# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits
# Reference: https://otx.alienvault.com/pulse/5d4431e60c6bf943f7f039aa

http://146.0.75.34
amnsns.com
calacs-laurentides.com
crypto-crypto.site
dsntu.top
elienne.net
gougounu.site
mmasl.com

# Reference: https://twitter.com/VK_Intel/status/1176927389328261121
# Reference: https://www.virustotal.com/gui/file/7976bfcea5c86a0b12266993b17176398d3eabe817f3c44f1a212bca9234698d/detection

fresher.at

# Reference: https://twitter.com/pancak3lullz/status/1334638629654814720

172.105.253.97:4001
http://172.105.253.97

# Reference: https://news.sophos.com/en-us/2020/12/16/systembc/
# Reference: https://otx.alienvault.com/pulse/5fe3992846c25c7182e066ed

advertrex20.xyz
advertsp74.xyz
asdasd08.com
asdasd08.xyz
decatos30.com
decatos30.xyz
gentexman37.xyz
mexstat128.com
sdadvert197.com
shopweb95.xyz

# Reference: https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/
# Reference: https://otx.alienvault.com/pulse/601aedb7c7c215c1dc3bb6db/

alnujaifi-portal.com/ds/3101.gif
clinica-cristal.com/ds/3101.gif
eyeqoptical.ca/ds/3101.gif
gbhtrade.com.br/ds/3101.gif
newstimeurdu.com/ds/3101.gif
remacon.net/ds/3101.gif
skconstruction.info/ds/3101.gif
/ds/3101.gif

# Reference: https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/
# Reference: https://otx.alienvault.com/pulse/609abec825e7816948042cc0
# Reference: https://www.virustotal.com/gui/file/2dc93817039e6fa4fae014e1386cffa7ac35b89feac59d8abe7f51be1c089580/detection

23.227.202.22:4142
79.110.52.9:4142
193.29.104.187:443

# Reference: http://www.intel471.com/blog/cobalt-strike-cybercriminals-trickbot-qbot-hancitor

172.105.253.97:4001
80.85.84.79:4001

# Reference: https://www.virustotal.com/gui/file/114e10d27381de27f9442d15a57fd5a4afec3e287176cd793d7cd1689e96cf17/detection
# Reference: https://www.virustotal.com/gui/file/04eac372fbe81ab6bc47ea4d728323026a08324b5edc7aa62c9ebfc664eef824/detection

109.234.39.169:4001
adirtasolution.co.id

# Reference: https://www.virustotal.com/gui/file/5398d64f2fdfb55776a0ae2eec9d8702223356ff327a91e502eaa45f14d88632/detection

139.60.161.24:4658
192.53.123.202:4658

# Reference: https://www.virustotal.com/gui/file/00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555/detection

31.44.185.11:4001
31.44.185.6:4001
michaelstefensson.com

# Reference: https://twitter.com/0xrb/status/1509072321155579907

http://31.44.185.11
http://31.44.185.6

# Reference: https://asec.ahnlab.com/en/33600/
# Reference: https://otx.alienvault.com/pulse/625527f81b8187c8c082d7a4
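# Reference: https://www.virustotal.com/gui/ip-address/194.67.92.180/relations
# Note: the seven bare http://<IP> entries in this block, together with 128.31.0.34:9131, 128.31.0.39:9131
# and 171.25.193.9:443, are addresses of well-known Tor directory authorities (verify against the current Tor
# consensus). SystemBC contacts them to bootstrap Tor, so a hit on these alone indicates Tor client activity
# in general rather than SystemBC specifically; corroborate with the other indicators before attributing.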

http://131.188.40.189
http://154.35.175.225
http://193.23.244.244
http://194.109.206.212
http://199.58.81.140
http://204.13.164.118
http://86.59.21.38
128.31.0.34:9131
128.31.0.39:9131
192.64.119.142:4044
194.67.92.180:40690
171.25.193.9:443
31.44.185.11:4001
31.44.185.6:4001
45.153.240.65:4044
45.32.132.182:4177
89.108.99.179:40690
96.30.196.207:4177
admex175x.xyz
dfhg72lymw7s3d7b.onion
mapfiles.info
pushsecs.info
servx278x.xyz
db1.mapfiles.info
db2.mapfiles.info
db1.pushsecs.info
db2.pushsecs.info

# Reference: https://twitter.com/0xrb/status/1516651127944941568
# Reference: https://www.virustotal.com/gui/file/fe6d6d15e0ffa8717c2a5ac80b7f117e853c05cd642c746bb2eab0f70416150d/detection

88.80.188.245:4170

# Reference: https://twitter.com/0xrb/status/1517368003389968384
# Reference: https://www.virustotal.com/gui/file/57eccf5d61a8ca0b2bea78e57df2c987ae07232f2e7ed43bb90314e73aeae543/detection

194.93.56.202:4001

# Reference: https://twitter.com/0xrb/status/1518499002681282560
# Reference: https://www.virustotal.com/gui/file/3f1e3e41c78f34a4012539afc1fa37eb88d12de49f12d688f40d86c8f4bbfe06/detection
# Reference: https://www.virustotal.com/gui/file/6aea048eb43309ce48f54eb1575c93d898ee8c3726dc6871a5e3a65d4f7810e9/detection

http://143.244.175.124
http://192.53.123.202
143.244.175.124:4225
192.53.123.202:4225

# Reference: https://twitter.com/0xrb/status/1519959623369113600
# Reference: https://www.virustotal.com/gui/file/fe6d6d15e0ffa8717c2a5ac80b7f117e853c05cd642c746bb2eab0f70416150d/detection

http://88.80.188.245
88.80.188.245:4170

# Reference: https://twitter.com/0xrb/status/1519956419197677568
# Reference: https://twitter.com/abuse_ch/status/1534791877202956289
# Reference: https://www.virustotal.com/gui/file/d0f3211e3a351e4f7384243f983a33a0b4e989b61fea1e1c098bb5c8241ae102/detection

45.11.57.142:1488
62.182.82.33:1488
usaf.army

# Reference: https://twitter.com/0xrb/status/1523630947790626819
# Reference: https://www.virustotal.com/gui/file/9d396abb34553871ffd2776aa0ca2997c83c047ce852b2cf328f374438380853/detection

104.200.67.101:4001
nadrmcrosftn.com

# Reference: https://twitter.com/0xrb/status/1524266350042304512
# Reference: https://www.virustotal.com/gui/file/d20def2014332b3391f52f726374f221dbbb06b748e02371d37cbe7ec53f1664/detection

46.30.189.212:4210
62.113.196.57:4210

# Reference: https://tria.ge/201201-159fq8bewa/behavioral1

179.43.178.96:4141

# Reference: https://tria.ge/201129-7zy2lhx2rs/behavioral1

31.44.184.186:4132

# Reference: https://tria.ge/201128-7s6f8xmqga/behavioral1

23.106.215.30:4044

# Reference: https://twitter.com/jaydinbas/status/1554857469326901249
# Reference: https://tria.ge/220803-sz7aesdffq

20.115.47.118:4245
20.157.93.87:4245

# Reference: https://twitter.com/0xrb/status/1572547656257511424
# Reference: https://www.virustotal.com/gui/file/873a028cd3d8f457b4f7b8036afbc736466eade13f229b92ae4d9c67815da376/detection

http://146.70.101.95
146.70.101.95:4001

# Reference: https://twitter.com/nosecurething/status/1574964679280951297
# Reference: https://www.virustotal.com/gui/ip-address/194.67.119.190/relations

cloudupdatesss.com

# Reference: https://twitter.com/0xrb/status/1577918892248162304
# Reference: https://www.virustotal.com/gui/file/4246b1740af95e953c8010a6d99c0ab72622b892bc1dbb955eec4067d90d7763/detection

185.215.113.105:4001

# Reference: https://twitter.com/bofheaded/status/1584268766229454850
# Reference: https://www.virustotal.com/gui/file/605fa356dc438ac90419f85f0e903bd64f34125b6c52aeac3e58dd0056122650/detection
# Reference: https://www.virustotal.com/gui/file/01a5005f3ad75fd7073b3eaccbc3dfc7b5a3fe71653abd9e811b9da3d3edda76/detection

http://45.15.156.48
45.15.156.48:4254

# Reference: https://www.virustotal.com/gui/file/fb10e32875d3c0c3a8fff27f74df07f2091cc9369d9f1021a437abb97e06d35f/detection

http://185.82.217.131
185.82.217.131:443

# Reference: https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
# Reference: https://otx.alienvault.com/pulse/6359505e5a342ac921b5e94e
# Reference: https://www.virustotal.com/gui/file/e61b78e1e38008f7ef0aceb0a386175084f2c3d5cc360e133b6c02e87bb678bb/detection

http://185.82.219.201
185.82.219.201:443

# Reference: https://twitter.com/0xrb/status/1588045243236032512
# Reference: https://www.virustotal.com/gui/file/750cf12b5500d4837fa3acfbdbe75339c03d76b136ca200c5edf360e088c4db1/detection

45.182.189.231:443

# Reference: https://twitter.com/Merlax_/status/1582488153948323841

http://156.96.62.54
http://156.96.62.57
http://31.41.244.183
http://45.61.137.253
http://45.66.248.241
http://5.255.103.142
http://5.45.74.40

# Reference: https://www.virustotal.com/gui/file/c08def26508e296b96abad65537e8a265711b74e5e9856295143af848c3c6af9/detection

89.41.182.153:4001

# Reference: https://www.virustotal.com/gui/file/691de4b62a44a670c721c4015a854c157d73be1bf96e412133b0d1ea7124ae4e/detection

109.206.243.58:81
89.22.236.225:4193

# Reference: https://www.virustotal.com/gui/file/3cd56d548fd9c900601b6882a7450acf8d6cfce9fa505c16155b1e0b38696160/detection
# Reference: https://www.virustotal.com/gui/file/6db824ea5f4d66e385965fcdab37fe9e15a3212bc4ce0c3caf5b726736610e1f/detection
# Reference: https://www.virustotal.com/gui/file/7d752858a3e0f3f96cb0402c9daf0b39fd56e39f52f986a2cbe39872b258d35f/detection

5.45.76.16:4246
5.45.74.40:4246

# Reference: https://www.virustotal.com/gui/file/e270841232d0d3095f915ade9c899207a1da577bae4f83fdcc63ee14780e5304/detection

20.245.196.4:4001

# Reference: https://www.virustotal.com/gui/file/6c278ae9867cbc45cc7be476e60e455f525655e872b2a8231d36490262dbb7bb/detection

34.171.171.32:4248
46.23.109.147:4248
slavelever.info
slavelevereoewl.info

# Reference: https://www.virustotal.com/gui/file/c1f83eca657eb74769e9df053eb430c11cbcb123004179f2196fec6f45e48099/detection
# Reference: https://www.virustotal.com/gui/file/abb0274cd08aa1d818c2a3f3b3650a1f699aead09d435e63473dde45826cad43/detection

104.238.140.73:4177
149.28.72.85:4177

# Reference: https://twitter.com/bofheaded/status/1599036327294828545

http://104.238.140.73
http://149.28.72.85
http://20.245.196.4
http://46.23.109.147
http://5.45.76.16
http://89.22.236.225
http://89.41.182.153

# Reference: https://www.virustotal.com/gui/ip-address/34.171.171.32/relations
# Reference: https://www.virustotal.com/gui/file/321ff880be2af53ff3efab99a1e51e4ffad39e710f761188eab599c4a356cb7d/detection

hcwakentent.com
hcwakententx2.com

# Reference: https://www.virustotal.com/gui/file/8381178662754cf98d5a9a3ee9a8019874a4b2940f5e701f6c20bbc04275c286/detection

192.169.6.111:4175
67.198.232.34:4175
sadfsdfjj4838377aa.cc

# Reference: https://www.virustotal.com/gui/file/a18142eec089782245301e46c1cfd35a5b2b7b3ae51c69196077cbfc4d0d1ce5/detection

199.192.29.149:4035
jmlor.com
lisnm.com

# Reference: https://www.virustotal.com/gui/file/463fcd6210c8bdf47e79cb0a06c76333a40ecd4443b44642407074c82fccf404/detection

core-networking.com

# Reference: https://www.virustotal.com/gui/file/06ae0467cf443f36369f5e400a963aa57a7a26741d31ed187945fa31da7957fa/detection

142.4.5.169:4039
26asdcgd.com
26asdcgd.xyz

# Reference: https://www.virustotal.com/gui/file/0ce6da681584201acdb46a8a73395ffaf64db8944ad335511ec06a4f3bbdb73f/detection

194.58.112.174:4035
89.203.251.227:4035
bankshopstars.bar
bankshopstars.space
imana-chi.nl

# Reference: https://www.virustotal.com/gui/file/006716664383ab81ab3593dbe956c173b087bfcf1b94f53c710ba0557a8778b0/detection

195.2.73.159:4039
anarhi2402.com
anarhi2402.xyz

# Reference: https://www.virustotal.com/gui/file/23f400b92497928546a17a9fce1457b54096522b0bda372cbf750003aa6b073b/detection

asdasd05.com
asdasd05.xyz

# Reference: https://www.virustotal.com/gui/file/1142ce10f02a4a1fa3411db2b5e46f7e1b9e06792ee323c2a51b92ae5857c9f7/detection

142.4.7.183:4035
dasd13d.com
dasd13d.xyz
fb01ddd.com
fb01ddd.xyz

# Reference: https://www.virustotal.com/gui/file/1021deecef69ff06cb704b3cadae33fe7ffbf87f2b9daa670502569d2a387edf/detection

95.142.45.61:4039
dec15coma.com
dec15coma.xyz

# Reference: https://www.virustotal.com/gui/ip-address/34.171.171.32/relations
# Reference: https://www.virustotal.com/gui/file/7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e/detection

scserv1.info
scserv2.info

# Reference: https://www.virustotal.com/gui/ip-address/34.171.171.32/relations
# Reference: https://www.virustotal.com/gui/file/5274078106ca260d04455bb46407cc2dd37ffa7b44eebe877dc3f7c1731e0e9f/detection

freesocksvpn.xyz
freevpnsocks.xyz

# Reference: https://www.virustotal.com/gui/file/b2d6b7c088ae1bde91bd043106a853c5b54bc1270e694847c2eafd8db0bdf29f/detection

51.91.209.190:4153
gambinos.space

# Reference: https://www.virustotal.com/gui/file/2420dca85bb446e3c494d9a0caf28ec24d448d4f562a1f47921514117ca9a426/detection

89.203.249.203:4035
gameblog18.xyz
gamelom20.com

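# Reference: https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c
# Note: http://74.125.112.7, http://74.125.46.143 and http://74.125.74.6 fall inside 74.125.0.0/16, address space
# commonly attributed to Google, and ns1/ns2.vic.au.dns.opennic.glue name OpenNIC resolvers (shared
# infrastructure, presumably used here to resolve the .bit domains). Treat hits on these entries as
# low-confidence and confirm current ownership before blocking on them.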

http://107.155.124.13
http://108.61.245.154
http://108.62.141.227
http://109.201.140.54
http://109.201.142.17
http://134.195.14.192
http://135.181.37.144
http://138.197.141.150
http://139.60.161.58
http://140.82.16.134
http://142.132.185.13
http://146.0.77.21
http://146.70.41.133
http://146.70.44.168
http://146.70.78.22
http://149.248.18.56
http://149.28.145.240
http://149.28.201.253
http://165.227.204.91
http://172.105.16.113
http://172.106.86.12
http://173.255.208.126
http://176.123.6.150
http://176.123.8.226
http://178.20.41.173
http://179.43.178.96
http://185.118.167.155
http://185.119.57.126
http://185.125.230.131
http://185.158.155.175
http://185.159.82.73
http://185.186.245.37
http://185.191.32.191
http://185.193.91.234
http://185.197.74.227
http://185.198.56.2
http://185.209.30.180
http://185.209.30.232
http://185.215.113.101
http://185.215.113.32
http://185.222.202.66
http://185.233.2.50
http://185.235.244.244
http://185.254.121.121
http://185.33.84.190
http://185.61.138.59
http://185.70.184.5
http://185.70.186.170
http://188.209.52.188
http://188.212.22.165
http://190.2.145.98
http://193.109.69.17
http://193.29.56.71
http://194.5.250.151
http://194.61.24.117
http://194.93.56.214
http://195.123.241.38
http://195.133.40.103
http://195.2.73.44
http://199.19.225.233
http://199.247.25.132
http://206.189.120.27
http://207.32.216.202
http://212.114.52.149
http://213.159.213.225
http://213.227.155.220
http://217.182.46.152
http://217.8.117.18
http://217.8.117.42
http://217.8.117.65
http://23.106.223.52
http://23.152.0.38
http://23.249.163.103
http://23.82.141.176
http://31.184.218.251
http://35.246.186.86
http://37.1.204.96
http://37.1.220.248
http://37.49.229.138
http://45.134.26.93
http://45.138.172.144
http://45.141.87.60
http://45.145.67.170
http://45.153.186.243
http://45.156.26.59
http://45.56.102.245
http://45.77.65.71
http://45.77.65.72
http://45.86.162.14
http://46.166.161.93
http://46.166.176.247
http://5.132.191.104
http://5.132.191.105
http://5.183.95.197
http://5.188.60.95
http://5.206.224.199
http://5.255.97.23
http://5.34.178.172
http://5.39.221.47
http://5.79.124.201
http://62.113.255.16
http://62.113.255.29
http://62.210.54.235
http://65.21.93.53
http://66.42.91.161
http://69.61.107.218
http://74.125.112.7
http://74.125.46.143
http://74.125.74.6
http://78.141.210.78
http://78.47.64.46
http://79.141.160.156
http://80.233.248.109
http://80.66.88.139
http://80.66.88.165
http://84.38.129.162
http://85.25.207.68
http://89.39.105.111
http://89.43.107.126
http://91.142.77.52
http://91.212.150.113
http://91.212.150.133
http://91.213.50.135
http://91.217.137.44
http://91.218.114.16
http://91.234.254.128
http://91.243.44.5
http://92.163.33.248
http://92.53.90.70
http://92.53.90.84
http://92.63.197.143
http://93.114.128.189
http://93.187.129.252
http://94.103.95.115
http://95.181.152.152
http://95.216.118.223
http://95.217.132.79
31337r.hk
3q5d4sgdxdxkkzhl.onion
4renewdmn.biz
63bwf6zdrgsmagpt.onion
adobeupd.host
aitchchewcdn.online
amendingnoum.xyz
annaklein.fun
annaweber.fun
arhi-lab.com
artkalyan.shop
avluboy.xyz
backpscpnl.xyz
bc.fgget.top
bitdesk.online
bljxlgj4h4yuxkju.onion
bmwsocksmozg.top
brabulco.ac.ug
buffalostores.cc
bullioncdn.com
carnessanjuanmedina.com
cashnet-server.com
cleanerwors.com
coinsdoctor.bit
coinupdater.bit
cp.nod32clients.com
criminal-records.life
data.servicestatus.one
dealsbestcoupons.com
dktigsgquxihyrik.onion
dwuhpii.bit
e6rldxwjc4jeb72c.onion
efydniaemviuxkfo.onion
fahrrados.de
farfisada.ga
fastconnectionbit.xyz
fgget.top
fhaaaggs.ml
fmk7kux2dsxowkks.onion
fragrant.digital
generalnetworking.net
gosigoji.bit
h4yk5u554epyhhen.onion
hfbplsny55xcsgbn.onion
infodialsxbz.com
jjj.rop.dev
jjj2.rop.dev
jlayxnzzin5y335h.onion
joiasbella.com.br
kvarttet.com
mainscpnl.xyz
maka.bit
maniodaris.com
masonksmith.me
masonksmith.tech
master-socks.cc
microsoftmirror.ac.ug
mobinetworks.xyz
mokkotapia.com
moscow11.icu
mydomain47267.xyz
mydomain47294.xyz
ncordercreatetest.com
ns1.vic.au.dns.opennic.glue
ns2.vic.au.dns.opennic.glue
ordercouldhost.com
polidestar.com
predatorhidden.xyz
proredirector.com
prorequestops.com
protoukt.com
proxybro.top
proxybum.xyz
proxyshmoxy.xyz
proxysteu5m36rdt.onion
qtrader.club
r55q2zj8sb89b33k.bit
rarlabarchiver.ru
reserveupdate.com
s.avluboy.xyz
s1.freesocksvpn.xyz
s1.freevpnsocks.xyz
s2.avluboy.xyz
sdkfjjkfasdjfiu435dzz.cc
shellcon.pro
socks5.eu
socks5.in
socks5v7v2snlwr7.onion
socksbswfjhofnbu.onion
srv1619541516.hosttoname.com
ssl.virtualpoolnet.com
sweetcloud.link
system.proredirector.com
systemhomeupdate.com
t6xhk2j3iychxc2n.onion
tbueguicsrwo64i7.onion
tdsstats.mooo.com
tik-tak-super-puper.xyz
tik-tak.club
verguliosar.com
vpnstart.chickenkiller.com
whatimnot.sc.ug
whatshoetowear.com
xxxxxxtnuhffpbep.onion
zghiexdgwfzi44b5.onion

# Reference: https://www.virustotal.com/gui/file/32cf4eecc1668f434411b8d87db27f4c9d49e2f749e44b48159e2f2a2823cdc2/detection

77.246.156.240:4153
dl-link.club
dl-link.network

# Reference: https://www.virustotal.com/gui/ip-address/34.171.171.32/relations
# Reference: https://www.virustotal.com/gui/ip-address/51.91.209.190/relations

admstat45.xyz
advertpage50.club
advertpush20.club
advertspace10.club
advertstar450.club
advertstar55.club
americalatina.club
bjkuipe.xyz
dasdasd28asd.com
devstudiakomp.com
dexblog90.club
fanblog79.xyz
fanstat18.club
femstat8.xyz
jiklasmsj.site
logstat17.club
mdadvertx17.xyz
pkspacex19.xyz
sasdcs28sd.xyz
spacestat7.xyz
spexblog17.xyz

# Reference: https://www.bitsight.com/blog/cova-and-nosu-new-loader-spreads-new-stealer
# Reference: https://www.virustotal.com/gui/file/b369ed704c293b76452ee1bdd99a69bbb76b393a4a9d404e0b5df59a00cff074/detection

http://80.66.77.125
http://80.66.77.54
http://80.66.77.6
http://80.66.77.60
http://80.66.77.63
http://80.66.77.95
80.66.77.6:4001
80.66.77.60:4001
rafaeldutra.com

# Reference: https://twitter.com/Merlax_/status/1602757241580523520
# Reference: https://www.virustotal.com/gui/file/b17a48ba49a976f74de6ad6aaa02e89f5ddd32a0c29de705889bd7256d7d2bc7/detection
# Reference: https://www.virustotal.com/gui/file/b0976ba51a18f04b72f82746e6a640d486e9823dad8c4b4802c3a6e5f1e09bcc/detection

http://188.214.129.3
188.214.129.3:4223
188.214.129.3:443

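# Generic (host-independent URL path patterns; these match on the request path regardless of destination host)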

/systembc/exec.vbs
/systembc/password.php
/systembc/post.php
