# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://hackforums.net/printthread.php?tid=5655422

minergate.com
miningpoolhub.com
minexmr.com
pool.minexmr.com
moneropool.com
crypto-pool.fr
dwarfpool.com
xmrpool.eu
prohash.net
nanopool.org
ethereumpool.co
suprnova.cc
siamining.com

# Reference: https://www.multipool.us/

multipool.us

# Reference: https://mining-help.ru/

mining-help.ru

# Reference: https://xmrminer.cc/

xmrminer.cc

# Reference: https://www.monero.how/tutorial-how-to-mine-monero

supportxmr.com
monero.hashvault.pro
monerohash.com
monero.crypto-pool.fr
xmrpool.net
poolmining.org
pool.xmr.pt
xmr.prohash.net
xmr.poolto.be

# Reference: http://www.gandalph3000.com/

gandalph3000.com

# Reference: https://pangolinminer.com/

pangolinminer.com

# Reference: https://hellominer.com/

hellominer.com

# Reference: https://github.com/keraf/NoCoin/blob/master/src/blacklist.txt

# coinhive.com
# coin-hive.com
# jsecoin.com
# reasedoper.pw
# mataharirama.xyz
# listat.biz
# lmodr.biz
# minecrunch.co
# minemytraffic.com
# crypto-loot.com

# Reference: https://www.virustotal.com/#/file/179c5390ba2023402283104fd85d6394033976bc2f21e45d32e7557cafaa7d41/detection

sparechange.io

# Reference: https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html

8282.space
3389.space

# Reference: https://github.com/xmrig/xmrig/blob/master/src/net/strategies/DonateStrategy.cpp

fee.xmrig.com

# Reference: https://www.securityhome.eu/malware/malware.php?mal_id=7994909645aa0b75fc035d0.43847858

donate.xmrig.com

# Reference: https://isc.sans.edu/forums/diary/What+is+going+on+with+port+3333/23215

mine.moneropool.com
pool.cortins.tk
pool.supportxmr.com
xmr.crypto-pool.fr
xmrpool.eu

# Reference: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

koto-pool.work

# Reference: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang

134.209.104.20:51640
minerxmr.ru

# Reference: https://twitter.com/bad_packets/status/1100625553822867456

119.23.222.239:26590

# Reference: https://twitter.com/James_inthe_box/status/1115591879586795521

47.97.119.5:19988

# Reference: https://twitter.com/infosec_dude/status/1117450131417313280
# Reference: https://www.virustotal.com/gui/ip-address/45.43.27.214/relations
# Reference: https://twitter.com/James_inthe_box/status/1117881448151666688

45.43.27.214:17555
r.twotouchauthentication.online

# Reference: https://twitter.com/luc4m/status/1123126706943008768

139.224.15.175:26591

# Reference: https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github

zarabotaibitok.ru
61.128.111.164:3335

# Reference: https://twitter.com/raby_mr/status/1133347073154097153
# Reference: https://app.any.run/tasks/7e23f973-5f69-4ef0-af26-427e975e308d/
# Reference: https://www.virustotal.com/gui/file/272e25e3aa9d792281a282c2f6cd40d59c5b8fe432ae93bb5015899ceb173dd1/behavior/Dr.Web%20vxCube
# Reference: https://www.virustotal.com/gui/ip-address/94.130.64.225/relations
# Reference: https://www.virustotal.com/gui/ip-address/46.4.119.208/relations

46.4.119.208:45700
94.130.64.225:45700

# Reference: https://github.com/guardicore/labs_campaigns/blob/master/Nansh0u/mining_pools_domains.md

lokiturtle.herominers.com
trtl.cnpool.cc
turtle.miner.rocks
trtl.pool.mine2gether.com

# Reference: https://twitter.com/liuya0904/status/1135901420958281729

noobxmr.com
minexmr.cn
moriaxmr.com
viaxmr.com
xmr-us.suprnova.cc
xmr.bohemianpool.com
xmr-usa.dwarfpool.com
miners.pro
zer0day.ru

# Reference: https://twitter.com/malware_traffic/status/1138999824613687298
# Reference: https://twitter.com/VK_Intel/status/1139926661162512384
# Reference: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-06-14-tofsee-spambot-modules.notes.vk.txt

185.181.165.20:8087

# Reference: https://twitter.com/Artilllerie/status/1115258738368294913

185.212.129.80:8087

# Reference: https://otx.alienvault.com/pulse/5d0773672ba7e7853c4ad5cf

185.161.70.34:3333
202.144.193.184:3333
205.185.122.99:3333

# Reference: https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/ (# Mining hosts)

system-update.info
system-check.services
185.193.126.114:443
185.193.126.114:8080
82.221.139.161:8080

# Reference: https://twitter.com/28bit/status/1159906315642253312

121.42.151.137:28850

# Reference: https://twitter.com/James_inthe_box/status/1165005466419658753

3.120.209.58:8080

# Reference: https://habr.com/ru/company/pt/blog/466877/ (Russian)

154.16.67.133:80

# Reference: https://twitter.com/Paladin3161/status/1171766464560238593
# Reference: https://pastebin.com/YWXQFF3Q

http://185.141.25.35
solarray.club

# Reference: https://twitter.com/pancak3lullz/status/1174012227130679297

65.154.226.109:14100
70.42.131.189:14100

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/

pool.usa-138.com
xmr.usa-138.com

# Reference: https://twitter.com/MalwareTechBlog/status/1190730471321112577
# Reference: https://otx.alienvault.com/pulse/5dbdf437299aea7cd396cd26
# Reference: https://www.virustotal.com/gui/file/8a87a1261603af4d976faa57e49ebdd8fd8317e9dd13bd36ff2599d1031f53ce/detection
# Reference: https://www.virustotal.com/gui/file/037dbddeda76d7a1be68a2b3098feabfbf5400a53e2606f5a0e445deb2e42959/detection

5.100.251.106:52057

# Reference: https://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/

myxmr.pw
xmr.5b6b7b.ru

# Reference: https://www.virustotal.com/gui/file/f99833ef4d4bcb6cf9abcaee6edd3d1ba5b5825af4fd3f609654d343b137a8af/detection

91.121.140.167:3333

# Reference: https://www.accenture.com/_acnmedia/pdf-46/accenture-threat-analysis-monero-wannamine.pdf

pool.supportxmr.com
pool.minexmr.com
pool.support
pool.monero.hashvault.pro
xmrpool.eu
cryptonight-hub.miningpoolhub.com
xmrpool.net
xmr.nanopool.org
mixpools.org
minergate.com
viaxmr.com
moriaxmr.com
xmr.suprnova.cc
moneroocean.stream
xmrpool.eu
xmrpool.de
poolto.be
minexmr.com
xmr.prohash.net
sheepman.mine.bz
xmr.mypool.online
bohemianpool.com
moneropool.com
moneropool.nl
iwanttoearn.money
pool.xmr.pt
monero.crypto-pool.fr
monero.miners.pro
minercircle.com
monero.lindon-pool.win
cryptmonero.com
teracycle.net
ratchetmining.com
dwarfpool.com
monerohash.com
monero.us.to
usxmrpool.com
xmrpool.xyz
minemonero.gq
alimabi.cn
pooldd.com
monero.riefly.id

# Reference: https://blog.talosintelligence.com/2020/01/vivin-cryptomining-campaigns.html
# Reference: https://otx.alienvault.com/pulse/5e29b7189d749995b2d4ea71
# Reference: https://www.virustotal.com/gui/file/6bc118693d6e69081e5f39fdab20a613d7536d3199c029562c192c5dbc9d1d1c/detection

37.59.43.136:4444
37.59.54.205:4444

# Reference: https://app.any.run/tasks/d6c87295-24a2-48eb-aef0-d3d5ac4ad2ae/
# Reference: https://mining.bittube.app/

mining.bittubeapp.com

# Reference: https://www.virustotal.com/gui/file/5eda21ea41febbdc5b69840894cb37cba8206f2865dc07e2cb85c29db5240d04/detection
# Reference: https://www.virustotal.com/gui/ip-address/163.172.204.213/relations
# Reference: https://www.virustotal.com/gui/ip-address/163.172.204.219/relations

163.172.204.213:3333
163.172.204.219:3333
163.172.207.198:3333
163.172.207.71:3333
crypto-pool.info
monero-master.crypto-pool.fr
pool.4i7i.com
xmr.ip28.net
xmr.simka.pw
xmrpool.me
xmr.crypto-pool.info
xmrf.520fjh.org
xmrf.fjhan.club
xmr.somec.cc
pool.somec.cc

# Reference: https://www.first.org/resources/papers/amsterdam2019/FIRST-TC-pres-v1.1.pdf    # Note: page 31
# Reference: https://www.virustotal.com/gui/ip-address/163.172.226.194/relations
# Reference: https://www.virustotal.com/gui/domain/xmr.crypto-pool.fr/relations
# Reference: https://www.virustotal.com/gui/file/87f9a5a38c1dce92317c50fe66f2fdc0fcfac19f0ea58951b9a3e747915c1827/behavior/Rising%20MOVES  # Note: different ports used

163.172.114.218
163.172.203.178
163.172.204.213
163.172.204.219
163.172.205.136
163.172.206.67
163.172.207.166
163.172.207.198
163.172.207.69
163.172.207.71
163.172.207.88
163.172.224.101
163.172.226.114
163.172.226.120
163.172.226.128
163.172.226.137
163.172.226.194
163.172.226.218

# Reference: https://www.virustotal.com/gui/file/fbcdd5c542bb5c66303e621829f0cd654be0bfb38ed0c50a335ef3c9dae0201f/detection

138.201.20.89:45700
138.201.27.243:45700
78.46.87.181:45700
88.99.142.163:45700

# Reference: https://www.virustotal.com/gui/file/c3affb76ff0fad78d77b0153b5c2a99d5bbd8d829ef13661c0af58d2988db344/detection

149.210.234.234:3333
litecoinpool.org

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1240732487195688962

covid19crypto.com

# Reference: https://blog.360totalsecurity.com/en/crazycoin-the-master-of-double-mining-double-white-utilization-and-resource-utilization/

47.101.30.124:13531
47.108.119.77:6000
f2pool.com
hns.f2pool.com
xmr.f2pool.com

# Reference: https://github.com/Monero-Monitor/monero-monitor/blob/master/data/html/options.html

monero.crypto-pool.fr
monerohash.com
moneropool.com
drill.moneroworld.com
cryptmonero.com
xmr.prohash.net
xmr.alimabi.cn
xmrpool.eu
supportxmr.com
minexmr.com

# Reference: https://www.virustotal.com/gui/file/eaef82223eeb8cf404a1d46613d36b9e582304b215201b5e557db578dd73e04e/behavior/Dr.Web%20vxCube

37.59.43.131:5555
37.59.43.136:5555
91.121.2.76:5555
37.59.45.174:5555
176.9.2.144:5555
78.46.91.134:5555
78.46.89.102:5555
37.187.154.79:5555
37.59.54.205:5555
37.59.55.60:5555

# Reference: https://s.tencent.com/research/report/948.html (Paragraph 6)
# Reference: https://otx.alienvault.com/pulse/5e863edb03f9ddbc8bc15b60

103.195.4.139:443
178.128.108.158:443
68.183.182.120:443

# Reference: https://www.virustotal.com/gui/file/455224893e266c7f5781bdc2e0c1cbb1a4f3c71c8a63ba7c690cd3067949ed5c/detection

178.63.48.196:5555

# Reference: https://blacklist.cyberthreatcoalition.org/vetted/url.txt

minerpool.pw
/xmrig/

# Reference: https://www.virustotal.com/gui/file/a38216166e363d752f37bdf0419d2e2694279beab8df66d40f56c679563e7a4f/detection

pool.hashvault.pro

# Reference: https://www.virustotal.com/gui/file/f47aa2f661eec457e659d0c0867902e4ed851993f8b884e03c22e27403f4876c/detection
# Reference: https://www.virustotal.com/gui/file/6eb73cfa98e35282a6f9a6d028f3f5ad84cf29ed4deb33b262d682c8bd246466/detection
# Reference: https://www.virustotal.com/gui/file/44cd3c7c0acb590fd5f1d5175171accedc602c702139ea47017dea782b859a8b/detection
# Reference: https://www.virustotal.com/gui/domain/hex7e4.ru/relations

134.122.57.234:3333
185.212.128.180:8080
45.61.136.51:3333
45.61.136.51:8080
97.68.239.202:3333
d1pool.ddns.net
d5pool.us
xmr.hex7e4.ru
xxx.hex7e4.ru

# Reference: https://www.virustotal.com/gui/file/f0fa9f69e15c349511fc1d2928507a69aefa908726d5c3aa5cd7e3ae83b412c5/detection

107.175.127.22:6661
emercoin.com
emercoin.net
emergate.net
seed.emercoin.com
seed.emercoin.net
seed.emergate.net

# Reference: https://twitter.com/r3dbU7z/status/1323120001604341760

13.77.155.141:5000
xmr.bepooh.com

# Reference: https://www.virustotal.com/gui/file/f1f8d8e09da07736059c4388bfdf35318d3e34726c5d362c5f986e5ed8d6a0d4/detection

51.81.245.40:5555
us-west.minexmr.com
webservicepag.webhop.net

# Reference: https://thedfirreport.com/2020/11/12/cryptominers-exploiting-weblogic-rce-cve-2020-14882/
# Reference: https://otx.alienvault.com/pulse/5fad78631749dbff71a31f55
# Reference: https://www.virustotal.com/gui/ip-address/178.128.242.134/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.92.222.223/relations
# Reference: https://www.virustotal.com/gui/file/58bb90f11070a114442c4fa1cbbccefadcdf954510ae2b8d91c9b22b1a8a42d5/detection

178.128.242.134:443
185.92.222.223:443
104.140.244.186:3333
37.59.44.193:3333
45.136.244.146:3333
94.23.23.52:3333
donate.ssl.xmrig.com
donate.v2.xmrig.com
randomx.xmrig.com

# Reference: https://twitter.com/r3dbU7z/status/1326915356028493826

131.153.76.130:3333

# Reference: https://www.virustotal.com/gui/file/91c051a316c234d4f29a1ae939baa2b3ce28d8cc536442fc829c268d72b1cbcd/detection

109.94.208.3:28734
110.93.227.135:28734
182.1.2.238:28734
27.67.182.91:28734
35.225.125.226:28734
37.214.86.162:28734
89.183.110.221:28734
93.81.162.103:28734

# Reference: https://twitter.com/r3dbU7z/status/1330843370244214784

bizxmr.cc

# Reference: https://www.virustotal.com/gui/file/f2519c4978dd4339e0b625b875343bb4ae03c504268da799c4ec694802770585/detection
# Reference: https://twitter.com/rootprivilege/status/1331348542028275712

198.50.168.213:6233
198.50.152.135:6233
149.56.122.72:6233
144.217.67.71:6233
144.217.111.81:6233
192.99.233.217:6233
149.56.122.79:6233
192.99.203.53:6233
198.50.168.213:6234
198.50.152.135:6234
149.56.122.72:6234
144.217.67.71:6234
144.217.111.81:6234
192.99.233.217:6234
149.56.122.79:6234
192.99.203.53:6234
mine.zpool.ca

# Reference: https://www.virustotal.com/gui/file/a037c15659d91a7555fbd0ec17978c26f7974ea66909c8732629c4a1ec961f14/detection

209.141.35.17:8080
66.70.218.40:8080
xmr.givemexyz.in

# Reference: https://www.virustotal.com/gui/ip-address/3.120.98.217/relations

3.120.98.217:8080

# Reference: https://www.virustotal.com/gui/file/49a326ef65fb6a7f8e778fb2104aa2708e38601348ddbc04e8cbd9117af0458a/detection

172.65.200.133:3380

# Reference: https://www.virustotal.com/gui/file/a8174c8d4169bafa791bdaba5033bf0b67a6ab7dde9a362c5f04ac6d2088a677/detection

172.65.200.133:3357

# Reference: https://www.virustotal.com/gui/file/692627b99dc224be5f31321b5628c9736bc0b43a87358ccf544e39453d27eb4e/detection
# Reference: https://www.virustotal.com/gui/file/1d8c8e42e73eea50e0ca09124c0c2c3e7da21c5b232246129528cc955dc5a25f/detection

172.65.200.133:3333
172.65.245.55:3333

# Reference: https://www.virustotal.com/gui/file/f89c6d288cadbd5924496b664f6138c14523c338bef44407c0ed1a449b11e466/detection
# Reference: https://www.virustotal.com/gui/file/8b7aac6ab2d4b4a128c11c02b9b0269c08dec2c935c92e45804756a4ee5878e5/detection

172.65.195.177:3341
172.65.200.133:3341

# Reference: https://www.virustotal.com/gui/file/fd1d919e012353386a9d20af761109eaaa3099eec0bebec107b3bf000348f3fe/detection

172.65.200.133:3375

# Reference: https://www.virustotal.com/gui/file/1d1d2b6edf51a4262795b2d99f4bf21f2c71b68d2001f74a6d1b24b077a890f0/detection

172.65.200.133:3334

# Reference: https://www.virustotal.com/gui/file/09fb4ee5038c7f273273642b83926c84361ef34ae43ac835542c1ff065734437/detection

172.65.200.133:3347

# Reference: https://www.virustotal.com/gui/file/a9510408f55684801300e3bcb9df0405bd620091dc635493b190dc749d743f93/detection

172.65.192.67:3353
172.65.196.90:3353
172.65.200.133:3353
172.65.223.147:3353
172.65.229.122:3353
172.65.255.250:3353

# Reference: https://twitter.com/IntezerLabs/status/1341010531902050305
# Reference: https://www.virustotal.com/gui/ip-address/80.211.206.105/relations
# Reference: https://www.virustotal.com/gui/file/1ce687b9d97bc0932bc3bc107a6b5c9363bb5a6f1c2391a59f1664dfa68a2228/detection
# Reference: https://www.virustotal.com/gui/file/b0c8667eba81af1069e310055acea49e4f08fed8a071cb33da64a3d1e154d75d/detection
# Reference: https://www.virustotal.com/gui/file/402ce23a6b8c718d31a203eb27d1ac97dc614499b542ab630afcb5ac629d934a/detection
# Reference: https://www.virustotal.com/gui/file/603585df24d799e13d80145f071b2fbc3d81493d098a0df5e474ef4405b61fe4/detection
# Reference: https://www.virustotal.com/gui/file/3373bdf62d72c6f8ab62797aeda4f2b993f0d950964c3b5f9b8f96774abc25a6/detection
# Reference: https://www.virustotal.com/gui/file/037f28da0a7e825a21176c27123c9333bca46d37a8faf378c31766b82c653bbb/detection
# Reference: https://www.virustotal.com/gui/file/64db532ccfa34e01e697e68d5ee6d7360c9641440c38d2fd7850687837b24039/detection
# Reference: https://www.virustotal.com/gui/file/ee1024af67999dad6fc7a202f200526f70d54afbdf39f53121b020510fb103b8/detection
# Reference: https://www.virustotal.com/gui/file/b0adb691cf67bbe881c5b1946eb31f99fdddacef06078b94b8fe56a611bbe897/detection
# Reference: https://www.virustotal.com/gui/domain/donate.graef.in/relations

15.236.100.141:10001
15.236.100.141:10128
18.180.72.219:10001
18.180.72.219:10128
3.125.10.23:10001
3.125.10.23:10032
3.125.10.23:10128
34.252.195.254:10032
34.252.195.254:10128
80.211.206.105:5555
donate.graef.in
donate2.graef.in
xmrigcc.graef.in

# Reference: https://www.virustotal.com/gui/ip-address/61.147.103.140/relations
# Reference: https://www.virustotal.com/gui/file/e52afc60918b6ba83cff5362344b4d712e9fa29b639ee70e25c1c650bf93360d/detection

61.147.103.140:20570

# Reference: https://www.virustotal.com/gui/file/b7be211bbc842b461f8b729c3b6105c855df563e7b11e4fc51aaf9cafe250526/detection

185.154.13.213:3333

# Reference: https://twitter.com/r3dbU7z/status/1341352776459272195

54.188.223.206:10128

# Reference: https://twitter.com/r3dbU7z/status/1344547651564539904

149.248.6.193:13531

# Reference: https://www.virustotal.com/gui/file/cd889a03ea69d14e772e1f0996dedf7fd18cc927de21d40785f5942320e35cd1/detection

47.100.95.105:13531

# Misc (incidents)

213.252.245.67:450
213.252.245.67:453
213.252.245.67:454
213.252.245.67:457
213.252.245.157:450
213.252.245.157:451
213.252.245.157:452
213.252.245.157:454
213.252.245.157:457
213.252.245.197:451
213.252.245.197:452
213.252.245.197:453
213.252.245.197:454
213.252.245.197:457
213.252.245.223:450
213.252.245.223:451
213.252.245.223:452
213.252.245.223:457
