# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: Raspberry Robin, QNAPWorm, Roshtyak, hacked qnapnas

# Reference: https://blog.netlab.360.com/in-the-wild-qnap-nas-attacks-en/
# Reference: https://www.qnap.com/en-us/security-advisories/
# Reference: https://otx.alienvault.com/pulse/5f4d3b803650ae87f911b28c

165.227.39.105:1234
165.227.39.105:3730
165.227.39.105:5678
165.227.39.105:80
165.227.39.105:8096
165.227.39.105:9393

# Reference: https://www.cybereason.com/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices
# Reference: https://www.virustotal.com/gui/ip-address/179.60.150.126/relations
# Reference: https://www.virustotal.com/gui/ip-address/195.158.67.252/relations

179.60.150.126:8080
195.158.67.252:8080
0e.si
4q.pm
5qw.pw
6w.re
6y.re
c7.lc
f0.tel
i6n.xyz
j2.gy
j4z.co
jjl.one
k5m.co
k6c.org
kr4.xyz
lwip.re
mirw.wf
mwgq.net
mzjc.is
omzk.org
p9.tel
q2.rs
r6.nz
ri7.biz
rx3.xyz
s8.cx
t7.nz
tz6.org
u0.pm
uoej.net
uz3.me
xjam.hk
zbs.is
zk.qa
/80wOpGuotSU/
/5CBniie70Rw/

# Reference: https://twitter.com/x3ph1/status/1572228866789502977
# Reference: https://www.virustotal.com/gui/ip-address/61.244.156.107/relations
# Reference: https://www.virustotal.com/gui/file/9af18d0a651daf5fc264150ac1e2d1c3522caa3e603108d4211488c0587ea25b/detection
# Reference: https://www.virustotal.com/gui/file/04fe16cada29101117cc454d956a9231959b10d7e896c3c54cc8df63965216a7/detection

1h3.me
2i.nu
5kj.xyz
5s.pm
5v0.nl
6t.nz
6wr9.com
7yfb.com
8t.pm
8t.wf
9r.re
c0.wf
cb3u.com
e9.wf
ejk.bz
fnx.wf
i0.wf
j5m.biz
jrx.tw
k6j.me
m0.yt
mn1.biz
mz3.biz
n54.me
n5k.me
rn9v.com
t0.wf
u0.rs
u8wp.com
vs.gy
w0.pm
w4.nz
xz4.biz
zjc.bz

# Reference: https://twitter.com/1ZRR4H/status/1588766861612617728
# Reference: https://www.joesandbox.com/analysis/738633/2/html

85.56.236.45:49845
85.56.236.45:8080

# Reference: https://redcanary.com/blog/raspberry-robin/
# Reference: https://otx.alienvault.com/pulse/6274f50b11f1e83fe900d4bf

3h.wf
v0.cx
ivuoq6si2a.com

# Reference: https://twitter.com/felixaime/status/1524406445978136576

77.99.129.181:8080

# Reference: https://github.com/avast/ioc/tree/master/RaspberryRobin
# Reference: https://www.virustotal.com/gui/ip-address/185.55.243.109/relations

0dz.me
0i.pm
0t.yt
0v.wf
0w.pm
0x9.biz
13j.me
1i.pm
1j.pm
1j4.xyz
1k4.xyz
1n4.xyz
1u.pm
21k.website
2i.pm
2j4.xyz
2um.xyz
2yd.eu
3e.pm
3h1.xyz
4c.pm
4j.pm
4j1.xyz
4j5.xyz
4k1.xyz
4kx.xyz
4m.wf
4s.pm
4s3.me
4w.rs
4w.wf
5j8.xyz
5jb.me
5jk.club
5kx.me
5qe8.com
5z.wf
66j.me
6id.xyz
6qo.at
6t.re
6xj.xyz
7d.rs
9r.sk
aij.hk
as3.biz
b3vv.com
b8x.org
b9.pm
bpyo.in
c4z.pl
d4j.club
dj2.biz
doem.re
dsi.mk
egso.net
ej3.xyz
ejk.li
euya.cn
fxb.tw
fz.ms
g3.rs
g4.tel
g4.wf
getmyfile.eu
glnj.nl
gz3.nl
h0.wf
i0up.com
i49.xyz
i4x.xyz
iz.gy
j1n.me
j3n.xyz
j4r.xyz
j4z.xyz
j5n.xyz
j68.info
j8.si
jrtz.re
jrx.fr
jzm.pw
k0.pm
k1n.club
k5j.one
k5x.xyz
k6j.pw
kglo.link
kj1.xyz
kjaj.top
krrz.pm
l5k.xyz
l6nk.com
l9b.org
lgf.pw
lwxa.eu
m0.wf
m5n.biz
mnem.wf
msix.pm
n3.wf
n5.ms
n51.biz
nk0.club
nwz.li
nz4.xyz
nzm.one
oj8.eu
p3.ms
pjz.one
q0.pm
qji6.com
qmpo.art
r0.pm
r0.wf
r4e.pl
s0.pm
skqv.eu
tiua.uk
trzx.eu
ue2.eu
uqw.futbol
vn6.co
w4.rs
w4.wf
w6.nz
wak.rocks
y0.wf
y3x.biz
ynns.uk
yuiw.xyz
z7s.org
zie5.com
zk4.me
zk5.co
zxn.fyi

# Reference: https://twitter.com/malwrhunterteam/status/1572968889197150209
# Reference: https://www.virustotal.com/gui/file/dc0d4c35716a41be5c19f274fbba881505071cc206ac1e843b99ac9228e2c9e2/detection

220.135.222.186:8080
0j.re
0p.rs
2i.wf
2t.pm
2t.wf
3z.nu
4n.wf
5z.pm
6t.pm
7d.wf
q0.wf
g4.nu
gz.qa
h6.re
m0.nu
u0.nz
/AkBIoJY1ou07oX/celS6c2LNQal0iQ/
/ymANLl6ViZl/0s96yYaFStRcmPx4vffZTOqpvtdo/
/0s96yYaFStRcmPx4vffZTOqpvtdo/
/AkBIoJY1ou07oX/
/Aly5NW5lm/
/BlAcepWx9xjNwCtQOGKeQ/
/BNBH26SDSNM6upvcKpKobq9h6LM8S/
/BXB6pgOgqT1sCWK7Yms/
/celS6c2LNQal0iQ/
/mbhlMpvzllz/
/OxjYaLnal1V/
/rpT5w9Nr8d8H17tjt/
/ymANLl6ViZl/

# Reference: https://www.virustotal.com/gui/file/f7b9e262f52af04086b26988ce980dd28cae38f36ca16cc896418dbc0b8f2714/detection

82.46.34.46:8080
/yxyhTBLSNaVBSMBY/kF/Y2R8p/
/yxyhTBLSNaVBSMBY/

# Reference: https://www.virustotal.com/gui/file/d6463d8191fcb7850703ecef692aaa40634c80b9958400a9fafaa9624e38a9cf/detection
# Reference: https://www.virustotal.com/gui/file/b31629e423c4fabf8d9734b9c23bcc77cd0cd41d6fd69a3ca01041ea8d8c133c/detection
# Reference: https://www.virustotal.com/gui/file/a8602aaf11458f826659e44b3bb47d99058228866242361af76439b46267faa4/detection
# Reference: https://www.virustotal.com/gui/file/5da9e410971f68b2447cee61a1e22da60217c7eb744e6eacaf4b14f1988f41da/detection
# Reference: https://www.virustotal.com/gui/file/532cfcc07c32a774d546681cc8032c0cf4ec0bbaed382eb3e699bd5918c4bec1/detection

14.200.211.18:8080
213.22.1.225:8080
/AMB/U98GXRx5IdwBdEs/
/yMyVqr74TqZsCeDTs4jpLXDMR/x8O/596ac/
/yMy3gcw0EH3gJUwBUG9VJld0y76MWmWm/
/yAyWywwnv0Dxx4W2XVo7N4ayKF1haZb8AQA/
/yDASWuZoFaLmiSl3XmbhlMpvzluWuxXpE4w7/e/
/yDASWuZoFaLmiSl3XmbhlMpvzluWuxXpE4w7/
/yMyVqr74TqZsCeDTs4jpLXDMR/
/U98GXRx5IdwBdEs/

# Reference: https://www.virustotal.com/gui/file/d34e8779799f74938b2f3756f6440bcdc697a7ecb077ee90e246813b89d65b47/detection
# Reference: https://www.virustotal.com/gui/file/9eade2054d3efd2ec2fe81612f26f43c8838d6bbbbf79e4206fbfb0dc19ea61a/detection
# Reference: https://www.virustotal.com/gui/file/947b2ba998bc8e123a94993db359e1746de7ca57633f4def39bd9266f15015c3/detection
# Reference: https://www.virustotal.com/gui/file/432f3f264d7fef16dd303412c4259c0b9367998adfe31c44d130c64b4741daff/detection

124.168.120.117:8080
/AZA0qrMiHcVdS/tR/cmPx4vffonl/
/AdAel/L7uIfp3f98W1Rc0BspXUdorvydVeBqqfAEkQbx/v/
/ySy/BL9sC7GM9Ljp5kAPDRK15QeRDZw/Zp5i9/qrDx/
/AZA0qrMiHcVdS/
/BL9sC7GM9Ljp5kAPDRK15QeRDZw/
/BSArv8u89akrL69jep9wyoHJ/
/cmPx4vffonl/
/L7uIfp3f98W1Rc0BspXUdorvydVeBqqfAEkQbx/

# Reference: https://github.com/SEKOIA-IO/Community/blob/main/IOCs/20220704_QNAP_Worm_Infrastructure

03s30.com
0i.wf
0j.wf
1u.wf
27o.nl
4aw.ro
4xq.nl
5ap.nl
5g7.at
5qy.ro
60i.nl
6ax.nl
6t4.nl
6uy.at
bcomb.net
bo2sv.com
d0.wf
e0.wf
eznb.net
g0.pm
getmyfile.click
getmyfile.link
h0.pm
ldnr.net
li1iv.com
n9fz.com
o7car.com
u7u.ro
vqdn.net
xtabr.com
y0.pm

# Reference: https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html

2qlvvvnhqyda2ahd.onion
3bbaaaccczcbdddz.onion
5j7saze5byfqccf3.onion
76qugh5bey5gum7l.onion
answerstedhctbek.onion
archivecaslytosk.onion
bcwpy5wca456u7tz.onion
bitmailendavkbec.onion
clgs64523yi2bkhz.onion
cmgvqnxjoiqthvrc.onion
cyphdbyhiddenbhs.onion
expressobutiolem.onion
fncuwbiisyh6ak3i.onion
gl3n4wtekbfaubye.onion
habaivdfcyamjhkk.onion
hd37oiauf5uoz7gg.onion
ihdhoeoovbtgutfm.onion
kyk55bof3hzdiwrm.onion
njalladnspotetti.onion
pornhubthbh7ap3u.onion
psychonaut3z5aoz.onion
qqvyib4j3fz66nuc.onion
sejnfjrq6szgca7v.onion
sgvtcaew4bxjd7ln.onion
tapeucwutvne7l5o.onion
torwikignoueupfm.onion
ugw3zjsayleoamaz.onion
ynvs3km32u33agwq.onion
zdfsyv3rubuhpql3.onion

# Reference: https://blog.sekoia.io/raspberry-robins-botnet-second-life/
# Reference: https://otx.alienvault.com/pulse/63bd98efc676e4b6c7858e1c
# Reference: https://www.virustotal.com/gui/file/12f05d82487b9cee35476d8b8de81daf118014f195dd81d4219352fa08f0513e/detection

94.10.67.162:8080
gloa.in
/Qvt3YjpXH4k/

# Reference: https://www.virustotal.com/gui/file/f0dbd45e60816b6193ce17e15c74124bfd522f1a11333b95a917ebee46f39ea7/detection

73.84.232.188:8080
77.20.37.151:8080
/KmJo8so8904/

# Reference: https://www.virustotal.com/gui/file/e24a094c5e9ae8cb79c7575e07f60016425f7222efabaa89e2ae456095d2df7e/detection

173.54.51.210:8080
176.25.167.244:8080
77.20.37.151:8080
84.231.5.50:8080
/U81FxNWIdSB/

# Reference: https://www.virustotal.com/gui/file/ae33a1ebee017279112a029a33e771bb63a1780f7bf1ddc96d1f45d0fd30ff2a/detection

24.150.220.32:8080
/Su4WNNlh9N0/

# Reference: https://www.virustotal.com/gui/file/a090b38024ae69a32d0869bb28fd6d9d849c68968ff0fd9a648acc7cccca7dab/detection

109.250.7.127:8080
/TM9vBlPS2WX/

# Reference: https://www.virustotal.com/gui/file/96ff8e9a493b5d43010d6682960a7c9f3e6b4f3adc392bda4b8b80be722851aa/detection

172.124.74.77:8080
/JRfdc66PdMP/

# Reference: https://www.virustotal.com/gui/file/334863561713b7c59dd9f87348d3f4453ec2045166cb6d9afe82fcb0ddd5b7c3/detection
# Reference: https://www.virustotal.com/gui/file/83a69c1c951863a84d27749f5a0936ec436ee01867de291a413f642340e38051/detection

179.60.150.126:8080
216.48.162.99:8080
77.20.37.151:8080
/IzVtNTfU2xD/

# Reference: https://www.virustotal.com/gui/file/81183d996bf7ad22961480facd4865c523daedf4747dc2bfbdccd342d1dc84c9/detection

76.184.196.154:8080
/VSYQQV5alFZ/

# Reference: https://www.virustotal.com/gui/file/0a78ec57f50462d29f50319eb194b4294d386f561dbeae0bf633e5b0ad536b92/detection

/NRAMSGu6Xsk/

# Reference: https://twitter.com/1ZRR4H/status/1613068335104626690

2ipn.com
4w.pm
a5az.com
a7k.ro
c43p.com
hlv1.com
ubv5.com
v4a3.com

# Reference: https://twitter.com/BushidoToken/status/1616386734928928770
# Reference: https://www.virustotal.com/gui/file/e74cf1c88298d16af252c0ef6ce81fdbff4adae0226d5f962de4744016f1fcb6/detection

76.95.39.48:8080

# Reference: https://twitter.com/BushidoToken/status/1618611195266887683
# Reference: https://www.virustotal.com/gui/file/c8ff8a9793a99c0f6ac19a1a3bdcf6b34862a6e38a4130c7e1390752a20579a9/detection

61.244.156.107:8080
fgcz.net

# Reference: https://twitter.com/malwrhunterteam/status/1562081732983128064
# Reference: https://www.virustotal.com/gui/ip-address/58.177.98.79/relations
# Reference: https://www.virustotal.com/gui/file/5867549d009fbecef49d924ff55fe7e809583b7d72decf6bd49ef453e1366680/detection
# Reference: https://www.virustotal.com/gui/file/03f63afedfd4126975418147a2450ba510c7173f3cc1faf966dfd7ebfb2c81f2/detection

220.135.222.186:8080
37.103.169.218:8080
58.177.98.79:8080
3p.ms
6c.nz
7k.rs
a0.pm
/B/ZyqCiaZCij2tRl1yWkrtqckK1x/
/BNBH26SDSNM6upvcKpKobq9h6LM8S/
/ZyqCiaZCij2tRl1yWkrtqckK1x/

# Reference: https://threatfox.abuse.ch/browse/tag/raspberryrobin

118.167.131.52:8080
118.167.144.103:8080
218.221.150.148:8080
61.68.74.170:8080
naskk.myqnapcloud.com

# Reference: https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html

2jks.com
2kbq.com
3fvz.com
3lzj.com
6gcr.com
79r.nl
i1.pm
iyw5.com
j0.wf
l0.wf
p0.wf
v0.wf
w0iq.com
x1vl.com
yt6.ro
zf0.ro
zi9f.com

# Reference: https://twitter.com/1ZRR4H/status/1653873318510952448

13i6.com
4osq.com
7r6.nl
9b.nu
c4x.at
hv9.at
l45w.com
tu6p.com
z19.ro

# Reference: https://twitter.com/BushidoToken/status/1656293067064836096
# Reference: https://www.virustotal.com/gui/file/14d488d94656f25cec3a1011b37e352da9c8df1a46dfd419d7b529fd48b350f8/detection

80.78.24.30:8080
