# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/

unknownposdhmyrm.onion

# Reference: https://twitter.com/InQuest/status/1306629050052509698
# Reference: https://twitter.com/James_inthe_box/status/1306632726594740228

212.8.246.213:4858
a2204a0w.beget.tech

# Reference: https://twitter.com/James_inthe_box/status/1312131470119510017
# Reference: https://www.virustotal.com/gui/file/ba318072fe85e168c5fd55a30760ac306f75fa76c2d5ec40533b0505cda1c26d/detection

193.239.147.16:4561

# Reference: https://www.virustotal.com/gui/file/1309f6fa224d2fd53c8fd1399fdb06cc602c80456650fcac7a99ff972ef33fa9/detection

193.239.147.16:5995

# Reference: https://app.any.run/tasks/33316cee-cc80-4b93-afa1-a7d986787900/

86.105.252.202:1337

# Reference: https://app.any.run/tasks/cb155241-20d8-4544-b8fb-bc094c6b4a41/

185.244.128.7:9944

# Reference: https://app.any.run/tasks/698342fb-4581-496e-bcef-d372de715556/

62.173.149.200:1488

# Reference: https://twitter.com/wwp96/status/1328339029021118465
# Reference: https://app.any.run/tasks/27a07edd-459f-47d7-895b-30be0fa69ccb/
# Reference: https://app.any.run/tasks/ecc90db0-667c-4848-a3a7-42763f7de0bd/

79.134.225.14:8070
nexty.dnsupdate.info

# Reference: https://twitter.com/wwp96/status/1336838211008667651
# Reference: https://app.any.run/tasks/53b96245-a143-47f7-bd16-764eb7ff6c6c/

http://192.236.195.143
192.236.195.143:44220

# Reference: https://app.any.run/tasks/716bb70e-5d69-4d95-a090-8b9fd091ff46/

5.9.86.48:4559
watchmovie.world

# Reference: https://twitter.com/reecdeep/status/1345411411829260289
# Reference: https://twitter.com/James_inthe_box/status/1345428580499509248
# Reference: https://app.any.run/tasks/73fc7745-00d6-4ad3-839a-0b615a9143c0/
# Reference: https://www.virustotal.com/gui/file/f5d02bf8a1a6612e21e2165e2008c66347e60436a43b3bf7cae2edc323f50d44/detection

45.15.143.195:5366
kabuto.tk

# Reference: https://twitter.com/executemalware/status/1348826729176059905
# Reference: https://pastebin.com/riNucR5r

45.15.143.216:5210

# Reference: https://app.any.run/tasks/76f62a1a-a1b5-468c-bb08-132270b8736d/

185.239.242.74:5505

# Reference: https://app.any.run/tasks/adcf19e2-10b0-41c7-a224-409b3ed01c53/

76.6.213.195:1337
iceyrattedyou.ddns.net

# Reference: https://app.any.run/tasks/d192b25d-d66f-4860-a80a-25b618431c27/

51.81.241.89:8331

# Reference: https://twitter.com/James_inthe_box/status/1366773490112630786
# Reference: https://app.any.run/tasks/0974f171-7f1d-4086-a33e-0907f343d2fb/

192.227.217.243:5060
bitmama.ddns.net

# Reference: https://twitter.com/wwp96/status/1366840097719652359
# Reference: https://app.any.run/tasks/c56eff7f-f8c5-4c54-9ca4-4365650c380f/

185.118.164.167:2442
ps5gaming.ddns.net

# Reference: https://app.any.run/tasks/031a6166-c9bd-4c62-bab7-de2f9ea03cc1/

51.195.57.232:4480
bbtratlopaspm21.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1367780791711858689
# Reference: https://app.any.run/tasks/21ba270a-dc77-4c47-a62f-3f646a72b75f/

192.129.178.226:8080

# Reference: https://twitter.com/JAMESWT_MHT/status/1369611654800044033

allplainbartatibotr.com

# Reference: https://www.virustotal.com/gui/file/e2acc1548804137b072871cac70133b33fc2c81906c0b5454eb3ca721b2487ef/detection
# Reference: https://www.virustotal.com/gui/file/102a1c8cb0870145e85fb2ef39e407559b9ee06cf493b1a1c0a8b3cafa154060/detection
# Reference: https://www.virustotal.com/gui/file/e3cb90b326221bd741b7d25101723686645d3cee8a15e2e2aa70cc08f5a7932f/detection

105.112.108.188:4567
185.244.30.156:4567
79.134.225.13:4567
primo1.hopto.org

# Reference: https://twitter.com/Circuitous__/status/1395078617709826052
# Reference: https://twitter.com/ffforward/status/1395083197776646146
# Reference: https://tria.ge/210519-lwckr1nhex/behavioral1

37.153.1.10:9001
5.9.29.183:9002
92.38.163.191:9001
94.130.246.106:9001
cajyn27ifx3cmmfj.com
et5bjiyeg33jmp.com
itzdfcc.com
lwbgzobn3.com
nazwe6jz.com
spvnm.com
xegkrcp52yyadqby4jxta.com

# Reference: https://twitter.com/StopMalvertisin/status/1396136539520786432
# Reference: https://tria.ge/210522-96v87ajff6/behavioral1
# Reference: https://www.virustotal.com/gui/file/1c63ebb7a2f131b8f7a79c14dde26f4bedcc30409c780057e08b193ccbdf4e7c/detection

193.169.254.216:6464

# Reference: https://app.any.run/tasks/746e2df0-b32c-46e8-b119-bb9050c4b252/

79.134.225.75:7739

# Reference: https://twitter.com/reecdeep/status/1400481387258552326
# Reference: https://www.virustotal.com/gui/file/960908cfb5d254bac4b09f16688589ec62197ba1372f8bb06915b6db03ccf437/detection

79.142.76.244:43147
0b1.duckdns.org

# Reference: https://twitter.com/phage_nz/status/1402796421691056130
# Reference: https://tria.ge/210610-tvq26cva56

45.133.1.212:50855
faithheals.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1408506126157504515
# Reference: https://app.any.run/tasks/95bb54c8-f98f-4063-ac8b-9cb392a4c831/

20.98.18.253:2222
resereved.nerdpol.ovh

# Reference: https://twitter.com/pollo290987/status/1411593842160189440
# Reference: https://www.virustotal.com/gui/file/827db97b1bc0843a4098668d4571804efdcc68a9047b0df4963bf0d1262dfe7e/detection

192.121.245.14:9088
publiquilla.linkpc.net

# Reference: https://gist.github.com/silence-is-best/ac1440dcf7aec90a53905ae86559e621
# Reference: https://www.virustotal.com/gui/file/18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b/detection

191.101.130.145:2880
eewe.ddns.net

# Reference: https://twitter.com/Racco42/status/1422325067577495552
# Reference: https://app.any.run/tasks/33ed2642-b879-4507-a0c2-66136fde62ae/

20.194.35.6:7904

# Reference: https://twitter.com/b3ard3dav3ng3r/status/1445892714965340167

redlabelvacation.com

# Reference: https://twitter.com/tosscoinwitcher/status/1484599260108574722
# Reference: https://twitter.com/James_inthe_box/status/1484606522667663362
# Reference: https://www.virustotal.com/gui/file/61f2d36c819dbbdc6d78cb574b399788fedc0b74b253144a3421f3363f7716d9/detection

bitranew3500.duckdns.org

# Reference: https://www.virustotal.com/gui/file/55afaccb3c05610eefaa5cbe314c9809d38a0665cfbe12ae7e30f6e0be9f1493/detection

5.39.217.241:7500
privatemicrosoft.ddns.net

# Reference: https://github.com/pr0xylife/nworm/blob/main/nworm_10.02.2022.txt

hvnctoday.duckdns.org

# Reference: https://www.virustotal.com/gui/file/0e0e32d97744830242368a28d0d6031818d690e865849dd4eddda23ece80ac01/detection
# Reference: https://www.virustotal.com/gui/file/794bcfb84b20f5e74a85d54aa222cc580600a7a6f9ee90ad667989ee1f2f13a5/detection

3.139.82.211:9050
79.134.225.79:9050
learnatallcost2.ddns.net
xcloudfiled.serveirc.com

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2022-02-09%20BitRAT%20IOCs

bitratnew9100.duckdns.org

# Reference: https://www.virustotal.com/gui/file/5f4bd8751b7f69a3c41de37b2ffdb32a4434c4c9af179211f7047b18cfd34302/detection

136.175.200.54:8090

# Reference: https://twitter.com/tosscoinwitcher/status/1494045089449975808
# Reference: https://twitter.com/James_inthe_box/status/1494051152312233985
# Reference: https://www.virustotal.com/gui/file/a3164dd898dcd6458275e739d3e05383e831d80b30f30c07cdc0eac7c4189ff7/detection

verifiedrisky.duckdns.org

# Reference: https://twitter.com/peterkruse/status/1494056302330404874

bitpeople.duckdns.org
fourgenerationbit.duckdns.org
jointbitandstrig.duckdns.org
newmanes.duckdns.org
page1bit.duckdns.org
whelenjs.duckdns.org
wsnan2js.duckdns.org
yakbitpeople.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3ab1f343f5fde1980fdb3735cff794d025fc2f9814fbf7cb0bdb64c1030ca621/detection

103.73.64.115:9700
spotlessbeautydivine0722.nerdpol.ovh

# Reference: https://twitter.com/c_APT_ure/status/1503777711898206211

185.213.155.164:55140
toopdyno2.duckdns.org

# Reference: https://www.virustotal.com/gui/file/9a54f6643e51b0d853270b541259cdbe937867cc6774cfe01c81c3cbbde6d3bd/detection

5.254.30.26:1177
dr875782.ddns.net

# Reference: https://www.virustotal.com/gui/file/9d23dc18603087f549b815ee1f6961fb7a64311d936d0821ace690f11e1bab72/detection

212.192.241.252:9264
guemzovhdf.ratkings.net

# Reference: https://www.virustotal.com/gui/file/f346cda71cf69d00c47867ee844a76729ff28ffd1375b6979a5aa1b1b3d7b626/detection

212.192.241.50:9464
vmaufhqzia.ratkings.net

# Reference: https://www.virustotal.com/gui/file/f6175e31dfb760d4656d19bd3e3ba305f5b45db735ff12e99a3df7a8d6475f66/detection
# Reference: https://www.virustotal.com/gui/file/c089132bfcb9452baec5075eb27b2570826bebf49d7afc59dfdb7ae87b5137e3/detection
# Reference: https://www.virustotal.com/gui/file/ae5b0eab5769b53f1e200d8f78b9f9cf89917109a8d9af92197dcbda20dbba5b/detection
# Reference: https://www.virustotal.com/gui/file/092fa70e35f528348dc884f505bb9e7c21b8d882f2200d1aec4bbf028f4d4b62/detection

45.133.1.136:4873
goxnaugeuvns.ratkings.net

# Reference: https://www.virustotal.com/gui/file/79dfc139c47db4388bd5211adea4e189fd1b1d2202897320b277a9a4b32bbcf5/detection
# Reference: https://www.virustotal.com/gui/file/9c241d5e281ea864900820ab6b3275141a9c8dddf49a71991c2f79a67205eee9/detection

91.134.183.114:6930
ovjaicyencbapr.ratkings.net

# Reference: https://www.virustotal.com/gui/file/de6c971541126d3eb172fde067de88fc073e836399968a94f1fef3dcc4fd4a4c/detection

136.144.41.129:9573
gtceaolbutc.ratkings.net

# Reference: https://www.virustotal.com/gui/file/d88c2ef2778e2cfa03ca27f59f1e6b67e86dccb3bf4a4c68436b66e3988cd8d8/detection

195.133.40.167:9824
vmolaihvlqivszey.ratkings.net

# Reference: https://www.virustotal.com/gui/file/2d01db532167eebf691872391503f9a78db139e34310814e25498ae0637f93c2/detection

37.0.11.164:9174
vmoauhrqf.ratkings.net
yqbzpqutnalf.ratkings.net

# Reference: https://www.virustotal.com/gui/file/24a7122da520f5da0773a6a91277a7fecc23d55e49600e212777ddb480d53cc0/detection

195.133.40.197:9581
usnapqofbwk.ratkings.net

# Reference: https://twitter.com/James_inthe_box/status/1511749376900624385
# Reference: https://app.any.run/tasks/bd0eae1d-a5cd-4355-821d-60744feb7c6e/

88.214.59.176:9200
bitratnew9200.duckdns.org

# Reference: https://twitter.com/pr0xylife/status/1522561274852302848
# Reference: https://www.virustotal.com/gui/ip-address/194.147.140.17/relations

194.147.140.17:9300
bitrat9300.duckdns.org

# Reference: https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/
# Reference: https://www.virustotal.com/gui/file/b2fab34e628b367bc6520abc456cbfc90c4b8ac8307ad87b91d3016c2bc479d1/detection
# Reference: https://www.virustotal.com/gui/file/b740cf13ea8ab620eeb11eed8e4e9ca3123681818c8371829880318f83345c6c/detection

86.107.21.237:57387
pingsolex.duckdns.org
bornagroup.ir/11d/
bornagroup.ir/js/

# Reference: https://www.virustotal.com/gui/file/122cd4f33d1e1b42ce0d959bc35e5d633b029f4869c5510624342b5cc5875c98/detection

31.210.20.235:9870
fantasticbeast.ddnsgeek.com

# Reference: https://www.virustotal.com/gui/file/cb2e737c30449e86e13554939c36df07594c746510d2f04c18a0c1a519e92ab1/detection

65.108.68.54:890
maraipasoo.duckdns.org

# Reference: https://twitter.com/tosscoinwitcher/status/1534604532218404865
# Reference: https://tria.ge/220608-wjbelaeeb4

20.106.79.78:2223
oka.nerdpol.ovh

# Reference: https://www.virustotal.com/gui/file/21e45f1ffe142084c79bb640f43a153d592b96af0be126ed0a940a8889bc251c/detection

45.61.136.146:1234
martinman99.hopto.org

# Reference: https://github.com/0xToxin/Malware-IOCs/blob/main/Bitrat/Bitrat-%2027062022

154.16.67.29:9400
bitrat9400.duckdns.org

# Generic URL path patterns (hwid parameter)

/step_1.php?hwid=
/step_2.php?hwid=
/hwid_update.php?hwid_old=
/client/clientcreate.php?hwid=
