# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

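# Aliases: bizzana, gussdoor, remote manipulator system, rms, rmska, remote utilities, RABased
# Note: RMS / Remote Utilities is a commercial remote-administration product that attackers also deploy. The vendor hostnames listed below (e.g. id.remoteutilities.com, server.remoteutilities.com, rms-server.tektonit.ru) will also match sanctioned installs, so confirm whether the tool is authorized on the host before treating a hit as a compromise.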

# Note: https://malpedia.caad.fkie.fraunhofer.de/details/win.rms
# Note: https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/

# Reference: https://twitter.com/James_inthe_box/status/1118968911590907904
# Reference: https://twitter.com/James_inthe_box/status/1121513004627927040

159.69.48.50:5655

# Reference: https://twitter.com/dave_daves/status/1130471755783573504
# Reference: https://app.any.run/tasks/f363c1d5-45ed-4b08-ab3c-54f1f5ac1636/

kentona.su
66.111.2.131:9030

# Reference: https://twitter.com/Bank_Security/status/1148471450422140929
# Reference: https://pastebin.com/0XNMhLP2
# Reference: https://blog.yoroi.company/research/ta505-is-expanding-its-operations/

217.12.201.159:5655

# Reference: https://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments

89.144.25.32:5655

# Reference: https://twitter.com/raby_mr/status/1184430613165572097
# Reference: https://app.any.run/tasks/90aaff29-18fe-4ad1-b385-a4e0d7f19564/
# Reference: https://twitter.com/nao_sec/status/1240581594999472128
# Reference: https://app.any.run/tasks/1cc1c195-5f71-4279-a8eb-336a10d2c354/
# Reference: https://twitter.com/smica83/status/1052107791673020416
# Reference: https://www.virustotal.com/gui/file/81d42d5332d586602b4014710ebbe7068aae024ee1922f3e9e8be4d36fe07397/detection
# Reference: https://www.virustotal.com/gui/file/a4523f84e035908af8cd1e1b5fb73847c08e532416bc961abc3c77ffa664b82b/detection
# Reference: https://www.virustotal.com/gui/file/fbe265d9d8dba77e1e0e9574dfbae513dcbf6dd7e492777431c52884bec1e394/detection
# Reference: https://app.any.run/tasks/7759fbd4-7b04-4a80-aa80-f56696ccb665/
# Reference: https://app.any.run/tasks/0e85e440-595e-43de-bf17-32bdbe2f185e/

109.234.156.180:563
109.234.156.180:5655
109.234.156.180:5656
109.234.156.181:563
109.234.156.181:5655
109.234.156.181:5656
rms-server.tektonit.ru
rut-server.tektonit.ru
rmansys.ru
wininit.xyz
svchost.xyz

# Reference: https://twitter.com/JAMESWT_MHT/status/1185131622263377923
# Reference: https://app.any.run/tasks/b79dcfcd-5b9b-404f-aaf6-a9ea55109284/

79.134.225.73:3175
britianica.uk.com

# Reference: https://www.virustotal.com/gui/file/81315a77d8494695ba4453cd8f15278f214ad26373c69ef925b4711c4dda0bf6/detection

94.73.36.254:3175
biofaction.no-ip.biz

# Reference: https://www.virustotal.com/gui/file/0b96700873fba0b74c534ffcaee852b976f92de18b7ccd723dd464b56110ea06/detection

94.73.32.235:3175
enterbotvn.no-ip.info

# Reference: https://www.virustotal.com/gui/file/87a8d33209840bd40e858624cbd2952416118962b2c923b277a7796a3e4e9b02/detection

dr9.no-ip.info

# Reference: https://app.any.run/tasks/c6797f0b-722f-4f85-be9c-6957415b1c1d/
# Reference: https://www.virustotal.com/gui/file/cfcd9808e91122903281706de3d96d8249e282555d87a02c177cb705ac06fd2d/behavior/VirusTotal%20Jujubox

id.remoteutilities.com
server.remoteutilities.com
108.163.130.184:5655

# Reference: https://www.virustotal.com/gui/file/dda1fc31d4d4d37d544a3ff537863a909706b861dcaebb33c084d29f4ead488e/detection

185.121.166.28:9030
poulty55.chickenkiller.com

# Reference: https://www.virustotal.com/gui/file/78f90e9e2fa31727e50bf9c8358556f768cf8a8f847888ff8af8b920d4ddf33c/detection

194.5.98.50:9030

# Reference: https://www.virustotal.com/gui/file/e7183b9653a49d85ba53b786d844c609ee3328c973d463041f07a889a143aad0/detection

194.5.98.83:9030

# Reference: https://www.virustotal.com/gui/file/5adef384ca8b56ae3524fdde2c69c0ab25801f1fde94375696a646cef4fba2c5/detection

194.5.98.139:9030

# Reference: https://www.virustotal.com/gui/file/160a4f5e4fee2d948a2da1708418c398505fdcb2bf3804a323db2452599a4fcf/detection

184.75.209.165:9030

# Reference: https://www.virustotal.com/gui/file/4ea812dfa9ec344fecf52d0a47c6db58ef22f5fa1fa720cae96ace032438843d/detection

95.167.151.233:9030
sickly.jumpingcrab.com

# Reference: https://twitter.com/blackorbird/status/1222878160187838465 (# Wuhan)
# Reference: https://www.virustotal.com/gui/file/e6f0274fe4f0ebc7323ce86d6aceb991ae0242c8d514a1e241cbdfe88921e50d/relations

202.58.105.80:5073
9.wqkwc.cn

# Reference: https://app.any.run/tasks/54196a1e-3729-4d07-8518-c1f73a6b17ff/

wsus.eu
id.remoteutilities.com
108.163.130.184:5655
66.240.205.51:5655
23.235.252.66:5655

# Reference: https://www.virustotal.com/gui/file/9e5d3643ea41983e426f184949f4b77bc52d2951dcc57ab04466429192bc3396/detection

karensonjon.com

# Reference: https://twitter.com/fr3dhk/status/1319366605218959361
# Reference: https://app.any.run/tasks/2acce298-8180-47fd-befc-9f380468dbe4/

wsusms.com

# Reference: https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf
# Reference: https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer-new-data/99206/
# Reference: https://otx.alienvault.com/pulse/5fa440244397a8c64412347d

dncars.ru
timkasprot.temp.swtest.ru
z-wavehome.ru

# Reference: https://www.virustotal.com/gui/file/6fa7f1a905e7b9fe6c6ebb0511b679527b3a136cf178a3627cc341418ec1ddbb/detection

23031.selcdn.ru

# Reference: https://github.com/DoctorWebLtd/malware-iocs/blob/master/BackDoor.RMS/README.adoc
# Reference: https://otx.alienvault.com/pulse/5fd3e533f31a2aa08d9ac388
# Reference: https://www.virustotal.com/gui/file/75c23c42074c0cc6683e291579543941bb5207b69365c510386ba3fab3f37bcb/detection
# Reference: https://www.virustotal.com/gui/file/d17d90fd24419ddb868f945754b80e7da8eb570179e2dc867beeb769b7136745/detection
# Reference: https://www.virustotal.com/gui/file/cb8b32697730d7142ef4de56c0b4cc718abce0c2ac87218744188ad3ce1587b2/detection
# Reference: https://www.virustotal.com/gui/file/800d4b5dfbdf742feb47cf580501d3f2d558c380c7619420160c4e33bd912732/detection
# Reference: https://www.virustotal.com/gui/file/89bfdabd25b0334a7444bcb67e1d1b42907e5d8107179c7f5f0bbca8eb4219e0/detection

111.90.140.23:5651
111.90.140.23:8080
176.107.179.100:8081
176.9.112.14:5651
176.9.112.14:8080
194.9.176.31:8081
194.9.176.33:8081
194.9.176.37:5651
194.9.176.38:5651
194.9.176.38:8081
194.9.176.38:81
194.9.176.39:8080
194.9.176.39:81
95.216.64.185:8080
95.216.64.186:8080
95.216.64.187:8080
95.216.64.187:8081
95.216.64.191:8080
95.216.64.198:8080
360mediashare.com
ateliemilano.ru
gedebeywater.com
kiat.by
mystorage-settings.ru
nordtexnika.az
office360.work
office360share.com
road258.website
road349.website
savalan.az
wsus.ga
wsusms.com

# Reference: https://www.virustotal.com/gui/file/d08912c79a47501ccd1a01b350721ff7a87bcaad0af7a0a6b2943f6d30bb7009/detection
# Reference: https://www.virustotal.com/gui/file/308a5f4df9a9f8a42471440d4e8d6787b6faa87b6faed943705ea69501d3ba7b/detection

70.38.38.43:5655
rutils.com
server.rutils.com

# Reference: https://twitter.com/ffforward/status/1361362720948424705
# Reference: https://bazaar.abuse.ch/sample/ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83/
# Reference: https://tria.ge/210215-g7bdp3nema/behavioral1

209.205.218.178:5655

# Reference: https://twitter.com/JAMESWT_MHT/status/1364130821897129985
# Reference: https://app.any.run/tasks/aa80eaeb-9160-47dd-9e7c-1b86e099919a/

185.220.102.6:5651
id70.internetid.ru
zen.hldns.ru

# Reference: https://www.virustotal.com/gui/ip-address/185.161.208.186/relations
# Reference: https://www.virustotal.com/gui/file/0264bbf56bf0f491cc105ab2a3fc7e3f3cc6198fc33dd0ea74b1794d8ededf14/detection
# Reference: https://www.virustotal.com/gui/file/d9912f37e0b60988891550546dea6dc47fbfaffeaea8ce3de2cf68f15b8de986/detection
# Reference: https://www.virustotal.com/gui/file/e7226d32ed09060417beb40743aa116d200f3890b948e19fd97609ca435e84e4/detection
# Reference: https://www.virustotal.com/gui/file/f18d414efd8aa6f1493d9cf39ac3c23d79bc04514fac7f31d64232feecf58cf3/detection

185.161.208.186:5651
185.161.208.186:5652
185.161.208.186:8080
185.161.208.186:81
185.161.208.186:8888

# Reference: https://www.virustotal.com/gui/file/506e4ff03ebad6388a05dcb9339f7c093a571ee8f7661199d635a03618828839/detection

wsus2.co

# Reference: https://www.virustotal.com/gui/file/23d7771c3ba57e2bd810fa4edc5a2361d50aae0a705e3f3a3861b594c8368e78/detection

139.28.38.254:5651
139.28.38.254:8081

# Reference: https://twitter.com/fr0s7_/status/1374297423460306949
# Reference: https://app.any.run/tasks/c113a0f8-522b-4c59-a9d3-5fe3334c3bb4/

195.2.76.196:5655

# Reference: https://www.virustotal.com/gui/file/96b07b96579eb0ca13277720ec47cfd69a906bc21a6a64f2c604ad5debb9a504/detection

109.234.156.178:5655
109.234.156.180:5655

# Reference: https://www.virustotal.com/gui/file/e35570c68177b9e60777d66173b44aaff73be8c1f6da479a3ca5c09e4f7d5c6b/detection

185.175.44.167:5655
5.167.2.130:5651
moderator.hldns.ru

# Reference: https://www.virustotal.com/gui/file/6dcb5e65d0ae4f1a44f8dd510c4e7495760b2b9da0d8456b27deeb09d082a9db/detection
# Reference: https://www.virustotal.com/gui/file/5cc3322ab838ef64d006c27d63ad5cae87bf8a22295aca47f7b085bc0c57861e/detection
# Reference: https://www.virustotal.com/gui/file/ead5d0dbfc34a43c568fc76e098d51ecbde11bc844738c39f4ee5dc3477a80ce/detection

145.239.23.207:5651
145.239.23.207:8080
176.9.145.100:5651
176.9.145.100:8080
176.9.145.100:81
178.210.76.171:5651
178.210.76.171:8080
185.231.68.230:5651
185.231.68.230:8080
185.231.68.230:81
194.156.99.64:5651
194.156.99.64:8080
195.24.68.15:5651
195.24.68.15:8080
rmssrv.ru

# Reference: https://www.virustotal.com/gui/file/7c2cef408add7b5eff1a11660aab7a4ed1752934d58672b3464bdc43e4adca50/detection

37.0.11.233:5655
37.120.137.248:27699
noscammersplz.freemyip.com
sm3ij38yffe3.freemyip.com

# Reference: https://cert.gov.ua/article/18163 (Ukrainian)
# Reference: https://www.virustotal.com/gui/file/0dd54c133d44ac94bde720140474010350e978a4be1edd1db5271d41b487ddfb/detection
# Reference: https://www.virustotal.com/gui/file/1abe583a7aae9f942dec8991efcea3a95296db197374aff625e591ba137d1754/detection

101.99.93.49:4899
101.99.93.49:5651
101.99.93.49:8080
rmssrv2.ru
rmssrv3.ru
rmssrv4.ru

# Reference: https://www.virustotal.com/gui/file/00229bd4544420c2b62192e15e48f342934379dad87450732de381c585d70f37/detection

193.111.2.245:5651
91.240.86.200:5651

# Reference: https://www.virustotal.com/gui/file/0047748191c2a37eebf6217d4c8426086c1bd8f3a5ad24b59b939c9f4f0bd6dc/detection

213.135.95.70:5651

# Reference: https://www.virustotal.com/gui/file/b7a5208917a1ba6daaf75b66517dcdea06ec91fa29b303be762f4b944c884857/detection

87.255.25.160:5655
87.255.25.160:8080
fbkw.ru
kekw.ru
s1.kekw.ru

# Reference: https://www.virustotal.com/gui/file/d0ce94f2c256f808b4b584da0448de139c7602bfc651c6e74161487cd9839147/detection
# Reference: https://www.virustotal.com/gui/file/68357016279f3fa9a8e8cd14dff54d058efd6415891009710ca9d3fb024a04b6/detection

94.199.106.182:5655
cum.fbkw.ru

# Reference: https://www.virustotal.com/gui/file/26ff0f66ad9ca0b5f45280b59415c623681820dbad6ae8b9dc53888424d664df/detection

18.222.44.201:5655
s0.kekw.tk

# Reference: https://cert.gov.ua/article/3863542 (# UAC-0096)

101.99.91.158:5651
101.99.91.167:5651
101.99.91.170:5651
101.99.91.179:5651
101.99.91.19:5651
101.99.91.76:5651
101.99.93.104:5651
101.99.93.109:8080
111.90.148.190:5651
111.90.148.194:5651
111.90.148.194:8080
111.90.148.197:8080
111.90.148.199:5651

# Reference: https://threatfox.abuse.ch/browse/malware/win.rms/

http://85.192.165.221
106.250.166.45:5683
106.250.166.45:5700
109.195.195.159:5655
109.234.156.179:5655
112.220.118.66:5655
128.204.191.131:5565
151.252.111.45:5655
152.168.39.243:5655
156.67.192.70:443
182.93.93.132:5655
185.106.123.200:5655
185.163.117.35:5655
185.175.44.167:563
185.251.25.64:5655
185.82.202.138:5655
192.70.196.65:5655
194.132.81.201:5655
194.169.163.42:5655
194.190.103.33:5655
194.212.26.172:5656
194.226.128.207:5655
194.87.186.40:5655
195.154.84.75:5655
196.40.180.218:5655
209.66.104.126:5655
213.252.246.63:5655
216.158.232.18:443
217.12.206.218:5655
37.58.60.5:5655
43.255.175.215:443
45.144.30.30:5655
45.82.71.172:5655
5.133.65.53:5655
50.240.232.117:5655
51.83.171.208:5655
51.83.171.223:5655
52.208.217.243:5655
54.188.107.146:5655
65.0.5.240:5655
66.208.244.253:5655
66.23.226.254:443
66.23.226.254:5655
77.161.25.182:5655
77.223.124.210:5655
77.223.124.211:5655
77.223.124.212:5655
77.247.243.43:5655
80.89.239.149:5655
80.95.202.4:5655
82.146.153.37:56550
83.220.53.151:5655
83.69.2.130:1812
85.143.112.188:5655
86.109.201.118:443
87.103.195.248:5655
87.75.248.145:5655
89.32.229.110:5655
89.46.65.213:5655
91.191.236.61:5655
91.230.210.144:777
94.142.128.2:5655
95.143.15.215:5655
95.213.205.82:5655
95.213.205.83:5655
96.85.25.29:5655

# Reference: https://twitter.com/Cyber0verload/status/1691063369921351680

185.144.28.175:5655
185.18.55.247:5655
194.9.71.106:5655
37.57.137.208:5655

# Reference: https://www.virustotal.com/gui/file/36e9cc2afe989974b0e5103674ac4eb8c0832711a4e6d38c4d7e411b4a21454f/detection

id71.remoteutilities.com

# Reference: https://www.virustotal.com/gui/file/898230b964515004655ef139b9158d7c494af778a643c6f9781072c1a73a5899/detection

213.59.132.218:5655

# Reference: https://threatfox.abuse.ch/ioc/1189951/

90.188.7.217:5655

# Reference: https://www.virustotal.com/gui/file/7f7e7ecc5777ca78874fa63b322b4f13558a702b110e8b52d564b8839dee96c6/detection

http://152.89.198.77
152.89.198.77:5655

# Reference: https://www.virustotal.com/gui/file/79da7ae818c5ce5521747b1295099ef2832d9f5defd41d84d45efe97feac1069/detection

http://45.87.154.158
45.87.154.158:5655

# Reference: https://www.virustotal.com/gui/file/158626f262dd76a8d945f595ffa1103031e1997d1d4cdff5fa6f5a4217e9d366/detection

176.9.64.70:5651
176.9.64.70:88
178.210.76.171:5651
185.231.68.230:5651
185.231.68.230:82

# Reference: https://www.virustotal.com/gui/file/f1558f18bec678e548796204e23e3d845b1d163d2ae45bfd733640f7ecd174d8/detection

176.9.64.70:8081
176.9.64.71:5651
176.9.64.72:5651
176.9.64.73:5651

# Reference: https://twitter.com/angel11VR/status/1745397925570564478
# Reference: https://pastebin.com/j8h6XpV7

188.127.224.64:5651
77.105.132.124:465
77.105.132.124:5651
77.105.132.70:465
77.105.132.70:5651

# Reference: https://cert.gov.ua/article/6277063 (# UAC-0050)

77.105.132.124:2404
77.105.132.124:2525
77.105.132.124:4899
77.105.132.124:5555
77.105.132.124:8080
77.105.132.70:2404
77.105.132.70:2525
77.105.132.70:4899
77.105.132.70:8080

# Reference: https://twitter.com/angel11VR/status/1749351271146922312
# Reference: https://twitter.com/Cyber0verload/status/1749354769674535202

109.107.182.200:5651
109.107.182.205:5651
109.107.182.207:5651
109.107.182.212:5651
109.107.182.232:5651
185.70.104.112:5651
185.70.104.90:5651
185.70.104.90:5655
185.70.104.99:5651
5.42.92.30:5651
5.42.92.31:5651
5.42.92.32:5651
5.42.92.37:5651
5.42.92.44:5651
8161.uk

# Reference: https://www.virustotal.com/gui/file/99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98/detection

109.234.156.182:5655

# Reference: https://threatfox.abuse.ch/browse/malware/win.rms/ (# 2024-09-09)

106.250.166.45:5711
106.250.166.45:5726
178.238.112.11:56555
90.188.254.248:5655
91.191.236.61:49847
91.199.147.204:5655

# Reference: https://www.virustotal.com/gui/file/5d27af8fb8639dc71deae128c9c8889de854d134e7887694280f54b4a2d501d8/detection

http://104.194.152.142

# Reference: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-01-IOCs-for-RMS-based-malware.txt

http://111.90.140.34
111.90.140.34:465
111.90.140.34:5651
111.90.140.34:8080
65.21.245.7:5651

# Reference: https://x.com/StrikeReadyLabs/status/1851251310454055183
# Reference: https://cert.gov.ua/article/6281202
# Reference: https://www.virustotal.com/gui/file/7d2f4e61bd5be745eb43d09e66674ae7f99b0da8ab4f939d0c853b0f9144c9ba/detection

http://111.90.140.76
111.90.140.76:465
111.90.140.76:5651
111.90.140.76:8080
65.21.245.7:5555
dpsu-gov-ua.com
tax-gov-ua.com
qaz.im/load/24A3zr/95a741c4-3e45-4232-80b5-2b63024e5417
qaz.im/load/2yEDdB/d5605a20-a710-4451-8960-a85b252de11a
qaz.im/load/92rksf/8bd23fcf-ac4e-4316-ac7a-cd868498bbb7
qaz.im/load/ADYRrD/14248bac-ac25-4ba4-a8f8-55adb7fabab5
qaz.im/load/E5t5Ak/ad6e5edf-6a3e-40ec-beb7-362a57bdd366
qaz.im/load/FF6z7H/c0c57bb4-7b11-48c2-8698-eac2bc0053bd
qaz.im/load/QtDiys/c8b17655-2350-46ff-9500-aa7cce7dded1
qaz.im/load/anzRbi/4625764e-e4ed-423f-ba72-5f554565bde5
qaz.im/load/bY2Qey/628078c0-0acb-4629-b789-88290052ccda
qaz.im/load/iRYee3/c30a179d-65c7-4b3a-8482-c5e520160803
qaz.im/load/tf26t3/6b836ab8-9521-4e23-ad46-8384461defee
qaz.im/load/zBAzNQ/e7ead79f-5754-49c2-b2a4-19577fb1a3bf
qaz.im/load/zFyFG3/1fe83bc0-a8d6-44f1-b2f2-f33e47de4d04
qaz.is/load/NY37ZQ/f341bee7-2fc1-4862-8b7c-65cab54c0b7c
qaz.is/load/fK7NR3/668d3238-49f0-4207-9478-4e8005840fbb
qaz.is/load/kftbyz/fa06a7ab-3e61-457b-97ef-e16d5f904765

# Reference: https://x.com/Cyberteam008/status/1869925324567584810
# Reference: https://www.virustotal.com/gui/file/f11c06f1fd567e26fb4ce9999749516b6e47ade4ee0b7b875a75a5cbfb74dc04/detection
# Reference: https://www.virustotal.com/gui/file/beaa1498a67bab02bc4c08f00bde36489aaa86ad8b01ee70b477452a08d360ec/detection
# Reference: https://www.virustotal.com/gui/file/ba82fe356b21118d92b04a74ef8466a59f4802fd9b061f6e9a28e16cf7a5a8b3/detection

http://111.90.147.125
111.90.147.125:465
111.90.147.125:55555
111.90.147.125:5651
78.138.9.142:5651
78.138.9.142:8080

# Reference: https://threatfox.abuse.ch/browse/malware/win.rms/ (# 2025-01-02)

106.250.166.45:5721
151.237.170.179:5655
188.68.217.6:1812
93.183.78.36:63655

# Reference: https://x.com/skocherhan/status/1906535462212153506
# Reference: https://www.virustotal.com/gui/file/0b517963aa601f3ed63d70bf6c8dbc1fe00fe9607b49b4b930bc8a2d1a5cb80d/detection
# Reference: https://www.virustotal.com/gui/file/16435ef6e31ca21c40126acdc76b67ee8d689205d366b8f8ce58e1374011cc0e/detection

194.180.158.11:5655
floatnightlife.com
itspostwave.com

# Reference: https://www.virustotal.com/gui/file/8595d98ac51b43f0bb857e742204f0e2729497cfa48df985e018d4b9d16bc379/detection

185.215.113.105:5655
216.158.232.18:5655
64.20.61.146:5655

# Reference: https://www.virustotal.com/gui/file/8bfb0584840c73e2ccf82cff097c4ea2bd52c90b7ab8c0faa8f945226af263a1/detection

103.151.125.139:5655

# Reference: https://www.virustotal.com/gui/file/75b476bc8b54a1f8bca8a0e446d9233ab5f4a8f37e5084bcf9af8ffbde883920/detection

176.107.180.11:5651
176.107.180.55:5651
195.189.226.32:5651

# Generic trails (URL paths, not tied to a specific host)

/utils/inet_id_notify.php
