# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/Artilllerie/status/1115258738368294913

/rnm226.php
/rnm238.php

# Reference: https://twitter.com/malware_traffic/status/732996960953622528

/xtrfgdb7.php

# Reference: https://twitter.com/malware_traffic/status/723237083851022337

/ckjvgphz.php

# Reference: https://twitter.com/teoseller/status/648537487397289984

/ajuno.php

# Reference: https://twitter.com/malware_traffic/status/1138999824613687298

http://80.85.155.70
work.a-poster.info

# Reference: https://twitter.com/VK_Intel/status/1139926661162512384
# Reference: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-06-14-tofsee-spambot-modules.notes.vk.txt

/pchfv.php
144.76.199.2:416
144.76.199.43:416
176.111.49.43:416
46.4.52.109:416
85.25.119.25:416

# Reference: https://blog.talosintelligence.com/2019/08/threat-roundup-0726-0802.html (# Win.Malware.Tofsee-7090196-1)

gordinka.xyz

# Reference: https://blog.talosintelligence.com/2019/10/threat-roundup-1018-1025.html (# Win.Malware.Tofsee-7349716-1)

nekfad.xyz
ponedobla.bit

# Reference: https://www.virustotal.com/gui/file/4de062a251b1b38575f8e815823b27f05e8a8eba69aec44b89bfa5a88155c747/detection

/vbyjqfw.php
/dhmuswvy.php
/bvmrgqc.php
/codfxpwuq.php
/psfyclat.php
/qxxrym.php
/frwxpvpm.php
/rusehw.php
/hmrlyx.php
/ckhadxg.php
/sslkzbml.php
/mwwqjy.php
/hrlaguph.php

# Reference: https://www.virustotal.com/gui/ip-address/51.91.31.87/relations
# Reference: https://www.virustotal.com/gui/file/b0a8c4f50a4fbddd68c67fd25f04c72c8bc82164c4cc1c63773b48d51194173b/detection
# Reference: https://www.virustotal.com/gui/file/8294d7ef6650dda837626df88d3af1f4ae21440ee5a85e3cdf9222baacea5583/detection

51.91.31.87:13333

# Reference: https://www.virustotal.com/gui/file/0de56d003ad4b2ec2b3baefc186761c0d6e7ecc957cee322b337d8317ccfdeab/detection

93.171.200.64:35000

# Reference: https://www.virustotal.com/gui/ip-address/45.128.204.56/relations

45.128.204.56:8087

# Reference: https://www.virustotal.com/gui/file/71ac7ffe233607924e6475dc2537d28a1647e78fd0e2d85f3af8760e87009e06/detection

176.9.114.177:416
188.165.238.150:416
46.28.66.2:416
78.31.67.23:416
93.179.69.109:416

# Reference: https://www.virustotal.com/gui/file/c77be7705adde8882fe9b8d2ae1120ffc978ce8993c39a1b908a595c34a44f62/detection

176.9.114.177:419
188.165.238.150:419
46.28.66.2:419
46.4.52.109:419
78.31.67.23:419
93.179.69.109:419

# Reference: https://www.virustotal.com/gui/file/401defb46887dfb03a9359ebbb257f228204b5bdbc669e1f6e48a2390ffe7737/detection

176.9.114.177:418
188.165.238.150:418
46.28.66.2:418
46.4.52.109:418
78.31.67.23:418
93.179.69.109:418

# Reference: https://www.virustotal.com/gui/file/abfe24e0c4203696a78fce0947d0badb0add61798317346d6d68942330c7ad16/detection

176.9.114.177:420
188.165.238.150:420
46.28.66.2:420
46.4.52.109:420
78.31.67.23:420
93.179.69.109:420

# Reference: https://blog.talosintelligence.com/2020/02/threat-roundup-0214-0221.html (# Win.Packed.Tofsee-7586819-1)

bestladies.cn
bestdates.cn
bestgirlsdates.cn
sex-finder4you1.com

# Reference: https://www.virustotal.com/gui/file/29ddb2d3b572e9d87505f655c114f35acb083d726c73c1e4ee3a796302960f3c/detection

43.231.4.7:443
85.114.134.88:486
sex-finder4you4.com

# Reference: https://www.virustotal.com/gui/file/ea9a07e2c8c8bae733c472099b4a8819ecb035d978ae10fb12de0162192ec241/detection

85.114.134.88:487

# Reference: https://www.virustotal.com/gui/file/94b9e7576fdb55902edf135d96a5d0bf48886753d4e236fc9ae77e53b5ccea36/detection

176.9.114.177:423
188.165.238.150:423
46.28.66.2:423
46.4.52.109:423
78.31.67.23:423
93.179.69.109:423

# Reference: https://www.virustotal.com/gui/ip-address/176.119.28.112/relations
# Reference: https://www.virustotal.com/gui/file/37f4c5a020461568f4870b7f55be47911575fe3ea45e8ed893f5dd47134ce5cf/detection

176.119.28.112:3333

# Reference: https://www.virustotal.com/gui/file/31cc99bdafbb1cca9fbc8ed4e909cc087471eb3ecb3343c1d5e5ee2467398032/detection

32ggswww2.info
jssbwtgssq.com
rwsb3tsgw.xyz
vyefb543.ru

# Reference: https://www.virustotal.com/gui/file/56742b2b280832be53db097ffc3cf69947588f367627151198938d683ed0afee/detection

45.126.183.208:8087

# Reference: https://www.virustotal.com/gui/file/46d510e878697c063192b6ae34af6f61e1324e94fd8dd8d4d32f1cf4966824aa/detection

176.9.114.177:417
188.165.238.150:417
46.28.66.2:417
46.4.52.109:417
78.31.67.23:417
85.114.134.88:481
93.179.69.109:417

# Reference: https://www.virustotal.com/gui/file/79aa41afc62c74ad0bad77400a6bf8a950128b1762cbf18d4ae83fc8de2a61b5/detection

144.76.173.210:5595

# Reference: https://www.virustotal.com/gui/file/9ad58966c6dbcada05cd1d7b802af1b3643c91bb62921e834d5440d14bc5ca9c/detection

176.9.114.177:430
188.165.238.150:430
46.28.66.2:430
46.4.52.109:430
78.31.67.23:430
85.114.134.88:486
93.179.69.109:430

# Reference: https://www.virustotal.com/gui/file/1dbb73d845e92a993ca73be56c987d38b7fd2921eb0fca86d8d6be3fab3a6b76/detection

185.180.196.91:25000
45.126.183.208:8087
95.181.178.17:486
144.76.199.2:422
144.76.199.43:422
176.111.49.43:422
46.4.52.109:422
85.25.119.25:422

# Reference: https://www.virustotal.com/gui/file/600a779ace9a420685a0e2b38d5302391f5732a509d691a4563d0e9d570d1cbd/detection

85.114.134.88:481
176.9.114.177:425
188.165.238.150:425
46.28.66.2:425
46.4.52.109:425
78.31.67.23:425
93.179.69.109:425

# Reference: https://www.virustotal.com/gui/file/d513c313d237d4ac514e27766b0140f18cd82f2ddef16533364457164bb6a2dc/detection

45.153.203.33:5050

# Reference: https://www.virustotal.com/gui/file/56d637b03d20f84e27caba2da1f147ff022e22f659aa26fe8e6be2cceb3cb47c/detection

fakecontact.top
heniav.xyz

# Reference: https://www.virustotal.com/gui/file/a8fd30b03500b24c3f28f24919bbad05355c837271fb4c49f6fc495afe11b9b1/detection

212.22.87.191:484

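# Reference: https://www.virustotal.com/gui/domain/mx0a-0021cb01.pphosted.com/relations
# NOTE(review): pphosted.com is Proofpoint's hosted e-mail infrastructure, so this host is presumably a mail exchanger that infected hosts contact while sending spam, not attacker-controlled infrastructure. Legitimate mail delivery may also hit it - confirm before alerting or blocking on this entry.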

mx0a-0021cb01.pphosted.com

# Reference: https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/
# Reference: https://otx.alienvault.com/pulse/60a41a33d66b2282cdb15e2e

darkteam.store

# Reference: https://www.virustotal.com/gui/file/74c27d013f304005b5703dadd2d1e306b8995c5c840dc20ee2d01ea1ada2de80/detection

85.114.134.88:484

# Reference: https://www.virustotal.com/gui/file/befe9a15cfe1b2a5acd3e6935f57f1b2bd81c5b4a0a51ef58093b0c2077c952a/detection

lazystax.ru

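# Reference: https://www.virustotal.com/gui/file/7157b3add71ff5e921770e829c78bf836f6864eaad12638e87007bf871c57f87/behavior/C2AE
# NOTE(review): port 465 is the SMTPS port; for a spambot the IP:465 entries below may be mail servers it delivers to rather than C2 - verify against the referenced sandbox report.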

dzydzya.biz
59.188.74.26:465
111.121.193.242:465
103.248.137.133:465
115.230.124.76:465

# Reference: https://www.virustotal.com/gui/file/411b47fa6cf20ae9f60368d9f5dd84300f4a607150c8788c8c22839631b55667/behavior/VirusTotal%20Jujubox

defeatwax.ru
193.56.146.244:480

# Reference: https://www.virustotal.com/gui/file/90f5f64f6d058a648703f5fd4875dc890ddadaa237c22e9c31fa8b2d987bab2d/behavior/C2AE

lakeflex.ru
quadoil.ru

# Reference: https://www.virustotal.com/gui/file/0229a33928016fcbd60d19563894ed028f0947f6b470c17948c05a7a26a29e9b/behavior/C2AE

refabyd.info

# Reference: https://www.virustotal.com/gui/file/bda39f9370c5cac9ccfb4bad309a6dabb92c7431aa5af0cac4cb91ac7c88443b/detection

144.76.199.2:416
144.76.199.2:417
144.76.199.2:429
144.76.199.43:416
144.76.199.43:417
144.76.199.43:429
176.111.49.43:416
176.111.49.43:417
176.111.49.43:429
185.254.190.218:484
46.4.52.109:416
46.4.52.109:417
46.4.52.109:429
5.9.32.166:481
85.25.119.25:416
85.25.119.25:417
85.25.119.25:429
93.189.41.62:8080

# Reference: https://www.virustotal.com/gui/file/55d5a5ece238cfa4e0d999c5ba0b871dbe7664ed28ebb5c5e885f6d60ddaa8d1/detection

mubrikych.top
oxxyfix.xyz

# Reference: https://www.virustotal.com/gui/file/ae56e7d113a619aba4b7a8e204bda7f345d7ea9bb9000e2a1b3288042958518c/detection

85.114.134.88:480

# Reference: https://www.virustotal.com/gui/file/70e5635f2da4c99855a33aad3a86c8124bdda23b3e1d99775d434db866fdc650/detection

185.7.214.171:431
185.7.214.210:431
185.7.214.212:431
185.7.214.213:487
45.9.20.178:431
45.9.20.179:431
45.9.20.187:431

# Reference: https://github.com/ti-research-io/ti/blob/main/DGA/Tofsee/DGALIST-Tofsee.txt
# The domains below come from the referenced Tofsee DGA list (algorithmically generated names).

dulduld.ch
dumduma.biz
duqduqg.biz
dutdutg.ch
duuduuf.ch
duvduvc.ch
dvbdvbc.biz
dvfdvfe.biz
dvgdvgi.ch
dvhdvha.biz
dvhdvhf.ch
dvjdvjh.ch
dwadwag.ch
dwidwid.biz
dwmdwmd.biz
dwmdwmf.biz
dwmdwmj.ch
dwndwnc.biz
dwndwnc.ch
dwndwnd.biz
dwndwnd.ch
dwndwne.ch
dwodwoa.biz
dwodwob.ch
dwodwoh.ch
dwpdwpc.biz
dwpdwpd.ch
dwpdwph.ch
dwrdwrb.ch
dwrdwrc.ch
dwsdwsb.ch
dwtdwtb.biz
dwtdwtg.biz
dwtdwtj.ch
dwudwua.ch
dwudwuj.ch
dwvdwva.ch
dwvdwvg.biz
dwvdwvi.biz
dwvdwvj.biz
dwwdwwb.ch
dwxdwxb.ch
dwxdwxc.ch
dwxdwxe.ch
dwxdwxj.ch
dwydwya.ch
dwydwyf.ch
dwydwyg.biz
dwydwyj.biz
dwzdwzc.ch
dwzdwze.biz
dwzdwzf.ch
dwzdwzj.biz
dxadxaa.biz
dxadxag.biz
dxadxag.ch
dxbdxbe.biz
dxbdxbf.biz
dxbdxbg.biz
dxbdxbh.ch
dxcdxcc.ch
dxcdxcd.biz
dxddxde.ch
dxddxdg.biz
dxedxed.ch
dxedxei.ch
dxedxej.biz
dxfdxfb.biz
dxfdxfc.biz
dxfdxfd.biz
dxfdxfi.biz
dxgdxgb.biz
dxgdxgd.biz
dxgdxgh.ch
dxgdxgj.biz
dxhdxhb.biz
dxhdxhj.biz
dxidxic.biz
dxidxic.ch
dxidxie.biz
dxidxih.ch
dxjdxja.biz
dxjdxja.ch
dxjdxjg.biz
dxjdxjg.ch
dxjdxjh.biz
dxkdxkd.biz
dxkdxkf.ch
dxkdxki.biz
dxldxld.ch
dxmdxme.biz
dxndxnb.ch
dxndxnc.biz
dxndxnc.ch
dxndxnd.biz
dxndxnh.ch
dxndxnj.ch
dxodxob.biz
dxodxod.biz
dxodxoe.biz
dxpdxpc.ch
dxpdxpe.biz
dxpdxph.ch
dxqdxqc.ch
dxrdxrg.biz
dxsdxsc.biz
dxsdxsh.ch
dxsdxsj.biz
dxtdxtc.biz
dxtdxti.ch
dxudxuc.biz
dxudxui.ch
dxvdxvi.ch
dxwdxwd.ch
dxwdxwh.ch
dxwdxwi.biz
dxxdxxa.ch
dxxdxxb.ch
dxxdxxf.biz
dxxdxxi.ch
dxydxyc.ch
dxydxyg.biz
dxydxyj.ch
dxzdxzg.biz
dxzdxzh.biz
dxzdxzj.biz
dyadyae.biz
dyadyaf.ch
dyadyai.ch
dybdybc.biz
dybdybh.ch
dybdybi.ch
dybdybj.biz
dycdyca.ch
dycdycc.ch
dycdycg.biz
dycdycg.ch
dyddyda.biz
dyddydc.ch
dyddydh.ch
dyedyei.biz
dyfdyfd.ch
dyfdyfg.biz
dyfdyfj.ch
dygdygb.biz
dyhdyhi.biz
dyhdyhi.ch
dyidyic.biz
dyidyig.ch
dyjdyjb.ch
dyjdyje.ch
dyjdyjh.ch
dyjdyji.ch
dykdykb.biz
dykdykd.biz
dykdykg.biz
dyldyld.biz
dyldyld.ch
dyldyle.ch
dymdyma.biz
dymdymd.biz
dyndynh.biz
dyndyni.biz
dyodyoa.biz
dyodyoa.ch
dyodyob.biz
dypdypa.biz
dypdypc.ch
dypdypi.ch
dyqdyqa.ch
dyqdyqd.biz
dyqdyqg.biz
dyqdyqh.biz
dyqdyqi.ch
dyrdyra.biz
dyrdyrb.biz
dyrdyrd.ch
dyrdyre.biz
dyrdyrg.biz
dyrdyrh.biz
dyrdyri.ch
dysdysa.biz
dysdysa.ch
dysdysb.ch
dysdysd.ch
dysdyse.ch
dysdysg.biz
dysdysg.ch
dysdysi.ch
dysdysj.biz
dytdyth.biz
dyudyub.biz
dyudyue.biz
dyudyuf.ch
dyudyuh.biz
dyvdyvh.biz
dywdywc.ch
dywdywd.biz
dywdywe.biz
dywdywh.biz
dyxdyxj.ch
dyzdyzf.ch
dzadzah.biz
dzadzaj.ch
dzbdzbe.biz
dzcdzcj.ch
dzddzda.biz
dzddzdc.ch
dzddzde.biz
dzedzea.ch
dzedzeb.biz
dzedzef.biz
dzedzeh.biz
eaieaia.biz
eaieaia.ch
eaieaib.biz
eaieaib.ch
eaieaic.biz
eaieaic.ch
eaieaid.biz
eaieaid.ch
eaieaie.biz
eaieaie.ch
eaieaif.biz
eaieaif.ch
eaieaig.biz
eaieaig.ch
eaieaih.biz
eaieaih.ch
eaieaii.biz
eaieaii.ch
eaieaij.biz
eaieaij.ch
eajeaja.biz
eajeaja.ch
eajeajb.biz
eajeajb.ch
eajeajc.biz
eajeajc.ch
eajeajd.biz
eajeajd.ch
eajeaje.biz
eajeaje.ch
eajeajf.biz
eajeajf.ch
eajeajg.biz
eajeajg.ch
eajeajh.biz
eajeajh.ch
eajeaji.biz
eajeaji.ch
eajeajj.biz
eajeajj.ch

# Reference: https://www.virustotal.com/gui/file/6aad2d92bb7afdb29d2aebd19ed518120a975353c46ea3db1a5c2c8a1d675646/detection

144.76.199.43:423
144.76.199.2:423
176.111.49.43:423
46.4.52.109:423
85.25.119.25:423

# Reference: https://www.virustotal.com/gui/file/05343a42626ec21c12c2e642814860efe16284278e6fd595d2efcae0647b4c0d/detection

185.215.113.71:416
185.244.41.146:416
185.7.214.171:416
185.7.214.210:416
185.7.214.212:416
91.243.44.11:416

# Reference: https://www.virustotal.com/gui/file/5a962e6116bde82aa809719f0b1872fa7b1d6a477cc915528ee5d06cea4c1b75/detection

185.7.214.171:429
185.7.214.210:429
185.7.214.212:429
45.9.20.187:429
45.9.20.178:429
45.9.20.179:429
193.56.146.146:485

# Reference: https://www.virustotal.com/gui/file/f4b9f542dfee6f40bb239c0d47296672c37d15521322b78e53daa9d7d399eebf/detection

185.215.113.71:421
185.244.41.156:421
185.7.214.171:421
185.7.214.210:421
185.7.214.212:421
185.7.214.51:485
91.243.33.4:421
763655-cs37094.tmweb.ru

# Reference: https://www.virustotal.com/gui/file/a7ee420fd3a477e690dab56f47b264dd6c8376941101065d6645716bbf4b6333/detection

185.215.113.71:425
185.244.41.156:425
185.7.214.171:425
185.7.214.210:425
185.7.214.212:425
185.7.214.51:481
91.243.33.4:425

# Reference: https://www.virustotal.com/gui/file/bff743d7d127f7ebb99f8f4560682c6428ffec0fe04e5c74ef7e987e54069b5b/detection

185.253.219.200:424
193.56.146.41:424
193.56.146.42:424
193.56.146.43:424
193.56.146.188:480
51.158.144.223:424
91.219.63.95:424

# Reference: https://www.virustotal.com/gui/file/2e56f46ade294f995ba0b40cb333193d967b4239547e7b4ea4b9b6bd896df394/detection

192.162.246.7:422
193.56.146.40:486
193.56.146.41:422
193.56.146.42:422
193.56.146.43:422
95.216.195.92:422

# Reference: https://www.virustotal.com/gui/file/5e0c288cbbfcf3d42a11b380eae2eb7d2cc9d4406ea09515f7512318df701221/detection

185.244.41.146:430
185.215.113.71:430
185.7.214.51:486
185.7.214.171:430
185.7.214.210:430
185.7.214.212:430
91.243.33.3:430

# Reference: https://www.virustotal.com/gui/file/8137f7ea287ebfce0b9663ba126fd0e117e15d566c59412abc8929566f8cfb9d/detection

148.251.137.62:10281

# Reference: https://www.virustotal.com/gui/file/10015424deb6bd49a26cb72e2ce8386f943dd2862b6bd2c33859e8ac9de4598d/detection

144.76.199.2:423
144.76.199.2:426
144.76.199.43:423
144.76.199.43:426
176.111.49.43:423
176.111.49.43:426
46.4.52.109:423
46.4.52.109:426
85.25.119.25:423
85.25.119.25:426
91.203.5.169:8087
94.23.27.38:482

# Reference: https://www.virustotal.com/gui/file/469e4aa1e6b4a0f29376943c9971946004292629f8a79820075bcb967c502aeb/detection

103.93.124.134:8087
95.181.178.17:480

# Reference: https://www.virustotal.com/gui/file/68e6fa2b60b3156318e1ff86510c56ce5d3e79936d9f4483980f8a509cd05b87/detection

193.56.146.188:484

# Reference: https://www.virustotal.com/gui/file/059b66dbf14b0ca82b30eb2799e29d0ce354a869a97c47cf5488d626ce3f7b87/detection

144.76.199.2:427
144.76.199.43:427
176.111.49.43:427
46.4.52.109:427
85.25.119.25:427
95.181.178.17:483

# Reference: https://www.virustotal.com/gui/file/79f5e36118066944dee611871702de84cf23d51af939837f5e86c4e384ad8db9/detection

144.76.199.2:428
144.76.199.43:428
176.111.49.43:428
46.4.52.109:428
78.31.67.189:484
85.25.119.25:428

# Reference: https://www.virustotal.com/gui/file/868dc7b2ec8a701555cea7f0707e26b5f4393b9d81b2c4f7884f9a4e271c3cd4/detection

144.76.199.2:420
176.111.49.43:420
190.2.131.101:420
46.4.52.109:420
85.25.119.25:420
93.179.68.4:420

# Reference: https://www.virustotal.com/gui/file/8a95fcea2d9784112668258efcce0a1c32152c829daa769d75ed4a8396ff0924/detection

144.76.199.2:429
144.76.199.43:429
176.111.49.43:429
46.4.52.109:429
85.25.119.25:429
95.181.178.17:485

# Reference: https://www.virustotal.com/gui/file/a9a6c638dce713e776dca8e1831f0483e7172957e24326211d30b39d415534a0/detection

185.7.214.171:423
185.7.214.210:423
185.7.214.212:423
45.9.20.178:423
45.9.20.179:423
45.9.20.187:423
