# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: 1xxbot, arechclient2, asatafar

# Reference: https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers

http://45.142.213.230

# Reference: https://twitter.com/P3pperP0tts/status/1197493278339469313
# Reference: https://twitter.com/P3pperP0tts/status/1196425019154403328
# Reference: https://app.any.run/tasks/efeb529d-fa5d-4adb-8527-7161080e722a/

51.15.22.167:228

# Reference: https://twitter.com/malwrhunterteam/status/1200742733805170688
# Reference: https://www.virustotal.com/gui/file/32aa5f556099e8fdf9c0f4c8f5695e5736a7cc208aacc548d623d329256d4130/detection

94.242.206.163:228

# Reference: https://twitter.com/malwrhunterteam/status/1205495402721685509

firestarter.co.ug

# Reference: https://app.any.run/tasks/4827acc3-173d-4f4f-b4ca-212e4814ba44/

93.190.142.138:228

# Reference: https://twitter.com/Arkbird_SOLG/status/1348288401049608193
# Reference: https://www.virustotal.com/gui/file/4b3411887671db0dd5e57c2187260bd79f2c5cd4279d24b96de9724f492ce3f7/detection
# Reference: https://www.virustotal.com/gui/file/3d74c37ade5a7082617acb0cb1697eb18c9a61f7099b04b76967140f3a8d03ec/detection

34.253.207.79:15647

# Reference: https://www.virustotal.com/gui/ip-address/54.194.254.16/relations
# Reference: https://twitter.com/James_inthe_box/status/1348264657736269828
# Reference: https://app.any.run/tasks/279edbe8-a2d6-4816-8602-311fa33fd34b/
# Reference: https://www.virustotal.com/gui/file/2cad1d5cd3e145f720e3da8825183d78545b834fe146a8d1ec26c0e876980a66/detection

54.194.254.16:15647

# Reference: https://twitter.com/abuse_ch/status/1348271030322790400
# Reference: https://bazaar.abuse.ch/sample/bf802ba3e523c502a27e0c9044bc699f0db17ebb00e5b3b9c152038a13c856ed/
# Reference: https://www.virustotal.com/gui/file/bf802ba3e523c502a27e0c9044bc699f0db17ebb00e5b3b9c152038a13c856ed/detection

80.209.229.192:15646

# Reference: https://www.virustotal.com/gui/file/a24bf6fa910c0fe011cdabd3c1203d735f8a28f27c646fe0ae5981bbb7304e41/detection

80.82.77.221:15647

# Reference: https://www.virustotal.com/gui/file/8d2c8fab417257c558a379fc384a5fdda844b73ca507944b90b0a101591c7fae/detection
# Reference: https://www.virustotal.com/gui/file/17a7129edcb8c2bb353c6fc365455b630912da13d3af096e9fb148647551f6b4/detection

147.78.67.95:15646
147.78.67.95:15647

# Reference: https://www.virustotal.com/gui/file/9f204e8a44750d83e2d892357db881a241e16fe82eff4fc16f0d9adecec430a3/detection

185.195.26.100:54766

# Reference: https://www.virustotal.com/gui/file/cb64e1065259e2c9e0fb663bdf4ad73a4abc514399ca86f4c3b745b61c6ab530/detection

185.82.202.143:15647

# Reference: https://www.virustotal.com/gui/file/665747baf4f8bba24765b2a486f7677b7e1f199335cace6db075f8f3dd68fcef/detection
# Reference: https://www.virustotal.com/gui/file/f12f3ad220342c60304834a7df1345521e16e13242566dbc76fc21242765fe23/detection

195.2.78.227:228
195.2.78.227:54766

# Reference: https://www.virustotal.com/gui/file/b7a16329d7ca5a5ff38f6d424b426f33a29e1fff8490016530a7433134b391f6/detection

135.181.86.99:15464

# Reference: https://www.virustotal.com/gui/file/98f7e638f8cd14879f5c9fb2071e4f53df9922cdd77a64b632fb06a197d9f9e6/detection

202.59.10.176:15646

# Reference: https://www.virustotal.com/gui/file/3ca1a97e6b3e8d9bae5a054a2c5014db99c4375cab6554e33fb4217bf34a1858/detection

86.106.93.111:15646

# Reference: https://www.virustotal.com/gui/file/71c3e512e148941ff0435c9a556d75cf8fe5621a85a6a2ea4f7a20cb6a0c6856/detection

185.165.153.51:5025

# Reference: https://tria.ge/220627-kta12aaaal/behavioral1

34.159.232.110:15647

# Reference: https://twitter.com/1ZRR4H/status/1615231876817362944
# Reference: https://twitter.com/1ZRR4H/status/1615428216684175360
# Reference: https://threatfox.abuse.ch/ioc/1068570/
# Reference: https://www.virustotal.com/gui/file/a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910/detection

http://77.73.133.83
34.107.35.186:15647
77.73.133.83:15647

# Reference: https://twitter.com/idclickthat/status/1626069576868933632

http://179.43.142.86
anydesk-infopage.com
pputty.us

# Reference: https://threatfox.abuse.ch/browse/malware/win.sectop_rat/

http://157.90.151.122
135.181.156.70:15647
138.201.120.172:15648
144.76.163.55:15648
144.76.195.220:15647
157.90.151.122:228
162.55.188.246:15647
167.235.134.14:15647
185.143.223.9:15648
185.173.36.156:228
185.197.75.191:15647
193.111.210.150:15647
34.107.84.7:15647
34.141.167.33:15647
34.141.198.105:15647
34.141.92.1:15647
34.142.80.219:15647
34.159.180.55:15649
34.159.68.86:15647
34.27.150.38:15649
34.27.176.144:15647
34.91.185.62:15649
35.198.132.51:15647
35.204.188.251:15649
35.226.102.12:15649
35.230.153.115:15647
35.234.159.213:15649
35.242.150.95:15649
35.246.173.61:15647
37.1.206.174:228
46.175.147.8:15647
5.75.147.135:15647
5.75.149.1:15645
5.75.149.1:15648
5.75.153.165:15647
62.182.156.148:15647
65.108.101.156:15647
77.232.36.56:228
77.232.39.39:228
77.232.42.253:228
77.246.107.149:15647
88.218.170.169:15647
89.248.165.23:5865
91.142.77.238:228
91.142.78.27:228
94.130.51.115:15648
95.143.190.57:15647
cloudinstalller73489.shop
ggimp.us

# Reference: https://threatfox.abuse.ch/browse/malware/win.sectop_rat/ (# 2023-08-01)
# Reference: https://www.virustotal.com/gui/ip-address/217.107.219.92/relations
# Reference: https://www.virustotal.com/gui/ip-address/81.177.139.152/relations
# Reference: https://www.virustotal.com/gui/ip-address/81.177.140.194/relations

cdn-dwnld.ru
994safeweb.store
alarmhealth623.store
linkpower994.online
newtorpan.ru
newtorpan.site
newzone623.store
next-traf623.site
shadowlink994.store

# Reference: https://twitter.com/g0njxa/status/1687801004534747136
# Reference: https://app.any.run/tasks/80b166cb-7a36-41ce-9f18-58344e7bc138/
# Reference: https://www.virustotal.com/gui/file/d35d55bb74a7cf4349e2fa4a92839e2a88f17a1fee9725801d0d97b2bf0d311c/detection

95.143.190.57:15648

# Reference: https://twitter.com/1ZRR4H/status/1699923793077055821

195.201.198.179:15647

# Reference: https://threatfox.abuse.ch/ioc/1150242/

95.217.105.184:15647

# Reference: https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks
# Reference: https://otx.alienvault.com/pulse/653fe482a1235f71266181a8

manojsinghnegi.com/2.tar.gpg

# Reference: https://twitter.com/Jane_0sint/status/1723736724533129263
# Reference: https://app.any.run/tasks/84a868ea-e8f3-436b-abe9-82b0226aac5d/

80.66.66.40:15647

# Reference: https://twitter.com/crep1x/status/1727970393237983640
# Reference: https://www.virustotal.com/gui/ip-address/45.67.228.133/relations

1subsmepjzqnvvukhd.fun
2hedonrxjakubcloudflare.fun
2lastofusupdatjakubcloudflare.fun
2subsmepjzqnvvukhd.fun
3hedonrxjakubcloudflare.fun
3ivgtdccwvbaaou.fun
3subsmepjzqnvvukhd.fun
4hedonrxjakubcloudflare.fun
5hedonrxjakubcloudflare.fun
5ivgtdccwvbaaou.fun
5subsmepjzqnvvukhd.fun
gleamgamestudios.fun
heckledunicornvb2.fun
skilleddevelopment.fun
theworkflowagency.fun
zodiaentertainment.fun

# Reference: https://twitter.com/1ZRR4H/status/1730731082734010780

slimankoomer.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.sectop_rat/ (# 2024-01-03)

138.201.125.92:15647
145.239.99.234:15647
152.89.217.190:15647
152.89.217.215:15647
152.89.217.229:15647
176.9.66.115:15747
178.63.51.126:15648
193.233.112.219:15647
193.33.195.42:15647
194.26.135.11:12432
194.26.135.180:15647
194.26.29.100:15647
194.26.29.112:15647
194.26.29.153:15648
194.26.29.44:15647
2.57.149.77:15647
212.118.39.73:15649
213.109.202.15:15747
213.109.202.229:15647
213.109.202.96:15647
213.109.202.96:15747
213.109.202.97:15647
213.109.202.97:15747
213.109.202.98:15647
213.109.202.98:15747
45.141.86.82:15647
45.141.87.124:15647
45.141.87.124:9000
45.141.87.16:15647
45.141.87.215:15647
45.141.87.218:15647
45.141.87.50:15647
45.141.87.63:15648
45.88.104.78:15647
45.92.179.244:15647
5.42.67.10:15647
77.105.132.31:15647
78.153.130.239:15647
78.153.130.239:9000
85.209.11.243:15647
91.215.85.66:15647
94.181.229.249:15647
94.181.229.249:15747
95.216.24.238:15647

# Reference: https://www.virustotal.com/gui/file/fa0b3328dda7aa7e953780fc8b6be127f747fc778f0bd3f0a2e885402c1c481e/detection

http://194.147.35.251
http://5.75.214.104

# Reference: https://x.com/smica83/status/1813912637895549108
# Reference: https://tria.ge/240718-pea5psxgkp/behavioral1

213.109.202.15:15647
213.109.202.15:9000

# Reference: https://x.com/banthisguy9349/status/1822635735494664701

45.141.87.55:15647

# Reference: https://x.com/banthisguy9349/status/1822635735494664701
# Reference: https://www.virustotal.com/gui/file/0bb9e107a5f5f9ad838173ebf222107d37cc1f378fa10f46ad5b2914f19f8e72/detection

45.141.87.55:9000

# Reference: https://www.vmray.com/analyses/_mb/f1ecf2469a83/report/network.html

91.215.85.66:9000

# Reference: https://x.com/SquiblydooBlog/status/1836362042619396160
# Reference: https://tria.ge/240917-zv36javdrj/behavioral2
# Reference: https://www.virustotal.com/gui/file/ecf5e02e19345dc4f60e531139339b5a8a95dd393b0bbcb3b4e93a184585a53a/detection

http://188.34.184.47
http://65.109.218.88
http://89.23.96.126
188.34.184.47:443
45.141.86.82:9000

# Reference: https://x.com/malwrhunterteam/status/1860405590364672452
# Reference: https://www.virustotal.com/gui/file/fe40afb158e24c1896776fe3bdef33d2bb85ae67cf7b115f309d2535fc2a6afd/detection

185.147.124.236:15647
185.147.124.236:9000

# Reference: https://www.virustotal.com/gui/file/c44c68d187d1e8adc8da0eddfada509fb6d9b00452888740affe9a069d43ea35/detection
# Reference: https://www.virustotal.com/gui/file/aaca1d0a684091ceb9367a917719e5593de9337ec857afeb51719bf8994834cf/detection

91.240.118.89:15647
91.240.118.89:9000

# Reference: https://x.com/banthisguy9349/status/1822635735494664701
# Reference: https://www.virustotal.com/gui/file/0bb9e107a5f5f9ad838173ebf222107d37cc1f378fa10f46ad5b2914f19f8e72/detection

/wbinjget?q=
/wbinjget

# Reference: https://x.com/malwrhunterteam/status/1862036608481989005
# Reference: https://www.virustotal.com/gui/file/d864a359e3a19182e72109fe75408d21b10215938e8be4098c4dbbc8ce0b7c7c/detection

45.141.84.168:15647
45.141.84.168:9000

# Reference: https://x.com/banthisguy9349/status/1864688082559115552
# Reference: https://www.virustotal.com/gui/file/9fe2c00641ece18898267b3c6e4ee0cb82ffefbc270c0767c441c3f38b63a12a/detection
# Reference: https://www.virustotal.com/gui/file/06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437/detection

91.202.233.18:15647
91.202.233.18:9000

# Reference: https://x.com/JAMESWT_MHT/status/1867118417959956657
# Reference: https://www.virustotal.com/gui/file/224f45017a9dbb7db7fe2836771d8f4e77c9735499c20a19c832a91b156d7056/detection

healthclinic-stylemaven.com
pict.healthclinic-stylemaven.com

# Reference: https://x.com/JAMESWT_MHT/status/1868922347144855722
# Reference: https://www.virustotal.com/gui/file/26db835c118e06564f8074656bc403862848cc3d0b3761625a07cb4f33790902/detection
# Reference: https://www.virustotal.com/gui/file/45ab4ca2483759d89bc446e6797e86489eb08cfeb3f740440a83ff6d83eb5503/detection
# Reference: https://www.virustotal.com/gui/file/71e590840310d7eab4d8c339a094847523d368777cfda93fde87e0b25d9051f3/detection

docu-signer.com
