# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: elephantrat, gh0st, pcrat, smanagerrat

# Reference: https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html

bj6po.a1free9bird.com
beiyeye.401hk.com

# Reference: https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant
# Reference: https://otx.alienvault.com/pulse/5c9900511d123a6d16e75561/
# Reference: https://www.virustotal.com/gui/file/54f62979c8c7637af238093fbf204b1edb16e9ce7ca371f9f62c4039f934cede/detection
# Reference: https://www.virustotal.com/gui/file/d3dfa0f0582818e24caaccdda78c0b0833d30aa97a8ca9c43cacc7fe3bebab67/detection
# Reference: https://www.virustotal.com/gui/file/23414344a6c2afdec92a4679f7947b44498db151dff2822ca7c72d704c6e28e0/detection
# Reference: https://www.virustotal.com/gui/file/beade05902c2bd59b1aafe77e0a043766f5e507ac4024640f17ad1fe7c890d6c/detection
# Reference: https://www.virustotal.com/gui/file/cbd875b7f9516d4662526457c2132f17e4ac4596380202aac105bc3c146ea93a/detection
# Reference: https://www.virustotal.com/gui/file/d4dec64053fa6de0aa85fefd692ce71fb71d3cdd295e7169c8b9b9bd4210b023/detection
# Reference: https://www.virustotal.com/gui/file/ea49fbabc6f69ffc9f93993e3d7d5fe47f743fbdc1cc031557a8595fb1594d94/detection
# Reference: https://www.virustotal.com/gui/file/d4a21390dd9c85fe6f3b41038a4b270de055a30ad6f9500699775e3ae78d7fd1/detection
# Reference: https://www.virustotal.com/gui/file/77722a09b3cc0b17159e27433945548b3e6bd9160d4de4919b02ea6eea671111/detection
# Reference: https://www.virustotal.com/gui/file/8e1c369e8b470c9bad0aee715da300dda9a50db153a025b3c797c219d537bb68/detection
# Reference: https://www.virustotal.com/gui/file/6d79053611e0d0e2f586061636f337d27de51325b24070edefe08af7d9c5006d/detection
# Reference: https://www.virustotal.com/gui/file/88df6448d091acba48dfea761e5360d111f4f50acaf15b4bd2734d81a79ab21b/detection
# Reference: https://www.virustotal.com/gui/file/1f824c7b70667072964e4c08a372305cc78a0833beacad52b3e0d24a84e89065/detection
# Reference: https://www.virustotal.com/gui/file/0caf2987bca2ca7f644c2cb33099950eb8a5aebe03244ddf8de5e6f3fc8bf1cf/detection
# Reference: https://www.virustotal.com/gui/file/45a84d5bb8ce67685504a4409bf4604a500628e454e80ef3f3b832507a4cf855/detection
# Reference: https://www.virustotal.com/gui/file/af8f6c9a5a588e4d61913d54c2ae4fb3de2e50b43f57290b0657b11466a18779/detection
# Reference: https://www.virustotal.com/gui/file/dfe0e061279f0d67ba84bb4f945b0115b20759f6c48a91dd6c09782cb232266e/detection
# Reference: https://www.virustotal.com/gui/file/3b925244721054a15cbb845ba4b617e5c7c46d80ea1c78e7fa5d02bb2069553b/detection
# Reference: https://www.virustotal.com/gui/file/258b70d70b856484b65bdaaf4a5c23efb200b160af0babfb21ccd0679bd09749/detection
# Reference: https://www.virustotal.com/gui/file/d19bf8ad35b8d494e68ca817a324a4eac3d456a527c8963145e438db9c1e6924/detection

106.14.45.61:15963
106.14.45.61:18566
106.14.45.61:19637
106.14.45.61:19931
106.14.45.61:19932
106.14.45.61:19934
106.14.45.61:25553
106.14.45.61:25563
106.14.45.61:29931
106.14.45.61:3654
113.28.187.169:15963
113.28.187.169:18566
113.28.187.169:19931
113.28.187.169:3654
123.129.224.185:15963
123.129.224.185:18882
123.129.224.185:18883
123.129.224.185:19931
123.129.224.185:19932
123.129.224.185:3654
129.28.23.76:81
221.229.207.145:19931
221.229.207.145:3654
221.7.12.156:19637
221.7.12.156:19931
221.7.12.156:19932
221.7.12.156:19934
221.7.12.156:25553
221.7.12.156:25563
221.7.12.156:29931
221.7.12.156:3654
23.101.115.41:18566
23.101.115.41:19931
23.101.115.41:3654
43.229.153.122:19931
43.229.153.122:3654
58.218.66.180:19931
58.218.66.180:3654
60.169.10.86:15963
60.169.10.86:19637
60.169.10.86:19931
60.169.10.86:19934
60.169.10.86:25553
60.169.10.86:25563
60.169.10.86:29931
60.169.10.86:3654
61.147.125.184:19931
61.147.125.184:3654
95.211.102.25:19931
95.211.102.25:3654
mdzz2019.noip.cn
yuankong.info

# Reference: https://twitter.com/lazyactivist192/status/1112449219653193736
# Reference: https://www.virustotal.com/gui/file/f1cd38bbb504b38d115b5c127afa913572cef4233395416b5b08aff5f718cfea/relations

z-hacker-y.win

# Reference: https://twitter.com/Jan0fficial/status/1102912998975434752
# Reference: https://twitter.com/lazyactivist192/status/1168582672752566279
# Reference: https://pastebin.com/D2pUSzcS
# Reference: https://app.any.run/tasks/1837b1d1-a62c-4e1b-9223-b6d40dc32d9f
# Reference: https://www.virustotal.com/gui/file/2fcc9c48d5d8a5c6889ca3302fcaa9f6296a9e36b167526033a0371172ab1693/detection

haohai.hopto.org
ip.yototoo.com
116.196.18.237:8082
122.114.192.241:8082
139.196.209.127:923
183.104.6.120:923

# Reference: https://twitter.com/malware_traffic/status/949057588250865665
# Reference: http://www.malware-traffic-analysis.net/2018/01/04/index.html

etybh.com

# Reference: https://twitter.com/JAMESWT_MHT/status/843829412370046977

45.125.17.15:443

# Reference: https://medium.com/@Sebdraven/chineses-actor-apt-target-ministry-of-justice-vietnamese-14f13cc1c906

nicetiss54.lflink.com

# Reference: https://blog.talosintelligence.com/2019/06/threat-roundup-0607-0614.html (# Win.Trojan.Gh0stRAT-6993126-0)
# Reference: https://otx.alienvault.com/pulse/5d074c94248332bdb80099af

278267882.f3322.org
850967012.f3322.org
a3328657.f3322.org
a678157.oicp.net
cfhx.f3322.org
ddos-cc.vicp.cc
guduyinan.gnway.com
guduyinan.gnway.net
jie0109.hackxd.net
linchen1.3322.org
q727446006.gicp.net
touzi1616.com
xm974192128.3322.org
xueyang22.gicp.net
y927.f3322.org
zy520.f3322.org
sweety2001.dating4you.cn
paleb.no-ip.org
honeypus.rusladies.cn
marina99.ruladies.cn
youwave932.no-ip.biz
x.93ne.com
ns1.helpchecks.at
ns1.helpchecks.by
ns1.helpchecks.com
ns1.helpchecks.eu
ns1.helpchecks.info
ns1.helpcheck1.com
ns1.helpcheck1.net
ns1.helpcheck1.org
mskgh.ddns.net
yeswecan.duckdns.org
sabridz.no-ip.biz
mskhe.ddns.net
karem.no-ip.org
cdn.zry97.com
dmar-ksa.ddns.net
alkhorsan2016.no-ip.biz
amiramir.noip.me
katarinasw.date4you.cn

# Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0712-0719.html (# Win.Trojan.Gh0stRAT-7059563-0)

79575465.f3322.net
chhacke.win
cx820329965.f3322.net
e2.luyouxia.net
guxiaosen.f3322.net
labixiaoxin.e2.luyouxia.net
mf123.f3322.net
mingyemo.3322.org
yaoyao.f3322.net

# Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0719-0726.html (# Win.Dropper.Gh0stRAT-7073937-0)

1321.f3322.org
254143.f3322.net
53ca.meibu.net
feng12763.3322.org
jwl520.xicp.net
pass.5sfox.com
pzss.f3322.org
pzss.foxdos.cc
separa.f3322.org
wfs2015.f3322.net

# Reference: https://twitter.com/P3pperP0tts/status/1157179581348163584

haohai.ddns.net

# Reference: https://twitter.com/dcTavvy/status/1168906154602373122

154.221.22.25:8080

# Reference: https://twitter.com/killamjr/status/1196089316986032128
# Reference: https://app.any.run/tasks/3d38cda0-3987-49e4-aa1c-d72ecd82e997/

106.54.57.80:8080

# Reference: https://www.virustotal.com/gui/file/89e9b8338dcf5e6fedee17b76dd2416dc83f3e2476f0cea77de9f0fa56754f2c/detection
# Reference: https://www.virustotal.com/gui/file/80b01aa49dd4812b5a4b9d15bc8800c4ee1eeaea6897f6475e00d680771ae703/detection

106.54.57.80:80
106.54.57.80:94

# Reference: https://blog.talosintelligence.com/2019/12/threat-roundup-1129-1206.html (# Win.Dropper.Gh0stRAT-7414189-0)

107.163.241.193:6520
107.163.56.251:6658
host123.zz.am

# Reference: https://twitter.com/pancak3lullz/status/743123575146586112

183.61.165.228:8000
243145432.f3322.org

# Reference: https://twitter.com/securiteoff/status/739622863485931520

qqqq374281.f3322.org

# Reference: https://twitter.com/pancak3lullz/status/739619999334031360

115.239.229.196:8090

# Reference: https://twitter.com/lazyactivist192/status/1214302017981702144

1j5p551644.iok.la

# Reference: https://www.virustotal.com/gui/file/b8d20eeb7bc3ec8451c72b69b4d2defd9c3981be6cc8b6ba6935a1a724e6d041/detection

218.94.148.242:2015
218.94.148.242:2554

# Reference: https://www.virustotal.com/gui/file/c29621bf50fb69d65de52b6e41a590eb6f804359008324936b94b4e7ec59d812/detection

61.142.176.23:2014

# Reference: https://app.any.run/tasks/2624d66e-c37e-4f50-a199-c5eddd8a1cf1/

xilongxi.net
45.138.209.61:8080

# Reference: https://blog.talosintelligence.com/2020/02/threat-roundup-0131-0207.html (# Win.Worm.Gh0stRAT-7571319-1)
# Reference: https://www.virustotal.com/gui/file/c3d1a51bc8f0bd2dca95900d274d575d3d2fd50cdb128f78877d25a5beba7fc9/detection

67.198.149.218:6720
67.198.149.220:8590

# Reference: https://twitter.com/Vishnyak0v/status/1226873846504075264
# Reference: https://www.virustotal.com/gui/file/f96adc9e046ecc6f22d3ba9cfea47a4af75bcba369f454b7a9c8d7ca3d423ac4/detection

192.225.226.217:80

# Reference: https://www.virustotal.com/gui/file/4a7cf906c8cc871176d0702245953eeee5065f9651186cd8ae594e6835b8a8eb/detection

192.225.226.217:8443

# Reference: https://www.virustotal.com/gui/file/ade0514ccb90c39a61ab8a4c16818fbcd352984e2a26b2ffcd92165975e07fd5/detection

192.225.226.217:443
192.225.226.217:53

# Reference: https://app.any.run/tasks/3987798b-6cbe-4236-955e-2413166ef9f9/

137.220.135.36:8000

# Reference: https://app.any.run/tasks/0611a18e-76be-468a-bfc3-d9491b8f9003/

vip38000a.com
30.554205.com

# Reference: https://app.any.run/tasks/12956eb4-d209-4449-9e63-09ee83a64714/

183.236.2.18:8888
haidishijie.3322.org

# Reference: https://twitter.com/wwp96/status/1232326236636090370
# Reference: https://otx.alienvault.com/pulse/5e526a70e6dc03c41340eceb

425rt.rapiddns.ru
ref.tbfull.com

# Reference: https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf
# Reference: https://otx.alienvault.com/pulse/5e5542330b83d1a8b5dc1f27

cloud.newsofnp.com
load.collegesmooch.com
ssl.newsofnp.com

# Reference: https://www.threatcrowd.org/malware.php?md5=55d149450d27b69d3ad00287a9164c02

chdvks88.dns0755.net

# Reference: https://www.virustotal.com/gui/file/60d7cae08475fb78cab77e09df43468cc0f6d2f01f847fc7582f56731672b0e8/detection

101.200.58.177:16233

# Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html (# Win.Trojan.Gh0stRAT-7603864-1)
# Reference: https://www.virustotal.com/gui/ip-address/210.222.25.223/relations
# Reference: https://www.virustotal.com/gui/ip-address/113.214.1.34/relations

113.214.1.34:52
117.78.50.197:333
210.222.25.223:7718
210.222.25.223:7748
cq52.top
w1464642840.f3322.org
xiaoxinzadan.gicp.net

# Reference: https://www.virustotal.com/gui/file/fe4625e54603f5c382ab06f0ed1b231e23cbf5bd84f5c30d62e7978217ccea84/detection

210.222.25.223:8562

# Reference: https://www.virustotal.com/gui/file/a67acdaf14970b6fc528707c959554dc76e3869d4d63001fe4f3862e1ad21a05/detection

107.163.56.243:18963
107.163.56.246:18530

# Reference: https://www.virustotal.com/gui/file/370b81561ce4692c46baaa8f64c06d65dad9f816fdda51261a69bedcf93586b7/detection

107.163.56.250:18963

# Reference: https://www.virustotal.com/gui/file/a0eca39b75b4d86e2d363c3200c5b8e0542da3a94ca0e06294c356fab5a5d1c9/detection

107.163.56.245:18963

# Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0320-0327.html (# Win.Keylogger.Gh0stRAT-7639975-0)
# Reference: https://www.virustotal.com/gui/file/0349a3917f7f5a79f7edb0b0573acefcda39e51db6ff44456e339e88f422c129/detection
# Reference: https://www.virustotal.com/gui/file/4228b03f92fecdd4333d791397ea6dcf109b78ebd518165e5c424028511434da/detection
# Reference: https://www.virustotal.com/gui/file/64e9703811f78071523f5f493b2ea39435dcd405a20f6bc1ee644cb83dfd8917/detection
# Reference: https://www.virustotal.com/gui/file/89346a8fbd4d9fd02887a508c02e4d3a0b1f45dfa43672cf8dff84efef316a3c/detection
# Reference: https://www.virustotal.com/gui/file/5789ece7e834c45289e85ec65358f422b4562635a3a918b18e22ed4a64daddf3/detection
# Reference: https://www.virustotal.com/gui/file/5789ece7e834c45289e85ec65358f422b4562635a3a918b18e22ed4a64daddf3/detection
# Reference: https://www.virustotal.com/gui/file/0f1efaaa2da0908afd3582e9bac7e9542f3acaac422f4d22c0145cd6a7748a73/detection
# Reference: https://www.virustotal.com/gui/file/e7502dfbc56b998b54e0944758b3fe7b2dd55b06043764b1ebf36f280cb92344/detection
# Reference: https://www.virustotal.com/gui/file/c1d7a774961bd01b96e4d8161632af09b97e3a6f85325dfcd08173282cc819b1/detection

106.9.144.132:7777
106.9.146.161:7777
116.62.168.250:24649
123.207.217.39:90
129.28.191.60:8000
129.28.191.60:99
174.128.255.252:8000
183.131.80.101:90
43.248.201.209:27268
49.232.147.19:8080
8686.f3322.net
ccidc.f3322.net
qqqqdddd.e2.luyouxia.net
qyefeng.vicp.net
wzbbk.com

# Reference: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html (# Win.Trojan.Gh0stRAT-7737919-0)

1.93.49.73:2012
104.143.150.115:2012
142.4.97.105:2012
155604.f3322.org
182.91.107.168:2012
192.210.63.230:2012
198.74.98.230:2012
aa7899.f3322.org
j8666.f3322.org
jiuyin.f3322.org
kingsir.6600.org
linlinwoaini.f3322.org
q1299771210.f3322.org
qq0104.gicp.net
songkeliang.eicp.net
vves.3322.org
wuer1985.9966.org
xiaoxiannv.gnway.net
xiaozijun.f3322.org
xyllz.com
yangman520.f3322.net
youlanxiangyin.vicp.cc
yzc110110.meibu.net
zuoyi5201314.5166.info

# Reference: https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html
# Reference: https://otx.alienvault.com/pulse/5edfe5c18832f5af1aaf33e3

45.76.6.149:443
comcleanner.info
mlcrosoft.site

# Reference: https://www.virustotal.com/gui/file/3179a8de034c4547ed9b45898cf60a73816e8b6363e53c7e8aeda0fe17499f1d/detection

103.133.177.250:4563
quasa.ddns.net

# Reference: https://www.virustotal.com/gui/file/68844c9403b2b7357050755b9729b21fd22bb4986b5cbf627685a59413c0e1ab/detection

103.40.101.68:4563

# Reference: https://www.virustotal.com/gui/file/42ee8000ef9f2084b5ecffb1d2ca8889615ec58856785eccab3c8f87c53178ae/detection

43.248.11.151:4243
pclient.ddns.net

# Reference: https://app.any.run/tasks/b584a05c-2f6d-47cf-83e7-657b2e0cf4b1/

http://118.107.47.110
118.107.47.104:8000
118.107.47.104:8001

# Reference: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html (# Win.Packed.Gh0stRAT-9776529-0)
# Reference: https://www.virustotal.com/gui/file/086a43e783b6301d5758f43bce59a71908c7beb9f31afd3c88bde7d89081db6b/detection

122.114.28.118:3522
xmrminer.f3322.net

# Reference: https://app.any.run/tasks/be0fe876-bcf2-4de7-9ff0-9df1935d0e3b/

103.74.173.145:6688
pc.8686dy.com

# Reference: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html (# Win.Dropper.Gh0stRAT-9786931-0)

1x1elma7.xiaomy.net
22i5b37672.51mypc.cn
2313u080t2.imwork.net
232mr66094.iok.la
26k4593i06.51vip.biz
273o4d5660.wicp.vip
27ow345733.wicp.vip
2z213948z7.iask.in
a731940742.gicp.net
y2291815a1.51mypc.cn

# Reference: https://app.any.run/tasks/4d47550f-cc3b-4b49-8af8-0ccad1760a9e/

27.124.10.245:4753
syy.skt-one.com

# Reference: https://twitter.com/wwp96/status/1327897784213794816
# Reference: https://app.any.run/tasks/e5baf985-6f1d-48ac-bcf2-1302d4a3086d/

143.92.57.83:8001
143.92.57.83:8080

# Reference: https://www.virustotal.com/gui/file/99d47a61b580eedd39efa6d6c7fb9d13fa1fca3c9fe628cee0f49f1c8f97e8db/detection

xiaohai2013.f3322.org

# Reference: https://otx.alienvault.com/pulse/5fc0eb77569dc57d9686fb39

graceland777.ddns.net
mitty1.freemyip.com
williamz20.ddns.net

# Reference: https://otx.alienvault.com/pulse/5fc8d47bae040ead5cfc4767

cloudbase-init.pw
compprotect.com

# Reference: https://twitter.com/lazyactivist192/status/1216814092725506049

zjq1993.meibu.com

# Reference: https://twitter.com/_re_fox/status/1238188943587377155
# Reference: https://app.any.run/tasks/f2118744-26c3-4523-8e82-d7203e3bb1e4/

193.203.215.52:2011
online.update--microsoft.com

# Reference: https://www.virustotal.com/gui/file/12d847b384f2aa42db19236178ccd18cf39feb4f18477e48b957816c537d854c/detection

104.149.136.66:2011
mail.update--microsoft.com

# Reference: https://www.virustotal.com/gui/file/b739076d107965600dfdb92536faa8638deb6d0dcfba5fc6e653ec12853c215c/detection

live.korearac.com

# Reference: https://www.virustotal.com/gui/file/4c652657944ba7f09a4dbeff95ea66d69f7d82c3bea44808e0428935c513273b/detection
# Reference: https://www.virustotal.com/gui/file/4ecc8864e91febef66a6efc6538749e29af715f1a61807b78cd25efebe372449/detection

107.175.137.138:59170
211.149.209.11:59170
lijiejie.nat123.cc

# Reference: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html (# Win.Dropper.Gh0stRAT-9800485-0)

53074960.nat123.cc
bqcyyx.com
lht1361828085.3322.org
mingyemo.3322.org
seo.kfj.cc

# Reference: https://www.virustotal.com/gui/file/9b757b63b31061e0b77a31b5706911f223376283ace22140a415203cbe8040e3/detection

35084ea6.nat123.cc

# Reference: https://blog.talosintelligence.com/2020/12/threat-roundup-1204-1211.html (# Win.Dropper.Gh0stRAT-9802375-0)
# Reference: https://www.virustotal.com/gui/file/e347ced607de94a87801a27edc9b3faec0551829dbd78294748d93460e28346c/detection

118.193.233.10:7360
a13932873816.f3322.org
cescmouad.zapto.org

# Reference: https://twitter.com/wwp96/status/1337849110536347650
# Reference: https://app.any.run/tasks/8edcf322-5fba-49ea-a98e-dec554b3d9d0/

202.58.105.174:8000

# Reference: https://twitter.com/wato_dn/status/1356965355650863106
# Reference: https://twitter.com/kienbigmummy/status/1361965176451264517
# Reference: https://app.any.run/tasks/b91747ae-ea86-4875-9cbf-8a2b78487cc1/
# Reference: https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html

103.255.177.138:8080

# Reference: https://www.virustotal.com/gui/file/2fadd1cb04e54811ca3d3538b9833c254a31db8b875a96794d44aa49db3faa60/detection

43.248.201.209:21922
yg484698405.e2.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/dba5987cbe9958bb86bd08eeccdb72999e0327b032821c0b2df4ea5b537c4072/detection

43.248.201.209:29719
xiaok66.e2.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/429cd23868b064297dd5c536ea420152394b2b5210d8b1f6f1802d353759e7a6/detection

43.248.201.209:32520
xiaoren234.e2.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/e407517a144c10e6946082afded7cf7f6afbf4beb4808894fd6b7ac170830a85/detection

43.248.201.209:27140
mmp224460.e2.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/f711c717473bb221b7f39a6f13d2c1aaa9403f7fcc5791dc53c38468efead20d/detection

43.248.201.133:28672
hax0fdafda.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/9eed6ad63fd1688c0e906ef294a1c6f0489cb6356c3736584c12a34ceea0ff0d/detection

43.248.201.133:27731
damm25969.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/09291140c7cd8b73219fa7a95564ec75c54bbfea92dd92cbccfb47c6a7699736/detection

222.186.170.35:29802
zhangjian123.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/23ad910aadc455b38b41446ba7425cb891d00f3791d64c7cf8b2c7b47ddf1fe7/detection

43.248.201.133:2021
yindixiang.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/130a026be6e1c01d23c3a94052db892950dd00cf2195cc7e54d7e3add19f6278/detection

43.248.201.133:21727
fxd9988019.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/0a80a258c199b864b1de65ed260b2cfed02934eb1e51a45e89ae192fb3afa787/detection

43.248.201.133:28316
q3088429300.e1.luyouxia.net

# Reference: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html (# Win.Trojan.Gh0stRAT-9831483-1)

aka.f3322.net
gyxin1314.xicp.net
god_xinghe.f3322.org
ljwser.xicp.net
nt520.f3322.org

# Reference: https://app.any.run/tasks/67e24e08-584b-4cca-a8a1-b1ca12f70e95/

125.65.79.5:5522
103.119.1.139:1987

# Reference: https://twitter.com/wwp96/status/1368417388543180800
# Reference: https://app.any.run/tasks/39d974b3-6fe0-4278-8695-98684eb35c1f/

113.212.91.178:4753
six.skt-one.com

# Reference: https://www.virustotal.com/gui/file/32f2fe76ed68ffaa93baaf3e05ab0cabb058c48a431974e2f8312e2661849a93/detection

45.154.198.168:4753
sy.skt-one.com

# Reference: https://www.virustotal.com/gui/file/91c422b4d9d826ff83ba875f46091c5907b61dcac8a7829ad25aebe181bdc359/detection

45.154.198.160:4753
mm.skt-one.com

# Reference: https://www.virustotal.com/gui/file/fd77950eb7f104dfef6eb7f535a5d324069e8f7fb7cca7057e67e427d248f1ff/detection

202.5.23.125:4753
ss.skt-one.com

# Reference: https://www.virustotal.com/gui/file/90085f7de94a2ca42f3f534d628318854d7dea91d97a4527ca5b3545fe75094b/detection

27.124.10.245:4753
syy.skt-one.com

# Reference: https://www.virustotal.com/gui/file/a99f4c0c9653bb121c9d6875b756203adf3e4d9086f2111e0fe0243355f26e36/detection

73.23.200.124:44579

# Reference: https://www.virustotal.com/gui/file/7f8742297042b4da3914c65c79bec5608eb166fe2034fa054f3d108f7d4f8131/detection
# Reference: https://www.virustotal.com/gui/file/2d26ef7b55e8345369b4e6c184441197304532dcf0557022431e5689fd2e9552/detection

113.212.90.152:4753
113.212.91.215:4753
tmh.skt-one.com

# Reference: https://www.virustotal.com/gui/file/4359b20a9570083d6126fc013d74d5fb65de09a628a287ae291cd3b7335eb5e3/detection
# Reference: https://www.virustotal.com/gui/file/ad101c55122b9bd5be2d5a64d27de50b1826b5908741355e1a28cf38cde79b79/detection
# Reference: https://www.virustotal.com/gui/file/ae90ea48bb6a9501de26f6d2763ead816047dab1bed91e5565c477113c63ddef/detection

103.135.101.189:4753
ax.skt-one.com

# Reference: https://www.virustotal.com/gui/file/2d3d7817dfaf66265cf2db4a3b8a1806394b74530ae36e7d6d3ad0ba95a0606e/detection

27.124.10.245:4753
ssy.skt-one.com

# Reference: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html (# Win.Keylogger.Gh0stRAT-9847918-1)

36ho560717.wicp.vip
cn-xz-bgp.sakurafrp.com
lolsb.cn

# Reference: https://twitter.com/wwp96/status/1385603503998095361
# Reference: https://app.any.run/tasks/8b366bb8-90d3-422c-bf28-c20fad648817/

122.114.68.46:1990
39.103.200.111:14996
qjy888.f3322.net
ref.tbfull.com

# Reference: https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html
# Reference: https://www.virustotal.com/gui/file/55ade218a34f3e727186c9e9c645265f161d7a9b7f55a721ba29e6ef5c3a12da/detection

download.adobe-air.com

# Reference: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html (# Win.Dropper.Gh0stRAT-9871236-0)

gaoshouzaimimang.f3322.org

# Reference: https://twitter.com/wwp96/status/1409713019802710029
# Reference: https://app.any.run/tasks/9de5a384-d5aa-4e56-9ead-6a6e63a3731b/

192.250.240.130:8000

# Reference: https://twitter.com/wwp96/status/1410328605389905923

103.194.104.94:8080
