# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.virustotal.com/gui/file/06e3abeed1bc98ed56d5587e9732c9d39ea41879c250dff68ce8815953fcf7ad/detection

196.217.98.188:8080
liouas.ddns.net

# Reference: https://www.virustotal.com/gui/file/ed91f9fee04d08dc613e56eedf98b8c56a6e1e6be8ff3f29360550a2ef98c886/detection

91.193.75.132:2343
2343.hopto.org

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-01-10%20XWorm%20IOCs
# Reference: https://www.virustotal.com/gui/file/a86d61c62ad71f43dc2ad27a876ddccffab8d038d1f8b70248f4d4586c64d1ea/detection

su1d.nerdpol.ovh

# Reference: https://twitter.com/c_APT_ure/status/1621579054888501249

147.185.221.223:30420

# Reference: https://www.virustotal.com/gui/file/e6bf87ec571628e096e6505ee87f617f594ed7664782bf4f82810be28028147b/detection
# Reference: https://www.virustotal.com/gui/file/e58026e101ae93162cbf114997a2a2c78a80adfb6e6469823dd0d90572cef140/detection

154.12.234.207:7000
207.244.236.205:7000
mywormtwon.ddns.net
wormxwar.ddns.net

# Reference: https://twitter.com/InQuest/status/1626758679843205120
# Reference: https://twitter.com/Gi7w0rm/status/1626763227643224064
# Reference: https://tria.ge/230218-b9ngmaad96/behavioral2

45.139.105.105:7000
stanthely2023.duckdns.org

# Reference: https://www.virustotal.com/gui/file/2b786b8895d814c5d825f4eac99b009eb6aa16f66f6e5191b023e4ebc99fda66/detection
# Reference: https://www.joesandbox.com/analysis/811606?idtype=analysisid#iocs

209.145.51.44:7000

# Reference: https://twitter.com/suyog41/status/1631191121660444674
# Reference: https://www.virustotal.com/gui/file/098c9ebce4811fd2bb86654911581f21eb473f7afd5d27f7c09db57d5bfc1b62/detection
# Reference: https://www.virustotal.com/gui/file/aca8bf1de89203e445270f3cc76b3eaf9190b57fa35ef0d4425528ee639366cb/detection

209.25.140.180:38979
209.25.141.180:38979
according-psp.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/a7c707d2409f0190693aa7a7223c2576262b5bcd9da42ff5c3b375826c32b222/detection

91.193.75.191:55443
vcmkpl.duckdns.org

# Reference: https://twitter.com/petrovic082/status/1638652084492070912
# Reference: https://app.any.run/tasks/500f883b-fe97-44e1-a87f-67101bd0c30c/

95.214.24.38:5000
updateccdata.duckdns.org
urlcallinghta6.blogspot.com

# Reference: https://twitter.com/ScumBots/status/1639388448967766016
# Reference: https://www.virustotal.com/gui/file/01407e324f0b8090467eded47a97acbdb3ef42d0f12820cd57b0bc5b87ffe510/detection

181.141.1.67:3737
wormsito.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3964d69f2a321257a8a745aa9583eaed3cb53c070f79eba3945f6506dda0a2cb/detection

31.220.76.124:2137

# Reference: https://twitter.com/phage_nz/status/1653173706951397376
# Reference: https://www.virustotal.com/gui/file/5814ab23cf46820a0f911fac078dbe77a521ee36722ae2ac313c54c04e0c5601/detection

141.98.6.220:7001

# Reference: https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/
# Reference: https://otx.alienvault.com/pulse/64624bf528c55e0976f2bf71

kbowlingslaw.com

# Reference: https://twitter.com/suyog41/status/1671102046324269059
# Reference: https://www.virustotal.com/gui/file/22af50c2e5d1f1efcf96e317c22af9bbf6f31705c7575454e6314eaf7d131929/detection
# Reference: https://www.virustotal.com/gui/file/6671bd81d7714bbfd2189dd1642ae4c3789c02e06c5afaad1e26c3632974b124/detection

167.94.81.75:63434

# Reference: https://www.virustotal.com/gui/file/128a56ddbecc3d569646730bdccce1c045479122061f4d0feb8ec24670374eb2/detection

213.152.161.240:58538
notaire8081.duckdns.org

# Reference: https://twitter.com/suyog41/status/1678763978925932544
# Reference: https://www.virustotal.com/gui/file/331549b24c0e2eefd56c4dc74806aeaeab706fee5ddb019763330c811b6fb9e0/detection

194.59.31.105:7398
85.208.139.131:222

# Reference: https://threatfox.abuse.ch/ioc/1139291/

173.249.196.39:7092

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/

149.102.231.91:5000
20.125.118.35:7000
3.69.115.178:14042
zoer12.dns.army

# Reference: https://twitter.com/JAMESWT_MHT/status/1683405358272839680

stores-anytime.at.ply.gg

# Reference: https://twitter.com/g0njxa/status/1685615126412414976

51.107.0.117:4954

# Reference: https://twitter.com/ScumBots/status/1685849690221199360
# Reference: https://www.virustotal.com/gui/file/72ab332da034bd819d83d26272974048b24de773a3440d641202872161b3e514/detection
# Reference: https://www.virustotal.com/gui/file/a4ea9aac544248e1346d88e3c93fbc6973419ff7ce5266c7cb00be39518f1f11/detection

173.0.60.172:7000
dapperdesigns.for-better.biz

# Reference: https://www.virustotal.com/gui/file/52634ade55558807042eae35e2777894e405e811102e980a2e2b25d151fde121/detection

167.235.75.225:8895
momentmoney79.duckdns.org

# Reference: https://www.virustotal.com/gui/file/f03e6bd8d447536298483d8b57996e966c2a26baea8caa12fbca52300151edae/detection

108.62.118.133:9734

# Reference: https://twitter.com/AnFam17/status/1687723698273595393
# Reference: https://www.virustotal.com/gui/file/2951cb766b89f9e3e65902fec634ed924168629f2dd3a178ba753e66ce4be73f/detection

http://173.249.39.21
173.249.39.21:5000

# Reference: https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter

http://95.214.27.17
154.53.51.50:7000
185.174.101.131:7000
185.174.101.90:7000
209.126.87.35:7000
31.220.99.254:7000
45.151.122.57:7000
82.197.65.12:7000
85.239.237.141:7000
89.117.73.168:7000
95.214.27.17:8972
churchxx.ddns.net
freshinxworm.ddns.net

# Reference: https://www.virustotal.com/gui/ip-address/179.13.3.110/relations

apploak.duckdns.org
datosinfomativos12.duckdns.org
desdetre.duckdns.org
estrenos12q.duckdns.org
fantasmas145.duckdns.org
misdominios2024.ddnsguru.com
misterios140.duckdns.org
mistersalsa12.duckdns.org
newera2011.duckdns.org
xwormejor12.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3b5fc5f386c9dbbb93c2b1d5b33feaca132e9eb53744a495c75e76a6921c3ebc/detection

103.47.144.14:6644

# Reference: https://www.virustotal.com/gui/file/76e382de0ea4dbd364ac8d9878e0b419d6a8d3536de3b6ca36ee38d335e3446c/detection

209.25.140.212:48414
209.25.141.212:48414
209.25.142.212:48414
is-crawford.at.ply.gg

# Reference: https://twitter.com/Gi7w0rm/status/1694139192379334803
# Reference: https://tria.ge/230822-3m8ylahf9w/behavioral1

209.25.141.180:48892
209.25.141.181:40625
209.25.141.211:49826
209.25.141.223:45283
180.ip.ply.gg
miles-c.at.ply.gg
topics-junior.at.ply.gg

# Reference: https://twitter.com/suyog41/status/1694215167729598470
# Reference: https://www.virustotal.com/gui/file/dcc9780ce890c8caf79e5f3147cacd14b1f4e06c307e3bdfc8903ff2dfd90c19/detection

185.179.218.240:8081

# Reference: https://www.virustotal.com/gui/file/dc6f4ca2f9b7de5f3e7f9bb25dffd1d89043f1db95537908c0d59ae7e025d3d9/detection

83.143.112.45:7000

# Reference: https://twitter.com/petrovic082/status/1695718494451458242
# Reference: https://twitter.com/petrovic082/status/1695719606093054213
# Reference: https://app.any.run/tasks/3a32eeca-6c15-4100-b901-d8d92255f640/

88.229.76.29:8080

# Reference: https://www.virustotal.com/gui/file/0608af5ecb090af15ea0593e71b2f05d6594726915c91d92dd5e0dcebd60e492/detection

172.94.105.98:3000

# Reference: https://any.run/malware-trends/xworm

abom7md.duckdns.org
church-apr.gl.at.ply.gg
d7meyrat.ddns.net
https.myvnc.com
jajaovh.duckdns.org
kaught-53088.portmap.host
liveroman228-26531.portmap.host
please-co.gl.at.ply.gg
show-cottages.at.ply.gg
society-mastercard.at.playit.gg
test-theorem.gl.at.ply.gg
trial-pour.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/6e0df2a748927a28875f76eb917f71fe8ee2a9b2004c9b7d2742a654aae0238e/detection

34.227.114.203:7000
brasil.ddns.com.br

# Reference: https://www.virustotal.com/gui/file/888e076a0949bf1ab6297ebc9b089e8d1f926c7186b115dbbb44611f57b783c8/detection
# Reference: https://www.virustotal.com/gui/file/79750b3e59c64c381067d5dd07a174e746625b64f13cefe07671042676337185/detection

154.53.63.206:7000
185.111.156.133:7000
freshwarsmi.ddns.net

# Reference: https://www.virustotal.com/gui/file/fbb2f988d97221e62771f56ed0d7bb172c5738d1bbde76164d0ca830ed59e8af/detection

207.244.242.177:7000
mikexwormxxxyy.ddns.net

# Reference: https://www.virustotal.com/gui/file/b706aac7ee3800adff6df6bcd2ad3164ae34f71ab47399c1811daa664fdec247/detection
# Reference: https://www.virustotal.com/gui/file/0886ade2d19b2cb43c370190df382d3686c2364b246fc466ccf775b60a62c6a0/detection

154.53.51.233:7000
89.117.72.232:7000
secoundxwormm.ddns.net

# Reference: https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4

randall010.camdvr.org

# Reference: https://www.virustotal.com/gui/file/67de54a5271a2354b492bbaf5bbead07cc1e24fd5efa94bdac2fc30f0475db1a/detection

41.216.188.29:7000

# Reference: https://www.virustotal.com/gui/file/9198c970d6b61c1f22b6e2e4065fd99e8fd107c3bb8162c8aef56559459e9ff1/detection

217.229.108.168:1

# Reference: https://www.virustotal.com/gui/file/01856345569ffabd2504f9b9d102014c0119184660b25cea2c55db4d67c8c349/detection

147.185.221.16:12379
electric-desert.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/ip-address/2.59.254.205/relations

hotexworm.duckdns.org
newxworm.duckdns.org
xwormfresh.duckdns.org
xwormpeople.duckdns.org

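# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-09-15)
# NOTE(review): 172.31.27.185:7000 in this block is an RFC 1918 private address
# (172.16.0.0/12). It cannot identify an external C2 and can match unrelated
# internal hosts that use the same address; confirm it against the ThreatFox
# source before alerting or blocking on it.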

http://154.61.71.51
101.99.92.134:9008
103.187.4.59:62400
104.129.24.110:55226
109.195.94.247:7000
13.48.68.245:4449
139.59.42.121:49258
142.132.227.161:7000
142.202.240.88:253
147.185.221.15:10177
147.185.221.16:15294
147.185.221.16:18244
147.185.221.16:39035
147.185.221.180:36603
147.185.221.180:4310
15.204.37.12:5008
152.67.162.194:10001
154.127.53.162:7007
16.16.96.108:4449
162.251.123.54:1337
168.119.98.142:4100
172.111.138.90:2221
172.31.27.185:7000
176.205.45.103:4782
185.169.1.59:42069
185.17.26.114:7000
185.179.219.117:5002
185.225.73.47:1111
185.225.73.47:2222
185.241.208.173:7000
193.161.193.99:35943
193.161.193.99:43625
193.42.33.22:5555
194.145.138.85:1604
194.145.138.88:1604
194.228.111.236:7000
194.87.151.125:7398
194.87.151.19:7077
199.66.93.150:1337
2.58.56.249:8000
20.0.32.252:7000
20.219.15.124:2239
20.25.157.149:1234
20.25.157.149:4567
20.56.93.201:1604
204.13.33.68:1338
206.189.139.209:20715
207.32.217.73:2048
208.115.223.202:12999
209.145.57.6:8081
209.25.140.223:18381
209.25.141.181:51957
209.25.141.181:52055
209.25.141.2:43784
212.154.51.245:90
23.227.198.214:7777
3.126.37.18:14586
3.7.61.252:2339
3.72.8.200:7000
44.201.221.153:7000
45.130.141.212:7000
45.145.166.131:666
45.61.130.7:1010
45.81.225.208:7000
45.88.67.75:3333
64.235.38.13:2911
66.94.101.239:8081
67.61.188.116:7777
67.61.188.116:8848
67.61.188.118:3232
77.248.111.83:2404
79.110.62.143:7000
81.161.229.202:6601
95.214.26.78:5566
95.214.27.226:7000
aid-poly.at.ply.gg
americanibombardano.ddns.net
amz-worm.ddns.net
an-encoding.at.ply.gg
ana1.con-ip.com
angmmox.con-ip.com
animals-sewing.at.ply.gg
apexcv.ddns.net
average-danish.at.ply.gg
awgaegsrgcs.duckdns.org
behind-him.at.ply.gg
big-stayed.at.ply.gg
box-byte.at.ply.gg
browser-bangladesh.at.ply.gg
bush-gain.at.ply.gg
caloi1920.ddns.net
channel-diane.at.ply.gg
comes-reasoning.at.ply.gg
common-pharmacies.craft.ply.gg
computers-directory.at.ply.gg
computers-ed.at.ply.gg
davizshadow.duckdns.org
default-official.at.ply.gg
dejvicek-52169.portmap.host
dejvicek-62577.portmap.io
deletedapo-46418.portmap.host
design-utilize.craft.ply.gg
display-trade.at.ply.gg
distance-key.at.ply.gg
documents-ultra.at.ply.gg
during-widespread.at.playit.gg
egleooogom.duckdns.org
either-puzzle.at.ply.gg
employees-spa.at.ply.gg
even-house.at.ply.gg
exops-31573.portmap.host
faculty-symbols.at.ply.gg
feel-herbal.at.ply.gg
flowers-ak.at.ply.gg
freed11231.duckdns.org
ftap-29332.portmap.host
german-sip.at.ply.gg
get-dig.at.ply.gg
gunitp.duckdns.org
h0x351.ddnsfree.com
harrypotta-35943.portmap.host
harrywilly.ddns.net
head-transit.at.ply.gg
herbet.ddns.com.br
history-periodically.at.ply.gg
hope-duck.at.ply.gg
house-induced.at.ply.gg
http202suspend-33946.portmap.host
ichbineinvogel2.duckdns.org
instruments-specials.at.ply.gg
jeanjaques.ddns.net
johnnew12.duckdns.org
johnny1234.duckdns.org
jxworm2ndport.duckdns.org
kids-abstract.at.ply.gg
killertype.ddns.net
leakportsnext.duckdns.org
license-donna.at.ply.gg
links-recovered.at.ply.gg
mary-classroom.at.ply.gg
master-flat.at.ply.gg
mean-garbage.at.ply.gg
members-path.at.ply.gg
microsoft2.ddns.net
models-issn.at.ply.gg
moonrdp1.duckdns.org
must-scores.at.ply.gg
mygame.serveftp.com
nabeelrats-21020.portmap.host
name-shadows.at.ply.gg
next-screening.at.ply.gg
no-sofa.at.ply.gg
opportunities-rendered.craft.ply.gg
option-trading.at.ply.gg
partner-enforcement.at.ply.gg
paul-positive.at.ply.gg
pavpaladmin9917.ddns.net
polki.anondns.net
pollofx-35076.portmap.host
port4000mobi.duckdns.org
property-gourmet.at.ply.gg
ready-somalia.at.ply.gg
related-regression.at.ply.gg
releases-connection.at.ply.gg
return-interpreted.at.ply.gg
safety-electronics.at.ply.gg
score-told.craft.ply.gg
sepatico.duckdns.org
share-divorce.at.ply.gg
share-scored.at.ply.gg
size-bills.at.ply.gg
slammer.cf
society-painted.at.ply.gg
spajkr.hopto.org
special-alpine.at.ply.gg
system-headed.at.ply.gg
there-carol.at.ply.gg
tienichxanh.vinaddns.com
title-weapons.at.ply.gg
top-ftp.at.ply.gg
unit-satisfactory.at.ply.gg
venom.giize.com
vfggfhd.servemp3.com
way-puppy.at.ply.gg
willbr77-52985.portmap.io
wniko1-39869.portmap.host
words-cells.at.ply.gg
xworms.ddns.net
xwrm.webredirect.org
y-enhancing.at.ply.gg
zlow11214.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1703779021694419195
# Reference: https://twitter.com/r3dbU7z/status/1703780891724841423
# Reference: https://www.virustotal.com/gui/file/96fa32da812662011588e77b75eb6bee3eb768f533533457c51f4d58ae8ee062/detection

194.180.49.181:443
194.180.49.181:7064
194.180.49.181:888
xm3.publicvm.com
xyoptotway.work.gd

# Reference: https://twitter.com/banthisguy9349/status/1783865107321155816
# Reference: https://www.virustotal.com/gui/file/b8bf4cf9e824badde4cbe7f3544c1102bfa926efd00cff2398a9d4ac17f80225/detection
# Reference: https://www.virustotal.com/gui/file/96fa32da812662011588e77b75eb6bee3eb768f533533457c51f4d58ae8ee062/detection
# Reference: https://www.virustotal.com/gui/file/8e99426fb98ad89057bd6af2bf2764fa080aaff3511fe72d96765e2f2b2f0411/detection
# Reference: https://www.virustotal.com/gui/file/75b4525f550304c38c76fcffc7362b57dccf049d69709b5dbef353bbb11c691b/detection
# Reference: https://www.virustotal.com/gui/file/01139ac5fafb901928078e69c4962a44a596310d96b12ffd68854bf1f94b021e/detection

194.180.49.181:7064
94.156.71.212:7064
91.92.249.198:443
91.92.249.198:7064
91.92.249.198:888
91.92.252.85:7064
94.156.66.40:7064

# Reference: https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/
# Reference: https://www.virustotal.com/gui/file/1073ff4689cb536805d2881988b72853b029040f446af5ced18d1bc08b2266e1/detection

3.66.38.117:13394
52.28.247.255:13394

# Reference: https://app.any.run/tasks/d3858744-f1b2-4a9b-8ef7-deccada2a160/

3.69.115.178:13394

# Reference: https://app.any.run/tasks/5fab7db5-267e-46f6-a374-0f42de1cb328/

147.185.221.16:15179

# Reference: https://twitter.com/Gi7w0rm/status/1706061724099457411
# Reference: https://www.virustotal.com/gui/file/9bd123cf9a41a9a9fd219fd8fcba7ba20543470d4b5c911ba07489b04fd74428/detection

79.110.62.151:1234

# Reference: https://tria.ge/230924-yzgbwsba28/behavioral1

2.59.254.205:7002

# Reference: https://tria.ge/230924-yzvjhsba39/behavioral1

79.110.62.151:7000

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-09-25)

141.98.6.196:7020
154.53.51.233:8909
191.101.130.18:8252
23.106.215.7:7007
50.114.203.104:7909
81.67.181.238:9033
88.11.59.100:8888
chikes17.duckdns.org
copy-marco.gl.at.ply.gg
floptuytonroyem.sytes.net
garden-event.at.ply.gg
graxe239-61522.portmap.host
xvskill.duckdns.org
youtubevideos.ddns.net

# Reference: https://twitter.com/Gi7w0rm/status/1706063680171860137

aakata123.duckdns.org
aakatabit1915.duckdns.org
aiminent2.duckdns.org

# Reference: https://twitter.com/doc_guard/status/1707018037428101360
# Reference: https://www.virustotal.com/gui/file/7fa4e361cf073d65ccbc49dc937a622965977ef995a0c199a4b4aa5fddd57d17/detection

138.201.189.141:4444

# Reference: https://twitter.com/r3dbU7z/status/1709147111567004129
# Reference: https://www.virustotal.com/gui/file/bfb5afd83e4c4962336f10655e191e0efc2b9fe968af9f37f7d84c845a27a075/detection
# Reference: https://www.virustotal.com/gui/file/008922a9bcd25e1cbf52234ea926306bba3d646bfcd087d6fc6c6f58ab8ac54a/detection

20.229.184.215:443
20.229.184.215:65350

# Reference: https://twitter.com/suyog41/status/1709524284169978094
# Reference: https://www.virustotal.com/gui/file/5b53d803d2c3d82de79a732a2f1737c7726415b2b056f7f43e74638e1df3fd8b/detection
# Reference: https://www.virustotal.com/gui/file/9d79c20d80eb9ded90a7e7f2ebdcd057bc29409084af3ecdd63c6ed072f103b0/detection

186.6.93.202:4444
telebyt.com
windowsmanagerhost.ddns.net

# Reference: https://twitter.com/naumovax/status/1711777764615802979
# Reference: https://tria.ge/230930-vqpp5aff65/behavioral1

147.185.221.16:54013

# Reference: https://twitter.com/suyog41/status/1712768941536522411
# Reference: https://twitter.com/suyog41/status/1725447282856968625
# Reference: https://www.virustotal.com/gui/file/0083a052767c5e651c36ce419a582c2ba5d81c0776ef1de765626958b4686b45/detection
# Reference: https://www.virustotal.com/gui/file/d18c4cde9bc83592187f8a90e3f138c871a35cda49d4a0078ca9eac04cfc961e/detection

104.243.32.185:7000
45.141.215.230:7000
normanisback.com

# Reference: https://twitter.com/suyog41/status/1715222348423721054
# Reference: https://www.virustotal.com/gui/file/e9148a15c8d96c389aaae6fbb04b5cd1ee587e2ded6193d47532885b84abd984/detection

147.185.221.16:18915

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-10-30)

101.99.92.161:7000
103.114.106.183:47074
139.99.153.82:8181
147.185.221.16:45753
147.185.221.16:56343
147.185.221.16:57012
147.185.221.16:57076
157.254.223.19:8000
163.5.215.212:1337
163.5.215.212:8072
193.161.193.99:61360
20.197.231.178:7000
216.230.73.215:6789
51.81.216.78:1111
51.89.158.83:7000
66.94.97.98:7000
95.164.18.46:2608
brightle.ddns.net
frostycheats-30646.portmap.host
graxe239-61522.portmap.host
jameshde18.duckdns.org
mike09-55168.portmap.host
pool-roman.at.ply.gg
registered-dt.at.ply.gg
releases-photos.at.ply.gg
rules-views.at.ply.gg
serverwindor.duckdns.org
testarosa.duckdns.org
xmsh.publicvm.com

# Reference: https://cert.pl/en/posts/2023/10/deworming-the-xworm/
# Reference: https://otx.alienvault.com/pulse/653a78a1b9c42ecf2ba3a591

blackid-48194.portmap.host
single-boulevard.at.ply.gg

# Reference: https://twitter.com/g0njxa/status/1721444417586778207
# Reference: https://app.any.run/tasks/c276c263-7b85-459b-b93c-d278e845e171/

206.189.20.127:6234

# Reference: https://twitter.com/karol_paciorek/status/1723024066112557542
# Reference: https://tria.ge/231110-t3mkvsca78/behavioral1

54.90.216.100:7001

# Reference: https://twitter.com/suyog41/status/1724726595578159178
# Reference: https://www.virustotal.com/gui/file/46ac8d1dba7668319574d2f459a54d8b8eb5606c027e393308ab395b7b5aa746/detection

103.47.147.196:1500

# Reference: https://www.virustotal.com/gui/file/4ca23c140f02ad3f9a8d0df97e57a6282faf8aa85433efd3f7c07a5ba8868da7/detection

15.228.235.93:7000

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-11-20)

147.185.221.16:40164
147.185.221.16:49975
15.228.35.69:5000
172.177.19.106:7000
188.148.105.135:2112
35.220.199.19:7000
62.233.57.160:6789
2freshinxworm2.ddns.net
antilol2113-61842.portmap.host
case-defines.gl.at.ply.gg
dizzywizzy-61490.portmap.host
espadadz.ddns.net
f8terat.ddns.net
goheg99417-59409.portmap.host
juandice-60636.portmap.io
kriz-nas.ddnss.de
lead-selections.gl.at.ply.gg
m0ney7.ddns.net
media-specified.gl.at.ply.gg
menu-webcam.gl.at.ply.gg
notfishvr55-32209.portmap.host
okaa0-25007.portmap.host
okaa0-35095.portmap.host
partner-juice.gl.at.ply.gg
q-grounds.gl.at.ply.gg
raven123.ddnsgeek.com
reference-tokyo.at.ply.gg
tarekfr77-41254.portmap.host
tcxerr.duckdns.org

# Reference: https://www.virustotal.com/gui/file/145c1ede38b85b82e5072f2d9c0c65aa8eb479bd2cf90d99d7d375c0c2e7c4ea/detection
# Reference: https://www.virustotal.com/gui/file/4229b3925fbd80f2316493b19c1c7fd23898507284bae4754e76c79a096f2133/detection

194.147.140.215:7463
37.139.129.85:6742
91.192.100.39:6742
kayamer.kozow.com

# Reference: https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/
# Reference: https://www.virustotal.com/gui/file/f58193da4f61b45e375f5aa2978b08908578b5151dc779dc4b566e6a941e802b/detection
# Reference: https://www.virustotal.com/gui/file/58d80cdaac096a9d8ba772a4e857a24db9c797d5b7913e54185c68e21c5526e6/detection

140.228.29.162:7900

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-11-21)

104.250.180.178:7061
147.185.221.17:24796
162.212.154.8:41589
185.183.34.34:7000
185.239.237.162:7000
194.15.216.233:4548
207.32.219.52:7771
216.107.136.195:7000
3.121.139.82:18925
3.121.139.82:5240
3.127.59.75:18925
3.127.59.75:5240
34.130.82.241:5010
46.183.221.28:7000
51.89.38.74:33966
52.28.112.211:18925
52.28.112.211:5240
52.91.10.228:7000
54.90.216.100:7000
65.0.80.77:7000
80.66.87.4:7000
87.172.204.140:7000
93.123.85.35:7000
2023navidad.duckdns.org
around-lite.gl.at.ply.gg
conditions-monthly.at.ply.gg
fgfdsnvisdnvijnsdvdssdsd.con-ip.com
frank4893.duckdns.org
house-rooms.gl.at.ply.gg
if-shuttle.gl.at.ply.gg
language-partnership.gl.at.ply.gg
newpossibility.duckdns.org
traffic-statewide.gl.at.ply.gg
viiper1337-29699.portmap.host
windowis11.com

# Reference: https://twitter.com/1ZRR4H/status/1729196411843985530
# Reference: https://www.virustotal.com/gui/file/850e60489a54f8a3307a124c19c80cfc46bc34b2b3b93bc74c2b764b667df09b/detection
# Reference: https://www.virustotal.com/gui/file/df501e6c611c658df919bbe959e54b1080da39511a7de35ab3b5146e32584728/detection

5.182.87.154:7000

# Reference: https://www.virustotal.com/gui/file/f1f72684f5813bd4a3932397edd7e2056c9d61421bf7e5248ae68f6e6d65d33d/detection

46.246.86.23:7000
rootfix.linkpc.net

# Reference: https://www.virustotal.com/gui/file/c861d69c8a9904c99ef947dcdca02995652fb6afbc8a0edb196921ac6f5dc14e/detection

212.237.116.158:7000

# Reference: https://www.virustotal.com/gui/file/33b2c62cad9fa6a203cca01285d1230bf92b38929b8f9ed07ec6187b2fe8fdf1/detection

212.237.116.163:7000

# Reference: https://twitter.com/1ZRR4H/status/1729713083004641491

46.246.80.17:7080
2023navidad.duckdns.org

# Reference: https://gist.github.com/silence-is-best/67adb7549211b3046f554044bcc5c151
# Reference: https://www.virustotal.com/gui/file/832d96e8996c618b21f649812a218c44d7fae08fa2081cdb34631cc2cdcbd6df/detection

194.107.126.61:1111

# Reference: https://www.virustotal.com/gui/file/976780197cc411fbed0105adc79a779e72ac2a802ca7f2a001334c0a37e046da/detection

46.246.84.13:7000

# Reference: https://www.virustotal.com/gui/file/eba007fec4ab29d205cf04ced605ec34b27dfa2733a5cccd50856bdf9ba66e42/detection

91.92.242.98:9
cpabuzus.duckdns.org

# Reference: https://twitter.com/karol_paciorek/status/1736689204279623733
# Reference: https://tria.ge/231218-lw7nfshhcn/
# Reference: https://www.virustotal.com/gui/file/9e5612cd0949cb21b3d12491294ebe173571c1a665014dbbce7f7ebb995d42d0/detection

http://45.88.77.20
45.88.77.20:7000

# Reference: https://twitter.com/SarlackLab/status/1737126329542123767
# Reference: https://www.virustotal.com/gui/file/fd478fb15b4976507f494e31f6cbe2a8d4d173026ae1bbcb4849685630cf9b19/detection
# Reference: https://www.virustotal.com/gui/file/f688fb7b4cf19a4760138e7625915815f4acc23732456a3540f76f39aed90417/detection

45.144.152.86:39001
45.144.152.86:44635
45.144.152.86:58001
78.135.67.111:56001
liveclouds.duckdns.org

# Reference: https://twitter.com/V3n0mStrike/status/1739854351022080487
# Reference: https://www.virustotal.com/gui/file/230a77727f9c8e701594ee34a22d5b2f7d8647295e749d3103d2322d8bce7eea/detection

http://31.172.83.170
31.172.83.170:7000

# Reference: https://www.virustotal.com/gui/file/5e1944524f2ae23724c8a9a593915266e18214a0038896f30ba37e1fd022caa2/detection

89.23.99.86:7000

# Reference: https://twitter.com/banthisguy9349/status/1744384627039518736
# Reference: https://twitter.com/banthisguy9349/status/1754145829076533416
# Reference: https://www.virustotal.com/gui/file/2df04f5f739f5b0daf925fe8553dfe2b58267be0e735d683ce834101f91b5e38/detection

http://91.92.253.171
91.92.253.171:443
91.92.253.171:888

# Reference: https://twitter.com/netresec/status/1744378756641288517

147.185.221.17:36499

# Reference: https://twitter.com/ShilpeshTrivedi/status/1744695359144923604
# Reference: https://www.virustotal.com/gui/file/ca791046eaf207a1bb8631263bf12e41802255a7114c48086dccd4ad1152766e/detection

147.185.221.17:61779

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-01-10)
# Reference: https://www.virustotal.com/gui/ip-address/91.92.240.61/relations

91.92.240.61:7000
lyamore-metal.com
taiwantradeglobal.com
open.lyamore-metal.com
open.taiwantradeglobal.com
opendomain.lyamore-metal.com
opendomain.taiwantradeglobal.com
wealthyblessed.duckdns.org

# Reference: https://twitter.com/malwrhunterteam/status/1745582580718543343
# Reference: https://www.virustotal.com/gui/file/1ae50087f5c0b05a9ac41362a2e7ed3d3c82fecda835aa7e5fcc5b5da5f44903/detection

http://139.99.114.151
139.99.114.151:7777

# Reference: https://www.virustotal.com/gui/file/4bb0daf6ad46380eb905da9f586d108f9a9e7bd83c31d7903824ebe3abd65fb0/detection
# Reference: https://www.virustotal.com/gui/file/0893cfe208c34030552ccd250f5e185d42423f4ebb5311a13f68e5bd96a1cad7/detection

147.185.221.16:33203
canadian-perspectives.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/00a965b03bf3654df1c90725b114a8dfc49cdb522bf7a558d24f13e20e204fa9/detection

46.246.82.5:2525

# Reference: https://www.virustotal.com/gui/file/fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11/detection

191.233.27.50:5552
dzn.ddns.net

# Reference: https://www.virustotal.com/gui/file/0ccb60e63193c1bd24e82fee53094c54fdb1e3481601f1a6451dbf74a375185b/detection
# Reference: https://www.virustotal.com/gui/file/504bc01416f714ce0f77e87bae667573bee922c86708b2cadfaf7e4478673a30/detection

http://90.61.145.105
90.61.145.105:5485

# Reference: https://www.virustotal.com/gui/file/afb0a01f30aa1239f85e2eb465e374c49a274383caa52d3c8dd46c67b17be519/detection

91.92.253.187:7000

# Reference: https://www.virustotal.com/gui/file/7c7b4d01ce572fb5d63536aa53eff94be082e76127906d91c673bbb4e0d7b8e1/detection

94.156.65.113:8400
greatrackspace8400.duckdns.org

# Reference: https://www.virustotal.com/gui/file/4c291ba1cd60a0a9e4649067f2bcb3619bf8874b47f928ab7f2583b31d778678/detection

94.156.65.113:8300
restpeople8300.duckdns.org

# Reference: https://www.virustotal.com/gui/file/ab5a62c5f4e883afff61be9b7020ba1aa9d52565dc310cee06488ad22ca8f68f/detection

91.92.251.144:7001
xwv5group7001.duckdns.org

# Reference: https://www.virustotal.com/gui/file/d86408c32b0b7f7b43930cb33b99e472db2db4c429d4273d3133d7b8ad29712e/detection

23.95.11.218:8100
94.156.65.114:8100

# Reference: https://www.virustotal.com/gui/file/3224658a2fbf2a7a1adece92d8d2fb9e136898efb17b5bbffcf0ac39bce4afbb/detection

188.70.3.112:6666
sys666.ddns.net

# Reference: https://www.virustotal.com/gui/file/0e948e3d83e22df165afac4da052b45297f719a33f86c4c194958f59dad75a28/detection

192.99.190.119:7000

# Reference: https://twitter.com/K_N1kolenko/status/1752932027324637338

154.179.242.6:5552
196.154.211.81:5552
windowshelp.zapto.org

# Reference: https://twitter.com/Cyber0verload/status/1754913588748116080
# Reference: https://www.virustotal.com/gui/file/04095081ef5314ab278d6a89310224f4fb8b6c5579850f8a21446787373380aa/detection
# Reference: https://www.virustotal.com/gui/file/ca3eb918501c15e45c872627555cb04e033e11d43e0f0a31b41c493b9246bd69/detection
# Reference: https://www.virustotal.com/gui/file/949f78a60cbfc76dd8eb75e2d18203d565a14bdab35c2329e0acaccc84dcc57c/detection
# Reference: https://www.virustotal.com/gui/file/03ad54bf6d1c95613a1c05f492161ced8e5592b71105c9bc685b5b85798cb4db/detection

147.185.221.18:6104
a0917004.xsph.ru

# Reference: https://www.virustotal.com/gui/file/02a5c3519f2f01bfa8efc1908e3191c6ec100732481b639260764147862e437a/detection

65.0.50.125:22811

# Reference: https://www.virustotal.com/gui/file/1e83b42f7ffd019c8c56991b8625f25e0ee94f2034c447b701482839400c7cfd/detection

74.222.9.95:7000

# Reference: https://twitter.com/karol_paciorek/status/1755187835110400393
# Reference: https://www.virustotal.com/gui/file/9d2bde48e2ac646c62ca1455cde6d5c2242be0cb67a9904f81e0851743491ba2/detection

45.88.186.197:7008
45.88.186.197:8000
me-work.com

# Reference: https://www.virustotal.com/gui/file/4d64bbdbca232e9efbf8770386ed39562691793c678856d6e0c0fb1dc4af5219/detection

159.89.100.67:7000

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-02-12)

194.147.140.138:9090
janxworm9090.duckdns.org

# Reference: https://www.virustotal.com/gui/file/57f4c5126700392a7d6e6fa24d8c8f1c9efcf960e3019a84237ae1b54f9e9c69/detection

worknow.con-ip.com

# Reference: https://twitter.com/malwrhunterteam/status/1758829170384089446
# Reference: https://www.virustotal.com/gui/file/848020d2e8bacd35c71b78e1a81c669c9dc63c78dd3db5a97200fc87aeb44c3c/detection
# Reference: https://www.virustotal.com/gui/file/54f8cd32f62f341e893ddeda8d8ef2a91e7a087e0070fec77d07bd6a15dbe65c/detection

194.49.94.135:8080
45.61.139.51:8080
internal-liveapps.online

# Reference: https://www.virustotal.com/gui/ip-address/46.246.4.4/relations
# Reference: https://www.virustotal.com/gui/file/136a96a2413e45ad1cbfca37d510e22a9d252ad439a9435dcee29a8d053ba45d/detection

178.73.192.20:7000
188.126.90.14:7000
188.126.90.7:7000
46.246.12.24:7000
46.246.14.18:7000
46.246.14.5:7000
46.246.4.4:7000
46.246.4.6:7000
46.246.6.6:7000
46.246.84.12:7000
46.246.86.6:7000
62.201.242.201:7000
daddy.zapto.org
puerto2514.duckdns.org

# Reference: https://www.virustotal.com/gui/file/cbb2fa94f392846a09688fed1779cc8de202df22a1164add9834ea5ad25834d9/detection

178.73.218.9:5581
dfasdfasdgs.duckdns.org

# Reference: https://twitter.com/suyog41/status/1760989736490172735
# Reference: https://www.virustotal.com/gui/file/4f3b18db37af50fa8967dacfa9541e93d6f5a410ea940f2712ce86cfae13dd2b/detection

196.112.44.196:5555
drcamelston.sytes.net

# Reference: https://www.virustotal.com/gui/file/e9a7cae8d9cd49819e5365230f4e42848e3943ace5f160f5df4e48bcda249fea/detection

102.101.187.102:5555

# Reference: https://www.virustotal.com/gui/file/7ef2ec455625ed3cadf84defc1f8c6ad4e50ff570a8bc9399c183f1fb6db64ae/detection

196.112.147.229:5555

# Reference: https://tria.ge/240224-k7w6esfe55/behavioral2

45.128.96.133:7000

# Reference: https://www.virustotal.com/gui/file/0bbc93c764351e6d0179d5bfefba7e8e097df0eae1e6f2fea8869ad5ecb83358/detection

46.246.12.66:7000

# Reference: https://twitter.com/ScumBots/status/1761543361326874669
# Reference: https://www.virustotal.com/gui/file/3313a1b94dc054adbeb337332d60a54dbd9267216dffc2952a39c1cada45671c/detection

191.55.79.182:5553
nodetect.duckdns.org

# Reference: https://www.virustotal.com/gui/file/be01d0557c67f4a8de2b8c991bbb8239a2220f4815426fe8d3bb1b1e4af6dd54/detection
# Reference: https://www.virustotal.com/gui/file/567da51c564af8d8abe7576e19c0d8bd6c453fecf6988f01b6f31b8da208b849/detection

190.28.142.225:7000
xwormsssreload.duckdns.org

# Reference: https://twitter.com/suyog41/status/1763499809099682186
# Reference: https://www.virustotal.com/gui/file/1d515bccf06b6b7304860f705fe43a8f33f24a33a65617934ceb500f1440d207/detection

104.219.238.14:7000

# Reference: https://www.virustotal.com/gui/file/787e491b12bff499e46beb4433b144d9020da9bb26ef3bdd4e4bad21c99b8090/detection
# Reference: https://www.virustotal.com/gui/file/a68f76c530a51ddd6e3c6983f202054ae462530ab40fdd16ea44eff9af02d3c5/detection

http://107.175.3.10
107.175.3.10:443
/shellcodeAny_20240229085449462.bin
/shellcodeAny_20240229163131845.bin

# Reference: https://www.virustotal.com/gui/file/5ce080055262bb21798a99e83d370fab41b809ebd8d59bc083bdac2a49b2427e/detection

147.185.221.18:35608
points-detect.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/444338339260d884070de53554543785acc3c9772e92c5af1dff96e60e67c195/detection
# Reference: https://www.virustotal.com/gui/file/9cbb0cf0e3c4896cd1916dd4330e77e6a66be46f0c631328414f89e0456f064b/detection

37.120.141.139:1111
37.120.141.139:1604
scamkiller.duckdns.org

# Reference: https://twitter.com/1ZRR4H/status/1766223253360574957

91.134.150.150:7000

# Reference: https://www.virustotal.com/gui/ip-address/12.202.180.134/relations

xwonsmolpsnsm.duckdns.org
xwortom.duckdns.org
xwrm966.duckdns.org
xwrmmomment.duckdns.org

# Reference: https://www.virustotal.com/gui/file/f506b4b1d861d9919dd3238d63ea3020fb05f42534e91a4e534bb5c248c291db/detection

102.89.41.40:7000
45.137.22.150:7000
fat221.ddns.net

# Reference: https://www.virustotal.com/gui/file/633a9be5fea8c29f5743e8309af533055ad2b398b69ba25368c82c4eb6c0e790/detection

51.195.192.51:7000

# Reference: https://www.virustotal.com/gui/file/9ec956dc7b5b323efc45b533cdb4b7017efc4bef05c341b18a0f90c0ea7df35f/detection

http://45.141.215.126
45.128.96.122:2449
45.128.96.122:5554

# Reference: https://malwarelab.eu/posts/stego-xworm/
# Reference: https://www.virustotal.com/gui/file/e30fd7cd7ff6ac140dfa8ed25e0a73d59b70564002099bf01570d59b17935b25/detection
# Reference: https://www.virustotal.com/gui/file/c148ccd6f7623a64d985d3bcc8e882879164b190211ba99661d26152c0dbc4dd/detection
# Reference: https://www.virustotal.com/gui/file/4a3ec6f4f6b79baeabd7d0c4a9f4e043693fa72062573e252d53b70ce3d929a4/detection
# Reference: https://www.virustotal.com/gui/file/15c1414b51b35a77c12be6119cde8c473eb4d5dd2a317f24bc1fa4e7a023e56d/detection

34.216.89.67:7000
34.216.89.67:7001
salif2201021.duckdns.org
xwormchina1203.duckdns.org

# Reference: https://www.virustotal.com/gui/file/ef644fcc2d9242631532474fee0d9bd7bf9d6f99fe099c95bdf00a5e117c011f/detection
# Reference: https://www.virustotal.com/gui/file/b56417ee728862c29f994e54f301fa0ac49237a2c3d9b5fbe88c4cfffbae52df/detection
# Reference: https://www.virustotal.com/gui/file/8a06ced3eb15f9e942b8e1359e04b50d2b0d83c4b688bf1d19ac25da0c898557/detection

109.131.125.140:8832
2.9.241.66:5123
85.201.185.117:8832
91.196.220.193:8832
xworm.ddns.net

# Reference: https://www.virustotal.com/gui/file/d452b6cbc3d6319242e1d0a8985e0ac4c1fc255b6a6a1209bd3f95ad393183b2/detection
# Reference: https://www.virustotal.com/gui/file/a6c51f3a262b88e994175a3c667923fa1f5f260aeef1044c34f31175308c5de1/detection

xworm.duckdns.org

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-03-24)

http://194.147.140.138
107.175.3.10:7536
171.247.47.66:4444
171.247.57.232:4444
91.92.242.57:8989
fvia.id.vn
marxrwo9090.duckdns.org

# Reference: https://www.virustotal.com/gui/file/e6f7963c726231571294a06e1e8b1f03b87684cad8383bb194b957fc685685c2/detection
# Reference: https://www.virustotal.com/gui/file/dde68755fa515158e01e3e8f2b90772dc86e25b7e2684fc5066a5e33ee22b614/detection

157.254.223.19:8081

# Reference: https://www.virustotal.com/gui/file/f11530348170183d1b09956284353c00b1bd7db111fbfc8faead8d17ba4dc626/detection
# Reference: https://www.virustotal.com/gui/file/bc7ff6e9fd8cc3ab6d0da0f02818629237bcd64cc8ed86a924d0325f0445a078/detection

194.147.140.138:3615
persianremote.world
besty2023.sytes.net

# Reference: https://www.virustotal.com/gui/ip-address/194.147.140.138/relations

febxworm39090.duckdns.org
janmidd9300.duckdns.org
marxrwonew9090.duckdns.org

# Reference: https://twitter.com/suyog41/status/1772864180376191428
# Reference: https://www.virustotal.com/gui/file/d23c351c8e05de555878912735b555169864cf1b41c28d0bb065ec0ede32faaf/detection

172.94.125.164:2220
google-updater.duckdns.org

# Reference: https://twitter.com/r3dbU7z/status/1773480693487538583

rentcentral.online

# Reference: https://twitter.com/karol_paciorek/status/1775152923271405876
# Reference: https://tria.ge/240402-p8r1baag33/behavioral2

209.126.87.35:7000
209.126.87.35:8888

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2024-04-04%20XWorm%20IOCs

91.92.243.33:7000
dcxwq1.duckdns.org
reality-lauderdale-strengthen-condos.trycloudflare.com

# Reference: https://twitter.com/ShanHolo/status/1776550047120789901
# Reference: https://www.virustotal.com/gui/file/e761f2d9049734373c12c97aa557183081403e792b40028c410e4a6c0646c2b8/detection

http://210.246.215.36
210.246.215.36:5814

# Reference: https://twitter.com/ShanHolo/status/1774753351671906527
# Reference: https://www.virustotal.com/gui/file/9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b/detection

http://210.246.215.82
210.246.215.82:7000

# Reference: https://www.virustotal.com/gui/file/a1a8aa4165535f8af330c983f7bc4259bccac718288b59d10d21693f73d049a6/detection
# Reference: https://www.virustotal.com/gui/file/a13c9eeea3360eb429202e74b78c1664e2a14ef9182a9f9ff8399a91983be731/detection
# Reference: https://www.virustotal.com/gui/file/96cdff86a5e3d8aa60574a0a8a4fd01ebdd8d88b4ffc6fb0c34f1f01f2e56095/detection
# Reference: https://www.virustotal.com/gui/file/49c7cacd2736a505c370064f1c1ae2b6c8938385592c6c6da55a4c2354944135/detection

185.36.188.52:8896
28.140.73.191:8896
93.123.39.28:8896
xwormmom53.duckdns.org

# Reference: https://www.virustotal.com/gui/file/8bb96eab6ecce497a8df95bd2ea9b22c3f304f4d46b5c7f9064f1f953170f196/detection

147.185.221.16:41934

# Reference: https://www.virustotal.com/gui/file/8048406056b1a1a91b56725c1c0b89e3b8060bf5a45861484a73728d222ccbc2/detection

192.99.152.153:7001
xwormv5.duckdns.org

# Reference: https://www.virustotal.com/gui/file/574bbc258f00e8ef099184a763b7f03075218c56ebfcd90f0319250cb8cd82ae/detection

209.25.140.181:26193
kids-abstract.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/e80426f5e4fa58d66cb1658b470e5c46bb35524379ff192dda7eb7c87d66a27d/detection

137.184.94.195:7000

# Reference: https://www.virustotal.com/gui/file/3b97b6b5f8b17918239a303a735c9098e47ff49ec04fbb25f62d870e8ebd2183/detection

45.138.16.125:7000

# Reference: https://www.virustotal.com/gui/file/60bb0aae72a9ba2fdb141b497da0e4671c92a6a1bd825c72a8a8c2df4de08fbb/detection

146.190.57.132:7000

# Reference: https://www.virustotal.com/gui/file/bc1b38d36be44ff0b3f853d4cbfadc275bcf0898a9ca41607887b7d1eb2c124d/detection

20.197.229.216:26099
craxsr4t.duckdns.org

# Reference: https://www.virustotal.com/gui/file/8f9ac4eafd35f7b9f8e3fdbe1e9cce3b8ea6e5447b631949920dea27c86def1e/detection
# Reference: https://www.virustotal.com/gui/file/68c23de8564b113bf324bf9ba438a57cf4070a895134cbe28bdf0896efd9a5b1/detection
# Reference: https://www.virustotal.com/gui/file/4dc4cf85bff980888e41079167fe3290b766cdac49f9f93db655b6363315133d/detection

194.147.140.186:4004
myhost1.hopto.org

# Reference: https://www.virustotal.com/gui/file/d76e889cf2575622ca27fcb43a4bfd4df2dba3cfdd3175c28abdef00d541eaa3/detection
# Reference: https://www.virustotal.com/gui/file/84c6c519c17da179b5d9d969a57a67e710168b83323e7afe2a9dcda50979d9db/detection

91.92.253.147:7000
freed12.duckdns.org

# Reference: https://www.virustotal.com/gui/file/6045030af3412c4670b042c08f7fbf0e31b670e679724388b9192fb512a1e705/detection

179.13.0.175:7000
warzones12.duckdns.org

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2024-04-16%20XWorm%20IOCs
# Reference: https://www.virustotal.com/gui/file/bcfe8808e2702a5700a63b1e003e7c08a1039edcf9d9cd734b5e1937746a1af7/detection

12.221.146.138:8450
45.146.255.167:8500
aprilxrwo8450.duckdns.org
phv18mar8500.duckdns.org
phvnc8500.duckdns.org

# Reference: https://www.virustotal.com/gui/file/02a0598aeaf2d468baa017e649143581ae98be80c87bb0df6c38f44b593c0672/detection

78.137.82.251:7000

# Reference: https://www.virustotal.com/gui/file/a44c1de14da3e559ba63a470f5dfea8e9da7fd990ca33b9c57344d05eb293bd0/detection
# Reference: https://www.virustotal.com/gui/file/2e8bdb5b1d2d3c44e9d057075b629e31b630e704bed2e0f7ce0399b59fd31525/detection

185.249.197.248:9090
45.141.215.40:9090
google-api.webredirect.org

# Reference: https://twitter.com/1ZRR4H/status/1785825977035010503
# Reference: https://www.virustotal.com/gui/file/7657626481f9276d3ecd83ba73795bbb175af0c3738648bbb37613f8d52f0285/detection

45.88.90.74:1600

# Reference: https://twitter.com/karol_paciorek/status/1788556707620159734
# Reference: https://www.virustotal.com/gui/file/29841f038da6a26dac5df28f23b4adcb080f5b0a2312bf996c8073940849eef6/detection
# Reference: https://www.virustotal.com/gui/file/4eedc7ed6ade620eef8eb160d18518afc9c59eb262baf8a9fdbe758fb611b6f0/detection

45.61.150.201:1111
45.61.150.201:7000
45.88.186.125:1111
45.88.186.125:7000

# Reference: https://www.virustotal.com/gui/file/200bba6a058d55a892191225f864289198495df95c6e97dd841fe1d5d1e7673d/detection

141.11.109.151:7000

# Reference: https://www.virustotal.com/gui/file/d7e658f9bea1d189bcd15e7e424b4b9e0c21e3ac61d6c4ac9937bf3d734383ea/detection

147.185.221.19:30502
includes-wilderness.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/bad5a4831a6ad23cefc0d207321fe07f2c74604313383d699fc750315b9dfeff/detection

147.185.221.19:45948
3.125.102.39:19677
marketdedamoroza.webhop.me
points-garcia.gl.at.ply.gg

# Reference: https://x.com/banthisguy9349/status/1795455659539902790

http://94.156.68.22
94.156.68.22:443

# Reference: https://cert-agid.gov.it/wp-content/uploads/2024/05/xworm_30-05-2024.json
# Reference: https://www.virustotal.com/gui/file/1a2e2e6fc6083d5f8e031e75d630f8b11812290542d6bea152d8d809680c3585/detection

134.255.233.93:7001
wall5tghf6fdg.api.opensourcesaas.org

# Reference: https://www.virustotal.com/gui/file/74dc2e2a9e6852c12f03dbaecd247fc525103374aa172e5c730abc272c69660b/detection

24.152.38.50:7500
translate99.duckdns.org

# Reference: https://x.com/karol_paciorek/status/1797594552758411301

12.202.180.134:8890
12.202.180.134:8896
57.128.129.21:8080
57.128.129.21:9222
xgmn934.duckdns.org
xvern429.duckdns.org

# Reference: https://x.com/1ZRR4H/status/1799205178194719228
# Reference: https://www.virustotal.com/gui/file/f2807e8e6061fd27347c9e4f94e84ae4db0f67b4afe89f013fb69419e8d56745/detection

hai1723sad-22118.portmap.host

# Reference: https://www.virustotal.com/gui/file/d533b3ac98afdd129d7302dbb9612ddcedecef05a5cf498f37fb18d116794792/detection

193.161.193.99:36059
aveer-36059.portmap.host

# Reference: https://www.virustotal.com/gui/file/365771facf4476f03189fbace015a962f6fd021650f4ebd61acd0c675bc85b77/detection

82.102.27.171:43831
yoda2024.sytes.net

# Reference: https://x.com/jcarndt/status/1800157970850078973
# Reference: https://www.virustotal.com/gui/file/528ddad4f68d4a7fc60157dea40eb1e3ad82231171bede0aa1b0e79b1a4c5031/detection

154.127.53.157:7000
89.117.145.5:7000
mayfixworm.ddns.net
stocks-army-malta-false.trycloudflare.com

# Reference: https://x.com/karol_paciorek/status/1802255896355000653
# Reference: https://www.virustotal.com/gui/ip-address/57.128.129.21/relations
# Reference: https://www.virustotal.com/gui/file/ef0c1ad56a105d2c20a1aa2eac9b49d483bfea41c301dcf314ada596969888f6/detection

12.202.180.114:8896
57.128.129.21:7332
ceeaapaint.xyz
josiekkatrstrunk.xyz
wickedasylum.tech
vxsrwrm.duckdns.org

# Reference: https://www.virustotal.com/gui/file/83037ad76ddddabca05efe07e731d65c5d9069ad889e46306b753cbc7561fa59/detection

200.9.155.204:7000

# Reference: https://www.virustotal.com/gui/file/b628182a47f7fd2c29c17862402dd36811524b58538996a2523d59920ffb6de8/detection

157.20.182.172:7000

# Reference: https://www.virustotal.com/gui/ip-address/12.187.175.72/relations
# Reference: https://www.virustotal.com/gui/file/bea7affbaaa5a7eb9616b48216450d1bec20fd5f43f4af3507017b4c5cdfd003/detection
# Reference: https://www.virustotal.com/gui/file/53c9ad3c72873bff784a6a47834f9e988b90366b541424eb19fcafea5cb17ff2/detection
# Reference: https://www.virustotal.com/gui/file/c000765aba0f4e91e28f24235c67f5c55474beeefc2146e77a69d59eb7d7ad6a/detection

12.187.175.72:8292
12.187.175.72:8520
12.187.175.72:9390
jkdvvs.duckdns.org
ncmomenthv.duckdns.org
rvxwrm5.duckdns.org
todfg.duckdns.org
ujhn.duckdns.org
welxwrm.duckdns.org

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-07-06)
# Reference: https://www.virustotal.com/gui/file/04a275ef1616f3f88d3b9904c7a4c97213fed00d9a11e813e62cd03408b4e4a2/detection

http://89.213.177.81
104.194.9.116:7000
147.185.221.17:14348
178.215.236.251:717
194.110.172.149:7705
194.48.251.9:8895
194.48.251.9:8896
195.2.75.12:7000
41.199.23.195:7000
45.74.8.236:5355
52.12.114.120:38977
57.128.155.22:8895
89.213.177.81:7000
91.92.252.220:7000
aprijs7250.duckdns.org
aprilxrwonew8450.duckdns.org
diditaxi.kro.kr
football-emily.gl.at.ply.gg
hvaprinew850.duckdns.org
june9402xw.duckdns.org
maynewxw9402.duckdns.org
mayxw9402.duckdns.org
proxy17.rt3.io
proxy22.rt3.io
reco8100may.duckdns.org
rem8000jun.duckdns.org
saveclinetsforme68465454711991.publicvm.com
surgical-farming-ca.com
xmay8000.duckdns.org
xwormay8450.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3d5261b4d6b3c10a9a9e12fc65df89a794fdb65bb34699a7b794a114e5196135/detection

47.243.102.139:6667
91.208.240.157:881
al17.tk
guanlix.cn

# Reference: https://x.com/K_N1kolenko/status/1817827071936143534

103.54.153.156:5500
108.165.233.22:7000
147.185.221.18:9954
154.198.49.151:4456
185.254.97.15:1337
193.161.193.99:26586
217.164.105.143:1
45.83.246.140:30120
88.0.172.65:1603
91.92.242.131:7000
94.141.120.222:7000

# Reference: https://x.com/K_N1kolenko/status/1818172197325684795

103.245.237.11:8888
154.84.153.4:28976
188.212.101.97:3434

# Reference: https://x.com/ShanHolo/status/1818541500348707022
# Reference: https://tria.ge/240715-kmwn6axfpr

147.185.221.21:14154
schools-copper.gl.at.ply.gg

# Reference: https://x.com/K_N1kolenko/status/1818884432918450400

192.3.182.92:7006
195.2.78.105:7000
198.44.168.230:7000
51.77.223.168:7000

# Reference: https://x.com/K_N1kolenko/status/1819307047856316456

157.254.223.219:7000
85.209.133.150:6677

# Reference: https://www.virustotal.com/gui/file/2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce/detection

43.142.10.246:7000

# Reference: https://x.com/K_N1kolenko/status/1820417274169241928

154.197.69.148:8812
154.197.69.157:1433
154.197.69.161:5000

# Reference: https://x.com/K_N1kolenko/status/1820726909396754906

141.11.158.226:7000
194.59.30.23:6333

# Reference: https://x.com/karol_paciorek/status/1820759162348781734

51.89.199.99:9070
51.89.199.99:9270
momojojo.store
robshippings.cloud
trackingshipmentt.xyz
trackmyshipeng.site
trackmyshipwng.site
transformation-cage-keyboards-rural.trycloudflare.com

# Reference: https://x.com/K_N1kolenko/status/1821454155724038587

147.185.221.20:18563
185.252.232.158:7812
193.233.255.65:7000
194.59.30.91:4040
72.129.242.185:1177
89.213.177.108:7000
91.188.254.203:4449
92.38.186.26:7000

# Reference: https://x.com/r3dbU7z/status/1822608072822358145
# Reference: https://www.virustotal.com/gui/file/2e8c08abc070d55f30338ad1f69d6f9946fa7d31d069c3b4bc37b97053b569f5/detection
# Reference: https://www.virustotal.com/gui/file/a50376b1375f041a534a74ea0cecd6429b4e26747059a4a4c72ef91bb04d7080/detection

198.244.206.37:7000

# Reference: https://x.com/K_N1kolenko/status/1822947285514228151

136.175.8.54:7000
2.58.56.88:7000
45.138.16.57:1337
45.141.26.156:7000
67.215.224.135:3540
80.76.49.28:1111
95.98.144.201:2404

# Reference: https://www.virustotal.com/gui/file/b26f4df5de6919f4e1a54f1e51d2a743a0db3d3adb0bbf79f367d2f86135b67c/detection

46.246.6.65:7000

# Reference: https://www.virustotal.com/gui/file/f6c46140c960efda590ddd29f58558f51ac8b82b9c5ee07fb4e2d8614533b28d/detection

185.24.62.224:7000

# Reference: https://www.virustotal.com/gui/file/109495bf6873147f8f7dc7db0a2ce86e10306d391c62b7937b176c5094a9a421/detection

178.73.192.70:7000

# Reference: https://x.com/K_N1kolenko/status/1823622598346830071

157.66.26.208:8848
94.156.248.32:6543

# Reference: https://x.com/K_N1kolenko/status/1824332904651989003

37.1.208.55:7000
83.38.30.219:1603
91.92.242.138:7007

# Reference: https://www.virustotal.com/gui/file/d8b11b8b437f83a1ad55c954b4a80081abfaf3c29cbc922d57b76bc20745111a/detection

103.47.147.21:1500

# Reference: https://www.virustotal.com/gui/file/0ecbfa4d7167aaf8639c280e69334a850252f53d900fb389047ca5e9d2f48e01/detection
# Reference: https://www.virustotal.com/gui/file/bdd871d07948cf37690d3febde3c64abfaaacb87190284f793b39f610654850d/detection
# Reference: https://www.virustotal.com/gui/file/fee2f77cc601ffe34c72438c8649916d6ff6985e82bfcc3b6e68458323a1209d/detection

172.111.150.133:1500
197.210.54.182:1500
197.210.78.173:2000
cyberdon1.duckdns.org

# Reference: https://www.virustotal.com/gui/file/d36b328b0a8e92ee2413c88c54d4a1ac3cfe53dfbb4e738d23e5e925c04b52a1/detection

83.147.54.51:6677
serverss293x1.servegame.com

# Reference: https://x.com/RacWatchin8872/status/1829090911701111123
# Reference: https://www.virustotal.com/gui/file/95931b4531f538137929756d736735981e7d7bcf4d43a750fb1bb01c76b3219f/detection

191.96.207.180:50000
vecotr.viewdns.net

# Reference: https://www.virustotal.com/gui/file/07147233a30756c587b1ccc49da745fdff43b3682b72ad2c48ab54af442f2f68/detection
# Reference: https://www.virustotal.com/gui/file/eeaca254b1c2d447e14e492a81f0690b0cfcf50d15e2ad2664cff512ef2049a6/detection

103.77.240.73:7000
artemis.community

# Reference: https://any.run/malware-trends/xworm/

22.ip.gl.ply.gg
airlineagancy.casacam.net
c0mer.publicvm.com
exonic-hacks.com
grand-herbal.gl.at.ply.gg
manufacturer-rank.gl.at.ply.gg
microsoft-pro.zapto.org
momekxwrm.duckdns.org
national-models.gl.at.ply.gg
on-weighted.gl.at.ply.gg
version-try.gl.at.ply.gg
wide-bolt.gl.at.ply.gg
xwor3july.duckdns.org
xwram1.duckdns.org
xwrmmone.duckdns.org
xwrmsistem.duckdns.org
yolomesho.work.gd

# Reference: https://x.com/K_N1kolenko/status/1830542757888201204

103.54.153.49:7000
104.128.56.200:7000
143.198.208.124:1234
146.190.29.250:7812
154.197.69.165:7000
154.216.17.147:6677
158.220.102.17:5048
178.215.236.228:7000
193.233.112.215:7000
195.26.240.251:7000
207.32.218.15:537
212.87.213.208:7000
27.147.169.101:7070
45.156.30.9:1604
45.43.11.150:7000
45.59.112.248:7000
80.76.49.176:7000
80.76.49.178:7000
83.38.28.117:1603
92.42.46.224:7250

# Reference: https://x.com/ShanHolo/status/1831331301065891895
# Reference: https://www.virustotal.com/gui/file/0b142a5773fcd9ae5cbb967f748e8da9a89e74aa50a0e1cd52f3aaa313bc749d/detection
# Reference: https://www.virustotal.com/gui/file/4d53c18f9c35747419cc289b1da6998457cb6ff5aeaddc1e5e474586b739b1c7/detection

http://45.141.26.197
45.141.26.197:443
45.141.26.197:7000

# Reference: https://x.com/K_N1kolenko/status/1831975535389622601

156.238.224.69:8080
163.5.160.229:1234
188.212.101.246:8000
69.10.45.181:7000

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-09-08)

147.185.221.22:21310
185.196.9.46:2404
185.196.9.46:3333
193.161.193.99:63770
194.156.79.149:7000
2.45.246.38:6666
45.141.26.234:7000
79.110.49.123:80
79.110.49.169:18455
88.168.211.65:6004
89.213.177.100:7000
89.213.177.177:2233
89.213.177.93:7000
89.31.122.114:1488
91.92.241.104:4444
94.141.120.29:443
a-temple.gl.at.ply.gg
accessories-retrieve.gl.at.ply.gg
agency-lottery.gl.at.ply.gg
answers-rehabilitation.gl.at.ply.gg
aozepaokojfksdjfsk.ddns.net
apple-return.gl.at.ply.gg
application-motivation.gl.at.ply.gg
apply-ciao.gl.at.ply.gg
approach-stability.gl.at.ply.gg
article-ram.gl.at.ply.gg
arts-below.gl.at.ply.gg
availability-addition.gl.at.ply.gg
away-andrea.gl.at.ply.gg
baby-contracts.gl.at.ply.gg
been-adopt.gl.at.ply.gg
browse-brokers.gl.at.ply.gg
call-closest.gl.at.ply.gg
cars-controllers.gl.at.ply.gg
cd-characterized.gl.at.ply.gg
church-insight.gl.at.ply.gg
collection-belief.gl.at.ply.gg
comeback.ddnsgeek.com
court-petersburg.gl.at.ply.gg
dvd-ons.gl.at.ply.gg
elaablibeh.ddnsgeek.com
else-treatment.gl.at.ply.gg
field-retain.gl.at.ply.gg
filter-ec.gl.at.ply.gg
first-suffering.gl.at.ply.gg
florida-satisfied.gl.at.ply.gg
form-fly.gl.at.ply.gg
fund-personnel.gl.at.ply.gg
garden-tight.gl.at.ply.gg
george-continental.gl.at.ply.gg
grand-navigator.gl.at.ply.gg
hair-ment.gl.at.ply.gg
he-tower.gl.at.ply.gg
hill-java.gl.at.ply.gg
individual-katrina.gl.at.ply.gg
ireland-mercury.gl.at.ply.gg
italy-exhibitions.gl.at.ply.gg
item-suggesting.gl.at.ply.gg
japanese-longer.gl.at.ply.gg
joined-kenya.gl.at.ply.gg
korkos.now-dns.net
la-michael.gl.at.ply.gg
leading-sexuality.gl.at.ply.gg
locations-ff.gl.at.ply.gg
loss-gb.gl.at.ply.gg
lot-neon.gl.at.ply.gg
meet-ellis.gl.at.ply.gg
mini-jungle.at.ply.gg
mode-clusters.gl.at.ply.gg
model-monitors.gl.at.ply.gg
network-info.gl.at.ply.gg
never-villas.gl.at.ply.gg
numbers-fragrance.gl.at.ply.gg
offers-perspectives.gl.at.ply.gg
onlinesupportforroad.com
or-fail.gl.at.ply.gg
order-detail.gl.at.ply.gg
original-internal.gl.at.ply.gg
outside-sand.gl.at.ply.gg
owlcraft.playit.gg
pack-they.gl.at.ply.gg
paris-disciplinary.gl.at.ply.gg
paris-went.gl.at.ply.gg
proxzymosh.playit.gg
remove-coordination.gl.at.ply.gg
republic-mexican.gl.at.ply.gg
research-variations.gl.at.ply.gg
reviews-row.gl.at.ply.gg
richard-environmental.gl.at.ply.gg
right-learned.gl.at.ply.gg
running-locks.gl.at.ply.gg
sample-sperm.gl.at.ply.gg
score-thin.gl.at.ply.gg
security-sudan.gl.at.ply.gg
session-chief.gl.at.ply.gg
software-tradition.gl.at.ply.gg
spring-inner.gl.at.ply.gg
stage-von.gl.at.ply.gg
status-stack.gl.at.ply.gg
stop-identifying.gl.at.ply.gg
stop-largely.gl.at.ply.gg
summary-athletic.gl.at.ply.gg
super-nearest.gl.at.ply.gg
t-abc.gl.at.ply.gg
taraji111.duckdns.org
they-side.gl.at.ply.gg
third-cheque.gl.at.ply.gg
tr3.localto.net
uk1.localto.net
union-reviews.gl.at.ply.gg
very-aug.gl.at.ply.gg
w-killing.gl.at.ply.gg
watch-contests.gl.at.ply.gg
watch-ship.at.ply.gg
week-media.gl.at.ply.gg
where-dip.gl.at.ply.gg
which-anxiety.gl.at.ply.gg
would-between.gl.at.ply.gg
x5wo9402sep.duckdns.org
zip-connection.gl.at.ply.gg

# Reference: https://x.com/K_N1kolenko/status/1833028273778876876

147.50.240.203:7000
195.2.84.224:7000
202.55.134.194:6868
37.221.93.67:4545
77.232.132.25:4449
77.90.185.49:7000
82.147.88.10:7000

# Reference: https://www.virustotal.com/gui/file/e4b3a8461ef21d6e9e1dab285baa528f2d744eb643ed2b3dbcf870be4b6cc7e6/detection
# Reference: https://www.virustotal.com/gui/file/862e931d6a407871edd4077f6c633056554a9227782fb7c8a993c10d35037728/detection

213.142.151.240:2323

# Reference: https://x.com/karol_paciorek/status/1834532649236349137

216.173.64.63:4646
remember-humidity-floppy-choosing.trycloudflare.com

# Reference: https://x.com/K_N1kolenko/status/1834511338527195226

13.51.47.41:7772
139.99.25.159:6869
185.84.160.182:7000
91.108.240.63:7000

# Reference: https://x.com/K_N1kolenko/status/1838196091075908080

103.253.73.222:400
45.76.68.94:7000

# Reference: https://x.com/malwrhunterteam/status/1838518514644136030
# Reference: https://tria.ge/240924-l3x3lazgnl/behavioral2
# Reference: https://www.virustotal.com/gui/file/416a2a9c374574f8fcb7f90e775069e7d4606c0155f964886096e41f45d16548/detection

2.56.245.123:3501
bulletrdp.ru

# Reference: https://x.com/malwrhunterteam/status/1838877554867912765
# Reference: https://www.virustotal.com/gui/file/3658f44acb4d331fa89ab43d782bee2a97a48b2f425cad29939ee472c74bc62f/detection
# Reference: https://www.virustotal.com/gui/file/002045c91ab51c5715559c2bced3ccd8e699e130c6b3c5e668f29295690b7084/detection

135.224.23.113:5555
52.252.190.167:56001
rdoge.pro

# Reference: https://x.com/K_N1kolenko/status/1839226352571965501

103.182.103.206:24184
103.218.0.61:7000
103.77.246.154:5555
135.125.21.87:7000
154.12.30.42:7000
154.216.17.202:2324
45.137.22.114:7000

# Reference: https://www.virustotal.com/gui/file/b0f67744cfbcd7fdb2faa1e907b1637405ad47b1bea55a67466660d1d8d6ff1b/detection

45.94.31.88:7000

# Reference: https://www.netskope.com/blog/netskope-threat-labs-uncovers-new-xworms-stealthy-techniques
# Reference: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Malware/XWorm/IOCs

89.116.164.56:7000
ziadonfire.work.gd

# Reference: https://www.virustotal.com/gui/file/3b2b055027ab684ff8477eb80090e9c1bbaf7ad07059ecdf73b2d5a0eca8530c/detection

45.156.30.9:1604

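# Generic (URL path patterns, not tied to a specific host)
# NOTE(review): '/XWorm%20V5.4rar' below has no dot before 'rar', unlike the '.7z' entry above it; confirm against the original sighting, since a pattern that differs from the real URL may never match.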

/XWorm%20V3.1/
/XWorm%20V3.1.7z
/XWorm%20V5.4rar
/Xworm-V5.6/
