# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: 1xxbot, arechclient2, asatafar

# Reference: https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers

http://45.142.213.230

# Reference: https://twitter.com/P3pperP0tts/status/1197493278339469313
# Reference: https://twitter.com/P3pperP0tts/status/1196425019154403328
# Reference: https://app.any.run/tasks/efeb529d-fa5d-4adb-8527-7161080e722a/

51.15.22.167:228

# Reference: https://twitter.com/malwrhunterteam/status/1200742733805170688
# Reference: https://www.virustotal.com/gui/file/32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130/detection

94.242.206.163:228

# Reference: https://twitter.com/malwrhunterteam/status/1205495402721685509

firestarter.co.ug

# Reference: https://app.any.run/tasks/4827acc3-173d-4f4f-b4ca-212e4814ba44/

93.190.142.138:228

# Reference: https://twitter.com/Arkbird_SOLG/status/1348288401049608193
# Reference: https://www.virustotal.com/gui/file/4b3411887671db0dd5e57c2187260bd79f2c5cd4279d24b96de9724f492ce3f7/detection
# Reference: https://www.virustotal.com/gui/file/3d74c37ade5a7082617acb0cb1697eb18c9a61f7099b04b76967140f3a8d03ec/detection

34.253.207.79:15647

# Reference: https://www.virustotal.com/gui/ip-address/54.194.254.16/relations
# Reference: https://twitter.com/James_inthe_box/status/1348264657736269828
# Reference: https://app.any.run/tasks/279edbe8-a2d6-4816-8602-311fa33fd34b/
# Reference: https://www.virustotal.com/gui/file/2cad1d5cd3e145f720e3da8825183d78545b834fe146a8d1ec26c0e876980a66/detection

54.194.254.16:15647

# Reference: https://twitter.com/abuse_ch/status/1348271030322790400
# Reference: https://bazaar.abuse.ch/sample/bf802ba3e523c502a27e0c9044bc699f0db17ebb00e5b3b9c152038a13c856ed/
# Reference: https://www.virustotal.com/gui/file/bf802ba3e523c502a27e0c9044bc699f0db17ebb00e5b3b9c152038a13c856ed/detection

80.209.229.192:15646

# Reference: https://www.virustotal.com/gui/file/a24bf6fa910c0fe011cdabd3c1203d735f8a28f27c646fe0ae5981bbb7304e41/detection

80.82.77.221:15647

# Reference: https://www.virustotal.com/gui/file/8d2c8fab417257c558a379fc384a5fdda844b73ca507944b90b0a101591c7fae/detection
# Reference: https://www.virustotal.com/gui/file/17a7129edcb8c2bb353c6fc365455b630912da13d3af096e9fb148647551f6b4/detection

147.78.67.95:15646
147.78.67.95:15647

# Reference: https://www.virustotal.com/gui/file/9f204e8a44750d83e2d892357db881a241e16fe82eff4fc16f0d9adecec430a3/detection

185.195.26.100:54766

# Reference: https://www.virustotal.com/gui/file/cb64e1065259e2c9e0fb663bdf4ad73a4abc514399ca86f4c3b745b61c6ab530/detection

185.82.202.143:15647

# Reference: https://www.virustotal.com/gui/file/665747baf4f8bba24765b2a486f7677b7e1f199335cace6db075f8f3dd68fcef/detection
# Reference: https://www.virustotal.com/gui/file/f12f3ad220342c60304834a7df1345521e16e13242566dbc76fc21242765fe23/detection

195.2.78.227:228
195.2.78.227:54766

# Reference: https://www.virustotal.com/gui/file/b7a16329d7ca5a5ff38f6d424b426f33a29e1fff8490016530a7433134b391f6/detection

135.181.86.99:15464

# Reference: https://www.virustotal.com/gui/file/98f7e638f8cd14879f5c9fb2071e4f53df9922cdd77a64b632fb06a197d9f9e6/detection

202.59.10.176:15646

# Reference: https://www.virustotal.com/gui/file/3ca1a97e6b3e8d9bae5a054a2c5014db99c4375cab6554e33fb4217bf34a1858/detection

86.106.93.111:15646

# Reference: https://www.virustotal.com/gui/file/71c3e512e148941ff0435c9a556d75cf8fe5621a85a6a2ea4f7a20cb6a0c6856/detection

185.165.153.51:5025

# Reference: https://tria.ge/220627-kta12aaaal/behavioral1

34.159.232.110:15647

# Reference: https://twitter.com/1ZRR4H/status/1615231876817362944
# Reference: https://twitter.com/1ZRR4H/status/1615428216684175360
# Reference: https://threatfox.abuse.ch/ioc/1068570/
# Reference: https://www.virustotal.com/gui/file/a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910/detection

http://77.73.133.83
34.107.35.186:15647
77.73.133.83:15647

# Reference: https://twitter.com/idclickthat/status/1626069576868933632

http://179.43.142.86
anydesk-infopage.com
pputty.us

# Reference: https://threatfox.abuse.ch/browse/malware/win.sectop_rat/

http://157.90.151.122
135.181.156.70:15647
138.201.120.172:15648
144.76.163.55:15648
144.76.195.220:15647
157.90.151.122:228
162.55.188.246:15647
167.235.134.14:15647
185.143.223.9:15648
185.173.36.156:228
185.197.75.191:15647
193.111.210.150:15647
34.107.84.7:15647
34.141.167.33:15647
34.141.198.105:15647
34.141.92.1:15647
34.142.80.219:15647
34.159.180.55:15649
34.159.68.86:15647
34.27.150.38:15649
34.27.176.144:15647
34.91.185.62:15649
35.198.132.51:15647
35.204.188.251:15649
35.226.102.12:15649
35.230.153.115:15647
35.234.159.213:15649
35.242.150.95:15649
35.246.173.61:15647
37.1.206.174:228
46.175.147.8:15647
5.75.147.135:15647
5.75.149.1:15645
5.75.149.1:15648
5.75.153.165:15647
62.182.156.148:15647
65.108.101.156:15647
77.232.36.56:228
77.232.39.39:228
77.232.42.253:228
77.246.107.149:15647
88.218.170.169:15647
89.248.165.23:5865
91.142.77.238:228
91.142.78.27:228
94.130.51.115:15648
95.143.190.57:15647
cloudinstalller73489.shop
ggimp.us

# Reference: https://threatfox.abuse.ch/browse/malware/win.sectop_rat/ (# 2023-08-01)
# Reference: https://www.virustotal.com/gui/ip-address/217.107.219.92/relations
# Reference: https://www.virustotal.com/gui/ip-address/81.177.139.152/relations
# Reference: https://www.virustotal.com/gui/ip-address/81.177.140.194/relations

cdn-dwnld.ru
994safeweb.store
alarmhealth623.store
linkpower994.online
newtorpan.ru
newtorpan.site
newzone623.store
next-traf623.site
shadowlink994.store

# Reference: https://twitter.com/g0njxa/status/1687801004534747136
# Reference: https://app.any.run/tasks/80b166cb-7a36-41ce-9f18-58344e7bc138/
# Reference: https://www.virustotal.com/gui/file/d35d55bb74a7cf4349e2fa4a92839e2a88f17a1fee9725801d0d97b2bf0d311c/detections

95.143.190.57:15648

# Reference: https://twitter.com/1ZRR4H/status/1699923793077055821

195.201.198.179:15647

# Reference: https://threatfox.abuse.ch/ioc/1150242/

95.217.105.184:15647

# Reference: https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks
# Reference: https://otx.alienvault.com/pulse/653fe482a1235f71266181a8

manojsinghnegi.com/2.tar.gpg

# Reference: https://twitter.com/Jane_0sint/status/1723736724533129263
# Reference: https://app.any.run/tasks/84a868ea-e8f3-436b-abe9-82b0226aac5d/

80.66.66.40:15647

# Reference: https://twitter.com/crep1x/status/1727970393237983640
# Reference: https://www.virustotal.com/gui/ip-address/45.67.228.133/relations

1subsmepjzqnvvukhd.fun
2hedonrxjakubcloudflare.fun
2lastofusupdatjakubcloudflare.fun
2subsmepjzqnvvukhd.fun
3hedonrxjakubcloudflare.fun
3ivgtdccwvbaaou.fun
3subsmepjzqnvvukhd.fun
4hedonrxjakubcloudflare.fun
5hedonrxjakubcloudflare.fun
5ivgtdccwvbaaou.fun
5subsmepjzqnvvukhd.fun
gleamgamestudios.fun
heckledunicornvb2.fun
skilleddevelopment.fun
theworkflowagency.fun
zodiaentertainment.fun

# Reference: https://twitter.com/1ZRR4H/status/1730731082734010780

slimankoomer.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.sectop_rat/ (# 2024-01-03)

138.201.125.92:15647
145.239.99.234:15647
152.89.217.190:15647
152.89.217.215:15647
152.89.217.229:15647
193.33.195.42:15647
194.26.135.11:12432
194.26.135.180:15647
194.26.29.153:15648
2.57.149.77:15647
212.118.39.73:15649
213.109.202.229:15647
45.141.87.16:15647
45.141.87.215:15647
45.141.87.63:15648
45.92.179.244:15647
5.42.67.10:15647
85.209.11.243:15647
91.215.85.66:15647
95.216.24.238:15647

# Reference: https://www.virustotal.com/gui/file/fa0b3328dda7aa7e953780fc8b6be127f747fc778f0bd3f0a2e885402c1c481e/detection

http://194.147.35.251
http://5.75.214.104

# Reference: https://x.com/smica83/status/1813912637895549108
# Reference: https://tria.ge/240718-pea5psxgkp/behavioral1

213.109.202.15:15647
213.109.202.15:9000

# Reference: https://x.com/banthisguy9349/status/1822635735494664701

45.141.87.55:15647

# Reference: https://x.com/banthisguy9349/status/1822635735494664701
# Reference: https://www.virustotal.com/gui/file/0bb9e107a5f5f9ad838173ebf222107d37cc1f378fa10f46ad5b2914f19f8e72/detection

45.141.87.55:9000

# Reference: https://www.vmray.com/analyses/_mb/f1ecf2469a83/report/network.html

91.215.85.66:9000

# Reference: https://x.com/SquiblydooBlog/status/1836362042619396160
# Reference: https://tria.ge/240917-zv36javdrj/behavioral2
# Reference: https://www.virustotal.com/gui/file/ecf5e02e19345dc4f60e531139339b5a8a95dd393b0bbcb3b4e93a184585a53a/detection

http://188.34.184.47
http://65.109.218.88
http://89.23.96.126
188.34.184.47:443
45.141.86.82:9000
