# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: kinsing

# Reference: https://www.lacework.com/h2miner-botnet/
# Reference: https://zhuanlan.zhihu.com/p/101220054

http://45.10.88.102
http://91.215.169.111
http://139.99.50.255
http://46.243.253.167
http://195.123.220.193

# Reference: https://www.lacework.com/h2miner-botnet/
# Reference: https://github.com/lacework/lacework-labs/blob/master/blog/h2miner.csv
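# Reference: https://otx.alienvault.com/pulse/5e7baacc3c7b8864552f6774
# Note: 139.99.50.255, 45.10.88.102, 46.243.253.167 and 91.215.169.111 below repeat entries already listed in the first group of this file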

http://139.99.50.255
http://142.44.191.122
http://217.12.221.12
http://217.12.221.244
http://45.10.88.102
http://46.243.253.167
http://82.118.17.133
http://91.215.169.111

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining/
# Reference: https://otx.alienvault.com/pulse/5ea068474577163bf614eb39

http://193.33.87.220

# Reference: https://labs.f-secure.com/advisories/saltstack-authorization-bypass
# Reference: https://twitter.com/blackorbird/status/1256944563668672513

http://206.189.92.32
http://217.12.210.192

# Reference: https://www.virustotal.com/gui/file/96589ba7818fae9282b7f69920b7e42b9847e24b7eadc76d6702cbfa293aa43e/detection
# Reference: https://www.virustotal.com/gui/file/20343854b8c348146bf17fe739ce9028a620f93116438291f1b0b89345e18520/detection

http://217.12.221.12
359328.selcdn.ru

# Reference: https://twitter.com/IntezerLabs/status/1298992385041473547

http://93.189.43.3

# Reference: https://twitter.com/r3dbU7z/status/1361235377869185024

http://92.242.40.225

# Reference: https://twitter.com/r3dbU7z/status/1361237420067422208

http://194.40.243.167

# Reference: https://twitter.com/r3dbU7z/status/1361978671310000129

http://194.38.20.199

# Reference: https://twitter.com/r3dbU7z/status/1374715716323188743

http://192.153.76.184
479.bf.run

# Reference: https://www.lacework.com/carbine-loader-cryptojacking-campaign/
# Reference: https://github.com/lacework/lacework-labs/blob/master/blog/carbine_loader_iocs.csv
# Reference: https://otx.alienvault.com/pulse/607e03d9ebfec697172c4b07
# Reference: https://www.virustotal.com/gui/file/4ae513b6f46132aec7d1c268e6ee981af1ac0ab6d92c448c7c9bdedd63e3c303/detection
# Reference: https://www.virustotal.com/gui/file/5f19a959b36c2696ef95873017b48ab03c3ae83ecae2ea5092a30fb6179f5c7c/detection

185.183.84.197:8080
jquery-dns-07.dns05.com
sslcer.justdied.com

# Reference: https://www.virustotal.com/gui/file/0dc0d5e9d127c8027c0a5ed0ce237ab07d3ef86706d1f8d032bc8f140869c5ea/detection

http://45.9.148.85

# Reference: https://www.virustotal.com/gui/file/39ac019520a278e350065d12ebc0c24201584390724f3d8e0dc828664fee6cae/detection

http://85.214.149.236
85.214.149.236:443
oracle.zzhreceive.top

# Generic (URL path indicators with no host component)

/kinsing
/kinsing2
