# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: bazar, trickbot, trickmo

# Reference: https://twitter.com/itaitevet/status/1035250414038474752
# Reference: https://pastebin.com/XT20EyJA

3gihg5esw7lxg2wh.onion

# Reference: https://www.securityhome.eu/malware/malware.php?mal_id=8442588975b9c69bf696447.83703696

/neam.meow

# Reference: https://myonlinesecurity.co.uk/trickbot-still-being-delivered-by-fake-payroll-emails/

/super.orb

# Reference: https://twitter.com/James_inthe_box/status/1047239965216665600
# Reference: https://twitter.com/James_inthe_box/status/1047241977043898368

/cantbe.played

# Reference: https://www.malware-traffic-analysis.net/2018/10/05/index.html

/novich.gas

# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html

excel-office.com

# Reference: https://app.any.run/tasks/fe58bf2c-065f-4505-a644-6baeeb7ee4cf

/78237_8219_9.php

# Reference: https://twitter.com/Racco42/status/1107351502878842880

/001928_112.php

# Reference: https://twitter.com/Racco42/status/1106547527334154240

/47238348_8820.php

# Reference: https://twitter.com/Racco42/status/1106225615705948167

/99208_929_991.php

# Reference: https://twitter.com/Racco42/status/1106201029127880704

/92112893892.php

# Reference: https://twitter.com/Racco42/status/1102869794502705152

/CPQpqCOuKV.php

# Reference: https://twitter.com/Racco42/status/1102590512228388866

/930_08.php

# Reference: https://twitter.com/K_N1kolenko/status/918370497590628353

/logHbst.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1109027309015715840
# Reference: https://app.any.run/tasks/738cc560-f3c6-4534-893d-3ea28dd60671

/shh.sshh

# Reference: https://twitter.com/Racco42/status/1110461029354487809

/993098_2.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1111236459930046464
# Reference: https://app.any.run/tasks/ca7a8278-2535-4101-b5be-ea70e7362617

/tot445/

# Reference: https://twitter.com/0bfusCat/status/1036577317190021127

95.213.251.200:443
/tt0002

# Reference: https://twitter.com/avman1995/status/1115514722751848448

3dnext.ru/43434673.php

# Reference: https://twitter.com/K_N1kolenko/status/1094871503303262208

/corona.mor

# Reference: https://twitter.com/JAMESWT_MHT/status/1117105783240577026

/7738_0019.php

# Reference: https://twitter.com/K_N1kolenko/status/918370497590628353
# Reference: https://twitter.com/K_N1kolenko/status/916192356847751168
# Reference: https://twitter.com/K_N1kolenko/status/900259914874073088

/worming.png

# Reference: https://twitter.com/K_N1kolenko/status/916551437647335424

/worming2.png

# Reference: https://twitter.com/K_N1kolenko/status/1017305694331121665

5g4c3a6jkk734fs5.onion

# Reference: https://twitter.com/malware_traffic/status/1118299982069628929

201.184.231.34:8082
/sat43/

# Reference: https://twitter.com/Racco42/status/1118476901876674561

/43455_5514_12.php

# Reference: https://twitter.com/malware_traffic/status/1119021844416405504

/8377_8298_99.php

# Reference: https://twitter.com/pancak3lullz/status/1106677558224060416
# Reference: https://twitter.com/pancak3lullz/status/1102629658221314048

103.119.144.250:8082
75.183.130.158:8082
/lib427/
/tot427/

# Reference: https://twitter.com/Racco42/status/1121379098834755584

/99200277_0.php

# Reference: https://twitter.com/James_inthe_box/status/1126175073759481857
# Reference: https://pastebin.com/T5U4SHQU

181.209.88.26:449
185.222.202.42:443
185.222.202.43:443
95.213.252.153:443
192.227.232.63:443
192.227.232.65:443
185.243.115.149:443
200.122.209.78:449
200.54.14.61:449
181.143.17.66:449
177.105.235.17:449
181.143.102.30:449
190.0.20.114:449
190.151.25.178:449
201.184.69.50:449
190.109.165.197:449
125.209.82.158:449
80.173.224.81:449
76.107.90.235:449
181.129.136.226:449
191.103.219.138:449
202.63.242.48:449
181.176.191.5:449
190.117.66.194:449
186.226.188.105:449
143.255.141.137:449
190.151.10.114:449
181.115.236.26:449
190.196.32.42:449
181.48.203.10:449
177.105.237.93:449
181.129.20.250:449
186.159.2.153:449

# Reference: https://twitter.com/malware_traffic/status/1128019457966735360
# Reference: https://twitter.com/malware_traffic/status/1136682537005305858

186.159.1.217:8082

# Reference: https://twitter.com/Racco42/status/1128955163023171584

/1124_938_0029.php

# Reference: https://twitter.com/binitamshah/status/1137743683586052096
# Reference: https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
# Reference: https://pastebin.com/wZ3R0gCa
# Reference: https://pastebin.com/ghGtMBLH

125.209.82.158:449
136.25.2.43:449
138.186.62.222:449
143.255.141.137:449
162.209.124.166:80
167.99.206.127:80
177.105.235.17:449
177.105.237.93:449
177.183.194.194:449
177.92.249.187:449
179.189.234.157:449
181.112.221.246:449
181.115.156.218:80
181.115.236.26:449
181.129.136.226:449
181.129.160.10:8082
181.129.20.250:449
181.129.49.98:449
181.143.102.30:449
181.143.17.66:449
181.176.191.5:449
181.209.88.26:449
181.48.203.10:449
181.57.97.138:80
185.117.73.140:443
185.183.96.219:443
185.198.57.70:443
186.10.243.70:8082
186.159.1.217:8082
186.183.151.194:8082
186.226.188.105:449
186.248.163.198:449
186.42.186.202:449
187.17.201.237:449
187.61.106.223:449
187.61.107.140:449
187.65.49.88:449
187.8.169.10:449
187.95.123.179:449
187.95.32.18:449
190.0.20.114:449
190.109.165.197:449
190.117.66.194:449
190.151.10.114:449
190.151.25.178:449
190.152.125.162:80
190.196.32.42:449
190.215.52.165:449
191.103.219.138:449
191.103.252.29:80
191.241.233.195:449
191.242.178.210:449
191.36.157.164:449
192.210.152.190:443
194.5.250.130:443
199.247.24.9:80
2.184.90.173:449
200.107.59.130:449
200.110.72.134:449
200.122.209.78:449
200.21.51.30:80
200.35.47.199:80
200.35.56.81:449
200.54.14.61:449
200.83.49.141:449
201.148.247.21:449
201.184.69.50:449
201.56.193.18:449
202.63.242.48:449
209.45.30.2:449
216.189.145.231:443
31.47.55.106:449
36.91.93.114:80
37.255.200.157:449
5.190.90.5:449
75.183.130.158:8082
76.107.90.235:449
80.173.224.81:449
85.133.183.174:449
85.209.162.148:443
90.215.52.165:449
91.242.178.210:449
91.98.159.58:449
93.115.146.119:449
93.115.147.198:449
94.101.182.156:449
97.87.127.198:80

# Reference: https://twitter.com/James_inthe_box/status/1090234438833778690
# Reference: https://app.any.run/tasks/5a12dfe2-ba7a-4efe-8062-d710e7350c94/

37.140.199.69:17655
37.140.199.69:25087

# Reference: https://twitter.com/ararora4/status/1144982095325990913
# Reference: https://garwarner.blogspot.com/2019/06/trickbot-new-injects-new-host.html

aefaldnessliverhearted.com
onlylocaltrade.com
remirollerros.com
wellsfargostrade.com

# Reference: https://twitter.com/malware_traffic/status/1146086054207873024

170.238.117.187:8082

# Reference: https://twitter.com/ps66uk/status/1147193022830059521

mailchi.mp/d975f55661ef/4jzmygx2t9
pasini.info

# Reference: https://twitter.com/seguridadyredes/status/1054112048559329282

http://185.92.74.85/index.php
98.177.188.224:49225

# Reference: https://twitter.com/James_inthe_box/status/1151140239122894848
# Reference: https://pastebin.com/wTidM7a9

187.58.56.26:449
146.196.122.167:449
177.103.240.149:449
131.196.184.141:449
103.117.232.198:449
163.53.80.228:449
190.152.4.210:449
138.59.233.5:449
36.89.85.103:449
146.196.122.152:449
170.84.78.186:449
131.255.82.24:449
186.138.152.228:449
180.250.197.188:449
181.129.93.226:449
186.42.226.46:449
190.13.160.19:449
186.183.199.114:449
177.8.172.86:449
181.129.140.140:449
103.87.48.66:449
177.52.79.29:449
168.227.229.112:449
186.42.186.202:449
138.121.24.78:449
131.0.142.120:449
181.129.49.98:449
181.115.168.69:449
172.245.241.25:443
107.191.109.143:443
193.124.176.170:443
206.217.143.91:443
23.94.137.179:443
23.94.137.223:443
94.103.94.97:443
92.38.171.12:443
89.105.203.180:443
185.141.25.101:443
195.133.196.102:443
185.252.144.213:443
198.46.190.37:443
78.155.206.85:443

# Reference: https://twitter.com/Racco42/status/1151098878466416641
# Reference: https://pastebin.com/94cAWDHm
# Reference: https://twitter.com/jcarndt/status/1154731650145763328

/hollyhole/c644.php
/hollyhole951/c644.php

# Reference: https://twitter.com/malware_traffic/status/1151540706508464134

luxuryvailrentals.com

# Reference: https://otx.alienvault.com/pulse/5d2f644f8fe9174629471028
# Reference: https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor

qqcore.co
util98.com

# Reference: https://twitter.com/malwrhunterteam/status/1151382643277213696

get-office365.live

# Reference: https://twitter.com/Racco42/status/1152202184685236232

alco.co.in/images/flash_viewer.php
aloe-drink.com/host.php
alternativemedicinenis.com.au/images/view.php
amanchemicalsindia.in/images/visual.php
ambari.co.in/images/view_install.php
ambivium.org/fonts/myriad-pro-installerr.php

# Reference: https://twitter.com/Racco42/status/1152202311982354433

abarkagambia.com/backup.php
acaciarodriguez.com/images/gif_animator.php
accompagnatricidilusso.net/media.php
admimm.cl/images/flash_download.php
adminsystemcr.com/images/watermarks.php
ahangamalmagate.co.za/images/image_resizer.php

# Reference: https://twitter.com/Racco42/status/1152202470971625473

ambrosiapanama.com/images/imagedb.php
amcgsr.com.mx/images/imageresize.php
abidyahya.com/wp-test.php

# Reference: https://app.any.run/tasks/d8abd914-eccb-47f3-9619-734159777e1c/

23.94.93.106:443
192.243.102.102:447

# Reference: https://twitter.com/malware_traffic/status/1154511610649538560 (# Trickbot VNC Module)

107.155.66.16:5900

# Reference: https://twitter.com/matte_lodi/status/1155815877905997824

altxcode.com

# Reference: https://twitter.com/MalHunters/status/1158262554935713794

107.181.175.122:443
185.65.202.127:443
195.123.243.60:443

# Reference: https://twitter.com/ps66uk/status/1158446041643081728

/recenorg.php

# Reference: https://app.any.run/tasks/9cc66fab-9dba-4471-b77c-2dc461006ff0/

46.30.42.245:80
162.248.225.20:443

# Reference: https://twitter.com/425A_/status/1159152546805628930
# Reference: https://app.any.run/tasks/687bafc0-9d7c-4dd4-acb6-9162589e4b87/

http://5.53.124.203/index.php

# Reference: https://twitter.com/ps66uk/status/1159395052893933568

/inputok.php

# Reference: https://twitter.com/James_inthe_box/status/1164269734193274881
# Reference: https://pastebin.com/2R5TUnJS

103.207.1.44:449
103.84.238.3:449
107.175.33.16:443
107.181.175.122:443
131.196.184.141:449
146.185.219.27:443
168.227.229.112:449
177.103.240.149:449
178.170.189.117:443
180.250.197.188:449
181.129.140.140:449
181.129.49.98:449
181.129.93.226:449
181.176.160.145:449
185.172.129.146:443
185.174.172.60:443
186.156.52.78:449
186.183.199.114:449
186.42.186.202:449
186.42.226.46:449
186.47.40.234:449
186.47.82.6:449
187.58.56.26:449
189.80.134.122:449
190.13.160.19:449
190.13.190.178:449
190.151.213.140:449
190.152.36.30:449
190.152.38.66:449
190.152.4.210:449
190.154.203.218:449
191.37.181.152:449
192.3.146.179:443
198.12.97.212:443
198.46.198.12:443
200.119.45.140:449
202.9.120.79:449
31.184.253.6:443
36.89.85.103:449
37.228.117.250:443
45.237.240.178:449
5.53.124.49:443
79.143.31.94:443
82.118.21.99:443
89.105.203.184:443

# Reference: https://twitter.com/nahamike01/status/1166309356574347264
# Reference: https://www.virustotal.com/gui/file/bb23200f9c2c5f7764383d34d5d31aad164cd4e0281085256457872dd1ee2a8d/detection

45.137.151.112:443

# Reference: https://twitter.com/OttoScav/status/1169737229310275589

170.238.117.187:8082
186.10.243.70:8082
190.119.180.226:8082
131.161.105.206:8082
103.116.84.44:8082
200.35.43.105:80
103.194.90.242:80
103.87.48.54:80
190.152.125.162:80
103.84.238.3:80
192.3.105.136:443
54.37.229.180:443
192.227.142.155:443
23.94.204.80:443
5.230.26.41:443
45.80.148.236:443

# Reference: https://twitter.com/Artilllerie/status/1169924303053303808
# Reference: https://pastebin.com/aFeeUMJJ

103.116.84.44:8082
103.194.90.242:80
103.207.1.44:449
103.84.238.3:449
103.84.238.3:80
103.87.48.54:80
107.155.137.12:443
107.173.160.18:443
107.173.160.19:443
107.173.160.22:443
107.173.90.220:443
131.161.105.206:8082
131.196.184.141:449
146.196.122.167:449
168.227.229.112:449
170.238.117.187:8082
177.103.240.149:449
181.112.159.70:449
181.129.49.98:449
181.129.93.226:449
181.129.96.74:449
181.176.160.145:449
185.142.99.59:443
185.235.130.84:443
186.10.243.70:8082
186.156.52.78:449
186.42.186.202:449
186.42.226.46:449
186.46.63.58:449
186.47.40.234:449
187.58.56.26:449
189.80.134.122:449
190.109.189.119:449
190.119.180.226:8082
190.13.160.19:449
190.13.190.178:449
190.144.89.82:449
190.151.213.140:449
190.152.125.162:80
190.152.4.210:449
190.154.203.218:449
191.37.181.152:449
192.227.142.155:443
192.3.104.38:443
192.3.105.136:443
200.119.45.140:449
200.29.106.33:449
200.35.43.105:80
23.94.204.80:443
31.202.132.179:443
36.89.85.103:449
37.187.186.7:443
45.80.148.236:443
5.230.26.41:443
54.37.229.180:443
68.168.123.85:443
79.124.49.206:443
95.174.65.246:443

# Reference: https://www.ncsc.gov.uk/news/ryuk-advisory
# Reference: https://otx.alienvault.com/pulse/5d108ad7a63b52237073efd1

177.183.194.194:449
177.52.28.238:449
177.52.79.29:449
186.248.163.198:449
186.42.186.202:449
187.65.49.88:449
187.8.169.10:449
187.95.123.179:449
187.95.32.18:449
191.241.233.195:449
200.107.59.130:449
200.110.72.134:449
200.35.56.81:449
200.83.49.141:449

# Reference: https://twitter.com/0XCHAR/status/1175154224046452742

rvmzrf24dgmr4tce.onion
107.155.137.8:447
107.173.160.29:447
145.239.188.95:447
178.157.82.135:447
178.170.189.239:447
185.250.204.126:447
195.123.221.104:447
195.123.221.178:447
195.123.238.36:447
195.123.247.27:447
23.95.214.138:447
37.228.117.65:447
45.8.126.5:447
46.4.167.254:447
5.53.124.55:447
91.92.128.237:447
92.63.102.212:447

# Reference: https://twitter.com/makflwana/status/1176877958473977857
# Reference: https://app.any.run/tasks/a7be32af-a368-4200-b8c6-9b64b2d170be/

http://144.91.69.195/solar.php
51.254.69.244:443

# Reference: https://pastebin.com/5XF67ZmJ

103.194.90.242:80
103.84.238.3:80
103.87.48.54:80
104.244.73.115:443
107.172.143.155:443
138.185.25.228:449
138.59.233.5:449
146.196.122.167:449
170.233.120.53:449
170.84.78.117:449
177.103.240.149:449
181.115.168.69:449
181.129.49.98:449
181.129.93.226:449
181.196.61.110:449
181.199.102.179:449
181.49.61.237:449
185.222.202.49:443
185.70.182.162:449
186.183.199.114:449
186.42.185.10:449
186.42.186.202:449
186.42.226.46:449
186.42.98.254:449
187.110.100.122:449
190.13.160.19:449
190.152.4.210:449
190.152.4.98:449
192.227.142.155:443
193.29.56.122:443
200.153.15.178:449
200.21.51.38:449
200.29.106.33:80
200.35.56.81:449
201.184.137.218:80
23.94.204.80:443
36.89.85.103:449
45.161.33.88:449
91.207.185.73:449

# Reference: https://twitter.com/killamjr/status/1181657813417959424

185.130.104.157:443

# Reference: https://twitter.com/malware_traffic/status/1182090303420997632

cardesign-analytics.com
dzbvyejoy81.com
t7763jykqeiy.com
/leo20/

# Reference: https://twitter.com/James_inthe_box/status/1182999215833677826

172.245.118.105:446

# Reference: https://twitter.com/0xFrost/status/1184189273010032640

185.79.242.204:449
194.5.250.82:443
194.5.250.83:443

# Reference: https://twitter.com/killamjr/status/1184204867545513987
# Reference: https://pastebin.com/1xzBiPm6

109.234.34.135:443
138.185.25.228:449
170.233.120.53:449
170.84.78.117:449
177.103.240.149:449
181.113.20.186:449
181.115.168.69:449
181.129.49.98:449
181.49.61.237:449
185.222.202.222:443
185.222.202.223:443
185.244.150.142:443
185.70.182.162:449
185.79.242.204:449
185.79.243.37:449
186.42.185.10:449
186.42.186.202:449
186.42.98.254:449
187.58.56.26:449
188.137.81.201:449
189.80.134.122:449
190.13.160.19:449
190.152.4.98:449
190.154.203.218:449
194.5.250.82:443
194.5.250.83:443
195.93.223.100:449
200.116.199.10:449
200.21.51.38:449
200.35.56.81:449
31.184.253.37:443
31.214.138.207:449
36.89.85.103:449
45.142.213.58:443
45.161.33.88:449
45.66.11.116:443
45.80.148.30:443
46.30.41.229:443
5.185.67.137:449
66.55.71.11:443
78.88.188.42:449
81.190.160.139:449
85.11.116.194:449
89.25.238.170:449
91.207.185.73:449
94.156.144.3:443

# Reference: https://blog.talosintelligence.com/2019/10/threat-roundup-1011-1018.html (# Win.Dropper.Trickbot-7340237-0)

46igeuohbyzeokpe.onion

# Reference: https://twitter.com/malware_traffic/status/1189950830448959488
# Reference: https://app.any.run/tasks/bec0f8ee-7050-4c37-999a-2a3c2f152c36/

144.91.79.12:443
85.204.116.139:443

# Reference: https://twitter.com/malware_traffic/status/1190026665952497667

185.222.202.192:443
185.99.2.104:447
186.71.150.23:449

# Reference: https://pastebin.com/29uSdMAk

192.3.104.46:443

# Reference: https://twitter.com/stecar792/status/1194746230997495808
# Reference: https://pastebin.com/SKBmjFGm

103.219.213.102:449
103.255.10.24:449
107.173.240.221:443
117.196.233.100:449
117.197.119.219:449
117.204.253.33:449
117.206.149.29:449
117.255.221.135:449
144.91.80.253:443
145.239.188.90:447
177.105.242.229:449
177.154.86.145:449
181.112.157.42:449
181.113.28.146:449
181.113.28.162:449
181.129.104.139:449
181.129.134.18:449
181.129.167.82:449
181.140.173.186:449
181.196.207.202:449
184.95.51.5:447
185.141.61.29:443
185.177.59.41:447
185.189.122.68:449
185.222.202.242:447
185.222.202.25:443
185.252.144.145:447
185.57.167.32:449
185.99.2.166:447
189.28.185.50:449
192.3.247.117:447
194.5.250.109:443
194.5.250.136:447
194.5.250.162:447
195.123.220.151:447
195.123.220.155:443
195.123.221.190:447
195.123.239.79:447
198.24.151.211:447
212.73.150.144:447
212.80.218.144:443
45.141.102.2:443
45.224.214.34:449
45.238.37.14:449
5.182.210.254:443
5.2.79.203:447
51.89.115.110:443
62.109.22.2:443
62.109.30.70:447
66.55.71.129:447
66.77.59.41:447
66.85.173.57:443
78.24.219.9:443
85.143.219.117:447
85.204.116.91:447
91.108.150.213:449
94.156.144.74:443
95.181.198.94:447
cmw5x56e4whk6dpx.onion

# Reference: https://twitter.com/malware_traffic/status/1196554607658459136
# Reference: https://app.any.run/tasks/1496c35f-f44a-4913-b7de-847a421bdfe1/

94.103.82.99:2050

# Reference: https://twitter.com/malware_traffic/status/1199082009387290630

190.142.200.108:449
200.21.51.38:449
5.34.176.212:447

# Reference: https://twitter.com/malware_traffic/status/1201890411343761409

157.25.102.50:80
185.62.189.132:443
64.44.133.151:443
66.55.71.152:447

# Reference: https://twitter.com/malware_traffic/status/1201923577689174016

107.172.82.165:80

# Reference: https://any.run/malware-trends/trickbot (Note: as seen on 2019-12-04)

qxq.ddns.net
thuocnam.tk
office.webxpo.us
driverconnectsearch.info

# Reference: https://otx.alienvault.com/pulse/5df0edc2630945dce885b806

qfcallc.com
chishir.com
carambaneed.club
kostunivo.com
northracing.net
mangoclone.com
excelestimation.com
sodonnews.com
onixcellent.com
cics.secureforge.info
wuniuqhi5byfc5qh.onion

# Reference: https://twitter.com/malware_traffic/status/1205171614788313101

172.82.152.136:443
198.46.161.213:443
23.94.70.12:443

# Reference: https://twitter.com/James_inthe_box/status/1205547881496641536
# Reference: https://www.virustotal.com/gui/file/bcc9b0a91e0280fdb89c20954c11f3555c335cc96e4742f7d7ad1a0238f97966/detection

91.134.14.26:443
93.190.143.26:443
spirrits.com

# Reference: https://twitter.com/smica83/status/1206957311668953088

100.38.123.22:443
181.123.59.111:443
181.126.80.118:443
73.179.178.78:443
75.110.250.89:443

# Reference: https://twitter.com/malware_traffic/status/1208205659466092544

181.129.104.139:449
51.89.204.240:447

# Reference: https://twitter.com/luc4m/status/1214981595301462017
# Reference: https://pastebin.com/qeQZP0Tu

5.182.210.109:443
36.89.85.103:449
45.137.151.198:443
46.174.235.36:449
51.89.115.124:443
78.24.223.88:443
114.8.133.71:449
119.252.165.75:449
121.100.19.18:449
131.161.253.190:449
146.185.253.191:443
164.68.120.60:443
170.84.78.224:449
171.100.142.238:449
172.82.152.11:443
180.180.216.177:449
181.112.157.42:449
181.113.28.146:449
181.129.104.139:449
181.129.134.18:449
181.140.173.186:449
181.196.207.202:449
185.141.27.190:443
185.177.59.163:443
185.213.20.246:443
186.71.150.23:449
186.232.91.240:449
188.120.254.68:443
188.165.62.34:443
190.214.13.2:449
195.123.220.178:443
198.23.209.201:443
200.21.51.38:449
200.127.121.99:449
202.29.215.114:449

# Reference: https://pastebin.com/GyzCEEXH

114.8.133.71:449
119.252.165.75:449
121.100.19.18:449
131.161.253.190:449
146.185.219.31:443
164.68.120.60:443
170.84.78.224:449
171.100.142.238:449
176.119.159.204:443
180.180.216.177:449
181.112.157.42:449
181.113.28.146:449
181.129.104.139:449
181.129.134.18:449
181.140.173.186:449
181.196.207.202:449
185.62.188.83:443
186.232.91.240:449
186.71.150.23:449
190.214.13.2:449
195.123.221.194:443
195.123.240.81:443
198.23.209.201:443
198.8.91.10:443
200.127.121.99:449
200.21.51.38:449
202.29.215.114:449
23.95.231.187:443
36.89.85.103:449
46.174.235.36:449
5.182.210.109:443
5.182.211.44:443
5.2.76.122:443
51.89.73.159:443
64.44.133.157:443
79.174.12.245:443
85.143.219.230:443
92.63.105.138:443
95.181.198.151:443

# Reference: https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
# Reference: https://otx.alienvault.com/pulse/5e173a76a3ecc18449d121a0

kostunivo.com
magichere.icu
magikorigin.me
northtracing.net
traveldials.com
web000aaa.info
wizardmagik.best

# Reference: https://feodotracker.abuse.ch/browse/host/203.176.135.102/ (# Trickbot)
# Reference: https://www.virustotal.com/gui/ip-address/203.176.135.102/relations

203.176.135.102:80
203.176.135.102:8082

# Reference: https://twitter.com/reecdeep/status/1220678917448749057

185.159.82.182:80

# Reference: https://www.virustotal.com/gui/file/fe2c4521ea823e91f2bf43d3261d699b6e5dc077a87ff7adb79088bba73c5eb5/detection

5.182.210.226:443
104.168.96.113:443

# Reference: https://www.virustotal.com/gui/file/a2e3ebf2b30d9f0736e37346f33d7f18da4da9a44448e05bf4d3dada500a91b9/detection

107.173.26.231:447
181.129.104.139:449

# Reference: https://www.virustotal.com/gui/file/fe2c4521ea823e91f2bf43d3261d699b6e5dc077a87ff7adb79088bba73c5eb5/detection

5.2.75.167:443

# Reference: https://www.virustotal.com/gui/file/e71419cd556dd730ebee920968e97ff5a16441fcfe51cf7da616421d2011c5fb/detection

146.185.253.177:447
85.143.217.237:447
85.204.116.233:447

# Reference: https://app.any.run/tasks/8ece34b7-9b69-4698-87d2-e8f61aaf3437/

5.182.210.246:443
164.68.120.56:443

# Reference: https://blog.talosintelligence.com/2020/01/threat-roundup-0117-0124.html (# Win.Packed.TrickBot-7541396-1)

2cdajlnnwxfylth4.onion
teene.site

# Reference: https://twitter.com/malware_traffic/status/1221919676030042112
# Reference: https://www.virustotal.com/gui/ip-address/107.175.116.133/relations
# Reference: https://www.virustotal.com/gui/ip-address/195.123.221.53/relations
# Reference: https://pastebin.com/YxFc5dgG
# Reference: https://app.any.run/tasks/b4d6f542-7582-4de9-87cd-d959e995b68d/
# Reference: https://app.any.run/tasks/c9f6e633-9784-4bee-96c5-d6803a7896b7/

107.175.116.133:80
185.66.12.59:447
195.123.221.53:443
195.123.221.53:447
195.158.224.103:447
5.182.210.230:443
78.24.221.145:447
92.63.98.59:447

# Reference: https://www.virustotal.com/gui/file/3193ec3b85f65b8b899ab5b189314e1eccfc61e098341397d76720c17f0a32b8/detection

162.247.155.133:447
198.8.91.25:447

# Reference: https://twitter.com/reecdeep/status/1218098821143703552

185.159.82.96:80

# Reference: https://pastebin.com/Mc1UwKae

103.94.122.254:8082
112.78.164.34:8082
190.100.16.210:8082
177.74.232.124:80
36.89.106.69:80
96.9.73.73:80
96.9.77.142:80
164.68.96.155:443
185.99.2.137:443
185.99.2.185:443
188.165.62.29:443
188.165.62.2:443
195.123.216.95:443
195.123.219.93:443
5.2.64.188:443
5.2.78.191:443

# Reference: https://github.com/SentineLabs/PowerTrick/commit/c046404538d11044f8df0ce98491292fe618660e

192.99.38.41:80
5.9.161.246:80
drive.staticcontent.kz

# Reference: https://twitter.com/reecdeep/status/1224333532681641985

91.196.70.100:80

# Reference: https://twitter.com/James_inthe_box/status/1224442114374717444

it-corp.info

# Reference: https://twitter.com/malware_traffic/status/1224476088946122752

212.109.195.175:447

# Reference: https://www.herbiez.com/?p=949

107.22.214.64:80
149.56.167.227:443
172.82.152.171:443
178.156.202.114:443
178.156.202.206:443
188.165.62.15:443
188.165.62.46:443
188.165.62.8:443
194.87.102.167:8082
194.87.102.36:443
199.181.238.221:443
199.181.238.224:443
210.16.102.251:443
217.12.210.54:447
37.59.80.96:443
46.105.238.157:443
5.152.210.176:443
5.2.65.130:443
5.2.76.34:443
51.254.164.249:443
66.85.27.165:443
67.21.84.23:443
84.238.198.166:449
84.40.65.85:449
89.46.222.240:443
89.46.222.246:443
91.139.236.92:449
95.154.199.118:1062
campusassas.com
campuslinne.com
changetheworld.bit

# Reference: https://twitter.com/nhs281/status/1228752573215248387
# Reference: https://app.any.run/tasks/cdc172e1-36e8-446d-b0bf-b860f312c26f/

185.11.146.86:443
185.45.193.76:443
51.254.164.240:443
5.2.78.70:443

# Reference: https://twitter.com/malware_traffic/status/1230214222111485953

185.62.188.10:443
192.3.124.40:80

# Reference: https://twitter.com/malware_traffic/status/1230260269596758016

195.123.220.154:447

# Reference: https://twitter.com/malware_traffic/status/1232370158494154754

45.138.72.155:443

# Reference: https://twitter.com/malware_traffic/status/1232782901927972865

104.237.194.147:80

# Reference: https://twitter.com/malware_traffic/status/1232790448051281921
# Reference: https://www.virustotal.com/gui/file/6f55f3b1415b5bf9dda57158f05fe628edb92b436887ad72f3d4bd108e8542d2/detection
# Reference: https://www.virustotal.com/gui/file/f9507a76801d5b1b83704a5019cdc312de18b004f16c5547b91b7dba086b2e29/detection

http://51.89.115.99
51.89.115.99:443
155.138.216.133:443
defenswin.com

# Reference: https://twitter.com/James_inthe_box/status/1233086420857708544
# Reference: https://www.virustotal.com/gui/ip-address/161.117.177.248/relations

barbeyo.xyz
basorkiq.host
emmnebuc.xyz
merystol.xyz
pnxkntdl.xyz
soficatan.site
tozcftdl.xyz
veqejzkb.xyz

# Reference: https://twitter.com/seguridadyredes/status/1234215349454876672/photo/1
# Reference: https://www.virustotal.com/gui/ip-address/107.172.208.30/relations

http://107.172.208.30

# Reference: https://twitter.com/Arkbird_SOLG/status/1234624555131555841
# Reference: https://www.virustotal.com/gui/ip-address/5.34.176.184/relations
# Reference: https://www.virustotal.com/gui/file/08ea96e4b9e71cc0281938d91fe7b12f77a2ade37845d1110afd75f225603bae/detection

http://5.34.176.184
5.34.176.184:443

# Reference: https://twitter.com/MalHunters/status/1069898222636679168
# Reference: https://pastebin.com/SUbUY0if

105.27.171.234:449
107.174.34.202:443
108.160.196.130:449
140.190.54.187:449
172.222.97.179:449
182.253.20.66:449
190.145.74.84:449
192.3.52.107:443
192.52.167.145:443
193.29.56.3:443
198.46.131.164:443
198.46.160.217:443
198.46.198.241:443
199.227.126.250:449
206.130.141.255:449
24.227.222.4:449
24.247.181.155:449
24.247.181.226:449
24.247.182.174:449
24.247.182.179:449
24.247.182.29:449
24.247.182.39:449
24.247.182.7:449
47.49.168.50:443
64.128.175.37:449
65.31.241.133:449
71.94.101.25:443
72.189.124.41:449
72.241.62.188:449
74.132.135.120:449
74.134.5.113:449
74.140.160.33:449
75.108.123.165:449
89.46.222.239:443
94.232.20.113:443
97.87.172.0:449

# Reference: https://twitter.com/malware_traffic/status/1235261812083482624

192.3.193.162:443
5.182.210.226:443
64.44.133.156:447

# Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html (# Win.Malware.Trickbot-7603048-1)

107.181.246.213:443
185.86.150.89:443
191.7.30.30:443
193.124.117.189:443
193.124.117.189:447
194.87.144.16:443
194.87.92.113:443
195.62.52.96:443
37.59.183.142:443
67.21.90.106:443
67.21.90.109:443
87.121.76.172:443
87.121.76.172:449
91.219.28.58:443
91.219.28.80:443
http://107.181.246.213
http://185.86.150.89
http://191.7.30.30
http://193.124.117.189
http://194.87.144.16
http://194.87.92.113
http://195.62.52.96
http://37.59.183.142
http://51.254.164.249
http://67.21.90.106
http://67.21.90.109
http://84.238.198.166
http://87.121.76.172
http://91.219.28.58
http://91.219.28.80

# Reference: https://twitter.com/JAMESWT_MHT/status/1237028470565240832
# Reference: https://www.virustotal.com/gui/ip-address/162.244.32.210/relations

162.244.32.210:443

# Reference: https://gist.github.com/kirk-sayre-work/3999514ffdd15923ac1290c4bd74d2b0

big-partynew.ru
birthdayeventdxb.com
bootiky.com
elievarsen.ru
luxjewelleries.com
wex-notdead.ru
gettonatissime.cyprustimbermerchants.com
lookmodeusa.com
vatonly.com

# Reference: https://www.virustotal.com/gui/ip-address/64.44.133.131/relations
# Reference: https://app.any.run/tasks/5c03c481-ab9a-4d3d-b22f-47cf859b9d6f/

http://64.44.133.131
146.185.253.176:447
51.254.164.245:443
64.44.133.131:447

# Reference: https://twitter.com/pancak3lullz/status/1240983894461231104
# Reference: https://www.virustotal.com/gui/ip-address/185.62.188.159/relations

http://185.62.188.159

# Reference: https://twitter.com/benkow_/status/1242457353070546944
# Reference: https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/ (# TrickMo variation)
# Reference: https://twitter.com/benkow_/status/1242526274217746432

facebouk.net
mcsoft365.com
pingconnect.net
web5401.com
webnat.host

# Reference: https://www.virustotal.com/gui/ip-address/195.123.220.193/relations

http://195.123.220.193
195.123.220.193:443

# Reference: https://twitter.com/AltShiftPrtScn/status/1243166479903834112
# Reference: https://blog.reversinglabs.com/blog/exposing-ryuk-variants-using-yara
# Reference: https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/
# Reference: https://otx.alienvault.com/pulse/5e7cc5274bea708f20593bec

norulless.com

# Reference: https://twitter.com/malware_traffic/status/1243674365222322176

doha-media.com

# Reference: https://twitter.com/laskow26/status/1244576312724836352
# Reference: https://laskowski-tech.com/2020/03/29/opnsense-and-ssl-decryption-using-sslsplit/

http://172.245.156.138
http://51.254.164.244
http://51.254.164.245
172.245.156.138:443
51.254.164.244:443

# Reference: https://twitter.com/hatching_io/status/1246092812103421953
# Reference: https://tria.ge/reports/200403-3kjagsdnqa/behavioral1

109.86.227.152:443
111.69.87.59:449
138.34.32.218:443
138.34.32.74:443
158.58.131.54:443
173.26.243.116:443
182.253.210.130:449
185.146.156.237:443
185.159.129.78:443
185.228.232.13:443
187.163.215.32:443
199.250.230.169:443
200.2.126.98:443
201.174.70.238:443
209.131.236.23:443
36.74.100.211:449
45.56.2.247:443
47.40.90.210:443
62.31.150.202:443
66.229.97.133:443
66.232.212.59:443
67.159.157.150:443
73.107.42.28:443
77.246.158.173:443
86.61.177.139:443
93.109.242.134:443
95.213.191.30:443

# Reference: https://twitter.com/makflwana/status/1247779774623150080
# Reference: https://app.any.run/tasks/b3f18101-314e-47a6-bf21-d1ebc3820765/
# Reference: https://www.virustotal.com/gui/ip-address/194.5.250.189/relations
# Reference: https://www.virustotal.com/gui/ip-address/195.123.239.194/relations

http://194.5.250.189
http://195.123.239.194
194.5.250.189:447
195.123.239.194:443

# Reference: https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/
# Reference: https://otx.alienvault.com/pulse/5e8e2c6890241d5f774cdea3
# Reference: https://otx.alienvault.com/pulse/5ebf07c5b90ea8b330e8561a

http://104.168.98.206
http://107.173.160.14
http://172.82.152.15
http://185.98.87.185
http://198.46.161.242
http://64.91.251.250
http://85.204.116.245

# Reference: https://bazaar.abuse.ch/sample/80d162a9d3998938dbf4e82b4411c7aebf3365bef53412c622de318062da3c70/

103.12.161.194:449
103.5.231.188:449
108.170.61.186:443
131.161.253.190:449
134.255.221.55:447
148.251.185.164:443
164.68.120.58:443
171.100.142.238:449
181.129.134.18:449
185.141.27.225:443
185.14.29.141:443
185.161.211.215:447
185.90.61.62:443
185.99.2.197:443
185.99.2.44:443
185.99.2.67:447
188.165.62.2:447
190.214.13.2:449
194.5.250.201:443
195.123.237.105:443
202.29.215.114:449
31.131.20.159:447
31.131.21.184:443
5.1.74.249:447
51.89.115.108:443
51.89.115.112:443
62.109.30.83:447
91.235.129.199:443
94.250.249.170:443
94.250.250.69:443

# Reference: https://twitter.com/malware_traffic/status/1252320726557827073

http://107.172.221.106

# Reference: https://twitter.com/malware_traffic/status/1252716888188227584
# Reference: https://app.any.run/tasks/dcc8420c-c71c-45f2-bdd6-40bf448d5dde/
# Reference: https://app.any.run/tasks/11e79d9c-b6c6-4980-98f0-b5a17bddb94f/
# Reference: https://app.any.run/tasks/796ceffe-4e46-49fc-80c5-32d5cd091fc3/
# Reference: https://www.virustotal.com/gui/ip-address/194.5.250.52/relations

http://62.171.152.105
http://194.5.250.52
194.5.250.52:443
194.5.250.52:447
fetitech.live

# Reference: https://twitter.com/James_inthe_box/status/1250907772494864384
# Reference: https://twitter.com/DynamicAnalysis/status/1252982471811043331
# Reference: https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/

petromltd.com
bestgame.bazar
forgame.bazar
newgame.bazar
portgame.bazar
thegame.bazar

# Reference: https://twitter.com/abuse_ch/status/1255413734325059586
# Reference: https://twitter.com/reecdeep/status/1255866535945568257
# Reference: https://bazaar.abuse.ch/sample/3008d3a85d42533167443e236755a01ae25d008728dbcd9630d99a42db30fbae/

chinatyres.net/IuNbOpen/oiUnbYATR.php

# Reference: https://thedfirreport.com/2020/04/30/tricky-pyxie/
# Reference: https://app.any.run/tasks/e4ab5166-07a5-4399-87d1-63e543f5c3b5/

103.227.147.82:449
110.232.76.39:449
110.93.15.98:449
122.50.6.122:449
148.251.185.186:443
151.80.212.114:443
164.132.255.19:443
176.119.159.147:443
178.156.202.251:443
185.234.72.193:443
185.234.72.50:443
185.99.2.152:447
188.119.113.60:443
190.136.178.52:449
194.5.250.200:443
200.171.101.169:449
217.12.209.159:443
217.12.209.176:447
217.12.209.244:443
36.91.45.10:449
45.6.16.68:449
5.182.210.178:443
5.182.210.30:447
5.196.247.14:443
51.254.164.243:443
51.89.115.121:443
93.189.42.81:443
96.9.77.56:449

# Reference: https://twitter.com/malware_traffic/status/1255939600184496130

dichthuatsnu.com/goodweb/

# Reference: https://twitter.com/malware_traffic/status/1256297802948399104

piedmontrescue.org/sport/

# Reference: https://twitter.com/James_inthe_box/status/1257418677760282624

spdtextile.com/sport/

# Reference: https://twitter.com/James_inthe_box/status/1257365981233635335

185.99.2.133:443

# Reference: https://twitter.com/VK_Intel/status/1258519788885700611
# Reference: https://www.virustotal.com/gui/file/9e4edad037a06e1cfa803adca84b3950b3e9fbe471397c71db53b0ab1510cc56/detection

http://193.38.54.106
http://45.148.120.176
193.38.54.106:443
45.148.120.176:443

# Reference: https://twitter.com/vk_intel/status/1259905046134829056
# Reference: https://otx.alienvault.com/pulse/5ebafadd0dddaee2f8bb193b

dns.dnsskype.com
dns2.dnsskype.com
dns3.dnsskype.com

# Reference: https://twitter.com/abuse_ch/status/1270740309140529152
# Reference: https://twitter.com/abuse_ch/status/1270773648262119424

copsbiau.monster
mnjcszrh.monster
shmbidgp.monster
vmrriktf.monster
ygzggxeh.monster

# Reference: https://twitter.com/reecdeep/status/1270961624954830848
# Reference: https://app.any.run/tasks/e26e317f-7ab5-4bca-b497-d14516332797/
# Reference: https://www.virustotal.com/gui/ip-address/85.204.116.100/detection

85.204.116.100:443
coprikompatt.com/autostart/apptrace.php

# Reference: https://twitter.com/reecdeep/status/1272782327278637057

134.119.191.11:443
185.99.2.65:443
5.1.81.68:443
51.81.112.144:443
memberlogin.cloud

# Reference: https://twitter.com/OttoScav/status/1272937840301813763
# Reference: https://twitter.com/OttoScav/status/1272984737343320065
# Reference: https://twitter.com/OttoScav/status/1272984829785767937
# Reference: https://twitter.com/OttoScav/status/1272984893040005120

103.111.83.246:449
107.175.72.141:443
110.50.84.5:449
134.119.191.21:443
182.253.113.67:449
185.14.31.104:443
185.90.61.9:443
185.99.2.66:443
192.3.247.123:443
194.5.250.121:443
200.107.35.154:449
36.66.218.117:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
78.108.216.47:443
80.210.32.67:449
85.204.116.216:443
91.235.129.20:443
95.171.16.42:443

# Reference: https://twitter.com/malware_traffic/status/1273007235115999233

195.123.221.93:443
85.143.222.208:447

# Reference: https://www.virustotal.com/gui/file/fd9a7d0013a7407a82d7ce662b5e3ec2d20b33681e1e3600e409b1ed8d086dfa/detection

217.12.209.60:443
217.12.209.60:80

# Reference: https://twitter.com/bit_dam/status/1275141957187244036

covidsonline.com

# Reference: https://twitter.com/reecdeep/status/1275316892635463680
# Reference: https://app.any.run/tasks/0efc7226-4b9e-4775-bf74-c54ea72997c5/
# Reference: https://app.any.run/tasks/2c8af64d-f294-4847-8f50-09f42eccee12/

lawyersblog.net

# Reference: https://bazaar.abuse.ch/sample/024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689/
# Reference: https://bazaar.abuse.ch/sample/04c2d16ee5463453c04a6b4645f6a36f2485d91bd86fb18a9ed20446fdc57728/

http://23.95.231.200

# Reference: https://twitter.com/p5yb34m/status/1278146363734126592

ruths-brownies.com/adbanner/ololomadam.php

# Reference: https://twitter.com/abuse_ch/status/1278321543953735682

terracotia.xyz

# Reference: https://bazaar.abuse.ch/sample/44639ea41979b4c2128df89a16f8d1c277e16ddad27372bcb33e6956de3eeb90/

http://185.14.30.131

# Reference: https://bazaar.abuse.ch/sample/b4eb31112cb2d0686ea3e88ab33569a0c902cb14331bb5f12a206d6f61b6b1fe/

http://194.5.249.107

# Reference: https://bazaar.abuse.ch/sample/ccbfecc4794a51d7e8a3cb58a3b0c5dc9f7ab301d5cdc9669bb0fc0fad8f0eff/

pinskdrev.market
archive.saturn.mn

# Reference: https://bazaar.abuse.ch/sample/8c47730867b57083f6ec4ab8c237f32f556c04ee4a973f2fc1c1be2919e49199/

http://185.99.2.83

# Reference: https://bazaar.abuse.ch/sample/53443315360c434457eca1626003a288924a363677a4e1ca1bbaad902f677674/

http://185.45.192.232

# Reference: https://bazaar.abuse.ch/sample/2b354d7dccd32f56af516f35821d9d389271da55cd4c9c7a97f30303d1136e04/

http://185.180.197.66

# Reference: https://bazaar.abuse.ch/sample/c7b6b5c5fd0241015dea2d5bf76f50143844676bec4b1a57284af92a75a367db/

http://93.189.41.196

# Reference: https://twitter.com/VK_Intel/status/1281570630169759745

http://66.70.218.46

# Reference: https://twitter.com/malware_traffic/status/1281682198815477761
# Reference: https://app.any.run/tasks/659cdd3a-d99a-4702-8f1e-e4e8f1357845/

http://45.11.183.78

# Reference: https://urlhaus.abuse.ch/browse/tag/chil65/

http://192.210.152.100
http://66.70.218.45
http://94.140.115.48

# Reference: https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30 (# anchor_dns)
# Reference: https://otx.alienvault.com/pulse/5f0c8ae66a7df4bc2d9fdf70

biillpi.com

# Reference: https://twitter.com/reecdeep/status/1284005945962631169

http://195.123.242.93

# Reference: https://www.virustotal.com/gui/file/8a96a8d0337d095c05f291e97927a2f7ff8ceab6db9335c44a842ac7791c863e/detection

http://162.216.0.182
162.216.0.182:447

# Reference: https://www.virustotal.com/gui/file/24ffa4b433cd90f30b432b6007a066672ef0a886d56f2938b9a41234d754e861/detection

http://85.204.116.144
85.204.116.144:447

# Reference: https://twitter.com/killamjr/status/1287896689685278720
# Reference: https://app.any.run/tasks/694cccad-ce08-4348-bea9-899e022d7224/

http://188.40.203.198
http://198.46.198.115

# Reference: https://app.any.run/tasks/3aeb59d6-3f23-4d67-9a78-9237040e84f2/

107.174.196.242:443
183.81.154.113:449
186.159.8.218:449
195.123.241.187:443

# Reference: https://twitter.com/malware_traffic/status/1291113168157188097

kiwizon.com/junkreps/sllep.php

# Reference: 

hanayadefi.com/js/crypt_bot32.dll
hanayadefi.com/js/d2.dll
hanayadefi.com/js/PO1DD.dll

# Reference: https://twitter.com/abuse_ch/status/1294169425826983936

anikastyle.com/ram2base.php

# Reference: https://twitter.com/malware_traffic/status/1294073727014129665

http://138.68.78.51
/campo/22/22
timseddon.com/loader.dll

# Reference: https://twitter.com/ViriBack/status/1321779235221053441
# Reference: https://twitter.com/500mk500/status/1321807553249103875
# Reference: https://www.virustotal.com/gui/ip-address/207.154.210.66/relations
# Reference: https://www.virustotal.com/gui/file/511d6897758dab59c545bd39d7c3a78b47cf756fe241dc21a9e05480ada9c4af/detection
# Reference: https://www.virustotal.com/gui/file/6195dac0f280220406c8a2c4705b99c8ea20a28c9e67c9ae9554fd206775f826/detection

foreverbold.xyz
nightsalmon.xyz
superstartart.xyz
/campo/b/b

# Reference: https://twitter.com/malware_traffic/status/1295497122276679682

alphasheild.com/metalf.php

# Reference: https://twitter.com/InQuest/status/1296852524654301185
# Reference: https://twitter.com/InQuest/status/1297051748293586944
# Reference: https://www.virustotal.com/gui/file/1951fe180603952a4f329f14a22161c7c3275a6cf62e861c4451d8351b3f36b3/detection

http://195.123.232.163
http://195.123.242.118
107.155.137.18:443
91.200.100.85:443
disk-cloud-app.com
template-doc.com

# Reference: https://twitter.com/h2jazi/status/1297911526972686339
# Reference: https://www.virustotal.com/gui/domain/yektairon.com/detection
# Reference: https://github.com/pan-unit42/tweets/blob/master/2020-08-24-Trickbot-gtag-ono66-IOCs.txt

yektairon.com
/brands/goodmanstory.php

# Reference: https://twitter.com/VirITeXplorer/status/1298195728532111360

http://107.174.192.219

# Reference: https://www.virustotal.com/gui/file/17c04932b68cbacea61759b43dc393b1c7dc32dd13276473c3f32411e0f380ef/detection

180.211.170.214:449
195.123.241.90:443
198.46.198.128:447
86.104.194.116:443

# Reference: https://www.virustotal.com/gui/file/b08a808cd66128c3f1fbfb008dbc26471075af804eff2c724fe773787c429391/detection

http://104.161.32.109

# Reference: https://github.com/pan-unit42/tweets/blob/master/2020-08-25-IOCs-for-Emotet-with-Trickbot.txt

91.200.103.236:447

# Reference: https://tria.ge/200831-4tkx1hyjd6/behavioral1

51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449

# Reference: https://www.virustotal.com/gui/file/54c3e01a3dee75c7137c63a25915b7bec1876a8fc65047eff99b97d9ca6cd5c6/detection

66.70.218.37:443
86.104.194.108:443

# Reference: https://www.virustotal.com/gui/file/75682633e0cf3922340da72927e6c2c0900f055368afbbc1438f9112115e1f61/detection

http://66.70.218.37
http://85.204.116.188

# Reference: https://otx.alienvault.com/pulse/5ea7262636e7f750733c7436

bestgame.bazar
coastdeny.bazar
eventmoult.bazar
forgame.bazar
newgame.bazar
portgame.bazar
realfish.bazar
tallcareful.bazar
thegame.bazar
workrepair.bazar
zirabuo.bazar

# Reference: https://twitter.com/malware_traffic/status/1303501213225365505

http://185.172.129.67

# Reference: https://twitter.com/malware_traffic/status/1309698130468896768
# Reference: https://app.any.run/tasks/018be08a-518e-449f-b7cc-3bc8b5cd8031/

179.97.246.23:449
195.123.242.119:443
89.249.65.23:447

# Reference: https://www.virustotal.com/gui/file/c184c87b5b9f87c864b5356695afbe4b147e83de5a7cba789824856b3d346275/detection

79.110.52.39:80

# Reference: https://www.virustotal.com/gui/file/05e43d0d10284517dbdfe13647eb049ffba1ab119b4a39738365b685e3a30e9b/detection

185.99.2.123:443

# Reference: https://www.virustotal.com/gui/file/707a8f2e9bd5c1edafe780fddf79ee2936438e9b62324bb7d1e1a9d96c16a3a7/detection

http://62.108.35.29

# Reference: https://twitter.com/theDark3d/status/1314618824008892417
# Reference: https://www.virustotal.com/gui/file/4013945c4997c0c02b6d094186dde0ae4fa499bc33afae5bbbc0207f2754fe39/detection

131.153.22.145:443
45.89.127.118:443
45.89.127.119:443
51.77.112.255:443

# Reference: https://app.any.run/tasks/671907b6-e1a2-48cb-ac31-e4657bc78702/
# Reference: https://twitter.com/malware_traffic/status/1314662732684296192

helmut0.dll

# Reference: https://twitter.com/malware_traffic/status/1314664855236947969

104.161.32.111:443
185.117.73.190:447
185.234.72.147:447
185.99.2.210:447
194.5.249.224:447
195.123.240.130:447
37.220.6.101:447
45.148.10.164:447
45.148.120.152:447
45.148.120.154:447
45.89.127.128:447
45.89.127.129:447
51.89.204.242:447
86.104.194.106:447
86.104.194.76:447
88.150.180.33:447

# Reference: https://www.virustotal.com/gui/file/2ae54dde3652a1cceef7ec5fcc8f2fdf5a07833fba685f0c0ee9964c5c2429d4/detection

148.251.185.165:443
185.234.72.35:443
185.99.2.243:443
194.87.110.144:443
195.123.240.104:443
195.123.240.113:443
213.32.84.27:443
45.67.231.68:443
45.89.125.148:443
5.152.210.188:443
5.182.211.223:443
51.89.163.40:443
85.204.116.173:443
89.223.126.186:443
103.36.48.103:449
103.76.169.213:449
117.222.63.145:449
117.252.214.138:449
125.165.20.104:449
177.190.69.162:449
179.127.88.41:449
179.97.246.23:449
181.143.186.42:449
190.99.97.42:449
200.24.67.161:449
36.91.87.227:449
36.94.33.102:449
45.224.213.234:449
45.237.241.97:449

# Reference: https://twitter.com/malware_traffic/status/1318710455678926848

199.38.120.89:449
45.89.127.244:447

# Reference: https://twitter.com/pancak3lullz/status/1319727630933950464

103.76.169.213:449
216.250.248.102:447
5.182.210.106:447
5.182.210.219:447
5efxqhk2zhgnc24l.onion

# Reference: https://labs.sentinelone.com/anchor-project-for-trickbot-adds-icmp/
# Reference: https://www.netscout.com/blog/asert/dropping-anchor
# Reference: https://otx.alienvault.com/pulse/5fa1e69430b6b9d591b9a8ba
# Reference: https://app.any.run/tasks/433d0ef1-1a0d-4dbb-9837-553125c0db42/

ericrause.com
onixcellent.com
westurn.in
wonto.pro

# Reference: https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

104.250.138.194:443
138.201.44.28:443
188.116.23.98:443
193.9.28.24:443
27.208.131.97:443
36.37.176.6:443
37.1.209.51:443
37.109.52.75:443
46.22.211.34:443
5.12.28.0:443
68.179.234.69:443
80.79.114.179:443
84.232.251.0:443
91.219.28.103:443
91.219.28.77:443

# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware

/campo/v/v

# Reference: https://www.virustotal.com/gui/file/0466b5055d26489dffb46f9d170330591f372785cd2f56a289c1167d83e97e59/detection

http://207.154.235.218
/campo/q/q

# Reference: https://twitter.com/James_inthe_box/status/1325863857328332801
# Reference: https://twitter.com/malware_traffic/status/1325871455201005568
# Reference: https://www.virustotal.com/gui/file/52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929/detection

156.96.128.237:443
185.163.47.157:443
51.81.112.135:443

# Reference: https://tria.ge/201110-tjb64jlajj

195.123.240.40:443
195.123.241.226:443
66.85.183.5:443
94.140.115.99:443

# Reference: https://www.virustotal.com/gui/file/f2b59fd4fb474f8faa420984fb13915375cc8d01e19995ec9c70017194e597be/detection

http://167.86.123.83
http://185.163.47.157

# Reference: https://www.virustotal.com/gui/file/d6751c233f5e4abc384fa891f8f34fbd7ac6358c1f55d2546d4dff73e5aab358/detection

http://195.123.241.222
tomkruzback.bazar

# Reference: https://twitter.com/wwp96/status/1329234844438630401

103.131.157.102:449

# Reference: https://twitter.com/James_inthe_box/status/1329451751079079940
# Reference: https://app.any.run/tasks/48289cb3-ef55-4aad-8db0-980fc8b4a0a8/
# Reference: https://www.virustotal.com/gui/file/b3880e41e54550f102ed4ddc0b255d5e8282d2e0522d96b2ed50423673afe288/detection

http://207.154.206.177
/campo/d/d
/campo/o/o

# Reference: https://twitter.com/ffforward/status/1328761489067536384
# Reference: https://tria.ge/201117-8m75mhtc9x/static1
# Reference: https://otx.alienvault.com/pulse/5fb6f498d6c0b4e186658305

http://194.36.191.186
info.businesssec.me

# Reference: https://twitter.com/JAMESWT_MHT/status/1329746592082092035
# Reference: https://app.any.run/tasks/b5a1a482-65de-4ec3-b099-7bc7eb4a2151/

103.131.156.21:449
103.131.157.102:449
103.131.157.161:449
103.156.126.232:449
103.146.232.5:449
46.21.153.247:447

# Reference: https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/
# Reference: https://otx.alienvault.com/pulse/5fbc07e4072cac8e2f2eff7a
# Reference: https://www.virustotal.com/gui/file/47560bd7409f20782c6948159602e6427cb1a67e93a7f30ca040cce0445325ca/detection
# Reference: https://www.virustotal.com/gui/file/4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21/detection
# Reference: https://www.virustotal.com/gui/file/77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3/detection

102.164.206.129:449
103.150.68.124:449
103.52.47.20:449
81.91.234.196:443
morganfreeman.bazar

# Reference: https://twitter.com/h2jazi/status/1331342523462258696
# Reference: https://www.virustotal.com/gui/file/5220f86bf7ae58b02715d1bcafc82736437a4e9a05ab3830857141c172f76a89/detection
# Reference: https://www.virustotal.com/gui/file/846cd2a3e425cfec72b0e490e71026ec8cd3c9ebf3bb15362d8235761074f49e/detection

http://103.131.157.161
http://103.131.156.21
http://102.164.206.129
http://103.146.232.5
http://103.131.157.102
http://103.52.47.20
tophomedesignz.com/sport.dll

# Reference: https://www.virustotal.com/gui/file/34d0f4c650c7e7caa5a4f68de82205ba12852d936a8f4ca50f39d91be3fd9b7b/detection

http://209.97.175.120

# Reference: https://twitter.com/dark0pcodes/status/1334238062126231557

116.90.224.158:449
177.221.108.198:449
187.62.208.234:449
49.156.41.74:449
80.242.220.146:449
89.40.206.116:449
94.45.210.13:443

# Reference: https://www.virustotal.com/gui/file/6ff785f5d5cc583551f5126af1e2984b3cd836eb79b6f83586664729ae281fc6/detection

berlitzalahsa.sa/jdnskjfn

# Reference: https://twitter.com/dark0pcodes/status/1335957656184512514

156.96.47.3:443
177.221.108.198:449
178.134.55.190:449
184.95.51.178:443
192.3.247.125:443
194.5.249.71:443
195.123.242.207:443
41.243.29.182:449
80.242.220.146:449
94.158.245.90:443

# Reference: https://twitter.com/dark0pcodes/status/1337121926205075461

103.65.196.44:449
103.87.25.220:443
103.87.25.220:449
103.98.129.222:449
196.45.140.146:449
41.243.29.182:449

# Reference: https://twitter.com/ffforward/status/1337345314278281219
# Reference: https://app.any.run/tasks/8c58c917-c763-4648-a291-7b632188074c/

186.47.209.222:443
45.141.59.212:443

# Reference: https://twitter.com/dark0pcodes/status/1337372954477387777

170.245.30.121:443
182.253.0.90:449
185.97.135.16:449
186.46.168.43:449
195.238.101.125:449
94.142.179.138:449

# Reference: https://twitter.com/dark0pcodes/status/1338932562966753281

177.91.179.128:443
45.201.209.29:443
45.233.116.8:449
45.233.170.75:443
45.250.65.9:443
45.250.65.9:449
45.4.29.26:443
45.70.14.98:443
94.188.172.236:443

# Reference: https://twitter.com/Artilllerie/status/1339218918091710466
# Reference: https://0paste.com/117103

102.164.208.44:449
102.164.208.48:449
103.110.53.174:449
103.112.145.58:449
103.126.185.7:449
103.137.81.206:449
103.150.68.124:449
103.61.100.131:449
103.61.101.11:449
103.65.195.95:449
103.65.196.44:449
103.87.25.220:443
103.87.25.220:449
103.98.129.222:449
192.3.247.117:447
196.45.140.146:449
41.243.29.182:449
45.12.110.195:447

# Reference: https://twitter.com/makflwana/status/1246718741460770816
# Reference: https://twitter.com/makflwana/status/1246720193981755393

w0rm.in

# Reference: https://blog.cyberint.com/trickbot-malware-as-a-service

5.34.180.168:443
34.116.68.148:12711
41.243.29.182:449
45.12.110.206:443
52.88.83.54:2726
62.116.88.136:11687
80.242.220.146:449
94.158.245.90:443
102.164.208.44:449
102.164.208.48:449
103.110.53.174:449
103.112.145.58:449
103.126.185.7:449
103.137.81.206:449
103.150.68.124:449
103.250.70.163:443
103.61.100.131:449
103.61.101.11:449
103.65.195.95:449
103.65.196.44:449
103.87.25.220:443
103.87.25.220:449
103.98.129.222:449
113.216.22.71:53158
118.69.133.4:443
141.136.0.42:443
146.91.245.192:44966
156.96.47.3:443
167.199.192.121:1702
177.221.108.198:449
178.134.55.190:449
184.95.51.178:443
186.130.221.30:24230
188.225.219.74:15270
189.89.218.190:33446
192.119.171.230:443
192.3.247.125:443
192.3.73.165:443
194.5.249.71:443
195.123.242.202:443
195.123.242.207:443
196.45.140.146:449
201.210.174.234:32166

# Reference: https://www.virustotal.com/gui/ip-address/172.105.126.54/relations

http://172.105.126.54

# Reference: https://twitter.com/malware_traffic/status/1343630789683118081

103.61.101.11:447
131.196.202.122:443
134.255.254.52:443
176.58.123.25:443
23.160.192.125:447

# Reference: https://twitter.com/malware_traffic/status/1344476617192574977

103.14.232.46:443
173.222.63.100:449
187.189.99.216:447
hiperdoscolchoes.com/demoimg.gif

# Reference: https://twitter.com/dark0pcodes/status/1346472484246233093

149.54.11.54:449
178.132.223.36:443
36.89.191.119:449
41.159.31.227:449

# Reference: https://github.com/pan-unit42/tweets/blob/master/2021-01-05-Emotet-and-Trickbot-IOCs.txt

103.220.47.220:447

# Reference: https://twitter.com/dark0pcodes/status/1347535219767832576

107.152.46.188:443
107.172.188.113:443
195.123.241.214:443
198.46.198.116:443
200.52.147.93:443
23.254.224.2:443
5.34.180.180:443
5.34.180.185:443
64.74.160.228:443

# Reference: https://twitter.com/malware_traffic/status/1349100952649953283

222.124.7.150:447
45.230.244.20:443

# Reference: https://www.virustotal.com/gui/file/878e0b2fddd35cfd243442a9e818bf813ab7d75fbcdd7ec1d89577e7485dad97/detection

195.161.114.131:443

# Reference: https://twitter.com/rcwht_/status/1350156081406877698
# Reference: https://app.any.run/tasks/5a251d79-f156-4e93-a6b5-ca66b4608bc4/
# Reference: https://www.virustotal.com/gui/file/7f40d0fe270f72aec76ec5348630f3b354ea4dd010d60edcdd865693824981de/detection

sometestfirstdom.info

# Reference: https://twitter.com/dark0pcodes/status/1351865694405750787

107.191.61.39:443
113.160.129.15:443
139.162.182.54:443
139.162.44.152:443
144.202.106.23:443
158.247.219.186:443
172.105.107.25:443
172.105.190.51:443
83.151.14.13:443
85.204.116.83:443
91.200.100.143:443

# Reference: https://twitter.com/reecdeep/status/1351934161276305413

http://172.104.129.156

# Reference: https://twitter.com/InQuest/status/1354110791197335553

http://172.105.79.146

# Reference: https://twitter.com/dark0pcodes/status/1354446957998178305

216.128.130.16:443
192.46.229.48:443
178.79.138.253:443
172.105.25.190:443
172.105.196.53:443
172.105.190.51:443
172.105.107.25:443
158.247.219.186:443
144.202.106.23:443
139.162.44.152:443
107.191.61.39:443

# Reference: https://www.virustotal.com/gui/file/e487318a3263588f81d496b040c3b9ff93edf19f892d3cee6dfa188be7fab8b9/detection

http://45.234.248.66
45.226.124.226:447
45.234.248.66:449

# Reference: https://www.virustotal.com/gui/file/c898c1b02d424a3f41ffd1ba8c604b2b9098e46f6867ce100b4e8a40f55b5709/detection

117.212.193.62:449
202.21.103.194:449

# Reference: https://www.virustotal.com/gui/file/835405f4a416b475bebe372e8be0b8498b27fb271c2b4f0e0de1c561ee85cbfc/detection

118.67.216.238:449

# Reference: https://www.virustotal.com/gui/file/4fccd66a9ad43406130ec8b69c3240a795da7fe4fd1184346954ef59253557b8/detection

92.242.214.203:449

# Reference: https://www.virustotal.com/gui/file/36128848b18bac4f9c58fe07b232662231c6248ca19e03601a7b6cd0e5a2f84e/detection

103.91.244.102:449

# Reference: https://www.virustotal.com/gui/file/b624ce7d201f109bdbfd7882192e81e25b2e64f426e4c8c87d07117ba3582807/detection

179.191.108.58:449
37.143.150.186:449

# Reference: https://www.virustotal.com/gui/file/14b913ecddad3d672acc57e388e606857c6f586ac205cbca0136555d3d3eab8a/detection

169.239.45.42:449
85.93.159.98:449

# Reference: https://www.virustotal.com/gui/file/40dbf8e35eb8ced6d27a53b0ec082241888a6cf33462d9c08c257d540a32b6b9/detection

201.184.190.59:449

# Reference: https://twitter.com/ffforward/status/1357363005600759812
# Reference: https://bazaar.abuse.ch/sample/fa8a4b51c739735940000aafaf9d3bd9b92963caa52f276f82ad415d6eb188de/
# Reference: https://tria.ge/210204-yl1ee7erg2

149.56.80.31:443
85.159.214.61:443
103.29.185.138:449
79.122.166.236:449

# Reference: https://twitter.com/James_inthe_box/status/1358805039628750850

greyfade.co.tz/terms_files/uptodate.php

# Reference: https://twitter.com/dark0pcodes/status/1359175408470675456
# Reference: https://twitter.com/dark0pcodes/status/1359175969140076544

108.170.20.72:443
134.119.186.200:443
134.119.186.201:443
185.234.72.84:443
188.34.142.248:443
195.123.241.195:443
45.14.226.115:443
45.83.129.224:443
45.89.127.240:443
85.204.116.134:443
94.158.245.54:443

# Reference: https://twitter.com/ale_sp_brazil/status/1360888555350986753

soberlifeco.com/contra/storage.php

# Reference: https://twitter.com/wato_dn/status/1361265356430479365
# Reference: https://tria.ge/210215-jnlne9kk8x

http://139.162.191.228

# Reference: https://malware.news/t/trickbot-tricks-again/44812

165.226.231.80:1273
168.140.17.62:39938
171.138.104.153:58232
194.255.156.239:25317
96.139.163.83:10616

# Reference: https://twitter.com/reecdeep/status/1362082254558756865

destinostumundo.com/layout/recruter.php

# Reference: https://twitter.com/p5yb34m/status/1362837301055819777
# Reference: https://tria.ge/210219-61w8cm88fn

108.170.20.75:443
134.119.186.202:443
142.202.191.164:443
182.253.107.34:443
185.163.45.138:443
186.137.85.76:443
186.250.157.116:443
193.8.194.96:443
194.5.249.156:443
200.52.147.93:443
36.94.62.207:443
45.155.173.242:443
45.230.244.20:443
94.140.114.136:443
chipmania.it/mails/open.php

# Reference: https://twitter.com/p5yb34m/status/1364990417029111809

103.130.6.244:449
103.225.138.94:449
122.2.28.70:449
123.200.26.246:449
131.255.106.152:449
142.112.79.223:449
154.126.176.30:449
177.85.133.118:449
180.92.238.186:449
187.20.217.129:449
192.162.238.186:449
201.20.118.122:449
202.91.41.138:449
41.77.134.250:449
95.210.118.90:449
sundancemotelwy.com
/dummy/counters.strike

# Reference: https://twitter.com/FewAtoms/status/1365682998121811971

http://195.123.220.220

# Reference: https://twitter.com/wato_dn/status/1365489611091238916

http://195.123.220.249

# Reference: https://twitter.com/p5yb34m/status/1366456267254886402
# Reference: https://tria.ge/210301-37nldw7616/behavioral1

102.164.211.138:449
103.119.117.42:443
103.146.2.152:449
103.73.101.98:449
103.76.20.226:443
103.84.164.87:443
111.235.66.83:443
154.79.252.132:449
167.179.194.205:443
168.232.188.88:449
173.81.4.147:449
177.47.88.62:443
178.54.230.164:443
179.60.243.52:443
182.48.66.106:443
186.195.199.238:449
187.19.200.154:449
190.152.71.230:443
200.6.169.124:443
202.142.151.190:449
221.176.88.201:449
36.92.93.5:449
36.94.202.131:443
37.235.230.123:449
80.78.75.246:443
80.78.77.116:449
beachtreepestcontrol.com/viewer/app.counter

# Reference: https://twitter.com/K_N1kolenko/status/1366623099836379139

beachtreepestcontrol.com/viewer/counter.php

# Reference: https://twitter.com/K_N1kolenko/status/1366680439822368770

ptpmeccatronica.eu/sorman/123.php

# Reference: https://urlhaus.abuse.ch/host/195.123.219.21/

http://195.123.219.21

# Reference: https://twitter.com/p5yb34m/status/1366803980941074432

187.190.116.59:443
metalin-cr.com/appdata/datafile.php

# Reference: https://twitter.com/James_inthe_box/status/1368972637725097985
# Reference: https://www.virustotal.com/gui/file/68eb43b8e87657e66f8b25400926f55498bfde185252ee24eb068928d698e90d/detection

103.146.185.107:447
103.239.165.24:447
117.210.210.179:447
181.191.67.186:447

# Reference: https://twitter.com/pmmkowalczyk/status/1370088158776455171

quanticemotions.com/sitemaps/maps.php
quanticemotions.com/sitemaps/solution.iops

# Reference: https://otx.alienvault.com/pulse/6048b5f9d61853672118e00f

nirvanaeyehospital.com
pureaqua.pk
simplithy.co.uk
sklep.omax.pl

# Reference: https://twitter.com/p5yb34m/status/1371534955419865091

g1ba4tt4ngq5nl7w.xyz

# Reference: https://twitter.com/JAMESWT_MHT/status/1372088639748988929

bfdnews.xyz

# Reference: https://twitter.com/p5yb34m/status/1372967220184186882

itelsys.ma/prod/education.php

# Reference: https://tria.ge/210319-tcpzt1jape

104.4.84.130:443
108.161.11.44:443
137.27.148.14:443
156.19.152.218:443
184.188.210.34:449
24.227.152.42:443
47.37.90.57:443
47.51.21.82:443
50.197.243.125:443
50.75.131.6:443
50.84.233.214:443
65.158.28.70:443
67.212.241.178:443
67.48.50.58:443
67.48.54.37:443
68.201.55.46:443
70.118.50.62:443
70.119.149.64:443
71.40.62.107:443
71.42.188.85:443
71.66.92.190:443
72.128.158.51:443
72.131.216.28:443
73.103.36.158:443
73.6.0.166:449
75.118.158.174:443
96.88.45.25:443
98.6.49.38:443

# Reference: https://www.virustotal.com/gui/file/d021f3c83a2fb22da832e301962d63c695194907ab415d0b978858699e22952a/detection

gainme.xyz

# Reference: https://twitter.com/malware_traffic/status/1375237822941134850
# Reference: https://app.any.run/tasks/13af58ee-8b4d-4343-b3ba-fff8dc994fc2/

whynt.xyz

# Reference: https://twitter.com/FewAtoms/status/1373307603267239946

call2.xyz

# Reference: https://twitter.com/James_inthe_box/status/1374753801769394178
# Reference: https://www.virustotal.com/gui/file/c777a87756b14abbe4745957c7705a76c7a944419447dd7e7a6e34a44ab25f34/detection

103.102.220.50:443
truemerit.io/databases/merit.php

# Reference: https://twitter.com/pmmkowalczyk/status/1374323909626109957

ballpro.xyz

# Reference: https://www.virustotal.com/gui/ip-address/176.111.174.53/relations

anetapp.xyz
fate3.xyz
gopigs.xyz
pwrpro.xyz
ship4.xyz

# Reference: https://twitter.com/p5yb34m/status/1375161717064302594

shatteredglass.io/uo/date.php

# Reference: https://twitter.com/tosscoinwitcher/status/1376596291413635073
# Reference: https://www.virustotal.com/gui/file/aa40f9dd1212993f79cc23111de3a8dd5e529dd1a8ca5dceaa30fba53f6f96b4/detection

mineiro.ch/casrtnoar/count.php

# Reference: https://twitter.com/luc4m/status/1376627849705222146

103.155.239.1:443
103.242.104.43:443
115.127.160.171:443
123.231.149.122:443
131.72.153.199:443
167.179.194.205:443
181.176.221.243:443
186.46.28.202:443
27.110.228.186:443
45.127.222.7:443

# Reference: https://tria.ge/210329-x7skaky76e

137.27.167.58:443
162.155.10.150:443
162.155.225.130:443
162.155.69.74:443
173.198.151.86:443
173.219.76.169:443
174.105.233.82:443
174.105.236.140:443
216.186.128.26:443
24.153.175.236:443
24.182.101.64:449
47.190.2.12:443
47.51.219.98:443
50.208.68.153:443
67.212.241.127:443
67.79.117.70:443
70.119.220.241:443
70.125.241.196:443
70.235.74.189:443
71.15.77.155:443
72.164.254.204:443
72.180.57.176:443
75.87.15.158:443
96.68.79.18:443
98.6.253.142:443
99.147.197.147:443

# Reference: https://tria.ge/210407-qcf37tycg6

102.68.17.97:443
103.76.150.14:443
103.9.188.23:449
109.185.139.90:449
138.185.72.142:443
148.216.32.55:443
173.81.4.147:443
182.253.184.130:449
185.205.250.162:443
190.122.168.219:443
196.41.57.46:449
200.90.11.177:449
202.166.211.197:443
31.134.124.90:443
31.211.85.110:443
41.77.134.250:443
5.59.205.32:443
62.213.14.166:443
77.95.93.132:449
78.138.187.231:443
81.95.45.234:449
84.21.206.164:449
85.112.74.178:449
87.116.151.237:449
87.76.1.81:449
89.250.208.42:449
91.185.236.170:449
91.225.231.120:443
96.9.77.142:443

# Reference: https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/
# Reference: https://otx.alienvault.com/pulse/606f2e77342bd3d1fa7e8d34

costacars.es/ico/ortodox.php

# Reference: https://twitter.com/reecdeep/status/1381914284544917512

living-traditions.com/blogs/click.php

# Reference: https://twitter.com/jh__1995/status/1382641572152537097
# Reference: https://tria.ge/210415-rbfwnlhcz6/behavioral1
# Reference: https://www.virustotal.com/gui/ip-address/176.111.174.62/relations

glass3.xyz
hall4.xyz

# Reference: https://fr3d.hk/blog/campo-loader-simple-but-effective
# Reference: https://otx.alienvault.com/pulse/6079aceeacc38ce480df8869

about2.xyz
ballpro.xyz
beauty1.xyz
board3.xyz
call2.xyz
fate3.xyz
gainme.xyz
gopigs.xyz
hellomydad.xyz
nightsalmon.xyz
pickthismotel.xyz
pipkaboss.xyz
pwrpro.xyz
ship4.xyz
sported.xyz
steeltits.xyz
superstartart.xyz
veso2.xyz

# Reference: https://twitter.com/teamcymru_S2/status/1386758544800763905

103.102.220.50:443
177.84.63.252:443
185.119.120.213:443
36.95.27.243:443
83.220.115.230:443

# Reference: https://twitter.com/z0ul_/status/1387112303611498496
# Reference: https://www.virustotal.com/gui/file/39d99432698540f5ea6b8acf77b2323e2cde143638694bbd726e161924885059/detection

lie3.xyz

# Reference: https://twitter.com/James_inthe_box/status/1389569228626268165

deluciaspizza.com/netmouser.dll

# Reference: https://tria.ge/210504-dkv3rmt786

102.176.221.78:443
103.111.199.76:443
103.124.173.35:443
103.54.41.193:443
103.66.72.217:443
103.90.197.33:443
109.207.165.40:443
115.73.211.230:443
117.252.68.211:443
117.54.250.246:443
131.0.112.122:443
139.255.116.42:443
154.79.244.182:443
154.79.245.158:443
154.79.251.172:443
158.181.179.229:443
178.134.47.166:443
178.254.161.250:443
178.72.192.20:443
181.176.161.143:443

# Reference: https://twitter.com/executemalware/status/1390331263043739648
# Reference: https://pastebin.com/PLCTxpAT

36.95.27.243:443
5.202.120.150:443

# Reference: https://twitter.com/malware_traffic/status/1390373738084982786

bomovie.net
bravomovies.net
out2.xyz

# Reference: https://twitter.com/MBThreatIntel/status/1392950776792698885

mastercarebath.com/wp-netmon.dll

# Reference: https://www.virustotal.com/gui/file/0f2ab41f9ce221dc8fb3778416f80f059e86578f030b2b8d8dd5bdcaae501335/detection

http://134.119.186.200
http://169.239.45.42
http://202.21.103.194
http://45.89.127.240
http://194.5.249.93
194.5.249.93:447

# Reference: https://www.virustotal.com/gui/file/2178a85feb486f06e18997447b61a874a0e804716a71d37a1ffd0664afc8d50a/detection

http://202.136.89.226
http://212.3.104.50
http://41.41.179.239
202.136.89.226:449
212.3.104.50:449
41.41.179.239:449

# Reference: https://www.virustotal.com/gui/file/2de994f3d961293aa64516c7be274bf1fbee8de16da9ff12c0f8072610511428/detection

http://202.169.244.252
http://203.176.135.38
http://43.242.141.59
http://43.245.216.190
http://43.255.113.180
202.169.244.252:449
203.176.135.38:449
43.242.141.59:449
43.245.216.190:449
43.255.113.180:449

# Reference: https://www.virustotal.com/gui/file/5b428809c1d2cb63b2b3129aad700cfdb1a36e383b071d7ceb0b72d02e3a4e3a/detection

http://43.239.152.240
http://45.230.8.34
43.239.152.240:449
45.230.8.34:449

# Reference: https://www.virustotal.com/gui/file/a33cf50b4423a277ca2b9d651f7077a5354a32b2de26a3150a7bc630ddc23429/detection

http://41.203.215.122
41.203.215.122:449

# Reference: https://www.virustotal.com/gui/file/c98b7b275bf404b2e20641f7802e686e8a64b7aa72e1ec0152cf03667daea2be/detection

49.156.41.74:449

# Reference: https://tria.ge/210519-lqhwwwz81n/

181.176.174.139:443
181.176.221.151:443
182.16.165.38:443
185.138.78.73:443
185.242.88.63:443
185.242.89.198:443
186.32.3.108:443
186.46.168.46:443
188.137.76.235:443
188.254.102.79:443
190.255.36.100:443
190.96.84.250:443
200.170.149.209:443
200.58.84.94:443
203.80.171.162:443
203.80.171.189:443
206.192.254.100:443
31.129.228.122:443
36.71.150.118:443
36.91.98.231:443
36.95.4.29:443
41.189.214.11:443
43.225.148.118:443
45.182.190.142:443
45.234.248.146:443
45.7.56.172:443

# Reference: https://twitter.com/malware_traffic/status/1395158205811068930

tear2.xyz

# Reference: https://twitter.com/z0ul_/status/1398351080300453892
# Reference: https://twitter.com/z0ul_/status/1398352022664003588
# Reference: https://www.virustotal.com/gui/file/896af1d48a0952bf86c19d6b97240a018308f33133015af47f32e04d9bb4bd85/detection

141.136.0.93:443
213.59.119.42:443

# Reference: https://twitter.com/jaimeblascob/status/1400190815180410880
# Reference: https://otx.alienvault.com/indicator/file/fd05481da74a6d89ac3c60db954e8f02a85711f9abaf12ede2d4e54eaf06a032

144.48.139.206:443
197.254.14.238:443
download3.xyz
download4.xyz

# Reference: https://twitter.com/InQuest/status/1400880724748779524
# Reference: https://www.virustotal.com/gui/file/94e0fb454ceac3661246c926658b44aa56167d0f988dd3c4c4bd3c8143f9af26/detection

download4.club

# Reference: https://www.virustotal.com/gui/file/8c206ff3cf89ee0ddf05f2608ef0535b7a2c17710e6ccec34ec6439d417dab69/detection

http://103.126.185.7
http://66.70.246.0
66.70.246.0:443

# Reference: https://twitter.com/MBThreatIntel/status/1402649681990238208
# Reference: https://www.virustotal.com/gui/file/869aceb1e0c477626683939d3fc8a670194eaa9695f8cf2048f077a70430ad2b/detection

downl0ads9.club
microsotf.club

# Reference: https://twitter.com/reecdeep/status/1403256216613232641
# Reference: https://app.any.run/tasks/d89b9654-57ab-448e-9e8c-b0a21017c2bc/
# Reference: https://tria.ge/210611-pwt1byfxkj

http://185.180.199.125
103.101.104.229:443
103.12.160.164:443
103.124.145.98:443
103.242.104.68:443
114.7.240.222:443
116.0.6.110:443
123.231.149.122:443
123.231.149.123:443
131.0.112.122:443
146.196.121.219:443
177.221.39.161:443
178.72.192.20:443
180.178.106.50:443
182.160.116.190:443
45.5.152.39:443
46.209.140.220:443
85.175.171.246:443
85.248.1.126:443
88.150.240.129:443
89.37.1.2:443
94.142.179.179:443
94.142.179.77:443
94.183.237.101:443

# Reference: https://tria.ge/210628-61ybdfys16

103.122.228.44:443
105.30.26.50:443
113.160.132.237:443
118.173.233.64:443
119.202.8.249:443
14.232.161.45:443
143.0.208.20:443
177.10.90.29:443
178.216.28.59:443
181.114.215.239:443
185.17.105.236:443
185.189.55.207:443
186.225.119.170:443
196.216.59.174:443
200.236.218.62:443
202.165.47.106:443
220.82.64.198:443
222.124.16.74:443
41.57.156.203:443
45.201.136.3:443
45.239.233.131:443
45.239.234.2:443
49.248.217.170:443
82.159.149.37:443
91.237.161.87:443

# Reference: https://twitter.com/malware_traffic/status/1410347443053604864
# Reference: https://www.virustotal.com/gui/file/5d3825ec62b0f2f30deace7e1ae3a9dc22e00fb9879e76cc63499ba94bb182f2/detection
# Reference: https://www.virustotal.com/gui/file/3cda97c2bd92917db2be92fbb5a120004f6131cbcdc61611ca514a0b679022c9/detection

14.241.244.60:443
144.48.138.213:443
144.48.139.206:443
172.104.241.29:443
172.105.15.152:443
177.67.137.111:443
181.129.116.58:443
181.129.242.202:443
181.167.217.53:443
185.189.55.207:443
185.9.187.10:443
186.225.63.18:443
186.66.15.10:443
186.97.172.178:443
187.19.167.233:443
189.206.78.155:443
190.110.179.139:443
196.41.57.46:443
196.43.106.38:443
197.254.14.238:443
202.131.227.229:443
202.138.242.7:443
202.166.196.111:443
212.200.25.118:443
27.72.107.215:443
36.94.100.202:443
36.94.27.124:443
37.228.70.134:443
41.77.134.250:443
43.245.216.116:443
45.229.71.211:443

# Reference: https://github.com/pan-unit42/tweets/blob/master/2021-06-28-TA551-IOCs-for-Trickbot.txt

12.23.113.82:443
12.23.113.83:443
12.23.113.84:443
12.23.113.85:443
12.23.113.86:443
12.23.113.87:443
12.23.113.88:443
12.23.113.89:443
12.23.113.90:443
12.23.113.91:443
12.23.113.92:443
190.109.204.126:443
45.239.234.2:443

# Reference: https://twitter.com/malware_traffic/status/1410712988135342090

45.201.136.3:443

# Reference: https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html (# Win.Packed.Trickbot-9874595-0)

load3rd.casa

# Generic trails

/2NquxQZ2oK4a45L.php
/2VJDZ6JaqzEiq.php
/2vOOR7gAPrc1eq.php
/34fhjdgEN3q.php
/6f04e0be46qb4Zc.php
/717VRBNDFF84qs.php
/countryyelow.php
/o3Mrg8bqRzC.php
/fRTe1z0xiWu8q.php
/karlmarks.php
/lU90i5Fjqb6cZ.php
/Wg4NI94598qBF.php
/Ui4VMX.php
/6ng688x8
/B1Dgs7jd
/DJNvad97v1
/DSKVJBdsj2
/DSVdv2vefasd
/DVkjbsdv37
/Huey4truyew7342
/Jygrfewhrbf3wr
/KJSDBViad7
/KVJbdisfv8sd
/SDVJKBsdkhv1
/SDVe2f2fds
/SDVjkhb7831r
/SDVsdv23
/SDVsdv23r
/YTWur324rwf5regd
/tt0002/
/djnvad97v1
/dvkjbsdv37
/hgx1bgs
/hrkddvsdv7
/qY3DRY3N
/qy3dry3n
/sdvsdv23r
/vbdh72F
/vdbh72f
/goodweb/pwofiles.php
/IuNbOpen/oiUnbYATR.php
/junkreps/sllep.php
/sport/rockstar.php
/Pan/dbloader.php/?func=
/zag/UpdateHelp.php
/zag/BorovHelp.php
/oiUnbYATR.php
/ololomadam.php
/opwasaythatthisverygoodinfo.php
/pwofiles.php
/ser0626/
/campo/a/a
/campo/b/b
/campo/c/c
/campo/d/d
/campo/e/e
/campo/f/f
/campo/g/g
/campo/h/h
/campo/i/i
/campo/j/j
/campo/k/k
/campo/l/l
/campo/m/m
/campo/n/n
/campo/o/o
/campo/o/u
/campo/p/p
/campo/q/q
/campo/r/r
/campo/s/s
/campo/t/t
/campo/u/u
/campo/v/v
/campo/w/w
/campo/x/x
/campo/y/y
/campo/z/z
/campo/a/a1
/campo/b/b1
/campo/c/c1
/campo/d/d1
/campo/e/e1
/campo/t/e2
/campo/f/f1
/campo/g/g1
/campo/h/h1
/campo/i/i1
/campo/j/j1
/campo/k/k1
/campo/l/l1
/campo/m/m1
/campo/n/n1
/campo/o/o1
/campo/p/p1
/campo/q/q1
/campo/r/r1
/campo/s/s1
/campo/t/t1
/campo/u/u1
/campo/v/v1
/campo/w/w1
/campo/x/x1
/campo/y/y1
/campo/z/z1
/campo/a/a2
/campo/b/b2
/campo/c/c2
/campo/d/d2
/campo/e/e2
/campo/f/f2
/campo/g/g2
/campo/h/h2
/campo/i/i2
/campo/j/j2
/campo/k/k2
/campo/l/l2
/campo/m/m2
/campo/n/n2
/campo/o/o2
/campo/p/p2
/campo/q/q2
/campo/r/r2
/campo/s/s2
/campo/t/t2
/campo/u/u2
/campo/v/v2
/campo/w/w2
/campo/x/x2
/campo/y/y2
/campo/z/z2
/campo/aa/a1
/campo/ba/b1
/campo/ca/c1
/campo/da/d1
/campo/ea/e1
/campo/fa/f1
/campo/ga/g1
/campo/ha/h1
/campo/ia/i1
/campo/ja/j1
/campo/ka/k1
/campo/la/l1
/campo/ma/m1
/campo/na/n1
/campo/oa/o1
/campo/pa/p1
/campo/qa/q1
/campo/ra/r1
/campo/sa/s1
/campo/ta/t1
/campo/ua/u1
/campo/va/v1
/campo/wa/w1
/campo/xa/x1
/campo/ya/y1
/campo/za/z1
/campo/a2/a2
/campo/b2/b2
/campo/c2/c2
/campo/d2/d2
/campo/e2/e2
/campo/f2/f2
/campo/g2/g2
/campo/h2/h2
/campo/i2/i2
/campo/j2/j2
/campo/k2/k2
/campo/l2/l2
/campo/m2/m2
/campo/n2/n2
/campo/o2/o2
/campo/p2/p2
/campo/q2/q2
/campo/r2/r2
/campo/s2/s2
/campo/t2/t2
/campo/u2/u2
/campo/v2/v2
/campo/w2/w2
/campo/x2/x2
/campo/y2/y2
/campo/z2/z2
/campo/li/e3
/campo/gl/gl3
/haurf/a/a
/haurf/b/b
/haurf/c/c
/haurf/d/d
/haurf/e/e
/haurf/f/f
/haurf/g/g
/haurf/h/h
/haurf/i/i
/haurf/j/j
/haurf/k/k
/haurf/l/l
/haurf/m/m
/haurf/n/n
/haurf/o/o
/haurf/p/p
/haurf/q/q
/haurf/r/r
/haurf/s/s
/haurf/t/t
/haurf/u/u
/haurf/v/v
/haurf/w/w
/haurf/x/x
/haurf/y/y
/haurf/z/z
/haurf/a2/a2
/haurf/b2/b2
/haurf/c2/c2
/haurf/d2/d2
/haurf/e2/e2
/haurf/f2/f2
/haurf/g2/g2
/haurf/h2/h2
/haurf/i2/i2
/haurf/j2/j2
/haurf/k2/k2
/haurf/l2/l2
/haurf/m2/m2
/haurf/n2/n2
/haurf/o2/o2
/haurf/p2/p2
/haurf/q2/q2
/haurf/r2/r2
/haurf/s2/s2
/haurf/t2/t2
/haurf/u2/u2
/haurf/v2/v2
/haurf/w2/w2
/haurf/x2/x2
/haurf/y2/y2
/haurf/z2/z2
/m105.dll
/mon102.dll
/mon103.dll
/mon41_cr.dll
/mon42_cr.dll
/mon44_cr.dll
/mon48_cr.dll
/mon4498.dll
/mon64.dll
/mon65.dll
/mon67.dll
/mon80.dll
/mon81.dll
/m123.dll
/mon117.dll
/mon117_cr.dll
/mon123.dll
/mon127.dll
/netmouser.dll
/wp-netmon.dll
/NgkxCQkxMTU5NUM2MTY3QkExQjcx/
