# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Remcos-G/detailed-analysis.aspx

remcos.legacyrealestateadvisors.net
remcos2.legacyrealestateadvisors.net

# Reference: https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html

dboynyz.pdns.cz
streetz.club
mdformo.ddns.net
mdformo1.ddns.net
vitlop.ddns.net
ns1.madeinserverwick.club
uploadtops.is
prince.jumpingcrab.com
timmason2.com
lenovoscanner.duckdns.org
lenovoscannertwo.duckdns.org
lenovoscannerone.duckdns.org
google.airdns.org
civita2.no-ip.biz
pimmas.com.tr
mervinsaat.com.tr
samurmakina.com.tr
paulocamarao.com
midatacreditoexperian.com.co
lebontour.com
businesslisting.igg.biz
unifscon.com

# Reference: https://twitter.com/MaelSecurity/status/1036551872008605696

test200.dynu.net

# Reference: https://twitter.com/ps66uk/status/1040576968750706689
# Reference: https://www.virustotal.com/#/ip-address/185.163.100.45

gclarke77.gotdns.ch
gclarke7.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1040620171692466176

yvonne.ddns.net

# Reference: https://twitter.com/avman1995/status/1040472512356855808

top.taijh.xyz

# Reference: https://twitter.com/Racco42/status/1040154199592509440

auxlorenagomez.ddns.net

# Reference: https://twitter.com/luc4m/status/1021670673247285248

worldwide.weldwire.top

# Reference: https://twitter.com/luc4m/status/1019948492947709953

gatewayglobal.strangled.net

# Reference: https://twitter.com/James_inthe_box/status/1018792273574678528

http://185.62.190.232

# Reference: https://twitter.com/ps66uk/status/1046900765493739520

menaxe.duckdns.org

# Reference: https://www.cyren.com/blog/articles/fake-invoice-carries-rescoms-malware-targeting-businesses-globally

infocolornido.publicvm.com

# Reference: https://twitter.com/ScumBots/status/1051360120834265088

satan969.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1044204804354957312

ddns.njegidi888.xyz

# Reference: https://twitter.com/Racco42/status/1027883312252108800

2419.damnserver.com
2419.duckdns.org
2419.geekgalaxy.com
2419.health-carereform.com
2419.pgafan.net

# Reference: https://twitter.com/Jan0fficial/status/986580332135829506

remrem.onmypc.net

# Reference: https://twitter.com/Jan0fficial/status/975661898363559937

emilylatta411.servehttp.com

# Reference: https://twitter.com/James_inthe_box/status/939146342357536768/photo/1

gemalto788.ddns.net

# Reference: https://twitter.com/Racco42/status/1054384363524235264

eskimoz.duckdns.org

# Reference: https://twitter.com/ScumBots/status/1102437794025295872

112.204.228.252:2323

# Reference: https://www.cert-pa.it/notizie/analisi-del-malware-remcos-veicolato-tramite-packer-delphi/

pekniecza.hopto.org

# Reference: https://twitter.com/dvk01uk/status/1108949343074054144
# Reference: https://app.any.run/tasks/5e5404b2-4018-4da4-a6a3-19465fa7cc9c

185.244.29.73:6767

# Reference: https://twitter.com/malwrhunterteam/status/1111352801693782016

castelfable.duckdns.org

# Reference: https://twitter.com/malwrhunterteam/status/1104327117309968384

infosblogwar.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1098553609375993856

194.68.59.41:1956

# Reference: https://twitter.com/pollo290987/status/1083401581670875136

194.5.98.173:7081

# Reference: https://twitter.com/ps66uk/status/1062514051165704192

argonsa.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1060547624418168839

cjmoney.duckdns.org

# Reference: https://twitter.com/ps66uk/status/1049011930411794432

185.148.241.58:2442

# Reference: https://twitter.com/FewAtoms/status/1104355364391305216

196.127.74.118:2402

# Reference: https://twitter.com/Racco42/status/1088469487387664384

utchmann.bounceme.net

# Reference: https://twitter.com/pancak3lullz/status/1075888625261387777

info1.duckdns.org
185.244.30.126:5552

# Reference: https://twitter.com/James_inthe_box/status/1063118942095331328

449ers.ddns.net

# Reference: https://twitter.com/Jan0fficial/status/986580332135829506

remrem.onmypc.net

# Reference: https://twitter.com/Jan0fficial/status/975661898363559937

emilylatta411.servehttp.com

# Reference: https://twitter.com/ViriBack/status/971430374919122944

top.carolp1.xyz
185.62.189.72:1992

# Reference: https://twitter.com/pollo290987/status/963073970542129152

jerryemperror2.punkdns.top

# Reference: https://twitter.com/avman1995/status/960419643704913920

obereagu.ddns.net

# Reference: https://twitter.com/Antelox/status/884773449520095232

178.73.210.233:100

# Reference: https://twitter.com/makflwana/status/1104376804293263360
# Reference: https://app.any.run/tasks/8149d283-b550-4b31-9adf-4b4c85962e7d

juanbouyant.ddns.net

# Reference: https://twitter.com/x42x5a/status/1114133426708340736

prueba00223.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1115258819473317888

triggerd.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1121754056517537792

winsec.ddns.net
46.246.86.67:2606

# Reference: https://twitter.com/dvk01uk/status/1123210727483957248
# Reference: https://app.any.run/tasks/0e57a079-57d4-4c2d-8e01-82d316ac2d55

ablegod.hopto.org
79.134.225.6:6691

# Reference: https://github.com/edchavarro/RAT_IoCs

lacoste587.lacoste587.agency
dsquared21.dsquared21.rocks
hugoboss01.hugoboss01.store
luisvuitton.luisvuitton.tech
supreme12.supreme12.recipes
automovil1.peugeot10.cc
comida2.kfc52.club
auto14.wolsvagen7.mobi
telefonia1.telcel75.asia
consola2.nintendo3.life
microsofteup.pdns.cz
lexusempresa.100chickens.me
mojarracompany.pdns.cz
camilo6541.pdns.cz
balvinnew.100chickens.me
mercadolibre.pdns.cz
ebayeup.pdns.cz
antonio6532.pdns.cz
daniel6536.pdns.cz
181.57.221.10:4450
181.57.221.10:4452
181.57.221.10:4851

# Reference: https://twitter.com/pancak3lullz/status/1009524847314194434

185.209.85.75:7921

# Reference: https://twitter.com/suyog41/status/1129322130078916608
# Reference: https://www.virustotal.com/gui/file/817e345ac4e63947b592e28774c71c4a01d7c0f2005324b028871e0dedd7c4ef/detection

bego.hopto.org

# Reference: https://twitter.com/HerbieZimmerman/status/1131977968950099968

185.244.31.137:6666

# Reference: https://twitter.com/James_inthe_box/status/1132292966062518272

manihackz.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1132294012100960257

amanihackz.ddns.net

# Reference: https://twitter.com/ffforward/status/1133631211337912320

mgc2.hopto.org

# Reference: https://twitter.com/dvk01uk/status/1133667461335801857
# Reference: https://app.any.run/tasks/5c919ea0-0f27-481a-af41-42057d090096/

185.244.31.137:6767

# Reference: https://twitter.com/dvk01uk/status/1134014391249252357
# Reference: https://app.any.run/tasks/8d26c7f7-70bc-40c7-bfe2-b664d555054b/

185.244.31.34:6868

# Reference: https://www.malware-traffic-analysis.net/2017/12/22/index.html

darlz.freeddns.org
185.62.190.214:1695

# Reference: https://twitter.com/anyrun_app/status/1138078003815206912
# Reference: https://app.any.run/tasks/2aa81217-cd73-41af-901b-d578b5bbf041/

13.250.1.111:1986
13.250.1.111:1992
194.67.209.128:1992
194.67.209.128:7707
216.38.8.168:1986
216.38.8.168:7707

# Reference: https://twitter.com/James_inthe_box/status/1139839056748011520

xcv87xcv7xc7sd5f67s5dxc67vxdsfwe342.publicvm.com

# Reference: https://twitter.com/James_inthe_box/status/1139881993607380993

stainlessplc.ddns.net
184.75.209.163:6799

# Reference: https://twitter.com/dvk01uk/status/1141314328362176512
# Reference: https://app.any.run/tasks/8f80f415-a02e-451b-9797-96a3d03c793d/

185.247.228.199:6868

# Reference: https://twitter.com/x42x5a/status/1142113259044179968

jaybaba2.bounceme.net

# Reference: https://twitter.com/James_inthe_box/status/1142187271283548160

91.189.180.203:3480

# Reference: https://twitter.com/x42x5a/status/1142436174755192833

cemileorucs.ddns.net

# Reference: https://twitter.com/DbgShell/status/1143669818652069894

vubhijk.duckdns.org

# Reference: https://twitter.com/gorimpthon/status/1144186368483975168
# Reference: https://app.any.run/tasks/e5283183-af56-4628-bff3-b12572b43896/

185.247.228.99:1998
terrymamela.ddns.net

# Reference: https://twitter.com/reecdeep/status/1145646210398773249
# Reference: https://app.any.run/tasks/e89b3c70-50a6-421a-b639-299a918e147c/

jerryo.duckdns.org
185.247.228.236:8815

# Reference: https://pastebin.com/S4ggik78

du4alr0ute.sendsmtp.com

# Reference: https://twitter.com/killamjr/status/1154121304213094401

talkmess.dns-cloud.net

# Reference: https://twitter.com/Racco42/status/1157207083382652928

newrr.duckdns.org

# Reference: https://twitter.com/Racco42/status/1157242080932089856

191.101.150.90:2950

# Reference: https://blog.talosintelligence.com/2019/08/threat-roundup-0726-0802.html (# Win.Malware.Remcos-7089920-1)

abeasinf.duckdns.org
remsalvados2019.duckdns.org

# Reference: https://twitter.com/killamjr/status/1161983614197936128

185.244.31.32:2404

# Reference: https://twitter.com/James_inthe_box/status/1148692646942015488
# Reference: https://twitter.com/killamjr/status/1167454907676467201
# Reference: https://app.any.run/tasks/1c8c17b6-2628-4a06-8c2a-deb889e3e010/

185.244.31.96:3090
top.subaroone.waw.pl

# Reference: https://twitter.com/reecdeep/status/1163796233363906560
# Reference: https://app.any.run/tasks/e990631e-57b0-49db-b0b0-750dc33927dc/

185.244.31.26:6265
safer.ddns.net

# Reference: https://twitter.com/wwp96/status/1163788636036501504

evergraced.ddns.net

# Reference: https://twitter.com/Paladin3161/status/1164517058672906241

daya4659.ddns.net

# Reference: https://twitter.com/killamjr/status/1165459331912888320
# Reference: https://app.any.run/tasks/211498a3-95a8-44ee-a87b-25cdac3d8edc/
# Reference: https://www.virustotal.com/gui/file/6b32d6a32540884c3fb1a195b32b02aec9dd06797c464dee1c02bbb6ee97ffd1/detection
# Reference: https://twitter.com/killamjr/status/1168575703656189952
# Reference: https://app.any.run/tasks/346f19a6-7cd8-4da7-b7ba-76651bc540f1/

193.56.28.241:4444
193.56.28.241:8888
23.105.131.202:8888
crackme.hopto.org
noface55.kozow.com

# Reference: https://twitter.com/oguzpamuk/status/1166293812714659841
# Reference: https://app.any.run/tasks/d069fcb1-1c81-4f87-97bc-d4afb40a06e7/
# Reference: https://twitter.com/Racco42/status/1168449724724084737

193.56.28.173:2404
95.216.17.186:2404
23.105.131.169:2404
rownip.3utilities.com
rownip.dyndnss.net
rownip.theworkpc.com

# Reference: https://twitter.com/ps66uk/status/1167016794260946944
# Reference: https://app.any.run/tasks/121e7cd1-6954-44be-a1b4-825c2615c11c/

79.134.225.48:3765
remcoss.onmypc.org

# Reference: https://twitter.com/de_aviation/status/1097547526763433985

du4alr0ute.sendsmtp.com
helloweenhagga.ddns.net
hhlari.ddns.net
moneybag123.ddns.net
revengerx111.sytes.net

# Reference: https://twitter.com/malware_traffic/status/1169050682386763776

37.19.193.217:2404
37.19.193.217:2405

# Reference: https://twitter.com/KorbenD_Intel/status/1169996681259245569

charlesremcos.duckdns.org

# Reference: https://twitter.com/wwp96/status/1170314034564018180

uaeoffice999.warzonedns.com

# Reference: https://twitter.com/wwp96/status/1170332469960331266

66.154.113.142:2404
jkharding2014.myddns.rocks
tomharry.ddns.net

# Reference: https://twitter.com/wwp96/status/1170334923892371459
# Reference: https://app.any.run/tasks/e2340ee4-ba30-44ec-b748-1d625e65db63/

79.134.225.77:2019
gratefulheart.ddns.net

# Reference: https://twitter.com/wwp96/status/1171448440535973888
# Reference: https://app.any.run/tasks/fcbb836f-7ade-44f1-bbeb-9c7d9047fbe1/

185.4.29.140:24009
inf111.ddns.net
inf111.hopto.org

# Reference: https://twitter.com/luc4m/status/1171783171677065217

charstiago6.dynu.net

# Reference: https://twitter.com/DynamicAnalysis/status/1172221575376134144

79.134.225.105:3368
sub2.haircaresupertouch.waw.pl

# Reference: https://twitter.com/dvk01uk/status/1176383495339483136

217.20.114.220:1010
myhousedubem.ddns.net

# Reference: https://twitter.com/VK_Intel/status/1176933671389081601

79.134.225.101:1188
sciano.duckdns.org

# Reference: https://twitter.com/Racco42/status/1179472593927200774
# Reference: https://twitter.com/Racco42/status/1179880257438003200
# Reference: https://www.virustotal.com/gui/ip-address/185.105.236.187/relations

185.105.236.187:5001
cepastr.ddns.net
manafuuh.ddns.net
teryts1802.sytes.net
updatechrome.duckdns.org

# Reference: https://twitter.com/VK_Intel/status/1179782506465366020

ulnews.duckdns.org

# Reference: https://twitter.com/Dashowl/status/1179833764651962369
# Reference: https://app.any.run/tasks/e38aa085-4cc2-43e6-befe-0b4d5caeb0b6/

204.152.219.70:5731
abundantgrace1.ddns.net

# Reference: https://app.any.run/tasks/9bfe4193-bfea-4523-be81-68953435e7b7/

181.215.247.18:2404

# Reference: https://twitter.com/MalwareConfig/status/1180886611602612224
# Reference: https://malwareconfig.com/config/daca573a51e9b080e2f3f6303611ee83

160.116.15.149:35364
henryofonyiri.ddns.net

# Reference: https://twitter.com/killamjr/status/1180968029858910209
# Reference: https://app.any.run/tasks/f9985b06-08a9-41dd-b2d4-d051e02f8c08/

137.116.73.45:2404
reneelauto.ddns.net

# Reference: https://twitter.com/teoseller/status/1179318648718188545
# Reference: https://www.virustotal.com/gui/file/550baa07a33c62d24636d672c5a0973dbb1babc8ddc75e434d316ece595296f6/detection

185.81.157.41:2404
santzo.warzonedns.com

# Reference: https://app.any.run/tasks/cb0e97af-6122-4181-87e5-842dedde0d77/

178.239.21.116:1795

# Reference: https://app.any.run/tasks/7634c4dc-dee9-41e0-a2c0-32b4ef3d1885/

213.184.126.134:1337

# Reference: https://twitter.com/P3pperP0tts/status/1181578274394251264
# Reference: https://www.hybrid-analysis.com/sample/47232b513efbd2c6fcd3dd1778aa00ca018710c8afd597d238ab1c94433747c4/5d9c9ed50288383e19febfe6

185.158.249.88:2404

# Reference: https://twitter.com/killamjr/status/1183421884794204160
# Reference: https://app.any.run/tasks/deed1a67-8d99-4e3c-9e87-5e63c39cb4c6/

top.intelprovidejordan.waw.pl

# Reference: https://github.com/edchavarro/RAT_IoCs/blob/master/README.md (# Remcos section)

181.57.204.130:4452
46.246.82.66:2000
bolso.gucci12.cc
celularmovil.huawei10.digital
consola2.nintendo3.life
consolajuego.nintendowii12.email
telefonia.claromovil1.work
tennis1.adidas3.tech

# Reference: https://any.run/report/613f437f01744740c4e96d84c970c51128929fcdaa1a9d7e31a1ee063bf49f8e/3ae8d7b9-9a47-4ac4-b564-96510dc901d7

185.217.1.173:2404
algheithcompany.duckdns.org

# Reference: https://twitter.com/smica83/status/1186542376355094529

91.189.180.214:7890

# Reference: https://twitter.com/killamjr/status/1188630140076658690
# Reference: https://app.any.run/tasks/a9de27e3-1bdc-43e9-8349-25bbe9c6cd90/

192.169.69.25:8077
redditmercy.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1189251481943363586
# Reference: https://pastebin.com/H5UqcHv1

37.19.193.217:2398
toptoptop2.online
toptoptop2.site
toptoptop3.online
toptoptop3.site

# Reference: https://twitter.com/James_inthe_box/status/1189202165161529344

79.134.225.95:4050
79.134.225.95:6080
mnx.duckdns.org

# Reference: https://twitter.com/w3ndige/status/1189301538142990339
# Reference: https://app.any.run/tasks/a8a4f079-0296-41fa-bcb0-546a54db9e56/

109.202.103.170:8733
213.152.161.40:8733
213.152.162.89:8733
213.152.162.109:8733

# Reference: https://twitter.com/VK_Intel/status/1189602729498464257
# Reference: https://www.virustotal.com/gui/file/9235b1f5f9cc8efbf0ad96e4b48872a4043286fcdd182423746ed2e3700e1559/detection

79.134.225.20:2404
hobbotgy.duckdns.org

# Reference: https://twitter.com/Paladin3161/status/1190072879242596352
# Reference: https://www.virustotal.com/gui/file/6e366fd065815118100c0a7fe8fa95208e87944b9dd4ce9df556c6d9f31151ec/detection

menaxe.nsupdate.info

# Reference: https://www.virustotal.com/gui/file/d23189d4520692301d6a013f60d59972fb61fd4bc3f011693411b20e9bdbd1e6/detection

185.244.31.85:4050
menaxe212.duckdns.org

# Reference: https://www.virustotal.com/gui/file/6ddca5e1a4a9a4afd6663da5c05252d4150c8e271fbe28a81b3ae3af4cbca49c/detection

185.165.153.185:4050

# Reference: https://pastebin.com/29uSdMAk

sub.thebest1jewels.waw.pl

# Reference: https://pastebin.com/29uSdMAk
# Reference: https://www.virustotal.com/gui/ip-address/79.134.225.29/relations

79.134.225.29:3018
bzsoftwaress.hopto.org
faxjohn01.dyn.ddnss.de
londonchap.duckdns.org
samuelcity.ddns.net
top.citycentrejo.waw.pl
sub.winkcaffe.waw.pl

# Reference: https://twitter.com/killamjr/status/1191192709727506438

79.134.225.73:2404

# Reference: https://app.any.run/tasks/508a6b73-18b4-490e-a1f3-69341ba72512/

79.134.225.80:2404
clintonlog.hopto.org
joseph3m.ddns.net

# Reference: https://app.any.run/tasks/880d03b6-ed40-4688-a1ee-7f27e9873013/

91.189.180.214:7890

# Reference: https://twitter.com/malwrhunterteam/status/1060836685771087873

35.237.81.215:1604
fuckerswashere.duckdns.org
