# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: dinihou, duhini, hworm, h-worm, wshrat

# Reference: https://twitter.com/DissectMalware/status/986467663353442305

pm2bitcoin.com

# Reference: https://twitter.com/Racco42/status/1047173279553900551

toheeb.publicvm.com

# Reference: https://twitter.com/Racco42/status/1044562743519584257

185.141.27.177:4123

# Reference: https://twitter.com/Racco42/status/1040353263579738113
# Reference: https://app.any.run/tasks/f6eca300-7137-4e88-bd28-7f9a507a17d3/

46.243.189.128:6969

# Reference: https://twitter.com/Racco42/status/1053747018835869696

fud.fudcrypt.com

# Reference: https://twitter.com/Racco42/status/1102879193631731713

185.198.26.245:3843

# Reference: https://twitter.com/Racco42/status/1110868159492489216

brothersjoy.nl
newmenow.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1016808667692204032

windefendeupdate.duckdns.org

# Reference: https://twitter.com/Jan0fficial/status/1009009607988187137
# Reference: https://pastebin.com/MxR1p5wG

stanman.linkpc.net

# Reference: https://twitter.com/avman1995/status/963273945955864577

ines0049.ddns.net

# Reference: https://www.securityartwork.es/2019/01/25/wirte-group-attacking-the-middle-east/

149.28.14.103:535

# Reference: https://twitter.com/pmelson/status/1119756002503606272

updatesystem.linkpc.net

# Reference: https://twitter.com/Racco42/status/1120981890947854336

185.101.94.172:3018

# Reference: https://twitter.com/Racco42/status/1121350734350413824
# Reference: https://www.virustotal.com/en/file/5efd79ed3058f656b6df2164a37f86e80978d8ebb5f8d5222be03decb03fc28b/analysis/1556133044/

194.187.249.104:7777

# Reference: https://twitter.com/chen_erlich/status/1121406324884086787
# Reference: https://www.hybrid-analysis.com/sample/4ff921531d9cb5c21b3ee081a5fd1c52d12690332dd1ea1608230b8de918ac09

105.105.218.193:4433

# Reference: https://twitter.com/chen_erlich/status/1121406324884086787
# Reference: https://www.virustotal.com/gui/file/b2dc457d16afa43c943b31021052b939d58aedfcdf2fad8e25e5b96edc71d180/detection

updatefacebook.ddns.net
197.162.66.49:2

# Reference: https://twitter.com/chen_erlich/status/1121406324884086787
# Reference: https://www.virustotal.com/gui/file/61c96cdb88877b3c737a1022bb6355e8489d2cc2019ecbcc15be978186552174/detection

23.227.201.158:3047

# Reference: https://www.hybrid-analysis.com/sample/442fe9bb6820ba79ca48429df8e5a01e991302be2a0d45a35c99c5d006a1d64a

office-update.services
104.24.112.139:2082

# Reference: https://twitter.com/JAMESWT_MHT/status/1130449106663616513

savelifes.tech

# Reference: https://twitter.com/James_inthe_box/status/1138092566820212737

doughnut-snack.live
mynameisstaff.warzonedns.com

# Reference: https://twitter.com/luc4m/status/1138430833533104128

unknownsoft.duckdns.org

# Reference: https://twitter.com/Racco42/status/1139458016611356672

sirkashmoremoney.duckdns.org

# Reference: https://twitter.com/Racco42/status/1139461501113311232

chance2019.ddns.net

# Reference: https://twitter.com/HONKONE_K/status/1141181986523844612

bylgay.hopto.org
microsoftoutlook.duckdns.org
soucdtevoceumcuzao.duckdns.org

# Reference: https://twitter.com/Bank_Security/status/1141388470293655552
# Reference: https://pastebin.com/P4h3NHJE

tcoolsoul.com

# Reference: https://twitter.com/Racco42/status/1143054336563564544
# Reference: https://twitter.com/dvk01uk/status/1143027551151042560
# Reference: https://app.any.run/tasks/b6ac016b-3439-4710-9942-e1645343a261/

microsoft.btc-crypto-rewards.cash
160.202.163.246:9966
185.247.228.14:7755

# Reference: https://twitter.com/coderippers/status/1154003951152484352

9d1.myq-see.com
mzu.publicvm.com

# Reference: https://twitter.com/Timele9527/status/1159673642332016640

mmksba.dyndns.org
64.188.25.230:4455

# Reference: https://twitter.com/smica83/status/1166275236741955585

dbin240.ddns.net

# Reference: https://twitter.com/luc4m/status/1166765980489584640

91.132.139.181:9999

# Reference: https://twitter.com/wwp96/status/1171069954881392641
# Reference: https://app.any.run/tasks/d3b840d6-520a-4529-a561-b2ce8c05b432/

79.134.225.72:1104
165.22.129.173:7756
ablerightventures.duckdns.org
pluginsrv1.duckdns.org

# Reference: https://twitter.com/Paladin3161/status/1172178725959397378

plunder.nsupdate.info

# Reference: https://twitter.com/malware_traffic/status/1172610957929062410

81.92.202.176:5200
tain0077.warzonesdns.com

# Reference: https://twitter.com/KorbenD_Intel/status/1133469852579106816

pleasurekeys.hopto.org
suzuki-dc.biz
unknownsoft.duckdns.org

# Reference: https://www.virustotal.com/gui/domain/dz47.cf/relations

dz47.cf

# Reference: https://www.threatcrowd.org/listMalware.php?antivirus=Worm.VBS.Dinihou

4ever4.zapto.org
999mostafa999.no-ip.org
999mostafa999.sytes.net
aboodzainuddin.ddns.net
adda.no-ip.org
adolf2013.sytes.net
alfhaddd-hakr.no-ip.biz
anarqe77.no-ip.biz
anassrojola.ddnsking.com
androidupdate.myq-see.com
avg-antivirus.zapto.org
blackr00t5.no-ip.org
blkisdz.ddns.net
bog5151.zapto.org
bogus911.no.ip.biz
bogus911.no-ip.biz
brigittenetwork.hopto.org
chrome00.sytes.com
chuckey1.no-ip.org
cupidon.zapto.org
desermyth.dyndns.org
devil.hopto.org
diiimaria.zapto.org
dmar123.no-ip.biz
dodaaa.zapto.org
dz-drs.no-ip.biz
dz47.myq-see.com
elisou19.ddns.net
eroor.ddns.net
exxilero.ddns.net
ffff99fff.no-ip.biz
gerssy.zapto.org
google-1.linkpc.net
google00.ddns.net
google7.no-ip.org
greekwebtv.viewdns.net
h-w0rm.zapto.org
hadizz.no-ip.biz
haydar93.no-ip.biz
helps.zapto.org
introworld.no-ip.org
introworld.zapto.org
iphack.no-ip.info
j2w2d.no-ip.biz
jaberlovee.ddns.net
jhk.no-ip.org
khalode4me.no-ip.biz
killer---204.no-ip.biz
king25.zapto.org
kiyoma200.no-ip.biz
klonkino.no-ip.org
kusaisouf.no-ip.org
lastdance.ddns.net
lolokamal.zapto.org
maxxx12.serveftp.org
maxy.no-ip.info
mda.no-ip.org
memo8.no-ip.org
memo9.no-ip.org
mesopotemia222.zapto.org
microsoftsystem.sytes.net
microsoftwindows.sytes.net
migalou2012.no-ip.biz
mlcrosoft.serveftp.com
monas04.no-ip.info
mootje01.no-ip.org
mrkiller.no-ip.org
nouna1985.no-ip.org
pilo-raouf.no-ip.biz
pscho546.hopto.org
qqwe.hopto.org
qwqhack.no-ip.biz
redex.no-ip.info
righi.linkpc.net
rndaso.no-ip.info
romyo333.sytes.net
ronaldo-123.no-ip.biz
s-mz.sytes.net
saifnjrat55.no-ip.biz
sexcam.3utilities.com
shawaf.sytes.net
sidisalim.myvnc.com
smoky29902332.hopto.org
swanox.no-ip.org
tariqalr.zapto.org
terminator9.zapto.org
twiti2390.no-ip.biz
vpn-hacker.no-ip.biz
waforex2011.no-ip.info
winup.serveftp.com
wkooora.sytes.net
wvvw.sytes.net
x.dvr-ddns.com
yah00.sytes.net
ycemufkk6g.bounceme.net
youcef142.no-ip.biz
ysf.no-ip.biz

# Reference: https://www.securityhome.eu/malware/malware.php?mal_id=51549698551bff97f583c51.51712090

abdnjworm.no-ip.biz
abocasse.zapto.org
ahmedghost.no-ip.info
b-trese.no-ip.biz
boucraa.no-ip.org
dd.no-ip.bz
debili1.no-ip.biz
fuck-all.no-ip.info
hackers1990.no-ip.org
heartbraker.no-ip.biz
jnyn-99.no-ip.org
mda.no-ip.org
mmrick.zapto.org
mntm.no-ip.biz
mootje01.no-ip.org
mozaya46415.zapto.org
rouge166821.no-ip.biz
vanonymous.no-ip.org
vichtorio-israeli.zapto.org
zkzak.np-ip.biz

# Reference: http://ddos-info.weebly.com/blog/h-worm-plus-public-in-depth-analysis

adamdam.zapto.org
adolf2013.sytes.net
ahmad212.no-ip.biz
alii007.zapto.org
am1.no-ip.info
ballgogo.no-ip.biz
basss.no-ip.info
bg1337.zapto.org
bog5151.zapto.org
dataday3.no-ip.org
docteuur13.no-ip.org
doda.redirectme.net
dzhacker15.no-ip.org
g00gle.sytes.net
gerssy.zapto.org
googlechrome.servegame.com
hackediraq.no-ip.biz
hackeralbasrah.no-ip.biz
hattouma12.no-ip.biz
hmode123.no-ip.biz
karimstar.zapto.org
kiyoma200.no-ip.biz
koko.myftp.org
mda.no-ip.org
medolife.no-ip.biz
microsoftsystem.sytes.net
mootje01.no-ip.org
msgbox.zapto.org
new-hacker.no-ip.org
njnj.redirectme.net
no99.zapto.org
noooot.no-ip.biz
pess-123.zapto.org
pess-12.zapto.org
portipv6.redirectme.net
ronaldo-123.no-ip.biz
sawdz.no-ip.biz
securityfocus.bounceme.net
shagagy21.no-ip.biz
sidisalim.myvnc.com
silent9.zapto.org
terminator9.zapto.org
vpn-hacker.no-ip.biz
xbox720.zapto.org
xkiller.no-ip.info
yahia17.no-ip.org
zeusback.no-ip.biz
zoia.no-ip.org

# Reference: http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Jenxcus#tab=2
# Reference: http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Worm:VBS/Jenxcus#tab=2

a.servecounterstrike.com
eqe.sytes.net
jnj.redirectme.net
winlogon.servecounterstrike.com
3dmntk.no-ip.biz
999mostafa999.no-ip.biz
9d1.no-ip.org
a.servecounterstrike.com
abanas19.no-ip.biz
abdo1abdo.no-ip.biz
adolf2013.sytes.net
ahmad909.no-ip.biz
ajeeb.zapto.org
ali2010.no-ip.biz
aljabiry1.no-ip.biz
alnazee.no-ip.org
alnazee.no-ip.org
alsha2e.zapto.org
amere-ali.no-ip.biz
aore.no-ip.org
asmarany.no-ip.biz
asmarany.np-ip.biz
aymen112233.no-ip.org
bifrost-jordan.zapto.org
big-hack.no-ip.com
blackhawk.myftp.biz
cggfhddsscds.no-ip.biz
cxxz.no-ip.biz
damla.no-ip.org
dhuaa.no-ip.org
dnsip.servehttp.com
doopy99.zapto.org
fadliking.sytes.net
fons.no-ip.info
frostate.no-ip.biz
ghoster13.no-ip.biz
gmail2013.no-ip.info
hackeralbasrah.no-ip.biz
haedar.no-ip.biz
hanan96.no-ip.bizport
iraqi2013.servemp3.com
jn.redirectme.net
klagord.no-ip.org
kurd2013.no-ip.biz
localh0st.servehttp.com
loll1.no-ip.biz
m4b.no-ip.org
mda.no-ip.org
microsoftsystem.sytes.net
milito.no-ip.org
mohez.no-ip.org
msy.myvnc.com
naza.no-ip.biz
new-hacker.no-ip.org
oscar-bif.zapto.org
portipv6.redirectme.net
pthacker.no-ip.org
ramadan.zapto.org
sdgsg.no-ip.biz
shawaf.sytes.net
shee5iq.no-ip.biz
shee5iq.no-p.biz
sro7.no-ip.info
systemsxp.sytes.net
theghostholako.no-ip.org
thescorpionking.no-ip.org
utilesat.zapto.org
uty.myq-see.com
wahidhackerdz.no-ip.biz
xkiller.no-ip.info
xmx.no-ip.info
xxsc.no-ip.org
xxxxxx.no-ip.biz
yahoomail.3utilities.com
zilol.no-ip.org

# Reference: https://twitter.com/Racco42/status/1174605204353949697
# Reference: https://app.any.run/tasks/27a475ac-c113-49be-b947-f580662600e4/

91.132.139.181:9999

# Reference: https://twitter.com/Littl3field/status/1174624023709454336

178.124.140.148:3571

# Reference: https://www.menlosecurity.com/hubfs/pdfs/Menlo_Houdini_Report%20WEB_R.pdf

dz47.servehttp.com
maroco.linkpc.net
maroco.myq-see.com
maroco.redirectme.net

# Reference: https://twitter.com/pmelson/status/1175928909264838660

185.251.38.91:5555

# Reference: https://twitter.com/dvk01uk/status/1176483058058440705
# Reference: https://app.any.run/tasks/62990e45-e920-48b0-a3b3-9ce2e83f99dc/

192.169.69.25:7757
79.134.225.100:2813
2813.noip.me

# Reference: https://twitter.com/Racco42/status/1178932126588297217

45.79.41.137:2344

# Reference: http://blog.morphisec.com/hworm-houdini-aka-njrat

chroms.linkpc.net
finix5.hopto.org
finixalg11.ddns.net
salh.linkpc.net

# Reference: https://twitter.com/fletchsec/status/1179891198615531521
# Reference: https://www.hybrid-analysis.com/sample/a1da7465c3893cb30408820ee821210c0c1c008dcfde0af167f33e9db61975a2/5d965b610288389582043002

186.85.86.96:1235
nfiefbwihf48h9wun3foisnc98ehfb9uwfu.duckdns.org

# Reference: https://twitter.com/Racco42/status/1131130800630579200

admin1960.linkpc.net
savelifes.tech

# Reference: https://twitter.com/Racco42/status/1111615130272444416

181.52.113.177:8105
socketw3.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1092764605766483969

194.5.99.53:5732

# Reference: https://twitter.com/luc4m/status/1092483141619601408

easyresa.ddns.net
shkis.publicvm.com

# Reference: https://twitter.com/luc4m/status/1073257560625569792

goz.unknowncrypter.com

# Reference: https://twitter.com/Racco42/status/1064880890277494785

185.141.27.177:6544

# Reference: https://twitter.com/DissectMalware/status/1008387935199260672

suport.ddns.net

# Reference: https://twitter.com/DissectMalware/status/986467663353442305
# Reference: https://www.hybrid-analysis.com/sample/f0a1aeaf2a6f3c6098696d3802675097072459b89213177f1e4f1494a67c250a

185.209.85.177:5000

# Reference: https://twitter.com/Racco42/status/1017007079813451778

tune.tym-internationals.com

# Reference: https://twitter.com/Racco42/status/995955505221730304

ihsann.casacam.net

# Reference: https://app.any.run/tasks/505c6e4c-723b-46b0-8917-c200c65817ea/

181.215.247.18:3339
185.198.59.114:5000

# Reference: https://twitter.com/Racco42/status/982731639301267459

lordsdoing2017.ddns.net

# Reference: https://github.com/silence-is-best/c2db#dunihi

192.186.145.93:8885

# Reference: https://github.com/silence-is-best/c2db#houdini-aka-vjworm-vjw0rm

jihanenouhaila.ddns.net

# Reference: https://twitter.com/Racco42/status/1183666041706168321

194.5.98.216:10122

# Reference: https://twitter.com/JAMESWT_MHT/status/1185131622263377923
# Reference: https://app.any.run/tasks/b79dcfcd-5b9b-404f-aaf6-a9ea55109284/

186.147.55.19:5473
186.147.55.19:8371
186.147.55.19:8372
192.169.69.25:8370
mozillamaintenanceservice.duckdns.org
papeleradereciclaje.duckdns.org
seguridaddewindows.duckdns.org

# Reference: https://app.any.run/tasks/1bd816aa-3764-480e-ba70-b57b36551bc7
# Reference: https://www.virustotal.com/gui/ip-address/213.208.152.217/relations

nascoman.ddnsgeek.com
213.208.152.217:14337
60.50.181.240:14337

# Reference: https://www.virustotal.com/gui/ip-address/79.134.225.80/relations

79.134.225.80:7776

# Reference: https://pastebin.com/29uSdMAk

185.165.153.172:3642
homi.doomdns.org

# Generic trails

/give-me-chpv
/is-cmd-shell
/is-enum-driver
/is-enum-path
/is-enum-process
/is-logs
/is-processes
/is-ready
/is-recving
/is-rinoy
/is-rlsartg
/is-sending
/is-sxtyuig
