# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: 404 keylogger, snake keylogger
#
# NOTE: most entries below look like exfiltration drop points rather than
# classic C2: the IP:port pairs on 21/587 and the ftp./mail./mx1. hostnames
# point to FTP and SMTP endpoints, and several hostnames (turhost.com,
# timeweb.ru, hyperhost.ua, digitaloceanspaces.com) are shared hosting or mail
# servers that also serve legitimate customers. Treat a hit on those as a lead
# to triage (which process connected, what credentials/mailbox were used), not
# as grounds to block the whole host.

# Reference: https://habr.com/ru/company/group-ib/blog/477198/ (Russian)

404projects.xyz

# Reference: https://app.any.run/tasks/c87283f6-7087-4ab5-91ac-f8fdfa25ce9e/

srvc13.turhost.com

# Reference: https://app.any.run/tasks/94023cca-f07c-4a5f-8a72-2cc9fc4eb1be/

blackhillls.ddns.net

# Reference: https://twitter.com/wwp96/status/1328308638470066177
# Reference: https://app.any.run/tasks/c16aff7d-63be-4654-bc27-ae78b489fcee/

167.88.170.103:21
167.88.170.103:35060

# Reference: https://twitter.com/wwp96/status/1331116035680980992
# Reference: https://app.any.run/tasks/e3dd7875-4ef2-4f7f-ac5b-8616f3c132c4/

ckfashion.shop

# Reference: https://app.any.run/tasks/13b60c7f-f80e-4a7a-8f21-afd287113465/
# Reference: https://app.any.run/tasks/4b675b8e-4a84-4d75-a4a1-4dc6868bdc5a/

92.53.96.254:35705
bitrix370.timeweb.ru

# Reference: https://app.any.run/tasks/40ed1720-a991-4a6a-9e76-25907a359531/

188.225.21.131:35076
vh340.timeweb.ru

# Reference: https://app.any.run/tasks/824f076f-c5e6-473a-84b6-d114a4837863/

176.57.209.21:59257
premium34.timeweb.ru

# Reference: https://twitter.com/reecdeep/status/1364226980120465412

itrader-germany.de

# Reference: https://twitter.com/reecdeep/status/1371750624140857345

endovision.xyz

# Reference: https://twitter.com/Racco42/status/1372290134931083266
# Reference: https://app.any.run/tasks/bb98a4a5-192e-42c3-9fbc-7625dfffd4ff/

imginternational.xyz

# Reference: https://twitter.com/whitehoodie4/status/1374289414935961600

vespang.tk

# Reference: https://twitter.com/ps66uk/status/1381918013214064646
# Reference: https://tria.ge/210413-s27a2natdx

govidanatur.xyz

# Reference: https://twitter.com/ps66uk/status/1382274063658258440
# Reference: https://www.virustotal.com/gui/file/92a4c8920eda2528675ed61d4e72b4e2e6f51f6c47aab88581bab36d656a224a/detection

nobetone.xyz

# Reference: https://twitter.com/BushidoToken/status/1387495666184822785

nobettwo.xyz

# Reference: https://gist.github.com/silence-is-best/852a1c7c7dcf29fdc8d5df73433e7676
# Reference: https://www.virustotal.com/gui/file/a2c1e79d6f5f36ab9af9d623c37dedf201cb3552bade7cfc1f00bcaeaed98d5e/detection

lokalboyz.com

# Reference: https://www.virustotal.com/gui/domain/maisoui.us/relations
# Reference: https://www.virustotal.com/gui/file/64a17ddefb0368f4512f3d89fabbb0e220f80d2febd28b21fc4262779ceea635/detection

maisoui.us

# Reference: https://www.virustotal.com/gui/domain/1bayer.com/relations
# Reference: https://www.virustotal.com/gui/file/dd7d3cad1f509caedc2ea7a255a74cdc75498eeca31b67a5fa581ca67ba8b761/detection

1bayer.com

# Reference: https://twitter.com/reecdeep/status/1406925281928134661

iykmoreentrprise.org

# Reference: https://gist.github.com/silence-is-best/ac1440dcf7aec90a53905ae86559e621
# Reference: https://www.virustotal.com/gui/file/dc5458e66a8c76f55a5f490f5c9d12ea6e92a67c6ed74dbe40ca066a149d1659/detection

cressi.xyz

# Reference: https://app.any.run/tasks/2be51146-6800-4820-a38a-8321bb6b6c5e/

hisensetech.xyz

# Reference: https://gist.github.com/silence-is-best/e2af8aa61000e4b740934331291c619b
# Reference: https://www.virustotal.com/gui/file/193ac87ce3fbdcbc7def7776cac94b2548c0eabcfa179f701b96f65d9cfe7631/detection

efinancet.shop

# Reference: https://www.virustotal.com/gui/file/413c67ee147430c3d1a39e18601b33b90e3c434db8850949c08e8b1a4fa4f399/detection

krsmakina.com

# Reference: https://www.virustotal.com/gui/file/23cfe2786b8343a225d7d8ca6906c364ab19d6f594c92dfea39c8f2eb26a635f/detection

guanyjfoods.com
mail.guanyjfoods.com

# Reference: https://www.virustotal.com/gui/file/f861b22de2dce92e689b895e8b862fe51bfab56cf466db8d1ea7513682cd3c36/behavior/VirusTotal%20ZenBox

trietlongvinhvien.info

# Reference: https://twitter.com/James_inthe_box/status/1486356525798998019
# Reference: https://www.virustotal.com/gui/file/db977a845e1b88d303bf7633ba8153a579e7be33904b0a46fc2cf61ac820801b/detection

http://18.159.59.253
rfebatics.xyz

# Reference: https://www.virustotal.com/gui/file/f77eb03582184792bb5bb2e7ca6f80de3e31e0ffb4e4084b28999858f1f489b0/detection

http://3.112.243.28
febbdin.xyz

# Reference: https://www.virustotal.com/gui/file/f4b4716fd756e090bc988dc4ca0ad23bdf22a238c3d1b4a329582fb936e8ee92/detection

febquip.shop

# Reference: https://www.virustotal.com/gui/file/c2672e6fd55b129125a19c7837943c0844c03ec02dcf165af183f9e4df4dccbc/detection

bajoost.xyz

# Reference: https://www.virustotal.com/gui/file/b9a46bd95fc23d278e97b151eecdfb95a0bc7649374a1c30fe6b95b384c7d196/detection

ackuc.icu

# Reference: https://twitter.com/peterkruse/status/1498602381403209730

yikun.cf

# Reference: https://twitter.com/James_inthe_box/status/1507047796121096193
# Reference: https://app.any.run/tasks/66fcd49d-0527-4f23-a1c1-c72d9ce0ac85/

facts-jo.com

# Reference: https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware
# Reference: https://otx.alienvault.com/pulse/6185218842a91bb63bda21dc
# Reference: https://www.virustotal.com/gui/file/0910e1c2d33a73a0e5a7b5e87eaaae42b839de9bb6ab3f42a52cf3c438e1a56f/detection

http://3.64.251.139
restd.xyz

# Reference: https://www.virustotal.com/gui/file/6aaa23c5aa6f2fb2e99f5ec667194e22c4a9922df0106473d96b1d12fa7a93c5/detection

http://163.123.142.134

# Reference: https://twitter.com/0xToxin/status/1544369084405583873

dragonfruitting.com

# Reference: https://github.com/0xToxin/Malware-IOCs/blob/main/Snake%20Keylogger/Snake%20Keylogger%20-%2013072022
# Reference: https://www.virustotal.com/gui/file/b629c1f60a745592eee61cad2f7c0acd9fb4e594a67d6c7af2dbc5faeb87abbf/detection

185.244.36.213:21
185.244.36.213:587
resultboxx.xyz
ftp.resultboxx.xyz
mail.resultboxx.xyz

# Reference: https://twitter.com/pollo290987/status/1565225398857879559
# Reference: https://www.virustotal.com/gui/file/29824b969da3b9237bf59813a07dea7c3294e2506be355a26e19932a9d8f82d3/detection

injectmmmmme.fra1.digitaloceanspaces.com

# Reference: https://twitter.com/kienbigmummy/status/1578388073422807040

http://185.216.71.120
/Nwdhlnuy.bmp

# Reference: https://twitter.com/reecdeep/status/1583409946791620608

grupoasei.com
ftp.grupoasei.com
mail.grupoasei.com
mx1.grupoasei.com

# Reference: https://gist.github.com/silence-is-best/213f7b2112a46acd56ceb78bf79286a8
# Reference: https://www.virustotal.com/gui/file/010287dcbcc3d730f170eb5b0cc06fe5b1c612e15c0228460e534b26a3f4c8dd/detection

http://208.67.105.148
cp5ua.hyperhost.ua
