# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: bizzana, gussdoor, remote manipulator system, rms, rmska, remote utilities

# Note: https://malpedia.caad.fkie.fraunhofer.de/details/win.rms
# Note: https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/

# Reference: https://twitter.com/James_inthe_box/status/1118968911590907904
# Reference: https://twitter.com/James_inthe_box/status/1121513004627927040

159.69.48.50:5655

# Reference: https://twitter.com/dave_daves/status/1130471755783573504
# Reference: https://app.any.run/tasks/f363c1d5-45ed-4b08-ab3c-54f1f5ac1636/

kentona.su
66.111.2.131:9030

# Reference: https://twitter.com/Bank_Security/status/1148471450422140929
# Reference: https://pastebin.com/0XNMhLP2
# Reference: https://blog.yoroi.company/research/ta505-is-expanding-its-operations/

217.12.201.159:5655

# Reference: https://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments

89.144.25.32:5655

# Reference: https://twitter.com/raby_mr/status/1184430613165572097
# Reference: https://app.any.run/tasks/90aaff29-18fe-4ad1-b385-a4e0d7f19564/
# Reference: https://twitter.com/nao_sec/status/1240581594999472128
# Reference: https://app.any.run/tasks/1cc1c195-5f71-4279-a8eb-336a10d2c354/
# Reference: https://twitter.com/smica83/status/1052107791673020416
# Reference: https://www.virustotal.com/gui/file/81d42d5332d586602b4014710ebbe7068aae024ee1922f3e9e8be4d36fe07397/detection
# Reference: https://www.virustotal.com/gui/file/a4523f84e035908af8cd1e1b5fb73847c08e532416bc961abc3c77ffa664b82b/detection
# Reference: https://www.virustotal.com/gui/file/fbe265d9d8dba77e1e0e9574dfbae513dcbf6dd7e492777431c52884bec1e394/detection
# Reference: https://app.any.run/tasks/7759fbd4-7b04-4a80-aa80-f56696ccb665/
# Reference: https://app.any.run/tasks/0e85e440-595e-43de-bf17-32bdbe2f185e/

109.234.156.180:563
109.234.156.180:5655
109.234.156.180:5656
109.234.156.181:563
109.234.156.181:5655
109.234.156.181:5656
rms-server.tektonit.ru
rut-server.tektonit.ru
rmansys.ru
wininit.xyz
svchost.xyz

# Reference: https://twitter.com/JAMESWT_MHT/status/1185131622263377923
# Reference: https://app.any.run/tasks/b79dcfcd-5b9b-404f-aaf6-a9ea55109284/

79.134.225.73:3175
britianica.uk.com

# Reference: https://www.virustotal.com/gui/file/81315a77d8494695ba4453cd8f15278f214ad26373c69ef925b4711c4dda0bf6/detection

94.73.36.254:3175
biofaction.no-ip.biz

# Reference: https://www.virustotal.com/gui/file/0b96700873fba0b74c534ffcaee852b976f92de18b7ccd723dd464b56110ea06/detection

94.73.32.235:3175
enterbotvn.no-ip.info

# Reference: https://www.virustotal.com/gui/file/87a8d33209840bd40e858624cbd2952416118962b2c923b277a7796a3e4e9b02/detection

dr9.no-ip.info

# Reference: https://app.any.run/tasks/c6797f0b-722f-4f85-be9c-6957415b1c1d/
# Reference: https://www.virustotal.com/gui/file/cfcd9808e91122903281706de3d96d8249e282555d87a02c177cb705ac06fd2d/behavior/VirusTotal%20Jujubox
# Note: id.remoteutilities.com / server.remoteutilities.com appear to be the Remote Utilities vendor's own hosts (see aliases above), so hits may also come from legitimate installations; corroborate with the other trails in this section before treating a match as malicious

id.remoteutilities.com
server.remoteutilities.com
108.163.130.184:5655

# Reference: https://www.virustotal.com/gui/file/dda1fc31d4d4d37d544a3ff537863a909706b861dcaebb33c084d29f4ead488e/detection

185.121.166.28:9030
poulty55.chickenkiller.com

# Reference: https://www.virustotal.com/gui/file/78f90e9e2fa31727e50bf9c8358556f768cf8a8f847888ff8af8b920d4ddf33c/detection

194.5.98.50:9030

# Reference: https://www.virustotal.com/gui/file/e7183b9653a49d85ba53b786d844c609ee3328c973d463041f07a889a143aad0/detection

194.5.98.83:9030

# Reference: https://www.virustotal.com/gui/file/5adef384ca8b56ae3524fdde2c69c0ab25801f1fde94375696a646cef4fba2c5/detection

194.5.98.139:9030

# Reference: https://www.virustotal.com/gui/file/160a4f5e4fee2d948a2da1708418c398505fdcb2bf3804a323db2452599a4fcf/detection

184.75.209.165:9030

# Reference: https://www.virustotal.com/gui/file/4ea812dfa9ec344fecf52d0a47c6db58ef22f5fa1fa720cae96ace032438843d/detection

95.167.151.233:9030
sickly.jumpingcrab.com

# Reference: https://twitter.com/blackorbird/status/1222878160187838465 (# Wuhan)
# Reference: https://www.virustotal.com/gui/file/e6f0274fe4f0ebc7323ce86d6aceb991ae0242c8d514a1e241cbdfe88921e50d/relations

202.58.105.80:5073
9.wqkwc.cn

# Reference: https://app.any.run/tasks/54196a1e-3729-4d07-8518-c1f73a6b17ff/

wsus.eu
id.remoteutilities.com
108.163.130.184:5655
66.240.205.51:5655
23.235.252.66:5655

# Reference: https://www.virustotal.com/gui/file/9e5d3643ea41983e426f184949f4b77bc52d2951dcc57ab04466429192bc3396/detection

karensonjon.com

# Reference: https://twitter.com/fr3dhk/status/1319366605218959361
# Reference: https://app.any.run/tasks/2acce298-8180-47fd-befc-9f380468dbe4/

wsusms.com

# Reference: https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf
# Reference: https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer-new-data/99206/
# Reference: https://otx.alienvault.com/pulse/5fa440244397a8c64412347d

dncars.ru
timkasprot.temp.swtest.ru
z-wavehome.ru

# Reference: https://www.virustotal.com/gui/file/6fa7f1a905e7b9fe6c6ebb0511b679527b3a136cf178a3627cc341418ec1ddbb/detection

23031.selcdn.ru

# Reference: https://github.com/DoctorWebLtd/malware-iocs/blob/master/BackDoor.RMS/README.adoc
# Reference: https://otx.alienvault.com/pulse/5fd3e533f31a2aa08d9ac388
# Reference: https://www.virustotal.com/gui/file/75c23c42074c0cc6683e291579543941bb5207b69365c510386ba3fab3f37bcb/detection
# Reference: https://www.virustotal.com/gui/file/d17d90fd24419ddb868f945754b80e7da8eb570179e2dc867beeb769b7136745/detection
# Reference: https://www.virustotal.com/gui/file/cb8b32697730d7142ef4de56c0b4cc718abce0c2ac87218744188ad3ce1587b2/detection
# Reference: https://www.virustotal.com/gui/file/800d4b5dfbdf742feb47cf580501d3f2d558c380c7619420160c4e33bd912732/detection
# Reference: https://www.virustotal.com/gui/file/89bfdabd25b0334a7444bcb67e1d1b42907e5d8107179c7f5f0bbca8eb4219e0/detection

111.90.140.23:5651
111.90.140.23:8080
176.107.179.100:8081
176.9.112.14:5651
176.9.112.14:8080
194.9.176.31:8081
194.9.176.33:8081
194.9.176.37:5651
194.9.176.38:5651
194.9.176.38:8081
194.9.176.38:81
194.9.176.39:8080
194.9.176.39:81
95.216.64.185:8080
95.216.64.186:8080
95.216.64.187:8080
95.216.64.187:8081
95.216.64.191:8080
95.216.64.198:8080
360mediashare.com
ateliemilano.ru
gedebeywater.com
kiat.by
mystorage-settings.ru
nordtexnika.az
office360.work
office360share.com
road258.website
road349.website
savalan.az
wsus.ga
wsusms.com

# Reference: https://www.virustotal.com/gui/file/d08912c79a47501ccd1a01b350721ff7a87bcaad0af7a0a6b2943f6d30bb7009/detection
# Reference: https://www.virustotal.com/gui/file/308a5f4df9a9f8a42471440d4e8d6787b6faa87b6faed943705ea69501d3ba7b/detection

70.38.38.43:5655
rutils.com
server.rutils.com

# Reference: https://twitter.com/ffforward/status/1361362720948424705
# Reference: https://bazaar.abuse.ch/sample/ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83/
# Reference: https://tria.ge/210215-g7bdp3nema/behavioral1

209.205.218.178:5655

# Reference: https://twitter.com/JAMESWT_MHT/status/1364130821897129985
# Reference: https://app.any.run/tasks/aa80eaeb-9160-47dd-9e7c-1b86e099919a/

185.220.102.6:5651
id70.internetid.ru
zen.hldns.ru

# Reference: https://www.virustotal.com/gui/ip-address/185.161.208.186/relations
# Reference: https://www.virustotal.com/gui/file/0264bbf56bf0f491cc105ab2a3fc7e3f3cc6198fc33dd0ea74b1794d8ededf14/detection
# Reference: https://www.virustotal.com/gui/file/d9912f37e0b60988891550546dea6dc47fbfaffeaea8ce3de2cf68f15b8de986/detection
# Reference: https://www.virustotal.com/gui/file/e7226d32ed09060417beb40743aa116d200f3890b948e19fd97609ca435e84e4/detection
# Reference: https://www.virustotal.com/gui/file/f18d414efd8aa6f1493d9cf39ac3c23d79bc04514fac7f31d64232feecf58cf3/detection

185.161.208.186:5651
185.161.208.186:5652
185.161.208.186:8080
185.161.208.186:81
185.161.208.186:8888

# Reference: https://www.virustotal.com/gui/file/506e4ff03ebad6388a05dcb9339f7c093a571ee8f7661199d635a03618828839/detection

wsus2.co

# Reference: https://www.virustotal.com/gui/file/23d7771c3ba57e2bd810fa4edc5a2361d50aae0a705e3f3a3861b594c8368e78/detection

139.28.38.254:5651
139.28.38.254:8081

# Reference: https://twitter.com/fr0s7_/status/1374297423460306949
# Reference: https://app.any.run/tasks/c113a0f8-522b-4c59-a9d3-5fe3334c3bb4/

195.2.76.196:5655

# Reference: https://www.virustotal.com/gui/file/96b07b96579eb0ca13277720ec47cfd69a906bc21a6a64f2c604ad5debb9a504/detection

109.234.156.178:5655
109.234.156.180:5655

# Reference: https://www.virustotal.com/gui/file/e35570c68177b9e60777d66173b44aaff73be8c1f6da479a3ca5c09e4f7d5c6b/detection

185.175.44.167:5655
5.167.2.130:5651
moderator.hldns.ru

# Reference: https://www.virustotal.com/gui/file/6dcb5e65d0ae4f1a44f8dd510c4e7495760b2b9da0d8456b27deeb09d082a9db/detection
# Reference: https://www.virustotal.com/gui/file/5cc3322ab838ef64d006c27d63ad5cae87bf8a22295aca47f7b085bc0c57861e/detection
# Reference: https://www.virustotal.com/gui/file/ead5d0dbfc34a43c568fc76e098d51ecbde11bc844738c39f4ee5dc3477a80ce/detection

145.239.23.207:5651
145.239.23.207:8080
176.9.145.100:5651
176.9.145.100:8080
176.9.145.100:81
178.210.76.171:5651
178.210.76.171:8080
185.231.68.230:5651
185.231.68.230:8080
185.231.68.230:81
194.156.99.64:5651
194.156.99.64:8080
195.24.68.15:5651
195.24.68.15:8080
rmssrv.ru

# Generic trails

/utils/inet_id_notify.php
