# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: meduza stealer

# Reference: https://twitter.com/siri_urz/status/1582325545031069697
# Reference: https://www.virustotal.com/gui/file/2a0047fe9748f2a45196dbf75e4f1a951d249daad380cbc9eab85ff66fb35814/detection

medusa-stealer.cc

# Reference: https://twitter.com/g0njxa/status/1670054103899152384

http://77.105.147.140

# Reference: https://twitter.com/FalconFeedsio/status/1681963953507774464

http://193.233.133.153
http://193.233.133.198
http://193.233.133.243
http://193.233.133.97
http://5.61.49.177
http://77.105.146.254
http://79.137.199.199

# Reference: https://www.virustotal.com/gui/file/f0c730ae57d07440a0de0889db93705c1724f8c3c628ee16a250240cc4f91858/detection

79.137.203.39:15666

# Reference: https://www.virustotal.com/gui/file/ddf3604bdfa1e5542cfee4d06a4118214a23f1a65364f44e53e0b68cbfc588ea/detection
# Reference: https://www.virustotal.com/gui/file/91efe60eb46d284c3cfcb584d93bc5b105bf9b376bee761c504598d064b918d4/detection

79.137.203.37:15666

# Reference: https://www.virustotal.com/gui/file/d2ab97a60d2ed615e91c640fe0ee59e5ddc63fe985cdf5e9f24e0bce80e9870d/detection
# Reference: https://www.virustotal.com/gui/file/cbc07d45dd4967571f86ae75b120b620b701da11c4ebfa9afcae3a0220527972/detection
# Reference: https://www.virustotal.com/gui/file/a73e95fb7ba212f74e0116551ccba73dd2ccba87d8927af29499bba9b3287ea7/detection

79.137.207.132:15666

# Reference: https://www.virustotal.com/gui/file/e2cc35ec3dcbd33d5d75fe7cabe4400dcdf06cf5e7fc3e94a1b3b6f2d8cbd125/detection
# Reference: https://www.virustotal.com/gui/file/9e2b8c3888b8a93e8ebab39e7a6b636f921888edb7d15a6ab56b2e119693aaa8/detection

77.105.147.140:15666

# Reference: https://www.virustotal.com/gui/file/6d8ed1dfcb2d8a9e3c2d51fa106b70a685cbd85569ffabb5692100be75014803/detection

185.106.94.105:15666

# Reference: https://www.virustotal.com/gui/file/29cf1ba279615a9f4c31d6441dd7c93f5b8a7d95f735c0daa3cc4dbb799f66d4/detection

167.88.15.114:15666

# Reference: https://russianpanda.com/2023/06/28/Meduza-Stealer-or-The-Return-of-The-Infamous-Aurora-Stealer/
# Reference: https://otx.alienvault.com/pulse/64a2f554317bc46cc4bdb6e7

http://89.185.85.245

# Reference: https://www.virustotal.com/gui/file/1bce735ad1009327c2cc1ba36aa3cad6ec6f4dc3d0b3fff104d283845670c674/detection

5.42.72.7:15666

# Reference: https://twitter.com/g0njxa/status/1717563999984717991
# Reference: https://en.fofa.info/result?qbase64=aWNvbl9oYXNoPSItNTU5NjA4OTIwIg%3D%3D

http://103.178.234.127
http://104.194.128.75
http://109.107.173.48
http://109.107.181.169
http://109.172.45.21
http://116.202.205.243
http://116.203.191.125
http://146.70.161.13
http://154.91.90.121
http://162.33.179.114
http://178.20.43.135
http://178.20.46.217
http://178.236.246.253
http://178.236.246.39
http://178.236.247.9
http://185.106.92.204
http://185.106.94.31
http://185.106.94.70
http://185.149.146.159
http://185.161.251.204
http://185.17.0.222
http://193.233.133.81
http://194.87.71.159
http://20.0.25.177
http://212.113.116.56
http://212.118.52.90
http://41.208.73.44
http://45.150.65.121
http://45.155.249.38
http://45.74.19.107
http://5.182.87.160
http://5.182.87.27
http://5.42.72.48
http://5.42.72.7
http://5.42.77.121
http://5.42.77.239
http://5.42.78.61
http://51.81.243.237
http://74.50.93.136
http://77.105.147.136
http://77.105.147.90
http://78.141.239.24
http://79.137.195.27
http://79.137.202.225
http://79.137.203.233
http://79.137.203.254
http://79.137.203.80
http://79.137.205.179
http://79.137.205.201
http://79.137.207.226
http://79.137.207.240
http://79.137.207.251
http://79.137.207.44
http://8.217.23.144
http://85.192.63.240
http://85.192.63.35
http://85.192.63.65
http://89.185.85.132
http://89.185.85.34
http://89.208.103.215
http://89.208.107.135
http://89.208.107.158
http://91.92.242.146
http://94.228.162.22
http://94.228.170.3
http://94.228.170.86
http://95.181.173.181
http://95.181.173.233
http://95.181.173.235
http://95.181.173.28
http://95.181.173.8
http://95.216.100.78
185.26.239.246:81
202.92.4.174:8000
izh-85-232.nm-s.ru
journalpatrol.com
knoxdevelopers.com
limaxmakeup.com
makinika.com
markertingsbritishcouncil.com
tehranuniversity.website
dl.tehranuniversity.website
xxmc-h5.xinxinmuchang.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.meduza/ (# 2023-12-07)

http://5.182.86.32
http://5.42.94.65
adsmahsa.xyz
appblendemulator.info
appblendstacks.top
basta-tourmoscow.ru
cdn.morisniff.ir
concert-uz.ru
convhandvideo.info
d1.morisniff.ir
easyvideoconverters.com
fhipp-dbms.top
handbrakeconv.top
highqualityconverter.com
hp22.weket.shop
ideastradeai.com
ideastradeai.top
ii.nggg.fun
marz6.adsmahsa.xyz
morisniff.cloudns.ph
morisniff.ir
nggg.fun
nimmajic.online
sc.nimmajic.online
test.morisniff.cloudns.ph
trustpilots.cam
xampp.info

# Reference: https://twitter.com/ShilpeshTrivedi/status/1737813215395074421
# Reference: https://www.virustotal.com/gui/file/0a7fea34c7f7732b275a6b4422fa2868937a97bcb4465a2dcb9e7abb1bb3d3db/detection

103.241.72.56:15666
103.241.72.56:8080

# Reference: https://threatfox.abuse.ch/browse/malware/win.meduza/ (# 2023-12-25)

http://5.182.87.130
http://80.85.241.169
http://85.192.63.29
http://89.208.106.112
http://91.103.253.190
http://92.246.136.222

# Reference: https://twitter.com/FalconFeedsio/status/1741002630602883320

http://79.137.194.188
http://79.137.203.12

# Reference: https://twitter.com/FalconFeedsio/status/1743260044857397436
# Reference: https://twitter.com/RakeshKrish12/status/1743515007441322357
# Reference: https://twitter.com/karol_paciorek/status/1753060077278277977

http://141.98.83.242
http://185.225.200.120
http://45.141.215.173
http://45.61.158.176
http://45.61.165.114
http://45.61.169.23
http://45.93.20.207
http://51.195.28.168
http://77.232.142.8
http://85.192.63.57
http://91.103.253.184
http://91.92.248.223
http://94.228.162.149
http://94.228.168.159
94.228.162.149:15666

# Reference: https://twitter.com/banthisguy9349/status/1744362094869241869

37.110.19.55:88
ams-k-node1.vleo.ru
bloodyservice.online
cricketastroking.com
dddd-new.vreexy.top
fbadearnings.com
first.bloodyservice.online
game2.netbaazi.sbs
iamabdulqadeer.com
netbaazi.sbs
rahgozargermany21.vreexy.top
server-fr1.vreexy.top
third.bloodyservice.online
vreexy.top
zeaas.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.meduza/ (# 2024-01-23)

http://193.233.255.60
http://212.113.116.110
http://77.73.131.73
goldelya.tech
kharej.goldelya.tech
medusa.goldelya.tech

# Reference: https://threatfox.abuse.ch/browse/malware/win.meduza/ (# 2024-02-03)

http://147.45.40.196
http://147.45.40.99
http://185.26.239.246
http://2.56.109.134
http://5.182.86.194
http://5.42.73.251
http://64.52.80.13
http://77.105.147.196
http://89.208.103.72
89.208.103.177:15666
abcd2.monster
carte-vitale-assurance.org
http://89.208.103.177
node1.abcd2.monster
oracle-panel.online
tunel.oracle-panel.online

# Reference: https://threatfox.abuse.ch/browse/malware/win.meduza/ (# 2024-02-04)
# Reference: https://twitter.com/ViriBack/status/1761394956374049266

http://45.15.159.130
http://5.182.87.145
http://79.137.197.6
http://92.246.136.161
http://94.156.65.246
sono.pw
sw.sono.pw
enter.showconfig.ru

# Reference: https://twitter.com/RustyNoob619/status/1758186122440503635

http://94.228.162.3

# Reference: https://threatfox.abuse.ch/browse/malware/win.meduza/ (# 2024-02-27)

http://109.107.181.83
http://147.45.42.25
http://147.45.75.185
http://175.110.115.65
http://45.138.74.228
http://79.137.207.35
http://91.103.253.227
blazebit.bet
ftp.huboftest.ir
homeshopdigital.site
huboftest.ir
inspirestudiosteam.com
mzile.com
neweatz.com
yes.homeshopdigital.site
yes1.homeshopdigital.site

# Reference: https://threatfox.abuse.ch/browse/malware/win.meduza/ (# 2024-03-17)

http://144.202.23.219
http://185.161.248.199
http://217.197.107.145
http://46.226.164.150
http://46.226.166.200
http://77.221.148.13
http://79.137.207.163
http://85.192.40.131
http://89.185.85.207
http://91.202.233.135
http://95.181.173.126
109.107.181.83.sslip.io
147.45.42.25.sslip.io
5.42.73.150.sslip.io
79.137.207.163.sslip.io
asqrecruitment.com
autodiscover.inspirestudiosteam.com
buygamingnfts.com
ebookza.com
fleekbusiness.com
garciaprints.com
gulfcoastcoffeeroasters.com
homsiknet.com
complete.homsiknet.com
inc.sshadowso.ru
northpm.xyzdiosteam.com
panel.swain.ir
pars.northpm.xyz
skinsmonkey.complete.homsiknet.com
vpnu.top

# Reference: https://twitter.com/BushidoToken/status/1769397465109655597

http://103.241.72.56
http://139.180.191.68
http://185.112.83.36
http://37.110.19.55:88
http://45.138.16.132
http://5.42.73.150
http://77.105.147.157
http://79.137.202.68
http://79.137.207.132
http://85.192.63.42
dcu.golunite.com
mg.inspirestudiosteam.com
ug-argo.ru

# Reference: https://urlscan.io/search/#filename:%22Meduza-Xf1ectds.png%22

http://45.120.177.167
/Meduza-Xf1ectds.png

# Reference: https://threatfox.abuse.ch/browse/malware/win.meduza/ (# 2024-03-24)

http://103.161.224.131
http://5.42.106.164

# Reference: https://app.validin.com/detail?type=raw&find=Meduza+Stealer#tab=host_pairs

http://147.45.125.142
http://217.196.98.138
http://5.182.86.229
http://79.137.202.60
http://91.103.255.188
http://94.156.10.121
79.137.202.60.sslip.io
bnd-servers.komakhazine.com
clientcisco.com
clientciscovpn.com
coffin-jazzed.online
coinmarketcap-tm.ru
crdom.top
izh-85-207.nm-s.ru
komakhazine.com
plano-safra.online
purpleflowers.org
roseflash.in
salaamt.top
al.salaamt.top
sam.coffin-jazzed.online
sam.coinmarketcap-tm.ru
svma.arcovip.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.meduza/ (# 2024-04-11)
# Reference: https://www.virustotal.com/gui/file/ccd22e81e0ae336c87a51d6273b7d2f813512226857d820aabe3e20f92a2b92f/detection
# Reference: https://www.virustotal.com/gui/file/28f08075554d51a59cb56805c6e1e9923b2a2950a9f75e72a6071fd825eece01/detection
# Reference: https://www.virustotal.com/gui/file/1a19faf516901697a43fd04342ba42298e7b126a2cab5236742addc526d82636/detection
# Reference: https://www.virustotal.com/gui/file/512ec746b8318aa67bb11aa498a94d0e9848c241e7296c46757dcf1997e28be4/detection

http://109.107.181.48
http://109.120.176.38
http://109.120.177.177
http://109.120.177.48
http://109.120.177.64
http://109.120.178.115
http://109.120.184.181
http://147.45.69.114
http://185.174.137.2
http://193.233.232.6
http://212.113.116.79
http://37.221.93.9
http://45.15.158.144
http://45.150.64.135
http://5.182.87.218
http://5.42.101.184
http://5.42.101.189
http://5.42.107.163
http://77.105.146.13
http://77.105.147.171
http://77.221.156.5
http://77.232.142.83
http://77.91.70.104
http://79.137.195.24
http://79.137.197.154
http://79.137.199.246
http://79.137.202.147
http://79.137.202.152
http://79.137.203.232
http://81.19.137.248
http://89.208.103.63
http://89.208.105.144
http://91.92.250.224
http://94.142.138.190
http://94.228.170.127
183.249.20.106:8090
185.174.137.2:15666
209.141.35.151:888
212.113.116.79:15666
36.152.201.67:65535
39.134.69.79:17080
45.150.64.135:15666
77.105.147.171:15666
79.137.199.246:15666
79.137.202.147:15666
79.137.203.232:15666
81.19.137.248:15666
89.208.103.63:15666
45.15.158.144.sslip.io
topoldgate.site
a.topoldgate.site
aeza.mozeabi.online
g2.sazmanemelalemotahed.tech
hodin.iranneda.cfd
ir.skhshop.xyz
it12.nosuhiyan.site
it13.intelvpn.site
it45.intelvpn.site
izh-85-44.nm-s.ru
kivernik.ru
krezify.softether.net
mahdi.intelvpn.site
moscow-daily.ru
mozg55.com
mozeabi.online
shatel.surreal1.store
ssh1.rezamoody.online
surreal1.store
vpn.itops.one

# Reference: https://twitter.com/drb_ra/status/1779039516499583111

http://193.233.232.6

# Reference: https://www.virustotal.com/gui/file/29a522d6063c16d08a83091979941a3e2cbc0857faa1dcf0154acc38c5fd34d4/detection

109.107.181.83:15666

# Reference: https://twitter.com/peterkruse/status/1781286319680848116
# Reference: https://www.kruse.industries/l/en-analyse-af-meduza-stealer/

bmo-canada-secure-onlinealert.com
funtechco.top
obsproject.viatorfabula.com
online-geld-ontvangst.icu
ontvangst-online.icu
overeenkomstenonline.icu
prex20.olinatok.is
rufus.mygrayco.com
safe-service.icu
supportninja.top
veilige-omgeving.icu
vnekontakte.ru
xdq20.top

# Reference: https://twitter.com/banthisguy9349/status/1782452285806678109

http://94.156.71.143

# Reference: https://twitter.com/malpulse/status/1782403496110620888

http://109.120.177.43

# Reference: https://twitter.com/ShanHolo/status/1785267745954664871
# Reference: https://www.virustotal.com/gui/file/53bcea75646e0a3ff08fea4990c0e3458eb5b518bfdd907444485499803ba25d/detection
# Reference: https://www.virustotal.com/gui/file/9f2c70239fe518552ee44423564b075a85e0fc1e7bd80dc233bcc1f882ffceb9/detection

oasisnetwor.one

# Reference: https://x.com/drb_ra/status/1799876810689130617

http://94.228.166.50

# Reference: https://search.censys.io/search?q=services.software.uniform_resource_identifier%3D%22cpe%3A2.3%3Aa%3Ameduza-stealer%3Ameduza-stealer%3A%5C%2A%3A%5C%2A%3A%5C%2A%3A%5C%2A%3A%5C%2A%3A%5C%2A%3A%5C%2A%3A%5C%2A%22&resource=hosts

http://109.107.181.111
http://147.45.71.7
http://31.177.108.30
http://77.105.147.23
http://77.221.157.6
http://79.137.207.27
http://89.169.52.127
http://89.169.52.177
http://89.169.53.116
http://91.103.252.124
http://91.214.78.238
http://91.92.249.70

# Reference: https://app.validin.com/detail?type=hash&find=3a7a175f1cd6cf6d80ed6190fa77401ba0e7a046

closel.top
uieaqo.life
ail.servientregatracking.info
chl.closel.top
ci.closel.top
cl.closel.top
shop.uieaqo.life

# Reference: https://www.virustotal.com/gui/file/03bf7f15e422037ce60e2f49dde182b69b3063fe62ba2030ef85790c2de523ca/detection

45.59.120.155:15666

# Reference: https://www.virustotal.com/gui/ip-address/154.26.130.199/detection

http://154.26.130.199

# Reference: https://www.virustotal.com/gui/ip-address/91.214.78.237/relations

colse-com.top
tracie.top
talabat.cyou
mobi.tracie.top
test.colse-com.top

# Reference: https://app.validin.com/detail?find=79.137.196.188&type=ip4&ref_id=dadabbd8ccf#tab=host_pairs_v2

http://79.137.196.188
newgame.tech
fbr.newgame.tech
ii.newgame.tech

# Reference: https://app.validin.com/detail?find=77.73.131.73&type=ip4#tab=host_pairs_v2

ger3online.website
aa3.ger3online.website

# Reference: https://threatfox.abuse.ch/browse/malware/win.meduza/ (# 2024-06-22)

http://45.141.215.44
http://45.59.120.155
http://46.226.167.205
http://5.182.87.173
http://77.221.151.32
http://79.137.205.182
http://89.169.54.70
http://94.228.168.216
iriallo.shop
katookivpn.com
tala.monster
vipserver.monster
aref.katookivpn.com
eflukpant.iriallo.shop
hena.tala.monster
shop.vipserver.monster

# Reference: https://www.virustotal.com/gui/ip-address/91.214.78.237/relations

http://91.214.78.237
uieaqo.life
shopi.uieaqo.life

# Reference: https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.software.vendor%3D%22Meduza+Stealer%22

http://109.120.176.15
http://212.113.100.91
http://38.22.104.179
http://5.42.107.78
http://77.105.146.121
http://79.137.207.237

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s.csv

http://104.161.36.41
http://157.254.223.210
http://45.141.215.119
http://5.42.106.42
http://77.221.157.163
http://79.137.203.159
109.107.181.83:8080

# Reference: https://www.virustotal.com/gui/ip-address/85.192.63.3/detection

http://85.192.63.3

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-08-18)

http://109.237.99.23
http://193.33.153.62
http://46.226.166.245
http://74.208.205.101
http://91.214.78.199

# Reference: https://app.validin.com/detail?find=e7a2bb050f7ec5ec2ba405400170a27d&type=hash&ref_id=231b42e39bb#tab=host_pairs_v2

http://77.105.146.8
79.137.203.159.sslip.io
dapsoaa.shop
de1.moscow.xn--6frz82g
h.direct.pooyasharifi8208.ir
moscow.xn--6frz82g
ns2.dapsoaa.shop
ns2.shoppaly.shop
s-teamrn.com
shoppaly.shop

# Reference: https://x.com/banthisguy9349/status/1826296862942384508
# Reference: https://www.virustotal.com/gui/file/2eab850166944175e5fac4c89706328a58dcef55dbc22ff20342d1d246ba76b9/detection

5.42.106.42:15666
soyjak.download

# Reference: https://search.censys.io/hosts/5.42.103.11/data/table#80-TCP-HTTP

http://5.42.103.11

# Reference: https://search.censys.io/search?q=services.software.product%3D%22Meduza+Stealer%22&resource=hosts (# 2024-09-04)

http://188.40.247.207
http://62.133.60.75
http://89.169.53.23
http://89.208.97.95
http://94.156.177.177
http://94.228.162.24
46.226.166.245.sslip.io
77.105.147.243.sslip.io
order.fastfoodshopbot.biz

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-09-08)

http://109.107.181.162
http://46.226.165.237
http://95.181.173.140
breratgvpn.ru
metaanet.cfd
naeb.pro
panel.metaanet.cfd

# Reference: https://x.com/RacWatchin8872/status/1832785087944884579

http://45.9.148.254

# Reference: https://threatfox.abuse.ch/browse/malware/win.meduza/ (# 2024-09-09)

http://111.90.148.191
http://176.124.222.218
http://185.225.200.240
http://45.15.157.116
147.45.40.148:15666
62.133.60.75:15666
2koohe.rayangadget.com
d1msk.pinkman7710.workers.dev
de1.pinkman7710.workers.dev
ded.shuprobika.ir
germanyyy.pinkman7710.workers.dev
mobilepedaryan.rayangadget.com

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-09-14)

http://109.120.178.28
http://195.133.18.15
http://195.133.18.88
http://5.42.102.43

# Reference: https://www.virustotal.com/gui/ip-address/45.15.157.116/relations
# Reference: https://app.validin.com/detail?find=61bb7807022669b2de848b1de015c03d&type=hash&ref_id=3783ad360af#tab=host_pairs_v2

guven.top
keloziro.life
nena.guven.top
mairacco.keloziro.life
ns1.keloziro.life

# Reference: https://app.validin.com/detail?find=e7a2bb050f7ec5ec2ba405400170a27d&type=hash#tab=host_pairs_v2
# Reference: https://search.censys.io/hosts/144.76.68.247/data/table#80-TCP-HTTP

http://144.76.68.247
static.247.68.76.144.clients.your-server.de

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-09-22)

http://109.120.179.61
http://31.177.110.52
http://5.42.103.173
http://89.185.85.128

# Generic

/MeduzaPrivate%231.exe
