# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: nuclear bot, nukebot, micro banking trojan, sarwent, tinynuke, mikubot

# Reference: https://twitter.com/VK_Intel/status/1018656000948260864

dingparighrewrec.win
refendisoked.win

# Reference: https://twitter.com/avman1995/status/1110785220993781763

m0pedx9.su

# Reference: https://twitter.com/P3pperP0tts/status/1177147328630861824

zalivy.ug

# Reference: https://twitter.com/abuse_ch/status/1183260666423119874
# Reference: https://www.virustotal.com/gui/file/afa54323cc65546ba777d8185da412641316377f7eeef9182a750a1385ba9b01/detection
# Reference: https://twitter.com/James_inthe_box/status/1162068269387276289
# Reference: https://app.any.run/tasks/6812075f-1785-494f-9624-eda8b19943c3/

shopstoregame.icu
shopstoregames.icu
shopstoregamese.com
shopstoregamese.icu
softfaremiks.icu

# Reference: https://twitter.com/James_inthe_box/status/1162068269387276289
# Reference: https://app.any.run/tasks/6812075f-1785-494f-9624-eda8b19943c3/

shopstoregame.com
shopstoregamesnews.com
startprojekt201907.com
startprojektnewswold.com
startprojekt.ru
stratbuks.icu

# Reference: http://tracker.viriback.com/dump.php (# 2019-11-4, TinyNuke)

5.188.60.99:8090

# Reference: https://twitter.com/P3pperP0tts/status/1226493807061094406
# Reference: https://app.any.run/tasks/69d6b92f-5acd-4e8d-82c1-b95f33af145c/

islacangrejo.fun
j2888hennene.site

# Reference: https://twitter.com/James_inthe_box/status/1226536619164889090
# Reference: https://app.any.run/tasks/de7f628a-4999-40fd-b664-8d26a2605613/

thoughtlibrary.top

# Reference: https://twitter.com/James_inthe_box/status/1228788661006659584

blognews-journal.com

# Reference: https://app.any.run/tasks/6812075f-1785-494f-9624-eda8b19943c3/

/adminpanel/add_bot.php

# Reference: https://twitter.com/malwarefr0gg0z/status/1260664478347096064
# Reference: https://app.any.run/tasks/056cfdee-7aa8-43ba-8b8e-b5e46f570b5e/

176.121.14.53:8888

# Reference: https://otx.alienvault.com/pulse/5ccbaedf1bcdec1f5fe8e096

plcbiz.info
support-stantion.ru
business-projekt.info
appartamentibologna.eu
hostbasesoft.com
webstatistika-country.ru
shopstoregame.com

# Reference: https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
# Reference: https://otx.alienvault.com/pulse/5ec7e449bc161ecb577d69f1

beurbn.com
blognews-joural.best
blognews-joural.com
blognews-joural.info
blognews-journal.com
rabbot.xyz
rubbolt.xyz
rubbot.xyz
seoanalyticsp34roj.xyz
seoanalyticspro32frghyj.xyz
seoanalyticsproewj.xyz
seoanalyticsproj.xyz
seoanalyticsprojrts.xyz
seoanalyticsptyrroj.xyz
shopstoregame.icu
shopstoregames.icu
shopstoregamese.com
shopstoregamese.icu
softfaremiks.icu
startprojekt.pro
startprojekt.pw
tebbolt.xyz
terobolt.xyz
treawot.xyz
vertuozoff.club
vertuozoff.xyz
vertuozofff.club
vertuozofff.com
vertuozofff.xyz
vertuozoffff.club
whatsmyhomeworthlondonontario.ca

# Reference: https://twitter.com/H_Miser/status/1291000691029401604

pat7qsfjjzqaspph.onion

# Reference: https://twitter.com/yvesago/status/1295985490802475009
# Reference: https://www.virustotal.com/gui/file/b53912aff3421ae6da708575e57bc00192ad294e10d5818fda4420f2036398f3/detection

bahrani.casa

# Reference: https://www.virustotal.com/gui/file/465fb52abb9c6916f86d33b823c00788043f02f87b5802cee0354b47946366d2/detection

jokenoiam.net
maldivosgrant.net

# Reference: https://www.virustotal.com/gui/file/3586ab8f467fea0a640c13702bd50065b9edf097fdcaaa5c8d162293ae333b5f/detection
# Reference: https://www.virustotal.com/gui/ip-address/84.38.183.181/relations

banudarog.com
baviuron.com
goldfinrh.com
goretron.com
kurengis.com
mesoplano.com
mesozoya.com
morenodorf.com
remitrager.com
ukbill37.com

# Reference: https://www.virustotal.com/gui/file/2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b/detection
# Reference: https://www.virustotal.com/gui/file/8b08dce793b966c76c6d4b14a013a0991caaa6a5df2d5256412b437d737ec95f/detection
# Reference: https://www.virustotal.com/gui/ip-address/84.38.183.181/relations

banestor.top
banisdor.top
banusle.top
blockchaim.top
bubendor.top
inerdong.top
menosita.top
menustore.top
morentok.top
mutarakis.top
nubertak.top
rmntl.top
sekhmetleaks.top
stablepointus.top
vidoluka.top

# Reference: https://www.virustotal.com/gui/file/e0def2780cfe72533a493069472395dd5a33fa3658de8fe8be50684a213e7a6c/detection

dnsass.com
topdrweb.com

# Reference: https://twitter.com/James_inthe_box/status/1307025445536239616
# Reference: https://www.virustotal.com/gui/file/f9f9b147e1f262190e4409693cdc0e472b92ef6d47af97058f27e77a0b74a1a4/detection
# Reference: https://www.virustotal.com/gui/file/1966471ded07c464c10fd76b8945445a3602edaa744193a7396517620d2037d8/detection

beta.wally02.org
izuw6rclbgl2lwsh.onion

# Reference: https://www.virustotal.com/gui/file/51ceaad80b541d7f405789a4faec88e97ec7c2490018dda8d0eba20cfc1431df/detection

46.17.96.50:6667

# Reference: https://www.virustotal.com/gui/file/d28ce2fdb999c3ab40b7232e88ea9999071b3dd956c16f8210731e13aa2aa84d/detection

46.17.96.50:7077
nyshopxawea.ml

# Reference: https://www.virustotal.com/gui/file/083b34874e8ca4b85a6c857e12508405300cc92f069baca6ec949abb4516af0b/detection

spartanpi.info

# Reference: https://www.virustotal.com/gui/file/4214d1d2584d6d14afa1764fae11dbacb905399ba8cff2b2a910caacea512015/detection

156.205.134.108:1234
aaa.system-ns.net

# Reference: https://www.virustotal.com/gui/file/e932b802b9e20b5bcee9d9d0fcff26ce2c6793b97326cd0418ef837bc77e275f/detection

185.215.113.18:3005
mideruv.top
nesolipa.top
vonatiz.top

# Reference: https://www.virustotal.com/gui/file/d9bbaaaa613c968c52f9b14f933b4c06cb4e86d0c16177a035f33227a43ffa4e/detection

atta2tata.monster
/door-get.php

# Reference: https://www.virustotal.com/gui/file/095322757c593cd4c7b32e2761a89d6485af463d08d5ef56adfa51bf335e4db5/detection

139.180.171.110:22809

# Reference: https://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities
# Reference: https://otx.alienvault.com/pulse/61b75a09bdce253efac32ffe
# Reference: https://www.virustotal.com/gui/file/5ba482a11f1a99293a249c350c360cd0d8f1456dfcfd27bf0b4189511e4800d8/detection

baloobajojonako.fr
fizi4aqe7hpsts3r.onion

# Reference: https://www.virustotal.com/gui/file/c996807af96c3e94802677496de5a402f58245888ad800a86d81d62807f91397/detection

bethats.com

# Reference: https://twitter.com/ViriBack/status/1540328577425612802
# Reference: https://app.any.run/tasks/b9fee773-bad0-49f5-ae92-eba86d2194d4/ (# mikubot)

http://136.144.41.244

# Reference: https://www.virustotal.com/gui/domain/trevand.com/relations

trevand.com

# Reference: https://www.virustotal.com/gui/file/28a597244d88d094220f0a05a6c12cbf26edebcda9d777f507e6b5b53751863d/detection

77.105.147.140:14333

# Reference: https://www.virustotal.com/gui/file/a63494e9329156b9638ff18eaabfeac01f3d8fbc07f0d0836937e39083686b90/detection

179.13.5.158:2004
hvncand.duckdns.org

# Reference: https://twitter.com/ViriBack/status/1781674477446660139
# Reference: https://app.any.run/tasks/09f80415-3f8f-4b08-8edc-837ae3625e44/

http://81.19.141.173
faumai.ru

# Reference: https://www.virustotal.com/gui/file/f885bfd57370a545182177966a595c3f373830e6ead11d69b6f1c4cd0e5321fb/detection

185.132.134.200:6667

# Reference: https://www.virustotal.com/gui/file/8639850d8d5f841d3e23a927aabd1951fbe51ae98a7bacb31df5a08797bb6c77/detection

app-updater.app
/api/connect?hwid=

# Reference: https://www.virustotal.com/gui/file/d8785d3241bbb6c777964f7666c33850c5f9e186e8a9b59d9e99bb7387ac7aa6/detection
# Reference: https://www.virustotal.com/gui/file/9525ed3187e4de9cb24be2960283052556cf09149f6af37018e74916abb3e33d/detection

khfslwfduh.ru
yrewdvnkl.ru

# Generic (URL path patterns, not tied to a specific host)

/gate/cmd_exec
/gate/connect?hwid=
/gate/connect?os=
/gate/powershell_exec
/gate/rdp_exec?command=
/gate/update_exec?command=
/gate/vnc_exec?command=
