# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: TA866

# Reference: https://twitter.com/WhichbufferArda/status/1608089945985486852
# Reference: https://www.virustotal.com/gui/file/f8cf2f07b20419758fbeaa23abae285c917df9c4e94a5259679993f8e9f37cab/detection
# Reference: https://www.virustotal.com/gui/file/aebb1578371dbf62e37c8202d0a3b1e0ecbce8dd8ca3065ab26946e8449d60ae/detection

http://141.98.82.254
/blob/8gu4bf.la5z
/blob/is4mlw.suqp

# Reference: https://tria.ge/221227-ktbbsshg51/behavioral1

http://116.202.18.132
/blob/q3k6tk.xi8o

# Reference: https://twitter.com/AnFam17/status/1607477672057208835
# Reference: https://twitter.com/AnFam17/status/1607479956870950913
# Reference: https://www.joesandbox.com/analysis/733720/0/html
# Reference: https://www.virustotal.com/gui/file/00f6b0a064a86b2566643178456211043732edbde4f6a5e9f829791c10e47141/detection
# Reference: https://www.virustotal.com/gui/file/4f9ad8a74aca60bf0cf3750c876313acc1e70d74e07a52dfeb3cb3c21f545b7a/detection

http://185.145.245.124

# Reference: https://www.virustotal.com/gui/file/4f9ad8a74aca60bf0cf3750c876313acc1e70d74e07a52dfeb3cb3c21f545b7a/detection

http://85.208.136.26
/blob/5iqmtn.iq54

# Reference: https://twitter.com/malware_traffic/status/1608673979132436481
# Reference: https://app.any.run/tasks/ceef5e3f-1f42-473b-8c7d-4692dcd117f1/

http://162.33.178.106
noetpode.com
/blob/5mloob.qqvr

# Reference: https://twitter.com/malware_traffic/status/1610385687781449730
# Reference: https://www.malware-traffic-analysis.net/2023/01/03/index.html

noteepad.hasankahrimanoglu.com.tr
/gjntrrm/zznb2o.hgfq

# Reference: https://twitter.com/1ZRR4H/status/1610590795278712832
# Reference: https://twitter.com/1ZRR4H/status/1610590799112159232

http://45.82.176.11
45.82.176.11:443
anydesk-for-desktop.com
aromaindianrestaurantlounge.com
install-anydesk.com
istaller-zoom.com
zoom-for-desktop.com
/blob/hf00ob.u4zc

# Reference: https://twitter.com/ViriBack/status/1610999181459738624

http://165.232.186.202
http://212.23.222.49
http://65.109.161.133
http://79.137.206.68
http://95.214.53.95

# Reference: https://twitter.com/Merlax_/status/1610830108373270530
# Reference: https://pastebin.com/yPBahSAk

http://104.168.32.136
http://107.148.130.121
http://146.70.157.76
http://152.89.196.174
http://167.172.69.255
http://167.235.202.111
http://172.86.123.86
http://179.43.142.109
http://179.43.142.142
http://179.43.142.29
http://179.43.142.37
http://179.43.154.157
http://179.43.154.168
http://179.43.154.212
http://179.43.155.136
http://179.43.155.144
http://179.43.156.145
http://179.43.156.151
http://179.43.162.115
http://179.43.162.79
http://179.43.163.118
http://179.43.175.136
http://179.43.175.230
http://179.43.175.34
http://179.43.176.13
http://179.43.176.39
http://179.43.176.54
http://179.43.176.68
http://179.43.176.78
http://179.43.187.233
http://179.43.187.95
http://185.209.160.18
http://185.209.160.99
http://185.223.93.141
http://193.233.234.13
http://193.38.55.7
http://193.42.33.180
http://193.42.33.42
http://193.42.33.73
http://193.47.61.174
http://194.4.49.152
http://217.12.201.112
http://31.41.244.157
http://31.41.244.38
http://34.150.88.233
http://45.138.74.237
http://45.144.30.114
http://45.182.189.195
http://45.66.151.81
http://45.81.39.102
http://47.57.236.111
http://5.182.39.203
http://5.230.73.134
http://5.75.171.154
http://62.204.41.57
http://62.233.50.246
http://62.233.51.95
http://78.46.190.160
http://79.137.194.240
http://79.137.202.78
http://85.209.135.172
http://88.210.12.126
http://89.22.230.175
http://91.202.5.208
http://95.179.136.89
104.168.32.136:443
107.148.130.121:443
146.70.157.76:443
152.89.196.174:443
167.172.69.255:443
167.235.202.111:443
172.86.123.86:443
179.43.142.109:443
179.43.142.142:443
179.43.142.29:443
179.43.142.37:443
179.43.154.157:443
179.43.154.168:443
179.43.154.212:443
179.43.155.136:443
179.43.155.144:443
179.43.156.145:443
179.43.156.151:443
179.43.162.115:443
179.43.162.79:443
179.43.163.118:443
179.43.175.136:443
179.43.175.230:443
179.43.175.34:443
179.43.176.13:443
179.43.176.39:443
179.43.176.54:443
179.43.176.68:443
179.43.176.78:443
179.43.187.233:443
179.43.187.95:443
185.209.160.18:443
185.209.160.99:443
185.223.93.141:443
193.233.234.13:443
193.38.55.7:443
193.42.33.180:443
193.42.33.42:443
193.42.33.73:443
193.47.61.174:443
194.4.49.152:443
217.12.201.112:443
31.41.244.157:443
31.41.244.38:443
34.150.88.233:443
45.138.74.237:443
45.144.30.114:443
45.182.189.195:443
45.66.151.81:443
45.81.39.102:443
47.57.236.111:443
5.182.39.203:443
5.230.73.134:443
5.75.171.154:443
62.204.41.57:443
62.233.50.246:443
62.233.51.95:443
78.46.190.160:443
79.137.194.240:443
79.137.202.78:443
85.209.135.172:443
88.210.12.126:443
89.22.230.175:443
91.202.5.208:443
95.179.136.89:443

# Reference: https://twitter.com/ViriBack/status/1611091230779138072

http://116.202.18.132
http://141.98.82.254
http://179.43.154.212
http://179.43.163.118
http://194.4.49.152
elon-first.com
myada2x.com
myevent22.net
v1477680.hosted-by-vdsina.ru

# Reference: https://twitter.com/0xrb/status/1611241904917876737

http://192.30.243.151
http://216.250.255.148
http://216.250.255.149
http://5.44.251.17
http://5.44.251.20
http://82.115.223.169
http://85.192.49.170
116.202.18.132:443
141.98.82.254:443
162.33.178.106:443
165.232.186.202:443
192.30.243.151:443
193.56.146.6:443
212.23.222.49:443
216.250.255.148:443
216.250.255.149:443
5.44.251.17:443
5.44.251.20:443
65.109.161.133:443
79.137.206.68:443
82.115.223.169:443
85.192.49.170:443
95.214.53.95:443

# Reference: https://twitter.com/suyog41/status/1611326908041682952
# Reference: https://www.virustotal.com/gui/file/ae82c37e4a6ec833aa743244b942033dcdd10f163cc45af519fa693ce035a002/detection

/blob/oay66h.aw7p

# Reference: https://twitter.com/Merlax_/status/1611412523663912961

kukazanatena.co.ke
theabevalle.com

# Reference: https://twitter.com/idclickthat/status/1612268584020971520
# Reference: https://twitter.com/1ZRR4H/status/1612472092326346752

install-zoom.com
virtualbse.com

# Reference: https://twitter.com/1ZRR4H/status/1613275088098304002

bluestacks-install.com
zoom-meetings-download.com
zoom-meetings-install.com
zoomus-install.com

# Reference: https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/

anydleslk-download.com
install-anydeslk.com
zoom-video-install.com
zoomvideo-install.com

# Reference: https://threatfox.abuse.ch/ioc/1068137/

textedit-notepad.com

# Reference: https://threatfox.abuse.ch/ioc/1068138/

http://164.90.172.224

# Reference: https://www.virustotal.com/gui/file/a2e9a2389faf04b67fbbd6fc71134860a145db7643d88ba312390493d5619302/detection

/blob/jb59sc.rk2g

# Reference: https://www.virustotal.com/gui/file/da16f2574eeab4267e24f416d625ed8ced553ed25bc51f22860ef565fa1c3f92/detection

http://31.41.244.16
/chachacha/ec3wm4.8xb6

# Reference: https://twitter.com/1ZRR4H/status/1614728368334716932
# Reference: https://twitter.com/1ZRR4H/status/1614728371644125187
# Reference: https://twitter.com/1ZRR4H/status/1614821592550326275

http://77.91.122.230
fargonding.store
hughtexeideas.store
mororead.store
rontr.store
montofagasta.store
rontreal.store
slavyanmar.store
toysbrasnovo.store
obs-project.festcommerzblog.com

# Reference: https://twitter.com/IronNetTR/status/1615757537273315365
# Reference: https://github.com/IronNetCybersecurity/IronNetTR/blob/main/ironradar/rhadamanthys/ironradar_1d_rhadamanthys_2022_1_18.csv

152.89.198.59:443
157.254.194.23:443
172.105.5.70:443
179.43.142.40:443
179.43.156.132:443
179.43.175.114:443
179.43.187.233:3306
185.209.160.43:443
185.225.74.144:443
185.225.74.200:443
185.81.68.104:443
memtromeds.com
moosdies.top

# Reference: https://twitter.com/DonPasci/status/1616428435550740482

sourcegimp.com
sourcsegimp.com
soursegimp.com

# Reference: https://www.virustotal.com/gui/file/c27d7174b52a423cdd51187de5c53bd0f3dfebbc76f92575864f3ba4abf2f012/detection

http://79.137.197.29
/rfbqtotg/Dpcejhz.bmp

# Reference: https://twitter.com/crep1x/status/1623394701456859137
# Reference: https://tria.ge/230208-kpd7wshc6t/behavioral2
# Reference: https://www.virustotal.com/gui/file/b2a3e00ad2ee588b552137c94d5f3a4611c2f40d0be23ef6b6b12227baa24ae4/detection
# Reference: https://www.virustotal.com/gui/file/9b6f87d991b04b9eb7c1b5e4bff6b2fff7c8b53156396c1e60ee9523ddd9ece9/detection
# Reference: https://www.virustotal.com/gui/file/04aca53d460d19c73283bcd131e56ccbd4384d5303400dc318d3371b2edba522/detection

http://109.206.243.168
http://144.76.33.241
http://179.43.154.216
http://179.43.154.219
http://78.47.79.11
http://91.215.85.157
193.149.180.103:3301
193.149.180.103:666
/dewight1/colibri.api
/update/nti4ta.3dhh
/nti4ta.3dhh

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/Rhadamanthys_Stealer_Panels_10_02_2023.txt

http://179.43.142.71
http://179.43.154.164
http://179.43.176.21
http://94.142.138.26
179.43.142.71:443
179.43.154.164:443
179.43.176.21:443
94.142.138.26:443

# Reference: https://twitter.com/nao_sec/status/1625691518509121537

http://79.137.204.54
/custints/g73lab.id9x

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/Rhadamanthys_Panel_scan_16-02-2023_01-03-32.txt

45.137.66.211:443

# Reference: https://twitter.com/BroadAnalysis/status/1630680889771323392
# Reference: https://www.virustotal.com/gui/file/001e6a0bc8566e594f377a33e4d108bba5821e407d38ddd745fe2477ae23a7ff/detection

http://191.101.14.159
/abctop/rfvnq4.co0l

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Aurora_Stealer/txt/Aurora_Panel_scan_02-03-2023_19-30-23.txt

179.43.142.172:443
195.3.223.120:443
195.3.223.218:443

# Reference: https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me
# Reference: https://otx.alienvault.com/pulse/63e3c458fe346cfc050d6880
# Reference: https://www.virustotal.com/gui/file/09c26bfe15d9ac65a9a4a73ccaf20c352d496feecb6a7fd3d5ce3b27d16faeea/detection

http://79.137.198.60
annemarieotey.com
anyfisolusi.com
black-socks.org
bluecentury.org
duinvest.info
duncan-technologies.net
enigma-soft.com
expresswebstores.com
fgpprlaw.com
footballmeta.com
gfcitservice.net
listfoo.org
mikefaw.com
otameyshan.com
peak-pjv.com
repossessionheadquarters.org
samsontech.mobi
shiptrax24.com
southfirstarea.com
styleselect.com
thebtcrevolution.com
virtualmediaoffice.com

# Reference: https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques
# Reference: https://otx.alienvault.com/pulse/63f63a41659035a81b740554

/blob/vpuu9i.7b4x

# Reference: https://twitter.com/AuCyble/status/1632625549964361730
# Reference: https://www.virustotal.com/gui/ip-address/185.137.235.119/relations

chatgptsinstall.com
exchangecash.online
getchatgptapi.com
getchatgptapp.com
gpt-chat-app.org
gptchatdownload.com
gptchatdownloadpc.com
gptchatdownlod.com
hyperplayofficial.com
inkscapeapps.com
installchatgpt.me
installchatgpt.online
installchatgpt.org
installwebex.com
installwebex.online
lastpass-app.com
lastpassinstall.com
lastpassofficial.com
lastpassofficial.me
lhyperplay.com
metamask-apps.com
officialhyperplay.com
officialschatgpt.com
officialstargate.com
setupchatgpt.com
sketchup-tool.com
snapclhats.com
snapclnats.com
web-ex-app.com
webex-meetings.com
webex.icu
webexsign.com
webexsign.org

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/txt/Rhadamanthys_Panel_scan_10-03-2023_23-22-36.txt

193.149.185.118:443
45.77.66.151:443

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/txt/Rhadamanthys_Panel_scan_16-03-2023_19-43-54.txt

87.251.67.40:443
91.215.85.157:443

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/txt/Rhadamanthys_Panel_scan_23-03-2023_19-17-12.txt

185.225.73.180:443

# Reference: https://www.virustotal.com/gui/file/90bfffe7bfde826f6204ef3546d139b6293d37ef59dbf2cc9d685eb6bb6c8d23/detection
# Reference: https://www.virustotal.com/gui/file/4130ce135fbfab00618f261a0397e88479d2f61e1ed0d09ebcde525439774f3e/detection

/ggkanor/0mv8dc.bqmu
/0mv8dc.bqmu

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/csv/Rhadamanthys_2023-04-13_16-24-28.csv

http://108.61.189.120

# Reference: https://twitter.com/crep1x/status/1649067627996672000
# Reference: https://www.virustotal.com/gui/file/58105a9ffb1d4675481d1c945d20630807f9dc2dc3d107a66f2d928125508226/detection

http://104.156.149.126

# Reference: https://twitter.com/g0njxa/status/1645559497987850241

/fredom/YTmeta.api

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/txt/Rhadamanthys_Panel_scan_27-04-2023_16-34-09.txt

http://179.43.142.172
http://185.225.73.180
http://45.77.66.151
179.43.142.172:443
185.225.73.180:443
45.77.66.151:443

# Reference: https://twitter.com/powershellcode/status/1678470714024939520

http://185.228.234.189
185.228.234.189:443

# Reference: https://twitter.com/g0njxa/status/1682332969451569153

rhadwikiwwzr6sfzygsr3qh7lwu5ghnaoupxwpsj2xuxjcgcebikh7id.onion
stealerskymtni3tiagmx3pqktjgkm2iigwj6e2touws773emrfjvoyd.onion

# Reference: https://threatfox.abuse.ch/ioc/1146917/

45.81.39.169:8889

# Reference: https://threatfox.abuse.ch/browse/malware/win.rhadamanthys/ (# 2023-08-03)

http://104.156.149.126
http://109.206.240.181
http://109.206.243.168
http://116.202.18.132
http://116.203.136.70
http://143.198.207.43
http://144.76.33.241
http://156.227.6.50
http://162.33.178.106
http://162.33.178.64
http://164.90.172.224
http://179.43.142.201
http://179.43.142.29
http://179.43.142.39
http://179.43.142.40
http://179.43.154.181
http://179.43.154.216
http://179.43.154.219
http://179.43.155.198
http://179.43.155.206
http://179.43.156.145
http://179.43.162.87
http://179.43.176.6
http://179.43.187.95
http://185.209.160.43
http://185.209.160.99
http://185.225.73.180
http://185.246.221.59
http://185.250.205.73
http://191.101.14.159
http://193.233.20.1
http://193.37.70.80
http://193.38.55.238
http://193.42.33.73
http://195.3.223.120
http://198.135.54.147
http://216.250.255.149
http://31.192.237.70
http://31.41.244.38
http://31.41.244.80
http://35.220.153.89
http://40.82.159.41
http://45.12.253.133
http://45.128.234.63
http://45.131.66.61
http://45.15.159.234
http://45.150.65.4
http://45.66.151.81
http://45.82.176.11
http://45.9.74.71
http://46.36.219.3
http://5.206.224.182
http://5.230.73.134
http://62.233.50.246
http://62.233.51.122
http://62.233.51.95
http://65.109.161.133
http://68.183.230.60
http://77.91.122.230
http://78.47.79.11
http://79.110.62.195
http://79.137.204.54
http://79.137.206.68
http://79.137.248.54
http://81.161.229.234
http://85.192.49.170
http://85.208.136.26
http://89.22.230.175
http://91.215.85.157
http://91.215.85.173
http://95.214.53.95
101.99.91.115:443
104.156.149.126:443
107.148.129.135:443
108.61.189.120:443
109.123.252.250:443
109.206.240.223:443
139.28.37.187:443
141.98.11.18:5351
141.98.6.20:2050
141.98.6.78:2205
142.11.215.202:443
144.76.33.241:443
146.190.162.187:443
146.190.228.125:443
159.65.13.48:443
162.0.217.254:443
163.123.142.243:443
164.90.172.224:443
165.22.48.84:443
167.235.139.187:443
176.113.115.86:443
179.43.142.104:443
179.43.142.107:443
179.43.142.23:443
179.43.154.183:443
179.43.154.219:443
179.43.154.224:443
179.43.154.240:443
179.43.154.245:443
179.43.156.141:443
179.43.156.143:443
179.43.162.2:443
179.43.162.87:443
179.43.162.89:443
179.43.162.94:443
179.43.162.99:443
179.43.163.126:443
179.43.175.195:443
179.43.175.197:443
179.43.176.6:443
179.43.187.197:443
179.43.187.201:443
179.43.187.217:443
179.43.187.80:443
185.107.237.56:443
185.17.0.142:4348
185.209.161.81:2022
185.209.162.190:8080
185.224.129.51:8080
185.225.73.181:443
185.242.87.157:443
185.246.222.251:7469
185.246.222.75:443
185.250.205.73:443
185.250.205.73:8080
185.254.37.92:443
185.43.223.200:443
185.99.133.136:443
188.225.35.87:443
193.149.180.103:443
193.233.20.1:443
193.37.70.80:443
193.37.70.91:443
193.38.55.238:443
193.42.32.236:9070
193.42.33.123:443
194.180.48.102:443
194.180.48.19:443
195.133.40.229:443
195.201.37.208:443
195.3.223.214:5130
212.192.246.118:443
212.193.30.57:8080
212.87.204.3:8080
23.106.124.111:443
23.254.167.32:5892
31.41.244.16:443
37.220.87.35:443
45.12.253.133:443
45.12.253.181:443
45.12.253.92:7079
45.128.234.197:443
45.128.234.63:443
45.150.67.45:443
45.153.186.15:443
45.159.188.236:6779
45.159.188.66:6893
45.159.189.31:3047
45.77.32.158:443
45.81.39.169:8889
45.9.74.150:8080
45.9.74.71:443
46.175.150.169:443
5.206.224.182:443
5.230.68.142:443
5.230.73.94:443
5.230.75.236:443
5.75.142.184:443
5.75.168.236:443
62.204.41.88:443
62.233.51.121:443
62.233.51.122:443
77.91.68.146:8080
79.133.180.168:443
79.137.195.45:8080
79.137.197.174:443
79.137.199.193:443
79.137.204.54:443
79.137.248.54:443
80.66.88.72:443
81.161.229.177:443
81.19.140.83:2077
82.115.223.174:8080
84.54.50.158:443
84.54.50.159:443
85.192.49.170:6636
85.217.144.82:443
87.120.88.209:5211
87.251.67.77:443
91.103.252.25:5894
91.213.50.62:443
91.215.85.145:443
91.228.197.254:443
94.131.106.71:443
94.142.138.27:443
95.214.25.203:4033
95.214.27.17:443
95.214.27.198:443
95.214.27.214:443
/blob/hiu6qd.5u17
/blob/swz9lm.1e3k
/blob/u4z70m.ft7e
/bnlib/upc0ac.61j3
/cylook/ki5lbl.zdvr
/logimamonta/LEND.api
/logimamonta/youtube.api
/modlib/o6u3ke.661c
/work/nfw74d.xos1
/84x7k7op.1fspl

# Reference: https://www.virustotal.com/gui/ip-address/5.255.107.172/detection

http://5.255.107.172

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/txt/Rhadamanthys_C2_21_07_to_31_08_2023.txt

100.95.210.126:443
136.243.177.54:8010
179.43.142.126:6546
185.17.0.221:3709
185.221.67.14:3142
185.225.73.49:4851
185.244.48.109:7314
192.236.147.141:1642
193.109.85.76:6623
208.91.189.147:2905
212.23.221.72:4907
23.152.0.240:7033
45.66.230.106:8748
91.103.252.25:4681
94.156.102.83:4925
94.156.253.150:7546
95.216.58.127:3364
95.217.10.109:7820

# Reference: https://www.virustotal.com/gui/file/717c6d49e4df554a386191492a5b0096dc3d07000de5ed58d2862872ef3b83cc/detection
# Reference: https://www.virustotal.com/gui/file/b904fa91c8949cb19ba7a9b91e87da13cc47facd826f8bf31f71bbd5ce201928/detection
# Reference: https://www.virustotal.com/gui/file/96a42e9c48bdff00a465e584305b5f031510da8e49409e78518022a8ee232304/detection
# Reference: https://www.virustotal.com/gui/file/457175fc2d1304df94e6e411944f188a97f11753991caf80f6e9f15e34d478b4/detection
# Reference: https://www.virustotal.com/gui/file/08f91bf3a2c4bc8e1cbf4c15a19c4d83ce3af95b2c36260e6ace75450ccc5df0/detection

http://172.217.16.206
http://45.12.253.137
connecteds.online
/files/wdssbp/Azaza
/files/wdssbp/Azaza3
/files/wdssbp/Fido
/files/wdssbp/Fido2
/files/wdssbp/GameBoy
/files/wdssbp2/Bronder
/files/wdssbp2/DoomInstaller
/files/wdssbp2/SensApiD
/files/wdssbp2/SensApiE
/files/wdssbp/
/files/wdssbp2/
/wdssbp/Azaza
/wdssbp/Azaza3
/wdssbp/Fido
/wdssbp/Fido2
/wdssbp/GameBoy
/wdssbp2/Bronder
/wdssbp2/DoomInstaller
/wdssbp2/SensApiD
/wdssbp2/SensApiE

# Reference: https://twitter.com/karol_paciorek/status/1703732303367672306
# Reference: https://tria.ge/230918-mx2dhagg7t/behavioral2
# Reference: https://tria.ge/230918-nbz4zsgh4s/behavioral1
# Reference: https://www.virustotal.com/gui/file/1aafbb728f50518d78e14ef7018338f07453a9715f5bc037606ce6c140ee44c3/detection

171.22.28.205:8181
185.244.48.240:3619
194.180.49.48:9715
31.222.238.209:7702
49.13.68.19:6435
79.133.180.126:3886
94.131.112.209:9856
94.156.102.165:443
95.214.55.177:2474

# Reference: https://twitter.com/JAMESWT_MHT/status/1717514680422313988
# Reference: https://twitter.com/reecdeep/status/1727969240756441236
# Reference: https://app.any.run/tasks/cc1a66bf-8b29-400e-967b-9687e2411abb/
# Reference: https://www.virustotal.com/gui/file/28ee2b81591ace7a552b3a921e9efb6128041cdf6634d5570283225ea3db7a20/detection

23.152.0.240:3957
/835a189ccf9d6badf60eacc/6rs81itm.nx5p8
/835a189ccf9d6badf60eacc/oafcpjjl.sp0ps
/835a189ccf9d6badf60eacc/oafcpjjl.sp0
/6rs81itm.nx5p8
/oafcpjjl.sp0ps
/oafcpjjl.sp0

# Reference: https://threatfox.abuse.ch/ioc/1196609/

65.21.101.233:4714

# Reference: https://threatfox.abuse.ch/browse/malware/win.rhadamanthys/ (# 2023-11-10)

http://163.123.142.243
185.170.144.159:6918
185.221.196.69:5127
185.250.45.93:8925
212.23.221.72:7797
31.192.236.94:6642
5.42.65.27:4811
82.115.223.128:9081
87.121.221.145:9271
91.103.252.25:1033
91.103.252.25:1746
91.103.253.174:1199
94.103.94.153:7414
94.156.102.175:443
95.181.173.164:9397
95.214.55.177:1689

# Reference: https://twitter.com/karol_paciorek/status/1727314303752208410
# Reference: https://www.virustotal.com/gui/file/a96d1f994a40cde4bb1bf6f80ce96af5b7e7d934edbb95100ab2fb777f8f2d84/detection

http://185.221.196.81

# Reference: https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
# Reference: https://www.virustotal.com/gui/file/bb8bbcc948e8dca2e5a0270c41c062a29994a2d9b51e820ed74d9b6e2a01ddcf/detection

104.129.128.188:9537

# Reference: https://twitter.com/g0njxa/status/1743248482750652723
# Reference: https://app.any.run/tasks/616d2fa4-9595-4b0b-be84-dd5580df2fc5/

176.113.115.224:6230
185.130.226.143:6575
kms-full.com
kms-product.eu
kms-product.pro

# Reference: https://threatfox.abuse.ch/browse/malware/win.rhadamanthys/ (# 2024-01-05)

http://217.197.107.138
165.232.87.210:5945
185.209.161.162:19000
193.233.132.95:3699
195.3.223.126:4287
77.246.104.220:3422
91.92.242.217:19000
91.92.249.101:443
91.92.253.159:19000
91.92.253.3:19000
95.214.25.71:1645
95.217.82.39:19000

# Reference: https://twitter.com/reecdeep/status/1745391796706795673
# Reference: https://app.any.run/tasks/877c5718-df46-40e8-af49-4f9c139205ca/

141.105.68.140:9392

# Reference: https://any.run/malware-trends/rhadamanthys (# 2024-01-25)
# Reference: https://www.virustotal.com/gui/file/3cfb7fec43036027f8bde45526ecd6d3d4ee2a51fb6d4476d5cd398ced8a3c17/detection
# Reference: https://www.virustotal.com/gui/file/3778411ff33576685f13f163cac7b3452ea7bdce7caa92924ff5194d4b5d0785/detection

http://212.193.30.32
http://31.220.57.50
amxt25.xyz
motorline.pw
mylangroups.com
8002.motorline.pw
api.mylangroups.com
/CRYPTORPROLIV
/a6ba5b1ae6dec5f7c/
/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd
/a6ba5b1ae6dec5f7c/j5e4ok98.h44x9
/abctop/oy7xup.thms
/api/59ywc1.5oic
/api/5uwuz3.sr4b
/api/9wcnem.x0vs
/api/CRYPTORPROLIV
/api/mpnz0d.fxbz
/modlib/79q4x9.fkc9
/modlib/8q85xm.zmam
/wgetlist/in60fc.j42a
