# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: kegtap

# Reference: https://pastebin.com/raw/BmPzBqUs
# Reference: https://app.any.run/tasks/975fb69c-b5eb-49c7-8d8f-332d34b6f46b/
# Reference: https://app.any.run/tasks/d0b1de23-ac5a-4274-afa0-4066fcb51844/
# Reference: https://app.any.run/tasks/b21c7dbe-7a74-48d3-9762-874c3c80c9e0/

164.132.76.76:443
164.68.107.165:443
195.123.241.194:443
212.22.70.4:443
54.37.237.253:443
82.146.37.128:443
calacatta.com
rayanat.com
unitedyfl.com

# Reference: https://twitter.com/James_inthe_box/status/1310987704021073926

http://51.89.177.16
51.89.177.16:443

# Reference: https://twitter.com/James_inthe_box/status/1311386833041809408
# Reference: https://twitter.com/James_inthe_box/status/1311388126284185600
# Reference: https://app.any.run/tasks/6829a6b6-7444-400a-8888-b95ff3875ef6/
# Reference: https://www.virustotal.com/gui/ip-address/64.44.131.106/relations
# Reference: https://www.virustotal.com/gui/ip-address/96.9.225.147/relations

bubl6g.com
check1ster.com
control1domain.com
gate56dc.com

# Reference: https://www.virustotal.com/gui/file/23ac461f9b5128841cafabb4282432252ea7b57874595cf6fe8457fc1ac65007/detection
# Reference: https://www.virustotal.com/gui/file/fa70444f840f593557d5d062dcb7d57d5869a8c1a998939881e7762044660272/detection
# Reference: https://twitter.com/malware_traffic/status/1313261006634848256

3.137.182.114:443
54.146.200.146:443
cstr1.com
cstr3.com

# Reference: https://twitter.com/James_inthe_box/status/1313512886640074753

z57gc.com

# Reference: https://twitter.com/IntezerLabs/status/1314236451119411200
# Reference: https://www.virustotal.com/gui/file/0654bd997b078513c0607683315b9499ec1edc970af5e75d71948ea605781867/detection

ds45x1.com
ds46x1.com
ds47x1.com
x55gc.com
x57gc.com

# Reference: https://twitter.com/James_inthe_box/status/1314612116574203906
# Reference: https://otx.alienvault.com/pulse/5f80a8e422f0579f87cdf4d0

allrulk.com
breezdesign.com
cuprinc.com
grumhit.com
onevdg.com

# Reference: https://twitter.com/James_inthe_box/status/1316009750086123523

3.137.180.197:443
34.221.202.231:443

# Reference: https://twitter.com/James_inthe_box/status/1316779729299542017
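# Reference: https://twitter.com/pancak3lullz/status/1316790427958292515
# Note: 244.222.244.154 lies in 240.0.0.0/4 (reserved, not publicly routable), so this entry is unlikely to match real traffic; probably a transcription error - verify against the references above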

244.222.244.154:443
freedubcs.com
labelcs.com
shophoof.com
titlecs.com

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1319347664207679488

mixcinc.com
nicknames.com

# Reference: https://twitter.com/James_inthe_box/status/1319298609255383040

hunopk.xyz
sersd.xyz

# Reference: https://twitter.com/Scoobs_McGee/status/1321545184891539466

hmiu.xyz
refvs.xyz
zaxswder.xyz

# Reference: https://gist.github.com/silence-is-best/0aa844b003c62c6ce491e91e168ac662

bigjamg.xyz
dasvdbfgne.xyz
lmnab.xyz
z55gc.com

# Reference: https://twitter.com/James_inthe_box/status/1323373950022250497

citycafeonline.com
ikjumnh.xyz
woodallmcneill.com

# Reference: https://twitter.com/James_inthe_box/status/1323711792686587905
# Reference: https://app.any.run/tasks/e133041c-9c4c-48e9-8b9b-8912fb7fc835/

nemtos.com
lukeschicago.com
ukmedm.com

# Reference: https://www.virustotal.com/gui/file/2a7964c5d7268f4b320e91ad133654d75edca3c15f9e5c76dee7bf68634b933f/detection

burngs.com

# Reference: https://www.virustotal.com/gui/file/f54cec2b04daafb0a1d612ef84913a1d03ef61d7de8b4c144414378c4415ac09/detection

35.164.230.208:443
aegijmaliijo.bazar
afehjlamghjn.bazar
afeiilamgiin.bazar
bdegjkbkggjm.bazar
bdfgilbkhgin.bazar
ceggjkcligjm.bazar
dcegjldjggjn.bazar
ddegkmdkggko.bazar
ddehimdkghio.bazar
dfegkkdmggkm.bazar

# Reference: https://www.virustotal.com/gui/file/15305978d7c42e26d908feca9aed4efa3df89ae6524ecce10752a2ee3cdf813f/detection
# Reference: https://www.virustotal.com/gui/file/20f46f645a8eee243166fe55e1473e908f194438bed47d8d0caf164fbbd45655/detection

81.17.28.105:443

# Reference: https://twitter.com/ffforward/status/1337091508391047168

cleancarwashlla.org
envirodedge.com
thecarwash-zone.com

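# Reference: https://twitter.com/ffforward/status/1337094696460496903
# Note: "chukysdetall.com.com" below looks like a doubled TLD; as written it will not match "chukysdetall.com" - verify against the reference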

chukysdetall.com.com
ecosmartdetaillng.com
masterpiece-auto.com

# Reference: https://www.virustotal.com/gui/file/ac696ef5a12039b72e408b6b14e08823c407ee652a6a36b7c33d01cd8d373497/detection

cleaningcompany-online.com

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1340455647763189761
# Reference: https://www.virustotal.com/gui/file/288d28f4d53d8e44d599a4d2f70b53d5b13f0827ad2b7a953a7a3cbd6e67bf25/detection
# Reference: https://www.virustotal.com/gui/file/a32ed4b36d44c489341721920d27294cab78ad7bd970c8ac6baa3edc4337a600/detection

homeclean-heroes.com

# Reference: https://twitter.com/_pr4gma/status/1340026234621857793
# Reference: https://www.virustotal.com/gui/file/56c5bee33c17a453c900725f88efb0466fd928072c420955fa599b518b9dfcd2/detection
# Reference: https://www.virustotal.com/gui/file/68ed893ae6ab2d7f00c3aacf46bc0c92966b647bcfe7e940a5d3ee55af01105a/detection

akbuilding-services.com
johnnyclean-carwash.com

# Reference: https://twitter.com/_pr4gma/status/1341115000652525569
# Reference: https://www.virustotal.com/gui/ip-address/192.236.155.212/relations
# Reference: https://www.virustotal.com/gui/file/436301cb89dadecb6c6cefc043b8a4d8f47de2054b1e84e1612cf061cd14dc15/detection

birch-psychology.com
busybjjj.com
flux-psychology.com
kpn-diensten.com

# Reference: https://www.virustotal.com/gui/file/102dca8d268dbbba33770459009d4d67e0d714b44523c28fce57ee83fe186a31/detection

bitaonyw.bazar
etymsoem.bazar
iqtielca.bazar
izaztoew.bazar
lilaelac.bazar
uclaibyw.bazar
vuazelqe.bazar

# Reference: https://twitter.com/_pr4gma/status/1341513863364272128
# Reference: https://www.virustotal.com/gui/file/392c73ffa3b1513cd8de9435d7e76320eff7f98db884eb6bc776c3b2bea7c77e/detection

elevateyoga-denver.com
flourish-psychology.net
impactpsychcoloradoo.com
livingyoga-denver.com

# Reference: https://twitter.com/James_inthe_box/status/1339660764303388673

sosefinawinnifredsullivan8-5ce0e.gr8.com

# Reference: https://www.virustotal.com/gui/file/ba32f63679760a34efd78fb148785a5b9074a406a0a0bf5881e7ccdc15a5d70f/detection

http://13.57.15.8/vegetable/cut/bananas
http://54.193.186.118/map/spell/16
http://54.193.186.118/vegetable/cut/bananas
dcegjldcggjn.bazar

# Reference: https://www.virustotal.com/gui/file/ba31f57d30e59c14c77c44fc90b8220933771220fba0ec1b27acd665c2a145ad/detection

18.188.18.65:443
3.15.209.89:443
juiceandfilm.com
aegijmaliijo.bazar
bdegjkbkggjm.bazar
bdfgilbkhgin.bazar
dcegjldjggjn.bazar
ddegkmdkggko.bazar
ddehimdkghio.bazar

# Reference: https://www.virustotal.com/gui/file/d362c83e5a6701f9ae70c16063d743ea9fe6983d0c2b9aa2c2accf2d8ba5cb38/detection

34.209.40.84:443
54.184.178.68:443

# Reference: https://www.virustotal.com/gui/file/571c32689719ba00f0d60918ae70a8edc185435ce3201413c75da1dbd269f88c/detection

http://34.209.40.84
http://54.184.178.68

# Reference: https://twitter.com/_pr4gma/status/1348468157028196352
# Reference: https://www.virustotal.com/gui/file/712613ccdbc874e5467e58f6132687d39ece03669a4f0ea085e2c11e2158a7ed/behavior

http://34.216.201.114/biker/bearded1
http://52.37.6.188/biker/bearded1
http://52.37.6.188/manufacturer/ningbo
a-c-s.com/omgas/orexda.php

# Reference: https://twitter.com/jfslowik/status/1352075291137437696
# Reference: https://twitter.com/jfslowik/status/1352078589773037568
# Reference: https://twitter.com/jfslowik/status/1352078590746103809

1800carwashdcc.com
carwashcafe-usa.com
carwashers.app
carwashnearme.online
championsgatecarwashh.com
cleanasawhistlecarwashh.com
coastalbrezecarwash.com
englewoodcarwashh.us
flagshiipcarwash.com
flagship-carwash.com
insideoutexprescarwash.com
liberty-carwashh.com
lruless.org
maidcompletee.com
maycarwash.co
miraclecarwashanddetall.com
mysplash-carwash.com
myvaleycarwash.com
nemosexpresscarwashh.com
riptidecarwashfll.com
shellgasand-carwash.com
steam-cleaning.us
timetshinecarwash.com
topshine-carwash.com
usedcarwash.com
usedcarwashequipment.com
waldenlakeecarwash.com
washcity-carwash.com

# Reference: https://twitter.com/ffforward/status/1353695031287291905
# Reference: https://app.any.run/tasks/71430bf0-d4c1-4647-8e76-1ec367eac0db/

aceiikbdgiin.bazar
acfgikbdhgin.bazar
acghilbdihio.bazar
adehjkbeghjn.bazar
adggklbeigko.bazar
afegkmbgggkp.bazar
bchgjlcdjgjo.bazar
bffhklcghhko.bazar
nnotifytgame.bazar
thegame.bazar

# Reference: https://twitter.com/ffforward/status/1356571665648537601
# Reference: https://urlhaus.abuse.ch/browse/tag/BazarCall/

compact-ssd.us
compactstorage.us
compssd.us
intimylingerie.us
toptipsoffice.us
toptoffice.us
tt-office.us
ttoffice.us
ttoffices.us

# Reference: https://twitter.com/ffforward/status/1358863187748282368
# Reference: https://app.any.run/tasks/c3e540e5-8fc5-4bd0-8477-5f497c6ef22c/

34.210.71.206:443
34.213.138.61:443
54.241.149.90:443
acegikbcggin.bazar
acegilbcggio.bazar
acegimbcggip.bazar
acegjkbcggjn.bazar
acegjlbcggjo.bazar
acegjmbcggjp.bazar
acegkkbcggkn.bazar
acegklbcggko.bazar
acegkmbcggkp.bazar
acehikbcghin.bazar
acehilbcghio.bazar
acehimbcghip.bazar
acehjkbcghjn.bazar
acehjlbcghjo.bazar
acehjmbcghjp.bazar
acehkkbcghkn.bazar
acehklbcghko.bazar
acehkmbcghkp.bazar
aceiikbcgiin.bazar
aceiilbcgiio.bazar
aceiimbcgiip.bazar
aceijkbcgijn.bazar
aceijlbcgijo.bazar
aceijmbcgijp.bazar
aceikkbcgikn.bazar
aceiklbcgiko.bazar
aceikmbcgikp.bazar
acfgikbchgin.bazar
acfgilbchgio.bazar
acfgimbchgip.bazar
acfgjkbchgjn.bazar
aeghkkbeihkn.bazar
bcfijmcchijp.bazar
cfhgjldfjgjo.bazar
efehilffghio.bazar
obpharmacy.us
snutrition.us

# Reference: https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day
# Reference: https://otx.alienvault.com/pulse/602ecfb40524de16ef1b6fa3/

http://18.188.232.155/investigate/discharge/partially2
http://18.188.232.155/leading/crisis26/snow11
http://18.236.86.87/organization/round_table
http://34.210.71.206/artists/id/13131
http://34.210.71.206/home/static
http://34.210.71.206/news/article/12422
http://34.212.73.169/organization/round_table
http://34.220.167.220/organization/round_table
http://34.220.204.73/exceed/requested7/ppd15
http://52.12.160.92/blog/entry/361446
http://52.12.160.92/exceed/requested7/ppd15
http://52.12.160.92/goods/itemid/124324
http://54.190.50.234/organization/round_table
cacla2006.org/achlom/hamin.php
cutedigitalphotography.com/vitrum/caretas.php
homeprojectplanning.com/germes/sanertl.php
horsehospital.com/assebles/hamnab.php
morrislibraryconsulting.com/favicam/gertnm.php

# Reference: https://twitter.com/jfslowik/status/1362453716230492166

basketandgoal.us
chasingflavour.us
cookingvillage.us
crazytrends.us
dacklera.us
famouscuisine.us
freekick.us
funshowbiz.us
iconiccook.us
infototal.us
midcourtgoal.us
penaltyshot.us
totalshowbiz.us

# Reference: https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/

ceeiildegiio.bazar
ceeiimdegiip.bazar
ceeijkdegijn.bazar

# Reference: https://www.proofpoint.com/uk/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware
# Reference: https://www.virustotal.com/gui/file/540c91d46a1aa2bb306f9cc15b93bdab6c4784047d64b95561cf2759368d3d1d/detection

centralbancshares.com
gariloy.com
liqui-technik.com

# Reference: https://twitter.com/z0ul_/status/1374121916143919106

3.14.85.24:443
3.137.152.31:443

# Reference: https://twitter.com/executemalware/status/1374100169747267599
# Reference: https://pastebin.com/0dmZaAgj

35.168.81.240:443

# Reference: https://twitter.com/z0ul_/status/1374129456411906048
# Reference: https://www.virustotal.com/gui/file/e99a54ca11fd5e27c5085c24304103a348fa2a550ea1fa934fca541551c511d6/detection
# Reference: https://www.virustotal.com/gui/file/c8768444c9e489989a6610537ecb1bc204216e0b0880079e6d9e561e56dc60a8/detection

3.137.152.31:443
34.219.157.178:443
35.166.81.240:443
54.91.125.140:443

# Reference: https://twitter.com/pmmkowalczyk/status/1374321802105733121

aeghikanihin.bazar
affiklaohiko.bazar
bcegkmblggkp.bazar
bcfhikblhhin.bazar
coldmountainsanimals.bazar
rareanimalsofcanada.bazar
wildwinternature.bazar

# Reference: https://twitter.com/malware_traffic/status/1375237822941134850
# Reference: https://app.any.run/tasks/ef6d19a8-ff03-46d2-9e78-6893ed577889/
# Reference: https://www.virustotal.com/gui/file/d3fa691696a8909efdd54e5cd4bb8310aaa72a5b3a7628700e3404494214bda9/detection

18.188.109.70:443
3.89.160.167:443
34.239.255.128:443
/studio/cut_the_crup

# Reference: https://twitter.com/Unit42_Intel/status/1379875382699167752

13.57.235.224:443

# Reference: https://isc.sans.edu/diary/27308

veso2.xyz

# Reference: https://unit42.paloaltonetworks.com/bazarloader-malware/
# Reference: https://github.com/pan-unit42/iocs/blob/master/BazarCall/Appendix-B.txt

bluecartservice.com
bluecartservices.net
bookpoint.us
bookspace.us
bookspoint.us
bookworld.us
buyimers.us
ebookreading.us
ebookstoread.us
ebookworld.us
geticart.us
getmers.us
gobcs.us
goimed.us
icartservice.app
icartservice.net
icartservice.org
imedservice.app
imedservice.net
imedservice.org
imerservice.net
merservice.net
merservice.org
pointbook.us
pointbooks.us
readebook.us
readebooks.us
subsbookpoint.us
worldbookpoint.com
worldbooks.us
worldebook.us

# Reference: https://twitter.com/malware_traffic/status/1395158205811068930
# Reference: https://www.virustotal.com/gui/ip-address/8.211.2.246/relations

justpayless.co
justpayless.net

# Reference: https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html (# Win.Malware.BazarLoader-9861103-1)

aeehjkalghjn.bazar
afeijlamgijo.bazar
cfgiimcmiiip.bazar
defiildlhiio.bazar
eeehjlelghjo.bazar
lbesthl3alyxgame.bazar
lbesthlalyxgame.bazar
lbeststalkergame.bazar
lrusalyxbestgame.bazar
lrusstalker2game.bazar
lstalker2game.bazar
thegame.bazar

# Reference: https://twitter.com/malware_traffic/status/1405301208315793411
# Reference: https://twitter.com/malware_traffic/status/1405301516307685376
# Reference: https://tria.ge/210616-ajt6zhz84j
# Reference: https://tria.ge/210616-4d911qr6pa/behavioral1

http://172.83.155.161
http://195.123.220.85
172.83.155.161:443
195.123.220.85:443
cg4824pvtrn4ao.xyz
vcophoto.com

# Reference: https://twitter.com/joeynoname/status/1405725164449509376
# Reference: https://twitter.com/InQuest/status/1400152806674288645
# Reference: https://twitter.com/InQuest/status/1400880724748779524
# Reference: https://www.virustotal.com/gui/file/94e0fb454ceac3661246c926658b44aa56167d0f988dd3c4c4bd3c8143f9af26/detection
# Reference: https://www.virustotal.com/gui/file/cf80a2ad1e4a809e0fe6d2974e953a9d3d8bbd1d91479b625365273bd41c6e26/detection

173.232.146.155:711
ciscoupdate.net
mcsoft365.club
micrsoft365.live
th4c910ma9puls.xyz
ufjr137kv8f0d.xyz
vcophoto.us
vvbbvv.casa
zonerphoto.us
zonerphotos.com
/xe1t23ym0s.php

# Reference: https://pastebin.com/c6ZHyzT1

c5rff1iiovab251.xyz
dr4tlof3bz791b.xyz
emkb6hj843w6yl.xyz
entkun4811wi6y.xyz
j107dnv1y4vffm.xyz
k1e04ixsdcp7e3.xyz
m78n7p57dgmqvj.xyz
nrb4fu008jfbq6.xyz
opz0n402ze7jry.xyz
sknmb3d88are95.xyz
u5yb42ean3pz9j.xyz
vkf1q9ldovd393.xyz

# Reference: https://twitter.com/James_inthe_box/status/1408143664619016196

195.123.211.5:443
downloadm.xyz

# Reference: https://twitter.com/MBThreatIntel/status/1408464646546276355
# Reference: https://twitter.com/MBThreatIntel/status/1408464648698011648

194.15.113.116:443
45.148.120.77:443
microsont.xyz

# Reference: https://twitter.com/joeynoname/status/1408062054884286476

downloadup.xyz
downloaws.xyz
downlo4d3.club
downlod1.xyz
download2host.club

# Reference: https://twitter.com/stoerchl/status/1408348262894014469

prepearcooking.us
prepearfood.us

# Reference: https://twitter.com/Mesiagh/status/1408507751928455168

finesse.ink
prepearinc.us
prepearink.us

# Reference: https://twitter.com/_re_fox/status/1409572692370595844

52.91.135.7:443
54.144.144.42:443
australiatourism.bazar
restinaustraliaplace.bazar
sightsofsydney21.bazar

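# Generic (URL paths matched on any host, so they carry a higher false-positive risk than the host-bound entries above)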

/23c55b2cb0637e6dfa0f80a62ca03dc3/
/bont/past
/bont/vnt
/pgta/a12
/pgta/a14
