# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/ViriBack/status/1023286939858939906

http://5.8.88.25

# Reference: https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/

lulaaura.top

# Reference: https://samples.vx-underground.org/APTs/2010/2010.01.27/Paper/Operation%20Aurora%20Detect%20Diagnose%20Respond.pdf

33iqst.com
360.homeunix.com
blog1.serverbeer.com
demo1.ftpaccess.cc
ftp2.homeunix.com
s11.homelinux.org
update.ourhobby.com

# Reference: https://www.virustotal.com/gui/file/5e449a2664be9d024e78d660e9cad4099c64bb7d91fb40d08459dec274de02dc/detection

a0653691.xsph.ru
/AuroraLoader/check.txt
/AuroraLoader/CheckAccount.php?jopa=
/AuroraLoader/LoaderVersion.php?jopa=
/AuroraNEW/check.txt
/AuroraNEW/CheckAccount.php?jopa=
/AuroraNEW/LoaderVersion.php?jopa=

# Reference: https://twitter.com/crep1x/status/1592270231585816576
# Reference: https://www.virustotal.com/gui/file/0878bfc99e884abac4cba8339944045ccf16c99c942dc681729b152a3a9e6f25/detection

45.15.156.97:8081

# Reference: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/#h-aurora-c2
# Reference: https://otx.alienvault.com/pulse/637baa6081d4bafd9cb4afec

138.201.92.44:8081
146.19.24.118:8081
167.235.233.95:9865
185.173.36.94:8081
185.209.22.98:8081
193.233.48.15:9865
37.220.87.2:8081
45.137.65.190:8081
45.144.30.146:8081
45.15.156.115:8081
45.15.156.22:8081
45.15.156.33:8081
45.15.156.80:8081
45.15.157.137:8081
49.12.222.119:8081
49.12.97.28:8081
5.9.85.111:8081
65.108.253.85:8081
65.109.25.109:8081
78.153.144.31:8081
81.19.140.21:8081
82.115.223.218:8081
85.192.63.114:8081
89.208.104.160:8081
95.214.55.225:8081
cheatcloud.info
winsoft.cloud

# Reference: https://twitter.com/James_inthe_box/status/1594750999759310849
# Reference: https://twitter.com/ViriBack/status/1594758845297229824
# Reference: https://app.any.run/tasks/241b198d-622a-4d57-989c-84690b82d99b/

37.220.87.2:8081

# Reference: https://twitter.com/malwrhunterteam/status/1595119413384314880
# Reference: https://www.virustotal.com/gui/file/533d6c8a642edd24cd046a6749655e7463548adfa3585ef0a7efe63515090d8f/detection

212.86.108.41:7000
212.86.108.41:8081

# Reference: https://twitter.com/idclickthat/status/1595082222851481600
# Reference: https://tria.ge/221122-s1r7wscd21/behavioral6
# Reference: https://www.virustotal.com/gui/file/04b2edcc9d62923a37ef620f622528d70edab52ccd340981490046ad3aa255e5/detection

79.137.195.171:8081
mividajugosa.com

# Reference: https://twitter.com/ViriBack/status/1597746330830794752

http://45.137.65.190
http://45.15.156.24
http://45.15.156.33
http://45.15.157.137
http://49.12.222.119
http://65.108.225.214
http://82.115.223.218

# Reference: https://twitter.com/malwrhunterteam/status/1599001245804814339
# Reference: https://www.virustotal.com/gui/file/15a24027de069f52e9ad493901e91e110e5ca64630ac30a57ba07a827fca832a/detection

85.192.63.42:8081

# Reference: https://twitter.com/0xToxin/status/1600510379586719746
# Reference: https://tria.ge/221204-rtkc2agc97/behavioral2

185.17.0.138:8081

# Reference: https://www.virustotal.com/gui/file/d8e22530aa884e9e742a102f9acb53a2727b749dac4489c72b37782e2ec6383e/detection
# Reference: https://www.virustotal.com/gui/file/af1f5335d497726e81237f3049d3918c32f8ac999b9ca21cf3535a57162f0fc9/detection

62.204.41.3:8081

# Reference: https://www.virustotal.com/gui/file/02074294a16b02d4deb61f85f16c2ef3847f47cf5c53c5c15c011a854486f1ef/detection

89.107.10.175:8081

# Reference: https://www.virustotal.com/gui/file/911ad4d55923322ce584ffe2478a37e9d39875611f09b1059592376f1d2f87bb/detection

37.139.129.125:8081

# Reference: https://twitter.com/0xrb/status/1607255904831037443
# Reference: https://threatfox.abuse.ch/browse/tag/Aurora%20Stealer/ (26 Dec 2022)

103.179.143.146:8081
116.203.236.141:8081
135.181.197.26:8081
152.89.247.30:8081
172.86.122.46:8081
176.124.216.38:8081
185.106.93.245:8081
185.106.93.246:8081
185.106.93.251:8081
191.101.130.41:8081
193.42.33.110:8081
193.42.33.176:8081
193.42.33.5:8081
194.113.106.228:8081
195.123.217.171:8081
195.43.142.218:8081
20.68.243.166:8081
213.239.213.187:8081
23.88.97.138:8081
3.238.130.38:8081
45.10.40.246:8081
45.138.74.160:8081
45.15.156.140:8081
45.15.156.26:8081
45.15.156.83:8081
45.15.157.142:8081
45.32.79.170:8081
49.12.245.165:8081
5.75.160.178:8081
65.109.12.241:8081
77.73.131.156:8081
77.73.134.10:8081
77.73.134.27:8081
77.73.134.57:8081
77.73.134.7:8081
78.47.192.53:8081
79.137.206.138:8081
82.115.223.138:8081
82.115.223.249:8081
85.192.63.158:8081
87.251.77.59:8081
89.23.100.223:8081
95.179.187.111:8081

# Reference: https://threatfox.abuse.ch/browse/malware/win.aurora_stealer/ (29 Dec 2022)

http://103.179.143.146
http://116.203.236.141
http://135.181.197.26
http://152.89.247.30
http://172.86.122.46
http://176.124.216.38
http://185.106.93.245
http://185.106.93.246
http://191.101.130.41
http://193.42.33.110
http://193.42.33.176
http://193.42.33.5
http://194.113.106.228
http://195.123.217.171
http://195.43.142.218
http://213.239.213.187
http://23.88.97.138
http://45.10.40.246
http://45.138.74.160
http://45.15.156.135
http://45.15.156.140
http://45.15.156.184
http://45.15.156.22
http://45.15.156.67
http://45.15.156.70
http://45.15.157.142
http://45.32.79.170
http://49.12.245.165
http://5.75.160.178
http://65.109.12.241
http://77.73.131.156
http://77.73.134.57
http://77.73.134.7
http://78.47.222.65
http://79.137.206.138
http://82.115.223.138
http://82.115.223.249
http://89.107.10.180
http://89.23.100.223
http://95.179.187.111
129.146.9.178:8081
147.124.212.238:8081
167.235.141.208:8081
185.246.220.16:8081
194.87.31.137:777
2.232.150.231:8081
217.195.155.154:8081
37.220.87.13:8081
45.15.156.130:8081
45.15.156.135:8081
45.15.156.184:8081
45.15.156.59:8081
45.15.156.67:8081
45.15.156.70:8081
45.86.86.197:8081
49.12.190.58:8081
5.199.169.19:8081
65.108.225.214:8081
77.73.133.57:8081
77.73.134.55:9865
78.47.222.65:8081
89.107.10.180:8081
allsoftware.store
kvitochka.store
