# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

brokenbones.ru

# Reference: http://sanesecurity.blogspot.com/2015/03/pentafoodscom-invoice-2262004.html

accalamh.aspone.cz
awbrs.com.au

# Reference: https://otx.alienvault.com/pulse/56288ace4637f21ecf2b3149/
# Reference: http://blog.dynamoo.com/2015/10/malware-spam-invoice-for-payment_21.html

inferno.name
btros.co.uk
networking4africa.com
hubbardproducts.com
serverconnect.se
paramountdistributors.com
helicoptersjob.com
theciosummits.org

# Reference: https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

btt5sxcx90.com
rottastics36w.net

# Reference: https://resources.netskope.com/h/i/339100944-latest-microsoft-office-zero-day-served-via-godzilla-botnet

btt5sxcx90.com
hyoeyeep.ws
rottastics36w.net

# Reference: https://www.bromium.com/mapping-malware-distribution-network/ (Figure 3 – Dridex and IcedID shared distribution infrastructure)

104.131.7.40:443
95.211.148.20:1443
37.59.1.74:3389
89.22.103.32:3389

# Reference: https://twitter.com/VK_Intel/status/1114477236890083329

193.29.57.193:443
109.94.110.82:443
185.243.114.241:443
5.149.254.28:443

# Reference: https://twitter.com/Zerophage1337/status/1135584186553819136

http://212.68.198.234
212.129.37.217:3389
174.136.5.242:1801

# Reference: https://twitter.com/VK_Intel/status/1141575181640654850

69.164.194.184:443
167.99.108.97:170
85.234.143.94:170
46.105.131.65:691

# Reference: https://blog.talosintelligence.com/2019/06/threat-roundup-0614-0621.html (# Win.Malware.Dridex-6995476-1)

05p60clujw.com
0hox6fnkju.com
0kgr0svsdw.com
11exvnzpds.com
1di9yqmr4e.com
1ohvaomcea.com
3rw4hwziej.com
49jucwch3k.com
ahy9qgaqjw.com
ahzu9hhyqj.com
dpnrq4kpe7.com
egntxfch2f.com
ejglgrlsfv.com
ijzuyfo6m9.com
ikzjlvrxat.com
nnd9bsodkx.com
p8o6adliq7.com
tkhrjexxyn.com
tqzvsormbw.com
u6vpjfufqz.com
uxnyhqblpm.com
v2xeifg35d.com
wzykyninkd.com
x6n5szq1jb.com

# Reference: https://twitter.com/JRoosen/status/1144313588686958597

138.197.76.168:443

# Reference: https://www.vkremez.com/2018/09/lets-learn-dissecting-dridex-banking.html

104.236.24.85:443
107.170.220.167:4431
188.240.231.15:3889
securityupdateserver4.com

# Reference: https://twitter.com/Bank_Security/status/1148471450422140929
# Reference: https://pastebin.com/0XNMhLP2

144.76.111.43:443
46.105.131.77:443
71.217.15.111:443
97.76.245.131:443
24.40.243.66:443
159.69.89.90:3389
159.89.179.87:3389
62.210.26.206:3389
akamai-static5.online
bustheza.com
cachejs.com
topdalescotty.top

# Reference: https://twitter.com/James_inthe_box/status/1149715067308429312
# Reference: https://twitter.com/malware_traffic/status/1149698996660854784

216.98.148.151:443
188.166.156.241:443
94.23.53.34:443
5.39.91.110:691
5.133.242.156:170
89.22.103.139:8000
ponestona.com

# Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-for-0705-0712.html (# Win.Packed.Xcnfe-7012508-0)

5twtwy19pp.com
b7qxyidhg5.com
c62yc6xsm1.com
coxymk80cd.com
ct1wlbyjzx.com
exgk5nzv7m.com
fvtbhlnxj0.com
fwn4l9u2gb.com
fynzp0oht8.com
glixbn9lnj.com
gzw0bfzxhb.com
hludxizrvf.com
huga7gshpk.com
in4lprxgui.com
lqdu4kraxu.com
lrv8bvrmhq.com
porsukgrlq.com
rjhw2tvcvh.com
rm1cbe2kvb.com
seqamoa4jp.com
t0uetiplqk.com
tcp1twzitf.com
uttn4zziks.com
xpqvri1vhh.com

# Reference: https://twitter.com/oguzpamuk/status/1161379594320175105

195.181.210.12:8000

# Reference: https://twitter.com/VK_Intel/status/1161524612938772480

207.180.208.175:884
178.254.6.27:884
212.71.237.140:884
103.31.232.93:443

# Reference: https://twitter.com/killamjr/status/1164563798939832321

5.230.24.45:8800

# Reference: https://twitter.com/killamjr/status/1168900295725858822

158.69.130.55:8080
neinorog.com
rocknrolletco.top

# Reference: https://twitter.com/ps66uk/status/1179491078279487491
# Reference: https://app.any.run/tasks/ab422490-f2b7-4a83-af46-3394123544af/

185.14.148.44:3389
185.52.3.84:3389
192.254.173.31:1443

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain:-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/ (# Domains used in Dridex phishing campaign)

corporatefaxsolutions.com
onenewpost.com
xeronet.org

# Reference: https://twitter.com/James_inthe_box/status/1189502725433614336
# Reference: https://twitter.com/luc4m/status/1189512038495801344

37.59.60.80:3389
37.59.60.80:443
37.59.60.80:691

# Reference: https://twitter.com/sugimu_sec/status/1189808608013217793

185.52.3.84:3389
216.177.137.35:3389
