# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://github.com/silence-is-best/c2db#ursa-loader

/nj41.php

# Reference: https://app.any.run/tasks/20f85f4b-ffc8-4e15-841c-03ecc150c4a4/

http://45.132.242.89

# Reference: https://twitter.com/JAMESWT_MHT/status/1290523174136946688
# Reference: https://www.virustotal.com/gui/file/e84bd675169dd1ccc077454d08aad592dd97d6a188e841ad02a2e888bd7c1a48/detection

http://104.44.143.28

# Reference: https://twitter.com/luc4m/status/1291985996850925576

mageurox01.hopto.org

# Reference: https://app.any.run/tasks/09bfdbe7-e8d7-42d5-a1cd-fc29586bd74b/

/bd21.php

# Reference: https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/
# Reference: https://otx.alienvault.com/pulse/5f610cb62458e403adeca72d

http://191.235.99.13
http://51.143.39.80
http://66.70.237.175
http://51.222.39.128
http://51.81.104.17
http://104.44.143.28
/lp1a.php

# Reference: https://twitter.com/sirpedrotavares/status/1318924601162870785
# Reference: https://www.virustotal.com/gui/file/b29028058aa066a993379f424482b3da2ac0b799b71f2da529071616919c4ead/detection
# Reference: https://www.virustotal.com/gui/file/4219d9606f428e914a91edb807d48e4bd30387827e3704318b32bb9a103a7d27/detection
# Reference: https://www.virustotal.com/gui/file/773fd094f93cd9db61173a29bbec99a6293e1a64f181186f36685d6f01827a99/detection
# Reference: https://www.virustotal.com/gui/file/3a4fe7cb28eac0a6fdb2a4831fae4f705b4715af8570e97cf73d07f3f2f598d1/detection
# Reference: https://www.virustotal.com/gui/file/7695ea92f052ada409ec014319a03588606d49125bab96128715ff1a3811463d/detection
# Reference: https://www.virustotal.com/gui/file/c867e31b5dd19dae446f9a3ea0735acfde45f8e2c87b3b7d2d1ce317f10f1f08/detection

http://104.41.57.9
http://142.44.218.78
http://191.235.78.73

# Reference: https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/

http://104.41.57.9
http://104.44.143.28
http://13.58.123.122
http://142.44.218.78
http://144.217.32.24
http://191.235.78.73
http://191.235.99.13
http://191.239.122.4
http://40.70.86.161
http://45.132.242.89
http://51.143.39.80
http://51.222.39.127
http://51.222.39.128
http://51.81.104.17
http://52.91.227.152
http://54.233.78.131
http://54.39.33.188
http://66.70.237.175
http://87.98.137.173

# Reference: https://twitter.com/sirpedrotavares/status/1328012434087555072
# Reference: https://www.virustotal.com/gui/file/b2c2319b2b73ffc89e93508845eef2e544a7046d0c337b8973ba86558d4d5271/detection

http://40.65.223.174
http://40.84.210.148
http://70.37.106.179

# Reference: https://app.any.run/tasks/8b1d33f6-a637-4c0a-a315-95952d89796f/

http://149.56.76.254

# Reference: https://twitter.com/sirpedrotavares/status/1362034175696662530
# Reference: https://app.any.run/tasks/31a56984-5e8b-4bf9-98be-34b5ff3be475/

http://144.217.17.185
http://185.150.117.9
http://192.95.2.164

# Reference: https://twitter.com/pollo290987/status/1380418256285089793

http://51.79.9.85

# Reference: https://twitter.com/0_1_0_1_0_0_0_0/status/1395699114826928129

mcdonalds-cupon.s3.us-west-000.backblazeb2.com

# Reference: https://twitter.com/ffforward/status/1488837379314044932
# Reference: https://app.any.run/tasks/6ce19469-6f1f-42bc-9864-2e3a07fc6a6b/
# Reference: https://tria.ge/220202-jgyqwshgb6/behavioral1
# Reference: https://www.joesandbox.com/analysis/565971/0/html

http://149.248.55.205
149.248.55.205:49743
149.248.55.205:49744
contafop01.onthewifi.com
painelxxx2021a3.bounceme.net
/ghj672a.php
/ghj672136.rht45
/ghj672162.rht45
/ghj672am1.rht45

# Reference: https://www.virustotal.com/gui/file/0001d7fe1cb06a6f55f2852efbdc11333130642c511ce02a5504850deb3e2f5e/detection

http://66.206.13.2
208.115.109.53:8010
208.115.109.53:8030

# Reference: https://twitter.com/pollo290987/status/1569196919330570242
# Reference: https://pastebin.com/cg8tAe1F

11097.masterdaweb.net
magu.kozow.com

# Reference: https://twitter.com/StopMalvertisin/status/1584769822977851392

bola.com.au/images/hh/cfdi/do/it.php
highlineadsl.com/ddd/it.php

# Reference: https://twitter.com/1ZRR4H/status/1596279919838990337

document0.click
kh7jv.store
pagosdeclaraciones.shop
sgscommanager.shop
smart2nopagos.shop
websylvania.com

# Reference: https://twitter.com/1ZRR4H/status/1627085493023424512

facturas4.click

# Reference: https://twitter.com/1ZRR4H/status/1691389689796919297

http://172.86.68.194
172.86.68.194:445
chidoriland.com
/1r49ucc73/hs4q07q/it.php
/1r49ucc73/hs4q07q/
/1r49ucc73/
/hs4q07q/

# Reference: https://twitter.com/0xToxin/status/1722659950302769410

http://193.149.176.210
http://54.37.205.197

# Reference: https://twitter.com/0xToxin/status/1723709490485153960
# Reference: https://www.virustotal.com/gui/file/2d07d544e550a5e825107cfce42201a5a9e6e5d478a535fe57da86030c4ae624/detection

blackinfect.ddns.net

# Reference: https://twitter.com/pollo290987/status/1773110284095234083

ervimefacdigitataltrans.switzerlandnorth.cloudapp.azure.com

# Reference: https://x.com/pollo290987/status/1816977988489031947
# Reference: https://app.validin.com/detail?find=0b8c85495cec452651953b1c6f25d653dbcca569a2ac38236539ee4b6b2170c4&type=hash&ref_id=0a9184257b9#tab=host_pairs_v2

http://91.92.254.149
analistawebs.hair
analistawebs.yachts
coldshare.org
contpt.top
ns1.coldshare.org
ns2.coldshare.org

# Reference: https://x.com/pollo290987/status/1818099255052996692
# Reference: https://www.virustotal.com/gui/ip-address/38.60.224.167/relations
# Reference: https://www.virustotal.com/gui/file/0335e438ff586c75c5a0aded3dccf33d77a9d96e49c4eb4405ff59187ed341b1/detection

http://38.60.224.167
contmnet.site
contssd.zapto.org

# Reference: https://x.com/pollo290987/status/1818413633157910694
# Reference: https://www.virustotal.com/gui/file/0f0a34d2bb013fd0cf705a7808732343ffac6a2308f924275e377cbd105930b1/detection
# Reference: https://www.virustotal.com/gui/file/3a6d5c07b3ed6f1c24f589c3bd54a49842273d8050fb87bf7f33786bf0b2b1ae/detection

http://68.178.202.78
227.20.168.184.host.secureserver.net
78.202.178.68.host.secureserver.net
/asdtrg4grf.vbs
/veletricafds652fdacsw2azxx.php

# Reference: https://x.com/pollo290987/status/1820626182737412218
# Reference: https://www.virustotal.com/gui/ip-address/95.164.5.57/relations
# Reference: https://www.virustotal.com/gui/file/225341f69f153dcb90aea484f90149eaf7bb05c1ead55bde1cde2a568bed9848/detection

contgeraklf.com
contgera.zapto.org

# Generic — loader URL paths seen across more than one of the campaigns above (e.g. /bd21.php also appears in the any.run sample referenced earlier) rather than tied to a single report. Short bare paths like these are comparatively weak indicators on their own; treat a hit as a lead to correlate with the hosts/IPs listed above rather than as a standalone verdict.

/aj31.php
/ak51.php
/bd21.php
/bd22.php
/bd23.php
/bk71.php
/h781.php
/h783.php
/ju61.php
/ju62.php
/faq3Gz2.php
/index2ErZ.php
/admin/faq3Gz2.php
