# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.malware-traffic-analysis.net/2018/07/05/index.html

desjardinscourriel818654.pw

# Reference: https://app.any.run/tasks/9de1c3d6-745d-4b89-b653-f8f4414a40f1

desjardinsmail6as6545g.pw

# Reference: https://twitter.com/James_inthe_box/status/1099365566928760834
# Reference: https://pastebin.com/C5XYY221
# Reference: https://www.virustotal.com/gui/ip-address/77.83.174.70/relations

http://77.83.174.70
77.83.174.70:2077
thedokatrade.com
highnoon2.com
copylanco.com
glekrg.com

# Reference: https://twitter.com/James_inthe_box/status/1079757827030142976
# Reference: https://www.virustotal.com/gui/ip-address/5.45.73.63/relations

http://5.45.73.63
5.45.73.63:2131
donbwh.com

# Reference: https://twitter.com/BroadAnalysis/status/967357851520897024

http://94.242.198.167
ebalodauna1488.com
printscreens.info

# Reference: https://twitter.com/JAMESWT_MHT/status/927523630778650627

bmwfastcar1337.com

# Reference: https://twitter.com/anyrun_app/status/912276794648272897
# Reference: https://app.any.run/tasks/f1a72d72-2e96-4d8b-9ad7-1f74e162d585

overwbuff.com
http://195.123.211.9
195.123.211.9:13378

# Reference: https://twitter.com/JAMESWT_MHT/status/906086386377379845

pudgenormpers.com

# Reference: https://twitter.com/VK_Intel/status/1135507293573931008
# Reference: https://www.virustotal.com/gui/file/11918aadc1e4942a1e458afab5c10971fb87d84b693b2c31f5497aa289fa20da/detection

176.119.30.142:8765

# Reference: https://twitter.com/VK_Intel/status/1143606935373172736

31.7.62.214:443

# Reference: https://twitter.com/JAMESWT_MHT/status/1166106371403763714

179.43.146.90:443

# Reference: https://twitter.com/James_inthe_box/status/1178692652700590085

http://179.43.159.246

# Reference: https://www.fireeye.com/blog/threat-research/2019/10/head-fake-tackling-disruptive-ransomware-attacks.html
# Reference: https://otx.alienvault.com/pulse/5d9378b8f36a91c436c5f93c

track.amishbrand.com
gnf6.ruscacademy.in
backup.awarfaregaming.com
link.easycounter210.com

# Reference: https://habr.com/ru/company/pt/blog/471960/ (Russian)

185.225.17.66:443

# Reference: https://twitter.com/P3pperP0tts/status/1188946654768091136

http://179.43.146.90

# Reference: https://pastebin.com/iqcg0Ys7

http://185.225.19.35

# Reference: http://broadanalysis4.rssing.com/chan-65366183/latest.php

http://91.243.80.120
http://94.242.198.167
179.43.191.122:2259
31.31.196.204:1488
94.242.198.167:1488
ebalodauna1488.com
printscreens.info

# Reference: https://twitter.com/tkanalyst/status/1196033182694379527

http://103.16.228.173

# Reference: https://twitter.com/VK_Intel/status/1196136022658207750
# Reference: https://www.virustotal.com/gui/ip-address/94.158.245.91/relations

94.158.245.91:1488
ololoev.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1199078758298206208

5.181.156.36:1321

# Reference: https://twitter.com/VK_Intel/status/1224647173872193538

gjuauyfhjha.cn
sasggegzui.cn

# Reference: https://twitter.com/JAMESWT_MHT/status/1222152295724593152

103.16.228.173:1488

# Reference: https://app.any.run/tasks/32eeb667-b66b-4dea-b343-ae43941f7b20/

micrdata.com
safuuf7774.pw
wobada.com

# Reference: https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/
# Reference: https://github.com/pan-unit42/iocs/blob/master/NetSupportManager

http://185.163.45.88
http://94.158.245.182
94.158.245.182:443
unclebillswv.com/verisign.php
firstteamcareer.com/user.php
busyserviceinc.com/webdoc.php
edisonlee.net/maildir.phpq
newtontool.ca/wp-contents.php
brotherselectricco.com/host.php
innovativemasonry.net/hostgator-welcome.php
greenheartmed.org/captcha.php
ultraeventgroup.com/wp-element.php
jnachb.com/wp-comment.php
adroitpmps.com/wp-list.php
ledampenergy.net/wp-comment.php
hostfleek.com/backup.msi
alpinehandlingsystems.com/backup.msi
jintsung.cn
4ourkidsky.com

# Reference: https://twitter.com/killamjr/status/1234547286807584773

http://185.163.45.118

# Reference: https://twitter.com/malwrhunterteam/status/1236215722885464064
# Reference: https://www.virustotal.com/gui/file/870972fabfb6c59f1c3959cea9201d3c4d48756585970de869d063ec69983ab8/detection

http://23.227.207.138
23.227.207.138:12233
browserinstallup.com

# Reference: https://twitter.com/jcarndt/status/1241090163008307206
# Reference: https://app.any.run/tasks/b46069d5-ec22-481e-af2b-c14474978f79/

tardigradeventures.com

# Reference: https://www.virustotal.com/gui/file/1a08a65d4199f08d60644f2aee1182d87f29b36d38257239e5c80965ed65e0d1/detection
# Reference: https://twitter.com/olihough86/status/1243561290439839745
# Reference: https://app.any.run/tasks/aa3e41ee-b1c0-4333-939e-e4199c1daa56/

http://5.181.156.14
5.181.156.14:443
covidpreventandcure.com
komnop.com

# Reference: https://unit42.paloaltonetworks.com/how-cybercriminals-prey-on-the-covid-19-pandemic/ (# NetSupportManagerRAT)

covidpreventandcure.com
covidwhereandhow.xyz

# Reference: https://twitter.com/malwrhunterteam/status/1255849588788953088

62.173.145.56:2721
avheaven.icu
bssupport.duckdns.org

# Reference: https://twitter.com/JAMESWT_MHT/status/1260492238758588419
# Reference: https://app.any.run/tasks/0b4ce298-496a-4b15-9e94-0fbbb616422e/

62.173.154.94:2145
avheaven.space
brassaffid.com

# Reference: https://twitter.com/jcarndt/status/1275108512046211074
# Reference: https://app.any.run/tasks/c9e195d3-227c-480a-8515-1cdadcf29485/

membersonlytraining.com

# Reference: https://app.any.run/tasks/cc3ac8a1-394f-4488-89e1-6107017b2360/

http://45.133.245.57

# Reference: https://twitter.com/JAMESWT_MHT/status/1285170628656615424
# Reference: https://bazaar.abuse.ch/sample/8ab3b9367304dccac78095808260417a46c0f37720051592b9a32ba3b030743d
# Reference: https://www.virustotal.com/gui/file/68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345/detection

http://62.173.138.41
62.173.138.41:2071
numienimfe2.com
ysanhumeg1.com

# Reference: https://www.virustotal.com/gui/file/72a908033a308ec5da4e384c2c6efb33405afc50688033849783267e6fb1bddc/detection

http://5.45.74.219

# Reference: https://www.virustotal.com/gui/file/86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b/detection

http://45.133.245.192

# Reference: https://twitter.com/malware_traffic/status/1321482374044069888

http://46.17.106.230
46.17.106.230:3543

# Reference: https://www.virustotal.com/gui/file/8781b76845a95237e38d007e1ce0c5743e3eb95717e13b85a6b2a963cf4c0d2d/detection
# Reference: https://www.virustotal.com/gui/file/5f7f2f6e7ed3cc8243fad060f0b64267ceb629456eab62215847419eb7f4494e/detection

192.169.6.95:3294
http://192.169.6.95
http://45.138.172.158

# Reference: https://twitter.com/cyb3rops/status/1372941834104807426
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/SunBurst/SilverFish_Solarwinds.pdf

mgdsoufjgh4hgba.xyz
nefvnvudygct4.xyz
huntaget.cn
moreeu.cn
moreofit.cn
torpoa.cn

# Reference: https://www.virustotal.com/gui/file/2add4e3f9acd88b53c97989b309bccdf35456c444d7b4436bd0b9b04f1d16cf4/detection

http://88.119.171.110
88.119.171.110:443

# Reference: https://www.virustotal.com/gui/file/672eebccfb00a9a4cc11fec4232eff3c87f7870d1cef4c647d364801cab814ca/detection

http://37.61.213.242
37.61.213.242:2549

# Reference: https://www.virustotal.com/gui/file/45ff625f17a1e9ad65dd94c376034148d6d8eee8a41b1209f566a907f5d6d6c7/detection

http://46.161.40.59
46.161.40.59:3085

# Reference: https://www.virustotal.com/gui/file/c8425cf994f02784d3f8eeb570b6ac1edc5876908b64b40b532e2534a84a19ad/detection

http://62.173.140.217
62.173.140.217:1337
coinduck.duckdns.org

# Reference: https://www.virustotal.com/gui/file/c5962e29f3f752f3fe8ae5cef5022fb819eb8dfad91ba81c9e1ccd44ac8d5fd5/detection

185.156.172.130:2549
fiseddaniret1.com
fiseddaniret2.com

# Reference: https://www.virustotal.com/gui/file/131586137654c8774dc2ba571834e7d20881c53e2e91421fe832159004954ab8/detection

http://1.254.1.1
http://192.64.119.126
visualmultiplicationsinc.club
worktwork3.xyz

# Reference: https://www.virustotal.com/gui/file/013928987cd0092ef2f5de55f2ae076ff67297ccd75bc6a2959eff4301591ddf/detection

findmemolite.com
dvqyswmvahrqd.cloudfront.net

# Reference: https://github.com/pr0xylife/NetSupportRAT/commit/8ce0fa44a9a9c899031dc3340f23aa601e3ffeaa

http://5.252.178.213
contentcdns.net

# Reference: https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee
# Reference: https://www.virustotal.com/gui/file/552f65f0ae7b001df20dc2875b136f55669daa09ba02d10d9b688a3511cbb4ca/detection
# Reference: https://www.virustotal.com/gui/file/ccc0204486cbf8b6db43711ddf8d847cfc15d5f713c60b53c461c4e4eeeb1a4f/detection
# Reference: https://www.virustotal.com/gui/file/617c331b65e0d26e1e64a04f06555891e719b578fd2bdc41065458176821f0c1/detection

http://149.28.68.114
http://194.180.158.173
http://45.76.172.113
http://45.77.87.77
http://5.252.178.213
http://87.120.8.141
aasdig8g7b448ugudf.cn
asaasdivu73774vbaa33.cn
businessaudit.tax
hlmequipment.com
mixerspring.cn
nsncasicuasyca831cs3vvz.cn
sjvuvja.com

# Reference: https://twitter.com/idclickthat/status/1550876054440509445
# Reference: https://www.virustotal.com/gui/file/4a6e542f77e622f7084e5b5bddab43ae4e80a07ade56e3063e3959fd03040dd0/detection

http://95.217.35.62
95.217.35.62:1337
pokemongo-nft.io

# Reference: https://github.com/0xToxin/Malware-IOCs/blob/main/Riskware/Riskware%20-%2008082022
# Reference: https://www.virustotal.com/gui/file/080fa496d57ca79f09b2717b384a3a34080bbfcef8a1198bbea1901e4b571991/detection

http://108.61.207.16
108.61.207.16:49760
telemetry-cdn-ny.com

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2022-08-16%20NetSupport%20RAT%20IOCs

http://23.88.96.2
asdbgbwi8ww.icu

# Reference: https://twitter.com/pollo290987/status/1561042448683618304

http://151.236.14.69
7nt.at

# Reference: https://twitter.com/0xToxin/status/1558007700180582400

duvje6egvuas.com
sdhbuh474jhguakfi3jgh3.cn

# Reference: https://github.com/executemalware/Malware-IOCs/commit/5db274edcb157e7d003c1201211674b6bc140fc2

http://78.47.32.144
asdjdoo3vsd.icu

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2022-08-22%20NetSupport%20RAT%20IOCs

http://167.235.67.199
ghev.top
tojh5roh4.top

# Reference: https://twitter.com/mojoesec/status/1561805273651617793

52226asdiobioboioie.com
jjdfu.fun

# Reference: https://twitter.com/phage_nz/status/1562229369669828608

aisdyhvuekmfa33.cn
dfuy.fun
iurb.top
sdfijiusgydygbugjsadifr.com

# Reference: https://twitter.com/pollo290987/status/1562535463251898369

asdbjhsdf63.cn
rijd.fun
sadvi8ejvas.icu
sdsdfnjdsfhis6g4fr.com

# Reference: https://tria.ge/220829-t7q4vacahl/behavioral2

adhkjdlkasd.icu
riut.top

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2022-09-08%20NetSupport%20RAT%20IOCs

ghvab.xyz

# Reference: https://twitter.com/pollo290987/status/1568312124799176704

http://103.153.183.74

# Reference: https://twitter.com/pollo290987/status/1570114932041043972

http://94.130.179.90
fbueg.top

# Reference: https://twitter.com/pollo290987/status/1572284261721591808

http://78.47.255.163
eruge.xyz

# Reference: https://twitter.com/pollo290987/status/1573375977178234881

http://88.198.178.95
fygba.fun

# Reference: https://twitter.com/pollo290987/status/1574770057460211712

http://78.47.81.171
gunbj.top

# Reference: https://twitter.com/nosecurething/status/1574939506566135809

fhb7dhb8z84ehg.xyz
rgkiboinas.men
sdgjoujhbsiuhdisd.com

# Reference: https://twitter.com/pollo290987/status/1576941098483998722

http://75.102.34.39

# Reference: https://twitter.com/pollo290987/status/1578047035793711110

http://23.88.52.251
db8ew.top

# Reference: https://twitter.com/pollo290987/status/1580579019543568385
# Reference: https://twitter.com/phage_nz/status/1592273345185468416
# Reference: https://tria.ge/221114-1cg11sab4z/behavioral1
# Reference: https://www.virustotal.com/gui/file/2a968ae38c10430c37a108f6919d0d5eb4e8e10415f927437a051e1fbd3ae7d4/detection
# Reference: https://www.virustotal.com/gui/file/157b4754d3cc372bb4b236c37036eb0729cff6bba01220f3d0cc1c9f340d68ea/detection

176.113.115.91:2145
31.41.244.112:2145
89.185.85.44:2145
89.208.103.208:2145
8ltd8.com
npinmclaugh11.com
npinmclaugh14.com

# Reference: https://www.virustotal.com/gui/file/05bb07f3dfae2584a5f6382f23ba58bbea9feeea01509c446a1c75e47a9dfa13/detection

http://140.82.15.232
140.82.15.232:2970

# Reference: https://www.virustotal.com/gui/file/498d6c9301e100f9b7752a6ee34b6873747efa876a9767f51c8eb8dd6a2ff63a/detection

http://116.202.22.58
sdfuubw.icu

# Reference: https://isc.sans.edu/diary/rss/29170
# Reference: https://otx.alienvault.com/pulse/6352a4f01abba547918c8a4d

http://176.124.216.159
176.124.216.159:5511

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2022-10-26%20NetSupport%20RAT%20IOCs

she32rn1.com

# Reference: https://www.virustotal.com/gui/file/bfa0f0a9d939eb766c9fd81be03e3b2cd4ed43b977832a21e73156a7201ff1ed/detection

http://193.106.191.152
185.158.251.35:4421
193.106.191.152:4421
dcejartints16.com
dcejartints17.com

# Reference: https://github.com/pan-unit42/tweets/blob/master/2022-12-28-IOCs-for-NetSupport-RAT-infection.txt

http://89.185.85.44

# Reference: https://www.virustotal.com/gui/file/058118f80fc1a977d07f012560d2ca6109709d20ba6a81e017f294f6e37f2f28/detection

151.236.14.69:2940
pinustamilbe10.com

# Reference: https://twitter.com/x3ph1/status/1612583145257275392
# Reference: https://twitter.com/x3ph1/status/1612636188212338690

gkdkr.icu
gubje.top
noinmsyvhruhjbi4hs.cn
sdvubjser.top

# Reference: https://www.virustotal.com/gui/file/e0f1dc2d0d42622578b3d4e609a5f428edcc41273c60640711f092570cda132c/detection

http://142.132.188.48
fasfybue.icu
rgkiboinas.men

# Reference: https://twitter.com/BroadAnalysis/status/1613255257789693953

http://94.158.244.38
52226asdiobioboioie.com

# Reference: https://www.virustotal.com/gui/file/12d2c229d192506c13f8dfbb5e9edb5b9b369a6e0b5ddc7cb2647d02d7fcdae5/detection

http://194.180.174.152
194.180.174.152:1203
pro1vin7ce.top

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-01-27%20GoogleAds_NetSupport%20RAT%20IOCs

http://185.161.210.23

# Reference: https://twitter.com/dlevyny7/status/1619081793344512000
# Reference: https://www.virustotal.com/gui/ip-address/185.161.210.23/relations
# Reference: https://www.virustotal.com/gui/file/8301d30f35705f82c85b56c51fc9f79f9071c3cb3e984b9c55aefe98b830cfc6/detection

anydeks-access.com
mindamiedolis19.com

# Reference: https://twitter.com/1ZRR4H/status/1620141013686968320

http://176.124.216.31

# Reference: https://twitter.com/crep1x/status/1620542075082260480
# Reference: https://tria.ge/230131-z4s2xscd3t/behavioral2

any-desk-app.life
audacity-app-official.site
canva-app-official.site
handbrake-app-official.site
ledger-app-official.site
libreoffice-app-official.site
teamviewer-app-official.site
tronlink-official.site
dkimqwertyasd.com
harddrystamp.com

# Reference: https://twitter.com/Iamdeadlyz/status/1626286424713736194
# Reference: https://www.virustotal.com/gui/file/2bee969bf4dd2fc0e5b6de9f835a037b486fe6f599ec20485231710b06033837/detection
# Reference: https://www.virustotal.com/gui/file/84520291f6556c00cb44314d2994037e0b098bc97c73826c6b6d3e03564b243d/detection

http://89.107.10.44
89.107.10.44:9999
arponet.duckdns.org

# Reference: https://twitter.com/Iamdeadlyz/status/1626286411879190528

http://195.133.197.185
pokemoncards-nft.com

# Reference: https://twitter.com/AnFam17/status/1628995393143832576

94.158.244.118:1203

# Reference: https://twitter.com/nosecurething/status/1631005059302522900

dssdgihbiuieyygvkdsiy4.cn
gunhdr.top

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-03-09-v10262/351

gybvhxu.top
itugbjhb.xyz

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-03-23%20NetSupport%20RAT%20IOCs

http://116.203.241.111
dirjbrb.fun
dvjurtt.top
sdfojbeufibibsuu8u.cn

# Reference: https://twitter.com/JAMESWT_MHT/status/1641700979434217475

glorrytertyds1.com
glorrytertyds15.com
howcankfhns.com
ktalarisa18.com
ktalarisa19.com
plshaquntarav31.com
plshaquntarav32.com
uzurtela1.com
uzurtela42.com
xjmko311.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1641714810696998916

http://51.195.53.204
dcanalirder12.com
dcanalirder15.com
jalalymola11.com
jalalymola17.com
mindamiedolis20.com
whatulookingat.duckdns.org

# Reference: https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html
# Reference: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising/ioc-new-opcJacker-malware-distributed-via-fake-vpn-malvertising.txt
# Reference: https://otx.alienvault.com/pulse/6424417d4f7e34fdcc85af29

alle13net1.com
alle13net2.com
comes1.com
comes2.com
gattri1.com
gattri2.com
installer-xvpn-g.site
installer-xvpn-h.site
installer-xvpn-k.site
installer-xvpn-n.site
irbxvpn.site
irexvpn.site
irfxvpn.site
irhxvpn.site
irixvpn.site
irkxvpn.site
irqxvpn.site
irtxvpn.site
iruxvpn.site
irwxvpn.site
manigiajabae32.com
manigiajabae35.com
neskrab1.com
neskrab2.com
nesupcli.com
uhcoxvpn.site

# Reference: https://twitter.com/1ZRR4H/status/1643512391940952064
# Reference: https://www.virustotal.com/gui/ip-address/162.33.178.129/relations

http://91.107.198.110
gsdgtruhu45.cn
irejhg.fun
retbr.fun
tumnt.top

# Reference: https://www.virustotal.com/gui/file/12e68953eac99f92a4bad4dc8263fd21837a119ec3830569c3f6205b2bc4726c/detection

rtern.top

# Reference: https://www.virustotal.com/gui/file/12e68953eac99f92a4bad4dc8263fd21837a119ec3830569c3f6205b2bc4726c/detection

dfrgb.fun

# Reference: https://twitter.com/abuse_ch/status/1646397352469577728
# Reference: https://www.virustotal.com/gui/file/26cad4ec29bc07d7b2c32c94dbbef397391babf1c78cc533950b325aaf11bba8/detection

http://79.137.207.54
79.137.207.54:5222
balbalz1.com

# Reference: https://twitter.com/StopMalvertisin/status/1648223628067237890
# Reference: https://twitter.com/souiten/status/1648250631600373760
# Reference: https://www.virustotal.com/gui/file/e927e79de25207d548965e90ec87c26021b9549b5108ac0de99cc9c85556841b/detection

http://87.251.67.111
87.251.67.111:1935
glazgo141.com
glazgo142.com

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-04-17%20NetSupport%20RAT%20IOCs

http://23.88.125.55
erbieiv.top
rubjbz.fun
ssgdubuerx4.cn

# Reference: https://twitter.com/pollo290987/status/1653139934956363777
# Reference: https://twitter.com/pollo290987/status/1653486646774362112
# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-05-01%20NetSupport%20RAT%20IOCs
# Reference: https://www.virustotal.com/gui/file/e3d142307cbbf3d0d8eac76364993e52833d1ba7318a9ca93dc7f950c49e8ec5/detection

http://195.201.237.50
eduvu.top
erigb.top
sdjbizirebz.cn

# Reference: https://twitter.com/pollo290987/status/1653796442723475458

asdyg.fun
dsauvsiv.top

# Reference: https://twitter.com/pollo290987/status/1654206717251530753
# Reference: https://www.virustotal.com/gui/file/026d17e445821b1d208cb399f451f688f2ba1882a0596661c5d728213aa70e18/detection

http://193.233.232.218
http://89.22.237.94
89.22.237.94:5222
blahadfurtik.com
blahadfurtik2.com

# Reference: https://www.virustotal.com/gui/file/2ba36fbdb1ade985521f651d2fef8667b788658b87423297fddb88f70fbbd411/detection

http://79.137.203.68
79.137.203.68:5222
hdwarframebot.com

# Reference: https://twitter.com/pollo290987/status/1654357341314117633

dsauvsiv.top
erivhx.fun

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-05-04%20NetSupport%20RAT%20IOCs

dubhd.top

# Reference: https://twitter.com/pollo290987/status/1654540593756872706

http://45.138.74.89

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-05-08%20NetSupport%20IOCs
# Reference: https://www.virustotal.com/gui/file/9488e05b2be4ef6494ed61a15246de5a1b9e2e7a1673c660a35a162a4e29f339/detection

http://94.130.187.192
pruvb.fun

# Reference: https://twitter.com/pollo290987/status/1658540867840270337
# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-05-15%20NetSupport%20RAT%20IOCs

http://128.140.14.43
sdfhr.top
tryxe.fun
sasfyvuaseyzzs.cn

# Reference: https://gist.github.com/kirk-sayre-work/1a7ec92ab9018ffac71ee5826de9aba8

http://193.233.233.92
http://91.193.43.96

# Reference: https://twitter.com/JAMESWT_MHT/status/1658779419043942402
# Reference: https://www.virustotal.com/gui/file/d885b84d8d8059451a119b32d164280284d428350d2bfcfaf7b84f1b2223a42a/detection

176.124.198.7:5222
alnama.net/realty/license.php
itsupportadminguy.info/itsurjia/homeps.php
/itsurjia/homeps.php

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-05-18%20NetSupport%20RAT%20IOCs

rszee.top

# Reference: https://threatfox.abuse.ch/ioc/1119451/

77.105.146.153:5222

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-05-23%20NetSupport%20RAT%20IOCs

http://5.75.145.41
ergtu.top
reubhh.fun
sertte56gzxes.cn
/rt.php?i=NOT-A-RESEARCHER

# Reference: https://tria.ge/230526-gyq19sea99/behavioral11

91.215.85.180:5222

# Reference: https://twitter.com/JAMESWT_MHT/status/1662371119532318720
# Reference: https://tria.ge/230527-hj77nsba65/behavioral2
# Reference: https://www.virustotal.com/gui/file/faf9b23508c4445bf9017cacb3b4f08f39d0cd0cd48cc17156320abb6083d9c7/detection

http://188.227.59.169
http://80.66.88.143
80.66.88.143:1935
golden-scalen.com
xoomep1.com
xoomep2.com

# Reference: https://twitter.com/doc_guard/status/1668890440324579329
# Reference: https://www.virustotal.com/gui/file/7e9362b520bf227bfa1c152710b76b7ff83f41f4a7cae42bbb3cfa1473bb0edc/detection

http://91.107.213.253
sizie.fun

# Reference: https://www.virustotal.com/gui/file/0ab1ccca6453218c59fbff6aa2af85ec62a790bcf18426a86f12ba5fe9ed96b3/detection

asuxtp.fun

# Reference: https://www.virustotal.com/gui/file/2817e17cbaa3588d1f1d8fb8a371489693bbdea53a05a34fac71b41bf91e7081/detection

fyzyxe.top

# Reference: https://twitter.com/FirstWatchCyber/status/1678473223678074882
# Reference: https://www.virustotal.com/gui/ip-address/143.244.162.145/relations
# Reference: https://www.virustotal.com/gui/ip-address/157.90.249.226/relations

asfgze.fun
digibi.fun
regibd.fun
sdguzx.fun
ahmgbgjhdlmmlnf.top
cmbefalcljjblia.top
deediinlfifelek.top
ejhbmdagngcglaf.top
jenililhdcaegeg.top
kiknaijcgclkdnl.top
knifdjhlkchdaic.top
nbjhllilknbjldk.top

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-07-13%20AsyncRAT%20IOCs

prigze.top
zegfze.top

# Reference: https://gist.github.com/kirk-sayre-work/f9748c3cae156b56a0751679085b3f8e

bisiv.top
dubpv.top
eovze.fun
igsufb.top
izrvb.top
lvuse.top
lvvmze.top
sdifiv.top
tvfzie.top
vizhez.top

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-07-24%20AsyncRAT%20IOCs

rigjz.fun

# Reference: https://twitter.com/abuse_ch/status/1685911335719100416
# Reference: https://www.virustotal.com/gui/ip-address/176.111.174.101/relations
# Reference: https://twitter.com/JAMESWT_MHT/status/1685921789539389440
# Reference: https://twitter.com/JAMESWT_MHT/status/1685923203141582848
# Reference: https://www.virustotal.com/gui/file/37cb07ef75c90beb2af9df3faf02283c71ef48cbffce24bcd46049b38939d26b/detection
# Reference: https://www.virustotal.com/gui/file/5e6c05f47399616a63798cb40df75b90912f3dffa84b310ee26db960fc62522f/detection
# Reference: https://www.virustotal.com/gui/file/b75b778b3ca3698225351e0e36376be5da90ec890f4dcf5db970a1f08d8ed37c/detection

http://95.179.150.54
http://95.179.189.207
95.179.189.207:1313
95.179.150.54:1315
95.179.150.54:1414
archivde.xyz
luckyday0728.org
sambireact1.com
sambireact2.com
unclesrug31.com
unclesrug32.com
yeah07.online

# Reference: https://www.virustotal.com/gui/file/c395a71bfd66e923a94cbdc32e5257e51e43b3262bdbd2c75afb36fefed9f3b8/detection

http://94.158.247.27
94.158.247.27:5051
conluase62.com

# Reference: https://twitter.com/x3ph1/status/1686554084294152192

94.158.247.23:5050
magydostravel.com

# Reference: https://www.virustotal.com/gui/file/6318e4335b1098781e35d7464d20b7f92015e86f21c5aad3147e18d6bf9bba7d/detection

http://94.158.244.41

# Reference: https://www.virustotal.com/gui/file/18f2356888cd0909399b77211c732a3f808b06b4fd740e32c5e8105193296706/detection

http://91.215.85.176
91.215.85.176:5222
norominis1.com
norominis2.com

# Reference: https://bazaar.abuse.ch/sample/f5f167423d31cdd7e742d6ae85d6170f26203ec7496d4e098f9e16f40e864c0a/
# Reference: https://www.virustotal.com/gui/file/f5f167423d31cdd7e742d6ae85d6170f26203ec7496d4e098f9e16f40e864c0a/detection
# Reference: https://www.virustotal.com/gui/file/845087bb407b34d8003174a3b63b6c50c7ab4b13ef81636b8344740bb7a8559c/detection

http://185.225.75.33
185.225.75.33:443

# Reference: https://bazaar.abuse.ch/sample/933861b75227a3f4727b5872fa9da1b049e420632f8a9198987e8bfbaf7da9e6/
# Reference: https://www.virustotal.com/gui/file/5ffb5e9942492f15460e58660dd121b31d4065a133a6f8461554ea8af5c407aa/detection

http://45.15.158.212
45.15.158.212:1412
jokosampbulid1.com
jokosampbulid2.com

# Reference: https://twitter.com/malware_traffic/status/1691546307683352576
# Reference: https://www.virustotal.com/gui/file/de3d0a11dec2e3b4afce991a690024e96dca389f8a0a3c6a65b559c9f1c12d59/detection

http://94.156.6.111
94.156.6.111:443
xcelcareers.com

# Reference: https://twitter.com/1ZRR4H/status/1692484935947563405
# Reference: https://www.virustotal.com/gui/ip-address/64.52.80.202/relations

eyftze.top

# Reference: https://www.virustotal.com/gui/file/38669dd5ccced3c29f3eb6bad7a04fbdc2cc81ea6f7c76b03cf1c4fee6c5f3f0/detection

http://185.163.45.36
185.163.45.36:5051

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-08-22%20AsyncRAT%20IOCs

rigujze.fun

# Reference: https://www.virustotal.com/gui/file/00c9a25198c62d243549a458be44f24a71bc999bdb279fc6336ddedeccf637a1/detection
# Reference: https://threatfox.abuse.ch/ioc/1152573/

http://79.137.205.69
79.137.205.69:3725
falafelgoo1.com

# Reference: https://www.virustotal.com/gui/file/cf4b26813e325da0c821da65e1417bea0045f8349204518b58381609b6662803/detection
# Reference: https://www.virustotal.com/gui/file/8d0f88f0a641392f67dcba2a15d18dc3023bc3de35d6ed6e4664948ed928d36e/detection

http://94.158.244.56

# Reference: https://www.virustotal.com/gui/file/9f5feccfcce9d5a6af03e983c7fce6a38cf40fd0cfc518a612c696c572ba2fd5/detection

http://139.60.163.37
139.60.163.37:2940
pinustamilbe12.com

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-08-29%20AsyncRAT%20IOCs

easdiv.top

# Reference: https://twitter.com/0xToxin/status/1697254384932184572
# Reference: https://app.any.run/tasks/fc8794c8-ef16-4102-9be4-70b5745c08ab/

zpeifujz.top

# Reference: https://gist.github.com/kirk-sayre-work/f3ff9633cea04c7eed5f00962a6a666d

docusec.top
eividsy.top
euuvua3.top
fahzza.fun
fiauta.top
fuzuci.top
prizba.top
rubize.top
saifozi.fun
sdfuzien.top
secdoct.top
sevyr.top

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-08-31%20NetSupport%20RAT%20IOCs
# Reference: https://www.virustotal.com/gui/file/d4f6598a76b92b919bccac6394429a94e7e28da1a86d53e3cd5b204e9c9dc8a8/detection

http://5.252.177.126
http://5.252.178.51
5.252.177.126:443
5.252.178.51:443

# Reference: https://www.virustotal.com/gui/file/9101403bb729cabebd79206aad130293890154cd7a6fba3417471a645ea3ef25/detection
# Reference: https://www.virustotal.com/gui/file/1b74c1fcbe83096cd703bfe9343163894f3a0a83c3708edf97fac42c43ebee83/detection

http://5.42.82.229
http://79.137.205.69
5.42.82.229:3725
79.137.205.69:3725

# Reference: https://www.virustotal.com/gui/file/343d63ff67300da163c035fd16eeaf73ca0d8b472725be1cf501addbc205c487/detection

79.137.202.177:3725

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-09-05%20AsyncRAT%20IOCs

sdfuvy.top

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-09-07%20AsyncRAT%20IOCs

ehxevg.top

# Reference: https://threatfox.abuse.ch/browse/malware/win.netsupportmanager_rat/ (# 2023-09-10)
# Reference: https://www.virustotal.com/gui/file/cc625f2839019ee79af16b580a5248ea119e1a69411cd7498e68d0fb93257f32/detection

http://5.39.110.142
http://5.79.72.218
http://91.92.242.229
5.39.110.142:1770
5.79.72.218:1770
91.92.242.229:443
pkvithtosh11.com
pkvithtosh17.com

# Reference: https://www.virustotal.com/gui/file/6a507c4b04ecd8052a518e77c2cadaf32b89018ae7bc7857b0b799c82c8fe23b/detection

http://185.163.46.93

# Reference: https://www.virustotal.com/gui/file/4a9f42167f399abfbb42a5ee4d52922eb3f7f1ce88d23824f01d13e50609b8b9/detection

http://94.158.245.150

# Reference: https://www.virustotal.com/gui/file/c38c08aa33317d483b8c3f2572189deffd054a8805d463ef2437d4e7aa458436/detection

http://95.216.186.137
95.216.186.137:2701
dmforinenam17.com
dmforinenam18.com

# Reference: https://www.virustotal.com/gui/file/1a011068e00ff24aaef338efc5d21f51abbf47cf1f1006b1b79c78bc84b1d3c6/detection

http://5.252.178.48
5.252.178.48:443

# Reference: https://threatfox.abuse.ch/ioc/1183943/

http://5.252.177.214
5.252.177.214:443

# Reference: https://threatfox.abuse.ch/browse/malware/win.netsupportmanager_rat/ (# 2023-10-12)

http://5.252.177.111
5.252.177.111:443
sdjfnvnbbz.pw

# Reference: https://twitter.com/reecdeep/status/1715053326859895210
# Reference: https://www.virustotal.com/gui/file/c418c883f8d85ed6de3ca033f925c29bf5f5ef4926d62e04d61b6c015dbeb841/detection
# Reference: https://www.virustotal.com/gui/file/d4085ca36709f3b3a2d5a38cba70fbcd439dbc3be024c29829bfa10d8ef44f53/detection

orivzije.top

# Reference: https://twitter.com/x3ph1/status/1719115004530581756
# Reference: https://www.virustotal.com/gui/file/18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d/detection
# Reference: https://www.virustotal.com/gui/file/2725bdb19861c6bd2d4156040473da04abe32c8701e6a7d0cbeeca8425127c10/detection

http://185.163.47.243
185.163.47.243:443

# Reference: https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
# Reference: https://www.virustotal.com/gui/file/b910500a9fce47fa4db13b2ad2aea72f20df4743a66b6099fb4b9a4d71912e50/detection

http://79.137.206.37
79.137.206.37:133
wsus-isv-internal.tech
wsus-isv-local.tech

# Reference: https://twitter.com/JAMESWT_MHT/status/1719446999420846529
# Reference: https://www.virustotal.com/gui/file/2a2d79f2b08ecfc76c536c2c9f17922f8272ada7ee318e359529a38d769973ac/detection
# Reference: https://www.virustotal.com/gui/file/f21aea9606f94eba27674cfb40a4aeccd5c73577a3997e4687accc63eaa2efa7/detection

sduyvzep.top
/m0t3hg0h8uyx
/wsjdfghd

# Reference: https://twitter.com/reecdeep/status/1720122106854166900
# Reference: https://app.any.run/tasks/5139943d-a620-4a3b-a062-264460825126/

lzlzy4e.top

# Reference: https://threatfox.abuse.ch/browse/malware/win.netsupportmanager_rat/ (# 2023-11-07)

http://185.163.47.137
http://5.181.156.60
http://91.92.242.5
185.163.47.137:443
5.181.156.235:443
5.181.156.60:443
91.92.242.5:443
91.92.244.196:443
91.92.247.248:443

# Reference: https://www.virustotal.com/gui/file/48ff224a396a4583990cb16a88a555817bff10ffbd85597ad941c6d2f5e78dda/detection

speedsupport.duckdns.org

# Reference: https://twitter.com/JAMESWT_MHT/status/1727335614805078515
# Reference: https://www.virustotal.com/gui/file/3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b/detection

http://185.225.17.47
185.225.17.47:136
glaciecrw.cfd
huggertlow.top

# Reference: https://twitter.com/1ZRR4H/status/1731019006318985352
# Reference: https://www.virustotal.com/gui/file/0fdc3d43677d406fb68b434d25a5757f5981ecc19ec616f8ddcd9126ba548014/detection

46.149.74.125:1061
andater393.net
svanaten1.com
svanaten2.com

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-12-22%20AsyncRAT%20IOCs
# Reference: https://app.validin.com/axon?source=DNS&zone_filter=top&limit=100&type=ip&find=206.166.251.17

prozvegz.top
sossoshn.top
ruzivre.top

# Reference: https://www.virustotal.com/gui/file/01caca23428e0f6d56feda4b411d989f4b0c8ad4dd28664f5f2b7de428b76004/detection

http://194.38.21.53
194.38.21.53:1203

# Reference: https://threatfox.abuse.ch/browse/malware/win.netsupportmanager_rat/ (# 2024-01-24)

136.244.108.223:1411
152.89.218.212:443
185.163.46.93:443
185.26.239.180:443
45.61.147.162:3301
45.67.230.205:443
5.181.156.45:443
91.92.245.80:443
94.158.244.56:443
94.158.245.150:443

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2024-01-23%20NetSupport%20RAT%20IOCs

hsdiagnostico.com

# Reference: https://twitter.com/1ZRR4H/status/1750170408463008120
# Reference: https://www.virustotal.com/gui/file/a04f3d2be0b51c4c302bc4b881ee6c6b507bc432272fc37d7c531060607e7932/detection

blawx.com/letter.php
defigmi.com/1/GetData.php
core-click.net
helasirasi.com
helasiras1i13.com

# Generic trails

/iplog/newg.php
/JSX/testpost.php
/fakeurl.htm
