# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.fortinet.com/blog/threat-research/circle-of-the-fraud-more-information-about-bitcoin-orcus-rat-campaign.html

adobe.br.com
bitcolntalk.com
bitcolntalk.org
bltcointalk.com
bltcointalk.org
bltcolntalk.com
bltcolntalk.org
githvb.com
qithub.org
qunthy.org
wcx.nz
wex.ac.nz
wex.ms

# Reference: https://twitter.com/oguzpamuk/status/1165739004974817280
# Reference: https://app.any.run/tasks/bc90ea8c-24fd-43d1-a831-2246eca40e32/

65.49.81.174:1337

# Reference: https://twitter.com/JayTHL/status/1188666712813719552
# Reference: https://www.virustotal.com/gui/ip-address/176.227.191.12/relations
# Reference: https://www.virustotal.com/gui/file/ab27de99f9af5b25c51a452734624d275be3f375acb8e2e196753f58edd7ff61/detection

176.227.191.12:1337
176.227.191.12:8080
fbkw.tk
glared.ga
kekw.tk

# Reference: https://www.virustotal.com/gui/file/246ed49ede850eaafddff2794415bb71eca90238b8c3ef7969f2a2d9247761a5/detection

176.227.191.12:10134

# Reference: https://www.virustotal.com/gui/file/ba6ac57263f886ec57dbc7d91705bc997a6ee9e0e4753bb1e28036245fa5d954/detection

176.227.191.12:1564

# Reference: https://www.virustotal.com/gui/file/abbf1a3dc2074173f0679edbc25b7e835a799684151f4f5ceb2174515a30f2b6/detection

176.227.191.12:2002

# Reference: https://www.virustotal.com/gui/file/a83458a20fa9f2dd5f58d8bb0b08f9e3c64640b4898d14d4f1494130b9ef2357/detection

176.227.191.12:6666

# Reference: https://www.virustotal.com/gui/file/84a550cd5c0ab129a3e7ddf222e6e20b30e8126abf297d1765c17ef079c8ca9e/detection

176.227.191.12:7007

# Reference: https://twitter.com/JayTHL/status/1199555057513046017
# Reference: https://www.virustotal.com/gui/file/49bd78001249923b28dc30e6c52e121fea38fb58f29c15968379488b4de53c30/detection
# Reference: https://www.virustotal.com/gui/file/fc04d2256cdf30a4fcf5eba79c9d451e3e3d20ba01740edce82c0fe697ffa191/detection

6.6.6.6:5631
warfram3client.duckdns.org

# Reference: https://www.virustotal.com/gui/file/f1e09e33334341d3a91e93a1cf44d5c4d7ac420c5e7a1b7d608b6388174de1d0/detection

154.234.192.165:500

# Reference: https://twitter.com/JAMESWT_MHT/status/961905004960468992
# Reference: https://app.any.run/tasks/d8405f6a-e8a5-45e0-abd2-c7fa5ec899ec/

stinkletjet.me

# Reference: https://twitter.com/James_inthe_box/status/948880929342173184

88.150.189.98:9989

# Reference: https://twitter.com/James_inthe_box/status/913131729233133568

212.83.170.126:2325

# Reference: https://www.fortinet.com/blog/threat-research/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors.html
# Reference: https://www.virustotal.com/gui/file/6554fabddabac2b14cb3209393a13471e7fe985750f1a9a8f030d1ebbc8dff35/detection

172.111.160.213:10134

# Reference: https://www.virustotal.com/gui/file/851f5ea787e9a287880c4a6d05c57e1014605e9a42bae5e3cf770fcd0fe8fb3a/detection

192.69.169.25:10132
ssniper.duckdns.org

# Reference: https://www.virustotal.com/gui/file/bf9bb8e1d8bf2de2b73ae7c8e8c5c58083ebe55b0981364e4b976260b3880350/detection

162.200.139.146:1337
voltaire.zapto.org

# Reference: https://www.virustotal.com/gui/file/14eb56236bfd39bd8f7cf62c1ec4d50aeaac64d1e17ebf6772a3c259959e0bbb/detection

162.200.139.146:1604

# Reference: https://www.virustotal.com/gui/file/a7d7820eb3ac86718b610030e814fc10da5bc9e5612f35a640e797e23fba6ca4/detection

mistervoltaire.duckdns.org

# Reference: https://www.virustotal.com/gui/file/11f1090f1ae7cf8bb9a811f7eb6e1f18d33bd44d639e06e031d0ba071eaabd23/detection

185.101.92.3:1919

# Reference: https://www.virustotal.com/gui/file/05040a3af990ed78d087cbaa1e29220f2810b200ce6a0db37dfe869c93381379/detection

104.244.75.220:9340

# Reference: https://www.virustotal.com/gui/file/933dc2ab7637ebaa57187cd43b1ea700499ea53a0e2e5ef7c768b0d43833532b/detection

193.56.28.134:2222

# Reference: https://app.any.run/tasks/5308b1f1-fc1d-41df-9a51-36d9f209caba/

13.68.91.206:9337

# Reference: https://www.virustotal.com/gui/file/48be5ae5cb8e6155352d0936f4785d3da1c1e2a8d0f86f14b240627b378f3a56/detection

66.26.181.172:10134

# Reference: https://www.virustotal.com/gui/file/3fea35061269dd2ecfd1a3561d6490df0586584fd7273510da3602359128e9cf/detection

185.114.225.60:1337

# Reference: https://www.virustotal.com/gui/file/352d043e9d06d67fbc5250dd1183edf4b6b6efc72c86584ab1af183034e345c2/detection

104.128.234.104:1337
takethei.duckdns.org

# Reference: https://www.virustotal.com/gui/file/f456d4d5a9233fd787622e0827eeaf5a945e1a808de5312fb57fe4d8feaacecc/detection

45.76.57.32:1337

# Reference: https://www.virustotal.com/gui/file/906f097c2e91c5fafcc8a4d5b480e6cb89d45977d799615a68d6f0689e6c3a52/detection

185.198.26.245:1337

# Reference: https://www.virustotal.com/gui/file/65f750af58456ce7ff79936dba02c53bb4802f0c9acd81e7e37039a21ed06063/detection

206.189.192.66:1337

# Reference: https://www.virustotal.com/gui/file/802f6b02bcfe6cb847a055acdceb8ce3caf1cee6a42ea82baa13e510288bca0d/detection

185.198.26.245:1337
192.169.69.25:1337

# Reference: https://www.virustotal.com/gui/file/6df589eb6933aecc36c73ec13878188843ff7ea2754dc4e05906846524ee99d5/detection

51.68.92.105:1337
1337hax0rs.hopto.org

# Reference: https://www.virustotal.com/gui/file/72a9bcb559629c758cbc4da43d78ff0402eee8b1037534fd50d9c5c9435b8f67/detection

185.114.225.60:1337
51.68.81.247:1337

# Reference: https://www.threatcrowd.org/malware.php?md5=2777e5b529531cb2ce4dfaf51e029cc1

menusbyxarva.tk
menusbyxarva.ga
menusbyxarva.ml
menusbyxarva.cf

# Reference: https://twitter.com/abuse_ch/status/1233659527989325825

35.192.205.70:6969

# Reference: https://www.virustotal.com/gui/file/aa43e982c2852d515224124f835c5222895525d4dfba78215dfab38421448197/detection

196.89.40.35:3365

# Reference: https://www.virustotal.com/gui/file/713111b19f47264a55f126daeb8e0cdcfa477caad3c62dafceb6dfb726a9b858/detection

91.218.65.24:3333

# Reference: https://www.virustotal.com/gui/file/4491b49ec07c3c0cb02ce71fe84f42dc3f51e31d37d2773d81a64c27fa266076/detection

91.218.65.24:10134

# Reference: https://www.virustotal.com/gui/file/0f788b53c047325fa4478a4e35532547fb4e6f16c14d9b7bc6d7eb2606faa25e/detection

91.218.65.24:5634

# Reference: https://www.virustotal.com/gui/file/dd746a6d73f73034d24ae56938ad02370bbdade419c2bfe7cebba1efb9c29072/detection

91.218.65.24:1337

# Reference: https://www.virustotal.com/gui/file/10f9c60cae4b545950b7c92893d5c163f5a7d961346f2b3e9f3cc98069e509db/detection

91.218.65.24:7777

# Reference: https://www.virustotal.com/gui/file/edf5f9bb676e7108c411eed1c1cd1cd322621b7f874b67dc585828dc9d9c5214/detection

140.82.57.249:9876

# Reference: https://app.any.run/tasks/4348840b-74d2-4a36-8b4f-30f7c5c78ac4/

193.161.193.99:40601
nickman12-40601.portmap.io

# Reference: https://www.virustotal.com/gui/file/6610169683c653daa73ebbe240ab6aedbdf029cc1dec4b72e7573b2a6fda61c0/detection

116.39.19.117:3

# Reference: https://www.virustotal.com/gui/file/1110bec1dada5b6ed0042149c1941db248277f3b2b409f693f46e0930920f788/detection

121.130.181.73:3

# Reference: https://www.virustotal.com/gui/file/c65a4ac63d28c402afd57b79e12c6d61105d6d6a01860876bfa44efd797689dc/detection

141.255.154.37:1212
141.255.146.73:1212

# Reference: https://app.any.run/tasks/d334bd67-4079-452e-88be-d924ba7203cd/

89.208.221.195:14500

# Reference: https://www.virustotal.com/gui/file/4ef58d34d748aae0e1143faba71238eb9910cea26cbc530d8d3c125d8c60789e/detection

88.123.12.74:20030

# Reference: https://app.any.run/tasks/1e5abf39-f919-41c8-954d-d72874ce6a15/

144.202.9.121:101

# Reference: https://app.any.run/tasks/294f5e39-60d3-4f96-9fc0-65935ce602dd/

185.239.242.234:1738

# Reference: https://app.any.run/tasks/f34ccc3a-6b82-4aa0-867a-ebf3a9f669ae/

5.83.160.177:60011
82.228.72.90:60011
macronemmanuel.tk

# Reference: https://app.any.run/tasks/b25b2ef4-14cd-42c2-a59b-e336fcd05149/

178.150.186.188:7771
kirill2811.ddns.net

# Reference: https://app.any.run/tasks/ea5216eb-a0d4-4848-8c94-f613809f31a3/

13.58.162.35:8739
orcushack.ddns.net

# Reference: https://www.virustotal.com/gui/file/f02a7e84be2f16d0367b4f01781e6b10d6ff522c767d2294349b233e4c7195b1/detection

45.140.146.29:10134

# Reference: https://app.any.run/tasks/7adda6c1-ff18-4d63-9a17-b3a6941ba473/

193.161.193.99:27371
ParadoxZenon-27371.portmap.io

# Reference: https://twitter.com/petrovic082/status/1357973355165585408
# Reference: https://app.any.run/tasks/891171ac-402b-49ca-b121-b0e04560e90e/

193.161.193.99:51357
reqwah-51357.portmap.host

# Reference: https://app.any.run/tasks/2ff5f3ba-fb88-4abc-bec8-6f2e79cb59e8/

145.249.220.15:10134
skalede767.hopto.org

# Reference: https://app.any.run/tasks/64263906-2813-42a1-b04b-5a103e23738f/

3.128.190.178:1604
orcustop4ik.duckdns.org

# Reference: https://www.virustotal.com/gui/file/b2b168bf95857cebb26045f1c8f393aff09126a78f3030a172a160ac4854ccff/detection

31.220.4.216:55551

# Reference: https://www.virustotal.com/gui/file/5519951fbf86c9b18e4aee9ad22be8ca31bd84f5b4cccebf76b4aa47eb2c9ce2/detection

145.249.216.199:10134
danst9364.hopto.org

# Reference: https://www.virustotal.com/gui/file/ff9f613548004aa9b8fecf065df4e430300333ebb8f9f8797a2325c6200f01ab/detection

newgate.publicvm.com

# Reference: https://otx.alienvault.com/pulse/6093db7387777eeb731864eb

briaseynan.xyz
6yis.hyperfast.ru

# Reference: https://app.any.run/tasks/0d7bb251-7761-484b-a05f-3df038d36c3a/

109.108.78.4:6666
vertik.ddns.net

# Reference: https://otx.alienvault.com/pulse/60b22df3fe03195e2183cc9d

mehack1234567.ddns.net

# Reference: https://otx.alienvault.com/pulse/60bcb9f5d4b06e9237fc4c77

dbxzpalgedvrvpunalvkzafpwztssi-21177.portmap.io
stormy.webhop.me
