# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits
# Reference: https://otx.alienvault.com/pulse/5d4431e60c6bf943f7f039aa

http://146.0.75.34
amnsns.com
calacs-laurentides.com
crypto-crypto.site
dsntu.top
elienne.net
gougounu.site
mmasl.com

# Reference: https://twitter.com/VK_Intel/status/1176927389328261121
# Reference: https://www.virustotal.com/gui/file/7976bfcea5c86a0b12266993b17176398d3eabe817f3c44f1a212bca9234698d/detection

fresher.at

# Reference: https://twitter.com/pancak3lullz/status/1334638629654814720

172.105.253.97:4001
http://172.105.253.97

# Reference: https://news.sophos.com/en-us/2020/12/16/systembc/
# Reference: https://otx.alienvault.com/pulse/5fe3992846c25c7182e066ed

advertrex20.xyz
advertsp74.xyz
asdasd08.com
asdasd08.xyz
decatos30.com
decatos30.xyz
gentexman37.xyz
mexstat128.com
sdadvert197.com
shopweb95.xyz

# Reference: https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/
# Reference: https://otx.alienvault.com/pulse/601aedb7c7c215c1dc3bb6db/

alnujaifi-portal.com/ds/3101.gif
clinica-cristal.com/ds/3101.gif
eyeqoptical.ca/ds/3101.gif
gbhtrade.com.br/ds/3101.gif
newstimeurdu.com/ds/3101.gif
remacon.net/ds/3101.gif
skconstruction.info/ds/3101.gif
/ds/3101.gif

# Reference: https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/
# Reference: https://otx.alienvault.com/pulse/609abec825e7816948042cc0
# Reference: https://www.virustotal.com/gui/file/2dc93817039e6fa4fae014e1386cffa7ac35b89feac59d8abe7f51be1c089580/detection

23.227.202.22:4142
79.110.52.9:4142
193.29.104.187:443

# Reference: http://www.intel471.com/blog/cobalt-strike-cybercriminals-trickbot-qbot-hancitor

172.105.253.97:4001
80.85.84.79:4001

# Reference: https://www.virustotal.com/gui/file/114e10d27381de27f9442d15a57fd5a4afec3e287176cd793d7cd1689e96cf17/detection
# Reference: https://www.virustotal.com/gui/file/04eac372fbe81ab6bc47ea4d728323026a08324b5edc7aa62c9ebfc664eef824/detection

109.234.39.169:4001
adirtasolution.co.id

# Reference: https://www.virustotal.com/gui/file/5398d64f2fdfb55776a0ae2eec9d8702223356ff327a91e502eaa45f14d88632/detection

139.60.161.24:4658
192.53.123.202:4658

# Reference: https://www.virustotal.com/gui/file/00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555/detection

31.44.185.11:4001
31.44.185.6:4001
michaelstefensson.com

# Reference: https://twitter.com/0xrb/status/1509072321155579907

http://31.44.185.11
http://31.44.185.6

# Reference: https://asec.ahnlab.com/en/33600/
# Reference: https://otx.alienvault.com/pulse/625527f81b8187c8c082d7a4
# Reference: https://www.virustotal.com/gui/ip-address/194.67.92.180/relations

http://131.188.40.189
http://154.35.175.225
http://193.23.244.244
http://194.109.206.212
http://199.58.81.140
http://204.13.164.118
http://86.59.21.38
128.31.0.34:9131
128.31.0.39:9131
192.64.119.142:4044
194.67.92.180:40690
171.25.193.9:443
31.44.185.11:4001
31.44.185.6:4001
45.153.240.65:4044
45.32.132.182:4177
89.108.99.179:40690
96.30.196.207:4177
admex175x.xyz
dfhg72lymw7s3d7b.onion
mapfiles.info
pushsecs.info
servx278x.xyz
db1.mapfiles.info
db2.mapfiles.info
db1.pushsecs.info
db2.pushsecs.info

# Reference: https://twitter.com/0xrb/status/1516651127944941568
# Reference: https://www.virustotal.com/gui/file/fe6d6d15e0ffa8717c2a5ac80b7f117e853c05cd642c746bb2eab0f70416150d/detection

88.80.188.245:4170

# Reference: https://twitter.com/0xrb/status/1517368003389968384
# Reference: https://www.virustotal.com/gui/file/57eccf5d61a8ca0b2bea78e57df2c987ae07232f2e7ed43bb90314e73aeae543/detection

194.93.56.202:4001

# Reference: https://twitter.com/0xrb/status/1518499002681282560
# Reference: https://www.virustotal.com/gui/file/3f1e3e41c78f34a4012539afc1fa37eb88d12de49f12d688f40d86c8f4bbfe06/detection
# Reference: https://www.virustotal.com/gui/file/6aea048eb43309ce48f54eb1575c93d898ee8c3726dc6871a5e3a65d4f7810e9/detection

http://143.244.175.124
http://192.53.123.202
143.244.175.124:4225
192.53.123.202:4225

# Reference: https://twitter.com/0xrb/status/1519959623369113600
# Reference: https://www.virustotal.com/gui/file/fe6d6d15e0ffa8717c2a5ac80b7f117e853c05cd642c746bb2eab0f70416150d/detection

http://88.80.188.245
88.80.188.245:4170

# Reference: https://twitter.com/0xrb/status/1519956419197677568
# Reference: https://twitter.com/abuse_ch/status/1534791877202956289
# Reference: https://www.virustotal.com/gui/file/d0f3211e3a351e4f7384243f983a33a0b4e989b61fea1e1c098bb5c8241ae102/detection

45.11.57.142:1488
62.182.82.33:1488
usaf.army

# Reference: https://twitter.com/0xrb/status/1523630947790626819
# Reference: https://www.virustotal.com/gui/file/9d396abb34553871ffd2776aa0ca2997c83c047ce852b2cf328f374438380853/detection

104.200.67.101:4001
nadrmcrosftn.com

# Reference: https://twitter.com/0xrb/status/1524266350042304512
# Reference: https://www.virustotal.com/gui/file/d20def2014332b3391f52f726374f221dbbb06b748e02371d37cbe7ec53f1664/detection

46.30.189.212:4210
62.113.196.57:4210

# Generic (URL path trails shared across SystemBC samples, not tied to a single reference above)

/systembc/exec.vbs
/systembc/password.php
/systembc/post.php
