# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: Yellow Cockatoo RAT, Polazert, solarmarker

# Reference: https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf
# Reference: https://redcanary.com/blog/yellow-cockatoo/
# Reference: https://otx.alienvault.com/pulse/5faf00679c90b876019cc653
# Reference: https://otx.alienvault.com/pulse/5fcab7a1accb28c015a5717d

blackl1vesmatter.org
gogohid.com
mixblazerteam.com
spacetruck.biz
vincentolife.com

# Reference: https://www.virustotal.com/gui/file/dbba731937d435681ed98af6e42ab52d53af4f9ebe8db955a2b4b9ab63b4b06c/detection

5.254.118.226:80

# Reference: https://www.virustotal.com/gui/file/38508585ab7911fa8c6475b14086e11db6e829c541b392634bcc921ae6cdda35/detection

http://216.230.232.134

# Reference: https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer
# Reference: https://www.virustotal.com/gui/file/e3680602deb66e1196bcffe531cdeeab32663efc62c5e16178a0f9f4df745007/detection
# Reference: https://www.virustotal.com/gui/file/8447b77cc4b708ed9f68d0d71dd79f5e66fe27fedd081dcc1339b6d35c387725/detection

http://37.120.237.251
http://45.42.201.248

# Reference: https://www.virustotal.com/gui/file/60c570bd5f5f0d8ea3760317f9becaa78a9be16b2fb2dc7399bf270ca855c0a1/detection

http://45.146.166.186

# Reference: https://twitter.com/th3_protoCOL/status/1488508291642626057
# Reference: https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/
# Note: 216.230.232.134, 37.120.237.251, 45.42.201.248 and 5.254.118.226 in the list below also appear in earlier sections of this file (duplicate entries kept for per-reference attribution)

http://104.223.123.7
http://146.70.24.173
http://146.70.41.157
http://149.255.35.179
http://167.88.15.115
http://185.244.213.64
http://188.241.83.61
http://192.121.87.53
http://216.230.232.134
http://23.29.115.175
http://37.120.237.251
http://37.221.114.23
http://45.146.165.221
http://45.42.201.248
http://46.102.152.102
http://5.254.118.226
http://69.46.15.151
http://91.241.19.110
http://92.204.160.110
http://92.204.160.233
abocomteamsd.site
chargraman.ml
passesleeson.site
pdfdocdownloadspanel.site
sseiatca.site
triplegnuise.site

# Reference: http://lists.emergingthreats.net/pipermail/emerging-sigs/2021-November/030492.html

noelfpar.com

# Reference: https://www.virustotal.com/gui/file/e2ee962de73184eb406a9b403a87b4a8b2d8dc2a2b048977748a0273d1f90ab6/detection

http://146.70.88.119

# Reference: https://unit42.paloaltonetworks.com/solarmarker-malware/

http://146.70.101.97
http://146.70.53.153
http://37.120.247.199
http://37.221.113.115
http://84.252.95.225
http://89.44.9.108
http://92.204.160.101
http://92.204.160.114

# Reference: https://twitter.com/SquiblydooBlog/status/1515345814314373123
# Reference: https://www.virustotal.com/gui/file/8aaf2a9920c23cbccf4ee9686679ad605ed3943685e80855192cdaf27913d9b7/detection

http://86.106.20.155

# Reference: https://tria.ge/220421-q74hdsbaan

http://37.120.247.120

# Reference: https://www.virustotal.com/gui/file/c884f80accda415c39632e495f11e1d143649d0439d6eecd8a9d4851d041c444/detection

http://146.70.71.174

# Reference: https://tria.ge/220706-15rqxshffj/behavioral2

http://146.70.124.83

# Reference: https://twitter.com/embee_research/status/1546735163996254208

http://194.15.216.126

# Reference: https://twitter.com/SquiblydooBlog/status/1552736298024243201
# Reference: https://tria.ge/220728-vv9k4ahfc8/behavioral1

http://37.120.198.209

# Reference: https://twitter.com/embee_research/status/1567905607943950341

http://85.17.9.107

# Reference: https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2_FgRr3aN.pdf

http://176.113.115.125
http://45.135.232.131
http://45.155.204.139
digitalagencylks.com
hosthotelsshtus.com

# Reference: https://twitter.com/SquiblydooBlog/status/1574669745651163137
# Reference: https://tria.ge/220926-xqpq8schej/behavioral2

http://146.70.53.146

# Reference: https://twitter.com/SquiblydooBlog/status/1578083067893252108
# Reference: https://www.virustotal.com/gui/file/e0f268e1bff8974b728315707386b2b2fe70fa1701047976f0911bc2622e8de0/detection

http://176.223.140.177

# Reference: https://twitter.com/SquiblydooBlog/status/1588965633752199168
# Reference: https://tria.ge/221105-wcz5dabbgj/behavioral2

http://146.70.147.41

# Reference: https://twitter.com/luke92881/status/1591149451472941058
# Reference: https://app.any.run/tasks/eb4e5142-4d0d-4a2f-86b2-4228410922d8/

http://85.17.9.32

# Reference: https://twitter.com/SquiblydooBlog/status/1598942566170652673

http://78.135.73.155

# Reference: https://twitter.com/SquiblydooBlog/status/1604494175956869122
# Reference: https://www.virustotal.com/gui/file/d5d9368aa2419cdecd951091cddfc9227ab49fb554e53099378a2ef7aae5a012/detection

http://185.73.202.88
