# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://twitter.com/James_inthe_box/status/1040718336173137920

host2.azaronline.com

# Reference: https://twitter.com/avman1995/status/1039929322612641792

mail.efx.net.nz

# Reference: https://twitter.com/James_inthe_box/status/1039878859007569920
# Reference: https://www.virustotal.com/#/ip-address/37.59.117.243

http://37.59.117.243

# Reference: https://twitter.com/avman1995/status/1040493935234371584

ftp://ftp.fasttradeco.com

# Reference: https://twitter.com/MalwareHunterBR/status/1016486687059402752

herosoup.org

# Reference: https://twitter.com/ViriBack/status/983011333506588672
# Reference: https://pastebin.com/nwWHHFe0

bobby.ziraat-helpdesk.com/login.php
chibu.ziraat-helpdesk.com/login.php
chisom.ziraat-helpdesk.com/login.php
dashi-dashi.ziraat-helpdesk.com/login.php
eizzy.haoldd.com/login.php
elb.haoldd.com/login.php
emy.agrillcs.com/login.php
ezeoma.agrillcs.com/login.php
figure.agrillcs.com/login.php
files.ziraat-helpdesk.com/login.php
free.agrillcs.com/login.php
jboy.agrillcs.com/login.php
jizzy.ziraat-helpdesk.com/login.php
joe.ziraat-helpdesk.com/login.php
haoldd.com/okilo/login.php
ike.agrillcs.com/login.php
isa.haoldd.com/login.php
kc.ziraat-helpdesk.com/login.php
kelvin.agrillcs.com/login.php
marchforward.usa.cc/WebPanel/login.php
marchforward.usa.cc/youngnascent/WebPanel/login.php
mi.haoldd.com/login.php
okey.haoldd.com/login.php
small-kelly.agrillcs.com/login.php
tonishl.ga/alifriend/WebPanel/login.php
tonishl.ga/jide/WebPanel/login.php
tonishl.ga/shanker/WebPanel/login.php
tonishl.ml/kc/WebPanel/login.php
tonishl.ml/nonso/WebPanel/login.php
tonishl.ml/sammy/WebPanel/login.php
yg.haoldd.com/login.php

# Reference: https://twitter.com/James_inthe_box/status/1046070749138735110

shahrproject.ir/wp--admin/

# Reference: https://twitter.com/James_inthe_box/status/1044198938847244289

moranhq.duckdns.org

# Reference: https://twitter.com/Jan0fficial/status/1047023512383311873

venividivici.host

# Reference: https://twitter.com/Jan0fficial/status/1047051546851254272

etvidanueva.com/photos/images/WebPanel/login.php
etvidanueva.com/photos/images/fulls/WebPanel/login.php

# Reference: https://twitter.com/Jan0fficial/status/1047053960689987584

allpeople.cc/WebPanel/

# Reference: https://twitter.com/James_inthe_box/status/1047495498867728384

hp-compoundlng.com/zuniga/zuniga.php

# Reference: https://twitter.com/avman1995/status/1046620646137102336

repoyochar2u.ddns.net
repoyochar2u.hopto.org

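# Generic callback path (path-only entry, not tied to any host, so it is less specific than the host-based entries; cf. hp-compoundlng.com/zuniga/zuniga.php above)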

/zuniga.php

# Reference: https://twitter.com/Racco42/status/1055370151984537602

ftp.dolphins-gb.com

# Reference: https://twitter.com/casual_malware/status/1107441450415992832

rat8882018.bounceme.net

# Reference: https://twitter.com/ItsReallyNick/status/925754844706689024

regiusersme63.com
twendekazi.co.ke

# Reference: https://twitter.com/JAMESWT_MHT/status/1111231704847581185

server15.thcservers.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1117787548787597313
# Reference: https://app.any.run/tasks/a7f299b3-0b84-4403-a75f-7fb45700e14e

severeweatheralerts02.severeweatheralerts.net

# Reference: https://otx.alienvault.com/pulse/5cb636d8706621055e694e0a
# Reference: https://twitter.com/_cpresearch_/status/1118201474809462784

checkoutspace.com

# Reference: https://twitter.com/dvk01uk/status/1137669359273435138
# Reference: https://app.any.run/tasks/318a9aa9-8c2e-4d21-9a4c-aa023de19d74/

mail.trezaexim.com

# Reference: https://twitter.com/Lvanoel/status/1140500849904537600
# Reference: https://app.any.run/tasks/b4361590-d24e-4a4d-a273-5776ee377b08/

mail.jyotistrips.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1142020465063538689
# Reference: https://app.any.run/tasks/1f643b34-6d92-4bb6-88e1-2aa21e524d20/

mail.crypy.top

# Reference: https://twitter.com/killamjr/status/1143288308300013568

vr9519.club

# Reference: https://twitter.com/B1naryG/status/1143818690040860673
# Reference: https://app.any.run/tasks/3b4e7470-3144-47e3-8caf-ad069c4a5419/

algadeed-com.ga
mail.sweeddehacklord.us

# Reference: https://github.com/pan-unit42/iocs/edit/master/agenttesla/agenttesla_panels.txt

123.makologg.website
13020.vhost.myvirtualserver.de
13140.vhost.myvirtualserver.de
a-work.info
addmehosts.com
admin.downloadtip.club
agenttesla.com
agentteslapanel.site
airnicoltd.biz
appleconnect.online
blasternoon.ru
blockchian.us
bossbadoo123.000webhostapp.com
brunam90.me
cellularwizard.biz
china-smi.biz
classicfllters.com
cloud9files.net
coleweinman1.000webhostapp.com
combinaparts.com
comebackto.info
compassiwater.com
cp.gonerallying.com
csgoshuffle.trade
cyberfreakz.cf
daalkha.com
darkmat3r-v3nom.lawcost.com
davcandle.life
defaomfg.com
diplomaticcourier.net
dongabito.com
douglascellings.com
dovemessengers.com
dropped.cf
e-paymentonline.online
egoigwe.date
elihanss.ru
emailaccountsupdate.com
emybeks.diplomaticsecurityservicelondon.com
essentialsupdate.com
exam2quiz.com.ng
eyeover.it
fash2v.com
fbillion.essentialtechsolutions.com
frank.diplomaticsecurityservicelondon.com
franklinpanel.xyz
frankpanel.xyz
friendfinances.com
fundz1st.fav.al
futurarice.com
graficafolha.com.br
halifacxz.com
helofitsol.com
hiflowwing.com
hopewordnlos.info
hoplikes.com
hp.gonerallying.com
hugoslyltd.com
hummerenergyinc.com
hustle.paneltesla.net
ibouz.co.business
icoud.online
iiltd.xyz
januoey.com
jerelpacks.com
jpoffice2017.xyz
karmakintra.com
kf3nqetgl3p3qlvnl4ze.ru
kidertalerz.com
killatenderz.com
kolapharma.com
koloongroupinc.ru
lakhakaidea.com
libazo.com
magosnegt.net
maxibrainz.net
mctagents.ml
mgelectroncs.com
miloill.com
mitch.sudimex.ml
mnbvcxzus.com
mogosan.com
mqbearing.club
mrabengo.com
nckportugal.com
nellsonn.com
newseuro2015.org
nexuscoltd.com
notifuls.com
onlinesypoi.com
optifinecapes.us
panel.profitstakers.com
panelci.xyz
panelone.xyz
panelp.xyz
paneltesla.net
pansha.regworldmail.com
pegeng-ch.com
petush32.beget.tech
picasuminion.com
plasdic.com
pron.wonkarima.ru
robphish.xyz
rootjoy20.net
roperspump.com
saintahotel.com
secpolicy.info
senator1st.fav.al
sender.agenttesla.com
shalla.eyeofbangladesh.com
shingrela.com
signaturehealthcarltd.com
smartmanber.com
someshitejob.ru
sosignshome.com
steamstatus.pw
stlmre.xyz
suabepga.net
suchsuggestions.com
sweed-office.comie.ru
syncav.ms-sync.com
t1st.fav.al
t2st.fav.al
t3st.fav.al
t4st.fav.al
t5st.fav.al
tecomou1d.com
tesla.dailyawamitime.com
tesla.lawcost.com
teslalogs.club
toke.paneltesla.net
tokimecltd.ru
tomfill.xyz
trade-accounts.com
transfoffer.com
transstates.us
u-nyx.ru
ugo.diplomaticsecurityservicelondon.com
upgr-serv.com
vacanzaimmobiliare.it
vimeostream.com
viprecycleresourcesltd.com
vivaasindustry.com
weviio.com
wlttraco.com
womensmuseumca.org
wonkarima.ru
xbool.ru
xboolean.com
xz2dtd11bm97h36.host
yeubiope.com
you.paneltesla.net
yyyxyyxxyxxx.xyz
zjxhqd.com

# Reference: https://twitter.com/killamjr/status/1145131854984556545

spellsove.duckdns.org

# Reference: https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html

Oralbdentaltreatment.tk
aelna.com
aiaininsurance.com
aidanube.com
anernostat.com
blssleel.com
bwayachtng.com
cablsol.com
candqre.com
catalanoshpping.com
cawus-coskunsu.com
crosspoiimeri.com
dougiasbarwick.com
erieil.com
etqworld.com
evegreen-shipping.com
gufageneys.com
hybru.com
intermodaishipping.net
jltqroup.com
jyexports.com
kayneslnterconnection.com
kn-habour.com
leocouriercompany.com
lnnovalues.com
mglt-mea.com
mti-transt.com
profbuiiders.com
quycarp.com
regionaitradeinspections.com
repotc.com
rsaqencies.com
samhwansleel.com
serec.us
snapqata.com
spedaqinterfreight.com
sukrltiv.com
supe-lab.com
sweed-office.comie.ru
sweed-viki.ru
sweeddehacklord.us
sweedoffice-bosskobi.duckdns.org
sweedoffice-chuks.duckdns.org
sweedoffice-goodman.duckdns.org
sweedoffice-kc.duckdns.org
sweedoffice-olamide.duckdns.org
sweedoffice.duckdns.org
usarmy-mill.com
virdtech.com
willistoweswatson.com
wlttraco.com
worldjaquar.com
xlnya-cn.com
zarpac.us
zurieh.com

# Reference: https://twitter.com/stoerchl/status/1157237675302240257

serverstresstestgood.duckdns.org

# Reference: https://twitter.com/dvk01uk/status/1159391837553090560

server1.monovm.com

# Reference: https://any.run/report/3c240ee0a740b57daea65b81faa99b951731f23c694bb5b6964b553152ee8d6c/1561dcbd-2a96-469a-8822-7cf9d495441e

helsanaa.com

# Reference: https://app.any.run/tasks/ab36a3dc-063e-41ee-8077-dc501f4d1403/
# Reference: https://brica.de/alerts/alert/public/1263301/agenttesla-keylogger-and-binary-options-scam/

mail.tendertradeforex.co.uk

# Reference: https://app.any.run/tasks/c1c8ad7a-f1d0-4ddf-b1d7-648d8f097ef8/

smtp.odogwugroup.icu

# Reference: https://app.any.run/tasks/d4aff5ad-9b44-42f0-8165-74731e1114c4/

smtp.rexsativa.com

# Reference: https://app.any.run/tasks/df208288-e4f1-4efd-99ee-12c2e37905c4/

mail.interflow.com.pk
tfvn.com.vn

# Reference: https://app.any.run/tasks/8b18fd2b-2610-49b0-9dea-55b45742adc5/

smtp.iconic-qrp.com

# Reference: https://app.any.run/tasks/8b668f18-5854-43ef-a2af-f4e8ee9b9b55/

server1.monovm.com

# Reference: https://twitter.com/dvk01uk/status/1171723427138420738
# Reference: https://app.any.run/tasks/fef429fb-bec4-4368-9b3e-9e37866221c7/

94.199.200.64:587
mail.appliedfuturevison.com

# Reference: https://twitter.com/wwp96/status/1173611784743378944
# Reference: https://app.any.run/tasks/948a6bd8-0cfb-4a82-a3f9-1e631965900b/

workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com

# Reference: https://app.any.run/tasks/43064ac6-b617-44c8-8942-bacf12288dfc/

smtp.uml-db.com

# Reference: https://app.any.run/tasks/7545bb05-60f9-4995-b6ee-e5b32a8783ec/

smtp.nifl.icu

# Reference: https://twitter.com/Lvanoel/status/1173838721201922048
# Reference: https://app.any.run/tasks/1b86cdd7-f235-4159-ab74-127bd0d0912a/

5.9.3.218:26
mail.siicegypt.com

# Reference: https://twitter.com/reecdeep/status/1174270764461244417
# Reference: https://app.any.run/tasks/f3372717-35fb-43fc-aa1e-073bc762c39e/

198.187.29.188:26
mail.cjcurrent.com

# Reference: https://twitter.com/wwp96/status/1176581010554793984
# Reference: https://app.any.run/tasks/ed1bc8c6-d83b-4dfd-9b6e-2b3ad128c83a/

198.187.29.4:587
server263.web-hosting.com

# Reference: https://twitter.com/wwp96/status/1178661072993173504

smtp.kobitek-tr.com

# Reference: https://www.virustotal.com/gui/url/752918f8cfbeff0e6bbb5f0c62edc1bedca657b5eb659ab07d610260e3b7a48d/details
# Reference: https://urlhaus.abuse.ch/url/235725/
# Reference: https://any.run/report/2ff7a5b19dbf914d2607623b255fc392b20e86a61109cac6de96cf214e88f963/2a188e52-c397-4805-b62a-faefe02c9d8f

wirelord.us

# Reference: https://precisionsec.com/threat-intelligence-feeds/agenttesla/

khotawa.com
xdzzs.com
demo.shopping.co.mz

# Reference: https://urlhaus.abuse.ch/url/236622/

decodes.in

# Reference: https://urlhaus.abuse.ch/url/236510/

cafe-milito.com

# Reference: https://urlhaus.abuse.ch/url/235644/

mpsoren.cc

# Reference: https://urlhaus.abuse.ch/url/235546/

alhaji.top

# Reference: https://twitter.com/0xFrost/status/1179459193662853120

smtp.alliadintl.com

# Reference: https://app.any.run/tasks/5434da4e-e090-4642-be8d-a0117eaeb143/

smtp.alfe-eng.net

# Reference: https://twitter.com/MrGlaive/status/987780707551469569
# Reference: https://www.virustotal.com/gui/file/281053cbe38ffb8634e33d8a42ab772fb334de9e0a94af370a2426e00a502d6b/detection

mail.crosspolimeri-com.ga

# Reference: https://twitter.com/wwp96/status/1188897624776216576
# Reference: https://www.virustotal.com/gui/ip-address/79.134.225.125/relations

olodofries.ddns.net
victoryinkings.ddns.net

# Reference: https://twitter.com/ViriBack/status/1189329887074619395
# Reference: https://app.any.run/tasks/4fb9044e-3ab4-4475-94d0-0070bef4acdc/

52.15.102.232:16654

# Reference: https://twitter.com/wwp96/status/1189564875040788480

smtp.krisorigin.top
