# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://github.com/silence-is-best/c2db#ursa-loader

/nj41.php

# Reference: https://app.any.run/tasks/20f85f4b-ffc8-4e15-841c-03ecc150c4a4/

http://45.132.242.89

# Reference: https://twitter.com/JAMESWT_MHT/status/1290523174136946688
# Reference: https://www.virustotal.com/gui/file/e84bd675169dd1ccc077454d08aad592dd97d6a188e841ad02a2e888bd7c1a48/detection

http://104.44.143.28

# Reference: https://twitter.com/luc4m/status/1291985996850925576

mageurox01.hopto.org

# Reference: https://app.any.run/tasks/09bfdbe7-e8d7-42d5-a1cd-fc29586bd74b/

/bd21.php

# Reference: https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/
# Reference: https://otx.alienvault.com/pulse/5f610cb62458e403adeca72d

http://191.235.99.13
http://51.143.39.80
http://66.70.237.175
http://51.222.39.128
http://51.81.104.17
http://104.44.143.28
/lp1a.php

# Reference: https://twitter.com/sirpedrotavares/status/1318924601162870785
# Reference: https://www.virustotal.com/gui/file/b29028058aa066a993379f424482b3da2ac0b799b71f2da529071616919c4ead/detection
# Reference: https://www.virustotal.com/gui/file/4219d9606f428e914a91edb807d48e4bd30387827e3704318b32bb9a103a7d27/detection
# Reference: https://www.virustotal.com/gui/file/773fd094f93cd9db61173a29bbec99a6293e1a64f181186f36685d6f01827a99/detection
# Reference: https://www.virustotal.com/gui/file/3a4fe7cb28eac0a6fdb2a4831fae4f705b4715af8570e97cf73d07f3f2f598d1/detection
# Reference: https://www.virustotal.com/gui/file/7695ea92f052ada409ec014319a03588606d49125bab96128715ff1a3811463d/detection
# Reference: https://www.virustotal.com/gui/file/c867e31b5dd19dae446f9a3ea0735acfde45f8e2c87b3b7d2d1ce317f10f1f08/detection

http://104.41.57.9
http://142.44.218.78
http://191.235.78.73

# Reference: https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/
# NOTE(review): this group repeats addresses that are also listed under earlier
# references in this file (e.g. 45.132.242.89, 104.44.143.28, 104.41.57.9,
# 191.235.99.13). Retiring a stale or false-positive address therefore means
# removing every occurrence, not only the first one found.

http://104.41.57.9
http://104.44.143.28
http://13.58.123.122
http://142.44.218.78
http://144.217.32.24
http://191.235.78.73
http://191.235.99.13
http://191.239.122.4
http://40.70.86.161
http://45.132.242.89
http://51.143.39.80
http://51.222.39.127
http://51.222.39.128
http://51.81.104.17
http://52.91.227.152
http://54.233.78.131
http://54.39.33.188
http://66.70.237.175
http://87.98.137.173

# Reference: https://twitter.com/sirpedrotavares/status/1328012434087555072
# Reference: https://www.virustotal.com/gui/file/b2c2319b2b73ffc89e93508845eef2e544a7046d0c337b8973ba86558d4d5271/detection

http://40.65.223.174
http://40.84.210.148
http://70.37.106.179

# Reference: https://app.any.run/tasks/8b1d33f6-a637-4c0a-a315-95952d89796f/

http://149.56.76.254

# Reference: https://twitter.com/sirpedrotavares/status/1362034175696662530
# Reference: https://app.any.run/tasks/31a56984-5e8b-4bf9-98be-34b5ff3be475/

http://144.217.17.185
http://185.150.117.9
http://192.95.2.164

# Reference: https://twitter.com/pollo290987/status/1380418256285089793

http://51.79.9.85

# Reference: https://twitter.com/0_1_0_1_0_0_0_0/status/1395699114826928129

mcdonalds-cupon.s3.us-west-000.backblazeb2.com

# Reference: https://twitter.com/ffforward/status/1488837379314044932
# Reference: https://app.any.run/tasks/6ce19469-6f1f-42bc-9864-2e3a07fc6a6b/
# Reference: https://tria.ge/220202-jgyqwshgb6/behavioral1
# Reference: https://www.joesandbox.com/analysis/565971/0/html
# NOTE(review): 49743 and 49744 lie in the IANA dynamic/private port range
# (49152-65535). Confirm against the sandbox reports above that they are
# server-side listening ports and not client source ports before relying on
# the ip:port trails.
# The /ghj672a.php and /ghj672*.rht45 entries carry no host, so they are
# path-only trails and are not tied to the hosts listed alongside them.

http://149.248.55.205
149.248.55.205:49743
149.248.55.205:49744
contafop01.onthewifi.com
painelxxx2021a3.bounceme.net
/ghj672a.php
/ghj672136.rht45
/ghj672162.rht45
/ghj672am1.rht45

# Reference: https://www.virustotal.com/gui/file/0001d7fe1cb06a6f55f2852efbdc11333130642c511ce02a5504850deb3e2f5e/detection

http://66.206.13.2
208.115.109.53:8010
208.115.109.53:8030

# Reference: https://twitter.com/pollo290987/status/1569196919330570242
# Reference: https://pastebin.com/cg8tAe1F

11097.masterdaweb.net
magu.kozow.com

# Reference: https://twitter.com/StopMalvertisin/status/1584769822977851392
# NOTE(review): both entries are host+path trails, so only the listed script
# URL is flagged and not the whole domain. Keep them scoped this way unless the
# reference shows that the domain itself is attacker-controlled.

bola.com.au/images/hh/cfdi/do/it.php
highlineadsl.com/ddd/it.php

# Reference: https://twitter.com/1ZRR4H/status/1596279919838990337

document0.click
kh7jv.store
pagosdeclaraciones.shop
sgscommanager.shop
smart2nopagos.shop
websylvania.com

# Reference: https://twitter.com/1ZRR4H/status/1627085493023424512

facturas4.click

# Reference: https://twitter.com/1ZRR4H/status/1691389689796919297
# NOTE(review): 172.86.68.194:445 targets TCP 445, the SMB port, in addition to
# the HTTP trail for the same address.
# The four path entries are nested: /1r49ucc73/ and /hs4q07q/ are segments of
# /1r49ucc73/hs4q07q/it.php. They carry no host, so they apply to any server.
# Whether the short directory entries subsume the longer ones depends on how
# the consuming tool matches paths (exact vs. prefix/substring) - TODO confirm,
# since short host-independent segments are the likeliest false-positive source.

http://172.86.68.194
172.86.68.194:445
chidoriland.com
/1r49ucc73/hs4q07q/it.php
/1r49ucc73/hs4q07q/
/1r49ucc73/
/hs4q07q/

# Reference: https://twitter.com/0xToxin/status/1722659950302769410

http://193.149.176.210
http://54.37.205.197

# Reference: https://twitter.com/0xToxin/status/1723709490485153960
# Reference: https://www.virustotal.com/gui/file/2d07d544e550a5e825107cfce42201a5a9e6e5d478a535fe57da86030c4ae624/detection

blackinfect.ddns.net

# Reference: https://twitter.com/pollo290987/status/1773110284095234083

ervimefacdigitataltrans.switzerlandnorth.cloudapp.azure.com

# Reference: https://x.com/pollo290987/status/1816977988489031947
# Reference: https://app.validin.com/detail?find=0b8c85495cec452651953b1c6f25d653dbcca569a2ac38236539ee4b6b2170c4&type=hash&ref_id=0a9184257b9#tab=host_pairs_v2

http://91.92.254.149
analistawebs.hair
analistawebs.yachts
coldshare.org
contpt.top
ns1.coldshare.org
ns2.coldshare.org

# Reference: https://x.com/pollo290987/status/1818099255052996692
# Reference: https://www.virustotal.com/gui/ip-address/38.60.224.167/relations
# Reference: https://www.virustotal.com/gui/file/0335e438ff586c75c5a0aded3dccf33d77a9d96e49c4eb4405ff59187ed341b1/detection

http://38.60.224.167
contmnet.site
contssd.zapto.org

# Reference: https://x.com/pollo290987/status/1818413633157910694
# Reference: https://www.virustotal.com/gui/file/0f0a34d2bb013fd0cf705a7808732343ffac6a2308f924275e377cbd105930b1/detection
# Reference: https://www.virustotal.com/gui/file/3a6d5c07b3ed6f1c24f589c3bd54a49842273d8050fb87bf7f33786bf0b2b1ae/detection
# NOTE(review): 78.202.178.68.host.secureserver.net is 68.178.202.78 with the
# octets reversed, i.e. it looks like the provider-assigned name of the IP trail
# above. By the same pattern 227.20.168.184.host.secureserver.net would map to
# 184.168.20.227, which has no IP trail in this group - TODO confirm whether one
# is missing.
# Provider-assigned names follow the address rather than the operator, so both
# entries go stale if the address is reassigned.
# /asdtrg4grf.vbs and /veletricafds652fdacsw2azxx.php carry no host and are
# path-only trails.

http://68.178.202.78
227.20.168.184.host.secureserver.net
78.202.178.68.host.secureserver.net
/asdtrg4grf.vbs
/veletricafds652fdacsw2azxx.php

# Reference: https://x.com/pollo290987/status/1820626182737412218
# Reference: https://www.virustotal.com/gui/ip-address/95.164.5.57/relations
# Reference: https://www.virustotal.com/gui/file/225341f69f153dcb90aea484f90149eaf7bb05c1ead55bde1cde2a568bed9848/detection

contgeraklf.com
contgera.zapto.org

# Reference: https://x.com/Merlax_/status/1860080823338487945

http://103.252.123.177
http://104.192.42.61
http://104.192.42.77
http://137.74.241.160
http://138.255.160.11
http://191.243.161.1
http://191.243.161.205
http://192.99.44.135
http://208.109.191.29
http://208.109.234.229
http://208.109.235.150
http://208.109.242.212
http://208.109.245.35
http://208.109.246.25
http://211.170.51.149
http://24.152.37.117
http://3.114.201.220
http://54.199.117.13
http://64.52.80.70
http://66.29.135.78
http://68.178.206.87
http://72.145.0.52
http://92.205.184.158
http://92.205.19.247
http://92.205.22.52
# NOTE(review): the *.host.secureserver.net names below are provider-assigned
# hostnames that appear to embed an IPv4 address with its octets reversed
# (e.g. 123.179.205.92 -> 92.205.179.123). They follow the address rather than
# the operator, so they go stale if the address is reassigned.
123.179.205.92.host.secureserver.net
147.32.167.72.host.secureserver.net
175.245.109.208.host.secureserver.net
183.29.205.92.host.secureserver.net
198.233.109.208.host.secureserver.net
216.76.148.132.host.secureserver.net
225.183.62.50.host.secureserver.net
23.179.205.92.host.secureserver.net
230.247.109.208.host.secureserver.net
# NOTE(review): most hostnames from here to the end of this group follow
# numbered templates on dynamic-DNS zones: NN<label>NN with NN = 01-31 for
# backpanther, direjuntox, mbaxjuntox, pantherback and s3wct (the zone cycles
# with NN), plus bbgpw1NNup, danwNNup, jamresyNNup, pat2wxNNup, ptmx1NNup and
# ptmx2NNup. The 01-31 range is consistent with a per-day-of-month rotation,
# but nothing in this file confirms that.
# Keep these as full hostnames: the parent zones (ddns.net, hopto.org, ...) are
# dynamic-DNS zones shared with unrelated users, so a zone-level trail would be
# over-broad.
01backpanther01.ddns.net
01direjuntox01.ddns.net
01mbaxjuntox01.ddns.net
01pantherback01.ddns.net
01s3wct01.ddns.net
01trpnoilahtiniep.servebeer.com
02backpanther02.ddnsking.com
02direjuntox02.ddnsking.com
02mbaxjuntox02.ddnsking.com
02pantherback02.ddnsking.com
02s3wct02.ddnsking.com
02trproebic.servegame.com
03backpanther03.3utilities.com
03direjuntox03.3utilities.com
03mbaxjuntox03.3utilities.com
03pantherback03.3utilities.com
03s3wct03.3utilities.com
03trpavurnaer.servehttp.com
04backpanther04.bounceme.net
04direjuntox04.bounceme.net
04mbaxjuntox04.bounceme.net
04pantherback04.bounceme.net
04s3wct04.bounceme.net
05backpanther05.freedynamicdns.net
05direjuntox05.freedynamicdns.net
05mbaxjuntox05.freedynamicdns.net
05pantherback05.freedynamicdns.net
05s3wct05.freedynamicdns.net
06backpanther06.freedynamicdns.org
06direjuntox06.freedynamicdns.org
06mbaxjuntox06.freedynamicdns.org
06pantherback06.freedynamicdns.org
06s3wct06.freedynamicdns.org
07backpanther07.gotdns.ch
07direjuntox07.gotdns.ch
07mbaxjuntox07.gotdns.ch
07pantherback07.gotdns.ch
07s3wct07.gotdns.ch
08backpanther08.hopto.org
08direjuntox08.hopto.org
08mbaxjuntox08.hopto.org
08pantherback08.hopto.org
08s3wct08.hopto.org
09backpanther09.myddns.me
09direjuntox09.myddns.me
09mbaxjuntox09.myddns.me
09pantherback09.myddns.me
09s3wct09.myddns.me
10backpanther10.myftp.biz
10direjuntox10.myftp.biz
10mbaxjuntox10.myftp.biz
10pantherback10.myftp.biz
10s3wct10.myftp.biz
11backpanther11.myftp.org
11direjuntox11.myftp.org
11mbaxjuntox11.myftp.org
11pantherback11.myftp.org
11s3wct11.myftp.org
11trpliuaum.viewdns.net
12backpanther12.ddns.net
12direjuntox12.ddns.net
12mbaxjuntox12.ddns.net
12pantherback12.ddns.net
12s3wct12.ddns.net
12trpsalas.redirectme.net
13backpanther13.ddnsking.com
13direjuntox13.ddnsking.com
13mbaxjuntox13.ddnsking.com
13pantherback13.ddnsking.com
13s3wct13.ddnsking.com
13trphteryukbelec.servebeer.com
14backpanther14.3utilities.com
14direjuntox14.3utilities.com
14mbaxjuntox14.3utilities.com
14pantherback14.3utilities.com
14s3wct14.3utilities.com
15backpanther15.bounceme.net
15direjuntox15.bounceme.net
15mbaxjuntox15.bounceme.net
15pantherback15.bounceme.net
15s3wct15.bounceme.net
16backpanther16.freedynamicdns.net
16direjuntox16.freedynamicdns.net
16mbaxjuntox16.freedynamicdns.net
16pantherback16.freedynamicdns.net
16s3wct16.freedynamicdns.net
17backpanther17.freedynamicdns.org
17direjuntox17.freedynamicdns.org
17mbaxjuntox17.freedynamicdns.org
17pantherback17.freedynamicdns.org
17s3wct17.freedynamicdns.org
18backpanther18.gotdns.ch
18direjuntox18.gotdns.ch
18mbaxjuntox18.gotdns.ch
18pantherback18.gotdns.ch
18s3wct18.gotdns.ch
19backpanther19.hopto.org
19direjuntox19.hopto.org
19mbaxjuntox19.hopto.org
19pantherback19.hopto.org
19s3wct19.hopto.org
1trpridnarsu.servegame.com
20backpanther20.myddns.me
20direjuntox20.myddns.me
20mbaxjuntox20.myddns.me
20pantherback20.myddns.me
20s3wct20.myddns.me
21backpanther21.myftp.biz
21direjuntox21.myftp.biz
21mbaxjuntox21.myftp.biz
21pantherback21.myftp.biz
21s3wct21.myftp.biz
21trpadeovnara.servehttp.com
22backpanther22.myftp.org
22direjuntox22.myftp.org
22mbaxjuntox22.myftp.org
22pantherback22.myftp.org
22s3wct22.myftp.org
22trpeblag.serveminecraft.net
23backpanther23.ddns.net
23direjuntox23.ddns.net
23mbaxjuntox23.ddns.net
23pantherback23.ddns.net
23s3wct23.ddns.net
247wtlxcr5b.myvnc.com
24backpanther24.ddnsking.com
24direjuntox24.ddnsking.com
24mbaxjuntox24.ddnsking.com
24pantherback24.ddnsking.com
24s3wct24.ddnsking.com
25backpanther25.3utilities.com
25direjuntox25.3utilities.com
25mbaxjuntox25.3utilities.com
25pantherback25.3utilities.com
25s3wct25.3utilities.com
26backpanther26.bounceme.net
26direjuntox26.bounceme.net
26mbaxjuntox26.bounceme.net
26pantherback26.bounceme.net
26s3wct26.bounceme.net
27backpanther27.freedynamicdns.net
27direjuntox27.freedynamicdns.net
27mbaxjuntox27.freedynamicdns.net
27pantherback27.freedynamicdns.net
27s3wct27.freedynamicdns.net
28backpanther28.freedynamicdns.org
28direjuntox28.freedynamicdns.org
28mbaxjuntox28.freedynamicdns.org
28pantherback28.freedynamicdns.org
28s3wct28.freedynamicdns.org
29backpanther29.gotdns.ch
29direjuntox29.gotdns.ch
29mbaxjuntox29.gotdns.ch
29pantherback29.gotdns.ch
29s3wct29.gotdns.ch
2trpnoisiuw.viewdns.net
30backpanther30.hopto.org
30direjuntox30.hopto.org
30mbaxjuntox30.hopto.org
30pantherback30.hopto.org
30s3wct30.hopto.org
31backpanther31.myddns.me
31direjuntox31.myddns.me
31mbaxjuntox31.myddns.me
31pantherback31.myddns.me
31s3wct31.myddns.me
31trpopuxgeleb.redirectme.net
3trprihtietoer.servebeer.com
41trpnepec.servegame.com
42trprodnada.servehttp.com
4trprodsalu.serveminecraft.net
51trpnoiaclig.viewdns.net
52trpnadaer.redirectme.net
5trpoheuxle.servebeer.com
61trpridakeyc.servegame.com
alamaudonweb.com
atsocarelepap.redirectme.net
bbgpw101up.gotdns.ch
bbgpw102up.ddnsking.com
bbgpw103up.gotdns.ch
bbgpw104up.ddnsking.com
bbgpw105up.gotdns.ch
bbgpw106up.ddnsking.com
bbgpw107up.gotdns.ch
bbgpw108up.ddnsking.com
bbgpw109up.gotdns.ch
bbgpw110up.ddnsking.com
bbgpw111up.gotdns.ch
bbgpw112up.ddnsking.com
bbgpw113up.gotdns.ch
bbgpw114up.ddnsking.com
bbgpw115up.gotdns.ch
bbgpw116up.ddnsking.com
bbgpw117up.gotdns.ch
bbgpw118up.ddnsking.com
bbgpw119up.gotdns.ch
bbgpw120up.ddnsking.com
bbgpw121up.gotdns.ch
bbgpw122up.ddnsking.com
bbgpw123up.gotdns.ch
bbgpw124up.ddnsking.com
bbgpw125up.gotdns.ch
bbgpw126up.ddnsking.com
bbgpw127up.gotdns.ch
bbgpw128up.ddnsking.com
bbgpw129up.gotdns.ch
bbgpw130up.ddnsking.com
bbgpw131up.gotdns.ch
danw01.ddns.net
danw01up.servequake.com
danw02up.viewdns.net
danw03up.servequake.com
danw04up.viewdns.net
danw05up.servequake.com
danw06up.viewdns.net
danw07up.servequake.com
danw08up.viewdns.net
danw09up.servequake.com
danw10up.viewdns.net
danw11up.servequake.com
danw12up.viewdns.net
danw13up.servequake.com
danw14up.viewdns.net
danw15up.servequake.com
danw16up.viewdns.net
danw17up.servequake.com
danw18up.viewdns.net
danw19up.servequake.com
danw20up.viewdns.net
danw21up.servequake.com
danw22up.viewdns.net
danw23up.servequake.com
danw24up.viewdns.net
danw25up.servequake.com
danw26up.viewdns.net
danw27up.servequake.com
danw28up.viewdns.net
danw29up.servequake.com
danw30up.viewdns.net
danw31up.servequake.com
inquisit55splash.zapto.org
jamresy01up.servequake.com
jamresy02up.viewdns.net
jamresy03up.servequake.com
jamresy04up.viewdns.net
jamresy05up.servequake.com
jamresy06up.viewdns.net
jamresy07up.servequake.com
jamresy08up.viewdns.net
jamresy09up.servequake.com
jamresy10up.viewdns.net
jamresy11up.servequake.com
jamresy12up.viewdns.net
jamresy13up.servequake.com
jamresy14up.viewdns.net
jamresy15up.servequake.com
jamresy16up.viewdns.net
jamresy17up.servequake.com
jamresy18up.viewdns.net
jamresy19up.servequake.com
jamresy20up.viewdns.net
jamresy21up.servequake.com
jamresy22up.viewdns.net
jamresy23up.servequake.com
jamresy24up.viewdns.net
jamresy25up.servequake.com
jamresy26up.viewdns.net
jamresy27up.servequake.com
jamresy28up.viewdns.net
jamresy29up.servequake.com
jamresy30up.viewdns.net
jamresy31up.servequake.com
levitynnatural.jetos.com
levytynatural.jetos.com
norcopop.serveminecraft.net
oiapmasomsirut.servebeer.com
pat2wx.webhop.me
pat2wx01up.servemp3.com
pat2wx02up.ddnsking.com
pat2wx03up.servemp3.com
pat2wx04up.ddnsking.com
pat2wx05up.servemp3.com
pat2wx06up.ddnsking.com
pat2wx07up.servemp3.com
pat2wx08up.ddnsking.com
pat2wx09up.servemp3.com
pat2wx10up.ddnsking.com
pat2wx11up.servemp3.com
pat2wx12up.ddnsking.com
pat2wx13up.servemp3.com
pat2wx14up.ddnsking.com
pat2wx15up.servemp3.com
pat2wx16up.ddnsking.com
pat2wx17up.servemp3.com
pat2wx18up.ddnsking.com
pat2wx19up.servemp3.com
pat2wx20up.ddnsking.com
pat2wx21up.servemp3.com
pat2wx22up.ddnsking.com
pat2wx23up.servemp3.com
pat2wx24up.ddnsking.com
pat2wx25up.servemp3.com
pat2wx26up.ddnsking.com
pat2wx27up.servemp3.com
pat2wx28up.ddnsking.com
pat2wx29up.servemp3.com
pat2wx30up.ddnsking.com
pat2wx31up.servemp3.com
plorext1247wtlxcr5b.bounceme.net
pmuplasoloc.servehttp.com
ptmx101up.servemp3.com
ptmx102up.ddnsking.com
ptmx103up.servemp3.com
ptmx104up.ddnsking.com
ptmx105up.servemp3.com
ptmx106up.ddnsking.com
ptmx107up.servemp3.com
ptmx108up.ddnsking.com
ptmx109up.servemp3.com
ptmx110up.ddnsking.com
ptmx111up.servemp3.com
ptmx112up.ddnsking.com
ptmx113up.servemp3.com
ptmx114up.ddnsking.com
ptmx115up.servemp3.com
ptmx116up.ddnsking.com
ptmx117up.servemp3.com
ptmx118up.ddnsking.com
ptmx119up.servemp3.com
ptmx120up.ddnsking.com
ptmx121up.servemp3.com
ptmx122up.ddnsking.com
ptmx123up.servemp3.com
ptmx124up.ddnsking.com
ptmx125up.servemp3.com
ptmx126up.ddnsking.com
ptmx127up.servemp3.com
ptmx128up.ddnsking.com
ptmx129up.servemp3.com
ptmx130up.ddnsking.com
ptmx131up.servemp3.com
ptmx201up.servemp3.com
ptmx202up.ddnsking.com
ptmx203up.servemp3.com
ptmx204up.ddnsking.com
ptmx205up.servemp3.com
ptmx206up.ddnsking.com
ptmx207up.servemp3.com
ptmx208up.ddnsking.com
ptmx209up.servemp3.com
ptmx210up.ddnsking.com
ptmx211up.servemp3.com
ptmx212up.ddnsking.com
ptmx213up.servemp3.com
ptmx214up.ddnsking.com
ptmx215up.servemp3.com
ptmx216up.ddnsking.com
ptmx217up.servemp3.com
ptmx218up.ddnsking.com
ptmx219up.servemp3.com
ptmx220up.ddnsking.com
ptmx221up.servemp3.com
ptmx222up.ddnsking.com
ptmx223up.servemp3.com
ptmx224up.ddnsking.com
ptmx225up.servemp3.com
ptmx226up.ddnsking.com
ptmx227up.servemp3.com
ptmx228up.ddnsking.com
ptmx229up.servemp3.com
ptmx230up.ddnsking.com
ptmx231up.servemp3.com
retnecbob.redirectme.net
retnecbob.servegame.com
riot44theendurable.zapto.org
s3wct4p1.viewdns.net
seguresnueva01.ddns.net
seguresnueva02.ddns.net
seguresnueva03.ddns.net
seguresnueva04.ddns.net
seguresnueva05.ddns.net
seguresnueva06.ddns.net
seguresnueva07.ddns.net
snegaivlautpac.redirectme.net
snugelbub.serveminecraft.net
snugpot.servebeer.com
stupendous22sec.zapto.org
teporcam.servegame.com
the11industrious.zapto.org
vmcnydf4125as.serveirc.com
wistfulpotatoes.com
wretched33kinder.zapto.org
xcpopabmas.viewdns.net
zalevitelosag.redirectme.net

# Generic
# Path-only trails with no reference attached. None of them names a host, so
# each one applies to a request for that path on any server.
# NOTE(review): /bd21.php is also listed earlier in this file under an any.run
# reference, so it appears twice. /admin/faq3Gz2.php is listed separately from
# /faq3Gz2.php, which suggests paths are matched exactly and not by suffix -
# TODO confirm against the consuming tool.

/aj31.php
/ak51.php
/bd21.php
/bd22.php
/bd23.php
/bk71.php
/h781.php
/h783.php
/ju61.php
/ju62.php
/faq3Gz2.php
/index2ErZ.php
/admin/faq3Gz2.php
