# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.virustotal.com/gui/file/06e3abeed1bc98ed56d5587e9732c9d39ea41879c250dff68ce8815953fcf7ad/detection

196.217.98.188:8080
liouas.ddns.net

# Reference: https://www.virustotal.com/gui/file/ed91f9fee04d08dc613e56eedf98b8c56a6e1e6be8ff3f29360550a2ef98c886/detection

91.193.75.132:2343
2343.hopto.org

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-01-10%20XWorm%20IOCs
# Reference: https://www.virustotal.com/gui/file/a86d61c62ad71f43dc2ad27a876ddccffab8d038d1f8b70248f4d4586c64d1ea/detection

su1d.nerdpol.ovh

# Reference: https://twitter.com/c_APT_ure/status/1621579054888501249

147.185.221.223:30420

# Reference: https://www.virustotal.com/gui/file/e6bf87ec571628e096e6505ee87f617f594ed7664782bf4f82810be28028147b/detection
# Reference: https://www.virustotal.com/gui/file/e58026e101ae93162cbf114997a2a2c78a80adfb6e6469823dd0d90572cef140/detection

154.12.234.207:7000
207.244.236.205:7000
mywormtwon.ddns.net
wormxwar.ddns.net

# Reference: https://twitter.com/InQuest/status/1626758679843205120
# Reference: https://twitter.com/Gi7w0rm/status/1626763227643224064
# Reference: https://tria.ge/230218-b9ngmaad96/behavioral2

45.139.105.105:7000
stanthely2023.duckdns.org

# Reference: https://www.virustotal.com/gui/file/2b786b8895d814c5d825f4eac99b009eb6aa16f66f6e5191b023e4ebc99fda66/detection
# Reference: https://www.joesandbox.com/analysis/811606?idtype=analysisid#iocs

209.145.51.44:7000

# Reference: https://twitter.com/suyog41/status/1631191121660444674
# Reference: https://www.virustotal.com/gui/file/098c9ebce4811fd2bb86654911581f21eb473f7afd5d27f7c09db57d5bfc1b62/detection
# Reference: https://www.virustotal.com/gui/file/aca8bf1de89203e445270f3cc76b3eaf9190b57fa35ef0d4425528ee639366cb/detection

209.25.140.180:38979
209.25.141.180:38979
according-psp.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/a7c707d2409f0190693aa7a7223c2576262b5bcd9da42ff5c3b375826c32b222/detection

91.193.75.191:55443
vcmkpl.duckdns.org

# Reference: https://twitter.com/petrovic082/status/1638652084492070912
# Reference: https://app.any.run/tasks/500f883b-fe97-44e1-a87f-67101bd0c30c/

95.214.24.38:5000
updateccdata.duckdns.org
urlcallinghta6.blogspot.com

# Reference: https://twitter.com/ScumBots/status/1639388448967766016
# Reference: https://www.virustotal.com/gui/file/01407e324f0b8090467eded47a97acbdb3ef42d0f12820cd57b0bc5b87ffe510/detection

181.141.1.67:3737
wormsito.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3964d69f2a321257a8a745aa9583eaed3cb53c070f79eba3945f6506dda0a2cb/detection

31.220.76.124:2137

# Reference: https://twitter.com/phage_nz/status/1653173706951397376
# Reference: https://www.virustotal.com/gui/file/5814ab23cf46820a0f911fac078dbe77a521ee36722ae2ac313c54c04e0c5601/detection

141.98.6.220:7001

# Reference: https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/
# Reference: https://otx.alienvault.com/pulse/64624bf528c55e0976f2bf71

kbowlingslaw.com

# Reference: https://twitter.com/suyog41/status/1671102046324269059
# Reference: https://www.virustotal.com/gui/file/22af50c2e5d1f1efcf96e317c22af9bbf6f31705c7575454e6314eaf7d131929/detection
# Reference: https://www.virustotal.com/gui/file/6671bd81d7714bbfd2189dd1642ae4c3789c02e06c5afaad1e26c3632974b124/detection

167.94.81.75:63434

# Reference: https://www.virustotal.com/gui/file/128a56ddbecc3d569646730bdccce1c045479122061f4d0feb8ec24670374eb2/detection

213.152.161.240:58538
notaire8081.duckdns.org

# Reference: https://twitter.com/suyog41/status/1678763978925932544
# Reference: https://www.virustotal.com/gui/file/331549b24c0e2eefd56c4dc74806aeaeab706fee5ddb019763330c811b6fb9e0/detection

194.59.31.105:7398
85.208.139.131:222

# Reference: https://threatfox.abuse.ch/ioc/1139291/

173.249.196.39:7092

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/

149.102.231.91:5000
20.125.118.35:7000
3.69.115.178:14042
zoer12.dns.army

# Reference: https://twitter.com/JAMESWT_MHT/status/1683405358272839680

stores-anytime.at.ply.gg

# Reference: https://twitter.com/g0njxa/status/1685615126412414976

51.107.0.117:4954

# Reference: https://twitter.com/ScumBots/status/1685849690221199360
# Reference: https://www.virustotal.com/gui/file/72ab332da034bd819d83d26272974048b24de773a3440d641202872161b3e514/detection
# Reference: https://www.virustotal.com/gui/file/a4ea9aac544248e1346d88e3c93fbc6973419ff7ce5266c7cb00be39518f1f11/detection

173.0.60.172:7000
dapperdesigns.for-better.biz

# Reference: https://www.virustotal.com/gui/file/52634ade55558807042eae35e2777894e405e811102e980a2e2b25d151fde121/detection

167.235.75.225:8895
momentmoney79.duckdns.org
