# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: hworm, h-worm, wshrat

# Reference: https://twitter.com/DissectMalware/status/986467663353442305

pm2bitcoin.com

# Reference: https://twitter.com/Racco42/status/1047173279553900551

toheeb.publicvm.com

# Reference: https://twitter.com/Racco42/status/1044562743519584257
# Reference: https://twitter.com/Racco42/status/1040353263579738113
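# Generic trail: a URL path rather than a host or IP, so it is not tied to a single C2 server
# and may also match unrelated services that expose the same path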

/is-ready

# Reference: https://twitter.com/Racco42/status/1053747018835869696

fud.fudcrypt.com

# Reference: https://twitter.com/Racco42/status/1102879193631731713

185.198.26.245:3843

# Reference: https://twitter.com/Racco42/status/1110868159492489216

brothersjoy.nl
newmenow.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1016808667692204032

windefendeupdate.duckdns.org

# Reference: https://twitter.com/Jan0fficial/status/1009009607988187137
# Reference: https://pastebin.com/MxR1p5wG
# '/is-sending' below is a generic URL-path trail (like '/is-ready'), not a host-specific one

stanman.linkpc.net
/is-sending

# Reference: https://twitter.com/avman1995/status/963273945955864577

ines0049.ddns.net

# Reference: https://www.securityartwork.es/2019/01/25/wirte-group-attacking-the-middle-east/

149.28.14.103:535

# Reference: https://twitter.com/pmelson/status/1119756002503606272

updatesystem.linkpc.net

# Reference: https://twitter.com/Racco42/status/1120981890947854336

185.101.94.172:3018

# Reference: https://twitter.com/Racco42/status/1121350734350413824
# Reference: https://www.virustotal.com/en/file/5efd79ed3058f656b6df2164a37f86e80978d8ebb5f8d5222be03decb03fc28b/analysis/1556133044/

194.187.249.104:7777

# Reference: https://twitter.com/chen_erlich/status/1121406324884086787
# Reference: https://www.hybrid-analysis.com/sample/4ff921531d9cb5c21b3ee081a5fd1c52d12690332dd1ea1608230b8de918ac09

105.105.218.193:4433

# Reference: https://twitter.com/chen_erlich/status/1121406324884086787
# Reference: https://www.virustotal.com/gui/file/b2dc457d16afa43c943b31021052b939d58aedfcdf2fad8e25e5b96edc71d180/detection

updatefacebook.ddns.net
197.162.66.49:2

# Reference: https://twitter.com/chen_erlich/status/1121406324884086787
# Reference: https://www.virustotal.com/gui/file/61c96cdb88877b3c737a1022bb6355e8489d2cc2019ecbcc15be978186552174/detection

23.227.201.158:3047

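# Reference: https://www.hybrid-analysis.com/sample/442fe9bb6820ba79ca48429df8e5a01e991302be2a0d45a35c99c5d006a1d64a
# NOTE(review): 104.24.112.139 falls in a Cloudflare range (104.24.0.0/14), i.e. a shared reverse-proxy
# address; the IP:port trail may match unrelated sites behind the same address - confirm before blocking on it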

office-update.services
104.24.112.139:2082

# Reference: https://twitter.com/JAMESWT_MHT/status/1130449106663616513

savelifes.tech

# Reference: https://twitter.com/James_inthe_box/status/1138092566820212737

doughnut-snack.live
mynameisstaff.warzonedns.com

# Reference: https://twitter.com/luc4m/status/1138430833533104128

unknownsoft.duckdns.org

# Reference: https://twitter.com/Racco42/status/1139458016611356672

sirkashmoremoney.duckdns.org

# Reference: https://twitter.com/Racco42/status/1139461501113311232

chance2019.ddns.net

# Reference: https://twitter.com/HONKONE_K/status/1141181986523844612

bylgay.hopto.org
microsoftoutlook.duckdns.org
soucdtevoceumcuzao.duckdns.org

# Reference: https://twitter.com/Bank_Security/status/1141388470293655552
# Reference: https://pastebin.com/P4h3NHJE

tcoolsoul.com

# Reference: https://twitter.com/Racco42/status/1143054336563564544
# Reference: https://twitter.com/dvk01uk/status/1143027551151042560
# Reference: https://app.any.run/tasks/b6ac016b-3439-4710-9942-e1645343a261/
# NOTE(review): doughnut-snack.live is also listed earlier in this file (duplicate entry)

doughnut-snack.live
microsoft.btc-crypto-rewards.cash
160.202.163.246:9966
185.247.228.14:7755
