# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/MaelSecurity/status/1039752010713718785

endbars.co
readact.co

# Reference: https://twitter.com/K_N1kolenko/status/1109030275395342336
# Reference: https://twitter.com/PhishFindR/status/1184743844962803712

kaosjdoaaf6.pw
kadosjdoafa.pw
kadosjdoaaf6.pw
hostyourhe.xyz
offerswides.xyz
/fk/f2.php
/hc/f2.php

# Reference: https://twitter.com/0x1xday/status/1115541156434202624

deluxemattress.ca

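# Reference: https://twitter.com/K_N1kolenko/status/1098500517272137728
# NOTE(review): the /googleads entry in this block carries no host, so its specificity rests on a short, generic-looking path alone; confirm against the reference that it is distinctive enough not to flag benign traffic, or pair it with the host it was observed on.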

cba.demdex.uk.com
hegorevent.online
/googleads

# Reference: https://twitter.com/K_N1kolenko/status/1097488279279226881

businesmol.pw
hegorevent.club

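# Reference: https://twitter.com/K_N1kolenko/status/1095997980614770688
# NOTE(review): 236.16.27.121 and 237.236.131.48 lie in 224.0.0.0/4 (multicast) and 242.5.247.180 lies in 240.0.0.0/4 (reserved), so none of the three can be a reachable server; presumably they are filler addresses carried in the sample's configuration (confirm against the reference). They can still match outbound connection attempts from an infected host, but should not be read as attributable infrastructure.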

unilear.pw
236.16.27.121:443
158.95.73.22:443
185.92.222.238:443
212.11.167.110:443
242.5.247.180:443
64.34.94.27:443
134.90.213.11:443
72.125.213.163:443
237.236.131.48:443
192.71.249.51:443

# Reference: https://twitter.com/malware_traffic/status/1119331956217585664

business4good.eu

# Reference: https://twitter.com/devnullek/status/1097871459752599552

driverssoftware.info
messagesupport.info
softwaresearch.info
traderssoftware.info

# Reference: https://twitter.com/James_inthe_box/status/1122156673299173377

frezyderm-orders.gr/sites/all/notused/not/ponto.php

# Reference: https://twitter.com/devnullek/status/1123208253566005248
# Reference: https://app.any.run/tasks/a86516d1-07c3-4417-b4ad-bd8ce026acee

piosnoksld.info
zaratoons.info
212.73.150.207:443

# Reference: https://twitter.com/0xE9FBFFFFFF/status/1140946344137416704

fiuiert.xyz
lulipcxulci.info
statusnim.info

# Reference: https://otx.alienvault.com/pulse/5d0b9cbf63180da44379580a
# Reference: https://research.checkpoint.com/danabot-demands-a-ransom-payment/

braksiolsa.top
brekwinarew.site
brukaisloap.club
brukiloapos.xyz
bruksialopws.icu
goskilindad.site
gousikolka.space
guksuoiew.top
gustemiaksa.icu
gustokiloe.xyz
jklfsdkfjhwefjosdf.top
jklfsdkfjhwefjosdf.xyz
kadosjdoaaf6.pw
kadosjdoaf6.pw
kadosjdoafa.pw
kadosjdoiafa.pw
kaosjdoaaf6.pw
kaosutdoaaf.pw
kaosutdoaaf6.pw
kdguwoewpew.pw
kdosjdoiafa.pw
kduwouewpew.pw
kipokahynr.top
kipokahynr.xyz
lidaskiheg.site
lidaskiheg.space
lindakiski.top
lnet4-data.com
mon-sta.com
muabolksae.club
muoklaiow.xyz
nautorern.xyz
net4-data.com
okjauwbueiws.top
okjauwbueiws.xyz
oneuisopeweh.icu
onueilsndsuywe.xyz
sfjskdjfwoiewwegroup.tech
thegiksjoute.online
thenautorern.tech

# Reference: https://twitter.com/Bank_Security/status/1146296727349157888
# Reference: https://pastebin.com/QyYHnKMH

derikaosos.info
sinoposdssf.info
statusnim.info
tefidnsops.info

# Reference: https://twitter.com/w3ndige/status/1164148967413878788
# Reference: https://app.any.run/tasks/5b6c027d-dc71-4d67-9dff-9343e8095969/

http://74.118.138.146
109.202.103.170:8733
213.152.161.229:8733
114.26.195.117:443
146.229.67.12:443
154.94.158.126:443
5.188.86.20:443
66.165.187.11:443
gazgrsrto.xyz

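# Reference: https://research.checkpoint.com/danabot-demands-a-ransom-payment/
# NOTE(review): this reference is already cited for an earlier block in this file; the domain list below repeats that block's entries and adds encrypter.webfoxsecurity.com and maintrump.org. Consider merging the two blocks so later additions and removals are made in one place.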

encrypter.webfoxsecurity.com

braksiolsa.top
brekwinarew.site
brukaisloap.club
brukiloapos.xyz
bruksialopws.icu
goskilindad.site
gousikolka.space
guksuoiew.top
gustemiaksa.icu
gustokiloe.xyz
jklfsdkfjhwefjosdf.top
jklfsdkfjhwefjosdf.xyz
kadosjdoaaf6.pw
kadosjdoaf6.pw
kadosjdoafa.pw
kadosjdoiafa.pw
kaosjdoaaf6.pw
kaosutdoaaf.pw
kaosutdoaaf6.pw
kdguwoewpew.pw
kdosjdoiafa.pw
kduwouewpew.pw
kipokahynr.top
kipokahynr.xyz
lidaskiheg.site
lidaskiheg.space
lindakiski.top
lnet4-data.com
maintrump.org
mon-sta.com
muabolksae.club
muoklaiow.xyz
nautorern.xyz
net4-data.com
okjauwbueiws.top
okjauwbueiws.xyz
oneuisopeweh.icu
onueilsndsuywe.xyz
sfjskdjfwoiewwegroup.tech
thegiksjoute.online
thenautorern.tech

# Reference: https://www.virustotal.com/gui/file/baa1a65fc9c1e7e68cd39efd486275b306c5f25a440bc06f9c0adfbd7ede22b6/detection
# Reference: https://app.any.run/tasks/5a323554-ea21-4a2d-a1d6-adff379b8ef9/
# Reference: https://twitter.com/Artilllerie/status/1168539710769303552

149.154.159.213:443
151.236.14.84:443
168.248.43.207:443
172.237.125.185:443
184.98.44.103:443
195.123.246.209:443

# Reference: https://twitter.com/ostinjohn/status/1169603418211737601
# Reference: https://app.any.run/tasks/5d945c76-26aa-45bb-8c6d-07cf2a635bdd/

139.113.48.33:443
149.154.159.213:443
149.53.185.172:443
187.198.70.207:443
195.123.246.209:443
2.255.189.191:443
222.175.52.161:443
58.58.210.181:443
81.63.70.192:443

# Reference: https://twitter.com/JAMESWT_MHT/status/1174239640011845638
# Reference: https://app.any.run/tasks/63239269-d5a9-478c-8314-6d67cae2c786/

fepolomokmmas.xyz
mustve.site
seioooi.xyz

# Reference: https://twitter.com/Mesiagh/status/1184533873545359360

bluewaters.space
djeudnsj.xyz
eroutks.co
euiobol.xyz
gontaseesl.website
gontaseonar.site
gontaseopa.site
gontaseopa.website
heuirnst.space
heuirnst.website
jeudnsjkd.xyz
jeudnsju.xyz
jeuisjr.xyz
joskaejw.club
loperatys.site
loreteo.xyz
loretoi.xyz
ujaioep.site
ujaioep.website

# Reference: https://app.any.run/tasks/9c77ec66-4d42-48be-ae11-2c97a9d2e528/

avgsupport.info
esetsupport.info

# Reference: https://twitter.com/w3ndige/status/1189301539535556614

everythingtogeta.xyz

# Reference: https://any.run/malware-trends/danabot (Note: as seen on 2019-12-04)

qxq.ddns.net
thuocnam.tk

# Reference: https://twitter.com/VK_Intel/status/1020236244020867072

http://176.119.1.112
farzona.co
/injj/777.php

# Reference: https://twitter.com/0xFrost/status/1205187802629070853
# Reference: https://www.virustotal.com/gui/file/995378f5a47357f7dc2dab638263cf42ab67f800b82df29d23ab29bb985cd80d/detection

digidimag.com

# Reference: https://twitter.com/K_N1kolenko/status/1209733370013519872

145.249.107.168:443
145.249.107.201:443
145.249.107.78:443
199.247.16.30:443
209.250.243.55:443
luxurylive.org

# Reference: https://twitter.com/Racco42/status/1217763274537754625
# Reference: https://twitter.com/Racco42/status/1217764284383596545

64.188.22.122:443
64.188.22.153:443
64.188.22.154:443
64.188.22.33:443
64.188.23.155:443

# Reference: https://www.virustotal.com/gui/ip-address/89.144.25.174/relations
# Reference: https://www.virustotal.com/gui/file/d37ed2e77d73875a20605a198986b008eb8b4c8bcfb84783b7b0f329ec1a5384/detection

113.102.102.121:443
186.174.47.177:443
89.144.25.243:443

# Reference: https://twitter.com/K_N1kolenko/status/1237322223586852865
# Reference: https://pastebin.com/2HbabLQa

formaulist.com

# Reference: https://twitter.com/K_N1kolenko/status/1240553870633336833
# Reference: https://www.virustotal.com/gui/ip-address/195.123.225.167/relations

digidonaud.com
finburgers.com

# Reference: https://twitter.com/K_N1kolenko/status/1209733370013519872

signin.luxurylive.org

# Reference: https://twitter.com/casual_malware/status/1239687496692387841
# Reference: https://app.any.run/tasks/0473bb63-11bc-4b98-864d-df00082d60cb/
# Reference: https://twitter.com/malwrhunterteam/status/1239628249136758786
# Reference: https://urlhaus.abuse.ch/host/corona-virus-map.net/

corona-virus-map.net
corona-map-data.com
202.195.34.6:443
/map1.jnlp
/map.jar
/mapdata.jar

# Reference: https://twitter.com/luc4m/status/1245750938465378304
# Reference: https://app.any.run/tasks/0f31129d-a473-4cd7-92fa-1ea817950f9e/

123.236.244.164:443
129.255.179.202:443
177.40.161.5:443
185.181.8.49:443
187.237.21.167:443
27.109.5.166:443
28.63.88.50:443
64.188.12.140:443
64.188.19.39:443
78.103.173.2:443

# Reference: https://twitter.com/w3ndige/status/1258128183527956487
# Reference: https://app.any.run/tasks/9448b002-1b67-48f5-beb7-f4ee357abb46/

172.81.129.196:443
192.236.179.73:443
192.99.219.207:443
23.82.140.201:443
45.147.228.92:443
51.255.134.130:443
54.38.22.65:443

# Reference: https://www.virustotal.com/gui/file/adc20c4626d99f2a35d7d58043b9b57946b21485ece1356e223d0b661824d9de/detection

sfsdfpizdatrtu.space

# Reference: https://app.any.run/tasks/e54dcc1c-ff39-41e4-a164-15d15c94414b/

2.56.213.39:443
5.61.56.192:443
5.61.58.130:443

# Reference: https://twitter.com/reecdeep/status/1261206870037008385

post-990094.at
172.81.129.196:443
192.236.179.73:443
192.99.219.207:443
23.82.140.201:443
45.147.228.92:443
51.255.134.130:443
54.38.22.65:443

# Reference: https://app.any.run/tasks/91d61bf3-e8a8-4df6-9c4f-ed087b0563e6/

post-990094.at

# Reference: https://twitter.com/w3ndige/status/1262652047884779521

belayedd.at

# Reference: https://app.any.run/tasks/93bccdd5-3204-4daf-aa30-26cf49722e45/

http://137.74.64.245
45.153.240.84:443

# Reference: https://app.any.run/tasks/3590ee62-eae7-4d2b-802c-2d02281ed82c/

45.153.240.84:443
192.236.161.25:443
93.115.21.108:443
173.234.155.181:443
2.56.212.137:443

# Reference: https://urlscan.io/result/13a9e931-a88e-43ec-8744-ee00294a7d98/
# Reference: https://www.virustotal.com/gui/ip-address/47.90.210.107/relations

impresscop.xyz

# Reference: https://twitter.com/killamjr/status/1351893396726624256
# Reference: https://app.any.run/tasks/177367bc-5d4c-498b-b54f-332e0548e39f/

47.254.174.158:1024

# Reference: https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot
# Reference: https://otx.alienvault.com/pulse/60108cc47e31884e434c0258
# Reference: https://www.virustotal.com/gui/file/c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d/detection

104.144.64.163:443
108.62.141.152:443

# Reference: https://twitter.com/wwp96/status/1365401963974828033
# Reference: https://twitter.com/wwp96/status/1365402205432541189
# Reference: https://app.any.run/tasks/aefe1a14-684e-4dae-bacf-52876bd4f630/

192.161.48.5:443
arizonacruz.com

# Reference: https://www.virustotal.com/gui/file/36f82bc3bcd30f18bb210cd10881cfe13e9a22e06e26930828bb6c8a951bfafe/detection
# Reference: https://tria.ge/210211-8wd7dd262x

104.168.156.222:443
134.119.186.199:443
172.93.201.39:443
192.236.192.241:443

# Reference: https://www.virustotal.com/gui/ip-address/34.90.236.200/relations
# Reference: https://www.virustotal.com/gui/ip-address/8.208.88.231/relations

breasuala32.top
breasuala57.top
breasuala63.top
breasualb24.top
breasualb27.top
breasualc17.top
breasuald52.top
breasuald74.top
breasuale31.top
breasualf37.top
breasualf62.top
breasualf64.top
breasualg54.top
breasualg72.top
breasuali12.top
breasuali45.top
breasuall73.top
breasualm44.top
breasualn34.top
breasualp22.top
breasualq11.top
breasualr41.top
breasuals42.top
breasualt15.top
breasualt47.top
breasualt51.top
breasualu35.top
breasualu67.top
breasualu71.top
breasualv14.top
breasualw21.top
breasualx77.top
breasualy25.top
breasualy61.top
cotraresa09.top
cotraresd11.top
cotraresf12.top
cotraresi07.top
cotraresm01.top
cotraresp08.top
cotraresq02.top
cotraresr04.top
cotraress10.top
cotrarest05.top
cotraresu06.top
cotraresw03.top
eressedb36.top
ewsjasea09.top
ewsjasei07.top
ewsjasep08.top
ewsjases10.top
fhjweheed74.top
fhjweheee75.top
fhjweheef62.top
fhjweheef64.top
fhjweheeg72.top
fhjweheeh13.top
fhjweheej23.top
fhjweheek33.top
fhjweheel43.top
fhjweheeu67.top
fhjweheeu71.top
fhjweheew65.top
fhjweheex77.top
fhjweheey61.top
lorearsb24.top
lorearsi12.top
lorearsp22.top
lorearsq11.top
lorearst15.top
lorearsv14.top
lorearsy25.top
luspaserg13.xyz
luspaserh14.xyz
luspaserj15.xyz
morfagrtem01.top
morteisati07.top
morteisatm01.top
morteisatq02.top
morteisatr04.top
morteisatt05.top
morteisatu06.top
morteisatw03.top
morteqabi07.top
morteqabu06.top
petroscm01.top
petroscq02.top
petroscw03.top
seetsaysaw03.top

# Reference: https://tria.ge/210412-tsf6alc8ka

192.3.26.107:443
23.106.123.141:443
23.106.123.185:443
23.81.246.201:443
