# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/MichalKoczwara/status/1641113392843718660
# Reference: https://twitter.com/MichalKoczwara/status/1641117793612447747

129.151.170.99:443
139.162.52.150:443
139.59.227.34:443
142.93.154.140:443
143.198.62.146:443
143.42.110.206:443
144.126.202.135:443
158.101.169.125:443
165.154.231.221:443
165.232.123.47:443
167.114.115.246:443
170.187.232.126:443
173.254.204.109:443
18.140.234.35:443
18.204.35.247:443
185.163.204.32:443
185.163.45.65:443
185.216.71.178:4443
188.166.170.1:443
192.46.211.76:443
194.87.218.16:443
2.58.14.26:443
20.12.180.13:443
20.67.246.154:443
203.150.243.176:443
204.48.29.223:443
206.189.22.24:443
209.151.155.42:443
212.87.204.177:443
23.105.212.89:443
23.95.44.80:8443
27.124.44.241:8443
3.72.110.16:443
3.8.184.124:443
31.220.89.214:443
34.229.221.1:443
34.243.164.16:443
35.198.216.30:443
42.193.116.134:443
43.133.22.48:443
43.142.149.130:443
44.192.60.164:443
44.202.199.164:443
45.125.67.244:443
45.135.135.107:443
45.144.30.143:443
45.144.31.129:443
45.77.74.229:443
46.101.79.16:443
47.109.41.48:443
64.176.39.146:443
64.227.8.84:443
65.20.75.178:443
77.91.73.143:443
8.210.103.41:443
8.210.104.188:443
80.158.37.73:6443
81.70.249.195:443
82.223.64.37:443
82.66.183.37:443
89.58.33.82:443
94.102.49.165:443
99.238.119.93:443

# Reference: https://twitter.com/Gi7w0rm/status/1625645124247076870
# Reference: https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace
# Reference: https://www.virustotal.com/gui/file/dba614a3b64db6ab346bf37683a9d13b5013fb4b7def2acdd8a697d26b62e48d/detection
# Reference: https://www.virustotal.com/gui/file/f577e247a29f74cf5517d47cc4821dc4d087cb96d5456ebb2f6f858dbe828ccd/detection
# Reference: https://www.virustotal.com/gui/file/ccb6d9742cf9329f2cb8030a25be663d098878ece7ffcfaa483b50856ad3c08e/detection
# Reference: https://www.virustotal.com/gui/file/c9a395ec3fb69e124c672823333ec165fce21a5773618153bc251cc8b2503dc4/detection
# Reference: https://www.virustotal.com/gui/file/b19f1eb30638f1f4695fe0741a1ccdb8ce0aa78b6ea343b4799a64ca1f1b1971/detection
# Reference: https://www.virustotal.com/gui/file/aea22bdf30f2b5ece1f867d4193ddbf48a5e8ebf812d9b7586db4aa54f1abf5d/detection

http://146.190.48.229
146.190.48.229:2323
146.190.48.229:3939
146.190.48.229:6963
146.190.48.229:7777
146.190.48.229:9797

# Reference: https://twitter.com/MichalKoczwara/status/1642218400691699851

194.36.190.103:443

# Reference: https://twitter.com/sicehice/status/1647624379830812673
# Reference: https://www.virustotal.com/gui/file/c0c13de44f445a1e38d1b2ebc5e87882e8bd9af82d0a1c9a90b721cc67a99e54/detection

4.240.86.147:1337
4.240.86.147:8080

# Reference: https://twitter.com/sicehice/status/1647650130684723202

159.223.250.77:9090

# Reference: https://twitter.com/drb_ra/status/1651298448757358608

190.135.186.92:443

# Reference: https://twitter.com/drb_ra/status/1652021857502019622

18.208.213.147:443

# Reference: https://twitter.com/drb_ra/status/1652384835946659840

50.255.107.170:443

# Reference: https://twitter.com/drb_ra/status/1652384849074835458

51.15.133.32:443

# Reference: https://www.virustotal.com/gui/file/c234a376a6de44dcc5f311937d3d705311599233804db547d7271cee796e86fb/detection

81.161.229.121:8080

# Reference: https://twitter.com/drb_ra/status/1653109032226283543

http://3.105.246.81

# Reference: https://twitter.com/drb_ra/status/1653109056112844804

13.41.55.238:443

# Reference: https://twitter.com/drb_ra/status/1653109091340804106

165.227.106.175:443

# Reference: https://twitter.com/drb_ra/status/1653109102019506177

167.99.194.51:443

# Reference: https://twitter.com/drb_ra/status/1653109118775746580

185.239.225.17:8443

# Reference: https://twitter.com/drb_ra/status/1653109134575689752

http://192.99.223.135

# Reference: https://twitter.com/drb_ra/status/1653109137385873422

205.185.113.85:443

# Reference: https://twitter.com/drb_ra/status/1653471476383727616

80.249.147.147:8081

# Reference: https://twitter.com/drb_ra/status/1653471492196188172

157.245.55.19:443

# Reference: https://twitter.com/MichalKoczwara/status/1652988028011290625

5.252.178.157:443
85.209.135.74:443
91.107.130.122:443
stingray.gay

# Reference: https://twitter.com/drb_ra/status/1653833821219856399

http://13.246.26.24

# Reference: https://twitter.com/drb_ra/status/1653833832926158864

16.171.56.119:8443

# Reference: https://twitter.com/drb_ra/status/1653833844863148053

18.158.68.206:443

# Reference: https://twitter.com/drb_ra/status/1653833854883340289

18.208.213.147:4443

# Reference: https://twitter.com/drb_ra/status/1654458500326514691

157.245.199.109:443

# Reference: https://twitter.com/drb_ra/status/1654458530617753601

209.250.255.119:443

# Reference: https://twitter.com/drb_ra/status/1655283458623647746

185.158.94.217:8000

# Reference: https://twitter.com/drb_ra/status/1655645809193410563

3.105.246.81:443

# Reference: https://twitter.com/drb_ra/status/1655645838612258824

51.68.148.55:443

# Reference: https://twitter.com/drb_ra/status/1655645853019693076

70.29.173.138:443

# Reference: https://twitter.com/MichalKoczwara/status/1655994573280116756

http://51.68.148.55
http://51.83.182.155
51.83.182.155:443

# Reference: https://twitter.com/drb_ra/status/1656008250775543808
# Reference: https://twitter.com/drb_ra/status/1656008254307147783

http://3.249.31.242
3.249.31.242:443

# Reference: https://twitter.com/drb_ra/status/1656008271600263190

13.246.26.24:4444

# Reference: https://twitter.com/drb_ra/status/1656008292634697733

51.83.182.155:443

# Reference: https://twitter.com/drb_ra/status/1656008305427324940

51.255.45.74:443

# Reference: https://twitter.com/drb_ra/status/1656008318282866708

52.19.114.156:443

# Reference: https://twitter.com/drb_ra/status/1656008337362677764

146.59.10.45:443

# Reference: https://twitter.com/drb_ra/status/1656370613445881886

51.68.148.48:443

# Reference: https://twitter.com/drb_ra/status/1656370630160183309

54.160.113.74:445

# Reference: https://twitter.com/drb_ra/status/1656370660740853772

198.211.102.42:443

# Reference: https://twitter.com/drb_ra/status/1656733184384442369

35.136.215.120:443

# Reference: https://twitter.com/drb_ra/status/1656733205938962457

65.21.56.40:443

# Reference: https://twitter.com/drb_ra/status/1656733220782604290

109.106.255.148:443

# Reference: https://twitter.com/drb_ra/status/1656733232786702394

114.117.244.233:443

# Reference: https://twitter.com/drb_ra/status/1656733250180481037

http://165.22.21.249

# Reference: https://twitter.com/drb_ra/status/1657095463651139605

3.26.1.74:443

# Reference: https://twitter.com/drb_ra/status/1657095499281752080

76.65.175.53:443

# Reference: https://twitter.com/drb_ra/status/1657095516113494024

107.172.90.146:443

# Reference: https://twitter.com/drb_ra/status/1657095546828382213

176.123.8.200:443

# Reference: https://twitter.com/drb_ra/status/1657095561009397761

193.233.48.14:443

# Reference: https://twitter.com/drb_ra/status/1657458200063385602

104.200.20.89:8881

# Reference: https://twitter.com/drb_ra/status/1657458238734888973

190.133.143.80:443

# Reference: https://twitter.com/drb_ra/status/1657820277173092353

167.58.245.20:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/

http://108.177.235.233
http://128.199.207.220
http://13.213.147.86
http://13.246.26.24
http://135.181.254.184
http://142.93.45.33
http://149.28.207.18
http://165.22.21.249
http://177.67.71.17
http://188.191.106.251
http://190.135.176.171
http://192.99.223.135
http://193.43.94.63
http://194.4.51.90
http://195.123.241.72
http://20.109.45.183
http://20.126.20.79
http://3.105.246.81
http://3.249.31.242
http://3.85.21.250
http://45.12.253.239
http://5.188.87.39
http://51.158.77.242
http://64.227.130.238
http://66.55.65.150
http://74.207.237.246
http://82.223.64.37
100.26.241.235:445
101.42.246.105:443
101.42.246.105:4433
103.253.43.146:443
104.248.120.60:4343
107.172.90.146:8443
107.174.95.55:443
108.174.57.187:443
108.177.235.233:443
109.105.198.141:443
109.172.44.233:443
109.94.110.94:443
118.31.66.10:443
123.249.38.254:9999
129.150.46.86:443
129.151.233.130:443
13.125.17.253:443
13.244.111.157:443
13.244.144.1:443
13.39.48.10:443
13.93.75.195:443
134.122.45.166:443
136.244.80.185:443
137.184.100.52:443
137.74.253.250:443
138.68.103.181:443
139.144.22.116:443
139.144.39.22:443
139.144.57.50:443
139.180.144.171:443
140.238.217.117:443
141.164.45.80:443
143.198.105.62:443
143.198.136.12:8089
143.198.218.5:443
143.198.53.218:443
143.42.110.206:555
146.190.104.255:443
146.190.120.225:443
146.70.35.170:443
146.70.87.109:443
147.182.241.180:443
149.28.207.18:443
151.236.25.237:4444
151.236.25.237:4445
157.245.47.66:443
157.254.195.51:443
158.247.223.37:4444
159.223.202.160:443
159.223.250.77:443
159.65.149.47:8443
164.92.241.44:443
165.22.12.239:443
166.88.77.16:443
167.172.106.238:443
167.56.104.241:443
167.56.105.95:443
167.56.112.216:443
167.56.122.192:443
167.56.122.29:443
167.56.194.219:443
167.56.196.20:443
167.56.198.150:443
167.56.198.48:443
167.56.203.196:443
167.56.66.214:443
167.58.233.226:443
167.59.76.141:443
167.59.76.50:443
168.138.174.173:2083
168.138.174.173:2087
168.138.174.173:2096
168.138.174.173:40006
168.138.174.173:8443
170.187.142.23:8899
172.105.66.217:443
172.86.78.127:443
172.93.165.118:41686
172.93.165.118:443
174.138.28.5:11443
174.138.28.5:41156
175.178.226.246:443
176.124.32.160:443
177.67.71.17:443
179.25.216.69:443
179.25.221.138:443
179.25.222.247:443
18.134.161.59:443
18.157.84.230:443
18.185.111.207:443
18.196.203.78:33688
18.196.203.78:443
18.214.99.112:443
18.224.73.25:443
182.61.19.90:443
182.61.19.90:48888
184.73.53.214:443
185.112.144.20:443
185.112.144.20:8443
185.163.45.244:443
185.203.118.50:443
185.225.74.223:4433
185.247.224.13:443
185.32.126.34:443
185.39.204.47:443
185.64.247.201:443
185.74.222.204:443
187.95.25.167:443
188.166.251.121:443
188.191.106.34:443
190.133.129.34:443
190.133.130.250:443
190.133.139.168:443
190.133.150.121:443
190.133.150.206:443
190.133.155.21:443
190.133.159.153:443
190.133.232.69:443
190.133.235.6:443
190.133.236.207:443
190.133.237.30:443
190.133.238.68:443
190.134.139.110:443
190.134.148.138:443
190.134.155.238:443
190.134.200.111:443
190.134.202.117:443
190.134.43.116:443
190.134.50.10:443
190.135.124.228:443
190.135.126.109:443
190.135.168.212:443
190.135.176.171:443
190.135.177.179:443
190.135.182.53:443
190.135.184.127:443
190.135.209.12:443
190.135.233.148:443
192.121.163.90:443
192.153.57.181:443
192.153.57.73:443
192.99.223.135:443
193.37.69.123:443
193.43.94.63:443
194.135.33.127:9080
194.58.98.232:443
194.58.98.232:8888
195.123.241.72:443
195.24.66.110:443
195.85.114.214:443
20.109.45.183:443
20.115.112.114:443
20.15.162.87:443
20.158.49.49:443
20.235.26.66:443
20.74.236.100:443
20.92.20.220:443
20.94.83.139:9000
207.148.127.136:10025
209.141.50.192:443
209.38.232.99:443
209.79.69.200:443
212.227.9.150:443
23.106.215.192:443
23.94.59.56:15443
3.17.156.183:443
3.26.10.74:443
3.67.64.179:40156
3.67.64.179:4043
3.71.188.11:443
3.72.1.193:8443
3.72.106.201:443
31.187.76.237:443
34.136.114.164:443
34.18.9.224:443
35.158.109.72:443
35.207.109.124:443
35.226.91.165:443
35.75.17.242:443
37.187.123.146:443
38.54.107.202:443
38.54.107.202:8082
39.99.45.71:2443
4.196.211.113:443
4.231.105.17:8443
40.76.236.54:443
43.153.184.17:3389
43.153.184.17:443
44.200.59.2:443
44.203.114.48:4443
45.117.81.126:443
45.125.67.100:443
45.125.67.117:443
45.153.242.73:443
45.56.76.86:443
45.77.233.83:443
45.77.254.85:443
45.79.90.123:40000
45.8.251.210:7443
45.9.149.144:443
45.9.150.150:443
45.93.28.77:443
46.161.53.217:443
46.183.184.149:443
46.29.234.73:443
47.90.254.130:443
5.161.197.230:443
5.252.178.146:443
5.255.97.196:443
5.44.42.124:443
5.53.125.31:7443
51.15.195.71:443
51.15.59.83:443
51.158.77.242:443
51.158.77.242:5555
51.158.77.242:8443
52.147.196.140:443
52.211.176.121:443
54.144.152.176:443
54.246.21.155:443
54.251.23.219:443
54.64.152.213:8443
54.78.24.98:443
62.234.185.181:443
64.176.34.205:443
64.176.34.205:8443
64.176.47.227:443
64.176.47.227:8080
64.176.47.227:8888
64.226.111.133:443
64.227.130.238:443
64.227.130.238:8080
66.55.65.150:443
68.183.185.231:443
74.119.193.28:443
74.207.237.246:8443
74.234.230.67:443
77.139.130.110:443
77.91.73.143:4433
8.208.95.78:443
8.217.111.67:443
8.222.230.219:443
85.206.172.192:443
88.99.28.233:5000
89.147.108.250:8085
90.107.73.133:443
91.92.128.200:443
94.131.102.61:443
94.131.110.14:9090
98.252.137.125:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-07-28)

104.168.237.121:443
108.177.235.191:443
146.190.113.107:443
168.138.174.173:443
18.219.102.188:443
23.83.133.160:443
23.83.133.164:443
24.99.36.214:443
35.90.217.46:443
44.202.218.193:443
44.212.22.10:22222
54.255.154.71:443
77.223.122.145:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-07-30)

http://95.164.47.3
13.39.237.2:443
16.171.60.36:443
45.81.34.65:11443
95.164.47.3:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-07-31)

139.99.66.96:443
185.39.204.47:447
64.227.79.229:10025
http://146.70.145.212

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-08-01)

106.55.228.192:4455
16.171.60.36:22222
185.239.225.17:7744
35.202.166.59:443
43.131.252.233:443

# Reference: https://twitter.com/TheDFIRReport/status/1686338899314987008

45.92.1.60:5111

# Reference: https://threatfox.abuse.ch/ioc/1146718/

146.70.145.212:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-08-03)

http://185.246.189.72
109.106.255.148:8443
109.106.255.148:40055

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-08-05)

http://54.211.1.105
151.236.216.137:443
163.172.140.159:443
206.189.143.81:443
43.131.252.233:8888
45.61.169.102:443

# Reference: https://twitter.com/sicehice/status/1687601960164216833

157.245.47.66:8080

# Reference: https://urlhaus.abuse.ch/url/2640642/

mott54874.b-cdn.net

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-08-07)

54.238.83.76:3306
54.238.83.76:443

# Reference: https://threatfox.abuse.ch/ioc/1149181/

http://85.206.172.192

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-08-09)

13.48.45.227:443
138.68.174.88:443
5.182.37.3:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-08-11)

http://146.190.29.203
http://176.31.163.140
106.55.228.192:8080
13.214.204.113:443
167.56.66.27:443
176.31.163.140:443
20.160.143.1:443
207.244.226.182:443
34.100.240.82:443
43.153.87.78:443

# Reference: https://www.virustotal.com/gui/file/53e8a1861bed12148803a34ea8bc2b844c4dab73759df6882f77c301f1151dcd/detection

161.97.156.7:43595
havoc718.ddns.net

# Reference: https://twitter.com/drb_ra/status/1691523144966610945

3.87.213.122:8080

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-08-16)

http://52.88.128.181
134.209.147.35:443
185.158.248.34:443
34.231.34.198:443
39.100.87.25:443
52.157.71.131:443
52.88.128.181:443
81.161.229.45:443
90.212.33.49:8443

# Reference: https://threatfox.abuse.ch/ioc/1150423/

http://34.231.34.198

# Reference: https://threatfox.abuse.ch/ioc/1150556/

64.227.130.114:443

# Reference: https://threatfox.abuse.ch/ioc/1150868/

52.76.227.205:443

# Reference: https://threatfox.abuse.ch/ioc/1150887/

http://77.91.68.133

# Reference: https://twitter.com/drb_ra/status/1693334655540363746

38.47.107.170:443

# Reference: https://twitter.com/drb_ra/status/1693334699224011263
# Reference: https://threatfox.abuse.ch/ioc/1151516/

209.38.225.63:443
209.38.240.41:443

# Reference: https://twitter.com/drb_ra/status/1693697132304257088

20.224.91.188:443

# Reference: https://threatfox.abuse.ch/ioc/1151453/

2.59.254.20:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-08-22)
# Reference: https://search.censys.io/hosts/78.135.73.140
# Reference: https://www.deepinstinct.com/blog/operation-rusty-flag-a-malicious-campaign-against-azerbaijanian-targets

http://159.203.122.205
38.47.107.170:8443
77.91.68.133:443
78.135.73.140:10443
78.135.73.140:35667
78.135.73.140:47878
94.128.22.194:443

# Reference: https://twitter.com/drb_ra/status/1694421398062506302

http://47.100.30.74

# Reference: https://twitter.com/drb_ra/status/1694965057107468557

77.74.208.123:443

# Reference: https://threatfox.abuse.ch/ioc/1152181/

16.171.254.242:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-09-01)

http://100.25.164.220
http://158.247.243.219
http://164.215.103.105
http://164.92.134.166
http://2.56.10.6
http://207.244.226.182
http://34.100.240.82
http://47.245.126.218
100.25.164.220:443
109.228.61.245:443
109.63.232.77:443
129.158.249.215:443
141.136.44.52:443
149.40.63.23:443
152.228.170.254:443
16.171.242.239:443
167.99.147.192:8443
170.187.207.78:443
178.128.48.128:443
181.164.204.99:443
188.166.159.86:443
206.166.251.95:443
207.244.226.182:8443
217.6.46.91:8443
34.100.240.82:40056
34.93.29.231:443
34.92.127.28:443
43.132.172.77:443
43.153.193.220:443
47.245.126.218:443
51.255.45.74:40016
78.157.163.36:443
94.131.112.139:443

# Reference: https://twitter.com/drb_ra/status/1696958168209772953

http://164.215.103.173

# Reference: https://twitter.com/drb_ra/status/1696958171774877936

164.215.103.173:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-09-06)

http://159.223.205.33
http://46.101.97.100
http://73.196.213.146
117.50.178.24:8088
139.180.212.188:443
167.172.86.3:443
167.172.86.3:8080
206.188.197.20:443
206.71.148.148:443
24.199.106.201:443
37.120.239.175:443
46.101.97.100:443
64.226.81.144:443
66.135.16.39:443
73.196.213.146:443
80.85.152.108:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-09-11)

152.89.198.175:443
34.231.97.149:443
34.235.159.186:443
45.131.3.18:443
5.61.41.71:443
61.4.102.37:443
86.82.10.130:53
92.39.211.142:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-09-12)

http://165.232.151.90
http://64.176.211.167
168.100.10.213:443
139.180.158.92:443
139.180.158.92:7443
159.223.205.33:443
193.149.190.230:443
206.71.148.79:443
209.38.212.101:443
3.215.181.98:443
38.6.163.12:443
45.195.204.20:443
45.195.204.29:443
45.195.204.53:443
51.68.169.167:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-09-19)

http://103.101.205.215
http://164.90.162.240
http://172.233.67.65
http://3.215.181.98
http://52.202.108.119
http://52.194.222.149
103.101.205.215:443
124.156.167.196:4433
128.199.88.129:443
164.132.229.221:443
164.90.162.240:443
172.233.67.65:443
217.182.199.147:40070
217.182.199.147:443
217.6.46.91:4443
47.122.21.21:443
50.255.107.171:443
51.16.9.5:8443
52.192.111.170:443
52.202.108.119:443
74.207.242.75:443

# Reference: https://twitter.com/drb_ra/status/1703481233949237614

5.182.37.3:444

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-09-21)

http://172.105.139.42
http://51.210.243.250
101.33.116.17:10249
16.171.237.4:443
175.27.146.212:443
178.128.122.128:443
192.144.211.13:443
193.117.208.108:7305
193.218.118.143:8083
193.218.118.143:8085
202.162.108.120:443
34.116.228.55:443
43.135.138.227:443
45.183.247.131:443
47.245.42.208:443
65.21.105.102:443
165.22.58.208:8443
172.105.92.100:443
193.218.118.14383

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-09-25)

http://134.122.54.122
http://164.215.103.86
http://198.148.112.58
http://47.96.174.148
104.248.149.186:443
146.190.67.179:443
16.170.217.78:443
37.120.239.175:23450
40.117.129.162:40056
45.79.238.141:8080
47.96.174.148:443
162.0.231.130:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-09-29)

http://8.217.13.6
101.99.91.224:443
103.214.157.66:4443
134.195.198.40:443
138.68.69.79:443
168.100.11.139:443
173.212.236.170:443
18.195.241.171:443
185.243.114.106:443
185.243.115.154:443
185.243.115.252:443
192.153.57.227:443
192.53.171.76:443
194.26.192.110:443
20.52.249.198:443
3.6.98.232:18976
31.223.16.23:443
34.227.89.96:443
34.227.89.96:8443
40.117.129.162:888
44.202.151.94:443
45.138.16.248:443
45.195.204.20:3320
45.195.204.29:3320
45.195.204.53:3320
45.61.136.107:443
51.158.107.162:443
54.202.46.22:4443
54.211.1.105:40056
66.94.109.152:443
91.90.192.233:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-10-07)

http://172.105.183.87
http://172.105.190.170
111.90.148.125:443
178.128.111.190:443
178.128.216.62:443
194.182.78.107:443
20.19.1.146:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-10-09)

http://185.235.138.63
http://54.146.112.196
139.180.195.227:443
51.142.94.204:443
98.66.139.133:8443
aadcdn.the-admiralty.co.uk
aadcdn.ukho.org
acad.bmcybersecurity.net
acadtr.bmcybersecurity.net
support-par8o.com
addressverification.support-par8o.com
alerts-service.com
backstopsolution.net
bankbubyan.com
banochotelgh.com
biswapvoilet.com
bluelinedevelop.com
caldwellmedical.org
cenaa3.viverindia.com.br
centrecertifieplus.com
chuangshiclub.com
contrariancapital.backstopsolution.net
cpcontacts.banochotelgh.com
cpcontacts.biswapvoilet.com
jagoanstoregame.duckdns.org
cpcontacts.jagoanstoregame.duckdns.org
crm.banochotelgh.com
deltidentalil.com
erci.banochotelgh.com
fahope.com
files.bmcybersecurity.net
givex.help
gracefoundme.top
if00d.com.br
iglensonc2.com
l2chartsapi.com
banochotelgh.com
lime.banochotelgh.com
linkair.top
login.doc-usign.net
login.officeonline.ri-rqc.sk
login.ri-rqc.sk
lucie.ddns.net
alerts-service.com
mail.alerts-service.com
backstopsolution.net
mail.backstopsolution.net
mail.biswapvoilet.com
biswapvoilet.com
myalectra.com
nginx-rev-prox-rj33nb72rsqni.westeurope.cloudapp.azure.com
officeonline.ri-rqc.sk
omricybersecurity.com
purple.cassa.my.id
ri-rqc.sk
salvation.banochotelgh.com
siptestasets.com
artsavingsclub.co.za
staging.artsavingsclub.co.za
support-par8o.com
suse.space
the-admiralty.co.uk
uiurbur.guieoer.pserver.ru
google-service.workers.dev
update.google-service.workers.dev
update.netsecgroup.com
netsecgroup.com
bmcybersecurity.net
biswapvoilet.com
vulnmetrics.bmcybersecurity.net
webdisk.biswapvoilet.com
webmail.biswapvoilet.com
perubahan-tarif-brlmo.com
webmail.perubahan-tarif-brlmo.com
wss.payloads.online
payloads.online
yinksoft-update.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-10-11)

120.53.93.251:443
157.245.142.4:443
54.146.112.196:443
95.217.219.48:8080

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-10-13)

http://163.172.234.31
16.171.65.50:443
163.172.234.31:443
164.92.168.80:443
176.124.215.91:443
185.225.17.127:4433
2.102.90.244:4444
alexis-dasilva.com
sharepointoneline.com
stellantis-invite.com
stellantis-service.com
idpm.stellantis-invite.com
wapprod.stellantis-service.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-10-16)

http://194.180.49.251
104.233.140.137:8088
16.171.54.181:8443
164.92.168.80:40056
185.165.169.117:443
43.135.163.36:443
89.116.72.113:21024
air-canadaa.com
search-online.workers.dev

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-10-19)

http://172.233.192.25
http://216.128.180.160
http://95.92.201.169
13.53.84.163:443
130.51.20.136:5900
134.195.198.40:40056
137.184.84.90:443
138.68.174.88:40056
141.94.69.198:443
161.35.25.219:443
172.233.192.25:443
185.193.125.140:443
194.169.175.238:8083
194.169.175.238:8443
195.77.176.178:4444
23.94.50.240:443
45.12.253.39:443
52.56.179.139:443
54.246.47.176:443
88.99.71.225:443
89.147.111.205:4443
adblockext.ru
securitytest.lat
api.microsoft-service.workers.dev
login.sharepointoneline.com
microsoft-service.workers.dev

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-10-23)

5.255.123.86:443
5.255.123.86:5000
alexis-dasilva.pro
bitwarden-server.payloads.online
cesig8.online
vip.cesig8.online

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-10-25)

http://66.219.103.8
141.105.71.141:443
157.230.124.53:443
158.160.74.251:8443
149.102.143.96:443
167.114.113.96:443
191.96.53.80:443
194.169.175.238:8080
3.6.115.64:10000
34.217.46.159:8443
34.93.89.189:443
38.242.132.121:443
47.157.37.112:5001
50.116.39.137:443
51.254.33.199:443
52.15.200.151:443
68.183.68.156:443
88.99.71.225:801
abaadoffice.net
aspidaprotection.com
atisgst.fit
msonline-security.com
prfectr.xyz
analytics.prfectr.xyz
staging.prfectr.xyz
mail.abaadoffice.net
login.msonline-security.com
wapprod.stellantis-invite.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-10-29)

http://146.70.79.19
http://83.212.96.62
136.243.185.107:443
139.84.144.181:443
161.142.78.158:8080
175.136.232.225:8080
175.136.232.226:8080
176.31.163.140:40056
24.144.90.189:443
35.221.29.34:443
57.128.171.220:443
80.78.22.31:443
buesem2021.com
havoc.riggcorp.com
idpm.stellantis-service.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-11-01)

208.115.220.176:443
35.167.204.55:443
46.8.158.224:443
heylele.com
msftonline.org
testsite.uno
config-update-ms.francecentral.cloudapp.azure.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-11-02)

136.243.185.107:8443
185.193.125.140:41909
20.220.86.194:443
20.94.83.139:443
35.178.199.73:443
35.226.174.151:443
64.227.179.34:443
91.92.255.32:443
mircofots.online
apix.mircofots.online

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-11-04)

http://172.208.90.130
http://176.126.113.164
http://212.71.238.198
http://40.76.55.180
http://8.208.95.78
128.140.47.106:443
13.215.191.59:4444
139.28.36.5:443
144.76.182.181:443
146.190.41.228:443
154.8.142.178:443
159.65.168.135:443
16.16.26.234:3306
16.16.26.234:443
164.92.189.96:443
165.22.184.182:443
167.71.38.111:443
167.71.6.13:443
170.64.171.160:443
172.232.123.21:443
173.255.196.101:443
174.138.4.105:443
176.9.43.114:8443
178.62.57.69:587
185.193.125.118:443
185.236.202.153:4444
194.169.175.238:443
194.169.175.238:9443
20.157.16.178:443
20.52.226.156:443
20.55.94.241:443
20.71.97.27:443
20.93.5.194:8089
203.135.101.181:82
31.220.94.133:443
34.224.40.221:443
34.232.77.201:443
35.178.199.78:443
35.178.203.77:443
40.76.55.180:8090
43.138.87.237:443
45.66.216.108:443
45.76.71.236:443
45.79.249.116:443
46.246.1.155:7443
51.15.195.71:40056
51.158.107.162:40056
52.151.252.137:443
52.87.167.149:443
54.188.132.103:443
54.93.236.31:443
54.93.236.31:8000
62.210.207.211:443
64.226.72.6:443
79.133.183.84:443
79.133.183.84:8081
79.141.169.72:4443
80.78.24.47:443
85.208.117.147:4443
88.214.25.36:443
91.206.14.228:8989
94.156.64.184:4433
95.165.99.74:443
7desktop.com
abb-bank.wiki
bedlinnenoutlet.nl
daanzeegersdesign.nl
donotopenthis.zip
toroz.nl

# Reference: https://threatfox.abuse.ch/ioc/1201397/
# Reference: https://www.virustotal.com/gui/file/fa02f2c47b8a22acff47d86da8e5b97f2453aee4606f585b5d979429eb85a0d3/detection

werbeagenturbraunschweig.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-11-22)

172.208.90.130:443
172.208.97.188:443
185.254.238.160:443
209.250.248.246:443
45.78.58.175:6379
blha.tail9ed4d.ts.net
cloudflare-tls.workers.dev
ctvnews.eastus.cloudapp.azure.com
launchpad.pusd.fi
login.pusd.fi
mstraffic.cloudflare-tls.workers.dev
pusd.fi

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-11-25)

http://172.208.97.188
104.237.11.5:443
172.105.66.217:23966
198.176.59.64:443
37.187.176.161:443
80.78.22.93:443
85.209.176.146:8088
88.99.150.167:8443
pwshrepo.com
sd-50950.dedibox.fr
vpn-eu.dsikw.com

# Reference: https://twitter.com/banthisguy9349/status/1731290942785601583

46.8.158.224:8000

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-12-03)

http://13.42.17.180
http://167.71.38.111
http://172.191.67.230
http://18.191.149.233
http://188.116.22.65
http://198.176.59.64
http://64.176.164.102
http://80.211.208.51
108.51.80.70:443
124.220.224.87:8888
124383.msk.web.highserver.ru
139.28.36.237:443
139.59.40.198:443
142.93.185.248:443
146.190.231.230:443
146.190.231.230:80
146.190.45.248:443
146.70.79.110:4445
148.135.75.34:443
157.230.223.248:443
165.22.159.164:443
178.128.122.128:40069
178.62.57.69:40056
18.196.5.34:443
185.221.216.103:443
198.176.59.64:6379
209.38.226.163:443
212.227.211.81:443
24.199.125.30:443
45.123.188.186:443
45.15.159.79:443
45.76.156.94:443
47.108.117.51:8081
5.161.118.248:443
504e165d.host.njalla.net
52.91.116.180:443
62.84.116.13:443
62.84.116.13:4443
62.84.116.13:61237
77.103.140.46:443
cdn239.for149.xyz
contato8.appsysten.com
kztime.ddns.net
lido-fi.dev
nginx-typhoon.westeurope.cloudapp.azure.com
wiipo.com.ht-hldrotermica.com.br

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-12-05)

http://113.52.134.114
http://141.94.69.198
http://207.180.215.36
http://35.92.41.20
104.248.15.194:443
113.52.134.114:443
113.52.134.114:4433
113.52.134.114:6379
158.160.84.31:443
159.89.4.80:443
162.216.241.236:443
167.172.45.219:443
174.138.7.112:40065
212.51.144.128:443
3.110.107.80:443
34.29.20.95:443
43.163.210.218:443
45.79.6.132:443
45.9.62.223:443
47.251.70.97:443
62.210.207.211:8000
62.234.202.129:443
66.228.60.47:8000
74.119.195.176:443
79.124.58.134:443
u1.cc0.ir
worker-jolly-unit-e3af.jacobnero11.workers.dev

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-12-17)

http://172.232.123.21
http://37.221.197.42
107.174.115.43:8443
138.68.123.125:40065
138.68.123.125:443
142.93.185.248:8080
16.170.155.141:443
170.64.204.218:443
185.216.68.69:443
185.216.68.70:443
192.46.215.47:443
193.181.23.43:443
194.33.191.214:40056
195.35.25.136:443
216.146.25.85:443
3.149.246.173:443
35.158.7.214:443
37.221.197.42:443
43.138.25.26:443
51.20.113.6:443
62.234.202.129:48892
66.228.60.47:443
87.121.87.101:444
92.220.154.91:8443
aadcdn.nolog.no
accounts.cdcadvania.no
accounts.nolog.no
analytics.nolog.no
apis.cdcadvania.no
apis.nolog.no
cdcadvania.no
content.cdcadvania.no
content.nolog.no
fonts.nolog.no
login.nolog.no
login.test.nolog.no
mail2.nolog.no
myaccount.cdcadvania.no
myaccount.nolog.no
nolog.no
notifications.nolog.no
ogs.nolog.no
play.cdcadvania.no
play.nolog.no
ssl.cdcadvania.no
ssl.nolog.no
test.nolog.no
tysers.ltd
www2.nolog.no
youtube.nolog.no

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2023-12-24)

http://13.209.21.1
http://139.196.241.226
http://18.116.150.89
http://20.107.115.8
http://206.237.23.155
103.174.114.187:443
124.222.63.238:8020
13.213.218.169:45923
13.38.219.27:443
139.196.241.226:40000
139.84.147.34:443
144.76.182.181:6666
15.188.15.165:443
15.188.62.181:443
18.116.150.89:443
185.196.11.27:8443
193.233.203.168:443
198.13.36.52:8443
198.13.36.52:9443
206.237.23.155:443
206.237.23.155:8443
207.180.215.36:443
3.110.107.80:40069
3.84.191.39:443
31.222.238.48:443
45.120.177.198:443
45.133.216.82:443
45.145.228.123:8080
45.76.184.28:443
62.204.41.67:443
65.20.84.176:443
69.164.199.179:8443
79.133.51.66:443
80.211.65.159:443
80.78.27.224:40056
91.92.250.227:443
91.92.253.137:443
crm.salesatelier.at

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2024-01-01)

http://109.206.246.130
http://207.174.28.42
109.206.246.130:30003
109.206.246.130:443
18.216.147.202:443
5.35.34.36:443
achiversacademy.shop
passwordsecurity.cloud
tracktheway.shop
lastpass.passwordsecurity.cloud
v2202304197391224451.megasrv.de
v2202304199058227026.goodsrv.de

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2024-01-03)

159.223.92.16:443
172.232.36.73:10443
35.173.234.124:8443
74.119.194.110:8888
85.215.215.94:443
activelifes.shop
authenticateoffice.com
cdn.authenticateoffice.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2024-01-05)

http://45.61.187.244
103.59.94.45:443
13.235.254.216:443
146.190.236.181:443
160.238.36.135:8080
179.96.164.30:445
179.96.164.40:445
188.166.39.71:443
64.156.192.19:2222
api.msservice.workers.dev
helpdesktops.com
lightfull.shop
msservice.workers.dev
v2202002114563109588.megasrv.de
v2202311142188246753.nicesrv.de
walbuschgruppe.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2024-01-06)

http://20.61.52.34
http://34.239.255.86
http://91.92.251.215
120.26.241.141:8443
139.84.172.20:8443
139.84.172.248:443
161.35.239.147:443
167.99.156.77:443
179.96.164.83:445
185.196.10.126:8443
188.166.39.71:4444
195.90.223.120:443
20.107.115.8:443
213.136.71.179:443
3.110.101.202:443
34.203.229.137:443
34.239.255.86:443
45.126.125.144:443
47.76.181.76:443
8.219.206.59:443
88.119.171.83:443
91.92.251.215:443
91.92.251.215:8443
20402177.xyz
cloud.cy-security.de
dl.info-163.com
esdm-internal.com
ethicalhackersworkshop.com
git.cy-security.de
hc.info-163.com
info-163.com
kasm.cy-security.de
login.microsoft.authenticateoffice.com
lucarne-films.com
microsoft-webservices.com
microsoft.authenticateoffice.com
nadon.net
namyonghospital.net
nvidiaapp.cloud
oxyphyllous.20402177.xyz
thesirenmika.xyz
vpn.cy-security.de

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2024-01-15)

http://13.235.248.157
http://193.222.96.163
107.172.57.92:443
125.229.208.221:8080
13.235.248.157:443
141.94.69.198:8443
164.92.79.49:443
172.105.109.228:443
193.222.96.163:7443
20.199.89.215:443
23.94.198.26:443
3.208.22.29:443
47.74.90.4:443
54.185.217.31:443
84.32.188.80:65534
90.46.97.127:4443
app.berkeleyisyou.com
berkeleyisyou.com
cy-security.de
havoc.redethics.online
kesselfoodmarket.com
redethics.online
whoami.cy-security.de

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2024-01-17)

http://167.172.80.227
http://172.172.163.9
http://52.66.109.117
138.197.4.123:443
16.62.217.129:443
172.172.163.9:443
20.84.6.140:443
45.126.127.218:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2024-01-23)

http://206.237.1.36
http://34.123.166.220
http://98.71.223.72
103.149.91.138:443
13.235.247.85:443
137.184.9.46:443
15.206.164.202:443
157.245.29.228:443
18.117.107.132:443
192.46.228.106:443
195.90.223.120:40056
20.197.230.164:443
206.237.1.36:443
209.97.131.69:443
23.26.55.9:443
34.123.166.220:443
34.123.166.220:6667
34.171.56.109:6667
35.209.123.246:8443
4.246.234.87:443
40.113.134.142:443
43.138.25.26:4431
52.76.234.184:443
64.23.154.205:443
83.97.20.211:443
98.71.223.72:443
99.153.7.177:443
cooltk.asia
ha.redethics.xyz
jamesdesign.blog
lmanage.net
longkey.02561854.xyz
primalbrainhacks.com
redethics.xyz
tradeplayz.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2024-01-28)

http://137.117.205.207
http://52.136.223.233
http://89.245.139.188
116.203.129.118:443
137.117.205.207:443
137.117.205.207:4444
141.144.233.60:443
146.70.155.203:443
15.235.130.29:10443
164.92.125.68:443
206.189.139.96:443
3.21.227.143:443
31.192.235.164:443
4.205.75.12:443
52.136.223.233:443
52.136.223.233:4444
89.245.139.188:443
89.245.139.188:4444
96.30.193.6:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.havoc/ (# 2024-01-31)

http://34.244.129.215
http://79.137.226.104
http://91.92.252.217
http://91.92.253.160
141.136.44.219:4443
34.244.129.215:443
38.242.209.51:443
49.157.28.96:443
50.118.225.41:443
91.92.252.217:10443
91.92.252.217:7443
91.92.253.138:443
98.186.108.222:443
ekfb.site
pgad.emkd.ru

# Generic

/Havoc/payload/
/Havoc/payloads/
