# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/itaitevet/status/1035250414038474752
# Reference: https://pastebin.com/XT20EyJA

3gihg5esw7lxg2wh.onion

# Reference: https://www.securityhome.eu/malware/malware.php?mal_id=8442588975b9c69bf696447.83703696

/neam.meow

# Reference: https://myonlinesecurity.co.uk/trickbot-still-being-delivered-by-fake-payroll-emails/

/super.orb

# Reference: https://twitter.com/James_inthe_box/status/1047239965216665600
# Reference: https://twitter.com/James_inthe_box/status/1047241977043898368

/cantbe.played

# Reference: https://www.malware-traffic-analysis.net/2018/10/05/index.html

/novich.gas

# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html

excel-office.com

# Reference: https://app.any.run/tasks/fe58bf2c-065f-4505-a644-6baeeb7ee4cf

/78237_8219_9.php

# Reference: https://twitter.com/Racco42/status/1107351502878842880

/001928_112.php

# Reference: https://twitter.com/Racco42/status/1106547527334154240

/47238348_8820.php

# Reference: https://twitter.com/Racco42/status/1106225615705948167

/99208_929_991.php

# Reference: https://twitter.com/Racco42/status/1106201029127880704

/92112893892.php

# Reference: https://twitter.com/Racco42/status/1102869794502705152

/CPQpqCOuKV.php

# Reference: https://twitter.com/Racco42/status/1102590512228388866

/930_08.php

# Reference: https://twitter.com/K_N1kolenko/status/918370497590628353

/logHbst.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1109027309015715840
# Reference: https://app.any.run/tasks/738cc560-f3c6-4534-893d-3ea28dd60671

/shh.sshh

# Reference: https://twitter.com/Racco42/status/1110461029354487809

/993098_2.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1111236459930046464
# Reference: https://app.any.run/tasks/ca7a8278-2535-4101-b5be-ea70e7362617

/tot445/

# Reference: https://twitter.com/0bfusCat/status/1036577317190021127

95.213.251.200:443
/tt0002

# Reference: https://twitter.com/avman1995/status/1115514722751848448

3dnext.ru/43434673.php

# Reference: https://twitter.com/K_N1kolenko/status/1094871503303262208

/corona.mor

# Reference: https://twitter.com/JAMESWT_MHT/status/1117105783240577026

/7738_0019.php

# Reference: https://twitter.com/K_N1kolenko/status/918370497590628353
# Reference: https://twitter.com/K_N1kolenko/status/916192356847751168
# Reference: https://twitter.com/K_N1kolenko/status/900259914874073088

/worming.png

# Reference: https://twitter.com/K_N1kolenko/status/916551437647335424

/worming2.png

# Reference: https://twitter.com/K_N1kolenko/status/1017305694331121665

5g4c3a6jkk734fs5.onion

# Reference: https://twitter.com/malware_traffic/status/1118299982069628929

201.184.231.34:8082
/sat43/

# Reference: https://twitter.com/Racco42/status/1118476901876674561

/43455_5514_12.php

# Reference: https://twitter.com/malware_traffic/status/1119021844416405504

/8377_8298_99.php

# Reference: https://twitter.com/pancak3lullz/status/1106677558224060416
# Reference: https://twitter.com/pancak3lullz/status/1102629658221314048

103.119.144.250:8082
75.183.130.158:8082
/lib427/
/tot427/

# Reference: https://twitter.com/Racco42/status/1121379098834755584

/99200277_0.php

# Reference: https://twitter.com/James_inthe_box/status/1126175073759481857
# Reference: https://pastebin.com/T5U4SHQU

181.209.88.26:449
185.222.202.42:443
185.222.202.43:443
95.213.252.153:443
192.227.232.63:443
192.227.232.65:443
104.200.67.163:443
185.243.115.149:443
200.122.209.78:449
200.54.14.61:449
181.143.17.66:449
177.105.235.17:449
181.143.102.30:449
190.0.20.114:449
190.151.25.178:449
201.184.69.50:449
190.109.165.197:449
125.209.82.158:449
80.173.224.81:449
76.107.90.235:449
181.129.136.226:449
191.103.219.138:449
202.63.242.48:449
181.176.191.5:449
190.117.66.194:449
186.226.188.105:449
143.255.141.137:449
190.151.10.114:449
181.115.236.26:449
190.196.32.42:449
181.48.203.10:449
177.105.237.93:449
181.129.20.250:449
186.159.2.153:449

# Reference: https://twitter.com/malware_traffic/status/1128019457966735360
# Reference: https://twitter.com/malware_traffic/status/1136682537005305858

186.159.1.217:8082

# Reference: https://twitter.com/Racco42/status/1128955163023171584

/1124_938_0029.php

# Reference: https://twitter.com/binitamshah/status/1137743683586052096
# Reference: https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
# Reference: https://pastebin.com/wZ3R0gCa
# Reference: https://pastebin.com/ghGtMBLH

125.209.82.158:449
136.25.2.43:449
138.186.62.222:449
143.255.141.137:449
162.209.124.166:80
167.99.206.127:80
177.105.235.17:449
177.105.237.93:449
177.183.194.194:449
177.92.249.187:449
179.189.234.157:449
181.112.221.246:449
181.115.156.218:80
181.115.236.26:449
181.129.136.226:449
181.129.160.10:8082
181.129.20.250:449
181.129.49.98:449
181.143.102.30:449
181.143.17.66:449
181.176.191.5:449
181.209.88.26:449
181.48.203.10:449
181.57.97.138:80
185.117.73.140:443
185.183.96.219:443
185.183.97.37:443
185.198.57.70:443
185.244.150.148:443
186.10.243.70:8082
186.159.1.217:8082
186.183.151.194:8082
186.226.188.105:449
186.248.163.198:449
186.42.186.202:449
187.17.201.237:449
187.61.106.223:449
187.61.107.140:449
187.65.49.88:449
187.8.169.10:449
187.95.123.179:449
187.95.32.18:449
190.0.20.114:449
190.109.165.197:449
190.117.66.194:449
190.151.10.114:449
190.151.25.178:449
190.152.125.162:80
190.196.32.42:449
190.215.52.165:449
191.103.219.138:449
191.103.252.29:80
191.241.233.195:449
191.242.178.210:449
191.36.157.164:449
192.210.152.190:443
194.5.250.130:443
195.123.240.31:443
199.247.24.9:80
2.184.90.173:449
200.107.59.130:449
200.110.72.134:449
200.122.209.78:449
200.21.51.30:80
200.35.47.199:80
200.35.56.81:449
200.54.14.61:449
200.83.49.141:449
201.148.247.21:449
201.184.69.50:449
201.56.193.18:449
202.63.242.48:449
209.45.30.2:449
216.189.145.231:443
31.47.55.106:449
36.91.93.114:80
37.255.200.157:449
5.190.90.5:449
75.183.130.158:8082
76.107.90.235:449
79.137.119.209:443
80.173.224.81:449
85.133.183.174:449
85.209.162.148:443
89.46.223.252:443
90.215.52.165:449
91.242.178.210:449
91.98.159.58:449
93.115.146.119:449
93.115.147.198:449
94.101.182.156:449
97.87.127.198:80

# Reference: https://twitter.com/James_inthe_box/status/1090234438833778690
# Reference: https://app.any.run/tasks/5a12dfe2-ba7a-4efe-8062-d710e7350c94/

37.140.199.69:17655
37.140.199.69:25087

# Reference: https://twitter.com/ararora4/status/1144982095325990913
# Reference: https://garwarner.blogspot.com/2019/06/trickbot-new-injects-new-host.html

aefaldnessliverhearted.com
onlylocaltrade.com
remirollerros.com
wellsfargostrade.com

# Reference: https://twitter.com/malware_traffic/status/1146086054207873024

170.238.117.187:8082

# Reference: https://twitter.com/ps66uk/status/1147193022830059521

mailchi.mp/d975f55661ef/4jzmygx2t9
pasini.info

# Reference: https://twitter.com/seguridadyredes/status/1054112048559329282

http://185.92.74.85/index.php
98.177.188.224:49225

# Reference: https://twitter.com/James_inthe_box/status/1151140239122894848
# Reference: https://pastebin.com/wTidM7a9

187.58.56.26:449
146.196.122.167:449
177.103.240.149:449
131.196.184.141:449
103.117.232.198:449
163.53.80.228:449
190.152.4.210:449
138.59.233.5:449
36.89.85.103:449
146.196.122.152:449
170.84.78.186:449
131.255.82.24:449
186.138.152.228:449
180.250.197.188:449
181.129.93.226:449
186.42.226.46:449
190.13.160.19:449
186.183.199.114:449
177.8.172.86:449
181.129.140.140:449
103.87.48.66:449
177.52.79.29:449
168.227.229.112:449
186.42.186.202:449
138.121.24.78:449
131.0.142.120:449
181.129.49.98:449
181.115.168.69:449
172.245.241.25:443
185.141.26.80:443
107.191.109.143:443
193.124.176.170:443
206.217.143.91:443
23.94.137.179:443
23.94.137.223:443
94.103.94.97:443
92.38.171.12:443
104.194.215.57:443
89.105.203.180:443
185.141.25.101:443
195.133.196.102:443
185.252.144.213:443
198.46.190.37:443
78.155.206.85:443

# Reference: https://twitter.com/Racco42/status/1151098878466416641
# Reference: https://pastebin.com/94cAWDHm
# Reference: https://twitter.com/jcarndt/status/1154731650145763328

/hollyhole/c644.php
/hollyhole951/c644.php

# Reference: https://twitter.com/malware_traffic/status/1151540706508464134

luxuryvailrentals.com

# Reference: https://otx.alienvault.com/pulse/5d2f644f8fe9174629471028
# Reference: https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor

qqcore.co
util98.com

# Reference: https://twitter.com/malwrhunterteam/status/1151382643277213696

get-office365.live

# Reference: https://twitter.com/Racco42/status/1152202184685236232

alco.co.in/images/flash_viewer.php
aloe-drink.com/host.php
alternativemedicinenis.com.au/images/view.php
amanchemicalsindia.in/images/visual.php
ambari.co.in/images/view_install.php
ambivium.org/fonts/myriad-pro-installerr.php

# Reference: https://twitter.com/Racco42/status/1152202311982354433

abarkagambia.com/backup.php
acaciarodriguez.com/images/gif_animator.php
accompagnatricidilusso.net/media.php
admimm.cl/images/flash_download.php
adminsystemcr.com/images/watermarks.php
ahangamalmagate.co.za/images/image_resizer.php

# Reference: https://twitter.com/Racco42/status/1152202470971625473

ambrosiapanama.com/images/imagedb.php
amcgsr.com.mx/images/imageresize.php
abidyahya.com/wp-test.php

# Reference: https://app.any.run/tasks/d8abd914-eccb-47f3-9619-734159777e1c/

23.94.93.106:443
192.243.102.102:447

# Reference: https://twitter.com/malware_traffic/status/1154511610649538560 (# Trickbot VNC Module)

107.155.66.16:5900

# Reference: https://twitter.com/matte_lodi/status/1155815877905997824

altxcode.com

# Reference: https://twitter.com/MalHunters/status/1158262554935713794

107.181.175.122:443
185.65.202.127:443
195.123.243.60:443

# Reference: https://twitter.com/ps66uk/status/1158446041643081728

/recenorg.php

# Reference: https://app.any.run/tasks/9cc66fab-9dba-4471-b77c-2dc461006ff0/

46.30.42.245:80
162.248.225.20:443

# Reference: https://twitter.com/425A_/status/1159152546805628930
# Reference: https://app.any.run/tasks/687bafc0-9d7c-4dd4-acb6-9162589e4b87/

http://5.53.124.203/index.php

# Reference: https://twitter.com/ps66uk/status/1159395052893933568

/inputok.php

# Reference: https://twitter.com/James_inthe_box/status/1164269734193274881
# Reference: https://pastebin.com/2R5TUnJS

103.207.1.44:449
103.84.238.3:449
107.175.33.16:443
107.181.175.122:443
131.196.184.141:449
146.185.219.27:443
168.227.229.112:449
177.103.240.149:449
178.170.189.117:443
180.250.197.188:449
181.129.140.140:449
181.129.49.98:449
181.129.93.226:449
181.176.160.145:449
185.172.129.146:443
185.174.172.60:443
186.156.52.78:449
186.183.199.114:449
186.42.186.202:449
186.42.226.46:449
186.47.40.234:449
186.47.82.6:449
187.58.56.26:449
189.80.134.122:449
190.13.160.19:449
190.13.190.178:449
190.151.213.140:449
190.152.36.30:449
190.152.38.66:449
190.152.4.210:449
190.154.203.218:449
191.37.181.152:449
192.3.146.179:443
198.12.97.212:443
198.46.198.12:443
200.119.45.140:449
202.9.120.79:449
31.184.253.6:443
36.89.85.103:449
37.228.117.250:443
45.237.240.178:449
5.53.124.49:443
79.143.31.94:443
82.118.21.99:443
89.105.203.184:443

# Reference: https://twitter.com/nahamike01/status/1166309356574347264
# Reference: https://www.virustotal.com/gui/file/bb23200f9c2c5f7764383d34d5d31aad164cd4e0281085256457872dd1ee2a8d/detection

45.137.151.112:443

# Reference: https://twitter.com/OttoScav/status/1169737229310275589

170.238.117.187:8082
186.10.243.70:8082
190.119.180.226:8082
131.161.105.206:8082
103.116.84.44:8082
200.35.43.105:80
103.194.90.242:80
103.87.48.54:80
190.152.125.162:80
103.84.238.3:80
192.3.105.136:443
54.37.229.180:443
192.227.142.155:443
23.94.204.80:443
5.230.26.41:443
45.80.148.236:443

# Reference: https://twitter.com/Artilllerie/status/1169924303053303808
# Reference: https://pastebin.com/aFeeUMJJ

103.116.84.44:8082
103.194.90.242:80
103.207.1.44:449
103.84.238.3:449
103.84.238.3:80
103.87.48.54:80
107.155.137.12:443
107.173.160.18:443
107.173.160.19:443
107.173.160.22:443
107.173.90.220:443
131.161.105.206:8082
131.196.184.141:449
146.196.122.167:449
168.227.229.112:449
170.238.117.187:8082
177.103.240.149:449
181.112.159.70:449
181.129.49.98:449
181.129.93.226:449
181.129.96.74:449
181.176.160.145:449
185.142.99.59:443
185.235.130.84:443
186.10.243.70:8082
186.156.52.78:449
186.42.186.202:449
186.42.226.46:449
186.46.63.58:449
186.47.40.234:449
187.58.56.26:449
189.80.134.122:449
190.109.189.119:449
190.119.180.226:8082
190.13.160.19:449
190.13.190.178:449
190.144.89.82:449
190.151.213.140:449
190.152.125.162:80
190.152.4.210:449
190.154.203.218:449
191.37.181.152:449
192.227.142.155:443
192.3.104.38:443
192.3.105.136:443
200.119.45.140:449
200.29.106.33:449
200.35.43.105:80
23.94.204.80:443
31.202.132.179:443
36.89.85.103:449
37.187.186.7:443
45.80.148.236:443
5.230.26.41:443
54.37.229.180:443
68.168.123.85:443
79.124.49.206:443
95.174.65.246:443

# Reference: https://www.ncsc.gov.uk/news/ryuk-advisory
# Reference: https://otx.alienvault.com/pulse/5d108ad7a63b52237073efd1

177.183.194.194:449
177.52.28.238:449
177.52.79.29:449
186.248.163.198:449
186.42.186.202:449
187.65.49.88:449
187.8.169.10:449
187.95.123.179:449
187.95.32.18:449
191.241.233.195:449
200.107.59.130:449
200.110.72.134:449
200.35.56.81:449
200.83.49.141:449

# Reference: https://twitter.com/0XCHAR/status/1175154224046452742

rvmzrf24dgmr4tce.onion
107.155.137.8:447
107.173.160.29:447
145.239.188.95:447
178.157.82.135:447
178.170.189.239:447
185.250.204.126:447
195.123.221.104:447
195.123.221.178:447
195.123.238.36:447
195.123.247.27:447
23.95.214.138:447
37.228.117.65:447
45.8.126.5:447
46.4.167.254:447
5.53.124.55:447
91.92.128.237:447
92.63.102.212:447

# Reference: https://twitter.com/makflwana/status/1176877958473977857
# Reference: https://app.any.run/tasks/a7be32af-a368-4200-b8c6-9b64b2d170be/

http://144.91.69.195/solar.php
51.254.69.244:443

# Reference: https://pastebin.com/5XF67ZmJ

103.194.90.242:80
103.84.238.3:80
103.87.48.54:80
104.244.73.115:443
107.172.143.155:443
138.185.25.228:449
138.59.233.5:449
146.196.122.167:449
170.233.120.53:449
170.84.78.117:449
177.103.240.149:449
181.115.168.69:449
181.129.49.98:449
181.129.93.226:449
181.196.61.110:449
181.199.102.179:449
181.49.61.237:449
185.222.202.49:443
185.70.182.162:449
186.183.199.114:449
186.42.185.10:449
186.42.186.202:449
186.42.226.46:449
186.42.98.254:449
187.110.100.122:449
190.13.160.19:449
190.152.4.210:449
190.152.4.98:449
192.227.142.155:443
193.29.56.122:443
200.153.15.178:449
200.21.51.38:449
200.29.106.33:80
200.35.56.81:449
201.184.137.218:80
23.94.204.80:443
36.89.85.103:449
45.161.33.88:449
91.207.185.73:449

# Reference: https://twitter.com/killamjr/status/1181657813417959424

185.130.104.157:443

# Reference: https://twitter.com/malware_traffic/status/1182090303420997632

cardesign-analytics.com
dzbvyejoy81.com
t7763jykqeiy.com
/leo20/

# Reference: https://twitter.com/James_inthe_box/status/1182999215833677826

172.245.118.105:446

# Reference: https://twitter.com/0xFrost/status/1184189273010032640

185.79.242.204:449
194.5.250.82:443
194.5.250.83:443

# Reference: https://twitter.com/killamjr/status/1184204867545513987
# Reference: https://pastebin.com/1xzBiPm6

109.234.34.135:443
138.185.25.228:449
170.233.120.53:449
170.84.78.117:449
177.103.240.149:449
181.113.20.186:449
181.115.168.69:449
181.129.49.98:449
181.49.61.237:449
185.222.202.222:443
185.222.202.223:443
185.244.150.142:443
185.70.182.162:449
185.79.242.204:449
185.79.243.37:449
186.42.185.10:449
186.42.186.202:449
186.42.98.254:449
187.58.56.26:449
188.137.81.201:449
189.80.134.122:449
190.13.160.19:449
190.152.4.98:449
190.154.203.218:449
194.5.250.82:443
194.5.250.83:443
195.93.223.100:449
200.116.199.10:449
200.21.51.38:449
200.35.56.81:449
31.184.253.37:443
31.214.138.207:449
36.89.85.103:449
45.142.213.58:443
45.161.33.88:449
45.66.11.116:443
45.80.148.30:443
46.30.41.229:443
5.185.67.137:449
66.55.71.11:443
78.88.188.42:449
81.190.160.139:449
85.11.116.194:449
89.25.238.170:449
91.207.185.73:449
94.156.144.3:443

# Reference: https://blog.talosintelligence.com/2019/10/threat-roundup-1011-1018.html (# Win.Dropper.Trickbot-7340237-0)

46igeuohbyzeokpe.onion

# Reference: https://twitter.com/malware_traffic/status/1189950830448959488
# Reference: https://app.any.run/tasks/bec0f8ee-7050-4c37-999a-2a3c2f152c36/

144.91.79.12:443
85.204.116.139:443

# Reference: https://twitter.com/malware_traffic/status/1190026665952497667

185.222.202.192:443
185.99.2.104:447
186.71.150.23:449

# Reference: https://pastebin.com/29uSdMAk

192.3.104.46:443

# Generic trails

/karlmarks.php
