# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: romcom
# CERT-UA: UAC-0132

# Reference: https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
# Reference: https://otx.alienvault.com/pulse/62f36c89909d6b719ba8d340

combinedresidency.org
optasko.com

# Reference: https://cert.gov.ua/article/2394117 (Ukrainian)
# Reference: https://www.virustotal.com/gui/file/c149474f97140c3381bda3ad2451f253e08e7ad4be76a68ac3a6f15bc4bd4e63/detection

185.56.137.104:4444
69.49.231.103:4444
69.49.245.55:4444
4qzm.com
advanced-ip-scaner.com
advanced-ip-scanners.com
aspx.io
notfiled.com
mill.co.ua
ua.aspx.io
mil.ua.aspx.io
gov.mil.ua.aspx.io

# Reference: https://twitter.com/Unit42_Intel/status/1588199843981402114
# Reference: https://twitter.com/malware_traffic/status/1588211727891570688

wveeam.com

# Reference: https://www.proofpoint.com/us/daily-ruleset-update-summary-20221104

keepas.org
you-supported.com

# Reference: https://twitter.com/TLP_R3D/status/1655687889391431680
# Reference: https://twitter.com/TLP_R3D/status/1655844785075224576
# Reference: https://twitter.com/TLP_R3D/status/1656270702700273666
# Reference: https://twitter.com/k3yp0d/status/1655840102638137347
# Reference: https://twitter.com/k3yp0d/status/1655841493934800896
# Reference: https://www.virustotal.com/gui/ip-address/104.234.10.207/relations
# Reference: https://www.virustotal.com/gui/file/c118895776e75eaa291d2a5f54f1de4f48756aec28cebaa1bf6fd9beb5d36301/detection
# Reference: https://www.virustotal.com/gui/file/1308146f161ed60c86532dd2d2de8de8b0401e27023fc56f83903f137fccacfd/detection
# Reference: https://www.virustotal.com/gui/file/a5dae9b7ff88276f699eece44eb4b183f1b1de6bef9e159c417ba621a949f744/detection

104.234.10.207:7931
15.235.203.250:444
2.57.90.16:7931
217.195.153.39:7931
46.246.98.15:7931
postnordpakker.com
rdp-devolutions.com
startleague.net
wexonlake.com
/itrdd/kcrs/file1.txt
/itrdd/kcrs/file2.txt
/itrdd/kcrs/

# Reference: https://twitter.com/Joseliyo_Jstnk/status/1675803590462685185
# Reference: https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
# Reference: https://cert.gov.ua/article/5077168 (UAC-0168)
# Reference: https://www.virustotal.com/gui/ip-address/213.139.204.173/relations
# Reference: https://www.virustotal.com/gui/file/3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97/detection
# Reference: https://www.virustotal.com/gui/file/a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f/detection
# Reference: https://www.virustotal.com/gui/file/ddf15e9ed54d18960c28fb9a058662e7a26867776af72900697400cb567c79be/detection

http://104.234.239.26
http://74.50.94.156
104.234.239.26:137
104.234.239.26:139
104.234.239.26:445
109.105.198.145:8080
65.21.27.250:8080
finformservice.com
ukrainianworldcongress.info
/mds/D--------------------------
/mds/O--------------------------
/mds/s--------------------------
