# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: socks5systemz

# Reference: https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits
# Reference: https://otx.alienvault.com/pulse/5d4431e60c6bf943f7f039aa

http://146.0.75.34
amnsns.com
calacs-laurentides.com
crypto-crypto.site
dsntu.top
elienne.net
gougounu.site
mmasl.com

# Reference: https://twitter.com/VK_Intel/status/1176927389328261121
# Reference: https://www.virustotal.com/gui/file/7976bfcea5c86a0b12266993b17176398d3eabe817f3c44f1a212bca9234698d/detection

fresher.at

# Reference: https://twitter.com/pancak3lullz/status/1334638629654814720

172.105.253.97:4001
http://172.105.253.97

# Reference: https://news.sophos.com/en-us/2020/12/16/systembc/
# Reference: https://otx.alienvault.com/pulse/5fe3992846c25c7182e066ed

advertrex20.xyz
advertsp74.xyz
asdasd08.com
asdasd08.xyz
decatos30.com
decatos30.xyz
gentexman37.xyz
mexstat128.com
sdadvert197.com
shopweb95.xyz

# Reference: https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/
# Reference: https://otx.alienvault.com/pulse/601aedb7c7c215c1dc3bb6db/

alnujaifi-portal.com/ds/3101.gif
clinica-cristal.com/ds/3101.gif
eyeqoptical.ca/ds/3101.gif
gbhtrade.com.br/ds/3101.gif
newstimeurdu.com/ds/3101.gif
remacon.net/ds/3101.gif
skconstruction.info/ds/3101.gif
/ds/3101.gif

# Reference: https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/
# Reference: https://otx.alienvault.com/pulse/609abec825e7816948042cc0
# Reference: https://www.virustotal.com/gui/file/2dc93817039e6fa4fae014e1386cffa7ac35b89feac59d8abe7f51be1c089580/detection

23.227.202.22:4142
79.110.52.9:4142
193.29.104.187:443

# Reference: http://www.intel471.com/blog/cobalt-strike-cybercriminals-trickbot-qbot-hancitor

172.105.253.97:4001
80.85.84.79:4001

# Reference: https://www.virustotal.com/gui/file/114e10d27381de27f9442d15a57fd5a4afec3e287176cd793d7cd1689e96cf17/detection
# Reference: https://www.virustotal.com/gui/file/04eac372fbe81ab6bc47ea4d728323026a08324b5edc7aa62c9ebfc664eef824/detection

109.234.39.169:4001
adirtasolution.co.id

# Reference: https://www.virustotal.com/gui/file/5398d64f2fdfb55776a0ae2eec9d8702223356ff327a91e502eaa45f14d88632/detection

139.60.161.24:4658
192.53.123.202:4658

# Reference: https://www.virustotal.com/gui/file/00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555/detection

31.44.185.11:4001
31.44.185.6:4001
michaelstefensson.com

# Reference: https://twitter.com/0xrb/status/1509072321155579907

http://31.44.185.11
http://31.44.185.6

# Reference: https://asec.ahnlab.com/en/33600/
# Reference: https://otx.alienvault.com/pulse/625527f81b8187c8c082d7a4
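# Reference: https://www.virustotal.com/gui/ip-address/194.67.92.180/relations
# NOTE(review): the bare http:// IP entries, the two :9131 entries and 171.25.193.9:443 in this group look like Tor directory authority addresses rather than SystemBC-operated hosts (the group also lists an .onion name).
# A match on those alone more likely indicates Tor bootstrap traffic than a SystemBC infection - confirm and correlate with the other indicators before escalating.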

http://131.188.40.189
http://154.35.175.225
http://193.23.244.244
http://194.109.206.212
http://199.58.81.140
http://204.13.164.118
http://86.59.21.38
128.31.0.34:9131
128.31.0.39:9131
192.64.119.142:4044
194.67.92.180:40690
171.25.193.9:443
31.44.185.11:4001
31.44.185.6:4001
45.153.240.65:4044
45.32.132.182:4177
89.108.99.179:40690
96.30.196.207:4177
admex175x.xyz
dfhg72lymw7s3d7b.onion
mapfiles.info
pushsecs.info
servx278x.xyz
db1.mapfiles.info
db2.mapfiles.info
db1.pushsecs.info
db2.pushsecs.info

# Reference: https://twitter.com/0xrb/status/1516651127944941568
# Reference: https://www.virustotal.com/gui/file/fe6d6d15e0ffa8717c2a5ac80b7f117e853c05cd642c746bb2eab0f70416150d/detection

88.80.188.245:4170

# Reference: https://twitter.com/0xrb/status/1517368003389968384
# Reference: https://www.virustotal.com/gui/file/57eccf5d61a8ca0b2bea78e57df2c987ae07232f2e7ed43bb90314e73aeae543/detection

194.93.56.202:4001

# Reference: https://twitter.com/0xrb/status/1518499002681282560
# Reference: https://www.virustotal.com/gui/file/3f1e3e41c78f34a4012539afc1fa37eb88d12de49f12d688f40d86c8f4bbfe06/detection
# Reference: https://www.virustotal.com/gui/file/6aea048eb43309ce48f54eb1575c93d898ee8c3726dc6871a5e3a65d4f7810e9/detection

http://143.244.175.124
http://192.53.123.202
143.244.175.124:4225
192.53.123.202:4225

# Reference: https://twitter.com/0xrb/status/1519959623369113600
# Reference: https://www.virustotal.com/gui/file/fe6d6d15e0ffa8717c2a5ac80b7f117e853c05cd642c746bb2eab0f70416150d/detection

http://88.80.188.245
88.80.188.245:4170

# Reference: https://twitter.com/0xrb/status/1519956419197677568
# Reference: https://twitter.com/abuse_ch/status/1534791877202956289
# Reference: https://www.virustotal.com/gui/file/d0f3211e3a351e4f7384243f983a33a0b4e989b61fea1e1c098bb5c8241ae102/detection

45.11.57.142:1488
62.182.82.33:1488
usaf.army

# Reference: https://twitter.com/0xrb/status/1523630947790626819
# Reference: https://www.virustotal.com/gui/file/9d396abb34553871ffd2776aa0ca2997c83c047ce852b2cf328f374438380853/detection

104.200.67.101:4001
nadrmcrosftn.com

# Reference: https://twitter.com/0xrb/status/1524266350042304512
# Reference: https://www.virustotal.com/gui/file/d20def2014332b3391f52f726374f221dbbb06b748e02371d37cbe7ec53f1664/detection

46.30.189.212:4210
62.113.196.57:4210

# Reference: https://tria.ge/201201-159fq8bewa/behavioral1

179.43.178.96:4141

# Reference: https://tria.ge/201129-7zy2lhx2rs/behavioral1

31.44.184.186:4132

# Reference: https://tria.ge/201128-7s6f8xmqga/behavioral1

23.106.215.30:4044

# Reference: https://twitter.com/jaydinbas/status/1554857469326901249
# Reference: https://tria.ge/220803-sz7aesdffq

20.115.47.118:4245
20.157.93.87:4245

# Reference: https://twitter.com/0xrb/status/1572547656257511424
# Reference: https://www.virustotal.com/gui/file/873a028cd3d8f457b4f7b8036afbc736466eade13f229b92ae4d9c67815da376/detection

http://146.70.101.95
146.70.101.95:4001

# Reference: https://twitter.com/nosecurething/status/1574964679280951297
# Reference: https://www.virustotal.com/gui/ip-address/194.67.119.190/relations

cloudupdatesss.com

# Reference: https://twitter.com/0xrb/status/1577918892248162304
# Reference: https://www.virustotal.com/gui/file/4246b1740af95e953c8010a6d99c0ab72622b892bc1dbb955eec4067d90d7763/detection

185.215.113.105:4001

# Reference: https://twitter.com/bofheaded/status/1584268766229454850
# Reference: https://www.virustotal.com/gui/file/605fa356dc438ac90419f85f0e903bd64f34125b6c52aeac3e58dd0056122650/detection
# Reference: https://www.virustotal.com/gui/file/01a5005f3ad75fd7073b3eaccbc3dfc7b5a3fe71653abd9e811b9da3d3edda76/detection
# Reference: https://www.virustotal.com/gui/file/04d31c61d53359359e896db066a150f94321c1fd788a9ef7cb6a3e08ab963761/detection

http://45.15.156.48
45.15.156.48:4254
45.15.156.48:8285

# Reference: https://www.virustotal.com/gui/file/fb10e32875d3c0c3a8fff27f74df07f2091cc9369d9f1021a437abb97e06d35f/detection

http://185.82.217.131
185.82.217.131:443

# Reference: https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
# Reference: https://otx.alienvault.com/pulse/6359505e5a342ac921b5e94e
# Reference: https://www.virustotal.com/gui/file/e61b78e1e38008f7ef0aceb0a386175084f2c3d5cc360e133b6c02e87bb678bb/detection

http://185.82.219.201
185.82.219.201:443

# Reference: https://twitter.com/0xrb/status/1588045243236032512
# Reference: https://www.virustotal.com/gui/file/750cf12b5500d4837fa3acfbdbe75339c03d76b136ca200c5edf360e088c4db1/detection

45.182.189.231:443

# Reference: https://twitter.com/Merlax_/status/1582488153948323841

http://156.96.62.54
http://156.96.62.57
http://31.41.244.183
http://45.61.137.253
http://45.66.248.241
http://5.255.103.142
http://5.45.74.40

# Reference: https://www.virustotal.com/gui/file/c08def26508e296b96abad65537e8a265711b74e5e9856295143af848c3c6af9/detection

89.41.182.153:4001

# Reference: https://www.virustotal.com/gui/file/691de4b62a44a670c721c4015a854c157d73be1bf96e412133b0d1ea7124ae4e/detection

109.206.243.58:81
89.22.236.225:4193

# Reference: https://www.virustotal.com/gui/file/3cd56d548fd9c900601b6882a7450acf8d6cfce9fa505c16155b1e0b38696160/detection
# Reference: https://www.virustotal.com/gui/file/6db824ea5f4d66e385965fcdab37fe9e15a3212bc4ce0c3caf5b726736610e1f/detection
# Reference: https://www.virustotal.com/gui/file/7d752858a3e0f3f96cb0402c9daf0b39fd56e39f52f986a2cbe39872b258d35f/detection

5.45.76.16:4246
5.45.74.40:4246

# Reference: https://www.virustotal.com/gui/file/e270841232d0d3095f915ade9c899207a1da577bae4f83fdcc63ee14780e5304/detection

20.245.196.4:4001

# Reference: https://www.virustotal.com/gui/file/6c278ae9867cbc45cc7be476e60e455f525655e872b2a8231d36490262dbb7bb/detection

34.171.171.32:4248
46.23.109.147:4248
slavelever.info
slavelevereoewl.info

# Reference: https://www.virustotal.com/gui/file/c1f83eca657eb74769e9df053eb430c11cbcb123004179f2196fec6f45e48099/detection
# Reference: https://www.virustotal.com/gui/file/abb0274cd08aa1d818c2a3f3b3650a1f699aead09d435e63473dde45826cad43/detection

104.238.140.73:4177
149.28.72.85:4177

# Reference: https://twitter.com/bofheaded/status/1599036327294828545

http://104.238.140.73
http://149.28.72.85
http://20.245.196.4
http://46.23.109.147
http://5.45.76.16
http://89.22.236.225
http://89.41.182.153

# Reference: https://www.virustotal.com/gui/ip-address/34.171.171.32/relations
# Reference: https://www.virustotal.com/gui/file/321ff880be2af53ff3efab99a1e51e4ffad39e710f761188eab599c4a356cb7d/detection

hcwakentent.com
hcwakententx2.com

# Reference: https://www.virustotal.com/gui/file/8381178662754cf98d5a9a3ee9a8019874a4b2940f5e701f6c20bbc04275c286/detection

192.169.6.111:4175
67.198.232.34:4175
sadfsdfjj4838377aa.cc

# Reference: https://www.virustotal.com/gui/file/a18142eec089782245301e46c1cfd35a5b2b7b3ae51c69196077cbfc4d0d1ce5/detection

199.192.29.149:4035
jmlor.com
lisnm.com

# Reference: https://www.virustotal.com/gui/file/463fcd6210c8bdf47e79cb0a06c76333a40ecd4443b44642407074c82fccf404/detection

core-networking.com

# Reference: https://www.virustotal.com/gui/file/06ae0467cf443f36369f5e400a963aa57a7a26741d31ed187945fa31da7957fa/detection

142.4.5.169:4039
26asdcgd.com
26asdcgd.xyz

# Reference: https://www.virustotal.com/gui/file/0ce6da681584201acdb46a8a73395ffaf64db8944ad335511ec06a4f3bbdb73f/detection

194.58.112.174:4035
89.203.251.227:4035
bankshopstars.bar
bankshopstars.space
imana-chi.nl

# Reference: https://www.virustotal.com/gui/file/006716664383ab81ab3593dbe956c173b087bfcf1b94f53c710ba0557a8778b0/detection

195.2.73.159:4039
anarhi2402.com
anarhi2402.xyz

# Reference: https://www.virustotal.com/gui/file/23f400b92497928546a17a9fce1457b54096522b0bda372cbf750003aa6b073b/detection

asdasd05.com
asdasd05.xyz

# Reference: https://www.virustotal.com/gui/file/1142ce10f02a4a1fa3411db2b5e46f7e1b9e06792ee323c2a51b92ae5857c9f7/detection

142.4.7.183:4035
dasd13d.com
dasd13d.xyz
fb01ddd.com
fb01ddd.xyz

# Reference: https://www.virustotal.com/gui/file/1021deecef69ff06cb704b3cadae33fe7ffbf87f2b9daa670502569d2a387edf/detection

95.142.45.61:4039
dec15coma.com
dec15coma.xyz

# Reference: https://www.virustotal.com/gui/ip-address/34.171.171.32/relations
# Reference: https://www.virustotal.com/gui/file/7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e/detection

scserv1.info
scserv2.info

# Reference: https://www.virustotal.com/gui/ip-address/34.171.171.32/relations
# Reference: https://www.virustotal.com/gui/file/5274078106ca260d04455bb46407cc2dd37ffa7b44eebe877dc3f7c1731e0e9f/detection

freesocksvpn.xyz
freevpnsocks.xyz

# Reference: https://www.virustotal.com/gui/file/b2d6b7c088ae1bde91bd043106a853c5b54bc1270e694847c2eafd8db0bdf29f/detection

51.91.209.190:4153
gambinos.space

# Reference: https://www.virustotal.com/gui/file/2420dca85bb446e3c494d9a0caf28ec24d448d4f562a1f47921514117ca9a426/detection

89.203.249.203:4035
gameblog18.xyz
gamelom20.com

# Reference: https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c

http://107.155.124.13
http://108.61.245.154
http://108.62.141.227
http://109.201.140.54
http://109.201.142.17
http://134.195.14.192
http://135.181.37.144
http://138.197.141.150
http://139.60.161.58
http://140.82.16.134
http://142.132.185.13
http://146.0.77.21
http://146.70.41.133
http://146.70.44.168
http://146.70.78.22
http://149.248.18.56
http://149.28.145.240
http://149.28.201.253
http://165.227.204.91
http://172.105.16.113
http://172.106.86.12
http://173.255.208.126
http://176.123.6.150
http://176.123.8.226
http://178.20.41.173
http://179.43.178.96
http://185.118.167.155
http://185.119.57.126
http://185.125.230.131
http://185.158.155.175
http://185.159.82.73
http://185.186.245.37
http://185.191.32.191
http://185.193.91.234
http://185.197.74.227
http://185.198.56.2
http://185.209.30.180
http://185.209.30.232
http://185.215.113.101
http://185.215.113.32
http://185.222.202.66
http://185.233.2.50
http://185.235.244.244
http://185.254.121.121
http://185.33.84.190
http://185.61.138.59
http://185.70.184.5
http://185.70.186.170
http://188.209.52.188
http://188.212.22.165
http://190.2.145.98
http://193.109.69.17
http://193.29.56.71
http://194.5.250.151
http://194.61.24.117
http://194.93.56.214
http://195.123.241.38
http://195.133.40.103
http://195.2.73.44
http://199.19.225.233
http://199.247.25.132
http://206.189.120.27
http://207.32.216.202
http://212.114.52.149
http://213.159.213.225
http://213.227.155.220
http://217.182.46.152
http://217.8.117.18
http://217.8.117.42
http://217.8.117.65
http://23.106.223.52
http://23.152.0.38
http://23.249.163.103
http://23.82.141.176
http://31.184.218.251
http://35.246.186.86
http://37.1.204.96
http://37.1.220.248
http://37.49.229.138
http://45.134.26.93
http://45.138.172.144
http://45.141.87.60
http://45.145.67.170
http://45.153.186.243
http://45.156.26.59
http://45.56.102.245
http://45.77.65.71
http://45.77.65.72
http://45.86.162.14
http://46.166.161.93
http://46.166.176.247
http://5.132.191.104
http://5.132.191.105
http://5.183.95.197
http://5.188.60.95
http://5.206.224.199
http://5.255.97.23
http://5.34.178.172
http://5.39.221.47
http://5.79.124.201
http://62.113.255.16
http://62.113.255.29
http://62.210.54.235
http://65.21.93.53
http://66.42.91.161
http://69.61.107.218
http://74.125.112.7
http://74.125.46.143
http://74.125.74.6
http://78.141.210.78
http://78.47.64.46
http://79.141.160.156
http://80.233.248.109
http://80.66.88.139
http://80.66.88.165
http://84.38.129.162
http://85.25.207.68
http://89.39.105.111
http://89.43.107.126
http://91.142.77.52
http://91.212.150.113
http://91.212.150.133
http://91.213.50.135
http://91.217.137.44
http://91.218.114.16
http://91.234.254.128
http://91.243.44.5
http://92.163.33.248
http://92.53.90.70
http://92.53.90.84
http://92.63.197.143
http://93.114.128.189
http://93.187.129.252
http://94.103.95.115
http://95.181.152.152
http://95.216.118.223
http://95.217.132.79
31337r.hk
3q5d4sgdxdxkkzhl.onion
4renewdmn.biz
63bwf6zdrgsmagpt.onion
adobeupd.host
aitchchewcdn.online
amendingnoum.xyz
annaklein.fun
annaweber.fun
arhi-lab.com
artkalyan.shop
avluboy.xyz
backpscpnl.xyz
bc.fgget.top
bitdesk.online
bljxlgj4h4yuxkju.onion
bmwsocksmozg.top
brabulco.ac.ug
buffalostores.cc
bullioncdn.com
carnessanjuanmedina.com
cashnet-server.com
cleanerwors.com
coinsdoctor.bit
coinupdater.bit
cp.nod32clients.com
criminal-records.life
data.servicestatus.one
dealsbestcoupons.com
dktigsgquxihyrik.onion
dwuhpii.bit
e6rldxwjc4jeb72c.onion
efydniaemviuxkfo.onion
fahrrados.de
farfisada.ga
fastconnectionbit.xyz
fgget.top
fhaaaggs.ml
fmk7kux2dsxowkks.onion
fragrant.digital
generalnetworking.net
gosigoji.bit
h4yk5u554epyhhen.onion
hfbplsny55xcsgbn.onion
infodialsxbz.com
jjj.rop.dev
jjj2.rop.dev
jlayxnzzin5y335h.onion
joiasbella.com.br
kvarttet.com
mainscpnl.xyz
maka.bit
maniodaris.com
masonksmith.me
masonksmith.tech
master-socks.cc
microsoftmirror.ac.ug
mobinetworks.xyz
mokkotapia.com
moscow11.icu
mydomain47267.xyz
mydomain47294.xyz
ncordercreatetest.com
ns1.vic.au.dns.opennic.glue
ns2.vic.au.dns.opennic.glue
ordercouldhost.com
polidestar.com
predatorhidden.xyz
proredirector.com
prorequestops.com
protoukt.com
proxybro.top
proxybum.xyz
proxyshmoxy.xyz
proxysteu5m36rdt.onion
qtrader.club
r55q2zj8sb89b33k.bit
rarlabarchiver.ru
reserveupdate.com
s.avluboy.xyz
s1.freesocksvpn.xyz
s1.freevpnsocks.xyz
s2.avluboy.xyz
sdkfjjkfasdjfiu435dzz.cc
shellcon.pro
socks5.eu
socks5.in
socks5v7v2snlwr7.onion
socksbswfjhofnbu.onion
srv1619541516.hosttoname.com
ssl.virtualpoolnet.com
sweetcloud.link
system.proredirector.com
systemhomeupdate.com
t6xhk2j3iychxc2n.onion
tbueguicsrwo64i7.onion
tdsstats.mooo.com
tik-tak-super-puper.xyz
tik-tak.club
verguliosar.com
vpnstart.chickenkiller.com
whatimnot.sc.ug
whatshoetowear.com
xxxxxxtnuhffpbep.onion
zghiexdgwfzi44b5.onion

# Reference: https://www.virustotal.com/gui/file/32cf4eecc1668f434411b8d87db27f4c9d49e2f749e44b48159e2f2a2823cdc2/detection

77.246.156.240:4153
dl-link.club
dl-link.network

# Reference: https://www.virustotal.com/gui/ip-address/34.171.171.32/relations
# Reference: https://www.virustotal.com/gui/ip-address/51.91.209.190/relations

admstat45.xyz
advertpage50.club
advertpush20.club
advertspace10.club
advertstar450.club
advertstar55.club
americalatina.club
bjkuipe.xyz
dasdasd28asd.com
devstudiakomp.com
dexblog90.club
fanblog79.xyz
fanstat18.club
femstat8.xyz
jiklasmsj.site
logstat17.club
mdadvertx17.xyz
pkspacex19.xyz
sasdcs28sd.xyz
spacestat7.xyz
spexblog17.xyz

# Reference: https://www.bitsight.com/blog/cova-and-nosu-new-loader-spreads-new-stealer
# Reference: https://www.virustotal.com/gui/file/b369ed704c293b76452ee1bdd99a69bbb76b393a4a9d404e0b5df59a00cff074/detection

http://80.66.77.125
http://80.66.77.54
http://80.66.77.6
http://80.66.77.60
http://80.66.77.63
http://80.66.77.95
80.66.77.6:4001
80.66.77.60:4001
rafaeldutra.com

# Reference: https://twitter.com/Merlax_/status/1602757241580523520
# Reference: https://www.virustotal.com/gui/file/b17a48ba49a976f74de6ad6aaa02e89f5ddd32a0c29de705889bd7256d7d2bc7/detection
# Reference: https://www.virustotal.com/gui/file/b0976ba51a18f04b72f82746e6a640d486e9823dad8c4b4802c3a6e5f1e09bcc/detection

http://188.214.129.3
188.214.129.3:4223
188.214.129.3:443

# Reference: https://twitter.com/Gi7w0rm/status/1642543659445878784

http://45.138.74.200

# Reference: https://twitter.com/bofheaded/status/1654131522163859458

45.77.115.67:443

# Reference: https://twitter.com/bofheaded/status/1654131522163859458
# Reference: https://www.virustotal.com/gui/file/f90cac94e15dcd83102e845c4e1e10e244506615157f19b8dd816c1ce32fca1e/detection
# Reference: https://www.virustotal.com/gui/file/44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace/detection

194.40.243.240:3666
65.21.119.52:4277
nftday.art

# Reference: https://twitter.com/g0njxa/status/1667316477584711680

http://5.42.65.67

# Reference: https://twitter.com/Gi7w0rm/status/1685593899576733696
# Reference: https://raw.githubusercontent.com/Gi7w0rm/MalwareConfigLists/main/SystemBC/c2_collection_2020_to_2023.txt

104.144.69.123:4001
104.217.8.100:5050
107.155.124.13:4001
107.172.197.105:4016
107.175.150.179:4001
109.107.187.226:4001
109.205.214.4:443
135.125.248.50:443
137.74.151.42:4072
139.144.79.152:443
139.177.192.90:443
139.177.193.173:443
139.60.161.58:4125
141.255.166.149:4125
141.98.82.229:4001
144.76.223.74:443
144.76.235.89:8080
146.0.75.34:4083
146.70.101.80:4001
146.70.53.169:4163
146.70.53.169:4230
146.70.53.169:4241
146.70.53.169:4244
146.70.53.169:4249
146.70.53.169:4254
146.70.53.169:443
146.70.86.61:443
148.251.236.201:443
149.248.14.222:443
149.248.34.200:4001
149.28.10.250:4001
15.204.166.162:5757
152.89.247.66:4142
162.252.175.101:443
162.33.179.100:443
162.33.179.20:4001
172.104.63.157:4001
172.105.168.86:4241
172.105.196.152:4114
173.209.51.114:40218
173.254.204.89:4210
173.255.208.126:4170
175.155.158.185
176.124.205.5:4193
178.20.41.149:4001
178.20.41.173:4001
178.20.44.196:4127
178.79.162.163:4114
178.79.174.207:443
185.105.4.112:4062
185.125.230.131:4016
185.161.248.16:4440
185.173.39.49:4001
185.197.74.227:4053
185.198.56.2:4171
185.209.30.138:4127
185.209.30.180:4001
185.215.113.21:4230
185.215.113.32:4000
185.33.84.190:4124
185.61.138.99:4115
185.70.184.41:4001
185.73.124.17:4163
186.2.171.65:4001
188.127.224.46:4251
192.153.57.198:4001
192.155.111.215:4125
192.169.6.197:4210
192.248.166.56:443
192.53.123.202:4001
192.53.123.202:40218
192.53.123.202:4127
192.53.123.202:4142
192.53.123.202:4192
192.53.123.202:4199
192.53.123.202:4211
192.53.123.202:443
193.106.191.184:4250
193.106.191.185:4250
193.109.69.17:443
193.29.56.71:4210
194.180.174.9:4244
194.33.45.6:4001
194.36.177.46:4257
194.87.111.29:4289
194.87.111.29:4308
194.87.111.29:5757
194.93.56.207:4001
195.2.73.44:4001
195.2.76.80:4001
195.2.93.22:4193
207.148.10.113:443
207.32.216.202:4211
210.16.67.250:3000
212.8.244.5:4001
213.159.213.225:4062
217.182.46.152:4179
217.8.117.114:4062
217.8.117.24:4097
217.8.117.65:4001
23.137.249.215:4001
23.19.227.233:4142
23.95.44.228:53
31.222.238.58:4280
31.41.244.183:4257
31.44.184.201:4081
31.44.184.202:4081
35.198.166.27:4270
37.220.86.73:4001
45.138.74.200:4001
45.141.87.60:443
45.147.197.24:4001
45.15.156.213:4277
45.15.159.230:443
45.153.240.152:4001
45.156.26.59:4179
45.227.255.167:4001
45.32.181.136:443
45.66.249.84:443
45.77.101.240:443
45.77.195.73:443
45.79.237.92:4124
45.81.225.72:4001
45.86.162.219:4210
45.91.203.197:443
46.151.26.42:4193
46.166.161.93:443
5.101.78.2:4127
5.161.74.235:4001
5.183.95.197:4210
5.188.62.165:4125
5.2.78.113:4192
5.39.221.47:4001
5.42.65.67:4298
5.42.95.122:4308
5.45.73.25:4246
5.61.41.136:4236
5.61.41.225:4236
5.75.208.145:4294
62.113.114.61:4001
62.113.114.79:4001
62.113.255.11:4210
64.44.141.137:4001
65.109.48.216:4270
65.21.93.53:4173
69.46.15.147:4001
69.49.231.218:4001
78.141.210.78:443
78.46.206.251:4294
78.47.64.46:4000
78.47.64.46:4174
79.137.203.32:4289
80.89.234.122:4001
82.147.85.189:4001
85.239.54.190:443
85.25.207.68:4208
88.119.174.113:443
88.198.147.80:4174
89.185.85.249:443
89.22.225.242:4193
89.248.163.188:443
89.248.163.218:443
89.248.165.79:443
89.40.206.121:4001
91.103.252.57:4317
91.103.252.89:4317
91.209.70.71:4199
91.212.150.113:4199
92.53.90.70:4136
92.53.90.84:4136
93.115.25.139:443
93.115.25.41:443
93.115.28.138:443
94.158.247.29:4001
94.232.43.224:4163
95.161.131.6:4001
95.179.146.128:443
95.216.118.223:4173
95.217.228.125:4249
95.217.61.217:443
admex1955x.xyz
adstat277xm.xyz
adstat477d.xyz
advert127ds.xyz
advertserv7.world
advertx15.xyz
adxspace147.xyz
ar.undata.cc
ar1.undata.cc
backupboxsite.com
bernieforweeed.com
cryptotab.me
demstat377xm.xyz
demstat577d.xyz
devstudiakomp.xyz
filmsoneonline.com
grogol.co.id
inredrs5er.xyz
jbsland.com
localhost.exchange
mininglivepools.com
myprettysocks.com
n20b28tu.info
n20b28tu88.info
nice-kekgetnow.lol
nice-kekgetnow.xyz
onionnkfuzyzbu.xyz
onionnkfuzyzbu2.xyz
onlinefilmshome.com
oversizetights.com
pbmadu.com
pikabu.store
podisong.su
polkoirtyed.com
poolsforyour.com
portexcloud.xyz
reserve-domain.com
reverse11.com
reverse222.com
rupertok.su
s5s4txirgtrtin.com
servx2785x.xyz
spacex17.xyz
undata.cc
winstationsocks.com
winstationsocks.xyz
yourfam.net

# Reference: https://threatfox.abuse.ch/browse/malware/win.systembc/ (# 2023-09-04)

176.124.204.128:4269
185.106.93.188:4301
194.87.111.29:4301
37.1.214.251:4269
chinabar821994.com
kmstat355mx.xyz
kmstat95dx.xyz
mxstat215dm.xyz
mxstex725dm.xyz

# Reference: https://threatfox.abuse.ch/ioc/1149389/

discordcdn8839248.com

# Reference: https://www.virustotal.com/gui/ip-address/45.138.48.20/relations

kmsox815.xyz
moplex355.xyz
xemtex534.xyz

# Reference: https://twitter.com/Joseliyo_Jstnk/status/1709138968749437023
# Reference: https://www.virustotal.com/gui/file/10f34bae6b11a02a4ff7e6aa26d31d683318a0dabe3261dfaed2ad1eea5e57c4/detection

35.205.61.67:64443
5.44.251.90:64443
straightsboycott.com
ventafones.com

# Reference: https://threatfox.abuse.ch/ioc/1190888/

185.17.0.166:4001

# Reference: https://research.nccgroup.com/2023/11/06/d0nut-encrypt-me-i-have-a-wife-and-no-backups/
# Reference: https://otx.alienvault.com/pulse/654c05350c5576398d751ff0
# Reference: https://www.virustotal.com/gui/file/5ebfeda9b19bc19070bc0d8754fb4266dcfc7cc9b10766b7807187876af0a6aa/detection

194.87.111.29:4001
85.239.52.7:4001

# Reference: https://twitter.com/RexorVc0/status/1723961165305532675

zl0yy.ru

# Reference: https://twitter.com/JAMESWT_MHT/status/1725074182059274322
# Reference: https://cert-agid.gov.it/wp-content/uploads/2023/11/systembc_remcos_agenzia-entrate_16-11-2023.json
# Reference: https://app.any.run/tasks/7243e4f5-ddb2-410f-9898-6bdfc94d4d2f/
# Reference: https://www.virustotal.com/gui/file/2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84/detection

http://62.173.141.114
62.173.141.114:445
62.173.140.37:4001

# Reference: https://twitter.com/1ZRR4H/status/1729989615795290612
# Reference: https://www.virustotal.com/gui/file/492300a7101350cdd4dd8a2fbc62216532919cf3b35ba5016f7a54b81bc1d98f/detection

2.57.149.230:4357

# Reference: https://cert.gov.ua/article/6276584
# Reference: https://www.virustotal.com/gui/file/fd56aeec91d539792301ee45517c5a2b97e1e22880dcd8c9fb7da60e11cce35d/detection

217.12.206.218:4001
217.12.206.218:4444

# Reference: https://www.virustotal.com/gui/file/c863a947292209325b25dd6f3f336e40d305ebafe5af61539dab69eaf57d99a1/detection
# Reference: https://www.virustotal.com/gui/file/70f051b880fe4c1ba666269ebc42be586904c8147d42355dc33fd0ad82b0a03f/detection
# Reference: https://www.virustotal.com/gui/file/27c32fd16ebe37c5a8548bdcae5cb081bf84d4f0106a3f4bb868ea243b7955a6/detection

http://85.208.107.228
85.208.107.228:4001
85.208.107.228:4444

# Reference: https://twitter.com/malmoeb/status/1746450672201957875
# Reference: https://www.virustotal.com/gui/file/61f8fc5838fea490230c5929dd7a977ca7dd6c7364aa9815389ec92a69c32e11/detection
# Reference: https://www.virustotal.com/gui/file/12128a797b35e7a8c26ce9fffc5d20c78e48a7ed7d3115acefa02f269065dc73/detection

185.158.155.175:4201
185.233.2.50:4201

# Reference: https://twitter.com/k_sec/status/1755999190151299212
# Reference: https://www.virustotal.com/gui/file/3a92c2308cd6e0fffb9692a33e79ad076b7e921868b859fb01d1ebb6030a8e7f/detection

146.70.53.169:443
207.148.1.174:443

# Reference: https://twitter.com/naumovax/status/1775879362887233869
# Reference: https://app.any.run/tasks/79374120-c7d3-4874-8f45-25ddf6e21d7a/
# Reference: https://tria.ge/240402-yx89wscc4s/behavioral2
# Reference: https://www.virustotal.com/gui/file/674cf1a8997ec6ac5b29b8d7eb6a5fb63ce5aaf4b19ff1ec7749b0225c49906c/detection

142.202.241.217:4018

# Reference: https://x.com/0xrb/status/1796071963716091990

wprogs.top

# Reference: https://www.virustotal.com/gui/file/6776b61af5431f1625fa6da8e0012c6b4ded65dde354b2450b4c3697721cde2b/detection

199.59.243.225:4001
leadsoftware.top

# Reference: https://x.com/lontze7/status/1796084549106991211

http://5.161.81.32
http://94.232.46.202

# Reference: https://x.com/0xrb/status/1796084841168986544
# Reference: https://www.virustotal.com/gui/file/45048877f5a11bf5d867ac5a8ab503356aeeb46e30a7c9e54e1e28004c288a34/detection

204.137.14.135:443

# Reference: https://x.com/banthisguy9349/status/1796082465628422384

http://180.131.145.92
unsubscribelist.click

# Reference: https://x.com/0xrb/status/1796094627814281727
# Reference: https://www.virustotal.com/gui/file/bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711/detection

212.162.153.199:4001
cobusabobus.cam

# Reference: https://x.com/0xrb/status/1796106233726058704
# Reference: https://www.virustotal.com/gui/file/658e79976035b1afea4273460f5699c9993190c062e0cf2afd1e9f1b3f60079c/detection
# Reference: https://www.virustotal.com/gui/file/17b0150b278bcb34adce3416efc5148b7c8c725b725351753273d9921c04cbd5/detection

64.176.194.7:443

# Reference: https://x.com/0xrb/status/1797502283087011990

185.43.220.45:4383

# Reference: https://x.com/0xrb/status/1801474908423393637
# Reference: https://www.virustotal.com/gui/file/c23e82f915371684e319f9323e1dd3f9a15b73b2e60bb95ed6c00648b646a0c4/detection

185.156.72.33:4001

# Reference: https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/
# Reference: https://www.virustotal.com/gui/file/cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2/detection

94.198.55.181:4337
94.198.51.247:4337

# Reference: https://urlhaus.abuse.ch/browse/tag/Socks5Systemz/ (# 2024-09-16)

http://176.113.115.95
http://185.61.148.235
http://193.187.174.58
http://46.19.143.153
http://51.159.29.96
http://91.92.243.139
51-159-29-96.cprapid.com
51-159-29-96.rev.poneytelecom.eu
avalmag.com
ayazprak.com
bestsup.su
crazyfigs.top
createclub.online
dofuly.info
fastbutters.com
fishoaks.net
foosaby.com
hitsturbo.com
holliestea.com
mellmark.com
newbond.su
olivergboxz.zone
spartabig.com
stockframe.site
sunaviat.com
topteamlife.com
act.fishoaks.net
asx.sunaviat.com
bop.fishoaks.net
clean.sunaviat.com
count.spartabig.com
craft.bestsup.su
createclub.online
def.bestsup.su
en.bestsup.su
fe.foosaby.com
flex.sunaviat.com
gig.fastbutters.com
hugo.topteamlife.com
joly.bestsup.su
joxy.ayazprak.com
lang.topteamlife.com
loop.topteamlife.com
mellmark.com
mix.avalmag.com
mobile.sunaviat.com
moon.spartabig.com
nemo.dofuly.info
nixen.bestsup.su
ok.spartabig.com
olivergboxz.zone
pay.ayazprak.com
per.fishoaks.net
power.crazyfigs.top
real.avalmag.com
root.newbond.su
sd-152609.dedibox.fr
self.holliestea.com
sell.spartabig.com
silco.ayazprak.com
sl.avalmag.com
sly.fishoaks.net
still.topteamlife.com
stockframe.site
stoon.hitsturbo.com
stop.sunaviat.com
storm.ayazprak.com
tiny.ayazprak.com
vi.fishoaks.net
wow.fishoaks.net
zen.topteamlife.com

# Reference: https://www.group-ib.com/blog/dragonforce-ransomware
# Reference: https://www.virustotal.com/gui/file/df903c620508011ca8eb2aaaf9712a526b31a12c800b856cd524ebb3fde854b2/detection

94.232.46.202:4321

# Reference: https://x.com/bofheaded/status/1839339125176197576
# Reference: https://www.virustotal.com/gui/file/0782b51fd33941784e737abf29a0b359b9d825cbb115e1187de4ac94fbed9d3e/detection
# Reference: https://www.virustotal.com/gui/file/2a7e13e904f8de0f4eebe3d364f7f1fdd09aa72b2c95db20393cfbb0eb77341d/detection

79.110.62.222:9268
79.110.62.233:4295

# Reference: https://www.virustotal.com/gui/file/47a1e1ea2e3ed3e1c031b8c262e298754d5fa8cd638db73b0ee7370c463cb2b4/detection

45.10.42.221:4193

# Reference: https://www.virustotal.com/gui/file/fbe4ae576b3df796776ce1b79459491a317059df0dcc9593f96432d31268f6e4/detection
# Reference: https://www.virustotal.com/gui/file/02a9df245fb042c5fb6a5aec7f6c4eeb0c9bbfaf1ed9f514dc3825160babeb8f/detection

152.89.198.73:4247
https-erkan.com
update-server-3681.com

# Reference: https://pastebin.com/ZDchtLkc

http://104.223.88.101
http://109.205.214.18
http://109.205.214.4
http://135.125.248.50
http://138.201.196.90
http://139.144.79.152
http://139.177.192.90
http://139.177.193.173
http://144.76.223.74
http://146.70.53.169
http://146.70.86.61
http://148.251.236.201
http://149.248.14.222
http://149.248.3.194
http://157.20.182.233
http://162.252.175.101
http://178.79.174.207
http://192.248.166.56
http://207.148.10.113
http://213.109.202.161
http://23.131.216.131
http://45.135.180.6
http://45.182.189.231
http://45.32.181.136
http://45.63.66.10
http://45.66.249.84
http://45.77.101.240
http://45.77.115.67
http://45.91.203.197
http://64.176.214.51
http://66.85.173.12
http://85.239.54.190
http://88.119.174.113
http://89.185.85.249
http://89.248.163.188
http://89.248.163.218
http://89.248.165.79
http://93.115.25.139
http://93.115.25.41
http://93.115.28.138
http://93.115.29.50
http://94.156.189.36
http://95.217.61.217
109.201.142.52:8080
135.181.164.236:4179
146.70.41.133:4000
146.70.41.133:4001
146.70.44.168:4000
146.70.44.168:4001
153.92.222.162:4001
172.93.179.28:4001
173.44.141.149:4001
178.208.75.191:4248
185.234.72.142:46578
185.236.232.20:445
185.43.220.45:4001
185.73.124.42:4001
190.2.145.98:4001
192.53.123.202:8080
193.233.21.140:4001
193.31.28.246:4044
194.61.24.117:4000
194.93.56.202:4000
2.57.149.230:4970
2.57.149.230:49705
212.114.52.163:4044
213.252.247.237:4248
34.171.171.32:4035
34.171.171.32:4044
45.131.66.83:4044
45.140.147.91:4001
45.147.231.86:4254
45.15.159.28:8080
46.30.41.57:4248
46.30.42.17:4207
46.36.219.154:4044
5.161.81.32:4001
5.199.174.179:4044
5.199.174.223:4044
5.45.127.115:4044
67.211.218.147:4001
69.10.60.115:4018
8.209.111.227:12814
89.105.201.43:4001
89.187.184.206:4299
94.156.69.109:4372
basicincomeonline.com

# Reference: https://x.com/banthisguy9349/status/1867498116896682227

http://188.119.66.185

# Reference: https://x.com/abuse_ch/status/1864620181458149638

188.119.66.185:443
45.155.249.212:443
91.211.249.30:443

# Reference: https://www.virustotal.com/gui/file/005c6b318c758f7e6f3177d07ef6e4e4b30ff2109e44534cd7b17340549d6e94/detection

http://185.156.72.65
diiaidd.info

# Reference: https://x.com/naumovax/status/1871196908531896445
# Reference: https://tria.ge/241214-blb4pasnav
# Reference: https://app.any.run/tasks/a450e0b3-378c-4c94-8146-6eda3f2ace5d

78.41.139.3:4000
78.41.139.3:4739
78.41.139.3:5152
78.41.139.3:5337
78.41.139.3:5338
78.41.139.3:5339
78.41.139.3:5348
wodresomdaymomentum.org

# Reference: https://x.com/anyrun_app/status/1884207667058463188
# Reference: https://app.any.run/tasks/e8a9d10a-85c8-41c1-8ac9-3dfed0844768/
# Reference: https://www.virustotal.com/gui/file/c340e3d3ae7f769b4e88204dd08aa0f7b0145dffafe164d8e09c39b5a6d0d7cb/detection
# Reference: https://www.virustotal.com/gui/file/de1091252ebf2ed617e300c40a2c56ccac8a3e1b5c7f0e87a1cc3636766abe51/detection
# Reference: https://www.virustotal.com/gui/file/e39086a052eb2a30199c4badd5954720a4da2beb14d750bb9a15749f52e1cd69/detection
# Reference: https://www.virustotal.com/gui/file/2a7e13e904f8de0f4eebe3d364f7f1fdd09aa72b2c95db20393cfbb0eb77341d/detection
# Reference: https://www.virustotal.com/gui/file/efd22b61285ff5f3ed5de899a2e2933f9c5d11c3107d6d6b7339a0c466703939/detection

79.110.62.198:4295
79.110.62.222:4295
79.110.62.222:9268
cluster.amazonaws.work

# Reference: https://www.virustotal.com/gui/file/162d2eec1e9bbec8f7e160053cf1ea77f080c24df69ac427f474e468f955d1b6/detection
# Reference: https://www.virustotal.com/gui/file/059e600a06b4b6671fa440728b932adff7d246441bf328fcc4a8e29d4df11a23/detection

http://142.251.40.46
93.186.202.3:4000
93.186.202.3:5160
93.186.202.3:5986
towerbingobongoboom.com

# Reference: https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/
# Reference: https://github.com/eset/malware-ioc/tree/master/ransomhub
# Reference: https://www.virustotal.com/gui/file/b627b7838d048f35a53d9837e8c594e1b7c75e891ebe38bce9c04666a21cc5e7/detection

45.32.210.151:443

# Reference: https://x.com/smica83/status/1911841542681018415
# Reference: https://www.virustotal.com/gui/file/7b31819347374fbc4deb3f015ee54386bfd9c516da02997e0f8ca99b735b04f6/detection

45.142.193.214:443

# Reference: https://www.virustotal.com/gui/file/2f8de92bc343bfbc2b7d85f0fb9d037af39389a3943180d2bd393eb90bc29dfe/detection

206.206.123.245:443

# Generic (host-independent URL paths)

/systembc/exec.vbs
/systembc/password.php
/systembc/post.php
/systembc/geoip
/systembc333/
/systembc333/geoip
