# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.virustotal.com/gui/file/06e3abeed1bc98ed56d5587e9732c9d39ea41879c250dff68ce8815953fcf7ad/detection

196.217.98.188:8080
liouas.ddns.net

# Reference: https://www.virustotal.com/gui/file/ed91f9fee04d08dc613e56eedf98b8c56a6e1e6be8ff3f29360550a2ef98c886/detection

91.193.75.132:2343
2343.hopto.org

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2023-01-10%20XWorm%20IOCs
# Reference: https://www.virustotal.com/gui/file/a86d61c62ad71f43dc2ad27a876ddccffab8d038d1f8b70248f4d4586c64d1ea/detection

su1d.nerdpol.ovh

# Reference: https://twitter.com/c_APT_ure/status/1621579054888501249

147.185.221.223:30420

# Reference: https://www.virustotal.com/gui/file/e6bf87ec571628e096e6505ee87f617f594ed7664782bf4f82810be28028147b/detection
# Reference: https://www.virustotal.com/gui/file/e58026e101ae93162cbf114997a2a2c78a80adfb6e6469823dd0d90572cef140/detection

154.12.234.207:7000
207.244.236.205:7000
mywormtwon.ddns.net
wormxwar.ddns.net

# Reference: https://twitter.com/InQuest/status/1626758679843205120
# Reference: https://twitter.com/Gi7w0rm/status/1626763227643224064
# Reference: https://tria.ge/230218-b9ngmaad96/behavioral2

45.139.105.105:7000
stanthely2023.duckdns.org

# Reference: https://www.virustotal.com/gui/file/2b786b8895d814c5d825f4eac99b009eb6aa16f66f6e5191b023e4ebc99fda66/detection
# Reference: https://www.joesandbox.com/analysis/811606?idtype=analysisid#iocs

209.145.51.44:7000

# Reference: https://twitter.com/suyog41/status/1631191121660444674
# Reference: https://www.virustotal.com/gui/file/098c9ebce4811fd2bb86654911581f21eb473f7afd5d27f7c09db57d5bfc1b62/detection
# Reference: https://www.virustotal.com/gui/file/aca8bf1de89203e445270f3cc76b3eaf9190b57fa35ef0d4425528ee639366cb/detection

209.25.140.180:38979
209.25.141.180:38979
according-psp.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/a7c707d2409f0190693aa7a7223c2576262b5bcd9da42ff5c3b375826c32b222/detection

91.193.75.191:55443
vcmkpl.duckdns.org

# Reference: https://twitter.com/petrovic082/status/1638652084492070912
# Reference: https://app.any.run/tasks/500f883b-fe97-44e1-a87f-67101bd0c30c/

95.214.24.38:5000
updateccdata.duckdns.org
urlcallinghta6.blogspot.com

# Reference: https://twitter.com/ScumBots/status/1639388448967766016
# Reference: https://www.virustotal.com/gui/file/01407e324f0b8090467eded47a97acbdb3ef42d0f12820cd57b0bc5b87ffe510/detection

181.141.1.67:3737
wormsito.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3964d69f2a321257a8a745aa9583eaed3cb53c070f79eba3945f6506dda0a2cb/detection

31.220.76.124:2137

# Reference: https://twitter.com/phage_nz/status/1653173706951397376
# Reference: https://www.virustotal.com/gui/file/5814ab23cf46820a0f911fac078dbe77a521ee36722ae2ac313c54c04e0c5601/detection

141.98.6.220:7001

# Reference: https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/
# Reference: https://otx.alienvault.com/pulse/64624bf528c55e0976f2bf71

kbowlingslaw.com

# Reference: https://twitter.com/suyog41/status/1671102046324269059
# Reference: https://www.virustotal.com/gui/file/22af50c2e5d1f1efcf96e317c22af9bbf6f31705c7575454e6314eaf7d131929/detection
# Reference: https://www.virustotal.com/gui/file/6671bd81d7714bbfd2189dd1642ae4c3789c02e06c5afaad1e26c3632974b124/detection

167.94.81.75:63434

# Reference: https://www.virustotal.com/gui/file/128a56ddbecc3d569646730bdccce1c045479122061f4d0feb8ec24670374eb2/detection

213.152.161.240:58538
notaire8081.duckdns.org

# Reference: https://twitter.com/suyog41/status/1678763978925932544
# Reference: https://www.virustotal.com/gui/file/331549b24c0e2eefd56c4dc74806aeaeab706fee5ddb019763330c811b6fb9e0/detection

194.59.31.105:7398
85.208.139.131:222

# Reference: https://threatfox.abuse.ch/ioc/1139291/

173.249.196.39:7092

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/

149.102.231.91:5000
20.125.118.35:7000
3.69.115.178:14042
zoer12.dns.army

# Reference: https://twitter.com/JAMESWT_MHT/status/1683405358272839680

stores-anytime.at.ply.gg

# Reference: https://twitter.com/g0njxa/status/1685615126412414976

51.107.0.117:4954

# Reference: https://twitter.com/ScumBots/status/1685849690221199360
# Reference: https://www.virustotal.com/gui/file/72ab332da034bd819d83d26272974048b24de773a3440d641202872161b3e514/detection
# Reference: https://www.virustotal.com/gui/file/a4ea9aac544248e1346d88e3c93fbc6973419ff7ce5266c7cb00be39518f1f11/detection

173.0.60.172:7000
dapperdesigns.for-better.biz

# Reference: https://www.virustotal.com/gui/file/52634ade55558807042eae35e2777894e405e811102e980a2e2b25d151fde121/detection

167.235.75.225:8895
momentmoney79.duckdns.org

# Reference: https://www.virustotal.com/gui/file/f03e6bd8d447536298483d8b57996e966c2a26baea8caa12fbca52300151edae/detection

108.62.118.133:9734

# Reference: https://twitter.com/AnFam17/status/1687723698273595393
# Reference: https://www.virustotal.com/gui/file/2951cb766b89f9e3e65902fec634ed924168629f2dd3a178ba753e66ce4be73f/detection

http://173.249.39.21
173.249.39.21:5000

# Reference: https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter

http://95.214.27.17
95.214.27.17:8972
churchxx.ddns.net
freshinxworm.ddns.net

# Reference: https://www.virustotal.com/gui/ip-address/179.13.3.110/relations

apploak.duckdns.org
datosinfomativos12.duckdns.org
desdetre.duckdns.org
estrenos12q.duckdns.org
fantasmas145.duckdns.org
misdominios2024.ddnsguru.com
misterios140.duckdns.org
mistersalsa12.duckdns.org
newera2011.duckdns.org
xwormejor12.duckdns.org

# Reference: https://www.virustotal.com/gui/file/3b5fc5f386c9dbbb93c2b1d5b33feaca132e9eb53744a495c75e76a6921c3ebc/detection

103.47.144.14:6644

# Reference: https://www.virustotal.com/gui/file/76e382de0ea4dbd364ac8d9878e0b419d6a8d3536de3b6ca36ee38d335e3446c/detection

209.25.140.212:48414
209.25.141.212:48414
209.25.142.212:48414
is-crawford.at.ply.gg

# Reference: https://twitter.com/Gi7w0rm/status/1694139192379334803
# Reference: https://tria.ge/230822-3m8ylahf9w/behavioral1

209.25.141.180:48892
209.25.141.181:40625
209.25.141.211:49826
209.25.141.223:45283
180.ip.ply.gg
miles-c.at.ply.gg
topics-junior.at.ply.gg

# Reference: https://twitter.com/suyog41/status/1694215167729598470
# Reference: https://www.virustotal.com/gui/file/dcc9780ce890c8caf79e5f3147cacd14b1f4e06c307e3bdfc8903ff2dfd90c19/detection

185.179.218.240:8081

# Reference: https://www.virustotal.com/gui/file/dc6f4ca2f9b7de5f3e7f9bb25dffd1d89043f1db95537908c0d59ae7e025d3d9/detection

83.143.112.45:7000

# Reference: https://twitter.com/petrovic082/status/1695718494451458242
# Reference: https://twitter.com/petrovic082/status/1695719606093054213
# Reference: https://app.any.run/tasks/3a32eeca-6c15-4100-b901-d8d92255f640/

88.229.76.29:8080

# Reference: https://www.virustotal.com/gui/file/0608af5ecb090af15ea0593e71b2f05d6594726915c91d92dd5e0dcebd60e492/detection

172.94.105.98:3000

# Reference: https://any.run/malware-trends/xworm

abom7md.duckdns.org
church-apr.gl.at.ply.gg
d7meyrat.ddns.net
https.myvnc.com
jajaovh.duckdns.org
kaught-53088.portmap.host
liveroman228-26531.portmap.host
please-co.gl.at.ply.gg
show-cottages.at.ply.gg
society-mastercard.at.playit.gg
test-theorem.gl.at.ply.gg
trial-pour.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/6e0df2a748927a28875f76eb917f71fe8ee2a9b2004c9b7d2742a654aae0238e/detection

34.227.114.203:7000
brasil.ddns.com.br

# Reference: https://www.virustotal.com/gui/file/888e076a0949bf1ab6297ebc9b089e8d1f926c7186b115dbbb44611f57b783c8/detection
# Reference: https://www.virustotal.com/gui/file/79750b3e59c64c381067d5dd07a174e746625b64f13cefe07671042676337185/detection

154.53.63.206:7000
freshwarsmi.ddns.net

# Reference: https://www.virustotal.com/gui/file/fbb2f988d97221e62771f56ed0d7bb172c5738d1bbde76164d0ca830ed59e8af/detection

207.244.242.177:7000
mikexwormxxxyy.ddns.net

# Reference: https://www.virustotal.com/gui/file/b706aac7ee3800adff6df6bcd2ad3164ae34f71ab47399c1811daa664fdec247/detection
# Reference: https://www.virustotal.com/gui/file/0886ade2d19b2cb43c370190df382d3686c2364b246fc466ccf775b60a62c6a0/detection

154.53.51.233:7000
89.117.72.232:7000
secoundxwormm.ddns.net

# Reference: https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4

randall010.camdvr.org

# Reference: https://www.virustotal.com/gui/file/67de54a5271a2354b492bbaf5bbead07cc1e24fd5efa94bdac2fc30f0475db1a/detection

41.216.188.29:7000

# Reference: https://www.virustotal.com/gui/file/9198c970d6b61c1f22b6e2e4065fd99e8fd107c3bb8162c8aef56559459e9ff1/detection

217.229.108.168:1

# Reference: https://www.virustotal.com/gui/file/01856345569ffabd2504f9b9d102014c0119184660b25cea2c55db4d67c8c349/detection

147.185.221.16:12379
electric-desert.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/ip-address/2.59.254.205/relations

hotexworm.duckdns.org
newxworm.duckdns.org
xwormfresh.duckdns.org
xwormpeople.duckdns.org

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-09-15)

http://154.61.71.51
101.99.92.134:9008
103.187.4.59:62400
104.129.24.110:55226
109.195.94.247:7000
13.48.68.245:4449
139.59.42.121:49258
142.132.227.161:7000
142.202.240.88:253
147.185.221.15:10177
147.185.221.16:15294
147.185.221.16:18244
147.185.221.16:39035
147.185.221.180:36603
147.185.221.180:4310
15.204.37.12:5008
152.67.162.194:10001
154.127.53.162:7007
16.16.96.108:4449
162.251.123.54:1337
168.119.98.142:4100
172.111.138.90:2221
172.31.27.185:7000
176.205.45.103:4782
185.169.1.59:42069
185.17.26.114:7000
185.179.219.117:5002
185.225.73.47:1111
185.225.73.47:2222
185.241.208.173:7000
193.161.193.99:35943
193.161.193.99:43625
193.42.33.22:5555
194.145.138.85:1604
194.145.138.88:1604
194.228.111.236:7000
194.87.151.125:7398
194.87.151.19:7077
199.66.93.150:1337
2.58.56.249:8000
20.0.32.252:7000
20.219.15.124:2239
20.25.157.149:1234
20.25.157.149:4567
20.56.93.201:1604
204.13.33.68:1338
206.189.139.209:20715
207.32.217.73:2048
208.115.223.202:12999
209.145.57.6:8081
209.25.140.223:18381
209.25.141.181:51957
209.25.141.181:52055
209.25.141.2:43784
212.154.51.245:90
23.227.198.214:7777
3.126.37.18:14586
3.7.61.252:2339
3.72.8.200:7000
44.201.221.153:7000
45.130.141.212:7000
45.145.166.131:666
45.61.130.7:1010
45.81.225.208:7000
45.88.67.75:3333
64.235.38.13:2911
66.94.101.239:8081
67.61.188.116:7777
67.61.188.116:8848
67.61.188.118:3232
77.248.111.83:2404
79.110.62.143:7000
81.161.229.202:6601
95.214.26.78:5566
95.214.27.226:7000
aid-poly.at.ply.gg
americanibombardano.ddns.net
amz-worm.ddns.net
an-encoding.at.ply.gg
ana1.con-ip.com
angmmox.con-ip.com
animals-sewing.at.ply.gg
apexcv.ddns.net
average-danish.at.ply.gg
awgaegsrgcs.duckdns.org
behind-him.at.ply.gg
big-stayed.at.ply.gg
box-byte.at.ply.gg
browser-bangladesh.at.ply.gg
bush-gain.at.ply.gg
caloi1920.ddns.net
channel-diane.at.ply.gg
comes-reasoning.at.ply.gg
common-pharmacies.craft.ply.gg
computers-directory.at.ply.gg
computers-ed.at.ply.gg
davizshadow.duckdns.org
default-official.at.ply.gg
dejvicek-52169.portmap.host
dejvicek-62577.portmap.io
deletedapo-46418.portmap.host
design-utilize.craft.ply.gg
display-trade.at.ply.gg
distance-key.at.ply.gg
documents-ultra.at.ply.gg
during-widespread.at.playit.gg
egleooogom.duckdns.org
either-puzzle.at.ply.gg
employees-spa.at.ply.gg
even-house.at.ply.gg
exops-31573.portmap.host
faculty-symbols.at.ply.gg
feel-herbal.at.ply.gg
flowers-ak.at.ply.gg
freed11231.duckdns.org
ftap-29332.portmap.host
german-sip.at.ply.gg
get-dig.at.ply.gg
gunitp.duckdns.org
h0x351.ddnsfree.com
harrypotta-35943.portmap.host
harrywilly.ddns.net
head-transit.at.ply.gg
herbet.ddns.com.br
history-periodically.at.ply.gg
hope-duck.at.ply.gg
house-induced.at.ply.gg
http202suspend-33946.portmap.host
ichbineinvogel2.duckdns.org
instruments-specials.at.ply.gg
jeanjaques.ddns.net
johnnew12.duckdns.org
johnny1234.duckdns.org
jxworm2ndport.duckdns.org
kids-abstract.at.ply.gg
killertype.ddns.net
leakportsnext.duckdns.org
license-donna.at.ply.gg
links-recovered.at.ply.gg
mary-classroom.at.ply.gg
master-flat.at.ply.gg
mean-garbage.at.ply.gg
members-path.at.ply.gg
microsoft2.ddns.net
models-issn.at.ply.gg
moonrdp1.duckdns.org
must-scores.at.ply.gg
mygame.serveftp.com
nabeelrats-21020.portmap.host
name-shadows.at.ply.gg
next-screening.at.ply.gg
no-sofa.at.ply.gg
opportunities-rendered.craft.ply.gg
option-trading.at.ply.gg
partner-enforcement.at.ply.gg
paul-positive.at.ply.gg
pavpaladmin9917.ddns.net
polki.anondns.net
pollofx-35076.portmap.host
port4000mobi.duckdns.org
property-gourmet.at.ply.gg
ready-somalia.at.ply.gg
related-regression.at.ply.gg
releases-connection.at.ply.gg
return-interpreted.at.ply.gg
safety-electronics.at.ply.gg
score-told.craft.ply.gg
sepatico.duckdns.org
share-divorce.at.ply.gg
share-scored.at.ply.gg
size-bills.at.ply.gg
slammer.cf
society-painted.at.ply.gg
spajkr.hopto.org
special-alpine.at.ply.gg
system-headed.at.ply.gg
there-carol.at.ply.gg
tienichxanh.vinaddns.com
title-weapons.at.ply.gg
top-ftp.at.ply.gg
unit-satisfactory.at.ply.gg
venom.giize.com
vfggfhd.servemp3.com
way-puppy.at.ply.gg
willbr77-52985.portmap.io
wniko1-39869.portmap.host
words-cells.at.ply.gg
xworms.ddns.net
xwrm.webredirect.org
y-enhancing.at.ply.gg
zlow11214.ddns.net

# Reference: https://twitter.com/James_inthe_box/status/1703779021694419195
# Reference: https://twitter.com/r3dbU7z/status/1703780891724841423
# Reference: https://www.virustotal.com/gui/file/96fa32da812662011588e77b75eb6bee3eb768f533533457c51f4d58ae8ee062/detection

194.180.49.181:443
194.180.49.181:7064
194.180.49.181:888
xm3.publicvm.com
xyoptotway.work.gd

# Reference: https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/
# Reference: https://www.virustotal.com/gui/file/1073ff4689cb536805d2881988b72853b029040f446af5ced18d1bc08b2266e1/detection

3.66.38.117:13394
52.28.247.255:13394

# Reference: https://app.any.run/tasks/d3858744-f1b2-4a9b-8ef7-deccada2a160/

3.69.115.178:13394

# Reference: https://app.any.run/tasks/5fab7db5-267e-46f6-a374-0f42de1cb328/

147.185.221.16:15179

# Reference: https://twitter.com/Gi7w0rm/status/1706061724099457411
# Reference: https://www.virustotal.com/gui/file/9bd123cf9a41a9a9fd219fd8fcba7ba20543470d4b5c911ba07489b04fd74428/detection

79.110.62.151:1234

# Reference: https://tria.ge/230924-yzgbwsba28/behavioral1

2.59.254.205:7002

# Reference: https://tria.ge/230924-yzvjhsba39/behavioral1

79.110.62.151:7000

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-09-25)

141.98.6.196:7020
154.53.51.233:8909
191.101.130.18:8252
23.106.215.7:7007
50.114.203.104:7909
81.67.181.238:9033
88.11.59.100:8888
chikes17.duckdns.org
copy-marco.gl.at.ply.gg
floptuytonroyem.sytes.net
garden-event.at.ply.gg
graxe239-61522.portmap.host
xvskill.duckdns.org
youtubevideos.ddns.net

# Reference: https://twitter.com/Gi7w0rm/status/1706063680171860137

aakata123.duckdns.org
aakatabit1915.duckdns.org
aiminent2.duckdns.org

# Reference: https://twitter.com/doc_guard/status/1707018037428101360
# Reference: https://www.virustotal.com/gui/file/7fa4e361cf073d65ccbc49dc937a622965977ef995a0c199a4b4aa5fddd57d17/detection

138.201.189.141:4444

# Reference: https://twitter.com/r3dbU7z/status/1709147111567004129
# Reference: https://www.virustotal.com/gui/file/bfb5afd83e4c4962336f10655e191e0efc2b9fe968af9f37f7d84c845a27a075/detection
# Reference: https://www.virustotal.com/gui/file/008922a9bcd25e1cbf52234ea926306bba3d646bfcd087d6fc6c6f58ab8ac54a/detection

20.229.184.215:443
20.229.184.215:65350

# Reference: https://twitter.com/suyog41/status/1709524284169978094
# Reference: https://www.virustotal.com/gui/file/5b53d803d2c3d82de79a732a2f1737c7726415b2b056f7f43e74638e1df3fd8b/detection
# Reference: https://www.virustotal.com/gui/file/9d79c20d80eb9ded90a7e7f2ebdcd057bc29409084af3ecdd63c6ed072f103b0/detection

186.6.93.202:4444
telebyt.com
windowsmanagerhost.ddns.net

# Reference: https://twitter.com/naumovax/status/1711777764615802979
# Reference: https://tria.ge/230930-vqpp5aff65/behavioral1

147.185.221.16:54013

# Reference: https://twitter.com/suyog41/status/1712768941536522411
# Reference: https://twitter.com/suyog41/status/1725447282856968625
# Reference: https://www.virustotal.com/gui/file/0083a052767c5e651c36ce419a582c2ba5d81c0776ef1de765626958b4686b45/detection
# Reference: https://www.virustotal.com/gui/file/d18c4cde9bc83592187f8a90e3f138c871a35cda49d4a0078ca9eac04cfc961e/detection

104.243.32.185:7000
45.141.215.230:7000
normanisback.com

# Reference: https://twitter.com/suyog41/status/1715222348423721054
# Reference: https://www.virustotal.com/gui/file/e9148a15c8d96c389aaae6fbb04b5cd1ee587e2ded6193d47532885b84abd984/detection

147.185.221.16:18915

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-10-30)

101.99.92.161:7000
103.114.106.183:47074
139.99.153.82:8181
147.185.221.16:45753
147.185.221.16:56343
147.185.221.16:57012
147.185.221.16:57076
157.254.223.19:8000
163.5.215.212:1337
163.5.215.212:8072
193.161.193.99:61360
20.197.231.178:7000
216.230.73.215:6789
51.81.216.78:1111
51.89.158.83:7000
66.94.97.98:7000
95.164.18.46:2608
brightle.ddns.net
frostycheats-30646.portmap.host
graxe239-61522.portmap.host
jameshde18.duckdns.org
mike09-55168.portmap.host
pool-roman.at.ply.gg
registered-dt.at.ply.gg
releases-photos.at.ply.gg
rules-views.at.ply.gg
serverwindor.duckdns.org
testarosa.duckdns.org
xmsh.publicvm.com

# Reference: https://cert.pl/en/posts/2023/10/deworming-the-xworm/
# Reference: https://otx.alienvault.com/pulse/653a78a1b9c42ecf2ba3a591

blackid-48194.portmap.host
single-boulevard.at.ply.gg

# Reference: https://twitter.com/g0njxa/status/1721444417586778207
# Reference: https://app.any.run/tasks/c276c263-7b85-459b-b93c-d278e845e171/

206.189.20.127:6234

# Reference: https://twitter.com/karol_paciorek/status/1723024066112557542
# Reference: https://tria.ge/231110-t3mkvsca78/behavioral1

54.90.216.100:7001

# Reference: https://twitter.com/suyog41/status/1724726595578159178
# Reference: https://www.virustotal.com/gui/file/46ac8d1dba7668319574d2f459a54d8b8eb5606c027e393308ab395b7b5aa746/detection

103.47.147.196:1500

# Reference: https://www.virustotal.com/gui/file/4ca23c140f02ad3f9a8d0df97e57a6282faf8aa85433efd3f7c07a5ba8868da7/detection

15.228.235.93:7000

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-11-20)

147.185.221.16:40164
147.185.221.16:49975
15.228.35.69:5000
172.177.19.106:7000
188.148.105.135:2112
35.220.199.19:7000
62.233.57.160:6789
2freshinxworm2.ddns.net
antilol2113-61842.portmap.host
case-defines.gl.at.ply.gg
dizzywizzy-61490.portmap.host
espadadz.ddns.net
f8terat.ddns.net
goheg99417-59409.portmap.host
juandice-60636.portmap.io
kriz-nas.ddnss.de
lead-selections.gl.at.ply.gg
m0ney7.ddns.net
media-specified.gl.at.ply.gg
menu-webcam.gl.at.ply.gg
notfishvr55-32209.portmap.host
okaa0-25007.portmap.host
okaa0-35095.portmap.host
partner-juice.gl.at.ply.gg
q-grounds.gl.at.ply.gg
raven123.ddnsgeek.com
reference-tokyo.at.ply.gg
tarekfr77-41254.portmap.host
tcxerr.duckdns.org

# Reference: https://www.virustotal.com/gui/file/145c1ede38b85b82e5072f2d9c0c65aa8eb479bd2cf90d99d7d375c0c2e7c4ea/detection
# Reference: https://www.virustotal.com/gui/file/4229b3925fbd80f2316493b19c1c7fd23898507284bae4754e76c79a096f2133/detection

194.147.140.215:7463
37.139.129.85:6742
91.192.100.39:6742
kayamer.kozow.com

# Reference: https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/
# Reference: https://www.virustotal.com/gui/file/f58193da4f61b45e375f5aa2978b08908578b5151dc779dc4b566e6a941e802b/detection
# Reference: https://www.virustotal.com/gui/file/58d80cdaac096a9d8ba772a4e857a24db9c797d5b7913e54185c68e21c5526e6/detection

140.228.29.162:7900

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2023-11-21)

104.250.180.178:7061
147.185.221.17:24796
162.212.154.8:41589
185.183.34.34:7000
185.239.237.162:7000
194.15.216.233:4548
207.32.219.52:7771
216.107.136.195:7000
3.121.139.82:18925
3.121.139.82:5240
3.127.59.75:18925
3.127.59.75:5240
34.130.82.241:5010
46.183.221.28:7000
51.89.38.74:33966
52.28.112.211:18925
52.28.112.211:5240
52.91.10.228:7000
54.90.216.100:7000
65.0.80.77:7000
80.66.87.4:7000
87.172.204.140:7000
93.123.85.35:7000
2023navidad.duckdns.org
around-lite.gl.at.ply.gg
conditions-monthly.at.ply.gg
fgfdsnvisdnvijnsdvdssdsd.con-ip.com
frank4893.duckdns.org
house-rooms.gl.at.ply.gg
if-shuttle.gl.at.ply.gg
language-partnership.gl.at.ply.gg
newpossibility.duckdns.org
traffic-statewide.gl.at.ply.gg
viiper1337-29699.portmap.host
windowis11.com

# Reference: https://twitter.com/1ZRR4H/status/1729196411843985530
# Reference: https://www.virustotal.com/gui/file/850e60489a54f8a3307a124c19c80cfc46bc34b2b3b93bc74c2b764b667df09b/detection
# Reference: https://www.virustotal.com/gui/file/df501e6c611c658df919bbe959e54b1080da39511a7de35ab3b5146e32584728/detection

5.182.87.154:7000

# Reference: https://www.virustotal.com/gui/file/f1f72684f5813bd4a3932397edd7e2056c9d61421bf7e5248ae68f6e6d65d33d/detection

46.246.86.23:7000
rootfix.linkpc.net

# Reference: https://www.virustotal.com/gui/file/c861d69c8a9904c99ef947dcdca02995652fb6afbc8a0edb196921ac6f5dc14e/detection

212.237.116.158:7000

# Reference: https://www.virustotal.com/gui/file/33b2c62cad9fa6a203cca01285d1230bf92b38929b8f9ed07ec6187b2fe8fdf1/detection

212.237.116.163:7000

# Reference: https://twitter.com/1ZRR4H/status/1729713083004641491

46.246.80.17:7080
2023navidad.duckdns.org

# Reference: https://gist.github.com/silence-is-best/67adb7549211b3046f554044bcc5c151
# Reference: https://www.virustotal.com/gui/file/832d96e8996c618b21f649812a218c44d7fae08fa2081cdb34631cc2cdcbd6df/detection

194.107.126.61:1111

# Reference: https://www.virustotal.com/gui/file/976780197cc411fbed0105adc79a779e72ac2a802ca7f2a001334c0a37e046da/detection

46.246.84.13:7000

# Reference: https://www.virustotal.com/gui/file/eba007fec4ab29d205cf04ced605ec34b27dfa2733a5cccd50856bdf9ba66e42/detection

91.92.242.98:9
cpabuzus.duckdns.org

# Reference: https://twitter.com/karol_paciorek/status/1736689204279623733
# Reference: https://tria.ge/231218-lw7nfshhcn/
# Reference: https://www.virustotal.com/gui/file/9e5612cd0949cb21b3d12491294ebe173571c1a665014dbbce7f7ebb995d42d0/detection

http://45.88.77.20
45.88.77.20:7000

# Reference: https://twitter.com/SarlackLab/status/1737126329542123767
# Reference: https://www.virustotal.com/gui/file/fd478fb15b4976507f494e31f6cbe2a8d4d173026ae1bbcb4849685630cf9b19/detection
# Reference: https://www.virustotal.com/gui/file/f688fb7b4cf19a4760138e7625915815f4acc23732456a3540f76f39aed90417/detection

45.144.152.86:39001
45.144.152.86:44635
45.144.152.86:58001
78.135.67.111:56001
liveclouds.duckdns.org

# Reference: https://twitter.com/V3n0mStrike/status/1739854351022080487
# Reference: https://www.virustotal.com/gui/file/230a77727f9c8e701594ee34a22d5b2f7d8647295e749d3103d2322d8bce7eea/detection

http://31.172.83.170
31.172.83.170:7000

# Reference: https://www.virustotal.com/gui/file/5e1944524f2ae23724c8a9a593915266e18214a0038896f30ba37e1fd022caa2/detection

89.23.99.86:7000

# Reference: https://twitter.com/banthisguy9349/status/1744384627039518736

91.92.253.171:888

# Reference: https://twitter.com/netresec/status/1744378756641288517

147.185.221.17:36499

# Reference: https://twitter.com/ShilpeshTrivedi/status/1744695359144923604
# Reference: https://www.virustotal.com/gui/file/ca791046eaf207a1bb8631263bf12e41802255a7114c48086dccd4ad1152766e/detection

147.185.221.17:61779

# Reference: https://threatfox.abuse.ch/browse/malware/win.xworm/ (# 2024-01-10)
# Reference: https://www.virustotal.com/gui/ip-address/91.92.240.61/relations

91.92.240.61:7000
lyamore-metal.com
taiwantradeglobal.com
open.lyamore-metal.com
open.taiwantradeglobal.com
opendomain.lyamore-metal.com
opendomain.taiwantradeglobal.com
wealthyblessed.duckdns.org

# Reference: https://twitter.com/malwrhunterteam/status/1745582580718543343
# Reference: https://www.virustotal.com/gui/file/1ae50087f5c0b05a9ac41362a2e7ed3d3c82fecda835aa7e5fcc5b5da5f44903/detection

http://139.99.114.151
139.99.114.151:7777

# Reference: https://www.virustotal.com/gui/file/4bb0daf6ad46380eb905da9f586d108f9a9e7bd83c31d7903824ebe3abd65fb0/detection
# Reference: https://www.virustotal.com/gui/file/0893cfe208c34030552ccd250f5e185d42423f4ebb5311a13f68e5bd96a1cad7/detection

147.185.221.16:33203
canadian-perspectives.gl.at.ply.gg

# Reference: https://www.virustotal.com/gui/file/00a965b03bf3654df1c90725b114a8dfc49cdb522bf7a558d24f13e20e204fa9/detection

46.246.82.5:2525

# Reference: https://www.virustotal.com/gui/file/fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11/detection

191.233.27.50:5552
dzn.ddns.net

# Reference: https://www.virustotal.com/gui/file/0ccb60e63193c1bd24e82fee53094c54fdb1e3481601f1a6451dbf74a375185b/detection
# Reference: https://www.virustotal.com/gui/file/504bc01416f714ce0f77e87bae667573bee922c86708b2cadfaf7e4478673a30/detection

http://90.61.145.105
90.61.145.105:5485

# Reference: https://www.virustotal.com/gui/file/afb0a01f30aa1239f85e2eb465e374c49a274383caa52d3c8dd46c67b17be519/detection

91.92.253.187:7000

# Reference: https://www.virustotal.com/gui/file/7c7b4d01ce572fb5d63536aa53eff94be082e76127906d91c673bbb4e0d7b8e1/detection

94.156.65.113:8400
greatrackspace8400.duckdns.org

# Reference: https://www.virustotal.com/gui/file/4c291ba1cd60a0a9e4649067f2bcb3619bf8874b47f928ab7f2583b31d778678/detection

94.156.65.113:8300
restpeople8300.duckdns.org

# Reference: https://www.virustotal.com/gui/file/ab5a62c5f4e883afff61be9b7020ba1aa9d52565dc310cee06488ad22ca8f68f/detection

91.92.251.144:7001
xwv5group7001.duckdns.org

# Reference: https://www.virustotal.com/gui/file/d86408c32b0b7f7b43930cb33b99e472db2db4c429d4273d3133d7b8ad29712e/detection

23.95.11.218:8100
94.156.65.114:8100

# Reference: https://www.virustotal.com/gui/file/3224658a2fbf2a7a1adece92d8d2fb9e136898efb17b5bbffcf0ac39bce4afbb/detection

188.70.3.112:6666
sys666.ddns.net

# Reference: https://www.virustotal.com/gui/file/0e948e3d83e22df165afac4da052b45297f719a33f86c4c194958f59dad75a28/detection

192.99.190.119:7000

# Generic

/XWorm%20V3.1/
/XWorm%20V3.1.7z
