# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/MaelSecurity/status/1039752010713718785

endbars.co
readact.co

# Reference: https://twitter.com/K_N1kolenko/status/1109030275395342336
# Reference: https://twitter.com/PhishFindR/status/1184743844962803712

kaosjdoaaf6.pw
kadosjdoafa.pw
kadosjdoaaf6.pw
hostyourhe.xyz
offerswides.xyz
/fk/f2.php
/hc/f2.php

# Reference: https://twitter.com/0x1xday/status/1115541156434202624

deluxemattress.ca

# Reference: https://twitter.com/K_N1kolenko/status/1098500517272137728

cba.demdex.uk.com
hegorevent.online
/googleads

# Reference: https://twitter.com/K_N1kolenko/status/1097488279279226881

businesmol.pw
hegorevent.club

# Reference: https://twitter.com/K_N1kolenko/status/1095997980614770688

unilear.pw
158.95.73.22:443
185.92.222.238:443
212.11.167.110:443
64.34.94.27:443
134.90.213.11:443
72.125.213.163:443
192.71.249.51:443

# Reference: https://twitter.com/malware_traffic/status/1119331956217585664

business4good.eu

# Reference: https://twitter.com/devnullek/status/1097871459752599552

driverssoftware.info
messagesupport.info
softwaresearch.info
traderssoftware.info

# Reference: https://twitter.com/James_inthe_box/status/1122156673299173377

frezyderm-orders.gr/sites/all/notused/not/ponto.php

# Reference: https://twitter.com/devnullek/status/1123208253566005248
# Reference: https://app.any.run/tasks/a86516d1-07c3-4417-b4ad-bd8ce026acee

piosnoksld.info
zaratoons.info
212.73.150.207:443

# Reference: https://twitter.com/0xE9FBFFFFFF/status/1140946344137416704

fiuiert.xyz
lulipcxulci.info
statusnim.info

# Reference: https://otx.alienvault.com/pulse/5d0b9cbf63180da44379580a
# Reference: https://research.checkpoint.com/danabot-demands-a-ransom-payment/

braksiolsa.top
brekwinarew.site
brukaisloap.club
brukiloapos.xyz
bruksialopws.icu
goskilindad.site
gousikolka.space
guksuoiew.top
gustemiaksa.icu
gustokiloe.xyz
jklfsdkfjhwefjosdf.top
jklfsdkfjhwefjosdf.xyz
kadosjdoaaf6.pw
kadosjdoaf6.pw
kadosjdoafa.pw
kadosjdoiafa.pw
kaosjdoaaf6.pw
kaosutdoaaf.pw
kaosutdoaaf6.pw
kdguwoewpew.pw
kdosjdoiafa.pw
kduwouewpew.pw
kipokahynr.top
kipokahynr.xyz
lidaskiheg.site
lidaskiheg.space
lindakiski.top
lnet4-data.com
mon-sta.com
muabolksae.club
muoklaiow.xyz
nautorern.xyz
net4-data.com
okjauwbueiws.top
okjauwbueiws.xyz
oneuisopeweh.icu
onueilsndsuywe.xyz
sfjskdjfwoiewwegroup.tech
thegiksjoute.online
thenautorern.tech

# Reference: https://twitter.com/Bank_Security/status/1146296727349157888
# Reference: https://pastebin.com/QyYHnKMH

derikaosos.info
sinoposdssf.info
statusnim.info
tefidnsops.info

# Reference: https://twitter.com/w3ndige/status/1164148967413878788
# Reference: https://app.any.run/tasks/5b6c027d-dc71-4d67-9dff-9343e8095969/

http://74.118.138.146
109.202.103.170:8733
213.152.161.229:8733
114.26.195.117:443
146.229.67.12:443
154.94.158.126:443
5.188.86.20:443
66.165.187.11:443
gazgrsrto.xyz

# Reference: https://research.checkpoint.com/danabot-demands-a-ransom-payment/

encrypter.webfoxsecurity.com

braksiolsa.top
brekwinarew.site
brukaisloap.club
brukiloapos.xyz
bruksialopws.icu
goskilindad.site
gousikolka.space
guksuoiew.top
gustemiaksa.icu
gustokiloe.xyz
jklfsdkfjhwefjosdf.top
jklfsdkfjhwefjosdf.xyz
kadosjdoaaf6.pw
kadosjdoaf6.pw
kadosjdoafa.pw
kadosjdoiafa.pw
kaosjdoaaf6.pw
kaosutdoaaf.pw
kaosutdoaaf6.pw
kdguwoewpew.pw
kdosjdoiafa.pw
kduwouewpew.pw
kipokahynr.top
kipokahynr.xyz
lidaskiheg.site
lidaskiheg.space
lindakiski.top
lnet4-data.com
maintrump.org
mon-sta.com
muabolksae.club
muoklaiow.xyz
nautorern.xyz
net4-data.com
okjauwbueiws.top
okjauwbueiws.xyz
oneuisopeweh.icu
onueilsndsuywe.xyz
sfjskdjfwoiewwegroup.tech
thegiksjoute.online
thenautorern.tech

# Reference: https://www.virustotal.com/gui/file/baa1a65fc9c1e7e68cd39efd486275b306c5f25a440bc06f9c0adfbd7ede22b6/detection
# Reference: https://app.any.run/tasks/5a323554-ea21-4a2d-a1d6-adff379b8ef9/
# Reference: https://twitter.com/Artilllerie/status/1168539710769303552

149.154.159.213:443
151.236.14.84:443
168.248.43.207:443
172.237.125.185:443
184.98.44.103:443
195.123.246.209:443

# Reference: https://twitter.com/ostinjohn/status/1169603418211737601
# Reference: https://app.any.run/tasks/5d945c76-26aa-45bb-8c6d-07cf2a635bdd/

139.113.48.33:443
149.154.159.213:443
149.53.185.172:443
187.198.70.207:443
195.123.246.209:443
2.255.189.191:443
222.175.52.161:443
58.58.210.181:443
81.63.70.192:443

# Reference: https://twitter.com/JAMESWT_MHT/status/1174239640011845638
# Reference: https://app.any.run/tasks/63239269-d5a9-478c-8314-6d67cae2c786/

fepolomokmmas.xyz
mustve.site
seioooi.xyz

# Reference: https://twitter.com/Mesiagh/status/1184533873545359360

bluewaters.space
djeudnsj.xyz
eroutks.co
euiobol.xyz
gontaseesl.website
gontaseonar.site
gontaseopa.site
gontaseopa.website
heuirnst.space
heuirnst.website
jeudnsjkd.xyz
jeudnsju.xyz
jeuisjr.xyz
joskaejw.club
loperatys.site
loreteo.xyz
loretoi.xyz
ujaioep.site
ujaioep.website

# Reference: https://app.any.run/tasks/9c77ec66-4d42-48be-ae11-2c97a9d2e528/

avgsupport.info
esetsupport.info

# Reference: https://twitter.com/w3ndige/status/1189301539535556614

everythingtogeta.xyz

# Reference: https://any.run/malware-trends/danabot (Note: as seen on 2019-12-04)

qxq.ddns.net
thuocnam.tk

# Reference: https://twitter.com/VK_Intel/status/1020236244020867072

http://176.119.1.112
farzona.co
/injj/777.php

# Reference: https://twitter.com/0xFrost/status/1205187802629070853
# Reference: https://www.virustotal.com/gui/file/995378f5a47357f7dc2dab638263cf42ab67f800b82df29d23ab29bb985cd80d/detection

digidimag.com

# Reference: https://twitter.com/K_N1kolenko/status/1209733370013519872

145.249.107.168:443
145.249.107.201:443
145.249.107.78:443
199.247.16.30:443
209.250.243.55:443
luxurylive.org

# Reference: https://twitter.com/Racco42/status/1217763274537754625
# Reference: https://twitter.com/Racco42/status/1217764284383596545

64.188.22.122:443
64.188.22.153:443
64.188.22.154:443
64.188.22.33:443
64.188.23.155:443

# Reference: https://www.virustotal.com/gui/ip-address/89.144.25.174/relations
# Reference: https://www.virustotal.com/gui/file/d37ed2e77d73875a20605a198986b008eb8b4c8bcfb84783b7b0f329ec1a5384/detection

113.102.102.121:443
186.174.47.177:443
89.144.25.243:443

# Reference: https://twitter.com/K_N1kolenko/status/1237322223586852865
# Reference: https://pastebin.com/2HbabLQa

formaulist.com

# Reference: https://twitter.com/K_N1kolenko/status/1240553870633336833
# Reference: https://www.virustotal.com/gui/ip-address/195.123.225.167/relations

digidonaud.com
finburgers.com

# Reference: https://twitter.com/K_N1kolenko/status/1209733370013519872

signin.luxurylive.org

# Reference: https://twitter.com/casual_malware/status/1239687496692387841
# Reference: https://app.any.run/tasks/0473bb63-11bc-4b98-864d-df00082d60cb/
# Reference: https://twitter.com/malwrhunterteam/status/1239628249136758786
# Reference: https://urlhaus.abuse.ch/host/corona-virus-map.net/

corona-virus-map.net
corona-map-data.com
202.195.34.6:443
/map1.jnlp
/map.jar
/mapdata.jar

# Reference: https://twitter.com/luc4m/status/1245750938465378304
# Reference: https://app.any.run/tasks/0f31129d-a473-4cd7-92fa-1ea817950f9e/

123.236.244.164:443
129.255.179.202:443
177.40.161.5:443
185.181.8.49:443
187.237.21.167:443
27.109.5.166:443
28.63.88.50:443
64.188.12.140:443
64.188.19.39:443
78.103.173.2:443

# Reference: https://twitter.com/w3ndige/status/1258128183527956487
# Reference: https://app.any.run/tasks/9448b002-1b67-48f5-beb7-f4ee357abb46/

172.81.129.196:443
192.236.179.73:443
192.99.219.207:443
23.82.140.201:443
45.147.228.92:443
51.255.134.130:443
54.38.22.65:443

# Reference: https://www.virustotal.com/gui/file/adc20c4626d99f2a35d7d58043b9b57946b21485ece1356e223d0b661824d9de/detection

sfsdfpizdatrtu.space

# Reference: https://app.any.run/tasks/e54dcc1c-ff39-41e4-a164-15d15c94414b/

2.56.213.39:443
5.61.56.192:443
5.61.58.130:443

# Reference: https://twitter.com/reecdeep/status/1261206870037008385

post-990094.at
172.81.129.196:443
192.236.179.73:443
192.99.219.207:443
23.82.140.201:443
45.147.228.92:443
51.255.134.130:443
54.38.22.65:443

# Reference: https://app.any.run/tasks/91d61bf3-e8a8-4df6-9c4f-ed087b0563e6/

post-990094.at

# Reference: https://twitter.com/w3ndige/status/1262652047884779521

belayedd.at

# Reference: https://app.any.run/tasks/93bccdd5-3204-4daf-aa30-26cf49722e45/

http://137.74.64.245
45.153.240.84:443

# Reference: https://app.any.run/tasks/3590ee62-eae7-4d2b-802c-2d02281ed82c/

45.153.240.84:443
192.236.161.25:443
93.115.21.108:443
173.234.155.181:443
2.56.212.137:443

# Reference: https://urlscan.io/result/13a9e931-a88e-43ec-8744-ee00294a7d98/
# Reference: https://www.virustotal.com/gui/ip-address/47.90.210.107/relations

impresscop.xyz

# Reference: https://twitter.com/killamjr/status/1351893396726624256
# Reference: https://app.any.run/tasks/177367bc-5d4c-498b-b54f-332e0548e39f/

47.254.174.158:1024

# Reference: https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot
# Reference: https://otx.alienvault.com/pulse/60108cc47e31884e434c0258
# Reference: https://www.virustotal.com/gui/file/c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d/detection

104.144.64.163:443
108.62.141.152:443

# Reference: https://twitter.com/wwp96/status/1365401963974828033
# Reference: https://twitter.com/wwp96/status/1365402205432541189
# Reference: https://app.any.run/tasks/aefe1a14-684e-4dae-bacf-52876bd4f630/

192.161.48.5:443
arizonacruz.com

# Reference: https://www.virustotal.com/gui/file/36f82bc3bcd30f18bb210cd10881cfe13e9a22e06e26930828bb6c8a951bfafe/detection
# Reference: https://tria.ge/210211-8wd7dd262x

104.168.156.222:443
134.119.186.199:443
172.93.201.39:443
192.236.192.241:443

# Reference: https://www.virustotal.com/gui/ip-address/34.90.236.200/relations
# Reference: https://www.virustotal.com/gui/ip-address/8.208.88.231/relations

breasuala32.top
breasuala57.top
breasuala63.top
breasualb24.top
breasualb27.top
breasualc17.top
breasuald52.top
breasuald74.top
breasuale31.top
breasualf37.top
breasualf62.top
breasualf64.top
breasualg54.top
breasualg72.top
breasuali12.top
breasuali45.top
breasuall73.top
breasualm44.top
breasualn34.top
breasualp22.top
breasualq11.top
breasualr41.top
breasuals42.top
breasualt15.top
breasualt47.top
breasualt51.top
breasualu35.top
breasualu67.top
breasualu71.top
breasualv14.top
breasualw21.top
breasualx77.top
breasualy25.top
breasualy61.top
cotraresa09.top
cotraresd11.top
cotraresf12.top
cotraresi07.top
cotraresm01.top
cotraresp08.top
cotraresq02.top
cotraresr04.top
cotraress10.top
cotrarest05.top
cotraresu06.top
cotraresw03.top
eressedb36.top
ewsjasea09.top
ewsjasei07.top
ewsjasep08.top
ewsjases10.top
fhjweheed74.top
fhjweheee75.top
fhjweheef62.top
fhjweheef64.top
fhjweheeg72.top
fhjweheeh13.top
fhjweheej23.top
fhjweheek33.top
fhjweheel43.top
fhjweheeu67.top
fhjweheeu71.top
fhjweheew65.top
fhjweheex77.top
fhjweheey61.top
lorearsb24.top
lorearsi12.top
lorearsp22.top
lorearsq11.top
lorearst15.top
lorearsv14.top
lorearsy25.top
luspaserg13.xyz
luspaserh14.xyz
luspaserj15.xyz
morfagrtem01.top
morteisati07.top
morteisatm01.top
morteisatq02.top
morteisatr04.top
morteisatt05.top
morteisatu06.top
morteisatw03.top
morteqabi07.top
morteqabu06.top
petroscm01.top
petroscq02.top
petroscw03.top
seetsaysaw03.top

# Reference: https://www.virustotal.com/gui/file/67f34083ebd237d33065f1f31f1cf09d9b6a051b97bc7db08d5237139f081e80/detection

torinboo.com

# Reference: https://tria.ge/210412-tsf6alc8ka

192.3.26.107:443
23.106.123.141:443
23.106.123.185:443
23.81.246.201:443

# Reference: https://twitter.com/ESETresearch/status/1420734522581295106
# Reference: https://twitter.com/ESETresearch/status/1420734529468256261

142.11.206.50:443
142.11.244.124:443
152.89.247.31:443
173.254.204.95:443
192.52.166.169:443
192.52.166.92:443
192.52.167.44:443
192.52.167.45:443
23.254.201.233:443
37.220.31.27:443
45.146.164.24:443
coinsupport.ml

# Reference: https://twitter.com/MBThreatIntel/status/1425952093936947205

bonusesfound.ml

# Reference: https://twitter.com/ffforward/status/1461417895129501701

34.125.68.94:443
34.129.21.53:443
34.72.122.178:443
kittencloud.top
parrotcloud.top
rabbitcloud.top
turtlecloud.top
puppycloud.top

# Reference: https://twitter.com/1ZRR4H/status/1456355831470071809

185.106.123.228:443
185.117.90.36:443
192.119.110.73:443
192.236.192.201:443
192.236.147.206:443
193.42.36.59:443
193.56.146.53:443
citationsherbe.at
pastorcryptograph.at
/3/sdd.dll

# Reference: https://tria.ge/220106-qkhmeabcd2

142.11.244.223:443
192.119.110.4:443
192.236.194.72:443

# Reference: https://www.virustotal.com/gui/file/03cb517c97a50b60f46329dedde33f7580062db8531fbceb159928d573490b26/detection

185.45.193.50:443
193.34.166.247:443
92.204.160.54:443

# Reference: https://www.virustotal.com/gui/file/08a5e977a2e5b6041adcc87e2ee4bf6858da93b39ce0abe498dbf24e122c991d/detection

185.238.168.174:443
185.238.168.83:443
2.56.213.39:443
5.61.58.130:443
93.115.20.183:443
93.115.20.189:443

# Reference: https://twitter.com/th3_protoCOL/status/1503731559718797312

cyst.online
goldfishcloud.top
mousecloud.top
qmap.club
moneyunclaimed.net
unclaimed2.com
unclaimedfinders.com
unclaimedexperts.com
unclaimedhq.com

# Reference: https://twitter.com/Abjuri5t/status/1521352577677512712

192.236.147.212:443
192.236.154.150:443
192.236.160.249:443
192.236.176.108:443

# Reference: https://tria.ge/210101-gnf7dwq5wx

104.144.64.163:443
108.62.141.152:443
23.106.123.249:443
23.226.132.92:443

# Reference: https://tria.ge/201203-p9cfx4whpa

104.227.34.227:443
23.254.118.230:443
23.254.215.116:443
51.195.73.129:443

# Reference: https://twitter.com/abuse_ch/status/1545677016665673728
# Reference: https://bazaar.abuse.ch/sample/68027593e9c91fe4f0e1412ed861dcd1d70b4bf1e101d907fd32d58fa95d3c04/

26.18.10.2:5662
58.50.42.34:13886
60.52.44.36:14400
aquaprodive.com/images/main/index.php

# Reference: https://tria.ge/220709-jnnt9sfee9

139.60.163.160:443
139.60.163.37:443
5.39.222.5:443
5.39.222.7:443

# Reference: https://tria.ge/220716-we61psebel

142.44.224.16:443
192.236.146.203:443
192.3.26.107:443
193.34.167.88:443

# Reference: https://tria.ge/220728-v24y7aachk/behavioral1

aktualizieren-wolke.de

# Reference: https://www.virustotal.com/gui/file/3d9270024568518b9ff1f4ce9759338a3ac7b3ee8829256285e1e9b6334d39b8/detection
# Reference: https://www.virustotal.com/gui/file/ae6388c4444a409c22290c69b36fc683ca22945b92adbefe6413553136be4304/detection

139.60.163.159:443
139.60.163.160:443
139.60.163.161:443
139.60.163.37:443

# Reference: https://twitter.com/TrackerC2Bot/status/1603379298148171782

109.205.214.18:443

# Reference: https://twitter.com/TrackerC2Bot/status/1604961099656450048

13.53.234.226:443
134.122.53.241:443
167.114.188.34:443
172.86.120.215:443
176.126.113.94:443
181.63.44.194:443

# Reference: https://twitter.com/TrackerC2Bot/status/1605270548518412310

182.79.116.126:443
187.172.230.151:443

# Reference: https://twitter.com/TrackerC2Bot/status/1604961103280328723
# Reference: https://www.virustotal.com/gui/file/00ca19356b887112f25a9107aee67bd741860545ba11951192b74fdcf77fec08/detection

185.243.114.28:443
192.236.192.238:443
23.106.124.171:443
35.182.95.170:443
45.77.40.71:443
54.250.13.251:443
66.85.147.23:443
68.48.87.153:443
79.124.78.236:443
95.179.168.37:443

# Reference: https://twitter.com/TrackerC2Bot/status/1608893796497952771

192.236.161.79:443

# Reference: https://sector7.computest.nl/post/2023-04-technical-analysis-genesis-market/
# Reference: https://otx.alienvault.com/pulse/642ec73594ef9d46722639a6

http://194.135.33.96
g3n3sis.org
g3n3sis.pro
genesis.market
ifpstools.net
ng3n3sis.org
ng3n3sis.pro
tchk-1.com
you-rabbit.com

# Reference: https://twitter.com/x3ph1/status/1682140863919529984
# Reference: https://www.virustotal.com/gui/ip-address/47.253.165.1/relations

akongo.top
alatangana.top
amadioha.top
anansi.top
anyanwu.top
arebati.top
autographok.top
bobobmdola.top
danmur07.top
danwza05.top
esrservice.top
fakaka9.top
hadouken.top
kiikala.top
koumbasara.top
kyvihm01.top
lewru.top
libanza.top
liozke07.top
lotuko.top
lugbara.top
lusunzi.top
maasai.top
mbundu.top
naagara.top
njambe.top
okabzq10.top
okadoc09.top
shougouji.top
taolea.top
ym2668.top
back10.amadioha.top
back12.amadioha.top
back14.amadioha.top
back2.amadioha.top
back4.amadioha.top
back6.amadioha.top
back8.amadioha.top
cp1.anansi.top
cp2.anansi.top
cp3.anansi.top
cp4.anansi.top
cp5.anansi.top
cp6.anansi.top
cp7.anansi.top
cp8.anansi.top
cp9.anansi.top
fff11.alatangana.top
fff22.alatangana.top
fff33.alatangana.top
fff44.alatangana.top
fff55.alatangana.top
fff66.alatangana.top
fff77.alatangana.top
lp1.libanza.top
lp2.libanza.top
lp3.libanza.top
lp4.libanza.top
lp5.libanza.top
lp6.libanza.top
lp7.libanza.top
qz1.njambe.top
qz11.njambe.top
qz13.njambe.top
qz3.njambe.top
qz5.njambe.top
qz7.njambe.top
qz9.njambe.top
zero1.arebati.top
zero2.arebati.top
zero3.arebati.top
zero4.arebati.top
zero5.arebati.top
zero6.arebati.top
zero7.arebati.top
zzz1.akongo.top
zzz2.akongo.top
zzz3.akongo.top
zzz4.akongo.top
zzz5.akongo.top
zzz6.akongo.top
zzz7.akongo.top

# Reference: https://github.com/pan-unit42/tweets/blob/master/2023-08-03-IOCs-for-malicious-ad-to-Danabot.txt

167.88.166.193:443
45.61.169.91:443

# Reference: https://twitter.com/TrackerC2Bot/status/1694412382053777472

159.89.114.62:443
23.254.144.209:443
23.254.227.74:443
38.68.50.179:443

# Reference: https://twitter.com/TrackerC2Bot/status/1696134033564946581

142.11.192.232:443
192.236.194.86:443

# Reference: https://twitter.com/TrackerC2Bot/status/1702293715987955777

172.86.121.218:443
172.86.97.119:443
173.214.169.17:443
213.252.245.80:443
195.123.224.82:443
45.61.160.115:443
91.212.166.96:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.danabot/

103.144.139.105:443
104.168.148.6:443
104.168.167.51:443
104.234.11.33:443
104.234.147.45:443
106.137.226.19:443
117.83.162.13:54068
125.67.68.19:54068
134.119.186.198:443
142.11.242.31:443
142.167.76.43:443
149.255.35.125:443
155.120.247.148:443
157.64.238.1:443
164.109.193.8:54068
167.114.188.38:443
172.93.201.242:443
178.209.51.211:443
179.43.133.35:443
185.112.83.26:443
185.62.58.191:443
185.62.58.85:443
188.191.106.71:443
192.236.146.173:443
192.236.146.39:443
192.236.160.244:443
192.236.161.4:443
192.236.199.175:443
192.236.236.83:443
192.3.26.98:443
195.123.220.45:443
215.212.21.6:443
23.106.122.14:443
23.254.129.180:443
23.254.133.7:443
23.254.134.53:443
23.254.164.106:443
23.254.201.147:443
23.254.217.192:443
23.254.226.136:443
23.254.228.176:443
34.105.203.100:443
34.247.234.201:443
34.90.104.246:443
34.95.4.102:443
35.194.193.144:443
35.199.103.5:443
35.199.99.16:443
35.220.142.90:443
35.220.149.58:443
35.228.162.70:443
35.236.67.31:443
37.120.222.107:443
44.202.197.21:443
45.147.228.212:443
45.147.231.150:443
45.147.231.218:443
5.9.224.217:443
51.178.195.151:443
51.222.39.81:443
51.77.7.204:443
59.37.192.38:443
64.188.23.70:443
66.85.185.120:443
67.248.84.113:443
68.158.26.25:443
75.56.111.148:443
84.141.50.190:443
84.19.37.39:443
86.105.252.18:443
89.144.25.104:443
89.44.9.132:443
89.45.4.126:443

# Reference: https://www.esentire.com/blog/danabots-latest-move-deploying-icedid
# Reference: https://www.virustotal.com/gui/file/c1c3344231922b4de253dd4000af8bf60a501379978c8dd06c19a596f91b4b53/detection

77.91.73.187:443

# Reference: https://twitter.com/crep1x/status/1737745977006493906
# Reference: https://gist.github.com/qbourgue/e88db6f25bb218ac2e157aee17b791c1
# Reference: https://www.virustotal.com/gui/file/18ccf5be5d8fbe4a40bb0dd60caa5181eb5500cdfbfb68ead58389e198963866/detection

185.225.69.230:433
185.225.69.33:443
adavanced-ip-scaner.com
adavanced-ip-scanner.com
adevancd-lp-scanner.com
adevanced-ip-scans.com
adevanced-lp-scaners.com
adevanced-lp-scanner.net
adevanced-lp-scanners.com
adsvancd-lp-scanner.net
adsvanced-ip-scanner.com
advancd-ip-scanner.com
advancd-ip-scanner.net
advancd-lp-scanner.net
advanced-ip-scan.net
advanced-ip-scanned.com
advanced-ip-scanning.com
advanced-ip-scanning.net
advanced-ipscan.com
advanced-ipscanning.com
advanced-lp-scan.com
advanced-lp-scaners.com
advanced-lp-scaners.net
advanced-lp-scanned.com
advanced-lp-scanned.net
advanced-lp-scanner.com
advanced-lp-scanners.com
advanced-port-scanner.net
advancede-ip-scanner.com
advancedes-ip-scan.com
advancedes-ip-scan.net
advancedes-ip-scanner.com
advancedes-ip-scanner.net
advancedes-lp-scan.net
advancedes-lp-scanner.com
advancedes-lp-scanner.net
advancedip-scanner.net
advancedlpscanner.com
advanceds-ip-scan.net
advanceds-ip-scanner.net
advanceds-lp-scanner.net
advnced-ip-scan.com
advnced-ip-scanner.com
advnced-lp-scanner.com
inductiveautomatlon.com
inductiveoutomation.com
inductlveautomation.com
mycaase.com
mycaase.net
oldsfaq.com
technorobo-life.com

# Reference: https://twitter.com/TrackerC2Bot/status/1751306740140749216

192.210.198.12:443
35.226.27.224:443
37.220.31.94:443

# Reference: https://twitter.com/JAMESWT_MHT/status/1757694806950600780
# Reference: https://twitter.com/reecdeep/status/1757727745784557971
# Reference: https://app.any.run/tasks/a059217b-52e4-450a-882a-9b7720a2b401/
# Reference: https://www.virustotal.com/gui/file/f56efb5cda932a1c94e1e44b9e38f27a48f451053cb7faca4259194f954ffd4c/detection

195.133.88.98:443
31.41.244.38:443
91.201.67.85:443
soundata.top
content.servepics.com
portfolio.serveirc.com
y3wg3owz34ybihfulzr4blznkb6g6zf2eeuffhqrdvwdp43xszjknwad.onion

# Reference: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-03-26-IOCs-for-Matanbuchus-infection-with-Danabot.txt

34.168.202.91:443
torontoclub.vip

# Reference: https://cert-agid.gov.it/wp-content/uploads/2024/06/danabot_18-06-2024.json

83.147.53.197:8080
/GWBI7H74fhGgtebteb5GSR

# Reference: https://x.com/drb_ra/status/1803405190550241398

94.131.115.191:15643

# Reference: https://x.com/drb_ra/status/1803405233885753345

45.77.80.158:443

# Reference: https://x.com/drb_ra/status/1803405271831634278

77.221.149.178:443

# Reference: https://x.com/drb_ra/status/1803405311543333098

116.203.252.168:443

# Reference: https://x.com/drb_ra/status/1803405356212593127

185.208.158.50:443

# Reference: https://x.com/drb_ra/status/1803405405680234795

45.55.36.222:443

# Reference: https://x.com/drb_ra/status/1803405447140933976

34.83.108.106:443

# Reference: https://x.com/drb_ra/status/1803405490048696411

5.161.245.54:443

# Reference: https://x.com/drb_ra/status/1803405530502778888

104.194.143.5:443

# Reference: https://x.com/drb_ra/status/1803405571334262837

34.16.215.110:443

# Reference: https://x.com/drb_ra/status/1803405613411574214

34.130.217.52:443

# Reference: https://x.com/drb_ra/status/1803405666561753160

34.130.221.34:443

# Reference: https://x.com/drb_ra/status/1803405707925934094

5.9.247.137:443

# Reference: https://x.com/drb_ra/status/1803405746379334009

47.74.9.201:443

# Reference: https://x.com/drb_ra/status/1803405784446890146

69.49.244.37:443

# Reference: https://x.com/drb_ra/status/1803405823005118862

194.26.29.140:15643

# Reference: https://www.virustotal.com/gui/file/6e5734f8092ec78656bc19f257fe24497d0e13f6f0461a01892f5eabcd5b0145/detection

45.80.158.189:4522
46.30.45.192:4522
85.208.108.134:4522
91.92.246.63:4522
95.142.39.217:4522

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv

34.74.68.6:443
46.29.238.20:443
62.173.139.182:5442
77.105.164.39:443
85.208.108.134:443

# Reference: https://x.com/JAMESWT_MHT/status/1816097789253656680
# Reference: https://app.any.run/tasks/70fe0874-7862-4781-9e74-0e9fd1c49ccc/
# Reference: https://www.virustotal.com/gui/file/8456047c641f95d59a831bb7c219adc9ef8d367cc602519e3e4c7dd920923a05/detection

104.194.148.11:443
83.147.53.197:8080

# Reference: https://x.com/JAMESWT_MHT/status/1826419270344917346

176.117.68.38:443
176.117.68.39:443
45.80.158.189:443
91.92.242.111:443

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-08-24)

193.233.232.101:443
206.166.251.28:443
213.139.205.128:443
34.65.62.210:443
64.7.198.80:443
64.94.85.129:443
85.206.172.101:443

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-09-22)

193.108.170.9:443
193.124.185.23:443
34.22.169.101:443
46.226.163.80:443
5.8.18.3:443
89.45.4.113:443
94.232.249.93:443

# Reference: https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering

ambcrrm.com
idessit.com

# Reference: https://x.com/malwrhunterteam/status/1840837177736933646
# Reference: https://www.virustotal.com/gui/file/8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d/detection

23.95.182.47:443

# Reference: https://tria.ge/241003-hk54pstdpa/behavioral2
# Reference: https://x.com/crep1x/status/1841745779024601382

193.26.115.235:443
adobe-crack-download.xyz
adobecrackdownload.com
crack.desktop.ac
cracked-software-download-pc.xyz
cracked-software-for-pc.xyz
cracked-software.xyz
cracked-sofware-for-pc.xyz
cracksoftwaresdownload.com
desktopsofts.xyz
digitalassetkit.net
fbmypages.com
pc-softs.com
pc-software-free-crack.pro
pc-software.xyz
playrankers.com
software-download-free.xyz

# Reference: https://x.com/wbmmfq/status/1844147146439917827
# Reference: https://x.com/wbmmfq/status/1844232795251671524
# Reference: https://x.com/RussianPanda9xx/status/1844237143201247293
# Reference: https://www.virustotal.com/gui/ip-address/8.208.31.151/relations
# Reference: https://www.virustotal.com/gui/file/2ea15356ff7e548c47a4dac924038c869d843d79a5df1e8d8974b2163e0517f2/detection

asset-finder.com
eagleoneventures.biz
gettingyourcash.com
moneyunclaimed.org
openfinder.org
peoplelookup.org
pokewoke.ru
relentlessauditors.com
skshopse.com
thetreasurybox.org
unclaimedfundswellsfunding.org
usarecovery.org
yourunclaimedmoney.net

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-10-13)

38.180.64.16:443
81.19.140.64:443
91.214.78.123:443
93.123.109.71:443
94.156.104.145:443
94.156.69.180:443

# Reference: https://x.com/crep1x/status/1847308968239980904
# Reference: https://tria.ge/241018-tc5zhsxejl/behavioral2

http://185.245.106.32
http://185.245.107.13
http://185.245.107.222
http://185.245.107.42
89.110.103.241:443

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-30day.csv (# 2024-11-10)

2.58.15.230:443
34.116.184.225:443
34.139.241.56:443
34.48.98.228:443
37.1.195.23:443
38.180.154.196:443
45.76.11.247:443
77.105.164.13:443

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-01-02)

195.26.225.249:443
23.137.105.248:443
23.137.105.249:443
23.137.105.250:443
23.137.105.251:443
23.137.105.90:443
34.118.110.116:443
34.23.93.44:443
34.57.220.2:443
34.74.148.6:443
35.227.50.145:443
5.175.237.102:443
52.47.90.144:443
91.202.233.142:443
91.242.163.235:443
91.242.163.37:443
91.242.163.44:443

# Reference: https://x.com/DaveLikesMalwre/status/1880989843464864191
# Reference: https://x.com/JAMESWT_MHT/status/1881242149607588183

issueguest495039.world
issueguest495139.world
issueguest495839.com
reportguest4893921.world
reportguest4895921.world
roomsattende99291.com

# Reference: https://x.com/JAMESWT_MHT/status/1881370512854761826
# Reference: https://x.com/abuse_ch/status/1881387772491284770

178.253.55.80:443
31.177.108.229:443
88.151.192.8:443
feedbackinnguest999214.world

# Reference: https://x.com/JAMESWT_MHT/status/1882822815881302026
# Reference: https://www.virustotal.com/gui/file/22a71266e793655dfb09a10d327d1c0358b6e40a39507e6cbe53e38590e06e87/detection

http://185.102.115.7
atndsrmsrdf094312.world
atndsrmsrdf09437812.world

# Reference: https://x.com/JAMESWT_MHT/status/1881255895470055481
# Reference: https://x.com/JAMESWT_MHT/status/1883780543797723223

5.253.59.205:7777
pamer-pulse.com
booking.pamer-pulse.com

# Reference: https://x.com/lyratol/status/1884679249161847056
# Reference: https://www.virustotal.com/gui/ip-address/89.23.102.187/relations
# Reference: https://app.validin.com/detail?find=Verify%20Your%20Request&type=raw#tab=host_pairs (# 2025-01-29)

http://89.23.102.187
89.23.102.187:443
confirm-reservation-hotel-en.com
booking-verification-capha.com
booking-accept-reserv-en.com
confirm-reserve-booking-en.com
elfenguesthouse.com
aprove-resrvation-25413.com
confirm-reserve-lang-english.com
confirm-booking-language-en.com
arbitr22651-bookng.com
vinted-germany.com

# Reference: https://x.com/JAMESWT_MHT/status/1889211730313584873

87.121.221.124:443
rprtinfogst.world
rprtinfog6st.world
rprtinfog6sy.world

# Reference: https://x.com/JAMESWT_MHT/status/1899485203485139353
# Reference: https://www.virustotal.com/gui/file/45984ae78d18332ecb33fe3371e5eb556c0db86f1d3ba8a835b72cd61a7eeecf/detection

http://194.147.131.20
185.39.207.8:433
81.19.140.67:433
89.23.107.240:7777
booking.complaintguest2.com

# Reference: https://x.com/JAMESWT_MHT/status/1901148230357831945
# Reference: https://app.any.run/tasks/591c5f2d-9a3b-4c13-b664-0043fc6a1ff9
# Reference: https://www.virustotal.com/gui/file/6ee3bcd1b27190e268f0333aae309ea9e67a53662666e88ebdf66968e6d38640/detection

150.241.69.74:443
77.239.101.139:443
77.239.99.248:443
77.91.76.17:443
greenindustry.pl
reportguest1719.world
reportguest1883.world
reportguest412594521818.world
reportguest414895.world
reportguest4883.world
reportguest4895.world
reportguest489586.world
reportguest489594521818.world
reportguest4896.world
reportguest829.world
reportguestt4895.world

# Reference: https://x.com/RacWatchin8872/status/1901964602348323083

booking-caphuman-089096111.com
booking-human-id90024054.com
booking-march-lang-en515.com
booking-march45683.com
booking.partner-04240144.com
bookingmarch-en-lang.com
februaryconfr-21563.com
parner-id-1004991.com
parner-id-104951451.com
parner-id-12345501.com
parner-id-1381834.com
partner-04240124.com
partner-0424014.com
partner-04240144.com
partner-04240154.com
partner-0424214.com
partner-04245154.com
partner-40215.com
partner-40241.com
partner-402415.com
partner-40245.com
partner-40415.com
partner-420140.com
partner-42415.com
partner-424504.com
partner-442104.com
partner-624024.com
partner-id891489.com

# Reference: https://www.team-cymru.com/post/inside-danabots-infrastructure-in-support-of-operation-endgame-ii
# Reference: https://raw.githubusercontent.com/blacklotuslabs/IOCs/refs/heads/main/DanaBot_IOCs_txt

104.196.51.105:443
107.173.160.166:443
135.181.170.163:443
135.181.242.179:443
139.60.163.90:443
144.172.100.208:443
156.253.227.5:443
157.180.65.252:443
157.180.74.97:443
162.33.179.34:443
172.86.75.229:443
178.156.170.132:443
179.43.176.41:443
179.43.176.42:443
179.43.176.43:443
18.190.98.5:443
185.121.235.211:443
185.177.59.56:443
185.196.10.20:443
185.196.9.52:443
185.223.93.118:443
185.224.0.250:443
185.245.106.72:443
194.116.216.91:443
195.123.233.68:443
196.251.116.36:443
199.119.138.187:443
207.2.121.127:443
31.192.232.25:443
34.105.72.108:443
34.116.133.212:443
34.116.180.216:443
34.116.198.48:443
34.116.244.43:443
34.118.10.254:443
34.118.16.29:443
34.118.40.214:443
34.125.168.110:443
34.130.116.207:443
34.130.224.21:443
34.140.42.147:443
34.16.220.58:443
34.168.100.35:443
34.168.187.206:443
34.168.234.77:443
34.19.29.163:443
34.29.35.65:443
34.34.145.103:443
34.42.157.111:443
34.42.9.169:443
34.48.81.140:443
34.56.177.4:443
34.57.182.92:443
34.57.33.248:443
34.65.116.208:443
34.65.7.118:443
34.70.131.114:443
34.77.245.191:443
34.79.127.126:443
34.82.57.80:443
34.83.67.185:443
35.190.211.57:443
35.205.12.222:443
35.229.99.118:443
35.231.160.6:443
35.233.138.23:443
35.233.192.131:443
35.233.235.44:443
35.237.124.176:443
35.237.63.108:443
35.237.63.217:443
35.237.76.147:443
35.239.217.63:443
35.240.29.231:443
35.245.242.1:443
45.134.174.235:443
45.137.116.57:443
45.145.7.97:443
45.61.136.125:443
45.61.136.204:443
45.61.136.240:443
46.105.141.51:443
47.253.151.139:443
47.254.159.244:443
47.254.81.3:443
5.149.255.208:443
5.34.179.193:443
5.34.179.197:443
77.238.249.183:443
77.73.129.134:443
81.19.137.119:443
82.24.200.28:443
85.209.134.250:443
85.209.153.112:443
86.54.42.5:443
89.116.64.46:443
89.23.105.6:443
92.246.136.182:443
94.131.109.182:443
94.131.115.254:443
94.232.249.215:443
95.217.65.166:443
98.159.108.137:443
98.159.108.138:443

# Reference: https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/
# Reference: https://github.com/eset/malware-ioc/tree/master/danabot

149.154.157.106:443
176.119.1.100:443
176.119.1.120:443
176.119.1.176:443
176.119.1.99:443
176.223.133.15:443
185.254.121.44:443
188.68.208.77:443
192.71.249.50:443
31.214.157.12:443
47.74.130.165:443
5.8.55.205:443

# Reference: https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/unverified/IPPortC2s-90day.csv (# 2025-06-14)

101.99.92.124:443
104.194.132.90:443
136.0.8.169:443
138.124.89.202:443
185.14.31.210:443
185.255.133.88:443
185.95.159.158:443
193.243.147.99:443
35.243.192.63:443
38.146.25.235:443
45.137.81.202:443
45.91.94.218:443
62.60.148.72:443
62.60.226.159:443
62.60.248.190:443
77.105.161.234:443
78.111.89.86:443
91.84.105.30:443
91.84.106.171:443
94.154.35.99:443
95.164.55.3:443
