# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/bartblaze/status/1228364607410130944
# Reference: https://twitter.com/GrujaRS/status/1294908674486525953
# Reference: https://github.com/StrangerealIntel/malware-notes/blob/master/Ransomware/Lockbit.md

lockbit-decryptor.com
lockbitkodidilol.onion
lockbitks2tvnmwk.onion

# Reference: https://www.virustotal.com/gui/ip-address/47.91.79.68/relations

lockbit-blog.com
lockbit-decryptor.top

# Reference: https://github.com/thetanz/ransomwatch/blob/main/docs/INDEX.md

lockbitapt.uz
lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
oyarbnujct53bizjguvolxou3rmuda2vr72osyexngbdkhqebwrzsnad.onion
yq43odyrmzqvyezdindg2tokgogf3pn6bcdtvgczpz5a74tdxjbtk2yd.onion
zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion

# Reference: https://www.ic3.gov/Media/News/2022/220204.pdf (# Lockbit 2.0)

http://139.60.160.200
http://168.100.11.72
http://174.138.62.35
http://185.182.193.120
http://185.215.113.39
http://193.162.143.218
http://193.38.235.234
http://45.227.255.190
http://88.80.147.102
http://93.190.139.223
http://93.190.143.101

# Reference: https://unit42.paloaltonetworks.com/emerging-ransomware-groups/
# Reference: https://otx.alienvault.com/pulse/612606e65f3918cb8354bcd9/

bigblog.at
decoding.at

# Reference: https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
# Reference: https://otx.alienvault.com/pulse/626bc047f1a3ebc6be0a2856

45.32.108.54:443

# Reference: https://twitter.com/malwrhunterteam/status/1521942395679608834
# Reference: https://www.virustotal.com/gui/file/7cc0c4d1f3bc3c5e486077bd69c1aeedba27a085c5e6f67d7309f2aa79a0e5b9/detection

lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion

# Reference: https://www.virustotal.com/gui/file/604ea692ed8e041b45cf1961fb7439e269720de29f9052bf081b71767506a92e/detection

impersuasiblyredeliveranceunspleened.com
/v5/ehsq.php?amnf=

# Reference: https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/
# Reference: https://otx.alienvault.com/pulse/62da7bf8750a63befc1fdc10

lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion
lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion

# Reference: https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
# Reference: https://otx.alienvault.com/pulse/62e3bd0e3cb19a3fe6ea6e03
# Reference: https://www.virustotal.com/gui/file/5fa490668a9963e97d956f9a3b0c746b1d16eee9a73dfba875c9a3dc0e2c0d1b/detection
# Reference: https://www.virustotal.com/gui/file/5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4/detection

139.180.184.147:45532
openjdklab.xyz
info.openjdklab.xyz

# Reference: https://asec.ahnlab.com/en/39242/
# Reference: https://otx.alienvault.com/pulse/633dcf3971af0a0dae3243b7

ppaauuaa11232.cc

# Reference: https://twitter.com/DmitriyMelikov/status/1602239777029476354
# Reference: https://www.virustotal.com/gui/file/3b55624bf812c25712465543d5c0d687f523d3a93f6879817cef93dffef20888/detection
# Reference: https://www.virustotal.com/gui/file/e6ab1b1a253a608785f765d5961694215b39e58ca29e70c5cb3c1ba7a0a1100b/detection

http://195.201.101.146
/12341rgergg435g4tr.exe
/o19wzg.dotm

# Reference: https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel
# Reference: https://otx.alienvault.com/pulse/63ee2eedd11d67c4a0381cb1

iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion

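# Reference: https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign
# Reference: https://otx.alienvault.com/pulse/6401fd791fe902ee4ade8711
# NOTE(review): the first entry below ("lockbit3hc6syym13ki...") contains the digit "1", which is outside the base32 alphabet (a-z, 2-7) used by onion names - possibly a transcription error; verify against the referenced report.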

lockbit3hc6syym13ki2ag5jskr6q5qa3spspjpmtfhh6fufut737zid.onion
lockbit3jx6je7tm6hhm6zzafgy6hpil3ur6jmc2a4ugan7xzztv6oqd.onion
lockbitdvbpfczc3yrs37kpp6avnrgr7yygi2f45qxvef2yqi36lpxyd.onion
lockbitov3afmxgknfhk2o5d4uqrhygd7ty3xqm56qd6zjlu6u43pgyd.onion
poliovocalist.com

# Reference: https://twitter.com/ViriBack/status/1688196757908324352
# Reference: https://app.any.run/tasks/f8631874-112f-4814-b254-8aeede48c829/

23.92.208.51:8080

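# Reference: https://twitter.com/AlvieriD/status/1709558046169477536
# NOTE(review): the name below has 55 characters before ".onion", one fewer than the 56-character v3 onion names elsewhere in this file - possibly truncated; verify against the reference.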

lockbitnotexk2vnf2q2zwjefslhjsnk4u74vq4chxrqpjclfydk4ad.onion

# Reference: https://twitter.com/seguridadyredes/status/1717220865522245837

http://104.237.255.254
http://167.172.239.68
http://185.202.2.121
http://51.15.18.180
http://51.89.134.150
http://52.237.96.13
http://54.38.212.197
http://62.76.112.121
http://82.102.20.219
http://82.202.247.81
tinneatonenessnabobical.com

# Reference: https://twitter.com/MaxRogers5/status/1727115513468469715
# Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a
# Reference: https://otx.alienvault.com/pulse/655de81a14bc690453688560

http://62.233.50.25
http://81.19.135.219
81.19.135.219:443
adobe-us-updatefiles.digital
unattended.techninline.net

# Reference: https://twitter.com/noexceptcpp/status/1734309296245026843

http://142.171.8.34
http://173.82.106.20
/LockBit30.7z
/LockBit3Builder.7z

# Reference: https://twitter.com/banthisguy9349/status/1735226147154112676

http://142.171.8.34
/LockBit-Black-Builder

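# Reference: https://twitter.com/malwrhunterteam/status/1737977329782059408
# Reference: https://www.virustotal.com/gui/file/33af82d0be509833db69893a043da367d7dae216f6b61d96e542ca4546805d7a/detection
# NOTE(review): the names below are not well-formed v3 onion names: the part after "lockbitapt" contains digits outside the base32 alphabet (0, 1, 8, 9) and is longer than a 56-character onion label. Presumably they are kept as strings taken from the referenced sample - confirm.
# NOTE(review): the last entry ends in ".onion.lyy" and differs from the entry before it only by the final "y" - confirm whether it was observed as such or is a typo.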

lockbitapt280e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.onion
lockbitapt4917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2.onion.ly
lockbitapt4917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2.onion.lyy

# Reference: https://25491742.fs1.hubspotusercontent-eu1.net/hubfs/25491742/WAZAWAKA_TLPCLEAR_Report.pdf
# Reference: https://www.virustotal.com/gui/file/a7097aa81d7ded0ba011e056f16b50549801bf4001ad11f20e071b05e7172fac/detection
# Reference: https://www.virustotal.com/gui/file/855720fe77e8a762c59c77a5067ae8c6a6ad12e658073776529e8404ba16f5dd/detection
# Reference: https://www.virustotal.com/gui/file/2459b0ee1091a6e4232da6ae7fe587d81dd24e521f7fd1fc8c2a89c40f78740e/detection
# Reference: https://www.virustotal.com/gui/file/0161731f8500ac724469b01a5f8f2695279cbf05bcad4b3586b090e6a89fdc87/detection

81.17.29.165:443

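# Reference: https://twitter.com/DmitriyMelikov/status/1740472757236998293
# Reference: https://www.virustotal.com/gui/file/f7729a917edefcaabe7545738fb1097ba83e99829dd7a4dc1b1c609da725a0b1/detection
# NOTE(review): the ".onion.ly" entries below are Tor2web-gateway forms of onion names already listed earlier in this file. Unlike bare ".onion" names they resolve over ordinary DNS, so hits can show up in regular DNS and web-proxy logs.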

neverlandserver.nn.pe
lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

# Reference: https://twitter.com/RakeshKrish12/status/1740634433873743965
# Reference: https://www.virustotal.com/gui/ip-address/77.222.57.185/relations

help8888.top

# Reference: https://twitter.com/doc_guard/status/1740748988897243421
# Reference: https://app.docguard.io/957baea98c48a7e8f620b6ad869113eacbc4f14c73e03bf5f9dbc75881e22aed/results/dashboard
# Reference: https://www.virustotal.com/gui/file/957baea98c48a7e8f620b6ad869113eacbc4f14c73e03bf5f9dbc75881e22aed/detection

viviendas8.com
