# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://github.com/silence-is-best/c2db#ursa-loader

/nj41.php

# Reference: https://app.any.run/tasks/20f85f4b-ffc8-4e15-841c-03ecc150c4a4/

http://45.132.242.89

# Reference: https://twitter.com/JAMESWT_MHT/status/1290523174136946688
# Reference: https://www.virustotal.com/gui/file/e84bd675169dd1ccc077454d08aad592dd97d6a188e841ad02a2e888bd7c1a48/detection

http://104.44.143.28

# Reference: https://twitter.com/luc4m/status/1291985996850925576

mageurox01.hopto.org

# Reference: https://app.any.run/tasks/09bfdbe7-e8d7-42d5-a1cd-fc29586bd74b/

/bd21.php

# Reference: https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/
# Reference: https://otx.alienvault.com/pulse/5f610cb62458e403adeca72d

http://191.235.99.13
http://51.143.39.80
http://66.70.237.175
http://51.222.39.128
http://51.81.104.17
http://104.44.143.28
/lp1a.php

# Reference: https://twitter.com/sirpedrotavares/status/1318924601162870785
# Reference: https://www.virustotal.com/gui/file/b29028058aa066a993379f424482b3da2ac0b799b71f2da529071616919c4ead/detection
# Reference: https://www.virustotal.com/gui/file/4219d9606f428e914a91edb807d48e4bd30387827e3704318b32bb9a103a7d27/detection
# Reference: https://www.virustotal.com/gui/file/773fd094f93cd9db61173a29bbec99a6293e1a64f181186f36685d6f01827a99/detection
# Reference: https://www.virustotal.com/gui/file/3a4fe7cb28eac0a6fdb2a4831fae4f705b4715af8570e97cf73d07f3f2f598d1/detection
# Reference: https://www.virustotal.com/gui/file/7695ea92f052ada409ec014319a03588606d49125bab96128715ff1a3811463d/detection
# Reference: https://www.virustotal.com/gui/file/c867e31b5dd19dae446f9a3ea0735acfde45f8e2c87b3b7d2d1ce317f10f1f08/detection

http://104.41.57.9
http://142.44.218.78
http://191.235.78.73

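# Reference: https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/
# Note: same report as cited earlier in this file; several addresses below repeat entries from earlier sections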

http://104.41.57.9
http://104.44.143.28
http://13.58.123.122
http://142.44.218.78
http://144.217.32.24
http://191.235.78.73
http://191.235.99.13
http://191.239.122.4
http://40.70.86.161
http://45.132.242.89
http://51.143.39.80
http://51.222.39.127
http://51.222.39.128
http://51.81.104.17
http://52.91.227.152
http://54.233.78.131
http://54.39.33.188
http://66.70.237.175
http://87.98.137.173

# Reference: https://twitter.com/sirpedrotavares/status/1328012434087555072
# Reference: https://www.virustotal.com/gui/file/b2c2319b2b73ffc89e93508845eef2e544a7046d0c337b8973ba86558d4d5271/detection

http://40.65.223.174
http://40.84.210.148
http://70.37.106.179

# Reference: https://app.any.run/tasks/8b1d33f6-a637-4c0a-a315-95952d89796f/

http://149.56.76.254

# Reference: https://twitter.com/sirpedrotavares/status/1362034175696662530
# Reference: https://app.any.run/tasks/31a56984-5e8b-4bf9-98be-34b5ff3be475/

http://144.217.17.185
http://185.150.117.9
http://192.95.2.164

# Reference: https://twitter.com/pollo290987/status/1380418256285089793

http://51.79.9.85

# Reference: https://twitter.com/0_1_0_1_0_0_0_0/status/1395699114826928129

mcdonalds-cupon.s3.us-west-000.backblazeb2.com

# Generic (path-only entries listed without a host or reference)

/aj31.php
/ak51.php
/bd21.php
/bd22.php
/bd23.php
/bk71.php
/h781.php
/h783.php
/ju61.php
/ju62.php
