# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: Yellow Cockatoo RAT, Polazert, SolarMarker

# Reference: https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf
# Reference: https://redcanary.com/blog/yellow-cockatoo/
# Reference: https://otx.alienvault.com/pulse/5faf00679c90b876019cc653
# Reference: https://otx.alienvault.com/pulse/5fcab7a1accb28c015a5717d

blackl1vesmatter.org
gogohid.com
mixblazerteam.com
spacetruck.biz
vincentolife.com

# Reference: https://www.virustotal.com/gui/file/dbba731937d435681ed98af6e42ab52d53af4f9ebe8db955a2b4b9ab63b4b06c/detection

5.254.118.226:80

# Reference: https://www.virustotal.com/gui/file/38508585ab7911fa8c6475b14086e11db6e829c541b392634bcc921ae6cdda35/detection

http://216.230.232.134

# Reference: https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer
# Reference: https://www.virustotal.com/gui/file/e3680602deb66e1196bcffe531cdeeab32663efc62c5e16178a0f9f4df745007/detection
# Reference: https://www.virustotal.com/gui/file/8447b77cc4b708ed9f68d0d71dd79f5e66fe27fedd081dcc1339b6d35c387725/detection

http://37.120.237.251
http://45.42.201.248

# Reference: https://www.virustotal.com/gui/file/60c570bd5f5f0d8ea3760317f9becaa78a9be16b2fb2dc7399bf270ca855c0a1/detection

http://45.146.166.186

# Reference: https://twitter.com/th3_protoCOL/status/1488508291642626057
# Reference: https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/

http://104.223.123.7
http://146.70.24.173
http://146.70.41.157
http://149.255.35.179
http://167.88.15.115
http://185.244.213.64
http://188.241.83.61
http://192.121.87.53
http://216.230.232.134
http://23.29.115.175
http://37.120.237.251
http://37.221.114.23
http://45.146.165.221
http://45.42.201.248
http://46.102.152.102
http://5.254.118.226
http://69.46.15.151
http://91.241.19.110
http://92.204.160.110
http://92.204.160.233
abocomteamsd.site
chargraman.ml
passesleeson.site
pdfdocdownloadspanel.site
sseiatca.site
triplegnuise.site

# Reference: http://lists.emergingthreats.net/pipermail/emerging-sigs/2021-November/030492.html

noelfpar.com

# Reference: https://www.virustotal.com/gui/file/e2ee962de73184eb406a9b403a87b4a8b2d8dc2a2b048977748a0273d1f90ab6/detection

http://146.70.88.119

# Reference: https://unit42.paloaltonetworks.com/solarmarker-malware/

http://146.70.101.97
http://146.70.53.153
http://37.120.247.199
http://37.221.113.115
http://84.252.95.225
http://89.44.9.108
http://92.204.160.101
http://92.204.160.114

# Reference: https://twitter.com/SquiblydooBlog/status/1515345814314373123
# Reference: https://www.virustotal.com/gui/file/8aaf2a9920c23cbccf4ee9686679ad605ed3943685e80855192cdaf27913d9b7/detection

http://86.106.20.155

# Reference: https://tria.ge/220421-q74hdsbaan

http://37.120.247.120

# Reference: https://www.virustotal.com/gui/file/c884f80accda415c39632e495f11e1d143649d0439d6eecd8a9d4851d041c444/detection

http://146.70.71.174
