# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

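# Format: one indicator per line, either a hostname or an IP:port pair; lines starting with '#' are comments.
# Note: entries are point-in-time observations from the cited references. Many are dynamic-DNS hostnames
# (e.g. *.duckdns.org, *.ddns.net) or bare IP:port pairs, which can be reassigned to unrelated parties,
# so check a hit against its reference before acting on it.

# Reference: http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery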

list131.ignorelist.com

# Reference: https://twitter.com/guelfoweb/status/1105493553030053888
# Reference: https://twitter.com/JaromirHorejsi/status/1105447086361923584

schoolfurniturecompany.com

# Reference: https://twitter.com/x42x5a/status/1111247631223791617

tsesser.duckdns.org

# Reference: https://twitter.com/pollo290987/status/1113335382878425088

fada101.servehttp.com

# Reference: https://twitter.com/James_inthe_box/status/1113423296211562497

91.192.100.8:47583

# Reference: https://twitter.com/Racco42/status/1115259915877146625

maxcoopart80.ddns.net

# Reference: https://twitter.com/x42x5a/status/1116608057268527105
# Reference: https://app.any.run/tasks/e89ec46a-0637-4b24-9802-08cc19459bef

185.140.53.17:2888

# Reference: https://twitter.com/James_inthe_box/status/1118904407792345090

mydnssbox.gleeze.com

# Reference: https://reaqta.com/2019/04/ave_maria-malware-part1/

maxibrainz.warzonedns.com
91.192.100.61:2580

# Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ (# AveMaria)

tain.warzonedns.com
noreply377.ddns.net
server.mtcc.me
doddyfire.dyndns.org
toekie.ddns.net
warmaha.warzonedns.com
185.162.131.97:222

# Reference: https://twitter.com/Racco42/status/1130511314537918465

mailsle001.duckdns.org
mazzet990.duckdns.org

# Reference: https://twitter.com/Lvanoel/status/1131441015922057217
# Reference: https://app.any.run/tasks/b00d980c-615c-433a-b549-36253786f9cb/

145.239.202.109:1013
145.239.202.109:1018

# Reference: https://twitter.com/Racco42/status/1132911306472919040

hiswar45.warzonedns.com

# Reference: https://twitter.com/abuse_ch/status/1145697917161934856

fuckoffesetdetectmysleep.com

# Reference: https://twitter.com/HerbieZimmerman/status/1151196743201173507

respainc.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1151953182869741568

masterprof.warzonedns.com

# Reference: https://twitter.com/James_inthe_box/status/1156163867744935938

dephantomz.duckdns.org

# Reference: https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/

anglekeys.warzonedns.com

# Reference: https://twitter.com/ps66uk/status/1159446703185047552

95.168.191.77:1436
dd122.duckdns.org

# Reference: https://twitter.com/anyrun_app/status/1159700318478897152
# Reference: https://app.any.run/tasks/b89006cd-dba0-4bc3-8a16-002f4ccc416b/

37.120.159.243:21204
aidsweden.serveblog.net

# Reference: https://twitter.com/James_inthe_box/status/1161273917689880576

millionways.duckdns.org

# Reference: https://twitter.com/Lvanoel/status/1161511143174823936
# Reference: https://app.any.run/tasks/bf09de69-e3b4-41d6-9d1e-d4875f9bca16/

79.134.225.39:2134
ndubaba45.warzonedns.com

# Reference: https://twitter.com/killamjr/status/1163429097273516032

wealthyblessed.warzonedns.com

# Reference: https://twitter.com/tkanalyst/status/1167210316406484992
# Reference: https://app.any.run/tasks/bf11ba41-b5bf-4fed-8769-eebdf6b50760/

185.70.184.34:3367

# Reference: https://www.virustotal.com/gui/file/544b299edea483bae81f71b7225aaa835ab025bcb6bd79b2d4ea9e2fe015c28f/behavior/Tencent%20HABO

wealthyme.warzonedns.com

# Reference: https://www.virustotal.com/gui/file/25a549daef7a464b48239af1d40f8aebba64dbadcbda0e99ce66b501aab7e36f/behavior/VirusTotal%20Jujubox

ebase.duckdns.org

# Reference: https://www.virustotal.com/gui/file/ece090a78dd15d62d2135e97df60c4aadd91a47febfa871394155bf367fde6fd/behavior/VirusTotal%20Jujubox

warzo.duckdns.org

# Reference: https://www.virustotal.com/gui/file/7c76424b56e4a678617fa9020a57c8342947ad883f747344f14520dee6f124a9/behavior/Dr.Web%20vxCube

levelup.publicvm.com

# Reference: https://www.virustotal.com/gui/file/da626882f225ded5ba58cefb4585de0c5a42f8e5fc9eb5b7762ef297187bf3fc/behavior/Lastline

helloworld.ddnsking.com

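# Reference: https://www.virustotal.com/gui/file/2fdb79ca19e2ff06973e49b53ae627adfdf34a6f166f167fbceebb6c1cd60da3/behavior/Lastline
# Note: millionways.duckdns.org is already listed earlier in this file (under https://twitter.com/James_inthe_box/status/1161273917689880576); duplicate entry.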

millionways.duckdns.org

# Reference: https://www.virustotal.com/gui/file/e8c68dd2e6fc0c1cacb27461dff68dcf16a8aa41af9e84b38b0cad8457789a6f/behavior/Lastline

amariceo.duckdns.org

# Reference: https://www.virustotal.com/gui/file/733a272f202c9917b877be278df24368daa6de101a2b804ccb45b48c6119c6fa/behavior/Lastline

eclass47.duckdns.org

# Reference: https://twitter.com/wwp96/status/1170333909982285824
# Reference: https://app.any.run/tasks/32422cdd-19d0-40cf-87d9-cb08e706405a/

185.165.153.12:1033
jsbcdns.warzonedns.com

# Reference: https://twitter.com/wwp96/status/1171410401885589509
# Reference: https://app.any.run/tasks/9e8d008e-653e-4af0-bfa4-ac05910853d4/

79.134.225.107:6703
naval.duckdns.org

# Reference: https://twitter.com/w3ndige/status/1179711138981957633
# Reference: https://app.any.run/tasks/a5a9e2f9-45bc-4760-8fad-3683d76aaf56/

94.237.114.17:59221
linuxpro1.warzonedns.com

# Reference: https://twitter.com/killamjr/status/1189750151155474432
# Reference: https://app.any.run/tasks/abcdb43f-c221-4ffe-9598-c7d6a2301395/
# Reference: https://www.virustotal.com/gui/file/80c027aea4017e2a6ef61cb5d2da2f5cd5c47a6bb082f3172be668fa85f3b3ef/detection

142.44.161.51:5371

# Reference: https://pastebin.com/29uSdMAk
# Reference: https://www.virustotal.com/gui/file/a75dad61090b4575f360310d59647560ce9faaff047ad7513fde736ea90aec4e/detection
# Reference: https://www.virustotal.com/gui/file/546dcac6a5fc155afcc19a4b74effff13414636362129cdbe73d47e994dc39b4/detection
# Reference: https://www.virustotal.com/gui/file/a2bf4a9a1d776cf793a97d0b6fc37b63dcb55f7e4793070df5cc265f59e06f97/detection

185.165.153.46:83

# Reference: https://pastebin.com/29uSdMAk
# Reference: https://www.virustotal.com/gui/file/c3b48986b1377673856f5500f9c79ec3de25c51c10e44e09e9385ce779dd0f6b/detection
# Reference: https://www.virustotal.com/gui/file/a11b7ef1b9ae4b05deec96035b8173d79861f3c661a66cb08ec5b7cb7993981a/detection

173.254.223.68:5005
37.49.225.237:5009
79.134.225.21:2244
favour.ddnsgeek.com
