d-483f-a737-d3a39c20f7fd/

78.138.105.191:7504
pphndirmm.hopto.org

# Reference: https://www.virustotal.com/gui/file/36a8d97504bb0437a0dfdb35fcb161b8169f4b77c3a75184e40c4f129f1a61d7/detection

196.234.188.115:3008

# Reference: https://www.virustotal.com/gui/file/0d9cbd75a3a1f154b2cee4efe4bd6bf1ab00340f45289113ce6ab00fdd69cf27/detection

196.234.207.160:3008

# Reference: https://twitter.com/malwrhunterteam/status/1238790854514532353
# Reference: https://www.virustotal.com/gui/ip-address/181.141.13.108/relations

181.141.13.108:1900
marzo132020.duckdns.org
marzo42020.duckdns.org

# Reference: https://www.virustotal.com/gui/file/526bc4ebea1c78d540ffb273a477ede65d2e97fb2af35b7cea80d9de0ce13890/detection

149.200.190.218:190

# Reference: https://www.virustotal.com/gui/file/99b0705fb9c26482904efbb35507d9d6eed783414a9f85a03ebe169839fb2800/detection
# Reference: https://www.virustotal.com/gui/file/6f78d9ae6a2bed1789868849bd7cef8503973785193c8c3a20173104017b0057/detection

149.200.189.60:190

# Reference: https://www.virustotal.com/gui/file/570b6d49bb0667b868293bc432fe325f46237e1f8249d3756561a062986359df/detection

91.109.176.5:190

# Reference: https://www.virustotal.com/gui/file/cfb3b7886160198eb36879727e9c5a142f733af13acd65e3680e190f0dcdcefa/detection

188.247.73.175:190

# Reference: https://www.virustotal.com/gui/file/05910bef557bb3f0acbc198ae78017011c75349f45bac028f51d329436259279/detection

217.138.215.125:190

# Reference: https://www.virustotal.com/gui/url/609b9405352293863e2f41d5648a1861f4455f388e85e31d71b5ec60ab7989d4/details

185.19.85.155:9045

# Reference: https://www.virustotal.com/gui/file/2da8f420290e7068297d77c15aed0327eed74380cdc68e8990e2add41654bc57/detection

igfx.ddns.net

# Reference: https://www.virustotal.com/gui/file/27b749b33e052473fdd1045493b0eeca34a4b8a5e2863f2e838e561d60088880/detection

185.165.153.228:2014
kimjoy007.dyndns.org

# Reference: https://app.any.run/tasks/4b73163e-c948-43ce-ac2d-a2df4bddbab7/

192.169.69.25:8000

# Reference: https://www.virustotal.com/gui/file/f12113dfd58eebfc534a60d5b4d095f9bd6e1c4631fc2e15fa74e6b769dda6c0/detection

193.26.21.80:4025

# Reference: https://twitter.com/Racco42/status/1243523523013992448
# Reference: https://app.any.run/tasks/238a152a-5bb6-40a5-937a-e7b472957dee/

102.141.212.9:2003
2003wsh.ddns.net

# Reference: https://www.virustotal.com/gui/file/f26944ff49e0437533df291a1ce454631cbb77eae51e0757e2ca4393aeaed70b/detection

156.223.86.230:4000

# Reference: https://www.virustotal.com/gui/domain/uty2.no-ip.org/relations

204.95.99.86:5510

# Reference: https://twitter.com/0xCARNAGE/status/1246422142427770881
# Reference: https://app.any.run/tasks/a25d886d-bec7-43d4-9015-302f051844de/

192.169.69.25:8899

# Reference: https://www.virustotal.com/gui/file/51fba0dc5149e23b697d955c63feaec88cad72d77b97a02ec559ac8057edb569/detection

204.95.99.26:22
boss21121.no-ip.org

# Reference: https://bazaar.abuse.ch/sample/b8ac5893e69e9e99d02d7498c2a68ae4b44dcb025ec2886e46f0d1703ad93db9

185.62.58.109:2208
musicport.duckdns.org

# Reference: https://twitter.com/FaLconIntel/status/1255665102264528898
# Reference: https://app.any.run/tasks/3f461626-f5e7-4a6c-8b5b-f517bb5619e2/
# Reference: https://www.virustotal.com/gui/file/a609076b02f19b4dd1ce2b365cdfacd2bb89042fbede90b698a5a1f9003138b4/detection
# Reference: https://www.virustotal.com/gui/file/053721878d63edba7b43ea65c0fe11e6fdbdd969376d34a107d689609b47035f/detection

188.76.111.85:21125
191.101.124.8:21125
217.216.90.29:21125

# Reference: https://twitter.com/James_inthe_box/status/1257624020490436610

79.134.225.80:7060

# Reference: https://twitter.com/ActorExpose/status/1257617349286510593
# Reference: https://www.virustotal.com/gui/domain/dsaety.hopto.org/relations
# Reference: https://app.any.run/tasks/061c2039-0a08-48e6-bf99-f6c040586aa1/

79.134.225.80:807
dsaety.hopto.org

# Reference: https://twitter.com/JAMESWT_MHT/status/1263801108444712967
# Reference: https://app.any.run/tasks/78c84285-5569-43bc-916a-8e2fa61010d2/

suka-mht.duckdns.org

# Reference: https://www.virustotal.com/gui/file/1e09e5b0f0a2b92dd508bd1b9a3d2094b16076e879e74a8e137ef92b10b0f7fa/detection

37.106.167.17:4343
94.99.52.125:4343
94.97.34.100:4343

# Reference: https://www.virustotal.com/gui/file/7e892538f59ed8025147b3a1c333ef39b9633b71dcccbd939157ed9ba7869032/detection

154.66.19.253:4191
ghostwsh4191.ddns.net

# Reference: https://www.virustotal.com/gui/file/20313c395789a155d8bc37d3ec617bd6641724e540246c088061c7ad06b6ec67/detection

31.13.76.16:7800
69.63.181.12:7800

# Reference: https://www.virustotal.com/gui/file/24ecc1a35f077c65e1fcc1a127ff3e6727808c2791fda3a0711a895bb450f9b2/detection

188.52.123.43:7800

# Reference: https://www.virustotal.com/gui/file/c67648c0016e1d66ec344ff329a3ab288ffca75034869e8606c736eb7d07dd8a/detection

188.52.27.9:7800

# Reference: https://www.virustotal.com/gui/file/0d6754f45501de6dd8f63917c09ab884691475a1e7da6f4c7458d578cc940544/detection

69.63.176.59:7800

# Reference: https://app.any.run/tasks/9c5d42c7-c22e-4070-b1cf-5a3bad6ffbc8/

84.38.134.21:6696

# Reference: https://www.virustotal.com/gui/file/2cc18a9def3d2f33ebfc7d6ec9e49fbf69259014376098842e378ca4376ff6f7/detection

185.22.32.53:1987
life698.ddns.net

# Reference: https://www.virustotal.com/gui/file/aa85a5f32b8f57f2714edfd8f18d7c6f8e0031667997dcb3e920515952658a50/detection

185.97.93.0:1987

# Reference: https://www.virustotal.com/gui/file/70c1dde88e26977f33048b549468d847c34e22e592c62d040564d7cf59a69446/detection

195.33.241.242:6464

# Misc (incidents; indicators recorded without a public reference link)

tablet.system-ns.net

# Generic trails (URL path fragments rather than host or ip:port indicators).
# NOTE: short paths such as /is-ready or /i_am_ready can also occur in unrelated
# services, so a hit on one of these alone warrants corroboration (e.g. a host
# or ip:port match above) before it is escalated.

/give-me-chpv
/give-me-ffpv
/i_am_ready
/is-bekle
/is-cmd-shell
/is-enum-driver
/is-enum-faf
/is-enum-path
/is-enum-process
/is-logs
/is-processes
/is-ready
/is-readyrecordid
/is-recving
/is-rinoy
/is-rlsartg
/is-sending
/is-sxtyuig
/im-azerty
/send-to-me|
/update-status|
