# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery

list131.ignorelist.com

# Reference: https://twitter.com/guelfoweb/status/1105493553030053888
# Reference: https://twitter.com/JaromirHorejsi/status/1105447086361923584

schoolfurniturecompany.com

# Reference: https://twitter.com/x42x5a/status/1111247631223791617

tsesser.duckdns.org

# Reference: https://twitter.com/pollo290987/status/1113335382878425088

fada101.servehttp.com

# Reference: https://twitter.com/James_inthe_box/status/1113423296211562497

91.192.100.8:47583

# Reference: https://twitter.com/Racco42/status/1115259915877146625

maxcoopart80.ddns.net

# Reference: https://twitter.com/x42x5a/status/1116608057268527105
# Reference: https://app.any.run/tasks/e89ec46a-0637-4b24-9802-08cc19459bef

185.140.53.17:2888

# Reference: https://twitter.com/James_inthe_box/status/1118904407792345090

mydnssbox.gleeze.com

# Reference: https://reaqta.com/2019/04/ave_maria-malware-part1/

maxibrainz.warzonedns.com
91.192.100.61:2580

# Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ (# AveMaria)

tain.warzonedns.com
noreply377.ddns.net
server.mtcc.me
doddyfire.dyndns.org
toekie.ddns.net
warmaha.warzonedns.com
185.162.131.97:222

# Reference: https://twitter.com/Racco42/status/1130511314537918465

mailsle001.duckdns.org
mazzet990.duckdns.org

# Reference: https://twitter.com/Lvanoel/status/1131441015922057217
# Reference: https://app.any.run/tasks/b00d980c-615c-433a-b549-36253786f9cb/

145.239.202.109:1013
145.239.202.109:1018

# Reference: https://twitter.com/Racco42/status/1132911306472919040

hiswar45.warzonedns.com

# Reference: https://twitter.com/abuse_ch/status/1145697917161934856

fuckoffesetdetectmysleep.com

# Reference: https://twitter.com/HerbieZimmerman/status/1151196743201173507

respainc.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1151953182869741568

masterprof.warzonedns.com

# Reference: https://twitter.com/James_inthe_box/status/1156163867744935938

dephantomz.duckdns.org

# Reference: https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/

anglekeys.warzonedns.com

# Reference: https://twitter.com/ps66uk/status/1159446703185047552

95.168.191.77:1436
dd122.duckdns.org

# Reference: https://twitter.com/anyrun_app/status/1159700318478897152
# Reference: https://app.any.run/tasks/b89006cd-dba0-4bc3-8a16-002f4ccc416b/

37.120.159.243:21204
aidsweden.serveblog.net

# Reference: https://twitter.com/James_inthe_box/status/1161273917689880576

millionways.duckdns.org

# Reference: https://twitter.com/Lvanoel/status/1161511143174823936
# Reference: https://app.any.run/tasks/bf09de69-e3b4-41d6-9d1e-d4875f9bca16/

79.134.225.39:2134
ndubaba45.warzonedns.com

# Reference: https://twitter.com/killamjr/status/1163429097273516032

wealthyblessed.warzonedns.com

# Reference: https://twitter.com/tkanalyst/status/1167210316406484992
# Reference: https://app.any.run/tasks/bf11ba41-b5bf-4fed-8769-eebdf6b50760/

185.70.184.34:3367

# Reference: https://www.virustotal.com/gui/file/544b299edea483bae81f71b7225aaa835ab025bcb6bd79b2d4ea9e2fe015c28f/behavior/Tencent%20HABO

wealthyme.warzonedns.com

# Reference: https://www.virustotal.com/gui/file/25a549daef7a464b48239af1d40f8aebba64dbadcbda0e99ce66b501aab7e36f/behavior/VirusTotal%20Jujubox

ebase.duckdns.org

# Reference: https://www.virustotal.com/gui/file/ece090a78dd15d62d2135e97df60c4aadd91a47febfa871394155bf367fde6fd/behavior/VirusTotal%20Jujubox

warzo.duckdns.org

# Reference: https://www.virustotal.com/gui/file/7c76424b56e4a678617fa9020a57c8342947ad883f747344f14520dee6f124a9/behavior/Dr.Web%20vxCube

levelup.publicvm.com

# Reference: https://www.virustotal.com/gui/file/da626882f225ded5ba58cefb4585de0c5a42f8e5fc9eb5b7762ef297187bf3fc/behavior/Lastline

helloworld.ddnsking.com

# Reference: https://www.virustotal.com/gui/file/2fdb79ca19e2ff06973e49b53ae627adfdf34a6f166f167fbceebb6c1cd60da3/behavior/Lastline

millionways.duckdns.org

# Reference: https://www.virustotal.com/gui/file/e8c68dd2e6fc0c1cacb27461dff68dcf16a8aa41af9e84b38b0cad8457789a6f/behavior/Lastline

amariceo.duckdns.org

# Reference: https://www.virustotal.com/gui/file/733a272f202c9917b877be278df24368daa6de101a2b804ccb45b48c6119c6fa/behavior/Lastline

eclass47.duckdns.org

# Reference: https://twitter.com/wwp96/status/1170333909982285824
# Reference: https://app.any.run/tasks/32422cdd-19d0-40cf-87d9-cb08e706405a/

185.165.153.12:1033
jsbcdns.warzonedns.com

# Reference: https://twitter.com/wwp96/status/1171410401885589509
# Reference: https://app.any.run/tasks/9e8d008e-653e-4af0-bfa4-ac05910853d4/

79.134.225.107:6703
naval.duckdns.org

# Reference: https://twitter.com/w3ndige/status/1179711138981957633
# Reference: https://app.any.run/tasks/a5a9e2f9-45bc-4760-8fad-3683d76aaf56/

94.237.114.17:59221
linuxpro1.warzonedns.com

# Reference: https://twitter.com/killamjr/status/1189750151155474432
# Reference: https://app.any.run/tasks/abcdb43f-c221-4ffe-9598-c7d6a2301395/
# Reference: https://www.virustotal.com/gui/file/80c027aea4017e2a6ef61cb5d2da2f5cd5c47a6bb082f3172be668fa85f3b3ef/detection

142.44.161.51:5371

# Reference: https://pastebin.com/29uSdMAk
# Reference: https://www.virustotal.com/gui/file/a75dad61090b4575f360310d59647560ce9faaff047ad7513fde736ea90aec4e/detection
# Reference: https://www.virustotal.com/gui/file/546dcac6a5fc155afcc19a4b74effff13414636362129cdbe73d47e994dc39b4/detection
# Reference: https://www.virustotal.com/gui/file/a2bf4a9a1d776cf793a97d0b6fc37b63dcb55f7e4793070df5cc265f59e06f97/detection

185.165.153.46:83

# Reference: https://pastebin.com/29uSdMAk
# Reference: https://www.virustotal.com/gui/file/c3b48986b1377673856f5500f9c79ec3de25c51c10e44e09e9385ce779dd0f6b/detection
# Reference: https://www.virustotal.com/gui/file/a11b7ef1b9ae4b05deec96035b8173d79861f3c661a66cb08ec5b7cb7993981a/detection

173.254.223.68:5005
37.49.225.237:5009
79.134.225.21:2244
favour.ddnsgeek.com

# Reference: https://twitter.com/wwp96/status/1191754793737428993
# Reference: https://app.any.run/tasks/941b2543-3fdf-49f1-ab81-4ef621930c66/
# Reference: https://app.any.run/tasks/461f8149-bc37-4081-920f-002c2ece10be/

185.165.153.150:6703
rentals.insidedns.com

# Reference: https://www.virustotal.com/gui/file/01018330ea410c2b49df4ec0ef0b5867a708b9102a780fa230aabf0391c0b82d/detection

craftedfollowing.duckdns.org

# Reference: https://www.virustotal.com/gui/file/cde18266fd65ee26cd546a95f7e3b629b4f13b8101d0a7ced282b2fee1d4c673/detection

185.222.202.74:1515
79.134.225.105:2404

# Reference: https://www.virustotal.com/gui/file/456b827c946facaadae9a11182d864e21db248f17a24309eaee0798c1043d5bb/detection

79.134.225.89:3366

# Reference: https://www.virustotal.com/gui/file/d84fdbc7ba1461fa0609661a13b434e2c791d6d0e6d2bba1c431175ad6d13731/detection

79.134.225.89:5200

# Reference: https://www.virustotal.com/gui/file/52cca8d3b984b5116ba625d2379b3d171e0e4a3d932a8afc740c136db2b611ea/detection

ventm.warzonedns.com

# Reference: https://www.virustotal.com/gui/file/dbfe4a369975251fd14e5d160f2edde33942723a9bb3b4e6b5f445dd5b9dc549/detection

75.127.5.164:4741

# Reference: https://www.virustotal.com/gui/file/e8c68dd2e6fc0c1cacb27461dff68dcf16a8aa41af9e84b38b0cad8457789a6f/detection

185.244.31.248:4741

# Reference: https://www.virustotal.com/gui/file/6059d33a2b43a5a840dd6525d7eeae99675e969a7d34f9a3fde663abec093abd/detection

41.111.120.82:5200

# Reference: https://www.virustotal.com/gui/file/f73bb2cac3348f9a3154d9c3761aaab9480c22c90272b8c6a2d12d03026545bd/detection

185.62.190.76:5200

# Reference: https://www.virustotal.com/gui/file/f92a5c1fbc216d4fa074f16df7cd779c7df900a8c83850fa28d375ae651a1ede/detection

194.5.98.28:1033
jsbcdns.warzonedns.com

# Reference: https://www.virustotal.com/gui/file/a059e3d18e6769f4b57c0e6703194d490d4acfaac10d51e97deccf97ebdc543b/detection

194.5.98.82:6093
importa.100chickens.me

# Reference: https://www.virustotal.com/gui/file/9c4d9735c010d737541d4992ea3263c7d9197892184ff1809b0bb57e4ce2f0fe/detection

51.77.254.184:2324
7fantasma.duckdns.org

# Reference: https://www.virustotal.com/gui/file/12ed11e75e0520eea52213b3f9f5f727d3639af2539d38642a2d8306ec19104a/detection

79.134.225.25:6558
chukdominic.duckdns.org

# Reference: https://www.virustotal.com/gui/file/f617de752f017722e0771b83b3f69ce38a4ba84602511ba91fccb84ea2fda7fc/detection

192.169.69.25:4070
benzkartel.duckdns.org

# Reference: https://www.virustotal.com/gui/file/77819732b5a4837ca3594ef86d606a48c064441411d08a539514fcc5d91218cd/detection
# Reference: https://www.virustotal.com/gui/file/0a4462d6b14ff52e9b445e260194357900ba7dbbe80774eb010b44e1bd4ee9a9/detection

192.169.69.25:5399
eclass47.duckdns.org

# Reference: https://www.virustotal.com/gui/file/b7346a155d02bd68ff67f5546609f9d75057d5efd90a6376e977ef7ea869e2f2/detection

45.61.49.107:5240
tunechi101.warzonedns.com

# Reference: https://www.virustotal.com/gui/file/07392385f56ddda989d5ad8bd8de01b108412982b159ac75e204be143d68b240/detection

185.62.188.136:5200

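# Reference: https://www.virustotal.com/gui/file/dbfe4a369975251fd14e5d160f2edde33942723a9bb3b4e6b5f445dd5b9dc549/detection
# Note: this reference and the 75.127.5.164:4741 entry below repeat an earlier block in this file verbatim (duplicate entry).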

75.127.5.164:4741

# Reference: https://www.virustotal.com/gui/file/c586ff7830ff31f8c053edb8f2629df87906bb01ec30f9e35bd29022ebea8419/detection

79.134.225.106:1177
praize19791.duckdns.org

# Reference: https://www.virustotal.com/gui/file/d441cff2ab9244e49f4bc3b05eca90d9249a6e2618e5e4bd9b0a54097facb48b/detection

93.177.75.154:3151
dinibel11.webhop.org

# Reference: https://www.virustotal.com/gui/file/e066a5143b342f5c231f97bb7f4eb49635abcde57d786f33fa1038ddd6ede11a/detection

170.130.31.104:1670
madmulla.duckdns.org

# Reference: https://www.virustotal.com/gui/file/4b6259416f03b0f5af3674e7bd388a4463c24d21de53a02dfcb9c662adf22e8f/detection

172.93.228.235:5880
genericmoney.duckdns.org

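# Reference: https://www.virustotal.com/gui/file/a24048a30789ba42ceb68f5cd75a408d5de9497cd5d2aa12b2577fcba6a69d9c/detection
# NOTE(review): 192.69.169.25 below may be a transposition of 192.169.69.25, which this file lists several times (including on port 5200) - verify against the report above before relying on it.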

192.69.169.25:5200
egonbute.duckdns.org

# Reference: https://www.virustotal.com/gui/file/bf81ce4168621e55a21d9f2dcb7a4ece8d36872ee6ef907345c99c272cea4e99/detection

79.134.225.58:7555

# Reference: https://any.run/malware-trends/avemaria (Note: as seen on 2019-12-04)

sub.winkcaffe.waw.pl
vemvemserver.duckdns.org
tain.rapiddns.ru
info1.duckdns.org
googleman.duckdns.org
moran101.duckdns.org
duc1234.duckdns.org
onelove03.duckdns.org
benzkartel.duckdns.org
westernautoweb.duckdns.org
qxq.ddns.net
kenw16570.ddns.net
johnevans04.ddns.net
sub007.duckdns.org
hustle4eva2.3utilities.com
sandshoe.duckdns.org
olavroy.duckdns.org
chance2019.ddns.net

# Reference: https://www.virustotal.com/gui/file/78ed84dd60c338ceb78a4d358f07437a383e435c385000404da66e570e2321cc/detection

91.193.75.181:3367

# Reference: https://www.virustotal.com/gui/file/7b15afbcaa1bcb0d2a6bdf83f6c93658817962b19c35326b8077d7be44b39a69/detection

79.134.225.71:5437

# Reference: https://www.virustotal.com/gui/file/b496ddb8d4c141887c11ea69fdce376b172a0fc194cb2de6c95599aecbb537ab/detection

cush007.ddns.net

# Reference: https://www.virustotal.com/gui/file/fe8703808c3f40b46b07af0e129c2102524347869710b02174c72a153d137760/detection

129.56.70.249:8282

# Reference: https://www.virustotal.com/gui/file/a984da90a5ad37b1ce550f33ff607095db19355c04025e38b3ee45ac8f693eb5/detection

79.134.225.39:9090
parospp.duckdns.org

# Reference: https://www.virustotal.com/gui/file/572f87602151f3338afa66ad3e732149fe3e360e3fa2e215f23a0a6925ce4d3d/detection

benrohr442.zapto.org

# Reference: https://www.virustotal.com/gui/file/f0f94d21b0f262127a2ded52cb7a1f4259f23dbf964d7df85d531c183212174b/detection

185.247.228.208:2888

# Reference: https://www.virustotal.com/gui/file/6bdff20a07a44acf12e43805c730c7ff7f38cbeafe921217c03d3dd1617a4880/detection

5.181.234.14:2888

# Reference: https://www.virustotal.com/gui/file/1b9ddb40b3935d58544774f7c6b7e95343be5dc0a8bf98b3105163a5afbb8c65/detection

79.134.225.71:84

# Reference: https://www.virustotal.com/gui/file/7b4f34a769a9e9c7c2624154a5573e195e0988cea062b374c03304f7478fc961/detection

79.134.225.71:5500
grounderwarone.freeddns.org

# Reference: https://www.virustotal.com/gui/file/e87773b992b99b6efd4c74e564d08eb67d315cc59d23a8c9b69abb33ea950dd4/detection

79.134.225.105:11896

# Reference: https://www.virustotal.com/gui/file/ac98d1565e8f687a0c631996c5029e6240f6e729042dca8e7858d35022b209b3/detection

marknagy44565-36386.portmap.host

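# Reference: https://www.virustotal.com/gui/file/b7cf331992b5483898c5e8193c660a245b09bcb058988835a30cb1692892273c/detection
# Note: 193.161.193.99 recurs in this file on many different ports, several times next to *.portmap.host names, so it is presumably a shared port-forwarding front end; match on the full IP:port pair rather than the IP alone.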

193.161.193.99:47765

# Reference: https://www.virustotal.com/gui/file/da2eb53310a9b8d6c4131288fcce98602f0e7b77085a02f7d7f69ac11565687b/detection

193.161.193.99:37648

# Reference: https://www.virustotal.com/gui/file/a0f6f5047ec47503ec7cbb61e04ebb9b97bfa9746392f7c3ed08182db8be8138/detection

193.161.193.99:45947
officialkezmuzik-45947.portmap.host

# Reference: https://www.virustotal.com/gui/file/5ff6e4edbf3c902b9a813d59800a60264373eb60f7babefe4dff54fedddb65e4/detection

185.101.92.3:1690

# Reference: https://www.virustotal.com/gui/file/ee4c2071e9030b4387111797f6d11f092f8781cdc5aac999139963fdcb63ff42/detection

185.140.53.95:5216

# Reference: https://www.virustotal.com/gui/file/15cae950567d2811ad51b7eb71c6b1bfc451548179931cdcfbbb498e24c2f661/detection

185.140.53.95:5200

# Reference: https://www.virustotal.com/gui/file/90852481986c5563f93a7615fd4a0f3d238ab62811603aca14585bcbd0c6e71c/detection

91.193.75.66:2088

# Reference: https://app.any.run/tasks/10544624-bea9-442e-98b9-8e862f612f6b/

ultrablank.linkpc.net
46.4.156.46:3008

# Reference: https://www.virustotal.com/gui/file/f100dd11620426161e6e36d5778c458dcb92b1cd551df338007bb52dfff4cdbc/detection

213.152.161.5:45315

# Reference: https://www.virustotal.com/gui/file/3c0180e5c2e750dd5f2af5d2cb94e17189b5e89381e8292b249eb02e7bdc7f37/detection

193.161.193.99:27190
scharo-27190.portmap.host

# Reference: https://www.virustotal.com/gui/file/a2f8c2d56df5bd28fe6524c0a41ecefbf43700f89c6bf083516109d021cb5a46/detection

193.161.193.99:2719

# Reference: https://www.virustotal.com/gui/file/e25774ea715ce20d9608948df1831b1f258df07e2b2065014c85c2fb6ad14213/detection

194.5.98.8:33033

# Reference: https://www.virustotal.com/gui/file/e909c918287b835821e26e1076693d426d127fdd5a589953deabf77717c2ef62/detection
# Reference: https://www.virustotal.com/gui/file/9826ff5418fe35cbab6465dd359968ffe56bd7b725dbc26d0d8d21c7e3dbc0ec/detection
# Reference: https://twitter.com/James_inthe_box/status/1214169622380834816

185.140.53.232:5211

# Reference: https://www.virustotal.com/gui/file/6733088fefa603350dd9904a49763b2e628c10f6f32a90e1f30789ae91b0bd28/detection

141.255.155.122:3008
palhacinhacker.ddns.net

# Reference: https://twitter.com/Racco42/status/1216993503118577665

79.134.225.103:5216

# Reference: https://www.virustotal.com/gui/file/1a0374f3f7a51bd877212c37b642a7980a27ea2b38c68b009a80ece64147beec/detection

141.255.154.127:5200
qayshaija.ddns.net

# Reference: https://www.virustotal.com/gui/file/03be3c7214fe1b769d22c4e8f93dab67b0d8aa399715bea4e37529438300f376/detection

141.255.147.80:5200

# Reference: https://www.virustotal.com/gui/file/b1d85b2e44628774c5706b05ba05a3ff66976258d3bbeeadb5db33fa0778341b/detection

179.180.11.89:5061
179.180.11.89:6008

# Reference: https://www.virustotal.com/gui/file/e92ba8c91051a2491c7b0c7a6310a3381734c11e54045e687c1591e2d757d8ab/detection

187.59.229.214:5200

# Reference: https://www.virustotal.com/gui/file/dd6a6d312452055ab81cee64848fa088feab2c197c177d10b9edc4569739954a/detection

177.133.237.246:5000

# Reference: https://www.virustotal.com/gui/file/3c8c14bc831c980fb43d33d23b59e2932785f410228908e17e69a9485b1893c6/detection

179.162.69.48:2020
191.35.36.143:2013

# Reference: https://www.virustotal.com/gui/file/87571c558c0c211cd407d87217a3a64240736fb6645919e970dadef3680975ef/detection

177.133.235.48:6606
177.133.235.48:8808
177.133.235.48:9830

# Reference: https://www.virustotal.com/gui/file/d5b2fbcf5a08b47f077f7ef5b703fb54c6d5b35af67a7d5d5a57d70d045b9ef4/detection

191.250.235.230:83
191.250.235.230:200

# Reference: https://www.virustotal.com/gui/file/ed3e1f7e8672d12735ca0e61a0d148d77c19c11e1857433d511ad91d84885207/detection

191.32.188.158:83
191.32.188.158:200
191.32.188.158:6060

# Reference: https://www.virustotal.com/gui/file/935226940893b40ce02be1230be2df7dce8cbd846013543298bf1d3d191462f2/detection

177.157.217.116:83
177.157.217.116:200
177.157.217.116:6060

# Reference: https://www.virustotal.com/gui/file/ed30e9e2d1ff9616faf3c5a67fec892453294b7e6b3f56aa3c8d265f4b04e56d/detection

179.183.44.100:83
179.183.44.100:200
179.183.44.100:6060

# Reference: https://www.virustotal.com/gui/file/c9a7c30772ea01a05608d2eea76f2863aec5cd35d0512ae64c914d224bc5a2fe/detection

191.35.44.154:83

# Reference: https://app.any.run/tasks/941be3bd-df60-4b2f-a187-7d7c924ab0fa/

info1.dynu.net
185.19.85.177:5552

# Reference: https://app.any.run/tasks/ce150998-fd3f-4c31-bf55-21f04c5a65b6/

108.61.178.121:5252

# Reference: https://app.any.run/tasks/d68dbb4d-232b-4fcb-8d9a-abd4f3e97118/

79.134.225.29:1960

# Reference: https://www.virustotal.com/gui/file/a62fe2c19d26ca8461fcd98993124b43a32629e25f801b78c680f209310632e3/detection

45.147.228.135:5200

# Reference: https://app.any.run/tasks/d280eef6-999f-4287-a6a0-02a450178525/

147.135.100.70:5200

# Reference: https://twitter.com/KorbenD_Intel/status/1227346517960167424
# Reference: https://www.virustotal.com/gui/file/f1b85bfab8eea64e43bce246eaa9cecea2b39013f210a7951d933a93c8242f39/detection

179.43.166.45:1194

# Reference: https://app.any.run/tasks/364eba32-8d5d-4705-98c5-ba9ccc82912c/

185.140.53.245:5200

# Reference: https://app.any.run/tasks/ff7b2301-a409-47ae-a005-bcad22c85850/

66.154.98.108:24045

# Reference: https://twitter.com/wwp96/status/1230504598852526080
# Reference: https://app.any.run/tasks/75847a13-7af5-435e-a42e-d2baf062fa23/

111.90.146.27:66

# Reference: https://www.virustotal.com/gui/file/084d5e723767035ee218186a0c7d35523875d2852f4779a582944cb3b7e2a988/detection

45.247.223.97:2020

# Reference: https://app.any.run/tasks/ce245328-2593-4f8c-8ace-e3b089739c98/

147.135.100.70:3380

# Reference: https://app.any.run/tasks/ae902f14-c192-4ed0-b85c-707fd2fe9f68/

193.161.193.99:27522
server12511.sytes.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1238208398069465088
# Reference: https://app.any.run/tasks/552ebaee-410b-4928-bcb2-7d65f7666297/

185.244.30.26:5157
notmine.duckdns.org

# Reference: https://www.virustotal.com/gui/file/2c9e8db68838c23e36adf1b4add15c79dc8be361a1f3110005ed12308eb4f606/detection

79.134.225.74:4531
t3am007.dynu.net

# Reference: https://www.virustotal.com/gui/file/234ff45642617c1afbfeba3c88d42dcdf4742d3951d0f6d7e0687bf9619c03b5/detection

79.134.225.87:5200

# Reference: https://www.virustotal.com/gui/file/6e0636df4571d7dfa44c3451e0a869119d9763f877c77469aa15890cb098b880/detection

79.134.225.113:1972

# Reference: https://app.any.run/tasks/dec1759f-0b65-42a5-b9b5-4a8026abc2ed/

79.134.225.123:5200

# Reference: https://www.virustotal.com/gui/file/f8a43d2ec2692d54c75bed8a5ddfcd2e3c0b8414e2d5f2b9e89948e0354957b7/detection

185.19.85.155:1960

# Reference: https://www.virustotal.com/gui/file/c1757ac3a2e435f607ec591c58d747407951158cd534c4efa3ef2f66520918b6/detection

185.165.153.39:8021

# Reference: https://twitter.com/James_inthe_box/status/1242183150022701062

fuckrat.000webhostapp.com

# Reference: https://clickallthethings.wordpress.com/2020/03/23/avemaria-rat-xls-ads-and-eqnedt32/
# Reference: https://app.any.run/tasks/ce33bea3-9f2d-4507-ae43-2a96bb814bc5/

5.199.143.127:5200

# Reference: https://www.virustotal.com/gui/file/36c4c7d76f7de9b21530cb4bdd38320e1255b0275b5d7999628e95f52839026a/detection

185.165.153.90:5200

# Reference: https://www.virustotal.com/gui/file/995ce74589c2ee66545a62d9f715b26735a5a18106015f1f3179629d83a55e9c/detection

45.147.231.168:5200
phantom101.duckdns.org

# Reference: https://www.virustotal.com/gui/file/a58d37e03d37e6ba7fe426e2f8bc3e4a3c3618d8eae9cb7f9f62b391b92fce82/detection

91.218.65.24:5200

# Reference: https://www.virustotal.com/gui/file/16063a26361551b941684b336e20e311da78f53d65c803cf55b2290ccd2c42c5/detection

91.218.65.24:1515

# Reference: https://app.any.run/tasks/1f1d77d3-f131-46ac-b3f6-ea3705c65690/

94.177.123.177:52544

# Reference: https://www.virustotal.com/gui/file/9b96a245dcff530e0c9e44e46ec3d7b2a0d2c979f2eab45d034ff66ac0323aa9/detection

185.247.228.246:5200
79.134.225.122:5200

# Reference: https://csirt.bank.gov.ua/news-ioc/78 (Ukrainian)
# Reference: https://www.virustotal.com/gui/domain/unlimitedimportandexport.com/detection

79.134.225.114:49168
79.134.225.114:49169
79.134.225.114:49170

# Reference: https://twitter.com/JayTHL/status/1247913539924307968

winx.xcapdatap.capetown

# Reference: https://www.virustotal.com/gui/file/b9626de5d7262ab3985c0a064e3855f7a40fb9a6a941a29f55c2cb67df503fcf/detection

198.50.243.173:52001
mfonwar.duckdns.org

# Reference: https://www.virustotal.com/gui/file/328a5c568c870758cf0cab65296ad6b6a43e83346f03609fe84a3f25ec18ec57/detection

5.253.114.116:6667

# Reference: https://app.any.run/tasks/ee9a3ce7-1c43-4767-9f7d-5bd836afb695/

79.134.225.54:7200
purchase.ddns.net

# Reference: https://www.virustotal.com/gui/file/8e944862dbed48bf69c402e4d8b58b87092b9154e127f6786ef47132148177b7/detection

51.83.200.169:5554

# Reference: https://www.virustotal.com/gui/file/78ae67bcd77b61bb3351ea259ce5d73a87461e627dab8e81a6eabcd7c1641831/detection

194.5.98.22:4040

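# Reference: https://www.virustotal.com/gui/file/ce49af22dbaeddc0d973256a12b169621404baaf617a7f8bc093d974ab0c5f2e/detection
# Note: randomly named *.ngrok.io tunnel hostnames are typically short-lived and can later be handed to unrelated users; treat hits on the entries below as time-bounded and corroborate them with other evidence.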

ab6b64b3.ngrok.io
ef94c2ec.ngrok.io

# Reference: https://www.virustotal.com/gui/file/c4f91744a0c1ef1b26212936537e430a333e7b6a94b5d351bace5168aee3c719/detection

2fff5496.ngrok.io

# Reference: https://www.virustotal.com/gui/file/0d55101bad40167bfe9ee6cace2571db0a700b746e3a306036301936fe80b6bb/detection

23.82.140.14:433

# Reference: https://www.virustotal.com/gui/file/ebddbf171d569ce4db44a0284ac1cbe390e075854749713aa9186276036cacd6/detection

qlox.duckdns.org

# Reference: https://www.virustotal.com/gui/file/a102c4a2dfca8c218f1e65cbb5050012da856c3deba018d8c238fa9b09dd3a2b/detection

securitysr.duckdns.org

# Reference: https://www.virustotal.com/gui/file/061aba0cc132ebe2c8e666ffa001677463d9592b719247b3effb0d7e34a05614/detection

66.128.136.158:6667

# Reference: https://www.virustotal.com/gui/file/b4fa30c9108e903849b0a006ed91f4908e884c0214714e08895d7d8251931015/detection

185.165.153.212:5678
185.165.153.247:5678
smiggle.ddns.net

# Reference: https://www.virustotal.com/gui/file/267b96f4e47346ccd8e19d7a6ffe38204b88ebf614f13268e27fe564e8caf934/detection

39.41.105.37:1996
grayspott.ddns.net

# Reference: https://www.virustotal.com/gui/file/a560a69ff3ce3f6705ecde244b404055abf2865a3cf9c8caf4545bc127b74186/detection

79.134.225.5:1975
79.134.225.5:5556
maxcoopar.ddns.net
maxcoopar80.hopto.org
maxcoopart80.ddns.net

# Reference: https://www.virustotal.com/gui/file/12caab7fa1930479e36119bd979a727539b9e2fb213aaeb8d02c8d232c97d43c/detection

179.14.168.79:1999
192.169.69.25:1999
dia9dejunio2020.duckdns.org

# Reference: https://twitter.com/58_158_177_102/status/1280377733466345472
# Reference: https://app.any.run/tasks/db7a8d7e-36ae-4eb7-abab-d7b67a42d385/

185.140.53.91:1867

# Reference: https://twitter.com/VirITeXplorer/status/1280415278774595584

20.185.199.35:5800

# Reference: https://www.virustotal.com/gui/file/931271a7d61eb05a68882f90042d1e109da4249bbc87f9480f6250484f81f131/detection

155.94.198.169:9115
waz.no-ip.ca

# Reference: https://www.virustotal.com/gui/file/de8efff765420227a449b89e3398131fc2949d7b7be0b5794fd6b6b9dbccfacb/detection

wazone.duckdns.org

# Reference: https://app.any.run/tasks/097eed92-7211-44fe-a6f0-4959546bcb0b/

4610215325.redirectme.net

# Reference: https://twitter.com/James_inthe_box/status/1293267162258272256
# Reference: https://app.any.run/tasks/49ba0acb-fd7a-47ec-9998-cacc6eb875d5/

185.157.162.81:20058
uknwn.linkpc.net

# Reference: https://twitter.com/James_inthe_box/status/1295764954306326529
# Reference: https://app.any.run/tasks/db85aadd-841c-47ba-b331-541c7b8d70ff/

story43.ddns.net

# Reference: https://www.virustotal.com/gui/file/b5397e498dcc57edb5746a9aea3b86c60933d567e2fcfce376efb7e1da0732b2/detection
# Reference: https://www.virustotal.com/gui/file/0c89ea82f6be13d98bed32712966f66d2664264e026ca1d822b174a2483ed63c/detection
# Reference: https://www.virustotal.com/gui/file/6c51877004df7e830c9afa8d698ad3102c3327c2d486b554ce6a4787931d40a9/detection

196.157.29.41:5200
41.233.195.30:5200
41.35.217.21:5200

# Reference: https://www.virustotal.com/gui/file/db2377b06ca2fa51438e54a011c5d04266c2c115806ec0b36f6138e4ca721a8a/detection

5.196.102.89:4342

# Reference: https://app.any.run/tasks/0eb62769-7d77-4371-988f-5e3ccf12bc0d/

bigmoney2020.ath.cx

# Reference: https://app.any.run/tasks/0bc9ba17-1bac-43e2-b3ea-84948ca3b95a/

103.207.39.83:1021

# Reference: https://www.virustotal.com/gui/file/fb9e1f0ad494ffc39d06ba6b0df33c1aa5e059e10e1c366d9a3a2bc462c4ff59/detection
# Reference: https://www.virustotal.com/gui/file/6534a7953482135c6b462c90fb9d33dcf7ed9094fd42704266debab1cc775524/detection

93.174.89.30:5200

# Reference: https://app.any.run/tasks/71d495f0-d275-412c-9523-b89c3952ca45/

192.236.249.173:2709

# Reference: https://app.any.run/tasks/42df4e1e-29ad-4b1e-9359-ae37142102c5/

150.242.14.61:5552
iphanyi.mywire.org

# Reference: https://app.any.run/tasks/c1d64385-f10d-420c-aee8-b7b752d5779e/

94.158.245.3:6969

# Reference: https://app.any.run/tasks/f79cdfd6-8c81-4a56-afc6-9084473730d6/

185.32.221.45:5200
minekroft.duckdns.org

# Reference: https://app.any.run/tasks/615af023-eeb1-432f-bc62-763a2d2eba28/
# Reference: https://app.any.run/tasks/9fb314c8-72f9-4a82-87be-e035d52ce071/

178.170.138.163:4554

# Reference: https://app.any.run/tasks/42fdc696-a9f8-48ec-b94e-59b91a73910a/

185.19.85.177:5200

# Reference: https://twitter.com/h2jazi/status/1321867657956806656
# Reference: https://twitter.com/h2jazi/status/1321867659605086209
# Reference: https://www.virustotal.com/gui/file/a3cd781b14d75de94e5263ce37a572cdf5fe5013ec85ff8daeee3783ff95b073/detection
# Reference: https://www.virustotal.com/gui/file/1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126/detection

recent.wordupdate.com
wordupdate.com

# Reference: https://gist.github.com/silence-is-best/0aa844b003c62c6ce491e91e168ac662
# Reference: https://www.virustotal.com/gui/file/71435231f2c9636b8286fbc31f59a95fc8a2f9a598525f4c9c65c7b1f6c3c634/detection

79.134.225.95:2442
bestsuccess.ddns.net

# Reference: https://www.virustotal.com/gui/file/ac6fe5d0dc9129225e65b82c6b992641ed6f036c1ae62f8e889821580416ebab/detection

194.5.97.15:9901
wzefi.duckdns.org

# Reference: https://app.any.run/tasks/5b60dcaa-7155-48ff-8428-722bd4b2872b/

52.146.42.226:5600

# Reference: https://app.any.run/tasks/37e8edc3-4e05-40c3-a8ff-355da5f73564/

209.127.186.228:5200
warzonecastro.ddns.net

# Reference: https://www.virustotal.com/gui/file/d0ef59cdc766a5abb2c652273bcd713aaf660c6631154f78c1fc028934ebd083/detection

91.193.75.6:5988

# Reference: https://urlhaus.abuse.ch/browse/tag/AveMariaRAT/
# Reference: https://www.virustotal.com/gui/file/6cb291e90e6b603de38931adb89ca89d0745a487169ed46e10669d2890eb627d/detection

5.196.207.55:7272

# Reference: https://www.virustotal.com/gui/file/3b84ae0d295425279c7636ff3de98950d1f6ebf935b79a23049842d85c9d905c/detection

34.208.109.201:5200

# Reference: https://www.virustotal.com/gui/file/788fb7921aa27add6ee4a6e7927c8475236eb9cf82faef193c4d113b8da886c0/detection

141.255.157.54:1605

# Reference: https://www.virustotal.com/gui/file/08c0209ce6617b4737872ac19223aacd84a752b8f4b013823ac6107f7f1d74ab/detection

136.243.31.186:1608

# Reference: https://www.virustotal.com/gui/file/f3f654a41d57053362f7306f9a432c1341cbd57dce82f0940108a73917a8a934/detection

193.161.193.99:40377

# Reference: https://www.virustotal.com/gui/file/535b6e5e8cd0fd9610c321d9b5e7fb95d18e0161a8a8d63a8a35913d6e6a4866/detection

192.169.69.25:5200

# Reference: https://www.virustotal.com/gui/file/0356ea425eda4c9b1d7a8d58879c441e29919d491b85e84eb4f96c9113052818/detection

177.75.41.196:5200

# Reference: https://www.virustotal.com/gui/file/dd0c8701d0d9e62c7b354e97e41cfec6aa85da269cfa6a6490ba68cce58b2385/detection

91.193.75.5:7711
versi.duckdns.org

# Reference: https://www.virustotal.com/gui/file/90001df66b709685e2654b9395f8ce67e9b070cbaa624d001a7dd2adbc8d8eda/detection

155.94.198.169:1991
pounds1991.duckdns.org

# Reference: https://www.virustotal.com/gui/file/7ca83349bed484f6eda4ad1dce51d4b1ed79c76a535f56c85033977b3728a3b5/detection

162.218.122.109:1117

# Reference: https://www.virustotal.com/gui/file/1a9644d007b728f70a743529ea97b910baf33351a405d35c065c4d7eccda2b2c/detection
# Reference: https://www.virustotal.com/gui/file/4083be0a99183e9b1da84b0a360b67c452b09302ce536c5b3cfa3ccdd36fea0a/detection

69.65.7.134:3890
eldragon.ooguy.com

# Reference: https://twitter.com/Racco42/status/1329057446787215360
# Reference: https://app.any.run/tasks/72ef6190-f792-4672-b679-591641f92913/

156.96.44.201:5200
auditor3.duckdns.org
8e3d-wzr.duckdns.org

# Reference: https://www.virustotal.com/gui/file/43401d61e09bbe698a38b98a0a74e46f5d2daf28d2d115339a67d8a18a86e71a/detection
# Reference: https://www.virustotal.com/gui/file/3c2952b8e4351727e26025036532b31841b06c45b5e0e3faec4110d1959aad8b/detection

79.134.225.37:5200
91.134.167.159:5200
icey.awsmppl.com

# Reference: https://www.virustotal.com/gui/file/5385cc5d2b11648b15c2d43657b85092dce7effdadad1c98c5e7ef597f2e7ee4/detection

c.awsmppl.com
jikk.duckdns.org
/iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii/
/iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii/Ynte

# Reference: https://www.virustotal.com/gui/file/a050a83263058dd2a74f2b7490e8bffb188a3a7a241ad83032b3d10c701ce39c/detection

183.104.220.151:5555
kwen0939.codns.com

# Reference: https://app.any.run/tasks/88df6565-81e6-4774-80d6-d05d3cb3c4de/

195.140.214.82:6703
aogmphregion.org.za

# Reference: https://app.any.run/tasks/0a43f51f-93e7-4f01-8a9a-6b1785fdb7d8/

45.147.231.232:5200
syncronize.3utilities.com

# Reference: https://app.any.run/tasks/4fd30ffe-3e23-4032-8522-03eb6ae4a33e/

149.28.115.223:3404

# Reference: https://www.virustotal.com/gui/file/d0e70f2ede6386eb36547cc0bfb0b972ea402ea569505cfd97c740c9d5e28d63/detection

79.134.225.9:1313
2c04mm.hopto.org

# Reference: https://www.virustotal.com/gui/file/43884a1b9effdb7893f607139d10d82eb42a1b6dd66af3c9935b692d9a694791/detection

37.221.115.52:40701
psalm21.duckdns.org

# Reference: https://app.any.run/tasks/4bf7a851-6342-4886-a321-5ae2972e029a/
# Reference: https://app.any.run/tasks/9da5599d-a818-443e-b960-ad35d0fa3e54/

185.150.24.27:5200
185.140.53.227:5200
goodyear21.duckdns.org

# Reference: https://www.virustotal.com/gui/file/504e0489472d6107d56d6d4f88600200b055bd97c3158ef1c9a54ea38074351a/detection

37.46.150.86:5200

# Reference: https://www.virustotal.com/gui/file/492b57cab7d4eed865141cff12e5c0a9cc551f848b5bce90a36b5868b6be926c/detection
# Reference: https://www.virustotal.com/gui/file/7ec6ac9a3213f3a69d19a3209b763cb429b331fda2cf1ab02cc0cd4cff953a70/detection

91.193.75.251:43526
ie2z2.ddns.net

# Reference: https://twitter.com/reecdeep/status/1354070251911213057
# Reference: https://app.any.run/tasks/291734ae-12f5-4350-a320-2da1583ed5e7/

52.146.42.226:5600

# Reference: https://app.any.run/tasks/d7f182ab-5a09-4a5f-8741-6063eb65cddc/

185.244.43.60:5200

# Reference: https://app.any.run/tasks/a063c378-3cca-464e-a95a-2e8e39b240da/

79.134.225.115:7112
yetye.ddns.net

# Reference: https://twitter.com/executemalware/status/1359294408814956546
# Reference: https://pastebin.com/E2bbqwqC
# Reference: https://www.virustotal.com/gui/file/ee0b28949b01044f151f04743d49f6310a70de7339ad4936afd79b5c8a724025/detection

http://45.145.185.153
45.145.185.153:5210

# Reference: https://twitter.com/satontonton/status/1359507457362415617
# Reference: https://app.any.run/tasks/f71d16ef-1e0b-4789-b86b-fc980af5c619/
# Reference: https://www.virustotal.com/gui/file/4d05a527675f1cf3d6192a8336a174df03a542c69b126ef0263706fa1537d921/detection
# Reference: https://www.virustotal.com/gui/file/3ed44cbe5246f325af70060e29e1ac6b9cd154cbbf1491c04f3fe4add9d2d442/detection

http://111.90.149.168/autom.html
107.175.1.186:54213

# Reference: https://app.any.run/tasks/e131bcfa-6402-4c90-9bf5-b89a1305b59f/

139.28.235.223:1234

# Reference: https://twitter.com/reecdeep/status/1361276747392704513
# Reference: https://app.any.run/tasks/7effca1a-1ffa-4e27-89e0-599c42df2e70/

137.116.87.64:8400

# Reference: https://tria.ge/210215-q6gln4q3wj/behavioral1

37.46.150.67:5211

# Reference: https://app.any.run/tasks/77aeaadc-ce9e-45a6-8ad9-edb1b6db4b25/

185.140.53.243:11754

# Reference: https://www.virustotal.com/gui/file/200b6e75f3cf519f4e85c2ca1ed0aa458f6c0fca011f5e7c76dec1911c23b0e5/detection

95.165.5.79:1340

# Reference: https://twitter.com/reecdeep/status/1369975299664908290
# Reference: https://app.any.run/tasks/23c27210-a6c6-4d8f-8af1-cfb338707b78/
# Reference: https://otx.alienvault.com/pulse/604b58f15d9f775f69553290

79.134.225.26:3141
cbngroup.duckdns.org

# Reference: https://www.virustotal.com/gui/file/b92de2b0a516b39be2debd436167dc0fce504f98e1fb95230393b8745b9f85dd/detection
# Reference: https://www.virustotal.com/gui/file/d0c9866eae91701201a24089089e04c6e7aed78997c04d5e681c3e731e56e816/detection

185.19.85.151:1990
farahpower45.warzonedns.com

# Reference: https://www.virustotal.com/gui/file/20fdfd5f97c412473ef17a980fd6ec16d59092ef1f9da5532344acbfb534649f/detection

mit.warzonedns.com

# Reference: https://www.virustotal.com/gui/file/86539dd3983a0edd712ab3831130ddf317e92944bf6ace1f6846b886f31a1ccd/detection

193.56.28.206:5200
black.warzonedns.com

# Reference: https://www.virustotal.com/gui/file/c7e9a961c18f29d0c87232ed3a3829db6658b83fa693bce257079dbba8c19a65/detection

au.warzonedns.com

# Reference: https://app.any.run/tasks/95e995ad-a108-4b3d-bfbb-03def6144333/

104.209.133.4:7500

# Reference: https://twitter.com/neonprimetime/status/1381955462967476228
# Reference: https://twitter.com/ps66uk/status/1381962342200606723
# Reference: https://app.any.run/tasks/0cf85641-e5be-4979-9e97-8afc0f30fa67/
# Reference: https://app.any.run/tasks/65952547-7f8a-4505-a425-0422ac4f40cf/
# Reference: https://www.joesandbox.com/analysis/384058/0/html
# Reference: https://tria.ge/210413-mp9t774whx
# Reference: https://www.virustotal.com/gui/file/6cb41881b598c60c42e387639f439de19d8d38d8ab7decc539275da86f44d57e/detection

178.170.138.116:6021
beda.remcosagent.com
cfr.eur-import.com
maskcovld.ga

# Reference: https://www.virustotal.com/gui/file/8c08527b2f800a885e149e4885d48f881460a7a95f87aed31e34265e7720ef5a/detection

91.207.57.51:57797
rat1234.ddns.net

# Reference: https://www.virustotal.com/gui/file/d7df4ac0cb45d0a0e9e6d237ffc95b19c557a6d8a8753dfbea41b5425ffb84f1/detection

185.244.30.118:9090
parosp1.duckdns.org

# Reference: https://www.virustotal.com/gui/file/067e134111d09e1a91aa5466c485189b33aff7c3bd6efb09056f1edddb1296ad/detection

194.5.99.47:9090
parobk1.duckdns.org

# Reference: https://www.virustotal.com/gui/file/afec970c19cf52710146bad6dbcf78328ce88891bbd9cf726a7dac38545b39bc/detection

warrsppa.duckdns.org

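# Reference: https://www.virustotal.com/gui/file/342cb4abad3390f7ee7443b8b007f8b767d88afe846fe0c096acb6b68449cf4c/detection
# Note: playit.gg is a public tunnelling service. tor2.playit.gg looks like a shared relay host rather than a per-tunnel name (unverified), so a hit on it alone may come from an unrelated tunnel and should be corroborated with the IP:port or the auto.playit.gg name.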

165.22.238.120:56812
round-brush.auto.playit.gg
tor2.playit.gg

# Reference: https://www.virustotal.com/gui/file/7b49cb94af4e1f43b5197c7ab0d0a6a0c59cd33abba978d877a7933e31e7aa9f/detection

134.122.66.170:59829
brash-bite.auto.playit.gg

# Reference: https://www.virustotal.com/gui/file/95aa5e6660ad096f6f3273f0f2bda2a935a5674d6904f91a0394c9cef9279ad0/detection
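# Reference: https://www.virustotal.com/gui/file/7f3169ecdc795f8b01afb05e074dbd62bf24407dabaeb635918e71db23579af1/detection
# Note: one address with four ports and three *.auto.playit.gg names suggests a shared tunnel relay (unverified). The IP:port pairs are likely short-lived and may be reassigned to other tunnels, so re-validate them before relying on them for attribution.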

134.209.194.210:1604
134.209.194.210:54950
134.209.194.210:55180
134.209.194.210:57183
defective-experience.auto.playit.gg
miniature-car.auto.playit.gg
normal-knife.auto.playit.gg

# Reference: https://www.virustotal.com/gui/file/b5bc70d63ab20ffded67bbc999d1db56d93e7a0e17fa2f9304ef15f0a6e89a48/detection

white-fuel.auto.playit.gg

# Reference: https://www.virustotal.com/gui/file/e69548a8006b100284c6c1f6429bc1625e69994333041a35ce98803381b71dc7/detection

188.244.63.241:25565

# Reference: https://www.virustotal.com/gui/file/5dde5153e0385b320c18aede7cc5c6208aa7791e2f44ecb8e676973640614976/detection

88.124.75.73:6766
warzone.ddnsking.com

# Reference: https://tria.ge/210608-nj6t2mfqqe/behavioral2

79.110.52.7:65535
hongphilxxx.duckdns.org

# Reference: https://twitter.com/MBThreatIntel/status/1408064073963429900
# Reference: https://www.virustotal.com/gui/file/2960795548bdc081bce7c2b6931113fc2dbceec5778a0de4e988ace7522594aa/detection

13.82.24.228:5918

# Reference: https://twitter.com/ffforward/status/1410316799288168449
# Reference: https://tria.ge/210630-x1j748z73s

185.157.160.215:2211
