# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/ViriBack/status/1023286939858939906

http://5.8.88.25

# Reference: https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/

lulaaura.top

# Reference: https://samples.vx-underground.org/APTs/2010/2010.01.27/Paper/Operation%20Aurora%20Detect%20Diagnose%20Respond.pdf (Operation Aurora, 2010 — distinct from the Aurora ransomware / AuroraLoader / Aurora Stealer indicators elsewhere in this file)

33iqst.com
360.homeunix.com
blog1.serverbeer.com
demo1.ftpaccess.cc
ftp2.homeunix.com
s11.homelinux.org
update.ourhobby.com

# Reference: https://www.virustotal.com/gui/file/5e449a2664be9d024e78d660e9cad4099c64bb7d91fb40d08459dec274de02dc/detection

a0653691.xsph.ru
/AuroraLoader/check.txt
/AuroraLoader/CheckAccount.php?jopa=
/AuroraLoader/LoaderVersion.php?jopa=
/AuroraNEW/check.txt
/AuroraNEW/CheckAccount.php?jopa=
/AuroraNEW/LoaderVersion.php?jopa=

# Reference: https://twitter.com/crep1x/status/1592270231585816576
# Reference: https://www.virustotal.com/gui/file/0878bfc99e884abac4cba8339944045ccf16c99c942dc681729b152a3a9e6f25/detection

45.15.156.97:8081

# Reference: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/#h-aurora-c2
# Reference: https://otx.alienvault.com/pulse/637baa6081d4bafd9cb4afec

138.201.92.44:8081
146.19.24.118:8081
167.235.233.95:9865
185.173.36.94:8081
185.209.22.98:8081
193.233.48.15:9865
37.220.87.2:8081
45.137.65.190:8081
45.144.30.146:8081
45.15.156.115:8081
45.15.156.22:8081
45.15.156.33:8081
45.15.156.80:8081
45.15.157.137:8081
49.12.222.119:8081
49.12.97.28:8081
5.9.85.111:8081
65.108.253.85:8081
65.109.25.109:8081
78.153.144.31:8081
81.19.140.21:8081
82.115.223.218:8081
85.192.63.114:8081
89.208.104.160:8081
95.214.55.225:8081
cheatcloud.info
winsoft.cloud

# Reference: https://twitter.com/James_inthe_box/status/1594750999759310849
# Reference: https://twitter.com/ViriBack/status/1594758845297229824
# Reference: https://app.any.run/tasks/241b198d-622a-4d57-989c-84690b82d99b/

37.220.87.2:8081

# Reference: https://twitter.com/malwrhunterteam/status/1595119413384314880
# Reference: https://www.virustotal.com/gui/file/533d6c8a642edd24cd046a6749655e7463548adfa3585ef0a7efe63515090d8f/detection

212.86.108.41:7000
212.86.108.41:8081

# Reference: https://twitter.com/idclickthat/status/1595082222851481600
# Reference: https://tria.ge/221122-s1r7wscd21/behavioral6
# Reference: https://www.virustotal.com/gui/file/04b2edcc9d62923a37ef620f622528d70edab52ccd340981490046ad3aa255e5/detection

79.137.195.171:8081
mividajugosa.com

# Reference: https://twitter.com/ViriBack/status/1597746330830794752

http://45.137.65.190
http://45.15.156.24
http://45.15.156.33
http://45.15.157.137
http://49.12.222.119
http://65.108.225.214
http://82.115.223.218

# Reference: https://twitter.com/malwrhunterteam/status/1599001245804814339
# Reference: https://www.virustotal.com/gui/file/15a24027de069f52e9ad493901e91e110e5ca64630ac30a57ba07a827fca832a/detection

85.192.63.42:8081

# Reference: https://twitter.com/0xToxin/status/1600510379586719746
# Reference: https://tria.ge/221204-rtkc2agc97/behavioral2

185.17.0.138:8081

# Reference: https://www.virustotal.com/gui/file/d8e22530aa884e9e742a102f9acb53a2727b749dac4489c72b37782e2ec6383e/detection
# Reference: https://www.virustotal.com/gui/file/af1f5335d497726e81237f3049d3918c32f8ac999b9ca21cf3535a57162f0fc9/detection

62.204.41.3:8081

# Reference: https://www.virustotal.com/gui/file/02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef/detection

89.107.10.175:8081

# Reference: https://www.virustotal.com/gui/file/911ad4d55923322ce584ffe2478a37e9d39875611f09b1059592376f1d2f87bb/detection

37.139.129.125:8081

# Reference: https://twitter.com/0xrb/status/1607255904831037443
# Reference: https://threatfox.abuse.ch/browse/tag/Aurora%20Stealer/ (26 Dec 2022)

103.179.143.146:8081
116.203.236.141:8081
135.181.197.26:8081
152.89.247.30:8081
172.86.122.46:8081
176.124.216.38:8081
185.106.93.245:8081
185.106.93.246:8081
185.106.93.251:8081
191.101.130.41:8081
193.42.33.110:8081
193.42.33.176:8081
193.42.33.5:8081
194.113.106.228:8081
195.123.217.171:8081
195.43.142.218:8081
20.68.243.166:8081
213.239.213.187:8081
23.88.97.138:8081
3.238.130.38:8081
45.10.40.246:8081
45.138.74.160:8081
45.15.156.140:8081
45.15.156.26:8081
45.15.156.83:8081
45.15.157.142:8081
45.32.79.170:8081
49.12.245.165:8081
5.75.160.178:8081
65.109.12.241:8081
77.73.131.156:8081
77.73.134.10:8081
77.73.134.27:8081
77.73.134.57:8081
77.73.134.7:8081
78.47.192.53:8081
79.137.206.138:8081
82.115.223.138:8081
82.115.223.249:8081
85.192.63.158:8081
87.251.77.59:8081
89.23.100.223:8081
95.179.187.111:8081

# Reference: https://threatfox.abuse.ch/browse/malware/win.aurora_stealer/ (29 Dec 2022)

http://103.179.143.146
http://116.203.236.141
http://135.181.197.26
http://152.89.247.30
http://172.86.122.46
http://176.124.216.38
http://185.106.93.245
http://185.106.93.246
http://191.101.130.41
http://193.42.33.110
http://193.42.33.176
http://193.42.33.5
http://194.113.106.228
http://195.123.217.171
http://195.43.142.218
http://213.239.213.187
http://23.88.97.138
http://45.10.40.246
http://45.138.74.160
http://45.15.156.135
http://45.15.156.140
http://45.15.156.184
http://45.15.156.22
http://45.15.156.67
http://45.15.156.70
http://45.15.157.142
http://45.32.79.170
http://49.12.245.165
http://5.75.160.178
http://65.109.12.241
http://77.73.131.156
http://77.73.134.57
http://77.73.134.7
http://78.47.222.65
http://79.137.206.138
http://82.115.223.138
http://82.115.223.249
http://89.107.10.180
http://89.23.100.223
http://95.179.187.111
129.146.9.178:8081
147.124.212.238:8081
167.235.141.208:8081
185.246.220.16:8081
194.87.31.137:777
2.232.150.231:8081
217.195.155.154:8081
37.220.87.13:8081
45.15.156.130:8081
45.15.156.135:8081
45.15.156.184:8081
45.15.156.59:8081
45.15.156.67:8081
45.15.156.70:8081
45.86.86.197:8081
49.12.190.58:8081
5.199.169.19:8081
65.108.225.214:8081
77.73.133.57:8081
77.73.134.55:9865
78.47.222.65:8081
89.107.10.180:8081
allsoftware.store
kvitochka.store

# Reference: https://twitter.com/1ZRR4H/status/1615029840520032256
# Reference: https://www.virustotal.com/gui/file/3d242f0d9a6e40018c226e162c1b70c3cfdeb25b20d42d8f05e107070040f5b2/detection

195.123.218.52:8081
ahydk.click

# Reference: https://isc.sans.edu/diary/rss/29448
# Reference: https://otx.alienvault.com/pulse/63c8222df2bcbec18baaf78f

79.137.133.225:8081
notopod-plos-plus.com
obsqroject.com

# Reference: https://twitter.com/DonPasci/status/1616461046360805382
# Reference: https://www.virustotal.com/gui/ip-address/104.21.74.62/relations
# Reference: https://tria.ge/230120-sy37daaf9t/behavioral1

45.15.156.210:8081
battlenet-install.top
driver-updates.site
kodfem.hemsida.eu

# Reference: https://tria.ge/230122-ffpj2sha8z

45.15.156.242:8081

# Reference: https://tria.ge/230121-yzzhgadg24/behavioral1

2.232.150.231:8081
servicestarting.hopto.org

# Reference: https://tria.ge/230121-vddgbsdb36/behavioral2

95.217.235.8:8081

# Reference: https://tria.ge/230118-llkqyaaf9t/static1

85.209.135.29:8081

# Reference: https://twitter.com/Artilllerie/status/1618980737679765504

notepad-setup.top

# Reference: https://twitter.com/Artilllerie/status/1620018615725735936
# Reference: https://twitter.com/Artilllerie/status/1620094871515316224
# Reference: https://twitter.com/JAMESWT_MHT/status/1620062867860111361
# Reference: https://twitter.com/DonPasci/status/1620059736837361666
# Reference: https://tria.ge/230130-q5gkvaaf39

notepad-editor.space
notepad-install.top
rocketpool-net.website
goverment.duckdns.org

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Aurora_Stealer/Aurora_C2s_09_02_2023.txt

http://167.235.60.69
http://176.124.214.54
http://185.106.93.132
http://185.106.93.199
http://185.106.93.203
http://193.188.23.177
http://45.15.156.153
http://45.15.156.172
http://45.15.156.175
http://45.15.156.187
http://45.15.156.206
http://45.15.156.210
http://45.15.156.219
http://45.15.156.220
http://45.15.156.234
http://45.15.156.246
http://45.15.156.250
http://45.9.74.11
http://79.137.133.225
http://89.22.227.50
http://94.142.138.14
http://94.142.138.15
http://94.142.138.18
http://94.142.138.22
http://94.142.138.23
http://94.142.138.28
http://94.142.138.30
http://94.142.138.32
http://94.142.138.34
http://94.142.138.36
http://94.142.138.38
http://94.142.138.6

# Reference: https://twitter.com/TrackerC2Bot/status/1612428317814128640

82.115.223.77:8081

# Reference: https://twitter.com/ULTRAFRAUD/status/1625557844371144707

download-nwidia.website

# Reference: https://twitter.com/abuse_ch/status/1625755033085087744
# Reference: https://www.virustotal.com/gui/ip-address/104.21.2.12/relations

driver-nvidia.site
nvidia.services
nvidia1.top

# Reference: https://twitter.com/AnFam17/status/1625990921488674816
# Reference: https://www.virustotal.com/gui/ip-address/45.9.74.21/relations
# Reference: https://www.virustotal.com/gui/file/aa349ad45bb48e85b5cd1b55308ae835353859219f28ece9685c8ae552e8e63a/detection

185.106.93.135:8081
app-python.com
pyithon.com
python-acc.com
python-app-software.com
python-application.com

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Aurora_Stealer/Aurora_Panel_scan_16-02-2023_01-01-07.txt

http://159.69.108.164
http://45.15.157.130
http://94.142.138.29
http://94.142.138.60

# Reference: https://twitter.com/spicy_bear_/status/1628473821878534144

http://85.192.63.49
http://9.152.217.95

# Reference: https://twitter.com/0xrb/status/1628611690274385922

http://107.182.129.73
http://109.172.45.197
http://135.181.107.76
http://147.124.212.238
http://157.245.55.151
http://157.90.232.2
http://157.90.241.140
http://159.69.80.167
http://162.55.126.111
http://163.172.13.53
http://167.235.134.202
http://167.235.147.73
http://167.235.18.89
http://176.124.201.212
http://176.124.210.153
http://185.106.93.135
http://185.17.0.138
http://185.181.10.117
http://185.197.160.20
http://185.219.220.239
http://185.219.80.224
http://185.239.239.194
http://185.62.56.10
http://193.233.20.134
http://193.29.62.24
http://193.42.33.157
http://194.104.136.143
http://199.247.24.79
http://2.232.150.231
http://212.192.31.29
http://37.220.87.13
http://45.128.234.60
http://45.144.30.146
http://45.15.156.147
http://45.15.156.221
http://45.15.156.224
http://45.15.156.249
http://45.15.156.59
http://45.15.156.86
http://45.151.144.19
http://45.61.139.86
http://45.84.1.87
http://46.105.147.137
http://5.75.144.249
http://5.75.175.231
http://77.83.173.136
http://77.91.77.67
http://80.92.204.59
http://82.115.223.135
http://82.115.223.190
http://82.115.223.51
http://82.115.223.64
http://85.192.63.77
http://85.209.135.29
http://87.251.77.59
http://89.23.97.58
http://94.130.27.94
http://94.142.138.100
http://94.142.138.50
http://94.142.138.64
http://94.142.138.73
http://94.142.138.88
http://94.142.138.94
http://95.215.108.15
http://95.217.152.9
http://95.217.193.56
http://95.217.235.8
107.182.129.73:8081
109.172.45.197:8081
135.181.107.76:8081
145.239.202.13:8081
157.90.232.2:8081
157.90.241.140:8081
159.69.80.167:8081
163.172.13.53:8081
167.235.134.202:8081
167.235.147.73:8081
167.235.18.89:8081
167.235.60.69:8081
176.124.201.212:8081
176.124.210.153:8081
176.124.214.54:8081
185.106.93.132:8081
185.106.93.193:8081
185.106.93.199:8081
185.106.93.203:8081
185.106.93.247:8081
185.181.10.117:8081
185.219.220.239:8081
185.219.80.224:8081
185.62.56.10:8081
193.188.23.177:8081
193.233.20.134:8081
193.29.62.24:8081
195.123.217.108:8081
199.247.24.79:8081
212.113.106.47:8081
212.162.152.199:8081
212.192.31.29:8081
213.166.71.21:8081
45.128.234.60:8081
45.132.106.77:8081
45.144.31.252:8081
45.15.156.147:8081
45.15.156.151:8081
45.15.156.153:8081
45.15.156.172:8081
45.15.156.175:8081
45.15.156.182:8081
45.15.156.187:8081
45.15.156.206:8081
45.15.156.209:8081
45.15.156.219:8081
45.15.156.220:8081
45.15.156.221:8081
45.15.156.224:8081
45.15.156.234:8081
45.15.156.246:8081
45.15.156.249:8081
45.15.156.250:8081
45.15.156.54:8081
45.15.156.7:8081
45.15.156.86:8081
45.15.157.130:8081
45.151.144.19:8081
45.61.139.86:8081
45.84.1.87:8081
45.9.74.11:8081
45.9.74.87:8081
46.105.147.137:8081
49.12.203.54:8081
5.34.180.208:8081
5.75.144.249:8081
5.75.175.231:8081
65.109.216.5:8081
77.83.173.136:8081
77.91.124.12:8081
77.91.68.46:8081
77.91.77.67:8081
79.20.32.223:8081
82.115.223.135:8081
82.115.223.51:8081
82.115.223.64:8081
85.192.63.77:8081
87.251.77.225:8081
89.22.227.50:8081
89.22.237.237:8081
89.23.97.58:8081
94.130.27.94:8081
94.142.138.100:8081
94.142.138.14:8081
94.142.138.18:8081
94.142.138.22:8081
94.142.138.23:8081
94.142.138.29:8081
94.142.138.32:8081
94.142.138.34:8081
94.142.138.36:8081
94.142.138.38:8081
94.142.138.4:8081
94.142.138.50:8081
94.142.138.60:8081
94.142.138.64:8081
94.142.138.6:8081
94.142.138.73:8081
94.142.138.88:8081
94.142.138.94:8081
95.215.108.15:8081
95.217.152.9:8081
95.217.193.56:8081
java-download1.space
java-download2.space
java-download3.space
miracleapps.store
notepad-download.online
notepad-plus-plus-setup.top
nvidia-geforce1.space
nvidia-geforce2.space
nvidia-geforce3.space
nvidia.agency
nvidia.best
nvidio-geforce.info
nvidio-geforce.site
nvidio-geforce.us
nvidio-geforce.website
nvidio-qeforce.info
nvidio-qeforce.site
nvidio-qeforce.us
nvidio-qeforce.website
nvldio-geforce.info
nvldio-geforce.site
nvldio-geforce.us
nvldio-geforce.website
python-official.xyz
software-planet.ru
