# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://staging.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf

154.48.241.199:15912
98.126.1.26:15912
98.126.1.27:15917
98.126.80.90:15912
98.126.80.91:15912

# Reference: https://www.virustotal.com/gui/file/942411f2fa054ec621023c6b9b4ad3b92372697da43eb38d2b661f80e19e6deb/behavior

/panel/mining/CPUMiner.files

# Reference: https://www.virustotal.com/gui/file/0ac003e6d8091544f7b055d7295ded55de94576729ab13925cde17eb2dd4ceab/detection

coin-pool.com
give-us-ltc.com

# Reference: https://www.virustotal.com/gui/file/c1d66b09938e5177a9406a8935f717cba888b06bc5ff74797e32c7b793d6a935/detection

give-us-btc.pw

# Reference: https://www.virustotal.com/gui/domain/give-us-btc.biz/relations
# Reference: https://www.virustotal.com/gui/file/8678f395fb9ae84d495c669f056f8226d9b3dca85040e65d35fa4511f1ce48b8/detection
# Reference: https://www.virustotal.com/gui/file/ecb40d340aee4666b7c3c2a0d1bbbcdcd9a92c578b15ba9dcce3bdabb3d528b6/detection
# Reference: https://www.virustotal.com/gui/file/e91b5ee9a6130afad7dfe64e024b8bffcaf39079b17937c78e6b262bf5fc7442/detection

162.211.228.130:3333
188.40.65.132:3333
213.239.198.109:3333
give-us-btc.biz

# Reference: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
# Reference: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/012/156/original/snort3-community-rules.tar.gz

darxk.com

# Reference: https://www.virustotal.com/gui/file/405a51b74c7c4e26ae112189e5ef071d6279b5fece6e2af08985306fdd28e223/detection
# Reference: https://github.com/stamparm/maltrail/pull/14162

a0153884.xsph.ru

# Reference: https://www.virustotal.com/gui/file/8e205172f1b49fe661e165ed633fcedb898ad7956ad71ee08e7b6c794148e9f4/detection

a0154466.xsph.ru

# Reference: https://www.virustotal.com/gui/file/67cec0a185c606a2ef972ed0c95b4cfc8b8a2c2d032c55b6c2058669ea216149/detection

f0160735.xsph.ru

# NOTE(review): update.aegis.aliyun.com is Alibaba Cloud's own Aegis (Cloud Security Center) agent host; the Pro-Ocean write-up below shows the malware fetching the agent's uninstall script from it. Legitimate Alibaba Cloud instances talk to this host routinely, so the bare domain is a high false-positive trail — prefer narrowing it to the specific path the report documents, and treat hits as "security agent tampering" rather than miner C2.
# Reference: https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/
# Reference: https://www.virustotal.com/gui/domain/update.aegis.aliyun.com/relations

update.aegis.aliyun.com

# Reference: https://www.virustotal.com/gui/file/9ca8870623b9a5dc238975dcde1049fa66c7dab326b16b57f2146580f667ddb5/detection

185.25.50.217:14811

# Reference: https://www.virustotal.com/gui/file/9ff4bb63bec0cf9a7870ed5d283ad35726eab6b11c82ddce9e861374566049ea/detection
# Reference: https://www.virustotal.com/gui/domain/itsupport.hldns.ru/relations

151.237.185.51:3333
185.60.133.214:3333
185.65.201.27:3333
188.64.170.220:3333
213.159.212.162:3333
37.252.7.150:3333
45.138.99.4:3333
46.249.59.91:3333
80.241.222.37:3333
82.146.50.128:3333
82.146.50.49:3333
82.202.167.202:3333
91.207.61.175:3333
95.181.178.66:3333
95.181.179.25:3333
itsupport.hldns.ru

# Reference: https://twitter.com/r3dbU7z/status/1358998466735833088

134.209.65.62:5001

# Reference: https://twitter.com/r3dbU7z/status/1362399595519766530
# Reference: https://www.virustotal.com/gui/file/4a7937ab8db988782c15ea79a707c454798189744efe9f7a3f7825f501345990/details
# Reference: https://www.virustotal.com/gui/file/a037c15659d91a7555fbd0ec17978c26f7974ea66909c8732629c4a1ec961f14/detection

194.5.249.224:8080
209.141.35.17:8080
212.114.52.24:8080
66.70.218.40:8080
xmr.givemexyz.in

# Reference: https://twitter.com/xuy1202/status/1367814695143366657
# Reference: https://twitter.com/redbad2/status/1390978401985449987

150.109.99.116:8000
miner.awayfar.top
fee.oldace.xyz
gw.oldace.xyz
miner.oldace.xyz
raylee.5166.info

# Reference: https://www.virustotal.com/gui/file/13345f418c210dee561872a5e21dc53b9f5a752110aca661647ac444ac4fa2cf/detection

f0490769.xsph.ru

# Reference: https://www.virustotal.com/gui/file/5f7b733e73ca432dce141e3cd3b07712a13b441d1cf4c09695e5ad07e917521a/detection

minertest.niex.cc

# NOTE(review): opendns.info and transmissionbt.org are lookalikes of the legitimate opendns.com / transmissionbt.com, listed as malicious in the reference below — they are not typos, do not "correct" them to the real domains.
# Reference: https://securelist.com/ad-blocker-with-miner-included/101105/
# Reference: https://otx.alienvault.com/pulse/604a40993962cb029d4ee31a
# Reference: https://github.com/stamparm/maltrail/pull/15250

adshield.pro
netshieldkit.com
opendns.info
transmissionbt.org

# Reference: https://twitter.com/r3dbU7z/status/1370348745586540544

lingx.club

# Reference: https://twitter.com/r3dbU7z/status/1370460292577173513
# Reference: https://www.virustotal.com/gui/domain/miner.kek.gay/detection

miner.kek.gay

# Reference: https://www.virustotal.com/gui/file/60e6449b35fd1b91b0c700fc638a710b79ec8e3772617c5d60e6fcf2f314f726/detection

pool.bmnr.pw

# Reference: https://blog.netlab.360.com/necro-shi-yong-tor-dong-tai-yu-ming-dga-shuang-sha-windows-linux/

cloud-miner.de
ublock-referer.dev

# Reference: https://twitter.com/xuy1202/status/1372021764797079556

http://45.197.95.2

# Reference: https://www.virustotal.com/gui/file/1b4a9e2b766cbfe23c42dad7d1bf0ed73b7b10e940b936cb5b69ba07f84f8de5/detection

cw02993.tmweb.ru

# Reference: https://twitter.com/r3dbU7z/status/1375063266129555461

45.144.225.104:9999

# Reference: https://www.virustotal.com/gui/file/69cb2e279b941d04d2e06476915b5d03e92ad900b665175b4e667677de457a81/detection

552-39-1658.krebsonsecurity.top

# Reference: https://www.virustotal.com/gui/file/4031b4d52db424a876a9af14c665cd166858eae1382e223147e67e728dd99146/detection

552-39-1659.krebsonsecurity.top

# Reference: https://krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/
# Reference: https://otx.alienvault.com/pulse/6061ebaf97943b790e97e899
# Reference: https://www.virustotal.com/gui/file/5f7d898ade3162bfb0c8d3006c42e934ff81fab3b4ad3b51c13441fd63e438cb/detection

krebsonsecurity.top
brian.krebsonsecurity.top

# Reference: https://twitter.com/KorbenD_Intel/status/1379537565498363906
# Reference: https://twitter.com/James_inthe_box/status/1379538678356185088
# Reference: https://www.virustotal.com/gui/file/a7c8b4c917102a5578a504f9badea75602544d765dd0dacf31420e44cc7b7d4b/detection

999.accesscam.org

# Reference: https://twitter.com/xuy1202/status/1387414908199866369

bmst.pw

# Reference: https://twitter.com/xuy1202/status/1394882908704284672

http://192.227.185.106

# Reference: https://twitter.com/xuy1202/status/1396059012794224643

http://195.133.40.24
service-exec.net

# Reference: https://www.virustotal.com/gui/file/ceb3a7a521dc830a603037c455ff61e8849235f74db3b5a482ad5dcf0a1cdbc5/detection

http://209.141.40.190
194.5.249.24:8080

# Reference: https://twitter.com/r3dbU7z/status/1400841914933518340
# Reference: https://www.virustotal.com/gui/ip-address/172.93.96.59/relations
# Reference: https://www.virustotal.com/gui/file/ae891eb02906204edc9abcfaaf3031b275d0e6fad472f49ee07dc189300ce87a/detection

http://172.93.96.59
172.93.96.59:42350

# Reference: https://www.virustotal.com/gui/file/758ccdc9b720e0e849f2d9452f7c9c33bcf6789343f6de919f13bcc72a8ce00a/detection
# Reference: https://www.virustotal.com/gui/file/5848e6c2e0776a59d8882b9df7fcc9af144a5c8f8e04f5ff8a5ec308228a1d4d/detection

93.179.121.215:3333
betandwinornot.com
red1r2.xyz

# Reference: https://www.virustotal.com/gui/file/10432e31480b3e9f1e45dff5ed4b91a374b947cb4b86ce3a069ff74b7dbe9a22/detection

xmrv7.sfwewtryhrerwewqretr.com
xmrv7.weoqieqwuishdwuygqw.com

# Reference: https://www.virustotal.com/gui/file/324438a817b0b3838d7e59ea2f2ba21e2ccf3da6a3501844915991ee9a82937a/detection

swiftmining.win

# Reference: https://www.virustotal.com/gui/file/3193b300523363511736fd6c6dfe49441d389acc0b654f7df72f16e42e05d0a7/detection

ivansupermining.info

# Reference: https://blog.group-ib.com/prometheus-tds

honeyminer.live

# Reference: https://twitter.com/James_inthe_box/status/1423632214172991488
# Reference: https://www.virustotal.com/gui/file/4940200e009c811c47fe102fe47b20f32cf6b1abf309759b24b6a4f79a26b708/detection

185.195.233.157:57484
185.65.135.248:58899
sanctam.net
config.sanctam.net
/assets/txt/resource_url.php?type=xmrig
/resource_url.php?type=xmrig

# Reference: https://www.virustotal.com/gui/file/270abae022a66939cc7ddc2dec35cae33a9796adb6e36114e09a7e8954254f72/detection

185.62.189.66:8000
185.62.188.59:8000
relay.100chickens.me

# Reference: https://www.virustotal.com/gui/file/fa14c6a94b370a062658803d59cc516eb0e11655526e707f29c63576328f511e/detection

5.206.225.122:8000
relay.phatbois.biz

# Reference: https://www.virustotal.com/gui/domain/k2ygoods.ydns.eu/relations

k2ygoods.ydns.eu

# Reference: https://www.virustotal.com/gui/file/04e0b91e1f39a16f5b2814d473f5d5ba5945b26d5912ef99932e9093a52c5584/detection

killer5x.beget.tech

# Reference: https://www.virustotal.com/gui/file/3648a38a2c01f49a1d3f536c184c110665d32bc4cf331475e219a3f07aaddede/detection
# Reference: https://www.virustotal.com/gui/file/b79bc880122234796a52a80eb27446ddb6c68f5bbc86afaf947735847e6b587e/detection

carraq7r.beget.tech
excerptible-navigat.000webhostapp.com

# Reference: https://www.virustotal.com/gui/file/eab31e6869088065a7e82f3dcf0dbc96b80d962ce266c1be7cefa385827aa4a9/detection

wuntedj2.beget.tech

# Reference: https://www.virustotal.com/gui/file/4688539a79b4d7a680159419a23b3ee0802838f7f2d5598a6f61369c5ad1a50e/detection

top1chqu.beget.tech

# Reference: https://www.virustotal.com/gui/file/345dc95a2d9042a38497a6effa7e9125e59a0a475332a9d92124dc48062d7b03/detection

koskiahg.beget.tech

# Reference: https://www.virustotal.com/gui/file/5b1185beeadb639f323162915888ddec2b21d7c0def905cfccfb700668b57924/detection

darksmtf.beget.tech

# Reference: https://www.virustotal.com/gui/file/03e15c75c983fe3b555d48a31c77d1c09574980d805daeedab614d87bcb2f79e/detection

maxnem8g.beget.tech

# Reference: https://www.virustotal.com/gui/file/59f9e3d1e60698fa43b80699bead99271d8d2fbd3c3d99c4f7a11637a432d5b0/detection

btcminws.beget.tech

# Reference: https://www.virustotal.com/gui/file/f81f52daa847f5419d1643185db6e82891944373a848f0ec54c7ad31deb3eb21/detection

gabataiser.beget.tech

# Reference: https://news.sophos.com/en-us/2021/11/18/new-ransomware-actor-uses-password-protected-archives-to-bypass-encryption-protection/

190.144.115.54:443
45.77.76.158:25643

# Reference: https://www.virustotal.com/gui/file/6e4b708017992a4600a644660b82c1068becb1c1d1212a70a14bbe89c3b211fd/detection

http://195.201.124.214

# Reference: https://www.virustotal.com/gui/file/e9dfadacb0ec21e2c6c63e96401caae9a33c3e91d587bae63ea701bd2a067bd4/detection

teamviewer.myvnc.com

# Reference: https://twitter.com/r3dbU7z/status/1468869791633006599

http://104.192.82.138

# Reference: https://twitter.com/r3dbU7z/status/1469248862405767173
# Reference: https://www.virustotal.com/gui/ip-address/58.226.35.74/relations

http://58.226.35.74

# Reference: https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/

http://54.210.230.186
http://172.105.241.146
http://18.228.7.109
http://31.220.58.29
/wp-content/themes/twentysixteen/s.cmd

# Reference: https://twitter.com/tolisec/status/1473515063030034433

http://150.60.139.51
/wp-content/themes/twentyseventeen/s.cmd

# Reference: https://twitter.com/r3dbU7z/status/1474806398034796551
# Reference: https://twitter.com/r3dbU7z/status/1474810273047453701

106.53.115.114:443
116.62.203.85:443

# Reference: https://twitter.com/AffableKraut/status/1479487044808237061
# Reference: https://gist.github.com/krautface/58b8c2f58d1219065e26a48db6402c0b
# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-November/030797.html
# Reference: https://www.virustotal.com/gui/file/2735862837aaaf77520131992bc3ee64c43a9984e436e5f3e6433706606b0734/detection

89.58.15.35:4444
binarybusiness.de
bitcoin-cashcard.com
bitcoin-cashcard.de
bitcoin-cashcard.eu
bitcoin-pocket.de
bitcoin-pocket.eu
cloud-miner.de
cloud-miner.eu
crypto-webminer.com
dontbeevils.de
donttbeevils.de
easyhash.de
eth-pocket.com
eth-pocket.de
ethereum-cashcard.com
ethereum-cashcard.de
ethereum-pocket.com
ethereum-pocket.de
ethtrader.de
evilsbedont.de
trustaproiam.de
trustiseverything.de
trustmeiamapro.de

# Reference: https://twitter.com/Max_Mal_/status/1486252809901248514
# Reference: https://twitter.com/Max_Mal_/status/1486252808424804378

http://141.85.161.18
http://195.154.187.240
http://72.46.52.135
http://80.71.158.96
51.222.121.180:82

# Reference: https://twitter.com/vinopaljiri/status/1487654354148634629
# Reference: https://www.virustotal.com/gui/domain/mine.gsbean.com/relations
# Reference: https://www.virustotal.com/gui/file/ba3283863eb1f129120e653e532e40bfa3bfe7fe0a384c1ffc25a44404813300/detection

116.202.251.12:8585
116.202.251.41:8585
116.202.251.42:8585
141.255.164.2:8585
46.4.156.44:8585
80.255.3.69:8585
80.255.3.74:8585
gsbean.com
mine.gsbean.com
miner.gsbean.com

# Reference: https://twitter.com/r3dbU7z/status/1487727533214912514
# Reference: https://www.virustotal.com/gui/file/e56eed035c9fab1b46d9c8d7fd3591796658ff6102f5d06bd73ab72edcdc5912/detection

211.84.240.57:19490
5.26.56.76:8081
guyeyuyu.com

# Reference: https://www.virustotal.com/gui/file/00b3d63475d5dd8b1e5eb8ba396bc61db475742bad57e330af15ecf84e06e749/detection

bnstarage.ru.swtest.ru

# Reference: https://www.virustotal.com/gui/file/f1a36f6e52b1a4968e0e4555065533220d163f4dc2c3855ff3280a4bc2c51de9/detection

dlxmrig.vaiwan.com

# Reference: https://www.virustotal.com/gui/file/69db3286b4570897e6ca734770592e1cb21f9903bc757208e075b7c51d8c1524/detection

150.129.234.203:82

# Reference: https://www.virustotal.com/gui/file/efcf15f7c1f9f6fe1ac868cc663ccdb9ed5cba441d2b53afb2ef84d284f204fb/detection

http://185.231.153.4

# Reference: https://www.virustotal.com/gui/file/3ccc53c4e0908ac1dc21a749f143774863a6604c04aa23f95433afd4d397f0e4/detection

104.131.13.127:11633
105.242.70.229:11633
135.181.105.21:11633
185.205.210.130:11633
43.252.75.246:11633

# Reference: https://www.virustotal.com/gui/file/0000b1219302efd9da56d67d180aa70f50651764fc125b5dcffc94add4f95c76/detection

3.120.98.217:8080

# Reference: https://www.virustotal.com/gui/file/2baba54bd1a2012c1fb1d6b56976ad6c6fa18c7eead791a49998179f8b15913c/detection

titcoin.isasecret.com
titcoin.slyip.com
titcoin.sytes.net

# Reference: https://www.virustotal.com/gui/file/60e3dde172b40ff64692a7107b7423f97bf733258adf1b69044ad0f7652ab571/detection

ballsfguyjhgf.000webhostapp.com

# Reference: https://www.virustotal.com/gui/domain/yvzgazds6d.com/relations
# Reference: https://www.virustotal.com/gui/file/006d2e9c9f5e4e0c619bf9d1e8bf1af67c52d5f7591e5771feadb58c4ee6c1c8/detection

yvzgazds6d.com

# Reference: https://twitter.com/1ZRR4H/status/1523758843414847488
# Reference: https://www.virustotal.com/gui/file/01a1a733afc3a36f53ae87f8667741a0fbd047526ceb929305f36bf39a0dce81/detection

http://199.247.0.216

# Reference: https://www.virustotal.com/gui/file/efe2755e1acc314f0e07c5e08de9957b012474450f89ef73c1ffe9cc3b5ed67c/detection
# Reference: https://www.virustotal.com/gui/file/7b58cf2671c6a7aad37094e8f560b268635e88467b2bebf7c2ea83256d105bf5/detection
# Reference: https://www.virustotal.com/gui/file/4091b3f789b2efe101cb6e1941bd0c613f9292fe750b5d6796e299b8477bbb46/detection

146.196.83.217:29324

# Reference: https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/

http://113.185.0.244
http://185.157.160.214
103.64.13.51:8452

# Reference: https://www.virustotal.com/gui/file/430069f19ad4a8bc46ce8238e5d700813e50390bbf463c3bd7f3eb2f2a9af11b/detection

http://94.130.227.45

# Reference: https://www.virustotal.com/gui/file/f1059c896152b8eb36c63478a4069b050557c7da07653b0fd35e0a52327068c1/detection

91.211.89.94:3333
patron1.chickenkiller.com

# Reference: https://www.virustotal.com/gui/file/c53580ea73754a863e407da21103e586f6037cafc6bc2df8bd0f8ddd2a882ac7/detection

http://116.203.223.201

# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking
# Reference: https://otx.alienvault.com/pulse/6299eb63a8cedd5b3a7b83de

179.60.146.9:443
94.75.205.148:443

# Reference: https://www.virustotal.com/gui/file/9954c4b0efcb0e97d6045a2c4e0c3463d1d9d6fe207271751a292cfc1ecd5fed/detection
# Reference: https://www.virustotal.com/gui/file/5392cba0421021e6c6b8b7dd69000638019d5e262ed5791c87fabe692712e8b3/detection

167.71.195.90:4242
xmrzone.net

# Reference: https://twitter.com/samaritan_o/status/1546384948055138304
# Reference: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/

101.102.225.236:4000
101.102.225.236:8080
74.119.239.234:4000
74.119.239.234:8080
mymst007.info
http.mymst007.info
mst.mymst007.info
mst2.mymst007.info

# Reference: https://twitter.com/petrovic082/status/1551943731858866182
# Reference: https://www.virustotal.com/gui/file/2f9ed37872c061eae91bde834e7af4bbf7df360b740b4e3a960350d68be819db/detection

pool.bmwebm.org
wm.bmwebm.org

# Reference: https://asec.ahnlab.com/en/37526/
# Reference: https://otx.alienvault.com/pulse/62f22183dafdbedf77a7e45a

scmm.netlify.app

# Reference: https://mobile.twitter.com/malwrhunterteam/status/1562886002880167936
# Reference: https://www.virustotal.com/gui/file/3770c35b96d937d2cda799713b36dbd8cd2b44a1dd8c44b3a9b7b24eb82046f5/detection

yhkdm4cefxmzjkdzqtejagxi5t7mmkzq6i4oym4pmkevvflc3kihk3id.onion

# Reference: https://twitter.com/malwrhunterteam/status/1564978499709984770
# Reference: https://twitter.com/malwrhunterteam/status/1564978899133538305
# Reference: https://www.virustotal.com/gui/file/45632e53ee2842145b341f38196504b076271fc477a0800dc6fd34d09652a0f9/detection
# Reference: https://www.virustotal.com/gui/file/5af4dc5d6f4cf81a23bd22c37fcf0ca2ceebffcd095c2affede33d01c0748451/detection

73whsrbvydiamobabrxbgmxh76d3qpp4mqbajtxpkgj4zae3h2y6doad.onion
yuid7lkv7h662me42y2nzpsyop46xov572hnfbhvifznjnwpmvi2prqd.onion

# Reference: https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/

intelserviceupdate.com
nitrokod.com
nvidiacenter.com

# Reference: https://www.virustotal.com/gui/file/35b1f430047720986cb15c3a4da6e608ddd0f915b0b360bdcc6fd881722b0c27/detection

chc1.ignorelist.com
chc2.ignorelist.com
chc3.ignorelist.com
chc4.ignorelist.com

# Reference: https://blog.cyble.com/2022/11/23/fake-msi-afterburner-sites-delivering-coin-miner/
# Reference: https://otx.alienvault.com/pulse/637f8c6c3feec05efb23b514

matrizauto.net

# Reference: https://www.virustotal.com/gui/file/4d956eb377c43410a276bc5beb5c46885f51152f80e5000b4148293a1e3c9a97/detection

sil5.com
/adm777/g.php

# NOTE(review): the mail.<org>/resources/files/ trails below look like compromised on-premises Exchange servers used to stage the payload (the campaign exploits ProxyShell) rather than actor-owned infrastructure; victims get remediated, so expect these to go stale and re-check them periodically.
# Reference: https://blog.morphisec.com/proxyshellminer-campaign
# Reference: https://otx.alienvault.com/pulse/63ee553446d81209663d0797
# Reference: https://www.virustotal.com/gui/file/2bb26e1ad01d13c2c7675b8c5bae9aaa4eae12ebcc613a6f18f2d6f49654765e/detection
# Reference: https://www.virustotal.com/gui/file/62d198f9d1753c5b1ec4c6d197f0628857c7e2e05a570009e78b17a1cd4bfc77/detection

mail.itseasy.com/resources/files/
mail.ghmproperties.com/resources/files/
mail.shaferglazer.com/resources/files/

# Reference: https://www.virustotal.com/gui/file/2037befe04bacf6dff12e9a3fc533cc920aa2e9b7cdc1141d47aa9cee496e237/detection

http://91.198.22.70

# Reference: https://twitter.com/r3dbU7z/status/1628658194917490689

http://139.59.150.7
139.59.150.7:443
rxmxpzfkydkulhhqnuftbmf6d5q67jjchopmh4ofszfwwnmz4bqq2fid.tor2web.in

# Reference: https://twitter.com/g0njxa/status/1659563136737738754
# Reference: https://app.any.run/tasks/02488673-70ae-4475-ae50-100e6861c6d3/

51.81.168.158:8083
51.81.168.158:9999
papa1122.com

# Reference: https://twitter.com/SecureSh3ll/status/1663560017797332999

exanimate-tolerance.000webhostapp.com
exanimate-tolerance.us-east-1.route-1.000webhost.awex.io

# Reference: https://www.virustotal.com/gui/file/5f231555c13ea76ce311bd38dd17756cc6c071b09e44f5e12159e91694afd9a0/detection
# Reference: https://www.virustotal.com/gui/file/eeed7ce800a9714b65aaae4f1d61deb83d3f0cbcfd814372807b73c940d4bb8f/detection

devupdates.in

# Reference: https://www.virustotal.com/gui/file/d7e538f2706c6de8ebc8756d302b444334e9286b9dd35f7687c83f71af543062/detection

http://45.142.182.146

# Reference: https://www.virustotal.com/gui/file/3d2a5f279b1def8985566d2e2694158e1dd22718d1b65980dbd847218b48b391/detection

45.142.182.146:39001

# Reference: https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/

/miner_sigg
/winminer
/winminer_sign

# Reference: https://twitter.com/g0njxa/status/1686073290845011969
# Reference: https://app.any.run/tasks/ae15896e-4668-4186-add5-7acee638ca86/

padnel2myajfeqniq.xyz

# Reference: https://www.virustotal.com/gui/file/eee03d3ec87cb61fb30aab3e3b9fb4a8e6c668f5c88db28e1882e2c76c67bcd6/detection

193.124.119.202:2244
paravozik.dynnamn.ru

# Reference: https://www.virustotal.com/gui/file/15442176aaf35ce26e2999d62d6d683679e5692324c4db75449104bce2f37171/detection

185.154.14.5:3333
pococo.cc

# Reference: https://twitter.com/karol_paciorek/status/1704047037577072654
# Reference: https://tria.ge/230919-jjm26sfe8t/behavioral2

89.175.24.90:8080

# Reference: https://www.virustotal.com/gui/file/00a4f27d146ce06557f889c1b4f689d094d6a8f8aa911410c4f9dbbb45539a31/detection

windowsupdatesupport.org
m.windowsupdatesupport.org
mail.windowsupdatesupport.org
ns1.windowsupdatesupport.org

# Reference: https://twitter.com/Jane_0sint/status/1738264140446339528
# Reference: https://www.virustotal.com/gui/file/b2823679fc85abd40d50cc1bec18ce4bc803fc78e2597a92c32dec4ff63ffcaf/detection
# Reference: https://www.virustotal.com/gui/file/3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4/detection

http://5.133.65.53
http://5.133.65.54
5.133.65.53:1444
5.133.65.53:443
5.133.65.53:5655
5.133.65.54:1444
5.133.65.55:1444
5.133.65.56:1444
77.247.243.43:5655
msupdate.info

# Reference: https://app.validin.com/axon?source=DNS&type=ip&find=45.132.1.1

trapminer.biz

# NOTE(review): a few entries in this batch appear to be provider-generated reverse-DNS names (the services.oktawave.com and vps.ovh.net hostnames); such names normally exist only as PTR records and will not show up in client DNS queries or HTTP Host headers, so they add no coverage beyond the corresponding IP.
# Reference: https://threatfox.abuse.ch/browse/tag/UNAM/ (# 2024-01-05)

http://122.169.64.215
http://158.247.198.75
http://185.117.3.110
http://194.33.191.246
http://195.3.223.172
http://2.58.113.172
http://2.58.113.220
http://51.195.35.200
http://54.36.127.183
http://85.209.176.126
http://85.209.176.178
http://91.92.254.72
102.50.247.129:443
130.162.178.229:443
14.225.8.224:8081
158.247.198.75:443
172.111.239.90:443
176.119.35.43:443
185.117.3.110:443
193.105.135.135:443
195.3.223.172:443
197.91.182.171:443
197.91.182.171:86
2.58.113.172:443
45.120.177.17:443
45.67.230.182:443
47.87.145.154:443
51.195.35.200:443
54.36.127.183:443
54.38.193.134:443
82.66.185.138:8080
85.209.176.178:443
95.214.24.45:443
144920-1-76bedd-01.services.oktawave.com
ads.thebestonline24.com
api.hostinguje.me
auth.xy0ke.pro
bankcashcredit.ru
beylikotomasyon.com
bixby.lat
bumbiz.xyz
caboshed-rations.000webhostapp.com
clarenssbodiker.ru
crypticgamings.com
data.shopvigil.com
demo.citichoice.ca
dsadw33fdsfs.buzz
fanklubziuta.pl
fortunagamez.com
frazedev.xyz
gfdwertwdd.xyz
ghostmain.site
host.jjzpanel.xyz
hotspot.mom
info.thebestonline24.com
jf832nfds90vxcj893422m.store
jjzpanel.xyz
kaspersky-secure.ru
klaster.pp.ua
krypto.itwu.pl
law.fan
mail.crypticgamings.com
mail.ok.adaklab.ir
mail.strongsteelhomes.com
main-node.incaves.fr
microsoftcom.gfdwertwdd.xyz
minehidden-gpu.ru
miner.sjzh.top
minerchenzhi888.top
minernumberone.org
moner0000f5rvt.site
mx.thebestonline24.com
newstroczvmonmy3ne1w.su
ok.adaklab.ir
owenkruse.click
panfsaafcxzelkfsha31523.xyz
paquerasfacilitadas.fun.g10corretora.com.br
px1.bankcashcredit.ru
rawrie.eu
rede.tphost.com.br
rex-exploits.ru
seanhenning-101.ddns.net
servermethod.net
sjzh.top
smartpanel.top
snsnuji.com
strongsteelhomes.com
swapme.fun
system.xnesa.in
telefonemusk.ru
thebestonline24.com
unam.farorsps.com
vps-228ceefa.vps.ovh.net
webpanel777.pl
willyman.org
windowsupdate.love-network.cc
xm.centralmarketingkur.com
xmr.r4nd0m.anondns.net
xmr.sjzh.top
xmrpool.shop
xy0ke.pro
zel.bio

# Reference: https://threatfox.abuse.ch/browse/tag/UNAM/ (# 2024-01-16)

http://103.54.57.251
http://122.169.90.181
http://141.98.7.8
http://188.120.232.53
http://193.222.96.183
http://217.196.107.29
http://24.199.71.49
http://64.23.168.181
http://91.194.135.254
http://91.92.243.55
http://94.156.71.78
102.50.247.129:84
103.54.57.251:443
193.222.96.183:443
195.242.218.22:443
2.58.113.172:4433
8.218.155.228:443
alexs404.fvds.ru
cdnupdateservice.com
controlpanel29.com
doobiefly.com
downhimse.com
gptchatpro.online
intro.su
mycontrolpanel29.com
nanasuuakiaa.host
panelbar.ct8.pl
panitor.xyz
shikkiy.fvds.ru

# Reference: https://tria.ge/240212-pz8lpsde6w/behavioral1

dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly

# Reference: https://twitter.com/karol_paciorek/status/1758506840822894993

45.200.14.77:88

# Reference: https://www.virustotal.com/gui/file/87f6e9f0e2b2251c6e4a1bc94b8f30c1d86e69955067f5cf989e457abfcf67d3/detection

154.12.33.4:33370
xmr.awuam.com

# Reference: https://www.virustotal.com/gui/file/cd47f987e36e2afd5d05802d768726a6a526500a13b1511c883f4136c8ac715f/detection
# Reference: https://www.virustotal.com/gui/file/d78a652f5bbf7f3c03a8628da604db23a7c901b5c6c6848852b4848079165cdb/detection

http://47.105.86.47
47.105.86.47:3306
47.105.86.47:54253
47.105.86.47:54254
hansenserver.top
db.hansenserver.top
remote.hansenserver.top
serverchain.hansenserver.top

# Reference: https://www.virustotal.com/gui/file/671cb459608e8db68aa48e8bd51aa4bcf1caa14fe014dcd82c36868c3b1d30b8/detection

http://91.92.242.200
91.92.242.200:62659

# Reference: https://www.virustotal.com/gui/file/fb22a89b757f26048ef0e1704b17dfcb4540dec9b0d57c8c234b331920bc809f/detection
# Reference: https://www.virustotal.com/gui/file/db51bbf76672c02bc0248d242efde621cf8809ed4c8a2ea4c2ca0176c7b07623/detection
# Reference: https://www.virustotal.com/gui/file/5353127308732b5a30d96259d0448c5bf92fba25ebc73bfea014f11cebb21990/detection

http://91.92.249.202
134.255.232.79:30123
91.92.249.202:21
91.92.249.202:62659

# Reference: https://www.virustotal.com/gui/ip-address/218.28.249.14/relations
# Reference: https://www.virustotal.com/gui/file/e770d014c39b16344d77732368134400386342c09058318f141cfd27decb667a/detection
# Reference: https://www.virustotal.com/gui/file/41cc2e29d9651a1b7590dbce59d3ee18c9749397536ef97b8d7e176d24ba33bc/detection

218.28.249.14:3335
218.28.249.14:8080
domain004.gleeze.com
gamepanel.gleeze.com
gamepanel2.theworkpc.com
test1000.ooguy.com
test1001.blogsite.xyz
test1003.accesscam.org

# Reference: https://www.virustotal.com/gui/file/78f6886ce0c49121a1f487bea1d75644ee389842bb45d3f230236bb99f77471e/detection
# Reference: https://www.virustotal.com/gui/file/293b7cf8bbdfaa4c997ef8914a7e7ba845be03206421e63bd07507450b651409/detection
# Reference: https://www.virustotal.com/gui/file/f40e7e35fcb6c546d49a041899fba78002a275fe35cc6de09f06aef8b785fe9c/detection

156.227.0.125:6363
166.88.209.25:110
166.88.209.25:17763
166.88.209.25:18080
166.88.209.25:6363
54.153.56.183:6363
94.63.34.213:6363

# Reference: https://www.virustotal.com/gui/file/ba75bf06d239cf48e35bd920c35da82f3b505bb6cd05d122d1f3dc5bda525083/detection

94.156.67.16:443
wmubot.ddns.net

# Reference: https://www.virustotal.com/gui/file/1bd1c442a4622499471978b49ade289e296bf01a56d01ef0348d4d362fcf995d/detection

108.61.215.239:23888
45.32.199.3:23888
45.32.203.114:23888
45.63.43.26:23888
45.76.115.89:23888

# Reference: https://x.com/1ZRR4H/status/1795960542579802421
# Reference: https://www.virustotal.com/gui/file/2e46c0360337ed9d666fdb522a8ee833e049b485b1a8f4a8aae77efae22e89ff/detection

webpanel.elementfx.com

# Reference: https://x.com/banthisguy9349/status/1799767765647270037
# Reference: https://urlhaus.abuse.ch/host/185.172.128.11/

http://185.172.128.11

# Reference: https://x.com/banthisguy9349/status/1801521988957036989

58.215.245.2:9000

# Reference: https://x.com/banthisguy9349/status/1801522550373048682

http://103.143.239.245

# Reference: https://app.validin.com/detail?find=%E2%9D%A4%EF%B8%8F%20EBANYTA%20ADMINKA%20%E2%9D%A4%EF%B8%8F&type=raw&ref_id=ff567c6609f#tab=host_pairs_v2

http://135.181.188.178
http://185.196.10.4
http://185.209.162.40
http://194.87.31.45
http://195.10.205.24
http://45.15.156.43
http://5.104.75.39
http://85.192.40.230
http://91.194.11.16
/zima.php?mine=XMR

# NOTE(review): many hostnames in this batch (the usps-*/*-usps, correos-*, *-evri and pp-portefeuille names) read as delivery/payment-themed phishing lookalikes rather than mining infrastructure; confirm the ThreatFox IOC details before keeping them in a miner trail, since the wrong category misleads analysts triaging the alert.
# Reference: https://threatfox.abuse.ch/browse/tag/UNAM/ (# 2024-09-08)

http://141.144.255.144
http://144.76.150.194
http://149.202.52.184
http://154.201.74.240
http://185.196.9.62
http://192.52.166.186
http://193.233.193.8
http://198.50.242.157
http://2.45.246.57
http://211.42.242.253
http://212.87.213.208
http://37.116.229.171
http://37.220.83.212
http://5.42.103.163
198.50.242.157:8080
23.94.85.61:8080
1212937-cj74480.tw1.ru
168.119.120.21:443
45.14.244.199.sslip.io
6467.vfl.asia
7646.vfl.asia
api.degenen.webtm.ru
azxjhcoaas.xyz
cephubsearch.com
correos-1.cc
correos-1.top
correos-cll.cc
correospanama-gov.cc
correospanama-gov.shop
customeritems.com
eueue.icu
fcm1sx3iteasdfyn2ewds.zip
hub-mailer.com
huntersdb.000webhostapp.com
ios-evri.com
mail.webserverupdate.com
mail1.hub-mailer.com
mainnet-rpc.rupayx.com
mariona.duckdns.org
mydeliver-usps.com
mypackage-usps.com
myparcel-usps.com
mystifying-lewin.185-196-9-85.plesk.page
nnidethom.xyz
ns1.customeritems.com
ns2.customeritems.com
pandurate-chalks.000webhostapp.com
post-chi.cc
pp-portefeuille.com
protonematal-unifor.000webhostapp.com
safe-evri.com
safe-online-usps.com
safe-usps.com
security-usps.com
skinbaron.customeritems.com
usps-myparcel.com
usps-mypost.com
usps-online.com
usps-pt.com
usps-safe-online.com
usps-safeness.com
uspsonline-safe.com
vpn.kutsko.top
webserverupdate.com
website-af0f5d7d.bfj.bgd.mybluehost.me
wonderful-clarke.185-196-9-85.plesk.page

# Reference: https://threatfox.abuse.ch/browse/tag/UNAM/ (# 2024-09-09)

affilate-pirat.de
correos-1.shop
ki-mafia.info
ki.xxx9.info
mssecupdate.mooo.com
post-cch.shop
tanja-yaman.de

# Reference: https://www.virustotal.com/gui/file/2d5ab6c2da86c853d53837610cd149680523b8ea9677d78d571355fb8086fa2b/detection

185.208.158.206:1155
windowshealth.link

# Reference: https://x.com/banthisguy9349/status/1835325147185652147

http://185.208.158.206
http://194.59.31.31
http://5.180.45.105

# Reference: https://www.virustotal.com/gui/file/05a33e87dc5cc62570d362dedae9466ab145913354dd13a4fdf727cfd5bb43a1/detection

windowshealth.store

# Reference: https://x.com/cyberfeeddigest/status/1838471602138194424

http://195.10.205.253

# Reference: https://x.com/ShanHolo/status/1838472828590371276
# Reference: https://urlscan.io/result/01931d5a-8c80-43f1-8b1d-96ba487a3a01/related/

http://144.76.112.206
http://176.97.210.55
http://45.200.149.153
http://46.23.108.253
a0998542.xsph.ru
catherby.cloud
correos-ccl.shop
correos-gov.com
craxing.world
danzimmer.space
git.mse.to
mileminer.000webhostapp.com
mp.w0lfcr4ck3r.xyz
nohellodesk.store
painel.danzimmer.space
paulmaney.000webhostapp.com
projectcen.com
proxy-pol.depo.com.ru
scarwrld.xyz
serremotepanel.top
w0lfcr4ck3r.xyz

# Reference: https://x.com/cyberfeeddigest/status/1841717736075821151

http://176.124.205.162

# Reference: https://www.virustotal.com/gui/file/06192c659f0d3d30d5c9cae994e2d323408212c9b1c34b96005a87f50c467325/detection

87.106.181.185:8080
mys2005.xyz
fh.mys2005.xyz
supportxmr.mys2005.xyz

# NOTE(review): 13.248.169.48, 76.223.54.146 and 198.54.117.197/.198 are commonly reported as shared domain-parking / URL-forwarding endpoints rather than actor-controlled hosts — possibly what the mys2005.xyz names resolved to once parked at the time of the sandbox run. An IP:port trail on shared infrastructure matches unrelated traffic, so verify those four before keeping them; the ime.mys2005.xyz domain is the durable indicator here. TODO confirm.
# Reference: https://www.virustotal.com/gui/file/2fecc6f4642c674a2e04c0bd7bf9582830396a25298b0748434a7202f1d1f7b5/detection

117.50.27.167:8080
117.50.27.167:9170
119.28.13.226:9170
13.248.169.48:8080
198.54.117.197:8080
198.54.117.198:8080
76.223.54.146:8080
ime.mys2005.xyz

# Reference: https://x.com/cyberfeeddigest/status/1849743768456495553
# Reference: https://www.virustotal.com/gui/file/0b684f6c900437e9ac6fd1463717d18c55befc2a2923563b7134dd209a46bb37/detection
# Reference: https://www.virustotal.com/gui/file/e3801874cc5d57f0f249ba6499d6c870e2a1ed6f695ada3389cbf19ed2c85d6e/detection
# Reference: https://www.virustotal.com/gui/file/8a99b284aef50ecd153cc7f2416ac0f3154b32d1e16a93217213ad31c84b138c/detection

cs40967.tw1.ru
reebokfm.beget.tech

# Reference: https://x.com/BushidoToken/status/1861102057475702795
# Reference: https://mrl.cert.gov.az/az/articles/view/125
# Reference: https://www.virustotal.com/gui/file/4d8b4804588694ae16f0d5ce61b1e75630657faf320123402c1f322c93fe2443/detection
# Reference: https://www.virustotal.com/gui/file/3957f5481027741d01680b1b66ee2c22fd19fc617e90c208df7155d665c97ab8/detection
# Reference: https://www.virustotal.com/gui/file/7b507813a343f38ac6806995b97a30f7402f18c035df41ce5f830c334d944e38/detection

188.116.21.204:5432
37.1.198.31:5432
37.252.14.127:5432
rootuniversal.com
rootunv.com
rootunvbot.com
rootunvdwl.com
runvrs.com

# Reference: https://x.com/redrabytes/status/1852239693082968496

http://109.71.253.48

# Reference: https://urlhaus.abuse.ch/browse.php?search=5d9fe2735d4399d98e6e6a792b1feb26d6f2d9a5d77944ecacb4b4837e5e5fca&page=1 (# 2024-11-14)

http://109.190.171.149
http://122.179.136.112
http://149.210.25.228
http://166.166.188.230
http://170.250.53.236
http://186.3.78.195
http://190.215.253.57
http://39.108.182.78
http://47.236.23.121
http://5.26.97.52
http://68.46.23.180
http://71.50.35.6
http://77.231.82.40
http://79.91.225.168
http://81.136.139.237
http://88.28.218.163
http://94.226.135.252
114.241.225.1:8085
117.50.95.62:9880
118.212.133.42:9000
119.32.29.121:8309
123.115.161.41:8085
123.118.191.172:8085
125.33.226.84:8085
125.33.228.251:8085
125.90.252.9:9998
183.30.202.249:82
183.30.202.253:82
183.30.204.170:81
193.162.43.35:6703
222.129.237.129:8085
222.130.139.27:8085
230.sub-166-166-188.myvzw.com
61.48.130.180:8085
lurenjiapd.cloud

# Reference: https://x.com/ShanHolo/status/1864379080767893647
# Reference: https://www.virustotal.com/gui/file/74f5142d25d34e880dda6a08ab8d0c48e10ee6136c00f67340d70c173cd94e98/detection
# Reference: https://www.virustotal.com/gui/file/55446938263345080699a93e9b91390df08fd52f9dfa9600450dcf1da41af2f5/detection
# Reference: https://www.virustotal.com/gui/file/17040c99384f5cc43f4a25d780d1e8664154cf94fac12b56891b3e638de183d3/detection

http://3.145.136.209

# Reference: https://x.com/JAMESWT_MHT/status/1868980175175901193
# Reference: https://www.virustotal.com/gui/file/656e9e591a579bea8fa21c5ecedb50ac885c0621c14942b3ada21a08fec0b3ba/detection

dacsanvinhchau.vn

# Reference: https://x.com/BlinkzSec/status/1874664444661514420

http://185.196.11.251
http://185.236.203.114
http://193.233.113.77
http://23.27.201.57
http://23.94.247.46
http://62.60.248.110
http://77.221.153.54
http://94.103.84.173
http://94.156.167.94
http://94.228.162.185
http://94.72.98.157
10.53.154.104.bc.googleusercontent.com
93.177.102.148:8080
avaliacaodobem.online
best-leaks.org
cryp-domedows.com
cyrpt.amidaaccountancy.com
dnsupdateservice.com
druginthepunto.shop
genghiskhanof21century.online
izoa.netsons.org
kapilapiii.com
ksmshop.fr
lojaprincipiaoficial.online
mail.izoa.netsons.org
mail.kapilapiii.com
maxxassets.com
mes-deofertasml.online
miner.2025ca.site
mustang666.ru
outlet-shoullder.site
pique3.pw
randomthing.online
satisfacao-stan.online
stealslegion.duckdns.org
sub7logistics.com
t1p9jbex8g.silentlegion.duckdns.org
ultimatesocial.shop
vmi2189079.contaboserver.net
xyxminerz.us

# Reference: https://x.com/techraj156/status/1876719610327650400
# Reference: https://x.com/StrikeReadyLabs/status/1876995728041443493
# Reference: https://www.virustotal.com/gui/file/4433c885cc64277717cb51bfb0dc59cd6ab4a621049e77505a0b562f97a6dde0/detection

http://93.115.172.41

# Reference: https://www.virustotal.com/gui/file/62f3a21db99bcd45371ca4845c7296af81ce3ff6f0adcaee3f1698317dd4898b/detection

93.115.172.41:1300

# Reference: https://x.com/malwrhunterteam/status/1897573392074596549
# Reference: https://www.virustotal.com/gui/file/0401191ca3f926ea9ad39af341c42a3fae5b8b21586c364f724d231b0fee3bf2/detection

http://104.194.222.187

# Reference: https://www.virustotal.com/gui/file/06458fcac0a608c8fb1e7d0dfdb5538373d0411d018b635de0503a53274a02db/detection

1gfqrj0m-8080.aue.devtunnels.ms

# Reference: https://x.com/skocherhan/status/1942049900335640592

202.107.235.202:8008

# Reference: https://www.virustotal.com/gui/file/1ce6091fe46ee36cb7ad9b77a6d51dea4c43efcea4cbf41ddd2aed415fb873e8/detection
# Reference: https://www.virustotal.com/gui/file/611d7bf8b90f38d50880efadad0edf0054e2e409c2723af581155f0cfeacf41c/detection
# Reference: https://www.virustotal.com/gui/file/dbb0ed494ec8bf4e987d3259bbb99af291ba5b0e78a1091d786cb27bf74f5097/detection

158.247.224.102:2335

# Generic (URL-path trails not tied to a specific reference above)

/bot/miner.php
/cpuminer-opt-linux.tar.gz
/honeyminer.exe
/pool_mine_example.cmd
/setup_xmr.sh
/xdi-performance.exe
/xmr.ino
/xmr.plg
/xmr64.exe
/xmr64.plg
/xmr64.zip
/xmrig.exe
/xmr.sh.sh
/xmrig.tar.gz
/xmrig.so
/xmrig-1.zip
/xmrig-2.zip
/xmrig-3.zip
/xmrig-4.zip
/xmrig-5.zip
/xmrig-6.zip
/xmrig-7.zip
/xmrig-8.zip
/xmrig-9.zip
/xmrigdaemon
/xmr/config.json
/xmr/xmrig.service
/xmr/xmrig
