# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: elephantrat, gh0st, pcrat, smanagerrat

# Reference: https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html

bj6po.a1free9bird.com
beiyeye.401hk.com

# Reference: https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant
# Reference: https://otx.alienvault.com/pulse/5c9900511d123a6d16e75561/
# Reference: https://www.virustotal.com/gui/file/54f62979c8c7637af238093fbf204b1edb16e9ce7ca371f9f62c4039f934cede/detection
# Reference: https://www.virustotal.com/gui/file/d3dfa0f0582818e24caaccdda78c0b0833d30aa97a8ca9c43cacc7fe3bebab67/detection
# Reference: https://www.virustotal.com/gui/file/23414344a6c2afdec92a4679f7947b44498db151dff2822ca7c72d704c6e28e0/detection
# Reference: https://www.virustotal.com/gui/file/beade05902c2bd59b1aafe77e0a043766f5e507ac4024640f17ad1fe7c890d6c/detection
# Reference: https://www.virustotal.com/gui/file/cbd875b7f9516d4662526457c2132f17e4ac4596380202aac105bc3c146ea93a/detection
# Reference: https://www.virustotal.com/gui/file/d4dec64053fa6de0aa85fefd692ce71fb71d3cdd295e7169c8b9b9bd4210b023/detection
# Reference: https://www.virustotal.com/gui/file/ea49fbabc6f69ffc9f93993e3d7d5fe47f743fbdc1cc031557a8595fb1594d94/detection
# Reference: https://www.virustotal.com/gui/file/d4a21390dd9c85fe6f3b41038a4b270de055a30ad6f9500699775e3ae78d7fd1/detection
# Reference: https://www.virustotal.com/gui/file/77722a09b3cc0b17159e27433945548b3e6bd9160d4de4919b02ea6eea671111/detection
# Reference: https://www.virustotal.com/gui/file/8e1c369e8b470c9bad0aee715da300dda9a50db153a025b3c797c219d537bb68/detection
# Reference: https://www.virustotal.com/gui/file/6d79053611e0d0e2f586061636f337d27de51325b24070edefe08af7d9c5006d/detection
# Reference: https://www.virustotal.com/gui/file/88df6448d091acba48dfea761e5360d111f4f50acaf15b4bd2734d81a79ab21b/detection
# Reference: https://www.virustotal.com/gui/file/1f824c7b70667072964e4c08a372305cc78a0833beacad52b3e0d24a84e89065/detection
# Reference: https://www.virustotal.com/gui/file/0caf2987bca2ca7f644c2cb33099950eb8a5aebe03244ddf8de5e6f3fc8bf1cf/detection
# Reference: https://www.virustotal.com/gui/file/45a84d5bb8ce67685504a4409bf4604a500628e454e80ef3f3b832507a4cf855/detection
# Reference: https://www.virustotal.com/gui/file/af8f6c9a5a588e4d61913d54c2ae4fb3de2e50b43f57290b0657b11466a18779/detection
# Reference: https://www.virustotal.com/gui/file/dfe0e061279f0d67ba84bb4f945b0115b20759f6c48a91dd6c09782cb232266e/detection
# Reference: https://www.virustotal.com/gui/file/3b925244721054a15cbb845ba4b617e5c7c46d80ea1c78e7fa5d02bb2069553b/detection
# Reference: https://www.virustotal.com/gui/file/258b70d70b856484b65bdaaf4a5c23efb200b160af0babfb21ccd0679bd09749/detection
# Reference: https://www.virustotal.com/gui/file/d19bf8ad35b8d494e68ca817a324a4eac3d456a527c8963145e438db9c1e6924/detection

106.14.45.61:15963
106.14.45.61:18566
106.14.45.61:19637
106.14.45.61:19931
106.14.45.61:19932
106.14.45.61:19934
106.14.45.61:25553
106.14.45.61:25563
106.14.45.61:29931
106.14.45.61:3654
113.28.187.169:15963
113.28.187.169:18566
113.28.187.169:19931
113.28.187.169:3654
123.129.224.185:15963
123.129.224.185:18882
123.129.224.185:18883
123.129.224.185:19931
123.129.224.185:19932
123.129.224.185:3654
129.28.23.76:81
221.229.207.145:19931
221.229.207.145:3654
221.7.12.156:19637
221.7.12.156:19931
221.7.12.156:19932
221.7.12.156:19934
221.7.12.156:25553
221.7.12.156:25563
221.7.12.156:29931
221.7.12.156:3654
23.101.115.41:18566
23.101.115.41:19931
23.101.115.41:3654
43.229.153.122:19931
43.229.153.122:3654
58.218.66.180:19931
58.218.66.180:3654
60.169.10.86:15963
60.169.10.86:19637
60.169.10.86:19931
60.169.10.86:19934
60.169.10.86:25553
60.169.10.86:25563
60.169.10.86:29931
60.169.10.86:3654
61.147.125.184:19931
61.147.125.184:3654
95.211.102.25:19931
95.211.102.25:3654
mdzz2019.noip.cn
yuankong.info

# Reference: https://twitter.com/lazyactivist192/status/1112449219653193736
# Reference: https://www.virustotal.com/gui/file/f1cd38bbb504b38d115b5c127afa913572cef4233395416b5b08aff5f718cfea/relations

z-hacker-y.win

# Reference: https://twitter.com/Jan0fficial/status/1102912998975434752
# Reference: https://twitter.com/lazyactivist192/status/1168582672752566279
# Reference: https://pastebin.com/D2pUSzcS
# Reference: https://app.any.run/tasks/1837b1d1-a62c-4e1b-9223-b6d40dc32d9f
# Reference: https://www.virustotal.com/gui/file/2fcc9c48d5d8a5c6889ca3302fcaa9f6296a9e36b167526033a0371172ab1693/detection

haohai.hopto.org
ip.yototoo.com
116.196.18.237:8082
122.114.192.241:8082
139.196.209.127:923
183.104.6.120:923

# Reference: https://twitter.com/malware_traffic/status/949057588250865665
# Reference: http://www.malware-traffic-analysis.net/2018/01/04/index.html

etybh.com

# Reference: https://twitter.com/JAMESWT_MHT/status/843829412370046977

45.125.17.15:443

# Reference: https://medium.com/@Sebdraven/chineses-actor-apt-target-ministry-of-justice-vietnamese-14f13cc1c906

nicetiss54.lflink.com

# Reference: https://blog.talosintelligence.com/2019/06/threat-roundup-0607-0614.html (# Win.Trojan.Gh0stRAT-6993126-0)
# Reference: https://otx.alienvault.com/pulse/5d074c94248332bdb80099af

278267882.f3322.org
850967012.f3322.org
a3328657.f3322.org
a678157.oicp.net
cfhx.f3322.org
ddos-cc.vicp.cc
guduyinan.gnway.com
guduyinan.gnway.net
jie0109.hackxd.net
linchen1.3322.org
q727446006.gicp.net
touzi1616.com
xm974192128.3322.org
xueyang22.gicp.net
y927.f3322.org
zy520.f3322.org
sweety2001.dating4you.cn
paleb.no-ip.org
honeypus.rusladies.cn
marina99.ruladies.cn
youwave932.no-ip.biz
x.93ne.com
ns1.helpchecks.at
ns1.helpchecks.by
ns1.helpchecks.com
ns1.helpchecks.eu
ns1.helpchecks.info
ns1.helpcheck1.com
ns1.helpcheck1.net
ns1.helpcheck1.org
mskgh.ddns.net
yeswecan.duckdns.org
sabridz.no-ip.biz
mskhe.ddns.net
karem.no-ip.org
cdn.zry97.com
dmar-ksa.ddns.net
alkhorsan2016.no-ip.biz
amiramir.noip.me
katarinasw.date4you.cn

# Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0712-0719.html (# Win.Trojan.Gh0stRAT-7059563-0)

79575465.f3322.net
chhacke.win
cx820329965.f3322.net
e2.luyouxia.net
guxiaosen.f3322.net
labixiaoxin.e2.luyouxia.net
mf123.f3322.net
mingyemo.3322.org
yaoyao.f3322.net

# Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0719-0726.html (# Win.Dropper.Gh0stRAT-7073937-0)

1321.f3322.org
254143.f3322.net
53ca.meibu.net
feng12763.3322.org
jwl520.xicp.net
pass.5sfox.com
pzss.f3322.org
pzss.foxdos.cc
separa.f3322.org
wfs2015.f3322.net

# Reference: https://twitter.com/P3pperP0tts/status/1157179581348163584

haohai.ddns.net

# Reference: https://twitter.com/dcTavvy/status/1168906154602373122

154.221.22.25:8080

# Reference: https://twitter.com/killamjr/status/1196089316986032128
# Reference: https://app.any.run/tasks/3d38cda0-3987-49e4-aa1c-d72ecd82e997/

106.54.57.80:8080

# Reference: https://www.virustotal.com/gui/file/89e9b8338dcf5e6fedee17b76dd2416dc83f3e2476f0cea77de9f0fa56754f2c/detection
# Reference: https://www.virustotal.com/gui/file/80b01aa49dd4812b5a4b9d15bc8800c4ee1eeaea6897f6475e00d680771ae703/detection

106.54.57.80:80
106.54.57.80:94

# Reference: https://blog.talosintelligence.com/2019/12/threat-roundup-1129-1206.html (# Win.Dropper.Gh0stRAT-7414189-0)

107.163.241.193:6520
107.163.56.251:6658
host123.zz.am

# Reference: https://twitter.com/pancak3lullz/status/743123575146586112

183.61.165.228:8000
243145432.f3322.org

# Reference: https://twitter.com/securiteoff/status/739622863485931520

qqqq374281.f3322.org

# Reference: https://twitter.com/pancak3lullz/status/739619999334031360

115.239.229.196:8090

# Reference: https://twitter.com/lazyactivist192/status/1214302017981702144

1j5p551644.iok.la

# Reference: https://www.virustotal.com/gui/file/b8d20eeb7bc3ec8451c72b69b4d2defd9c3981be6cc8b6ba6935a1a724e6d041/detection

218.94.148.242:2015
218.94.148.242:2554

# Reference: https://www.virustotal.com/gui/file/c29621bf50fb69d65de52b6e41a590eb6f804359008324936b94b4e7ec59d812/detection

61.142.176.23:2014

# Reference: https://app.any.run/tasks/2624d66e-c37e-4f50-a199-c5eddd8a1cf1/

xilongxi.net
45.138.209.61:8080

# Reference: https://blog.talosintelligence.com/2020/02/threat-roundup-0131-0207.html (# Win.Worm.Gh0stRAT-7571319-1)
# Reference: https://www.virustotal.com/gui/file/c3d1a51bc8f0bd2dca95900d274d575d3d2fd50cdb128f78877d25a5beba7fc9/detection

67.198.149.218:6720
67.198.149.220:8590

# Reference: https://twitter.com/Vishnyak0v/status/1226873846504075264
# Reference: https://www.virustotal.com/gui/file/f96adc9e046ecc6f22d3ba9cfea47a4af75bcba369f454b7a9c8d7ca3d423ac4/detection

192.225.226.217:80

# Reference: https://www.virustotal.com/gui/file/4a7cf906c8cc871176d0702245953eeee5065f9651186cd8ae594e6835b8a8eb/detection

192.225.226.217:8443

# Reference: https://www.virustotal.com/gui/file/ade0514ccb90c39a61ab8a4c16818fbcd352984e2a26b2ffcd92165975e07fd5/detection

192.225.226.217:443
192.225.226.217:53

# Reference: https://app.any.run/tasks/3987798b-6cbe-4236-955e-2413166ef9f9/

137.220.135.36:8000

# Reference: https://app.any.run/tasks/0611a18e-76be-468a-bfc3-d9491b8f9003/

vip38000a.com
30.554205.com

# Reference: https://app.any.run/tasks/12956eb4-d209-4449-9e63-09ee83a64714/

183.236.2.18:8888
haidishijie.3322.org

# Reference: https://twitter.com/wwp96/status/1232326236636090370
# Reference: https://otx.alienvault.com/pulse/5e526a70e6dc03c41340eceb

425rt.rapiddns.ru
ref.tbfull.com

# Reference: https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf
# Reference: https://otx.alienvault.com/pulse/5e5542330b83d1a8b5dc1f27

cloud.newsofnp.com
load.collegesmooch.com
ssl.newsofnp.com

# Reference: https://www.threatcrowd.org/malware.php?md5=55d149450d27b69d3ad00287a9164c02

chdvks88.dns0755.net

# Reference: https://www.virustotal.com/gui/file/60d7cae08475fb78cab77e09df43468cc0f6d2f01f847fc7582f56731672b0e8/detection

101.200.58.177:16233

# Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0228-0306.html (# Win.Trojan.Gh0stRAT-7603864-1)
# Reference: https://www.virustotal.com/gui/ip-address/210.222.25.223/relations
# Reference: https://www.virustotal.com/gui/ip-address/113.214.1.34/relations

113.214.1.34:52
117.78.50.197:333
210.222.25.223:7718
210.222.25.223:7748
cq52.top
w1464642840.f3322.org
xiaoxinzadan.gicp.net

# Reference: https://www.virustotal.com/gui/file/fe4625e54603f5c382ab06f0ed1b231e23cbf5bd84f5c30d62e7978217ccea84/detection

210.222.25.223:8562

# Reference: https://www.virustotal.com/gui/file/a67acdaf14970b6fc528707c959554dc76e3869d4d63001fe4f3862e1ad21a05/detection

107.163.56.243:18963
107.163.56.246:18530

# Reference: https://www.virustotal.com/gui/file/370b81561ce4692c46baaa8f64c06d65dad9f816fdda51261a69bedcf93586b7/detection

107.163.56.250:18963

# Reference: https://www.virustotal.com/gui/file/a0eca39b75b4d86e2d363c3200c5b8e0542da3a94ca0e06294c356fab5a5d1c9/detection

107.163.56.245:18963

# Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0320-0327.html (# Win.Keylogger.Gh0stRAT-7639975-0)
# Reference: https://www.virustotal.com/gui/file/0349a3917f7f5a79f7edb0b0573acefcda39e51db6ff44456e339e88f422c129/detection
# Reference: https://www.virustotal.com/gui/file/4228b03f92fecdd4333d791397ea6dcf109b78ebd518165e5c424028511434da/detection
# Reference: https://www.virustotal.com/gui/file/64e9703811f78071523f5f493b2ea39435dcd405a20f6bc1ee644cb83dfd8917/detection
# Reference: https://www.virustotal.com/gui/file/89346a8fbd4d9fd02887a508c02e4d3a0b1f45dfa43672cf8dff84efef316a3c/detection
# Reference: https://www.virustotal.com/gui/file/5789ece7e834c45289e85ec65358f422b4562635a3a918b18e22ed4a64daddf3/detection
# Reference: https://www.virustotal.com/gui/file/5789ece7e834c45289e85ec65358f422b4562635a3a918b18e22ed4a64daddf3/detection
# Reference: https://www.virustotal.com/gui/file/0f1efaaa2da0908afd3582e9bac7e9542f3acaac422f4d22c0145cd6a7748a73/detection
# Reference: https://www.virustotal.com/gui/file/e7502dfbc56b998b54e0944758b3fe7b2dd55b06043764b1ebf36f280cb92344/detection
# Reference: https://www.virustotal.com/gui/file/c1d7a774961bd01b96e4d8161632af09b97e3a6f85325dfcd08173282cc819b1/detection

106.9.144.132:7777
106.9.146.161:7777
116.62.168.250:24649
123.207.217.39:90
129.28.191.60:8000
129.28.191.60:99
174.128.255.252:8000
183.131.80.101:90
43.248.201.209:27268
49.232.147.19:8080
8686.f3322.net
ccidc.f3322.net
qqqqdddd.e2.luyouxia.net
qyefeng.vicp.net
wzbbk.com

# Reference: https://blog.talosintelligence.com/2020/05/threat-roundup-0501-0508.html (# Win.Trojan.Gh0stRAT-7737919-0)

1.93.49.73:2012
104.143.150.115:2012
142.4.97.105:2012
155604.f3322.org
182.91.107.168:2012
192.210.63.230:2012
198.74.98.230:2012
aa7899.f3322.org
j8666.f3322.org
jiuyin.f3322.org
kingsir.6600.org
linlinwoaini.f3322.org
q1299771210.f3322.org
qq0104.gicp.net
songkeliang.eicp.net
vves.3322.org
wuer1985.9966.org
xiaoxiannv.gnway.net
xiaozijun.f3322.org
xyllz.com
yangman520.f3322.net
youlanxiangyin.vicp.cc
yzc110110.meibu.net
zuoyi5201314.5166.info

# Reference: https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html
# Reference: https://otx.alienvault.com/pulse/5edfe5c18832f5af1aaf33e3

45.76.6.149:443
comcleanner.info
mlcrosoft.site

# Reference: https://www.virustotal.com/gui/file/3179a8de034c4547ed9b45898cf60a73816e8b6363e53c7e8aeda0fe17499f1d/detection

103.133.177.250:4563
quasa.ddns.net

# Reference: https://www.virustotal.com/gui/file/68844c9403b2b7357050755b9729b21fd22bb4986b5cbf627685a59413c0e1ab/detection

103.40.101.68:4563

# Reference: https://www.virustotal.com/gui/file/42ee8000ef9f2084b5ecffb1d2ca8889615ec58856785eccab3c8f87c53178ae/detection

43.248.11.151:4243
pclient.ddns.net

# Reference: https://app.any.run/tasks/b584a05c-2f6d-47cf-83e7-657b2e0cf4b1/

http://118.107.47.110
118.107.47.104:8000
118.107.47.104:8001

# Reference: https://blog.talosintelligence.com/2020/10/threat-roundup-1009-1016.html (# Win.Packed.Gh0stRAT-9776529-0)
# Reference: https://www.virustotal.com/gui/file/086a43e783b6301d5758f43bce59a71908c7beb9f31afd3c88bde7d89081db6b/detection

122.114.28.118:3522
xmrminer.f3322.net

# Reference: https://app.any.run/tasks/be0fe876-bcf2-4de7-9ff0-9df1935d0e3b/

103.74.173.145:6688
pc.8686dy.com

# Reference: https://blog.talosintelligence.com/2020/11/threat-roundup-1030-1106.html (# Win.Dropper.Gh0stRAT-9786931-0)

1x1elma7.xiaomy.net
22i5b37672.51mypc.cn
2313u080t2.imwork.net
232mr66094.iok.la
26k4593i06.51vip.biz
273o4d5660.wicp.vip
27ow345733.wicp.vip
2z213948z7.iask.in
a731940742.gicp.net
y2291815a1.51mypc.cn

# Reference: https://app.any.run/tasks/4d47550f-cc3b-4b49-8af8-0ccad1760a9e/

27.124.10.245:4753
syy.skt-one.com

# Reference: https://twitter.com/wwp96/status/1327897784213794816
# Reference: https://app.any.run/tasks/e5baf985-6f1d-48ac-bcf2-1302d4a3086d/

143.92.57.83:8001
143.92.57.83:8080

# Reference: https://www.virustotal.com/gui/file/99d47a61b580eedd39efa6d6c7fb9d13fa1fca3c9fe628cee0f49f1c8f97e8db/detection

xiaohai2013.f3322.org

# Reference: https://otx.alienvault.com/pulse/5fc0eb77569dc57d9686fb39

graceland777.ddns.net
mitty1.freemyip.com
williamz20.ddns.net

# Reference: https://otx.alienvault.com/pulse/5fc8d47bae040ead5cfc4767

cloudbase-init.pw
compprotect.com

# Reference: https://twitter.com/lazyactivist192/status/1216814092725506049

zjq1993.meibu.com

# Reference: https://twitter.com/_re_fox/status/1238188943587377155
# Reference: https://app.any.run/tasks/f2118744-26c3-4523-8e82-d7203e3bb1e4/

193.203.215.52:2011
online.update--microsoft.com

# Reference: https://www.virustotal.com/gui/file/12d847b384f2aa42db19236178ccd18cf39feb4f18477e48b957816c537d854c/detection

104.149.136.66:2011
mail.update--microsoft.com

# Reference: https://www.virustotal.com/gui/file/b739076d107965600dfdb92536faa8638deb6d0dcfba5fc6e653ec12853c215c/detection

live.korearac.com

# Reference: https://www.virustotal.com/gui/file/4c652657944ba7f09a4dbeff95ea66d69f7d82c3bea44808e0428935c513273b/detection
# Reference: https://www.virustotal.com/gui/file/4ecc8864e91febef66a6efc6538749e29af715f1a61807b78cd25efebe372449/detection

107.175.137.138:59170
211.149.209.11:59170
lijiejie.nat123.cc

# Reference: https://blog.talosintelligence.com/2020/12/threat-roundup-1127-1204.html (# Win.Dropper.Gh0stRAT-9800485-0)

53074960.nat123.cc
bqcyyx.com
lht1361828085.3322.org
mingyemo.3322.org
seo.kfj.cc

# Reference: https://www.virustotal.com/gui/file/9b757b63b31061e0b77a31b5706911f223376283ace22140a415203cbe8040e3/detection

35084ea6.nat123.cc

# Reference: https://blog.talosintelligence.com/2020/12/threat-roundup-1204-1211.html (# Win.Dropper.Gh0stRAT-9802375-0)
# Reference: https://www.virustotal.com/gui/file/e347ced607de94a87801a27edc9b3faec0551829dbd78294748d93460e28346c/detection

118.193.233.10:7360
a13932873816.f3322.org
cescmouad.zapto.org

# Reference: https://twitter.com/wwp96/status/1337849110536347650
# Reference: https://app.any.run/tasks/8edcf322-5fba-49ea-a98e-dec554b3d9d0/

202.58.105.174:8000

# Reference: https://twitter.com/wato_dn/status/1356965355650863106
# Reference: https://twitter.com/kienbigmummy/status/1361965176451264517
# Reference: https://app.any.run/tasks/b91747ae-ea86-4875-9cbf-8a2b78487cc1/
# Reference: https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html

103.255.177.138:8080

# Reference: https://www.virustotal.com/gui/file/2fadd1cb04e54811ca3d3538b9833c254a31db8b875a96794d44aa49db3faa60/detection

43.248.201.209:21922
yg484698405.e2.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/dba5987cbe9958bb86bd08eeccdb72999e0327b032821c0b2df4ea5b537c4072/detection

43.248.201.209:29719
xiaok66.e2.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/429cd23868b064297dd5c536ea420152394b2b5210d8b1f6f1802d353759e7a6/detection

43.248.201.209:32520
xiaoren234.e2.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/e407517a144c10e6946082afded7cf7f6afbf4beb4808894fd6b7ac170830a85/detection

43.248.201.209:27140
mmp224460.e2.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/f711c717473bb221b7f39a6f13d2c1aaa9403f7fcc5791dc53c38468efead20d/detection

43.248.201.133:28672
hax0fdafda.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/9eed6ad63fd1688c0e906ef294a1c6f0489cb6356c3736584c12a34ceea0ff0d/detection

43.248.201.133:27731
damm25969.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/09291140c7cd8b73219fa7a95564ec75c54bbfea92dd92cbccfb47c6a7699736/detection

222.186.170.35:29802
zhangjian123.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/23ad910aadc455b38b41446ba7425cb891d00f3791d64c7cf8b2c7b47ddf1fe7/detection

43.248.201.133:2021
yindixiang.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/130a026be6e1c01d23c3a94052db892950dd00cf2195cc7e54d7e3add19f6278/detection

43.248.201.133:21727
fxd9988019.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/0a80a258c199b864b1de65ed260b2cfed02934eb1e51a45e89ae192fb3afa787/detection

43.248.201.133:28316
q3088429300.e1.luyouxia.net

# Reference: https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html (# Win.Trojan.Gh0stRAT-9831483-1)

aka.f3322.net
gyxin1314.xicp.net
god_xinghe.f3322.org
ljwser.xicp.net
nt520.f3322.org

# Reference: https://app.any.run/tasks/67e24e08-584b-4cca-a8a1-b1ca12f70e95/

125.65.79.5:5522
103.119.1.139:1987

# Reference: https://twitter.com/wwp96/status/1368417388543180800
# Reference: https://app.any.run/tasks/39d974b3-6fe0-4278-8695-98684eb35c1f/

113.212.91.178:4753
six.skt-one.com

# Reference: https://www.virustotal.com/gui/file/32f2fe76ed68ffaa93baaf3e05ab0cabb058c48a431974e2f8312e2661849a93/detection

45.154.198.168:4753
sy.skt-one.com

# Reference: https://www.virustotal.com/gui/file/91c422b4d9d826ff83ba875f46091c5907b61dcac8a7829ad25aebe181bdc359/detection

45.154.198.160:4753
mm.skt-one.com

# Reference: https://www.virustotal.com/gui/file/fd77950eb7f104dfef6eb7f535a5d324069e8f7fb7cca7057e67e427d248f1ff/detection

202.5.23.125:4753
ss.skt-one.com

# Reference: https://www.virustotal.com/gui/file/90085f7de94a2ca42f3f534d628318854d7dea91d97a4527ca5b3545fe75094b/detection

27.124.10.245:4753
syy.skt-one.com

# Reference: https://www.virustotal.com/gui/file/a99f4c0c9653bb121c9d6875b756203adf3e4d9086f2111e0fe0243355f26e36/detection

73.23.200.124:44579

# Reference: https://www.virustotal.com/gui/file/7f8742297042b4da3914c65c79bec5608eb166fe2034fa054f3d108f7d4f8131/detection
# Reference: https://www.virustotal.com/gui/file/2d26ef7b55e8345369b4e6c184441197304532dcf0557022431e5689fd2e9552/detection

113.212.90.152:4753
113.212.91.215:4753
tmh.skt-one.com

# Reference: https://www.virustotal.com/gui/file/4359b20a9570083d6126fc013d74d5fb65de09a628a287ae291cd3b7335eb5e3/detection
# Reference: https://www.virustotal.com/gui/file/ad101c55122b9bd5be2d5a64d27de50b1826b5908741355e1a28cf38cde79b79/detection
# Reference: https://www.virustotal.com/gui/file/ae90ea48bb6a9501de26f6d2763ead816047dab1bed91e5565c477113c63ddef/detection

103.135.101.189:4753
ax.skt-one.com

# Reference: https://www.virustotal.com/gui/file/2d3d7817dfaf66265cf2db4a3b8a1806394b74530ae36e7d6d3ad0ba95a0606e/detection

27.124.10.245:4753
ssy.skt-one.com

# Reference: https://blog.talosintelligence.com/2021/04/threat-roundup-0326-0402.html (# Win.Keylogger.Gh0stRAT-9847918-1)

36ho560717.wicp.vip
cn-xz-bgp.sakurafrp.com
lolsb.cn

# Reference: https://twitter.com/wwp96/status/1385603503998095361
# Reference: https://app.any.run/tasks/8b366bb8-90d3-422c-bf28-c20fad648817/

122.114.68.46:1990
39.103.200.111:14996
qjy888.f3322.net
ref.tbfull.com

# Reference: https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html
# Reference: https://www.virustotal.com/gui/file/55ade218a34f3e727186c9e9c645265f161d7a9b7f55a721ba29e6ef5c3a12da/detection

download.adobe-air.com

# Reference: https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html (# Win.Dropper.Gh0stRAT-9871236-0)

gaoshouzaimimang.f3322.org

# Reference: https://twitter.com/wwp96/status/1409713019802710029
# Reference: https://app.any.run/tasks/9de5a384-d5aa-4e56-9ead-6a6e63a3731b/

192.250.240.130:8000

# Reference: https://twitter.com/wwp96/status/1410328605389905923

103.194.104.94:8080

# Reference: https://www.virustotal.com/gui/file/156673535edad847a0bfaa2e3ed0d641b912b7c9704a576c458a968c9d64bb35/detection

160.20.147.36:2019
23.82.19.11:2019
cc.nainainainainainainainainainainai.com

# Reference: https://www.virustotal.com/gui/file/4c244d5aa5e534df85e0e56f4b7816029a9d03f26bbff03c1dbb4fec5366b8a4/detection

160.20.147.36:8888

# Reference: https://blog.talosintelligence.com/2021/07/threat-roundup-0716-0723.html (# Win.Malware.Gh0stRAT-9880225-1)

aaas0000.codns.com
adobeservice.codns.com
gkgk5421.codns.com
gkgk5544.codns.com
gmdals87.codns.com
guswns740.codns.com
sex5844.ddns.net
tmal44.codns.com
wldhr15.codns.com

# Reference: https://blog.talosintelligence.com/2021/08/threat-roundup-0730-0806.html (# Win.Trojan.Gh0stRAT-9882928-1)

zxl520.f3322.org

# Reference: https://www.virustotal.com/gui/file/f942f8d6fdc97692ed7f864732f4ef0a91f13116f85b56a651eab059f51e3fca/detection

bodyres.f3322.net
dahuilianglaile.f3322.net

# Reference: https://otx.alienvault.com/pulse/61c708f7de699b6b1d490dcd
# Reference: https://www.virustotal.com/gui/file/b70da60888ac5237fb74c6dd5fcbb4c4c1c0b26ab0ff5709339c629e54167a9a/detection

106.13.228.81:2025

# Reference: https://blog.talosintelligence.com/2021/09/threat-roundup-0910-0917.html (# Win.Dropper.Gh0stRAT-9892254-0)

107.183.41.149:3204

# Reference: https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html (# Win.Malware.Gh0stRAT-9893485-1)

qc4.pw
qqqzxc.win
tak9.win
tzzpt.win
wyx146.top

# Reference: https://www.virustotal.com/gui/file/85e4be57ce216b2123ba6ded2d65696bd7d6040ccf63fa7593fe4e2f64869e7a/detection

anonymousdzss.no-ip.biz
anonymousso.no-ip.biz
anonymousuhytsa.no-ip.biz
anonymusblack12.no-ip.biz
anthonycamis.no-ip.biz

# Reference: https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html (# Win.Dropper.Gh0stRAT-9899606-0)

110.34.174.66:8000

# Reference: https://blog.talosintelligence.com/2022/01/threat-roundup-1231-0107.html (# Win.Trojan.Gh0stRAT-9928675-1)

67.198.215.213:3204

# Reference: https://www.virustotal.com/gui/file/000a2ceaa0c6a10dadcece38e9b37f0b4e7adc0bb26936801f330ca1b7b56b1a/detection

107.163.241.197:12354
107.163.241.198:6520

# Reference: https://www.virustotal.com/gui/file/aeba2bd0382eb3e80387fdc5a0182175a50208922d6aab56f090968676e3b32f/detection
# Reference: https://www.virustotal.com/gui/file/c11430593fe348d7d2c6c2b5c38004af815e63c2ac87b1bcc09707499de5c160/detection

107.163.241.194:6520
107.163.241.195:12354

# Reference: https://www.virustotal.com/gui/file/a80c87e032a84b4a1df56f5a882b2da1f1f392208258648748277ddbe2749410/detection

107.163.241.191:16300
107.163.241.192:12354

# Reference: https://www.virustotal.com/gui/file/c2769cf66869f1207b0e1d498f541e66d47ba373306b8ff6728ed5ddaddd83d6/detection

107.163.241.189:12354
107.163.241.190:16300

# Reference: https://www.virustotal.com/gui/file/0debc35d129e03a8c856b14fba71671de04906b2de1546754396c63944a8ef00/detection

107.163.241.187:16300
107.163.241.188:12354

# Reference: https://www.virustotal.com/gui/file/09d56d1c1070532b70d5ea512849d432affe85e7e7a5d120e3c8a308e243b243/detection

107.163.241.185:16300
107.163.241.186:12354

# Reference: https://www.virustotal.com/gui/file/4f131307faa566c5780630e2f58beec65fef4f6e068d0834cdb0f6b99991ff9c/detection

107.163.241.183:16300
107.163.241.184:12354

# Reference: https://www.virustotal.com/gui/file/2b11428f8477dc1ab6e3aeafc8e8a4a749df748225ead91bcba07f946c8eae62/detection

107.163.43.143:12388
107.163.241.181:16300
107.163.241.182:12354

# Reference: https://www.virustotal.com/gui/file/72f947ca4affb5dc522b08c079fec7757412a3616abf333c73295f26e843ceeb/detection

107.163.241.179:16300
107.163.241.180:12354
107.163.56.110:18530

# Reference: https://www.virustotal.com/gui/file/c133d06d32d03a0a315455ecbc5845f242ee244068162fba160b63d614b6fc1c/detection

107.163.241.175:16300
107.163.241.176:12354

# Reference: https://www.virustotal.com/gui/file/04370baf78b59a171007f518b3eb4d5854637f8c036ad7022d078af4abef8980/detection

107.163.241.202:12354
krnaver.com

# Reference: https://twitter.com/honeymoon_ioc/status/1487546093911085070
# Reference: https://twitter.com/vinopaljiri/status/1487653340699844610
# Reference: https://tria.ge/220129-1rwgysaabj/behavioral1
# Reference: https://www.virustotal.com/gui/file/5c07770e22f6b69b150d3b43f2ef2145020f73738d3ba4610932189a0b62927e/detection

185.199.224.169:8145
185.199.224.169:9090
exiles.site

# Reference: http://blog.talosintelligence.com/2022/02/threat-roundup-0128-0204.html (# Win.Packed.Gh0stRAT-9937867-1)

98.126.40.18:3204

# Reference: https://www.virustotal.com/gui/file/004744315ef2277a8bd1078173fe88080a97a91dbe0e37ff9fdea7701151f191/detection

107.163.56.241:18530
107.163.56.240:18963

# Reference: https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html
# Reference: https://otx.alienvault.com/pulse/615c2a13c152c6c325889282

tftpupdate.ftpserver.biz

# Reference: https://www.virustotal.com/gui/file/4cf08b61835581ebafacd5913eba5d5c743d500c005fe23238650e011ce180f7/detection
# Reference: https://www.virustotal.com/gui/file/7d080b7bcd89791afd112738c5d40af4d41a0ef84dde15a906cad764df8ef20b/detection

http://45.125.218.178
http://45.125.218.179
45.125.218.178:8000
45.125.218.179:8000

# Reference: https://blog.talosintelligence.com/2022/04/threat-roundup-0422-0429.html (# Win.Trojan.Gh0stRAT-9946565-1)

1sf.8800.org
black123.gnway.net
ddos.zhanglianlian.com
hao.2sqj.com
l.emp666.org
one2ada.f3322.org
senlin1996.3322.org
shiyong.8866.org
sszhuan.3322.org
vip.523sew.com
yangzihouyuanhui.6600.org
yplinfo.gnway.net

# Reference: https://twitter.com/1ZRR4H/status/1523791593278345217

154.23.191.157:5896
nishabii.live

# Reference: https://www.virustotal.com/gui/file/28114eb0261850e8d744be4605b506cd2058ca3acd7c2da7387464f038f4c438/detection

223.171.55.127:1999

# Reference: https://tria.ge/220423-hdggrsaha2/behavioral2

144.202.74.176:2012
asd1738402137.f3322.org

# Reference: https://tria.ge/220425-z1573sddd3/behavioral2

3.13.191.225:14136

# Reference: https://tria.ge/220427-bncs1afad6/behavioral2

171.38.77.97:42419
171.38.77.97:42420
171.38.77.97:42421
chaofeng1.f3322.org

# Reference: https://www.virustotal.com/gui/file/d9d1d2c440fffc40d5ac6abeb16bb83cc98267b0130637e54b8e79e22dce87e4/behavior/Microsoft%20Sysinternals

154.23.182.128:8089

# Reference: https://www.virustotal.com/gui/file/cec8082b581df5a734ff3d6c6582c94fa1cb12f08c3bd3390a4c58960dd1de8f/behavior/VirusTotal%20Jujubox

23.224.97.111:5555

# Reference: https://www.virustotal.com/gui/file/f563029f4a88368711eed2b7acbdf244cc865027945407098c3bc7e2e504d2c6/behavior/VirusTotal%20Jujubox

134.175.141.126:2022

# Reference: https://www.virustotal.com/gui/file/39af9d875717c9a93fbe97fdd5f5b5da1d7dbb76cae14fdeeae4556da9827813/behavior/C2AE

216.83.45.203:7500

# Reference: https://www.virustotal.com/gui/file/f75d645400b91e9b1ea1f1f3f4806c1f59b378399684e1a499061b79724a0a68/behavior/Microsoft%20Sysinternals

110.186.58.114:9797

# Reference: https://www.virustotal.com/gui/file/a09ff60f0acaef699dc08ee06aac0bdc9a6ab4c1427b15dace33752ab753f92c/behavior/Microsoft%20Sysinternals

193.218.38.158:8080

# Reference: https://www.virustotal.com/gui/file/95e5988e40f7655cd95b70b5ae927ca25ac8ceb486117bd933fbfabe5456bf3e/behavior/VirusTotal%20Jujubox

43.248.201.133:21328
a798370668.e1.luyouxia.net

# Reference: https://www.virustotal.com/gui/file/a120d80235eccb05e995c3f6d72acf3c89e5b8809a72f366bc01171e40d69608/behavior/Dr.Web%20vxCube

103.194.104.10:8089

# Reference: https://blog.talosintelligence.com/2022/05/threat-roundup-0506-0513.html (# Win.Malware.Gh0stRAT-9949686-0)

1.15.252.63:3339

# Reference: https://blog.talosintelligence.com/2022/05/threat-roundup-0520-0527.html (# Win.Dropper.Gh0stRAT-9950358-1)
# Reference: https://www.virustotal.com/gui/file/05a9987be765d374c21143d6aa92ed0b6405e28bd96291375cf0d28f21a165ec/detection
# Reference: https://www.virustotal.com/gui/file/188328a03eafa8a5ab8e1fcd971e10eacb6fe4428741fb72e8a965cdda850f0d/detection
# Reference: https://www.virustotal.com/gui/file/388d77e4fa716c49dde738b8897b7ed13313a6800155de7d388e59cd23eebab7/detection

154.221.21.125:65004
nianqing.xyz
yckz.5453.top

# Reference: https://www.virustotal.com/gui/file/999e537d3fe2789a074121cee8f83d6858ca7d0baf7b54e6e24ed5f91a231444/detection

47.97.103.217:2012

# Reference: https://twitter.com/r3dbU7z/status/1624977660735528962
# Reference: https://www.virustotal.com/gui/file/12b71b648d7b07fcd01b954e2615e21548e7c818effa5748dfa20fbba08d2ef2/detection

182.92.235.68:1990

# Reference: https://otx.alienvault.com/pulse/63f361ef1a12fc11df419438

lanzuanpay.xyz

# Reference: https://twitter.com/wwp96/status/1627448220182872064
# Reference: https://app.any.run/tasks/33efb5a3-5668-44bb-a98d-e24ee0510a54/

114.96.97.0:1997

# Reference: https://twitter.com/wwp96/status/1630019574816182272
# Reference: https://app.any.run/tasks/8fb9ad39-57dc-444d-88d8-d71ac942cddc/

47.94.241.76:43

# Reference: https://twitter.com/wwp96/status/1630343778367344640
# Reference: https://app.any.run/tasks/93bad3ed-b2d5-4e2a-9c02-f1b8c9c3d889/

58.221.57.142:7777

# Reference: https://twitter.com/wwp96/status/1632152368178659328
# Reference: https://app.any.run/tasks/3bbe3ab0-33d4-4248-bd12-d52d368f804a/

39.109.113.141:7777

# Reference: https://twitter.com/0xToxin/status/1633009525530800131
# Reference: https://app.any.run/tasks/2d6ac745-bdbe-401b-9099-f5d1d5ee63d5/

http://124.220.35.63
103.127.83.43:8225

# Reference: https://twitter.com/JAMESWT_MHT/status/1633019264675241984
# Reference: https://www.virustotal.com/gui/file/05974133505a3e988edff7e6f12db30b978a7b1f222aa180bc37cae4fa235633/detection

124.220.35.63:8880

# Reference: https://www.virustotal.com/gui/file/79a46b45d026b26a52c76fd5729a7dbd43a3c3233300c0624122cd578dd6c0b8/detection

124.220.35.63:8081

# Reference: https://www.virustotal.com/gui/file/cb321addb3a80115ca704ce53d3d395ab9ff994863c8e04ad4e6082def455113/detection

124.220.35.63:8001

# Reference: https://twitter.com/pollo290987/status/1654581586342338560
# Reference: https://www.virustotal.com/gui/file/f1b2416eafb95e5e027569b21e575c5c19c8994b26c5be785c833d18c77488ed/detection

111.92.242.184:2200

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/

http://2.58.64.219
101.132.125.131:8000
101.43.124.250:16823
103.145.86.39:7777
103.145.86.6:7777
103.145.87.50:7777
103.163.46.120:10086
103.193.188.98:8000
103.193.192.90:8000
103.20.193.166:2015
103.21.117.137:7375
103.25.19.32:9735
103.37.1.131:443
103.45.138.180:1369
103.46.128.46:26098
103.99.63.138:8900
104.232.98.28:2222
107.175.50.207:20327
110.249.156.50:9522
110.76.158.75:11024
114.110.198.107:8886
114.110.198.107:8889
114.110.208.215:7747
115.231.218.18:12611
115.236.153.170:11302
115.28.142.7:2433
116.62.165.107:5555
118.121.184.235:8023
118.184.169.48:80
121.4.122.206:37936
123.160.10.39:60756
123.57.186.60:8088
123.99.198.201:12611
125.240.117.220:2221
125.65.79.5:7777
129.211.208.176:8000
13.58.157.220:16180
139.155.178.173:19060
150.242.98.19:29514
154.204.209.197:8008
154.221.18.47:7777
154.221.30.106:7777
154.39.66.37:18443
156.234.127.6:8000
171.38.76.144:42421
175.107.89.72:8287
18.189.106.45:10874
183.105.164.105:10798
183.236.2.18:1031
183.236.2.18:1212
183.236.2.18:12588
183.236.2.18:1300
183.236.2.18:1415
183.236.2.18:17
183.236.2.18:1980
183.236.2.18:1989
183.236.2.18:1994
183.236.2.18:1997
183.236.2.18:2007
183.236.2.18:2011
183.236.2.18:2222
183.236.2.18:2223
183.236.2.18:3565
183.236.2.18:44
183.236.2.18:4821
183.236.2.18:512
183.236.2.18:5408
183.236.2.18:6000
183.236.2.18:61
183.236.2.18:6666
183.236.2.18:7001
183.236.2.18:7308
183.236.2.18:7732
183.236.2.18:7740
183.236.2.18:800
183.236.2.18:8000
183.236.2.18:8001
183.236.2.18:8084
183.236.2.18:81
183.236.2.18:8181
183.236.2.18:83
183.236.2.18:8312
183.236.2.18:8686
183.236.2.18:8786
183.236.2.18:8787
183.236.2.18:9820
202.163.158.147:9735
210.97.234.97:13966
211.173.73.165:2333
219.153.12.4:8786
23.106.215.217:1017
23.225.73.110:8000
23.251.41.162:7777
3.134.125.175:14136
3.134.39.220:14136
3.14.182.203:14136
3.141.177.1:10874
3.142.81.166:16180
3.17.7.232:14136
3.22.30.40:14136
38.181.58.21:8000
38.47.204.154:7777
43.129.192.59:7777
43.142.38.153:8520
43.249.195.178:9595
43.255.241.176:1337
45.153.241.207:1016
47.112.163.50:8086
47.114.98.223:8888
58.138.234.82:9065
58.138.247.121:7745
58.138.247.121:8286
58.138.247.121:8287
58.138.247.121:8288
58.158.177.102:4116
58.221.72.142:7777
61.160.236.44:9015
188s.co
s7.188s.co

# Reference: https://twitter.com/sicehice/status/1689863652122255360
# Reference: https://www.virustotal.com/gui/file/21c3b30041dc16f6fb0fe758c4cd1767e272133ff45dd21aee22506e6d9199aa/detection

193.142.58.208:443
193.142.58.208:8888

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2023-08-23)

103.145.86.153:6000
88.218.195.109:60601

# Reference: https://threatfox.abuse.ch/ioc/1151937/

82.157.254.217:8000

# Reference: https://threatfox.abuse.ch/ioc/1151949/

123.99.198.201:20973

# Reference: https://threatfox.abuse.ch/ioc/1152213/

115.236.153.170:58669

# Reference: https://threatfox.abuse.ch/ioc/1152289/

115.236.153.181:41719

# Reference: https://threatfox.abuse.ch/ioc/1152321/

60.247.148.188:2023

# Reference: https://threatfox.abuse.ch/ioc/1155822/

115.236.153.170:41719

# Reference: https://twitter.com/naumovax/status/1703765086014152778
# Reference: https://twitter.com/naumovax/status/1704062570510877176
# Reference: https://www.virustotal.com/gui/file/e7eb91b0994a94a22d4a27f9cd85997d4570ffe2e1c02a690930e78486b7d43e/detection
# Reference: https://www.virustotal.com/gui/file/c161bedddebc92c399f6bd8edf0005e3e594c635a2ac6d072a46d4a0232251ec/detection

103.218.0.125:6000
124.222.139.41:6000
163.197.241.150:6000
27.124.3.48:6000
34.92.223.98:6000
38.55.186.235:6000
8.218.169.130:6000

# Reference: https://threatfox.abuse.ch/ioc/1164419/

47.111.82.157:53637

# Reference: https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape
# Reference: https://www.virustotal.com/gui/ip-address/103.59.103.99/relations
# Reference: https://www.virustotal.com/gui/file/2fd76b7c461cfa5d1cbc0a753cc408e9787df2f176407ac4ab7ad99733b44f06/detection
# Reference: https://www.virustotal.com/gui/file/1e792148cee06743f14b0e96d3cc3c2cc81353af5344b61294b64bd56dc35489/detection
# Reference: https://www.virustotal.com/gui/file/43e21ba4a2290cfedfce1acff67f6a14b8020a6a8672165bb8c235ccb8f81e1a/detection
# Reference: https://www.virustotal.com/gui/file/0ac2f42a2e07a6c5fd6e4f1272e714ef98f85ee8150ee705092df4a338aef24a/detection

http://103.145.22.215
http://178.236.42.11
http://27.124.12.21
http://45.119.52.243
103.105.23.34:3368
103.59.103.99:3366
27.124.12.2:3367
bitoke.top
bitokex.top
haoyun2.top
fakaka16.top
kakasone.top
rus3rcqtp.hn-bkt.clouddn.com
/5555/cdyxf.png
/5555/ty.txt
/6700/cdyxf.png
/6700/ty.txt
/7788/cdyxf.png
/7788/ty.txt

# Reference: https://app.any.run/tasks/a7d9af4e-7c0e-4bc1-844a-cef9b3ac3617/

bensonman-1318879887.cos.accelerate.myqcloud.com

# Reference: https://twitter.com/naumovax/status/1711430493822976216
# Reference: https://twitter.com/Jane_0sint/status/1711716833970020835
# Reference: https://app.any.run/tasks/38e0a2e7-fb09-4e3b-8c6a-081821e24a0d/

122.10.15.8:7060
164.88.140.82:7000
27.124.6.64:7700
38.165.9.247:7000
38.6.160.10:7000

# Reference: https://twitter.com/naumovax/status/1712461549494014420
# Reference: https://app.any.run/tasks/4f50dd6b-99a6-4b46-b0ee-40c9eb82ab07/
# Reference: https://www.virustotal.com/gui/file/9ee6e44f1d3444f3d17614273d11cd9e373f7bec152be4de262da9e8a3a07d07/detection

http://134.122.138.2
134.122.138.2:2023

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2023-10-13)

1.13.249.49:7070
103.148.245.125:999
106.52.216.65:999
106.55.28.59:5688
115.236.153.170:32592
116.63.35.42:12000
121.5.136.143:2012
123.99.198.130:12323
123.99.198.130:12611
124.222.227.63:12345
124.223.199.81:8808
124.248.67.83:12323
124.248.67.83:12611
125.229.22.79:3456
125.229.22.79:3458
144.202.74.176:81
180.97.238.254:8000
202.63.172.122:47779
202.95.8.183:8888
211.101.247.155:8000
222.222.106.47:8008
38.181.20.78:6000
47.111.82.157:42090
51.222.230.191:443
61.147.199.238:8000
85.214.255.25:53

# Reference: https://twitter.com/g0njxa/status/1715081804649046128
# Reference: https://app.any.run/tasks/1246e115-7cd2-4b91-8723-f61bd9bd5b8a/
# Reference: https://www.virustotal.com/gui/file/d565948a3b1b0d86166b62553864a7739284a292cc9c832fddf696bb274f8166/detection

195.130.202.155:450
195.130.202.232:8004

# Reference: https://threatfox.abuse.ch/ioc/1195820/

106.12.126.136:8086

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2023-11-01)

103.71.154.163:6000
121.22.243.241:47779
121.62.16.112:8000
156.224.27.167:8000
61.147.93.153:999
10-10.telecgram.com
10.cmananan.com
15.cmananan.com
17.cmananan.com
30.cmananan.com
3005.qmananan.com
3009.qmananan.com
3010.qmananan.com
3011.qmananan.com
3012.qmananan.com
3013.qmananan.com
3015.qmananan.com
3016.qmananan.com
4.cmananan.com
482e6192z0.goho.co
6.cmananan.com
6x514937w5.goho.co
6xj.telegramh.net
7001.aadaa1.cc
7002.aadaa1.cc
7003.aadaa1.cc
792c682w73.goho.co
a2.aadaa1.cc
aadaa1.cc
chao1323301.e1.luyouxia.net
cmananan.com
hdalulnc.e3.luyouxia.net
hei.xjbtv.com
hk.yunpingbao.com
kekn.asselst.com
knight114.e1.luyouxia.net
kyy1010.e1.luyouxia.net
lfh520.e1.luyouxia.net
lfh521.e1.luyouxia.net
lyh111.e3.luyouxia.net
nmslcnmsb1.e2.luyouxia.net
nzh995188.e2.luyouxia.net
op114514.e1.luyouxia.net
player1.e3.luyouxia.net
qmananan.com
rere.e3.luyouxia.net
sccwangluo.asselst.com
shaoshuai3.top
shengfutong-pay.com
t1492261251.e1.luyouxia.net
telecgram.com
telegramh.net
vb147258.e1.luyouxia.net
wangchenchao.e1.luyouxia.net
xy1.youjucan.com
zhj08.e2.luyouxia.net
zhodaji.com

# Reference: https://threatfox.abuse.ch/ioc/1198075/
# Reference: https://www.virustotal.com/gui/ip-address/20.96.151.88/detection

http://20.96.151.88

# Reference: https://www.virustotal.com/gui/ip-address/51.222.230.191/relations

http://51.222.230.191
51.222.230.191:443

# Reference: https://www.virustotal.com/gui/ip-address/146.59.220.235/relations

http://146.59.220.235
146.59.220.235:443

# Reference: https://www.virustotal.com/gui/ip-address/54.38.116.47/relations

http://54.38.116.47
54.38.116.47:443

# Reference: https://threatfox.abuse.ch/ioc/1199251/

http://211.149.226.68

# Reference: https://www.virustotal.com/gui/ip-address/184.73.185.248/detection

184.73.185.248:443

# Reference: https://www.virustotal.com/gui/ip-address/94.191.187.105/detection

http://94.191.187.105

# Reference: https://www.virustotal.com/gui/ip-address/46.32.37.132/detection

http://46.32.37.132

# Reference: https://www.virustotal.com/gui/ip-address/213.179.32.9/detection

http://213.179.32.9

# Reference: https://www.virustotal.com/gui/ip-address/222.190.108.207/detection

222.190.108.207:443

# Reference: https://www.virustotal.com/gui/ip-address/109.190.79.33/detection

http://109.190.79.33

# Reference: https://www.virustotal.com/gui/ip-address/149.210.20.118/detection

149.210.20.118:443

# Reference: https://www.virustotal.com/gui/ip-address/163.44.43.131/detection

http://163.44.43.131
163.44.43.131:443

# Reference: https://www.virustotal.com/gui/ip-address/180.184.71.135/detection

http://180.184.71.135

# Reference: https://www.virustotal.com/gui/ip-address/180.184.71.135/community

http://180.184.71.135
180.184.71.135:443

# Reference: https://www.virustotal.com/gui/ip-address/52.61.168.199/community

http://52.61.168.199

# Reference: https://www.virustotal.com/gui/ip-address/87.26.121.156/community

http://87.26.121.156

# Reference: https://www.virustotal.com/gui/ip-address/37.255.148.139/detection

http://37.255.148.139
37.255.148.139:443

# Reference: https://www.virustotal.com/gui/ip-address/149.210.4.170/community

149.210.4.170:443

# Reference: https://www.virustotal.com/gui/ip-address/220.90.135.156/community

220.90.135.156:443

# Reference: https://www.virustotal.com/gui/ip-address/149.210.74.229/community

149.210.74.229:443

# Reference: https://www.virustotal.com/gui/ip-address/114.35.162.47/community

http://114.35.162.47

# Reference: https://www.virustotal.com/gui/ip-address/54.233.162.122/community

http://54.233.162.122

# Reference: https://threatfox.abuse.ch/ioc/1204672/

43.248.137.153:8000

# Reference: https://threatfox.abuse.ch/ioc/1206321/

47.92.53.65:13155

# Reference: https://threatfox.abuse.ch/ioc/1206537/

yy3088429300.e2.luyouxia.net

# Reference: https://twitter.com/naumovax/status/1730567945862995981
# Reference: https://tria.ge/231125-paex4aba7y/behavioral1
# Reference: https://tria.ge/231127-snxxlshd37/behavioral1

103.216.155.149:44156
192.252.181.27:13150
xingxing.asselst.com

# Reference: https://www.virustotal.com/gui/ip-address/100.20.96.2/relations

http://100.20.96.2

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2023-12-10)

103.165.81.82:10086
103.45.128.143:8000
104.37.185.125:6543
107.151.244.80:6000
134.122.135.75:8000
134.122.135.81:8000
143.92.40.173:6108
149.88.73.191:8000
154.23.141.34:8000
154.55.135.102:6666
154.55.135.102:8888
163.181.92.82:1688
206.233.128.72:8899
43.136.78.18:8000
dlink.host
gettimi.top
book.cookielive.top
new.gettimi.top
q3472884397.e2.luyouxia.net

# Reference: https://twitter.com/naumovax/status/1734225709994803206
# Reference: https://tria.ge/231204-mefdbaae3w
# Reference: https://www.virustotal.com/gui/file/e847385dc200a5a101344a0912de4766cbd97aedfd7f4fa3a0c69e39025fd2fa/detection
# Reference: https://www.virustotal.com/gui/file/e1e94dd9014aa9707605fbde38d2e3753dc8b23da507344d45416ba9583da31e/detection
# Reference: https://www.virustotal.com/gui/file/9883f7808137667b448dbb4ce94c7202af626f4e34e021b581173e666ac6d8c8/detection

http://1.14.71.246
1.14.25.37:1443
1.14.25.37:1444
139.186.228.218:443

# Reference: https://www.virustotal.com/gui/ip-address/89.247.50.50/community

http://89.247.50.50

# Reference: https://www.virustotal.com/gui/ip-address/89.247.50.206/community

http://89.247.50.206

# Reference: https://twitter.com/naumovax/status/1738198104996774145
# Reference: https://www.virustotal.com/gui/ip-address/202.63.172.17/relations
# Reference: https://tria.ge/231212-kwqjhaabgj/behavioral2
# Reference: https://www.virustotal.com/gui/file/bf5a41c08bbc65bac437d651c7334a8ea6c2113a6fa20c817a1c5623124da047/detection

202.63.172.17:27100

# Reference: https://tria.ge/231205-qkdnfsbe87/behavioral1
# Reference: https://twitter.com/naumovax/status/1740305905990971642

http://38.54.25.23
http://49.129.12.59
1.14.70.108:8668
103.207.166.117:13842
206.238.199.226:8668
206.238.221.105:8668
38.60.204.65:53261
45.112.206.130:18496

# Reference: https://www.virustotal.com/gui/ip-address/18.136.0.29/community

http://18.136.0.29

# Reference: https://www.virustotal.com/gui/ip-address/106.38.221.252/relations

http://106.38.221.252

# Reference: https://www.virustotal.com/gui/ip-address/18.170.11.119/relations

http://18.170.11.119

# Reference: https://www.virustotal.com/gui/ip-address/34.211.241.194/community

http://34.211.241.194

# Reference: https://www.virustotal.com/gui/ip-address/83.22.228.184/community

http://83.22.228.184

# Reference: https://twitter.com/ShanHolo/status/1746848612120744282
# Reference: https://www.virustotal.com/gui/file/3a33ee8017eeb09a4e9d416370172d49691ddf1d2e2c9388de53a4816b78d25a/detection

http://45.150.67.155
http://64.176.37.64
http://8.219.91.175
http://80.92.205.55
45.150.67.155:443
64.176.37.64:443
8.219.91.175:443
80.92.205.55:443

# Reference: https://www.virustotal.com/gui/ip-address/54.200.228.98/community

http://54.200.228.98

# Reference: https://threatfox.abuse.ch/ioc/1231443/

129.204.53.10:8081

# Reference: https://www.virustotal.com/gui/ip-address/89.247.50.125/community

http://89.247.50.125

# Reference: https://www.virustotal.com/gui/ip-address/217.31.202.98/community

http://217.31.202.98

# Reference: https://www.virustotal.com/gui/ip-address/13.245.184.253/community

http://13.245.184.253

# Reference: https://www.virustotal.com/gui/ip-address/188.127.24.220/community

http://188.127.24.220

# Reference: https://www.virustotal.com/gui/ip-address/89.247.50.191/community

http://89.247.50.191

# Reference: https://www.virustotal.com/gui/ip-address/100.21.141.96/community

http://100.21.141.96

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2024-03-24)

http://175.203.14.166
http://221.159.15.231
1.92.90.232:8000
110.42.102.82:6688
111.67.195.90:6000
115.231.218.42:14363
123.99.198.201:20064
124.248.69.29:14363
156.236.72.163:8000
175.24.197.196:8001
18.158.249.75:14210
18.192.31.165:14210
198.44.174.170:10086
198.44.174.232:10086
216.83.40.187:7777
3.124.142.205:14210
3.125.223.134:14210
42.237.24.42:7899
42.237.25.52:7899
43.248.129.152:8000
8.130.11.62:8000
54412.e3.luyouxia.net
66ddjkr.e3.luyouxia.net
ad2916985983.e2.luyouxia.net
asjidoaiosdjo.e3.luyouxia.net
cn-he-plc-2.openfrp.top
fdsfhkjf.e3.luyouxia.net
gx121.e1.luyouxia.net
hfs666.top
i.wanna.see.20242525.xyz
kx5555.e3.luyouxia.net
latiao.ddns.net
996m2m2.top
xc091221.e2.luyouxia.net
xiaoyuwudi.e3.luyouxia.net
zxyhwww.top

# Reference: https://twitter.com/RacWatchin8872/status/1787150297049027027
# Reference: https://www.virustotal.com/gui/file/0b997cf73baa61d852212bd26044cbaaf5e7e366553043bc10b6d17f20d2df96/detection

http://60.204.249.34
60.204.249.34:8000

# Reference: https://twitter.com/naumovax/status/1787433507536384139
# Reference: https://tria.ge/240402-bd4hzaca7x/behavioral2
# Reference: https://www.virustotal.com/gui/file/fdf08d6b2e7283f7317a2a32a6ef8665d9e0f7c346c59867be407892bb165cb6/detection

154.12.85.161:3020

# Reference: https://x.com/ShanHolo/status/1792835827464282545
# Reference: https://www.virustotal.com/gui/file/677cea91ba7171d1a19f3c49d077db58bd66da053a190df60ac258a45407c48f/detection

103.214.23.195:42534
119.81.27.109:42534
se1f.cc
dgz.se1f.cc

# Reference: https://www.virustotal.com/gui/file/6c01c1ddc969faaede15958721a1eab7cd4f79009235bde37b4087968be805f7/detection
# Reference: https://www.virustotal.com/gui/file/7e239cdc3d9598732c711475fb81f9ec40668668b9f20db60e4a7f5a68f723c3/detection

119.81.125.20:2082
148.66.129.146:2082
211.20.120.161:2082
51.79.160.233:2082
serv.se1f.cc
serv1.se1f.cc

# Reference: https://www.virustotal.com/gui/file/68fc0e714bd7982ac3e2cbfd00a4362f6a4daffe1be6a0efaa632064b7981a20/detection

103.147.186.4:2082
148.66.129.146:2082
works01.se1f.cc
works02.se1f.cc

# Reference: https://www.virustotal.com/gui/file/651fe4b8be23c8c42db4b85e69cef5a7bd5694476a49ea88d9c9ec93575ab398/detection

dl.se1f.cc
dow.se1f.cc
downer.se1f.cc

# Reference: https://x.com/SBousseaden/status/1795166821030543649
# Reference: https://www.virustotal.com/gui/file/8b24e43d325a556c6797cc7753f6a555d47b0c7f24bad99b2009baf8a0796065/detection
# Reference: https://www.virustotal.com/gui/file/7d5961b64d45bd62968eca15f2811c7aa1df243dcc57e5aafdf4de2f4f47c9c3/detection
# Reference: https://www.virustotal.com/gui/file/5d6539defb2a24752445dd1c4a3698253f7199e1a0c27af7c4feb7130809d6a9/detection

http://198.176.59.144
154.19.70.72:443
195.130.202.48:449
195.130.202.52:35
206.119.117.209:8001

# Reference: https://x.com/burp_heart/status/1799455219543404633
# Reference: https://www.virustotal.com/gui/file/a4b25c7a464cabbedef80a704ec8c7cd84a98073b055ddc42f2fb5b7d81ff250/detection

146.19.100.7:8000
154.201.91.59:44557

# Reference: https://www.virustotal.com/gui/file/39345b9dc44db0aec3ceb63efa9f4b0bb74753da4fa421745acff9835f50debc/detection

123.249.25.73:5653

# Reference: https://www.virustotal.com/gui/file/4997ad5623cd3aba8ad80c894482b69a3b5d51669bf6d02e5f393e4e1ecb6da1/detection

123.249.25.73:7830

# Reference: https://asec.ahnlab.com/ko/67509/

http://121.204.249.123
121.204.249.123:8077
154.201.87.185:999
164.155.205.99:999

# Reference: https://x.com/lontze7/status/1808764061288395023

http://122.51.183.116
122.51.183.116:443

# Reference: https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure

147.50.253.109:44119

# Reference: https://x.com/malwrhunterteam/status/1813892619170418949
# Reference: https://www.virustotal.com/gui/file/8fe382f79d4834a4dbc9abda1681a77187c08c087b704f9a5ad8af50f128c2ce/detection

http://206.238.196.148
206.238.196.148:6666

# Reference: https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat
# Reference: https://github.com/esThreatIntelligence/iocs/blob/main/Gh0stGambit_Gh0stRAT/Gh0stGambit_Gh0stRAT.txt

http://104.143.46.143
http://104.143.47.226
http://154.23.179.113
http://38.181.34.153
http://38.181.34.182
http://38.181.34.219
http://38.181.34.72
http://38.181.35.129
http://38.181.35.71
1683.org
asj658g.cyou
bb6575.cyou
bbnhh.icu
bngcp.icu
hzj66.vip
mk65yui45876.cyou
mm6695.cyou
nnnjkj.bond
pplilv.top
pplilvbest.cyou

# Reference: https://www.virustotal.com/gui/file/db4d47190376d2bd3f2a00c7433ddba94a3a09db4148a99aa920b92642f0aee9/detection

156.247.32.199:6666
156.247.32.199:8080
fadale.cc

# Reference: https://x.com/malwrhunterteam/status/1820498954104209643
# Reference: https://www.virustotal.com/gui/file/f0c3c3aff910d8790469b522a37c27a8bf084c70003aa94e4d4e153f9a9f47e3/detection
# Reference: https://www.virustotal.com/gui/file/38d506ff86e4fa113a7cfce2d8834be9769e5c6ec1c68bdc29428a052058cc69/detection

http://206.119.117.61
103.145.86.153:6666
43.156.96.21:8080
qaqbba.com
qaqbba.top

# Reference: https://www.virustotal.com/gui/file/a7bdd967748664c18c128920641d73669af8f9ad81c013f64d7709deeae6a78f/detection

benson-1318162842.cos.accelerate.myqcloud.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2024-08-18)

http://122.51.35.39
http://122.9.69.40
http://60.204.235.186
1.92.90.232:8080
103.158.37.147:443
103.44.246.66:8000
103.71.152.68:1000
115.231.218.42:10299
117.24.12.243:8888
12123das.f3322.net
122.199.186.108:6215
122.9.69.40:8000
123.99.198.130:10299
124.222.81.240:81
124.248.69.14:14363
12512.e3.luyouxia.net
137.220.137.85:24818
154.12.93.14:1153
154.12.93.14:13855
154.91.90.216:6666
171.38.43.209:42421
183.131.85.64:14363
202.63.172.119:47779
202.63.172.120:47779
206.233.240.70:5808
206.238.199.35:6000
206.238.220.206:7777
206.238.43.211:6666
24365426.e3.luyouxia.net
27.25.156.47:8000
36.212.238.69:8000
43.139.48.143:1450
47.111.82.157:14352
47.115.207.251:8006
47.120.59.37:6161
60.205.132.75:13155
62.234.90.4:8000
8.210.206.52:1725
8.210.22.92:6000
8.217.223.172:6000
U22.zgwl.eu.org
aiac.f3322.net
bj.caobibibi.com
honchengkeji.f3322.net
jjjj7371.e1.luyouxia.net
kinh.xmcxmr.com
microsoftel.com
newyk5.e3.luyouxia.net
nnmz.e3.luyouxia.net
q596110.3322.org
sy12311.e3.luyouxia.net
twrata.com
xisafjasfjip.u1.luyouxia.net
zhangkedong.u1.luyouxia.net
zxww.e3.luyouxia.net

# Reference: https://x.com/malwrhunterteam/status/1829810337350025447
# Reference: https://www.virustotal.com/gui/file/e05826b2375f069043fa220f92b8ae2dafa2f798930bfb56ca86251b6cbb7fc6/detection
# Reference: https://www.virustotal.com/gui/file/d1f4e345dbdb06016b682f5dd2ff9dc4f2206059e4b8b7baa9d7745b1ff2a5ae/detection
# Reference: https://www.virustotal.com/gui/file/c8d76cbe86dcbe77f983e85107c2a6f7367e3d0e82c8bf2b8fd1801da67d675c/detection
# Reference: https://www.virustotal.com/gui/file/2eee70c3f0da076439e680bd576302e073f71e9175952c1d8259b216762fc627/detection

103.158.36.181:8000
104.233.187.200:3000

# Reference: https://threatfox.abuse.ch/browse/malware/win.ghost_rat/ (# 2024-09-22)

http://124.221.28.167
http://140.143.203.107
http://143.92.58.218
101.17.46.79:11631
103.199.101.81:1000
103.73.161.186:8080
115.230.124.27:7317
115.230.124.27:9026
116.62.193.113:222
221.10.93.196:2499
221.10.93.196:2500
27.155.132.108:23801
27.156.64.174:23801
27.156.64.88:23801
27.25.148.152:8080
8.146.204.76:8000
