# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: betruger

# Reference: https://twitter.com/AlvieriD/status/1754691984105607564
# Reference: https://twitter.com/noexceptcpp/status/1766195215453364634

ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion
ransomxifxwc5eyeopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion

# Reference: https://twitter.com/AlvieriD/status/1783261781487387003

ransomgxjnwmu5ceqwo2jrjssxpoicolmgismfpnslaicg3pgpe5qcad.onion

# Reference: https://x.com/ShanHolo/status/1868575863446602029

adidasf50messi.com
paymentsconfirm.com

# Reference: https://www.trendmicro.com/en_us/research/23/i/redline-vidar-first-abuses-ev-certificates.html
# Reference: https://www.virustotal.com/gui/ip-address/193.106.175.107/relations

12301230.co
40031.co
abccba.co
adaytriana.co
almaliam.co
chloemario.co
danielamanuela.co
helenaasier.co
isabelmartin.co
laiamia.co
martaafrica.co
martinpol.co
ola007.co
samuelelena.co
santiagocarlos.co
terms2023.co
uno230.co
updated-2023.co
updated-terms.co
updatedterms2023.co
violetavera.co

# Reference: https://45734016.fs1.hubspotusercontent-na1.net/hubfs/45734016/Ransomhub%20Group%20&%20New%20Betruger%20Backdoor%20%20Technical%20Malware%20Analysis%20Report.pdf
# Reference: https://github.com/ThreatMon/ThreatMon-Reports-IOC/blob/main/Ransomhub/Betruger/IOC/DOMAIN.txt
# Reference: https://github.com/ThreatMon/ThreatMon-Reports-IOC/blob/main/Ransomhub/Betruger/IOC/URL.txt
# Reference: https://www.virustotal.com/gui/file/c0fcf7096bccfe2252a2167a25d5b94b9fea7c8aa399f2f138f833400fcd0aff/detection
# Reference: https://www.virustotal.com/gui/file/ae7c31d4547dd293ba3fd3982b715c65d731ee07a9c1cc402234d8705c01dfca/detection
# Reference: https://www.virustotal.com/gui/file/7c53d20e882ba1b98320e76df6ff907b6a341c25e3de695657c8439a26afe09f/detection

504e1c95.host.njalla.net

# Reference: https://x.com/AlvieriD/status/1908486521151168554

ijbw7iiyodqzpg6ooewbgn6mv2pinoer3k5pzdecoejsw5nyoe73zvad.onion

# Reference: https://cybersecuritynews.com/ransomhub-ransomware-rdp-servers/
# Reference: https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/

http://38.180.139.56
164.138.90.2:3389
185.190.24.33:3389
185.190.24.54:3389
38.180.139.56:443
5.181.86.158:3389
