# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: aggha, dtloader, haggah, negasteal, pretoria

# Reference: https://twitter.com/James_inthe_box/status/1040718336173137920

host2.azaronline.com

# Reference: https://twitter.com/avman1995/status/1039929322612641792

mail.efx.net.nz

# Reference: https://twitter.com/James_inthe_box/status/1039878859007569920
# Reference: https://www.virustotal.com/#/ip-address/37.59.117.243

http://37.59.117.243

# Reference: https://twitter.com/avman1995/status/1040493935234371584

ftp://ftp.fasttradeco.com

# Reference: https://twitter.com/MalwareHunterBR/status/1016486687059402752

herosoup.org

# Reference: https://twitter.com/ViriBack/status/983011333506588672
# Reference: https://pastebin.com/nwWHHFe0
# Reference: http://tracker.viriback.com/dump.php (# 2019-11-04, AgentTesla)

http://190.97.166.194
190.97.166.194:8080
aaatechh.com
agent.rooderoofing.com.au
arbistars.com
bobby.ziraat-helpdesk.com
brther-group.com
callvaxglobal.com
captainbugattiautos.com
ceoinboxs.com
chibu.ziraat-helpdesk.com
chisom.ziraat-helpdesk.com
dashi-dashi.ziraat-helpdesk.com
data-startssllink.com
eizzy.haoldd.com
elb.haoldd.com
emaaiil-163.com
emy.agrillcs.com
etvidanueva.com
excelaires.com
ezeoma.agrillcs.com
figure.agrillcs.com
files.ziraat-helpdesk.com
flopdlsofrd.com
forteol.com
free.agrillcs.com
grindtreu.online
haoldd.com
ike.agrillcs.com
isa.haoldd.com
jboy.agrillcs.com
jizzy.ziraat-helpdesk.com
joe.ziraat-helpdesk.com
kc.ziraat-helpdesk.com
kelvin.agrillcs.com
kodarkalaris.com
magnaki.com
marchforward.usa.cc
mi.haoldd.com
milonestlevevy.com
oceantrading-jp.co
okey.haoldd.com
pounds.ngrok.io
prominienttec.com
shileniniliv.com
siamzime.com
sindevil.com
sm.rooderoofing.com.au
small-kelly.agrillcs.com
tonishl.ga
tonishl.ml
uccftl.org
valedein.com
workupdates.net
yg.haoldd.com
zomcnxbilo.com

# Reference: https://twitter.com/James_inthe_box/status/1046070749138735110

shahrproject.ir/wp--admin/

# Reference: https://twitter.com/James_inthe_box/status/1044198938847244289

moranhq.duckdns.org

# Reference: https://twitter.com/Jan0fficial/status/1047023512383311873

venividivici.host

# Reference: https://twitter.com/Jan0fficial/status/1047051546851254272

etvidanueva.com/photos/images/WebPanel/login.php
etvidanueva.com/photos/images/fulls/WebPanel/login.php

# Reference: https://twitter.com/Jan0fficial/status/1047053960689987584

allpeople.cc/WebPanel/

# Reference: https://twitter.com/James_inthe_box/status/1047495498867728384

hp-compoundlng.com/zuniga/zuniga.php

# Reference: https://twitter.com/avman1995/status/1046620646137102336

repoyochar2u.ddns.net
repoyochar2u.hopto.org

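# Generic callback path (host-independent: matches /zuniga.php on any host, so verify the destination on a hit; cf. hp-compoundlng.com/zuniga/zuniga.php above)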

/zuniga.php

# Reference: https://twitter.com/Racco42/status/1055370151984537602

ftp.dolphins-gb.com

# Reference: https://twitter.com/casual_malware/status/1107441450415992832

rat8882018.bounceme.net

# Reference: https://twitter.com/ItsReallyNick/status/925754844706689024

regiusersme63.com
twendekazi.co.ke

# Reference: https://twitter.com/JAMESWT_MHT/status/1111231704847581185

server15.thcservers.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1117787548787597313
# Reference: https://app.any.run/tasks/a7f299b3-0b84-4403-a75f-7fb45700e14e

severeweatheralerts02.severeweatheralerts.net

# Reference: https://otx.alienvault.com/pulse/5cb636d8706621055e694e0a
# Reference: https://twitter.com/_cpresearch_/status/1118201474809462784

checkoutspace.com

# Reference: https://twitter.com/dvk01uk/status/1137669359273435138
# Reference: https://app.any.run/tasks/318a9aa9-8c2e-4d21-9a4c-aa023de19d74/

mail.trezaexim.com

# Reference: https://twitter.com/Lvanoel/status/1140500849904537600
# Reference: https://app.any.run/tasks/b4361590-d24e-4a4d-a273-5776ee377b08/

mail.jyotistrips.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1142020465063538689
# Reference: https://app.any.run/tasks/1f643b34-6d92-4bb6-88e1-2aa21e524d20/

mail.crypy.top

# Reference: https://twitter.com/killamjr/status/1143288308300013568

vr9519.club

# Reference: https://twitter.com/B1naryG/status/1143818690040860673
# Reference: https://app.any.run/tasks/3b4e7470-3144-47e3-8caf-ad069c4a5419/

algadeed-com.ga
mail.sweeddehacklord.us

# Reference: https://github.com/pan-unit42/iocs/blob/master/agenttesla/agenttesla_panels.txt

123.makologg.website
13020.vhost.myvirtualserver.de
13140.vhost.myvirtualserver.de
a-work.info
addmehosts.com
admin.downloadtip.club
agenttesla.com
agentteslapanel.site
airnicoltd.biz
appleconnect.online
blasternoon.ru
blockchian.us
bossbadoo123.000webhostapp.com
brunam90.me
cellularwizard.biz
china-smi.biz
classicfllters.com
cloud9files.net
coleweinman1.000webhostapp.com
combinaparts.com
comebackto.info
compassiwater.com
cp.gonerallying.com
csgoshuffle.trade
cyberfreakz.cf
daalkha.com
darkmat3r-v3nom.lawcost.com
davcandle.life
defaomfg.com
diplomaticcourier.net
dongabito.com
douglascellings.com
dovemessengers.com
dropped.cf
e-paymentonline.online
egoigwe.date
elihanss.ru
emailaccountsupdate.com
emybeks.diplomaticsecurityservicelondon.com
essentialsupdate.com
exam2quiz.com.ng
eyeover.it
fash2v.com
fbillion.essentialtechsolutions.com
frank.diplomaticsecurityservicelondon.com
franklinpanel.xyz
frankpanel.xyz
friendfinances.com
fundz1st.fav.al
futurarice.com
graficafolha.com.br
halifacxz.com
helofitsol.com
hiflowwing.com
hopewordnlos.info
hoplikes.com
hp.gonerallying.com
hugoslyltd.com
hummerenergyinc.com
hustle.paneltesla.net
ibouz.co.business
icoud.online
iiltd.xyz
januoey.com
jerelpacks.com
jpoffice2017.xyz
karmakintra.com
kf3nqetgl3p3qlvnl4ze.ru
kidertalerz.com
killatenderz.com
kolapharma.com
koloongroupinc.ru
lakhakaidea.com
libazo.com
magosnegt.net
maxibrainz.net
mctagents.ml
mgelectroncs.com
miloill.com
mitch.sudimex.ml
mnbvcxzus.com
mogosan.com
mqbearing.club
mrabengo.com
nckportugal.com
nellsonn.com
newseuro2015.org
nexuscoltd.com
notifuls.com
onlinesypoi.com
optifinecapes.us
panel.profitstakers.com
panelci.xyz
panelone.xyz
panelp.xyz
paneltesla.net
pansha.regworldmail.com
pegeng-ch.com
petush32.beget.tech
picasuminion.com
plasdic.com
pron.wonkarima.ru
robphish.xyz
rootjoy20.net
roperspump.com
saintahotel.com
secpolicy.info
senator1st.fav.al
sender.agenttesla.com
shalla.eyeofbangladesh.com
shingrela.com
signaturehealthcarltd.com
smartmanber.com
someshitejob.ru
sosignshome.com
steamstatus.pw
stlmre.xyz
suabepga.net
suchsuggestions.com
sweed-office.comie.ru
syncav.ms-sync.com
t1st.fav.al
t2st.fav.al
t3st.fav.al
t4st.fav.al
t5st.fav.al
tecomou1d.com
tesla.dailyawamitime.com
tesla.lawcost.com
teslalogs.club
toke.paneltesla.net
tokimecltd.ru
tomfill.xyz
trade-accounts.com
transfoffer.com
transstates.us
u-nyx.ru
ugo.diplomaticsecurityservicelondon.com
upgr-serv.com
vacanzaimmobiliare.it
vimeostream.com
viprecycleresourcesltd.com
vivaasindustry.com
weviio.com
wlttraco.com
womensmuseumca.org
wonkarima.ru
xbool.ru
xboolean.com
xz2dtd11bm97h36.host
yeubiope.com
you.paneltesla.net
yyyxyyxxyxxx.xyz
zjxhqd.com

# Reference: https://twitter.com/killamjr/status/1145131854984556545

spellsove.duckdns.org

# Reference: https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html

Oralbdentaltreatment.tk
aelna.com
aiaininsurance.com
aidanube.com
anernostat.com
blssleel.com
bwayachtng.com
cablsol.com
candqre.com
catalanoshpping.com
cawus-coskunsu.com
crosspoiimeri.com
dougiasbarwick.com
erieil.com
etqworld.com
evegreen-shipping.com
gufageneys.com
hybru.com
intermodaishipping.net
jltqroup.com
jyexports.com
kayneslnterconnection.com
kn-habour.com
leocouriercompany.com
lnnovalues.com
mglt-mea.com
mti-transt.com
profbuiiders.com
quycarp.com
regionaitradeinspections.com
repotc.com
rsaqencies.com
samhwansleel.com
serec.us
snapqata.com
spedaqinterfreight.com
sukrltiv.com
supe-lab.com
sweed-office.comie.ru
sweed-viki.ru
sweeddehacklord.us
sweedoffice-bosskobi.duckdns.org
sweedoffice-chuks.duckdns.org
sweedoffice-goodman.duckdns.org
sweedoffice-kc.duckdns.org
sweedoffice-olamide.duckdns.org
sweedoffice.duckdns.org
usarmy-mill.com
virdtech.com
willistoweswatson.com
wlttraco.com
worldjaquar.com
xlnya-cn.com
zarpac.us
zurieh.com

# Reference: https://twitter.com/stoerchl/status/1157237675302240257

serverstresstestgood.duckdns.org

# Reference: https://twitter.com/dvk01uk/status/1159391837553090560

server1.monovm.com

# Reference: https://any.run/report/3c240ee0a740b57daea65b81faa99b951731f23c694bb5b6964b553152ee8d6c/1561dcbd-2a96-469a-8822-7cf9d495441e

helsanaa.com

# Reference: https://app.any.run/tasks/ab36a3dc-063e-41ee-8077-dc501f4d1403/
# Reference: https://brica.de/alerts/alert/public/1263301/agenttesla-keylogger-and-binary-options-scam/

mail.tendertradeforex.co.uk

# Reference: https://app.any.run/tasks/c1c8ad7a-f1d0-4ddf-b1d7-648d8f097ef8/

smtp.odogwugroup.icu

# Reference: https://app.any.run/tasks/d4aff5ad-9b44-42f0-8165-74731e1114c4/

smtp.rexsativa.com

# Reference: https://app.any.run/tasks/df208288-e4f1-4efd-99ee-12c2e37905c4/

mail.interflow.com.pk
tfvn.com.vn

# Reference: https://app.any.run/tasks/8b18fd2b-2610-49b0-9dea-55b45742adc5/

smtp.iconic-qrp.com

# Reference: https://app.any.run/tasks/8b668f18-5854-43ef-a2af-f4e8ee9b9b55/

server1.monovm.com

# Reference: https://twitter.com/dvk01uk/status/1171723427138420738
# Reference: https://app.any.run/tasks/fef429fb-bec4-4368-9b3e-9e37866221c7/

mail.appliedfuturevison.com

# Reference: https://twitter.com/wwp96/status/1173611784743378944
# Reference: https://app.any.run/tasks/948a6bd8-0cfb-4a82-a3f9-1e631965900b/

workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com

# Reference: https://app.any.run/tasks/43064ac6-b617-44c8-8942-bacf12288dfc/

smtp.uml-db.com

# Reference: https://app.any.run/tasks/7545bb05-60f9-4995-b6ee-e5b32a8783ec/

smtp.nifl.icu

# Reference: https://twitter.com/Lvanoel/status/1173838721201922048
# Reference: https://app.any.run/tasks/1b86cdd7-f235-4159-ab74-127bd0d0912a/

5.9.3.218:26
mail.siicegypt.com

# Reference: https://twitter.com/reecdeep/status/1174270764461244417
# Reference: https://app.any.run/tasks/f3372717-35fb-43fc-aa1e-073bc762c39e/

198.187.29.188:26
mail.cjcurrent.com

# Reference: https://twitter.com/wwp96/status/1176581010554793984
# Reference: https://app.any.run/tasks/ed1bc8c6-d83b-4dfd-9b6e-2b3ad128c83a/

server263.web-hosting.com

# Reference: https://twitter.com/wwp96/status/1178661072993173504

smtp.kobitek-tr.com

# Reference: https://www.virustotal.com/gui/url/752918f8cfbeff0e6bbb5f0c62edc1bedca657b5eb659ab07d610260e3b7a48d/details
# Reference: https://urlhaus.abuse.ch/url/235725/
# Reference: https://any.run/report/2ff7a5b19dbf914d2607623b255fc392b20e86a61109cac6de96cf214e88f963/2a188e52-c397-4805-b62a-faefe02c9d8f

wirelord.us

# Reference: https://precisionsec.com/threat-intelligence-feeds/agenttesla/

khotawa.com
xdzzs.com
demo.shopping.co.mz

# Reference: https://urlhaus.abuse.ch/url/236622/

decodes.in

# Reference: https://urlhaus.abuse.ch/url/236510/

cafe-milito.com

# Reference: https://urlhaus.abuse.ch/url/235644/

mpsoren.cc

# Reference: https://urlhaus.abuse.ch/url/235546/

alhaji.top

# Reference: https://twitter.com/0xFrost/status/1179459193662853120

smtp.alliadintl.com

# Reference: https://app.any.run/tasks/5434da4e-e090-4642-be8d-a0117eaeb143/

smtp.alfe-eng.net

# Reference: https://twitter.com/MrGlaive/status/987780707551469569
# Reference: https://www.virustotal.com/gui/file/281053cbe38ffb8634e33d8a42ab772fb334de9e0a94af370a2426e00a502d6b/detection

mail.crosspolimeri-com.ga

# Reference: https://twitter.com/wwp96/status/1188897624776216576
# Reference: https://www.virustotal.com/gui/ip-address/79.134.225.125/relations

olodofries.ddns.net
victoryinkings.ddns.net

# Reference: https://twitter.com/ViriBack/status/1189329887074619395
# Reference: https://app.any.run/tasks/4fb9044e-3ab4-4475-94d0-0070bef4acdc/

52.15.102.232:16654

# Reference: https://twitter.com/wwp96/status/1189564875040788480

smtp.krisorigin.top

# Reference: https://twitter.com/JAMESWT_MHT/status/1192365857810341888

ftp.kassetiabi.ee

# Reference: https://app.any.run/tasks/ab049db9-c6b6-4fc5-9052-1e27dd897f18

crilod.com

# Reference: https://twitter.com/P3pperP0tts/status/1193202523974389760

eastbrightness.com

# Reference: https://twitter.com/James_inthe_box/status/1193965109552406528

webtoall.in/men/inc/c7afb5603b20fe.php

# Reference: https://twitter.com/w3ndige/status/1194263536572207104

ftp.hotnails.ee

# Reference: https://www.virustotal.com/gui/file/88195f6db022c6008fb958dffcb3ab7bfcb2cab063ea4af0e228fc33abab7e7b/detection

192.3.24.147:5200

# Reference: https://www.virustotal.com/gui/file/94ec08ac699040cca3bd81024e2ae842dec93146e066ea8332a4c990b9db5726/detection

192.69.169.25:54901
dboy.duckdns.org

# Reference: https://twitter.com/wwp96/status/1203003462746804225

smtp.tkbill.biz

# Reference: https://twitter.com/wwp96/status/1203003008822452225

mail.garlascontrol.com

# Reference: https://twitter.com/wwp96/status/1203006028998205442

smtp.juili-tw.com

# Reference: https://www.virustotal.com/gui/file/d80bd95f435fc2b41a60a4412ec3c38cc2024c57048047c1e679e4df2d93a88c/detection

91.193.75.181:90
lexdemall.duckdns.org

# Reference: https://www.virustotal.com/gui/file/5229dd43528a6fedaa89771dfcac9789fc0ac6f3297b83f9a5d15e4f55ebe9bd/detection

46.85.239.38:1994
79.134.225.42:1994
sandra.hopto.org

# Reference: https://www.virustotal.com/gui/file/bfc6098802823eaf83b3f49cba4b515076ce4889c192f7961bd0d55bcde4c83e/detection

79.134.225.121:5288

# Reference: https://www.virustotal.com/gui/file/40ebfd1d5b2e140d8d147f8cd304f6f3f5795591b4883cf21012a350f1b941c5/detection

79.134.225.7:8152

# Reference: https://www.virustotal.com/gui/file/9f750443a7f48cbdb29cf846bba9fe467233e6f11a9f7c70215c7eaeea38b6fb/detection

151.106.56.110:3606
moneytrade.trade

# Reference: https://twitter.com/JayTHL/status/1214332738167287810
# Reference: https://pastebin.com/raw/c2JsbUeh

adoptfashions.tk
agatamodels.ml
ahphaeg.ml
ahphaeg.tk
aldohawater.tk
allinkenya.ml
allinkenya.tk
alojobs.ml
andreyhosting.com
archiself.tk
artateknik.tk
avjrggs.ml
bargainsnyc.ml
baristageek.ml
bedrocktire.tk
blazonjewelry.ml
blazonjewelry.tk
bodyfitny.ml
boisegmc.ml
boisegmc.tk
bokkhao.ml
bokkhao.tk
bounuspornos.ml
brazosvalleypts.ml
bunnyby.ml
buyshares.ga
buyshares.ml
carriven.tk
casualfiber.tk
chefport.tk
chenfqi.tk
citjunta.ml
clanliqr.ml
coffeeod.tk
conanandjasmine.ml
cpajwood.ml
cpajwood.tk
cpanel.sunlitcars.tk
demonm.tk
destaquefitness.tk
dlskoda.ml
dombasticknas.tk
drysupplies.tk
dwgdhfy.tk
ecuacentauro.ml
ecuacentauro.tk
eleganteclub.ml
eleganteclub.tk
endzoneswagger.ml
endzoneswagger.tk
ezmoneymyteam.ml
fanbcanton.ml
finddrives.ml
finddrives.tk
fllwme.ml
fourwheller.tk
gbbpestcontrol.tk
greatpurity.ml
greatpurity.tk
hemorroidehq.ml
hemorroidehq.tk
henriquepneus.tk
hostarctic.ml
ilovesweetie.ml
ilovesweetie.tk
imagoindia.ml
instantqual.ml
interoutesme.tk
itechcity.ga
itechcity.ml
jademodern.tk
kedaisuki.ml
kedaisuki.tk
kinofkenefret.ml
laluney.ml
layingday.tk
lebanonoil.ml
lebanonoil.tk
litse.ml
lscucusc.tk
lvmotorsports.ml
lvmotorsports.tk

# Reference: https://twitter.com/wwp96/status/1214939236195086337
# Reference: https://app.any.run/tasks/fa148110-1474-4c52-b9f7-264bca3a41a1/

limmergarden.com/pa/webpanel/inc/5d54ff24322827.php

# Reference: https://app.any.run/tasks/3403cffd-adef-40bd-ac59-53edab63a0e1/

ftp.myloginoffice3.com

# Reference: https://www.virustotal.com/gui/file/7d8909c7fcb490c98941f17d30179cf932231f0a82ce25c8343fd8904fea802a/detection

185.38.151.11:50472

# Reference: https://www.virustotal.com/gui/file/31644ce7e514cdf426d1ab3e36d2ebd37068d66eb164f0d6d6ab87ab0471f897/detection

185.38.151.11:56769
185.38.151.11:61321

# Reference: https://www.virustotal.com/gui/file/da09ac88b81d53207f01371dacc653437e95b9da05ea982d397fce8c033c2ce6/detection

185.38.151.11:61628
185.38.151.11:63603

# Reference: https://www.virustotal.com/gui/file/d7eb28958866d10626c0a7f5974e32da9a7e1ad988fe09dc48ac01d103da6ace/detection

185.38.151.11:50041

# Reference: https://www.virustotal.com/gui/file/682fbcd0f7299831baca107e58095772cb425437c7d4f1cd08d81ba4d4d353a4/detection

185.27.134.11:36951

# Reference: https://www.virustotal.com/gui/file/d02569687c55976dc1fea3fbfb031a821d4072cac3971b3bf97cb6877b72e32a/detection

185.27.134.11:32281

# Reference: https://www.virustotal.com/gui/file/cffed6d9add784bf2951db23c55fb44c201535cf0417b46ced760cbf05cccbda/detection

185.27.134.11:14908
185.27.134.11:24257

# Reference: https://www.virustotal.com/gui/file/5657b7923550dc5e89b5048c7a74f665cb29aaa923ba8fe114f98bc449e81d1b/detection

185.27.134.11:21389
185.27.134.11:29037
185.27.134.11:49162

# Reference: https://twitter.com/wwp96/status/1219614957416873984
# Reference: https://app.any.run/tasks/c510f521-e3c2-45d9-98a9-b6c329189db1/

kironofer.com/webpanel/inc/d380803e561db4.php
kironofer.com/webpanel/login.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1219902709882662912
# Reference: https://app.any.run/tasks/cb6f47d6-61b4-4298-a0cf-117eea65dca0/

91.82.85.66:21
91.82.85.66:33132
ftp.metris3d.hu

# Reference: https://www.virustotal.com/gui/file/434ee3a7d5f1d23b7d2a2ca22bbf197b1275ff1bd11b03c11cfc45a6cae5fd11/detection

45.74.1.8:1122

# Reference: https://twitter.com/_lockhum/status/1220774737435074561

limmergarden.com/pa/webpanel/login.php

# Reference: https://www.virustotal.com/gui/file/4202c3c6970a870ce7fb6826dc69422c83de9da2462e28e2162a237579ff5192/detection
# Reference: https://www.virustotal.com/gui/file/8e9a4181cfd63b6d2a32352882d7022670236a5bdd0b824b547e69fde5b20c13/detection

nortonlilly.info

# Reference: https://www.virustotal.com/gui/file/67e30c288e1025728c58ad7093e34ea97d7f1e5f3c4450859e9de775e49f4dca/detection

185.244.30.53:4782

# Reference: https://twitter.com/cocaman/status/1222227693099462656
# Reference: https://app.any.run/tasks/193b764b-c408-4226-9a66-8400d1b1f4f9/
# Reference: https://www.virustotal.com/gui/ip-address/1.217.125.148/relations

1.217.125.148:8080
web.riderit.com

# Reference: https://twitter.com/wwp96/status/1222261603028152326
# Reference: https://app.any.run/tasks/227edd93-0480-404d-a7b8-0da81c2b3ce7/

78.142.19.101:587

# Reference: https://twitter.com/wwp96/status/1222262561296519168

smtp.xyzdomain.us

# Reference: https://app.any.run/tasks/3d1f67f1-6384-4980-a2e7-20ea0c0c8523/

smtp.dynamics-id.com

# Reference: https://twitter.com/wwp96/status/1222569538094534656
# Reference: https://app.any.run/tasks/6782cb3d-bd47-4351-977e-7b0bb14ae649/

effetka.com

# Reference: https://twitter.com/wwp96/status/1222575075028807681
# Reference: https://app.any.run/tasks/b71139f8-e198-4ebc-8b72-7e6399442199/

67.215.224.83:21

# Reference: https://twitter.com/wwp96/status/1223258955989815301

dkjpipnigproducts.com

# Reference: https://www.virustotal.com/gui/file/e9ae77ff1f9146e6c5296dfafb93c43ce062348136a4091d74087d603e2a18b8/detection

185.148.241.50:4782
23.105.131.230:4782

# Reference: https://www.virustotal.com/gui/file/f92ffc14ebc9ea2be74f7a6f73fa2055e345a42428171cee6491e6903816dce3/detection

varancha.com

# Reference: https://twitter.com/wwp96/status/1228359538505658371

dembal.com

# Reference: https://www.virustotal.com/gui/file/6fe5eed4b01642b919c7670f09548bce679233d8d522b20c36c29ed6fad0614d/detection

176.57.209.21:31177

# Reference: https://www.virustotal.com/gui/file/cb3534e092ee89bb8c1c4adb12a7a42a46629f0f939c13ad12be001ac1f7bb94/detection

176.57.209.21:46975

# Reference: https://app.any.run/tasks/24809127-df0b-4e16-9c94-35450bd9f283/

cydelink.com
officearchives.duckdns.org

# Reference: http://tracker.viriback.com/dump.php (# snapshot 2020-02-23)

190.97.166.194:80
190.97.166.194:8080
79.134.225.77:44
aaatechh.com
agent.rooderoofing.com.au
arbistars.com
bauremediaus.com
bawsymoney.ga
brther-group.com
callvaxglobal.com
captainbugattiautos.com
ceoinboxs.com
credoaz.com
data-startssllink.com
deveinsun.com
emaaiil-163.com
emtelakproperties.com
eqtweb.com
etvidanueva.com
excelaires.com
flopdlsofrd.com
forteol.com
goldenfuturepower5.com
grindtreu.online
groupbizconsulting.com
impulsefittness.info
ipblasta.com
kironofer.com
kodarkalaris.com
limmergarden.com
magnaki.com
milonestlevevy.com
milux-my.com
mshhmasvx.com
nortonlilly.info
oceantrading-jp.co
pounds.ngrok.io
prominienttec.com
shileniniliv.com
siamzime.com
sindevil.com
sm.rooderoofing.com.au
softtouchcollars.com
speedfolks.com.ng
svmarketingindia.com
telewire.online
uccftl.org
usarmyvacations.info
valedein.com
varancha.com
wieda-mc.com
workupdates.net
zomcnxbilo.com

# Reference: https://www.virustotal.com/gui/file/ae5d91ffad3a752a7568bc1197770f0ba06f33ba567740c4a18ca7bf0be6dc85/detection

168.235.111.253:1078

# Reference: https://twitter.com/wwp96/status/1232323995933929474

hitek-pk.com

# Reference: https://app.any.run/tasks/4630ac10-0749-4c13-ab1b-90f2c27c9c14/

prodiggy.xyz

# Reference: https://app.any.run/tasks/510f53d6-553e-4dae-a629-ae24c10e19ca/

office-cleaner-commander.com

# Reference: https://www.virustotal.com/gui/file/0a25a76d3b998edf56357790356abac4dd2d275c144e8d640f0c4bb4249d03a7/detection

79.134.225.75:1717
indigo22.publicvm.com

# Reference: https://www.virustotal.com/gui/file/25623344c636700823f0927a1c784b06a016b73dfa5083dc2d92baf1b40c2b71/detection

79.134.225.74:7688

# Reference: https://app.any.run/tasks/2e8a87dc-28e5-466d-8b48-772962c5515e/
# Reference: https://www.cert.hr/PhishCoviD
# Reference: https://www.virustotal.com/gui/ip-address/77.83.117.234/relations

77.83.117.234:587
aodeindustry.icu
deepsaeemirates.com
emmannar.com
bisol.icu
bkfglobal.icu
allcare-in.icu

# Reference: https://www.virustotal.com/gui/file/daf5e6207242777ec4cf6defdb9783ee4a109784de6e4be0dab7795eb8e3fd3b/detection

178.124.140.148:9955

# Reference: https://www.virustotal.com/gui/file/809f119816b9937ddc40b8821a8256373b1acfb029c9d1a226a0a402bb901e3c/detection

178.124.140.144:9955

# Reference: https://www.virustotal.com/gui/file/53f46d8f5cb827c8fd27acdb2ae47babc71a7bc9189dca78f759bb222972a06f/detection

185.19.85.172:9955

# Reference: https://www.virustotal.com/gui/file/c21528cb1bc34467b51f355d2a5ab00e5c93dc85daa288f758cb32b62c70d247/detection

129.56.115.44:9955

# Reference: https://www.virustotal.com/gui/file/c56ed81b368a4569017dc1fa62d66aa09bae779079db07e6d37057979553fb88/detection

185.19.85.158:9955

# Reference: https://www.virustotal.com/gui/file/6fc77a77ea8a0f5b9159cb397fbce10ad9db993bec824da3607d887763a4d84d/detection

129.56.24.87:9955

# Reference: https://www.virustotal.com/gui/file/22f01bda2127d3ae0a430f926e03f2fb91077f1df236de440e896cfb808e6571/detection

91.189.180.211:9955

# Reference: https://app.any.run/tasks/b46ab76d-67c1-4446-8e46-cb06ba4b56b9/

ehbsd.ueuo.com

# Reference: https://app.any.run/tasks/e7c0011c-965c-4f60-882d-c1635524d592/

mujhedilsena.com

# Reference: https://twitter.com/gorimpthon/status/1242842075202109440

http://216.170.114.99

# Reference: https://www.virustotal.com/gui/domain/goldenlion.sg/relations

goldenlion.sg/file01/
goldenlion.sg/blacky2/
goldenlion.sg/white/

# Reference: https://www.virustotal.com/gui/domain/getegroup.com/relations

getegroup.com

# Reference: https://app.any.run/tasks/50fefae3-86a8-463f-b73f-30b4578255fb/

easydatatransfercleansystemprofessional.duckdns.org

# Reference: https://app.any.run/tasks/fff397ba-c5b8-4db0-91ea-49a10e5ac00d/

sterilizationvalidation.com

# Reference: https://twitter.com/James_inthe_box/status/1245706675266306049

proyectomontvento.com/img/files/class/webp/

# Reference: https://twitter.com/James_inthe_box/status/1247162504293179392
# Reference: https://twitter.com/JayTHL/status/1247163058071523328

pussyclub88.com

# Reference: https://csirt.bank.gov.ua/news-ioc/78 (Ukrainian)
# Reference: https://www.virustotal.com/gui/domain/unlimitedimportandexport.com/detection
# Reference: https://app.any.run/tasks/21ca8f99-92aa-47a5-8787-846ab59f5841/

unlimitedimportandexport.com

# Reference: https://twitter.com/James_inthe_box/status/1252657380807938049

nabionov.net

# Reference: https://www.virustotal.com/gui/domain/rabok.io/relations

rabok.io

# Reference: https://www.virustotal.com/gui/file/0cc36114a155515acdf192cbde8cc6f2eb5bfc833920075ee5deb156944371eb/detection

185.140.53.129:8323
xacnsnva.bounceme.net

# Reference: https://unit42.paloaltonetworks.com/silverterrier-covid-19-themed-business-email-compromise/

coffiices.com

# Reference: https://www.virustotal.com/gui/file/fdd40bcfba668b785d404214fd35db117b186e21944b24f16540cce86f7bec78/detection

103.133.109.74:3050

# Reference: https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
# Reference: https://otx.alienvault.com/pulse/5ecebea5f3c7fdfd2f5f9cd9

atn-com.pw

# Reference: https://www.virustotal.com/gui/domain/mechnicsde.dp.ua/relations

mechnicsde.dp.ua

# Reference: https://www.virustotal.com/gui/file/29d2c857add67db5ea4fa1265d6799f72436443ef37ebe6b552884f7f08c99ba/detection

209.58.144.239:1738
dimitriv.duckdns.org

# Reference: https://twitter.com/benkow_/status/1270278177336803331

bpoxnet.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1270997007180730368
# Reference: https://app.any.run/tasks/4dede486-355d-4e84-874c-d9318532db23/

http://193.42.96.111

# Reference: https://twitter.com/Bl4ng3l/status/1272531788678729732

spdodoma.com/jss/1156000032.jpg

# Reference: https://app.any.run/tasks/de803f92-9a35-43b2-a84b-53b596893de4/

mail.marpx.website

# Reference: https://twitter.com/JAMESWT_MHT/status/1273562883578880000

strahovka-osago.com/coer/2031777055.jpg

# Reference: https://twitter.com/James_inthe_box/status/1273983069435789316

http://180.214.236.98

# Reference: https://www.virustotal.com/gui/file/183112cc344d1629e2d63bde89fee8fd7040a70b53c695e843e6892dfb4c4c63/detection

185.244.30.14:20391
papauwa.ddns.net

# Reference: https://app.any.run/tasks/7d8686b5-5caa-481b-ba4a-d4c6822db49c/
# Reference: https://app.any.run/tasks/a2eb93fc-69f0-4188-b679-5031e0e7c7ed/

mangero.xyz
arnoldz.xyz
admaris.ir

# Reference: https://pastebin.com/Hc73BzJT

alconalu.com
cotextrucking.com

# Reference: https://app.any.run/tasks/b11c3add-4e16-4213-a6ab-ccbecf96b09b/
# Reference: https://app.any.run/tasks/581eaa08-bc27-486f-a9d4-602c7ae9eec9/
# Reference: https://twitter.com/James_inthe_box/status/1283032875311366144

terminal6.veeblehosting.com

# Reference: https://twitter.com/jorgemieres/status/1286664575094489088

capurgol20.duckdns.org

# Reference: https://twitter.com/Circuitous__/status/1276560882538098690
# Reference: https://urlhaus.abuse.ch/url/408906/

biz9holdings.com

# Reference: https://app.any.run/tasks/cfc6df5f-b76c-4605-9778-f96726605e99/

nilemixitupd.biz.pl
ftp.skibokshotell.no

# Reference: https://twitter.com/FewAtoms/status/1290349522519035912
# Reference: https://www.virustotal.com/gui/file/d4f8eae80bb2920ec10ea6e90d791fc0f76f314aac007bc38b83135953dbc103/detection

mcmegypt.com

# Reference: https://www.virustotal.com/gui/file/f8399ec31dccdddd06367504c0c6d331dacff38ec3d1f1645568f1bff9d4a0c1/detection

197.210.227.183:9090
79.134.225.72:9090
xinpincompany.hopto.org

# Reference: https://twitter.com/malware_traffic/status/1298294672037687298

proofbookonline.com

# Reference: https://www.virustotal.com/gui/file/449bdfca4b826617cead9ace5d890474da8b93ea6f0db80748ed22e58dc7fc3e/detection

185.244.30.18:2130
storyofpadi.ddns.net

# Reference: https://www.virustotal.com/gui/file/b1764510611e4e9c5be024338e1bb63b817069026ff7b996a3dff043e6d8d211/detection

paypalonlineservicesupport.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1303621011754176514

hnyuosun.com

# Reference: https://twitter.com/Racco42/status/1314272782210011136
# Reference: https://app.any.run/tasks/53148132-2406-43d9-a26c-fa1617632caa/

smtp.redan-co.xyz

# Reference: https://www.virustotal.com/gui/file/c857aa386c8aded608ace202e5600221a141a24e88475fa328a686e6e0f75a40/detection
# Reference: https://www.virustotal.com/gui/file/f6eab127647b1a3d51f9599db90ab31b53f7b9fdb5d30d18dada555019d16abc/detection

185.165.153.140:1942
atu042.hopto.org

# Reference: https://twitter.com/Racco42/status/1317228045581910017
# Reference: https://app.any.run/tasks/b13e5a82-35ce-4213-bf4f-1079436eabb5/

smtp.pharco--corp.com

# Reference: https://twitter.com/Racco42/status/1317232384006291457
# Reference: https://app.any.run/tasks/df756035-0ec2-428e-87fd-fa2f4f36f438/

smtp.millacfood.com

# Reference: https://www.virustotal.com/gui/file/a68f82eeab67310e50631899bb57fdac1e81c6b2d04db87c8aa564ff2cc18748/detection

ebop.website

# Reference: https://twitter.com/JAMESWT_MHT/status/1319932531039404032
# Reference: https://www.virustotal.com/gui/file/cb684c1c98ba73f221a21ae1641011a67ae0d70022278b9136a9bb43b33ea593/detection

http://75.127.1.211

# Reference: https://twitter.com/James_inthe_box/status/1321088232512106502
# Reference: https://twitter.com/Racco42/status/1321232006424989699
# Reference: https://www.virustotal.com/gui/file/4fbea091009ae3c79eae3794ef4477055b3e8902e08a8565ef25f90489a2f08c/detection
# Reference: https://www.virustotal.com/gui/file/eb706251924a534e026bfbe209d235c134402c6d12512dca0e0ae14212e715fa/detection
# Reference: https://app.any.run/tasks/33299243-9f66-4a81-a222-9d0dc5e130d4/

ahgwqrq.xyz
/getrandombase64.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1322176161326182401
# Reference: https://www.virustotal.com/gui/domain/efiigbo9.duckdns.org/relations
# Reference: https://www.virustotal.com/gui/file/7406e77d7cbbc5344697900906c5a5930330dcdfba382b22181b41494ace670e/detection

efiigbo9.duckdns.org

# Reference: https://www.virustotal.com/gui/file/4d956c02c96695cf1535084515e37263c5391ea36802b1100d9809aa3759e4e7/detection

105.112.25.62:1970
francovibes.hopto.org

# Reference: https://www.virustotal.com/gui/file/f6dae5ff37232524f545d43bc3de780c98b0ad6ccdc2058b5e7b35c046a1bd8a/detection

185.140.53.187:4284

# Reference: https://www.virustotal.com/gui/file/f9dfd82d610e342a0d0a21dad1df689c979f863ee1b9f978c56dee49c5bfbb69/detection

79.134.225.109:1985

# Reference: https://twitter.com/wwp96/status/1328340118579654656
# Reference: https://app.any.run/tasks/97a9483e-5c62-46e2-9b78-fefd1dff32de/

aarque.co
/inc/4b1cea4932c6b7.php

# Reference: https://twitter.com/ViriBack/status/1330309562990211073

http://103.207.39.131

# Reference: https://twitter.com/ffforward/status/1334115405825236997
# Reference: https://pastebin.com/raw/ZgDtALAD
# Reference: https://bazaar.abuse.ch/sample/ac84fce48dc5fc0ece582c6cd8f5486d044f48f2923e949d27c5ea44cb0a80a0/

abualrejall.com
adempolsoya.com
adikoss.com
ahrran.com
al-babtainsa.com
andms-kr.com
aprco-eg.com
arisstoncavi.com
bellaphavma-kamph.com
cbm-lb.com
ccppmde.com
cerafluxx.com
chinetychemical.com
chplubb.com
contactmail-office.com
de-oculus.com
decescoter.com
ebankinghbl.com
eccolabb.com
eexxonmobil.com
energy-tubor.com
eversaillogisttics.com
fehemco.com
fermson.com
flamengo-importexport.com
forrebright.com
fuhennei.com
gj-de.com
glud-marsstrand.com
hschain-cn.com
hzdjjm.com
inter-chamie.com
jvlphar.net
ka-mann.com
kimiarra.com
kulinichi-ua.com
lesanor.com
luboccc.com
mecckey.com
milllefood.com
oceanstars-my.com
praaj.net
praticompeny.com
rsships.net
specsccorp.com
ssecop.com
td-tubor.com
technology-visions.com
tsakerr.com
tyimble.com
ullusoyun-tr.com
unishipss.net
vs-vossloh-schwabe.com
wiillow.com
ximyiopal.com
y1ss-tw.com
yuballes.com

# Reference: https://twitter.com/wwp96/status/1337109603151122432
# Reference: https://www.virustotal.com/gui/file/cd508affafb2152aa3511774518e1a4a150eb68f62d65208b0d477e83d0306a2/detection
# Reference: https://www.virustotal.com/gui/file/21c51bed18906fb1c167adb68146e2765d7a901f19f59029f3e58218b3ac1c37/detection

http://69.174.99.26

# Reference: https://twitter.com/wwp96/status/1339011510480351232

http://103.145.254.114

# Reference: https://twitter.com/ffforward/status/1339129811810324483

http://103.207.39.131

# Reference: https://www.virustotal.com/gui/file/838d8a1b9095168c1c0c24449b62ab0c9eece8211381e59c5f1b8889d1c618af/detection

193.109.78.38:53285
viceka.duckdns.org

# Reference: https://www.virustotal.com/gui/file/8d1fd0a9544e74bfec387ed16ade3f9ec6b334476f0ef0e984420b4923c8f624/detection

megad.cc

# Reference: https://www.virustotal.com/gui/file/111ef2f9f0ede9903cc9382a92a3c4273c306900e8cb576de0b7730db52a7e85/detection

adobelink.me

# Reference: https://www.virustotal.com/gui/file/73a6e350cb3935c52e604e48831e708851373419f08ac128d1a8c7c5b17ed872/detection

95.72.66.155:1313
port15e.zapto.org

# Reference: https://www.virustotal.com/gui/file/40699c32fb147942f1d06f3520793f8a7f516f1d5bb03ab8e3c5c78f821cf425/detection

megaplast.co.rs/zin/WebPanel/api.php

# Reference: https://twitter.com/James_inthe_box/status/1349360887186874371

http://64.188.18.218

# Reference: https://twitter.com/James_inthe_box/status/1352326755348955137
# Reference: https://www.virustotal.com/gui/ip-address/193.239.147.103/relations

http://193.239.147.103

# Reference: https://www.virustotal.com/gui/file/6d02531e14e00f91302c4c7ff8141a1576c1da976e97d2367f828ef3248ac3c3/detection

0ffice365-seccure-email.bid

# Reference: https://app.any.run/tasks/a6789a42-f9eb-45be-a2e6-a0d939ba28fd/

http://193.56.28.231

# Reference: https://twitter.com/James_inthe_box/status/1313832984303157250
# Reference: https://app.any.run/tasks/5ddfb57a-bc6b-42bb-a042-f906e5a2cabb/
# Reference: https://www.virustotal.com/gui/file/bc7900c1440c578c0dc0de73889755bbbf9e43026d8beafe83dbdc5d76dd6a62/detection

http://193.56.28.228

# Reference: https://www.virustotal.com/gui/file/8175783100320f5dba70e2af0005134d2b85d7c5c26e97f438248112fd7a4d93/detection

194.5.98.98:3850
nanopc.linkpc.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1357260178635243520
# Reference: https://app.any.run/tasks/a2fe9cdb-7af6-44e5-99ca-d924c96d2b72/

http://103.133.105.179
mylundisfarbigthenyouthink.blogspot.com
tumlundlynikyho.blogspot.com

# Reference: https://app.any.run/tasks/247c3559-47e7-4734-9c5d-aa6bda2b1cc0/

papagunnakjllidmc.blogspot.com
titupatiyannala-myrynaal.blogspot.com

# Reference: https://twitter.com/reecdeep/status/1357641303404785668

hera.lt/Alpha8.jpg

# Reference: https://twitter.com/reecdeep/status/1359048494716223488
# Reference: https://app.any.run/tasks/fee7ff1c-30a0-4105-a1fe-e1a51b854e5b/

131.153.50.170:21
131.153.50.170:53008
hera.lt/Delta2.jpg
takumacakrajaya.com

# Reference: https://www.joesandbox.com/analysis/271782/0/html
# Reference: https://www.virustotal.com/gui/file/800b9a74773f65fcc72d5247cae562f48a58f89b2ff4b4dcddd909f5a241512b/detection

191.101.158.161:19900
obereagujnr.hosters.xyz

# Reference: https://www.virustotal.com/gui/file/84f10aaf283d608045856ac47832e5fe0daf99c14c0a9d0b06c8a55eba871489/detection

stermacos.com
smtp.stermacos.com

# Reference: https://app.any.run/tasks/f0463337-7b01-4b6a-b29c-5cb10c90fb7d/
# Reference: https://www.virustotal.com/gui/file/26c1c6119602bc2ceac63642f79552150b4d017c76608759ede90c2d169f7aee/relations

f0514607.xsph.ru

# Reference: https://twitter.com/reecdeep/status/1361260530766393344
# Reference: https://www.virustotal.com/gui/domain/elit-tehnica-md.com/detection

elit-tehnica-md.com
smtp.elit-tehnica-md.com

# Reference: https://twitter.com/reecdeep/status/1361590430513721344

electro-plomb.cf
mail.electro-plomb.cf

# Reference: https://app.any.run/tasks/ddf138f6-fc15-423e-af69-a752d4331bd8/

uhbddr.hr/J12.jpg
192.254.234.35:21
192.254.234.35:33912

# Reference: https://www.virustotal.com/gui/file/d6ab2482f2cc150b157f0cb92cc5a7a335ca739bb54236260bc7149b04731986/detection

http://192.236.147.189

# Reference: https://www.virustotal.com/gui/file/794122575d9d6cbd27ac687debab80f93f018f4b6aeb86a3fcaa397196e8f91b/detection

http://86.105.252.11
86.105.252.11:30003

# Reference: https://www.virustotal.com/gui/file/442d4d7d0a01819d30b20234bc6ae1d0d1978408055424c298b7902be978c7c5/detection

f0512634.xsph.ru
deffind.xyz
investment-properties.xyz
yrhealth.xyz

# Reference: https://twitter.com/whitehoodie4/status/1362731135411830786
# Reference: https://tria.ge/210219-q5bg7eq2ge/behavioral1

grupocolors.xyz

# Reference: https://twitter.com/JAMESWT_MHT/status/1363844361419698176

2yhLxjzcOr.com

# Reference: https://app.any.run/tasks/5a2a50a5-87ea-4ff1-a50a-decd569257ec/

coroloboxorozor.com

# Reference: https://twitter.com/wato_dn/status/1366259334955499524
# Reference: https://tria.ge/210301-7z5cpr6z82/behavioral1

tumharimaakachodamarunmaine.blogspot.com

# Reference: https://twitter.com/James_inthe_box/status/1366397526761345026
# Reference: https://app.any.run/tasks/5758e658-cf48-46dd-9863-e97a64e9e484/
# Reference: https://www.virustotal.com/gui/file/01b0b39d33017efb3ff557717b7fa2890f255eef89fcbcc5e824f5df9adc9300/detection

osndjdjjjdjshgaggdkf.com

# Reference: https://www.virustotal.com/gui/file/1458e55e8b7800f8a2dc372e725451619f74f0fb90a3331ca48477e0439b4ef9/detection

casadointercabio.com

# Reference: https://twitter.com/reecdeep/status/1367775820199174149

greatdeck.co
liverpoolofcfanclub.com

# Reference: https://www.virustotal.com/gui/file/bc18b4ebadebcd99e132e8a5cc420450c9ba077ba94c8c9a014e614707b5b6de/detection

31.220.4.216:7009
async.3utilities.com

# Reference: https://www.virustotal.com/gui/file/0d9826e88c7debfc212d3023500e1bf09f456cc29ffe1bfaba7dbdddc1afa20c/detection

31.220.4.216:18253
1.18253.date
1.18253.loan

# Reference: https://twitter.com/reecdeep/status/1370289498093989890
# Reference: https://app.any.run/tasks/e0781546-757c-4178-bc9a-5b8efa795645/

irtec-irrigetion.com

# Reference: https://twitter.com/pmmkowalczyk/status/1370814727912308740

stdyrmtcntlenverpfbi.dns.army

# Reference: https://twitter.com/reecdeep/status/1371423263126065152
# Reference: https://app.any.run/tasks/ce3b9d6e-048f-43dd-b854-a30e7ceab70a/

classicsteelengineering.com
liverpooldabestteamoftheworld.com

# Reference: https://twitter.com/fr0s7_/status/1371383578488098818
# Reference: https://app.any.run/tasks/1228a454-1a45-47fa-bd8a-200eb2398fec/

tumharimaakachodamarunmain.blogspot.com

# Reference: https://twitter.com/pmmkowalczyk/status/1371918255242280965

miratechs.gq

# Reference: https://twitter.com/reecdeep/status/1372111826662608896

snow-whyperlimited.com

# Reference: https://www.virustotal.com/gui/file/45ba43813271c0c4d377338c381992cd5b0220b80c00cffc0b284f84cc0aee66/detection

79.134.225.13:7771

# Reference: https://www.virustotal.com/gui/file/130c76c60f44867be9e8986dbff2d2f035837a15f00d00d2976bc230e0070128/detection

79.134.225.13:8763

# Reference: https://www.virustotal.com/gui/file/0cd598c06841affaf7389f5a3cec84e4da0d7515f3da40b450f2dc7c7ae12938/detection

79.134.225.43:58103
strongodss.ddns.net

# Reference: https://www.virustotal.com/gui/file/990df8e02a4bb9340ab3303a87f2939847653652d9b78819a253c8dde0ed056c/detection

0k10dk21kkeok2e.online

# Reference: https://twitter.com/reecdeep/status/1373906756628283393
# Reference: https://app.any.run/tasks/ab09b467-a977-4536-ac5e-455e904513fb/

107.180.26.185:21
107.180.26.185:50329
107.180.26.185:50538

# Reference: https://twitter.com/pmmkowalczyk/status/1374000718194077698
# Reference: https://www.virustotal.com/gui/file/9664740123170b912430759af6cfad9ff784ccd266fe93909022093beff051c7/detection

jiratane.com
specfloors.net/dev/

# Reference: https://twitter.com/JAMESWT_MHT/status/1373998230455848968

curidesigner.com

# Reference: https://twitter.com/jorgemieres/status/1375161202716868613

surestdysbonescagexc.dns.army

# Reference: https://otx.alienvault.com/pulse/605c7c7cba2960e10fea8007

seno.ddns.net

# Reference: https://www.virustotal.com/gui/file/f083c3c1f115a2674dff82d859f3d67faca6e9c8e971f7164caf99954376a0cc/detection

194.5.97.7:6060
bohemianbenz.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1377261276674490368
# Reference: https://app.any.run/tasks/f41044b0-c0b7-40f7-ab07-38c274036efc/

humtotmharyhain.blogspot.com

# Reference: https://twitter.com/reecdeep/status/1377624305400438787
# Reference: https://www.virustotal.com/gui/domain/lfsqatar.com/detection

lfsqatar.com

# Reference: https://www.virustotal.com/gui/file/e7f4a5644698b66fd28ca7f0e4fcdc06fb1d09b0e29977d887854a5fec6cfc8b/detection

209.127.18.121:3918
uhie.hopto.org

# Reference: https://www.virustotal.com/gui/file/352c3aac62d88e75e1655d9d67facd8ac7823b619f6c7e527437821b8ec42bfd/detection

giftbizz.com
patlod.com
wwwjinsha937.com

# Reference: https://www.virustotal.com/gui/file/8e15f76149baa634caba6bcb021a5793f9b86c6290247d62a3f9628e5e147c7f/detection

x11fdf4few8f41f.com

# Reference: https://twitter.com/dms1899/status/1244596518402785280
# Reference: https://twitter.com/FewAtoms/status/1245700149952872448
# Reference: https://twitter.com/James_inthe_box/status/1245706266464288775
# Reference: https://twitter.com/p5yb34m/status/1252660135408750597
# Reference: https://www.group-ib.com/blog/rats_nigeria
# Reference: https://www.virustotal.com/gui/file/281896c20c9ae01b1a4ddc590c5cec454865cd95aaa7e53aac436a3b89889486/detection
# Reference: https://www.virustotal.com/gui/file/2b43e9f848b8f0db1cce7da920fb3d970a47d61d3250f87419d1bdbb980d9d18/detection

office-archive-index.com
office-archive-reserve.com
office-cleaner-commander.com
office-cleaner-indexes.com
office-cloud-reserve.com
office-updates-index.com

# Reference: https://twitter.com/ps66uk/status/1379408490960130048
# Reference: https://app.any.run/tasks/6abf3b2c-9e92-4f76-81d5-06898cfb3f3e/

http://193.56.29.192

# Reference: https://twitter.com/ps66uk/status/1379467933932519436
# Reference: https://www.virustotal.com/gui/file/53dcc6b98d2356c9a5f68b314edb8b819b99cec4ef2f6db0cfba72fb86a55d25/detection

newblogheresee.blogspot.com

# Reference: https://www.virustotal.com/gui/file/7aeaa9cbabc54c36844d5852172c449865bf4c524693ae7aa9909b87627052fa/detection

myliverpoolnews.cf

# Reference: https://www.virustotal.com/gui/file/9c4baba8ae680070c8ef4afaa7fd5fd41b5828f94581f4e228dd6439b9a5aaa7/detection

23.105.131.188:1605
frlumi.ddns.net

# Reference: https://twitter.com/reecdeep/status/1382247034091155456
# Reference: https://www.virustotal.com/gui/domain/cometshippings.com/detection

cometshippings.com

# Reference: https://twitter.com/58_158_177_102/status/1382254845659291650
# Reference: https://tria.ge/210414-aqahkvar82/behavioral2

http://193.56.29.110
ajmeinthakahowahun.blogspot.com

# Reference: https://twitter.com/fr0s7_/status/1382582635239723011
# Reference: https://www.virustotal.com/gui/domain/murjatumanhus.fun/relations

murjatumanhus.fun

# Reference: https://twitter.com/avman1995/status/1384742543133339653
# Reference: https://app.any.run/tasks/68d2c9b5-3ffb-40e0-8f1c-269353da0bfd/
# Reference: https://www.virustotal.com/gui/domain/mesco-midhco.com/detection

mesco-midhco.com

# Reference: https://twitter.com/reecdeep/status/1384844628478898181
# Reference: https://app.any.run/tasks/d5ae94e7-f656-455c-a039-9ebf7f8ac9e5/

alramzpakistan.com

# Reference: https://twitter.com/TeamDreier/status/1384236371787669507
# Reference: https://bazaar.abuse.ch/sample/87bb35a04c91b5005806b4893ad4dc594c8b73d228150597cde89b39f79af9b0/
# Reference: https://app.any.run/tasks/9024ab96-72f5-492b-83b3-b28adf4f949f/

mmwrlridbhmibnr.ml

# Reference: https://www.virustotal.com/gui/file/037ec548399a3c68670044bf3a0154940e0d6597b1576a68f7172bb14a3c28c2/detection

annyms2stdygeneratga.dns.army

# Reference: https://twitter.com/James_inthe_box/status/1386676931354058753
# Reference: https://app.any.run/tasks/f219d3f9-546d-429f-9110-9805ef69357e/
# Reference: https://www.virustotal.com/gui/domain/s-handels-gmhb.com/detection

s-handels-gmhb.com

# Reference: https://www.virustotal.com/gui/file/dff471fd645f164bf8759605546dfef1f74b95929c028ef1e14e2786ac7a3ef2/detection

91.109.176.9:3762

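# Reference: https://app.any.run/tasks/5758e658-cf48-46dd-9863-e97a64e9e484/
# Note: the hosts in this group look like legitimate public websites, so the indicator is the shared /base/ path rather than the domains; keep these entries path-scoped and never shorten them to bare domains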

chelseafc.com/base/dOVkcmMWSJnEtaXdENzqlBWragOdo.html
liverpoolfc.com/base/dOVkcmMWSJnEtaXdENzqlBWragOdo.html
mancity.com/base/dOVkcmMWSJnEtaXdENzqlBWragOdo.html
manutd.com/base/dOVkcmMWSJnEtaXdENzqlBWragOdo.html
realmadrid.com/base/dOVkcmMWSJnEtaXdENzqlBWragOdo.html
/base/dOVkcmMWSJnEtaXdENzqlBWragOdo.html

# Reference: https://www.virustotal.com/gui/file/0b0ae0604da1b3d48393ae594610c5a93d7e45e3d6e6c302e04c2bcc878ff485/detection
# Reference: https://otx.alienvault.com/pulse/5db6734a077f7acc6698e6bc

osasmail.xyz

# Reference: https://twitter.com/KorbenD_Intel/status/1387795001388711944

kgift.kozow.com

# Reference: https://twitter.com/58_158_177_102/status/1387779300749938695

yahameinhunbusorkoinai.blogspot.com

# Reference: https://www.virustotal.com/gui/file/b4fe1a5d89c5f0e19c6db5b460ad93df2006fc3b62f5ae748e416750c6a890eb/detection
# Reference: https://www.virustotal.com/gui/file/44e857aa5103c72bb638310b4c20fc9be367b55d7f8e6dd324170183a727b5bd/detection

197.210.85.24:54888
79.134.225.48:54888
celebrity.hopto.org

# Reference: https://gist.github.com/silence-is-best/852a1c7c7dcf29fdc8d5df73433e7676

p8hj.blogspot.com

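# Reference: https://www.virustotal.com/gui/file/ed5cd113b4ddbcad39f3537fc84910227304e41599b89bd9dd0115b499bdb207/detection
# Note: this hostname appears to belong to a hosting provider and is presumably shared with unrelated customers; treat a hit as low-confidence until corroborated (TODO confirm against the referenced sample)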

tr1.hostgator.com.tr

# Reference: https://www.virustotal.com/gui/file/9861e34bd20a94000ac5c06ef9fce446a4e5decb41f27d579e2e35620dc8dde3/detection

clicklenderz.com
/mynewapi.php

# Reference: https://www.virustotal.com/gui/file/50da4e2f7fd094921570faaa6834e1d5fcc61f5e1eadce59d151885c150e84e1/detection
# Reference: https://www.virustotal.com/gui/file/a2edbc3290d45107090ad4e2a5dfea2de5d1286ae04c5c5c995a7bcf02d57bed/detection

141.255.152.11:21212
crowminer.duckdns.org
huginodinmunin.ddns.net

# Reference: https://www.virustotal.com/gui/file/0bb31a305b6b16a94fe83f388d8fa7a1a72c648ff5441768d33508365a2930b2/detection
# Reference: https://www.virustotal.com/gui/file/b00589191bd96a88aa489c1222d1f42dfe1647adb1f529a12ed93725f98aa78f/detection

185.140.53.138:7077
185.140.53.175:7077
79.134.225.74:7077
7077life.myq-see.com

# Reference: https://www.virustotal.com/gui/file/f26a629ef6ef3753876a8b72e4863d67a550afe8579a6bffcd864c6c572d6f0a/detection

hbnboz.com

# Reference: https://www.virustotal.com/gui/file/534407733556dc9a993d73261613e4713d0a1b3c9b7f61ec5983e39a0641815e/detection

ldvamlwhdpetnyn.ml

# Reference: https://www.virustotal.com/gui/file/7c18130345c95d1cd852af2bbf0fad2d72d4097725dbd334f1d0ab66720c43c6/detection

jejendjcjfhh.com

# Reference: https://www.virustotal.com/gui/file/fc08332ad4efc478a9d79a342e433935d10e72b6f7868ec7e8708a365bd2d607/detection

179.43.140.164:53855
179.43.140.185:53855
88.214.207.96:53855
greencodeteam.top

# Reference: https://www.virustotal.com/gui/file/2e81ce0a08b7e6ad6210b1068d6583628d8ebb11d93ce4f1b424fede249a39df/detection

xwjhdjylqeypyltby.ml

# Reference: https://www.virustotal.com/gui/file/c841bc4893813d54a5b6d044bafa4d50bc508a8d0ff0eafa1f395cd1db98ee6e/detection

mmwrlridbhmibnr.ml

# Reference: https://twitter.com/gorimpthon/status/1394600529469210624
# Reference: https://tria.ge/210518-hpxbx989hs

http://103.151.125.220
/mastermana/black/login.php
/mastermana/black/inc/

# Reference: http://tracker.viriback.com/dump.php (# Agenttesla)

http://216.170.123.125
http://216.170.123.13
http://217.138.205.178
http://34.223.60.188
http://46.183.221.44
http://63.250.45.177
2020bill.com

# Reference: https://www.virustotal.com/gui/file/52ddff83875d402cf2affb82aff8ca1d3a7e96cbd689e638578f6d0d44ecbdca/detection

197.210.226.215:1880
wiz121.ddns.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1399689971401900036

http://103.114.107.28
/me/web10/inc/

# Reference: https://twitter.com/pmmkowalczyk/status/1397516983994826756
# Reference: https://www.virustotal.com/gui/file/fe4d94656809accd8f12c53c3c2a572c22beefd0c10914bcbe2b0f4566a88b31/detection

rdnsanom.xyz

# Reference: https://www.virustotal.com/gui/file/21a80acf73e3f20e162bcd9e70aafa28681be230056a51bd92677a554e6d3ad9/detection

51.222.195.7:33750
rainboyant.ddns.net

# Reference: https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant
# Reference: https://otx.alienvault.com/pulse/60be05932c2ce1ef655b0bb5

p8hj.blogspot.com

# Reference: https://otx.alienvault.com/pulse/60c1fff1d997ae68cafccd5b

ergerge.top

# Reference: https://twitter.com/tosscoinwitcher/status/1403434626224300039

mail-wagruhyoja.xyz

# Reference: https://www.virustotal.com/gui/file/62a342d89280c6964e64997fa0bc97a5812181f0f22d93740d7196a96c81f769/detection

aquilarysalas.com

# Reference: https://app.any.run/tasks/f371191d-7049-49c8-96b8-fa4c7ee5de68/

apdocroto.gq

# Reference: https://tria.ge/210428-jdbysa1gks/behavioral1

extendonetwork.com/puZyLuatL0W/04.html
jarettwalen.com/vspeL07tgk5F/04.html

# Reference: https://tria.ge/210505-rcetwslzqn

justverify.online/ZKrubZZn5V/04.html
thersnyc.com/fxcS6exSJr0/04.html

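# Generic (URL path patterns with no host component; a hit on these alone is not tied to any particular server)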

/custom/alien/html/base/
/webpanel-cent
/webpanel-divine
/webpanel-donald
/webpanel-ele
/webpanel-essen
/webpanel-oba
/webpanel-ice
/webpanel-ice3
/webpanel-master
/webpanel-nana
/webpanel-st
/webpanel-street
/webpanel-trade
