# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Crimson RAT (APT36 / Transparent Tribe) C&C trails: host:port endpoints and attacker-controlled hostnames.
# Note: the hostnames on dynamic-DNS services (no-ip, ddns, duckdns, zapto, myftp, myfritz, ...) are attacker-specific subdomains; the shared provider domains themselves are not indicators and must not be matched on their own.
# Reference: https://twitter.com/Antelox/status/768023996923277312

193.164.131.58:10000

# Reference: https://twitter.com/James_inthe_box/status/1080521422823337984

193.42.107.7:3687

# Reference: https://twitter.com/ostinjohn/status/994560995615039488
# Reference: https://www.hybrid-analysis.com/sample/3aca697f1ac623ac970764dd1b248339d03f18acd5ba1b4a443ff9d5016f8e4e/5af3d6237ca3e179812bdfc5

178.238.230.52:3828
178.238.230.52:6828
178.238.230.52:11226

# Reference: https://twitter.com/Antelox/status/810488762140684288
# Reference: https://www.virustotal.com/gui/file/f0b27a8c47f6d9f82489e0e5fba75f70fab8acdbb63b05c93cb3cceec90295ae/community

37.48.84.229:9901

# Reference: https://twitter.com/Antelox/status/770613975662796803
# Reference: https://www.virustotal.com/gui/file/c88095a28fea80409da7b2fc601b4c68828f0d31b7faebe4453217887f9e3241/community

5.189.161.200:7865

# Reference: https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf (# Crimson C&C)

bhai123.no-ip.biz
bhai1.ddns.net
sudhir71nda.no-ip.org
178.238.228.113:7861
193.37.152.28:9990
213.136.87.122:10001
5.189.143.225:11114

# Reference: https://twitter.com/killamjr/status/1190456533588598784

139.28.36.82:53631

# Reference: https://twitter.com/DynamicAnalysis/status/1197938882026901504

5.196.210.44:33401

# Reference: https://twitter.com/DeadlyLynn/status/1213338265308155904
# Reference: https://www.virustotal.com/gui/file/6078b55381e39779f915032533a93d725bab98982b303998fa8ba2ecfc675737/detection
# Reference: https://www.virustotal.com/gui/file/ecd7d7a27a2a043919a233bb91e3b009c05b7c81ff132a7c29228e1c45d2b6a6/detection

167.114.138.12:6828

# Reference: https://twitter.com/DynamicAnalysis/status/1220432888019214337
# Reference: https://medium.com/@dinu135dk/revive-of-crimson-rat-6b8838920c02

160.20.147.59:2987
bjorn111.duckdns.org
newsupdates.myftp.org

# Reference: https://www.virustotal.com/gui/file/d27474625cdc0c3456918edfa58bfaf910c8b98c6168a506ac14afc1a41fb58f/detection

192.169.69.25:2987

# Reference: https://app.any.run/tasks/9ca972d6-3574-4d85-bd68-a9cd26c203ee/

185.140.53.91:6711

# Reference: https://twitter.com/malwrhunterteam/status/1229780080517357568

64.188.25.232:3263

# Reference: https://twitter.com/w3ndige/status/1235184651699998721
# Reference: https://www.virustotal.com/gui/file/370a108b98b8652aacd4acec5d140cab685291ad77e2a4a0821734aad614eb6a/detection

185.174.100.63:34891
185.174.100.63:3920
transfer-shopping-malls.webredirect.org

# Reference: https://app.any.run/tasks/8527edcf-6459-48f6-aee2-85eaf817571c/

198.46.177.73:6421

# Reference: https://twitter.com/killamjr/status/1232071072096239617
# Reference: https://app.any.run/tasks/2eeeb372-d6ba-4f9f-add7-8b1532f938ec/

alrazi-pharrna.com

# Reference: https://twitter.com/_re_fox/status/1236483115037704192

198.46.168.28:2581

# Reference: https://twitter.com/_re_fox/status/1235941826634354688
# Reference: https://app.any.run/tasks/d8b93681-2730-4d03-b796-c52562260328/

181.215.47.169:3368

# Reference: https://twitter.com/_re_fox/status/1232493185475104771

107.175.64.209:6728

# Reference: https://twitter.com/_re_fox/status/1232402275181703169

185.136.163.197:4442

# Reference: https://twitter.com/srcr/status/1232288977790668801

185.244.30.102:4590

# Reference: https://twitter.com/killamjr/status/1232071072096239617

185.244.30.102:4950

# Reference: https://twitter.com/_re_fox/status/1237740569293701120

64.188.25.205:3692

# Reference: https://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/
# Reference: https://otx.alienvault.com/pulse/5e6fa2a12088756147d24648

email.gov.in.maildrive.email

# Reference: https://app.any.run/tasks/7fe802ae-9d74-4e40-91e3-bb65cd06a458/

107.175.95.107:6790
westvalleyhospicecare.theworkpc.com

# Reference: https://www.virustotal.com/gui/file/9f7bc1ac97d28d614f9b1965709a284511b9b13f3bd9685707f8f377b949efe5/detection

78.159.131.80:10001
superingtest.zapto.org

# Reference: https://app.any.run/tasks/250c2c2d-fdfb-4f46-8565-a9b2538c1ace/

107.175.64.251:6286

# Reference: https://twitter.com/_re_fox/status/1280221170307137538
# Reference: https://app.any.run/tasks/3b6fa50a-2496-400e-b7cf-fd2d4d48f405/

173.212.226.184:3169

# Reference: https://app.any.run/tasks/26933c3a-127f-4b12-8396-8684d7bdec44/

185.136.161.124:8761

# Reference: https://twitter.com/JAMESWT_MHT/status/1290952335192195072
# Reference: https://www.virustotal.com/gui/file/f2e2cb71a06ac2a95a02168fc3d91f160e6e07ca19c5e6d3d708a9a486dd3f92/detection

193.142.59.56:1131
lawdvmercy.site

# Reference: https://www.virustotal.com/gui/file/6d3982d6c6ca753d6d1daa71d88678c07718dd1919a874959a0c7975619c37fc/detection

151.106.56.32:3561

# Reference: https://www.virustotal.com/gui/file/db37f6755e954367a3365c3264e3916e5fd00c4c3e4c609515fa8599d36ca681/detection

64.188.26.219:4820

# Reference: https://securelist.com/transparent-tribe-part-1/98127/
# Reference: https://www.virustotal.com/gui/file/a860ba3861df2ae0add2b695071c04468f83c0973525519d62679dd4cd4d0026/detection
# Reference: https://www.virustotal.com/gui/file/59c6721a5ec5f97ef9b35e17057a5edb4f0075d1430c0cbd3eecfd44ccfe272c/detection
# Reference: https://www.virustotal.com/gui/file/e4d1f8ff1282ac60adc0134aec2420aa652250ac8ddafe866e56d2fab165a132/detection
# Reference: https://www.virustotal.com/gui/file/d2cc95b72c3e72b3888e9fa35f6fe0563f9dbbd08b76d0c3546065ceca3c5961/detection

173.212.192.229:3364
173.212.192.229:8264
173.249.14.119:6865
newsbizupdates.net
uronlinestores.net

# Reference: https://twitter.com/ShadowChasing1/status/1298268550340067329
# Reference: https://twitter.com/CyS_Centrum/status/1298565025985069057

209.127.16.126:4768
209.127.16.126:6758
209.127.16.126:11066
209.127.16.126:14824
209.127.16.126:18614

# Reference: https://twitter.com/ShadowChasing1/status/1304347789917212672
# Reference: https://www.virustotal.com/gui/file/9e305566f7d342adc8eaf30471aa3eb95c049acffc742ae23a5830a44f96e51d/detection

185.174.102.105:2991
tasnimnewstehran.club

# Reference: https://www.virustotal.com/gui/file/a5f02bb70acdf335bed9c0fc8439ab3a220027a28c7eb44f459afda0ec7b62eb/detection

151.106.14.125:6818

# Reference: https://www.virustotal.com/gui/file/137c059adda4df22eb29785fada54ebc00a22d150bfdc423f87ff1f6093bd827/detection

185.136.161.124:11614

# Reference: https://www.virustotal.com/gui/file/87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad/detection

185.136.161.124:6128

# Reference: https://www.virustotal.com/gui/file/60d46513d3473c2cb4fdfcf64229f4e99d1e202a2f840503d77fa07978dcb025/detection

104.227.97.53:2548

# Reference: https://twitter.com/mg2_tracy1/status/1314754343124365312
# Reference: https://www.virustotal.com/gui/file/dba5d00a87ad96b74d234d1415ca5172285cd7d781556d45b6609fd738bfc747/detection

172.245.247.112:3878
172.245.247.112:5648

# Reference: https://www.virustotal.com/gui/file/e3fe87254b405fa132a52daf1651d2ff11296691131956bf3f0059031135dcdd/detection

45.147.231.191:3626

# Reference: https://twitter.com/_re_fox/status/1317499039932362753
# Reference: https://app.any.run/tasks/355396a2-6711-4750-98ec-e492625d4d54/

45.147.231.191:8226

# Reference: https://twitter.com/c3rb3ru5d3d53c/status/1338192738135789570
# Reference: https://www.virustotal.com/gui/file/47b99e50430e9abad7326d1837ecdda5f995112b0b12406d23df5ef603d52a4e/detection
# Reference: https://www.virustotal.com/gui/file/b9446d663f2aef34efdb579ae02e62923b5c3bc02b9d0fe537f5974ae439a422/detection
# Reference: https://www.virustotal.com/gui/file/5a449782c6d286a5af7fd5cbab5d5d46dd4dd153cbc46e4aeae0ea54f2785980/detection

64.188.12.126:6658

# Reference: https://app.any.run/tasks/b129aead-e7cb-4ba7-ba72-842644cf7c97/

173.212.246.247:4368

# Reference: https://twitter.com/_re_fox/status/1337411756818395136
# Reference: https://www.virustotal.com/gui/file/5920a3300107b7b1cf8c230a071a0e5f2f5ff5941a5c450ef911582a7ce08346/detection

45.32.151.155:6126

# Reference: https://twitter.com/ShadowChasing1/status/1369196724544106504
# Reference: https://www.virustotal.com/gui/file/4c8e0459524380a9f00ffc58913f461c3e1d8737dd18252881f09e2d416e4f73/detection

172.245.87.12:6276

# Reference: https://twitter.com/ShadowChasing1/status/1397419326160793600
# Reference: https://www.virustotal.com/gui/file/eb7c34343944a6ae52b052bb263d29e2c627368aeee2080da0481f33a72f2085/detection

142.105.157.110:8181

# Reference: https://twitter.com/teamcymru_S2/status/1402607930046832645

185.136.169.139:14565
185.136.169.139:20555
185.136.169.139:28443
185.136.169.139:4561

# Reference: https://www.virustotal.com/gui/file/5f736d23d5d7f7382afb78acdc3b125ec101c0629327fb9a7fc5545b32ec0c38/detection

167.160.166.80:12214
167.160.166.80:16441
167.160.166.80:18822
167.160.166.80:6288
167.160.166.80:8868

# Reference: https://www.virustotal.com/gui/file/e052a90bdb716da64928b1286d86b3670efe5192115175ba25bf0c191398323d/detection

104.144.198.105:12816
104.144.198.105:14572
104.144.198.105:16286
104.144.198.105:4289
104.144.198.105:6722

# Reference: https://www.virustotal.com/gui/file/899a755ff675dbbf66d8bbcf6300bca7aa0c13d794430a1173f6fdc5cb87bd66/detection

178.238.239.176:7624

# Reference: https://www.virustotal.com/gui/file/0335de8eadbbd5dc7cbe92ef869bcea6f6596ac39a38680142c982ec6e97ecde/detection

185.136.161.124:15822
185.136.161.124:17443

# Reference: https://twitter.com/RedDrip7/status/1486997244310351873
# Reference: https://www.virustotal.com/gui/file/cffb0b0695abe36c0d23894650214f9329c530703f52cf44bc8853ca79a107cf/detection

96.47.234.102:12961
96.47.234.102:20886
96.47.234.102:22668
96.47.234.102:5898
96.47.234.102:8796

# Reference: https://twitter.com/James_inthe_box/status/1488987814066753538
# Reference: https://app.any.run/tasks/c1ccd827-a257-4598-aa9b-5872cdc44a40/

92.12.144.246:5321

# Reference: https://twitter.com/0xrb/status/1491665998382247938
# Reference: https://www.virustotal.com/gui/file/d5484ddde1ea4aefcbf40f9845f911b059818ec0bb57d0d48922ed25d161e0ea/detection

78.138.107.166:16864

# Reference: https://twitter.com/0xrb/status/1492030514035060741

161.97.164.144:9168
164.68.108.169:16292
164.68.108.169:16484
164.68.108.169:6681
164.68.112.101:20864
164.68.96.32:8543
168.119.98.243:12184
173.249.14.119:12865
173.249.19.32:8866
173.249.50.243:22464
173.249.50.243:9248
185.136.161.169:18556
185.136.161.169:28443
185.136.169.214:11262
185.136.169.214:3561
185.136.169.214:8164
185.197.249.247:8543
207.180.227.55:10666
5.189.170.4:4268
5.189.170.4:8843
5.189.176.185:12262
75.119.133.15:10101
75.119.133.15:4401
75.119.133.15:8832
79.143.177.122:10468
79.143.177.122:14486
95.111.230.252:1051

# Reference: https://twitter.com/0xrb/status/1493467587619221507

139.28.36.77:2012

# Reference: https://twitter.com/PrakkiSathwik/status/1733923613437460525
# Reference: https://www.virustotal.com/gui/file/da298e4d09a9e151c6bf60e8ebfdd8fc2e633d078c705db768e3284acdad0678/detection

204.44.124.81:19182
204.44.124.81:20917
204.44.124.81:28791
204.44.124.81:26376
204.44.124.81:9159
adiptv.duckdns.org

# Reference: https://www.virustotal.com/gui/file/8ff61163c7b74653da80dd1990123dd1977a5ec4e774f0c2f47d37f1360a6a9d/detection

95.119.198.38:3898
r6xyvcqm04wp1i4p.myfritz.net

# Reference: https://www.virustotal.com/gui/file/ffa0b1fcdf51cc0851a0b878df16577ea180a9d245e31166d81670372bc8b338/detection
# Reference: https://www.virustotal.com/gui/file/feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767/detection
# Reference: https://www.virustotal.com/gui/file/b922698e7884f524cee2dd334f611b0cac193568c9de9f8073ef9c637f5833f0/detection
# Reference: https://www.virustotal.com/gui/file/b5db0dd322656c19a05bc78f3ce1d8bed30e72fb8c1ac5071fce4afa720f2696/detection
# Reference: https://www.virustotal.com/gui/file/7a07fbc4903e443f237fc7c99976a8cdb751a983860ea17b891a8c617a820ad0/detection
# Reference: https://www.virustotal.com/gui/file/2ab7a3c53e31187bab9675b184bf1e891bd76ceb2967b609a6aa66c4e7626419/detection

173.212.228.121:12460
173.212.228.121:16484
173.212.228.121:2836
173.212.228.121:5638
173.212.228.121:8626

# Reference: https://threatfox.abuse.ch/browse/malware/win.crimson/ (# 2024-01-01)

107.172.76.170:11408
119.157.27.213:16780
144.91.125.70:8489
144.91.72.22:8484
154.127.54.168:10019
160.20.147.56:6582
161.97.139.248:12262
161.97.139.248:8143
161.97.176.42:12184
161.97.176.52:12468
161.97.176.52:18584
164.68.112.101:14684
164.68.96.32:12861
167.86.71.146:3482
168.119.111.43:12184
173.249.0.199:12168
173.249.14.119:3285
173.249.50.57:2642
178.238.235.88:12536
185.137.122.104:8484
185.161.208.57:1912
194.163.139.252:4698
194.61.120.134:999
194.9.178.85:9109
198.23.144.126:10480
198.23.145.12:10480
198.23.210.211:4898
198.23.213.44:7776
23.226.132.105:6959
38.242.211.87:8143
45.14.194.253:10243
5.189.183.63:16568
62.171.130.47:2201
62.171.135.174:8589
66.154.103.101:9108
66.235.175.91:1051
66.235.175.91:23001
79.143.177.122:8682
79.143.181.178:8861
84.46.251.145:1717
84.46.251.145:901
91.229.77.1:999

# Reference: https://www.virustotal.com/gui/file/3cd76330e2cbcf7c37d6fc9d21779c60fd3552ba5d777a32ba49ca949379019f/detection

185.161.208.46:909
indiamails.info
