# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/itaitevet/status/1035250414038474752
# Reference: https://pastebin.com/XT20EyJA

3gihg5esw7lxg2wh.onion

# Reference: https://www.securityhome.eu/malware/malware.php?mal_id=8442588975b9c69bf696447.83703696

/neam.meow

# Reference: https://myonlinesecurity.co.uk/trickbot-still-being-delivered-by-fake-payroll-emails/

/super.orb

# Reference: https://twitter.com/James_inthe_box/status/1047239965216665600
# Reference: https://twitter.com/James_inthe_box/status/1047241977043898368

/cantbe.played

# Reference: https://www.malware-traffic-analysis.net/2018/10/05/index.html

/novich.gas

# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html

excel-office.com

# Reference: https://app.any.run/tasks/fe58bf2c-065f-4505-a644-6baeeb7ee4cf

/78237_8219_9.php

# Reference: https://twitter.com/Racco42/status/1107351502878842880

/001928_112.php

# Reference: https://twitter.com/Racco42/status/1106547527334154240

/47238348_8820.php

# Reference: https://twitter.com/Racco42/status/1106225615705948167

/99208_929_991.php

# Reference: https://twitter.com/Racco42/status/1106201029127880704

/92112893892.php

# Reference: https://twitter.com/Racco42/status/1102869794502705152

/CPQpqCOuKV.php

# Reference: https://twitter.com/Racco42/status/1102590512228388866

/930_08.php

# Reference: https://twitter.com/K_N1kolenko/status/918370497590628353

/logHbst.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1109027309015715840
# Reference: https://app.any.run/tasks/738cc560-f3c6-4534-893d-3ea28dd60671

/shh.sshh

# Reference: https://twitter.com/Racco42/status/1110461029354487809

/993098_2.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1111236459930046464
# Reference: https://app.any.run/tasks/ca7a8278-2535-4101-b5be-ea70e7362617

/tot445/

# Reference: https://twitter.com/0bfusCat/status/1036577317190021127

95.213.251.200:443
/tt0002

# Reference: https://twitter.com/avman1995/status/1115514722751848448

3dnext.ru/43434673.php

# Reference: https://twitter.com/K_N1kolenko/status/1094871503303262208

/corona.mor

# Reference: https://twitter.com/JAMESWT_MHT/status/1117105783240577026

/7738_0019.php

# Reference: https://twitter.com/K_N1kolenko/status/918370497590628353
# Reference: https://twitter.com/K_N1kolenko/status/916192356847751168
# Reference: https://twitter.com/K_N1kolenko/status/900259914874073088

/worming.png

# Reference: https://twitter.com/K_N1kolenko/status/916551437647335424

/worming2.png

# Reference: https://twitter.com/K_N1kolenko/status/1017305694331121665

5g4c3a6jkk734fs5.onion

# Reference: https://twitter.com/malware_traffic/status/1118299982069628929

201.184.231.34:8082
/sat43/

# Reference: https://twitter.com/Racco42/status/1118476901876674561

/43455_5514_12.php

# Reference: https://twitter.com/malware_traffic/status/1119021844416405504

/8377_8298_99.php

# Reference: https://twitter.com/pancak3lullz/status/1106677558224060416
# Reference: https://twitter.com/pancak3lullz/status/1102629658221314048

103.119.144.250:8082
75.183.130.158:8082
/lib427/
/tot427/

# Reference: https://twitter.com/Racco42/status/1121379098834755584

/99200277_0.php

# Reference: https://twitter.com/James_inthe_box/status/1126175073759481857
# Reference: https://pastebin.com/T5U4SHQU

181.209.88.26:449
185.222.202.42:443
185.222.202.43:443
95.213.252.153:443
192.227.232.63:443
192.227.232.65:443
104.200.67.163:443
185.243.115.149:443
200.122.209.78:449
200.54.14.61:449
181.143.17.66:449
177.105.235.17:449
181.143.102.30:449
190.0.20.114:449
190.151.25.178:449
201.184.69.50:449
190.109.165.197:449
125.209.82.158:449
80.173.224.81:449
76.107.90.235:449
181.129.136.226:449
191.103.219.138:449
202.63.242.48:449
181.176.191.5:449
190.117.66.194:449
186.226.188.105:449
143.255.141.137:449
190.151.10.114:449
181.115.236.26:449
190.196.32.42:449
181.48.203.10:449
177.105.237.93:449
181.129.20.250:449
186.159.2.153:449

# Reference: https://twitter.com/malware_traffic/status/1128019457966735360
# Reference: https://twitter.com/malware_traffic/status/1136682537005305858

186.159.1.217:8082

# Reference: https://twitter.com/Racco42/status/1128955163023171584

/1124_938_0029.php

# Reference: https://twitter.com/binitamshah/status/1137743683586052096
# Reference: https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
# Reference: https://pastebin.com/wZ3R0gCa
# Reference: https://pastebin.com/ghGtMBLH

125.209.82.158:449
136.25.2.43:449
138.186.62.222:449
143.255.141.137:449
162.209.124.166:80
167.99.206.127:80
177.105.235.17:449
177.105.237.93:449
177.183.194.194:449
177.92.249.187:449
179.189.234.157:449
181.112.221.246:449
181.115.156.218:80
181.115.236.26:449
181.129.136.226:449
181.129.160.10:8082
181.129.20.250:449
181.129.49.98:449
181.143.102.30:449
181.143.17.66:449
181.176.191.5:449
181.209.88.26:449
181.48.203.10:449
181.57.97.138:80
185.117.73.140:443
185.183.96.219:443
185.183.97.37:443
185.198.57.70:443
185.244.150.148:443
186.10.243.70:8082
186.159.1.217:8082
186.183.151.194:8082
186.226.188.105:449
186.248.163.198:449
186.42.186.202:449
187.17.201.237:449
187.61.106.223:449
187.61.107.140:449
187.65.49.88:449
187.8.169.10:449
187.95.123.179:449
187.95.32.18:449
190.0.20.114:449
190.109.165.197:449
190.117.66.194:449
190.151.10.114:449
190.151.25.178:449
190.152.125.162:80
190.196.32.42:449
190.215.52.165:449
191.103.219.138:449
191.103.252.29:80
191.241.233.195:449
191.242.178.210:449
191.36.157.164:449
192.210.152.190:443
194.5.250.130:443
195.123.240.31:443
199.247.24.9:80
2.184.90.173:449
200.107.59.130:449
200.110.72.134:449
200.122.209.78:449
200.21.51.30:80
200.35.47.199:80
200.35.56.81:449
200.54.14.61:449
200.83.49.141:449
201.148.247.21:449
201.184.69.50:449
201.56.193.18:449
202.63.242.48:449
209.45.30.2:449
216.189.145.231:443
31.47.55.106:449
36.91.93.114:80
37.255.200.157:449
5.190.90.5:449
75.183.130.158:8082
76.107.90.235:449
79.137.119.209:443
80.173.224.81:449
85.133.183.174:449
85.209.162.148:443
89.46.223.252:443
90.215.52.165:449
91.242.178.210:449
91.98.159.58:449
93.115.146.119:449
93.115.147.198:449
94.101.182.156:449
97.87.127.198:80

# Reference: https://twitter.com/James_inthe_box/status/1090234438833778690
# Reference: https://app.any.run/tasks/5a12dfe2-ba7a-4efe-8062-d710e7350c94/

37.140.199.69:17655
37.140.199.69:25087

# Reference: https://twitter.com/ararora4/status/1144982095325990913
# Reference: https://garwarner.blogspot.com/2019/06/trickbot-new-injects-new-host.html

aefaldnessliverhearted.com
onlylocaltrade.com
remirollerros.com
wellsfargostrade.com

# Reference: https://twitter.com/malware_traffic/status/1146086054207873024

170.238.117.187:8082

# Reference: https://twitter.com/ps66uk/status/1147193022830059521

mailchi.mp/d975f55661ef/4jzmygx2t9
mc.us16.list-manage.com
pasini.info

# Reference: https://twitter.com/seguridadyredes/status/1054112048559329282

http://185.92.74.85/index.php
98.177.188.224:49225
