# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/Antelox/status/768023996923277312

193.164.131.58:10000

# Reference: https://twitter.com/James_inthe_box/status/1080521422823337984

193.42.107.7:3687

# Reference: https://twitter.com/ostinjohn/status/994560995615039488
# Reference: https://www.hybrid-analysis.com/sample/3aca697f1ac623ac970764dd1b248339d03f18acd5ba1b4a443ff9d5016f8e4e/5af3d6237ca3e179812bdfc5

178.238.230.52:3828
178.238.230.52:6828
178.238.230.52:11226

# Reference: https://twitter.com/Antelox/status/810488762140684288
# Reference: https://www.virustotal.com/gui/file/f0b27a8c47f6d9f82489e0e5fba75f70fab8acdbb63b05c93cb3cceec90295ae/community

37.48.84.229:9901

# Reference: https://twitter.com/Antelox/status/770613975662796803
# Reference: https://www.virustotal.com/gui/file/c88095a28fea80409da7b2fc601b4c68828f0d31b7faebe4453217887f9e3241/community

5.189.161.200:7865

# Reference: https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf (# Crimson C&C)

bhai123.no-ip.biz
bhai1.ddns.net
sudhir71nda.no-ip.org
178.238.228.113:7861
193.37.152.28:9990
213.136.87.122:10001
5.189.143.225:11114

# Reference: https://twitter.com/killamjr/status/1190456533588598784

139.28.36.82:53631

# Reference: https://twitter.com/DynamicAnalysis/status/1197938882026901504

5.196.210.44:33401

# Reference: https://twitter.com/DeadlyLynn/status/1213338265308155904
# Reference: https://www.virustotal.com/gui/file/6078b55381e39779f915032533a93d725bab98982b303998fa8ba2ecfc675737/detection
# Reference: https://www.virustotal.com/gui/file/ecd7d7a27a2a043919a233bb91e3b009c05b7c81ff132a7c29228e1c45d2b6a6/detection

167.114.138.12:6828

# Reference: https://twitter.com/DynamicAnalysis/status/1220432888019214337
# Reference: https://medium.com/@dinu135dk/revive-of-crimson-rat-6b8838920c02

160.20.147.59:2987
bjorn111.duckdns.org
newsupdates.myftp.org

# Reference: https://www.virustotal.com/gui/file/d27474625cdc0c3456918edfa58bfaf910c8b98c6168a506ac14afc1a41fb58f/detection

192.169.69.25:2987

# Reference: https://app.any.run/tasks/9ca972d6-3574-4d85-bd68-a9cd26c203ee/

185.140.53.91:6711

# Reference: https://twitter.com/malwrhunterteam/status/1229780080517357568

64.188.25.232:3263

# Reference: https://twitter.com/w3ndige/status/1235184651699998721
# Reference: https://www.virustotal.com/gui/file/370a108b98b8652aacd4acec5d140cab685291ad77e2a4a0821734aad614eb6a/detection

185.174.100.63:34891
185.174.100.63:3920
transfer-shopping-malls.webredirect.org

# Reference: https://app.any.run/tasks/8527edcf-6459-48f6-aee2-85eaf817571c/

198.46.177.73:6421

# Reference: https://twitter.com/killamjr/status/1232071072096239617
# Reference: https://app.any.run/tasks/2eeeb372-d6ba-4f9f-add7-8b1532f938ec/

alrazi-pharrna.com

# Reference: https://twitter.com/_re_fox/status/1236483115037704192

198.46.168.28:2581

# Reference: https://twitter.com/_re_fox/status/1235941826634354688
# Reference: https://app.any.run/tasks/d8b93681-2730-4d03-b796-c52562260328/

181.215.47.169:3368

# Reference: https://twitter.com/_re_fox/status/1232493185475104771

107.175.64.209:6728

# Reference: https://twitter.com/_re_fox/status/1232402275181703169

185.136.163.197:4442

# Reference: https://twitter.com/srcr/status/1232288977790668801

185.244.30.102:4590

# Reference: https://twitter.com/killamjr/status/1232071072096239617

185.244.30.102:4950

# Reference: https://twitter.com/_re_fox/status/1237740569293701120

64.188.25.205:3692

# Reference: https://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/
# Reference: https://otx.alienvault.com/pulse/5e6fa2a12088756147d24648

email.gov.in.maildrive.email

# Reference: https://app.any.run/tasks/7fe802ae-9d74-4e40-91e3-bb65cd06a458/

107.175.95.107:6790
westvalleyhospicecare.theworkpc.com

# Reference: https://www.virustotal.com/gui/file/9f7bc1ac97d28d614f9b1965709a284511b9b13f3bd9685707f8f377b949efe5/detection

78.159.131.80:10001
superingtest.zapto.org

# Reference: https://app.any.run/tasks/250c2c2d-fdfb-4f46-8565-a9b2538c1ace/

107.175.64.251:6286

# Reference: https://twitter.com/_re_fox/status/1280221170307137538
# Reference: https://app.any.run/tasks/3b6fa50a-2496-400e-b7cf-fd2d4d48f405/

173.212.226.184:3169

# Reference: https://app.any.run/tasks/26933c3a-127f-4b12-8396-8684d7bdec44/

185.136.161.124:8761

# Reference: https://twitter.com/JAMESWT_MHT/status/1290952335192195072
# Reference: https://www.virustotal.com/gui/file/f2e2cb71a06ac2a95a02168fc3d91f160e6e07ca19c5e6d3d708a9a486dd3f92/detection

193.142.59.56:1131
lawdvmercy.site

# Reference: https://www.virustotal.com/gui/file/6d3982d6c6ca753d6d1daa71d88678c07718dd1919a874959a0c7975619c37fc/detection

151.106.56.32:3561

# Reference: https://www.virustotal.com/gui/file/db37f6755e954367a3365c3264e3916e5fd00c4c3e4c609515fa8599d36ca681/detection

64.188.26.219:4820

# Reference: https://securelist.com/transparent-tribe-part-1/98127/
# Reference: https://www.virustotal.com/gui/file/a860ba3861df2ae0add2b695071c04468f83c0973525519d62679dd4cd4d0026/detection
# Reference: https://www.virustotal.com/gui/file/59c6721a5ec5f97ef9b35e17057a5edb4f0075d1430c0cbd3eecfd44ccfe272c/detection
# Reference: https://www.virustotal.com/gui/file/e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132/detection
# Reference: https://www.virustotal.com/gui/file/d2cc95b72c3e72b3888e9fa35f6fe0563f9dbbd08b76d0c3546065ceca3c5961/detection

173.212.192.229:3364
173.212.192.229:8264
173.249.14.119:6865
newsbizupdates.net
uronlinestores.net

# Reference: https://twitter.com/ShadowChasing1/status/1298268550340067329
# Reference: https://twitter.com/CyS_Centrum/status/1298565025985069057

209.127.16.126:4768
209.127.16.126:6758
209.127.16.126:11066
209.127.16.126:14824
209.127.16.126:18614

# Reference: https://twitter.com/ShadowChasing1/status/1304347789917212672
# Reference: https://www.virustotal.com/gui/file/9e305566f7d342adc8eaf30471aa3eb95c049acffc742ae23a5830a44f96e51d/detection

185.174.102.105:2991
tasnimnewstehran.club

# Reference: https://www.virustotal.com/gui/file/a5f02bb70acdf335bed9c0fc8439ab3a220027a28c7eb44f459afda0ec7b62eb/detection

151.106.14.125:6818

# Reference: https://www.virustotal.com/gui/file/137c059adda4df22eb29785fada54ebc00a22d150bfdc423f87ff1f6093bd827/detection

185.136.161.124:11614

# Reference: https://www.virustotal.com/gui/file/87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad/detection

185.136.161.124:6128

# Reference: https://www.virustotal.com/gui/file/60d46513d3473c2cb4fdfcf64229f4e99d1e202a2f840503d77fa07978dcb025/detection

104.227.97.53:2548

# Reference: https://twitter.com/mg2_tracy1/status/1314754343124365312
# Reference: https://www.virustotal.com/gui/file/dba5d00a87ad96b74d234d1415ca5172285cd7d781556d45b6609fd738bfc747/detection

172.245.247.112:3878
172.245.247.112:5648

# Reference: https://www.virustotal.com/gui/file/e3fe87254b405fa132a52daf1651d2ff11296691131956bf3f0059031135dcdd/detection

45.147.231.191:3626

# Reference: https://twitter.com/_re_fox/status/1317499039932362753
# Reference: https://app.any.run/tasks/355396a2-6711-4750-98ec-e492625d4d54/

45.147.231.191:8226

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1338192738135789570
# Reference: https://www.virustotal.com/gui/file/47b99e50430e9abad7326d1837ecdda5f995112b0b12406d23df5ef603d52a4e/detection
# Reference: https://www.virustotal.com/gui/file/b9446d663f2aef34efdb579ae02e62923b5c3bc02b9d0fe537f5974ae439a422/detection
# Reference: https://www.virustotal.com/gui/file/5a449782c6d286a5af7fd5cbab5d5d46dd4dd153cbc46e4aeae0ea54f2785980/detection

64.188.12.126:6658

# Reference: https://app.any.run/tasks/b129aead-e7cb-4ba7-ba72-842644cf7c97/

173.212.246.247:4368

# Reference: https://twitter.com/_re_fox/status/1337411756818395136
# Reference: https://www.virustotal.com/gui/file/5920a3300107b7b1cf8c230a071a0e5f2f5ff5941a5c450ef911582a7ce08346/detection

45.32.151.155:6126

# Reference: https://twitter.com/ShadowChasing1/status/1369196724544106504
# Reference: https://www.virustotal.com/gui/file/4c8e0459524380a9f00ffc58913f461c3e1d8737dd18252881f09e2d416e4f73/detection

172.245.87.12:6276

# Reference: https://twitter.com/ShadowChasing1/status/1397419326160793600
# Reference: https://www.virustotal.com/gui/file/eb7c34343944a6ae52b052bb263d29e2c627368aeee2080da0481f33a72f2085/detection

142.105.157.110:8181

# Reference: https://twitter.com/teamcymru_S2/status/1402607930046832645

185.136.169.139:14565
185.136.169.139:20555
185.136.169.139:28443
185.136.169.139:4561

# Reference: https://www.virustotal.com/gui/file/5f736d23d5d7f7382afb78acdc3b125ec101c0629327fb9a7fc5545b32ec0c38/detection

167.160.166.80:12214
167.160.166.80:16441
167.160.166.80:18822
167.160.166.80:6288
167.160.166.80:8868

# Reference: https://www.virustotal.com/gui/file/e052a90bdb716da64928b1286d86b3670efe5192115175ba25bf0c191398323d/detection

104.144.198.105:12816
104.144.198.105:14572
104.144.198.105:16286
104.144.198.105:4289
104.144.198.105:6722
