# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: proyecto, xpertrat, xrat

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Xtrat-CC/detailed-analysis.aspx

cooempresas.ddns.net

# Reference: https://citizenlab.ca/2015/12/packrat-report/

taskmgr.serveftp.com
taskmgr.servehttp.com
wjwj.no-ip.org

# Reference: https://www.virustotal.com/en/file/d05b5f13bfa9082f9087dabc3c4d15471209b1dfe8b27272360558dba2c85d43/analysis/
# Reference: https://www.virustotal.com/en/file/15c4933b7b767d44c71bac0b7bf44d1bd9f3dd6bada45b35f5ebb8f22367842b/analysis/

updatechrome.duckdns.org

# Reference: https://twitter.com/Racco42/status/1054463077603786753

84.38.135.152:1148

# Reference: https://www.zscaler.com/blogs/research/backdoor-xtrat-continues-evade-detection
# Reference: https://www.hybrid-analysis.com/sample/e58117933d0b5312cc0f799b5f181482220f1e26f62f9eaa4f99ed50cd29b90c?environmentId=1
# Reference: https://totalhash.cymru.com/analysis/?20379ec605b8acadb2a1f4f064c6481171a4e0ce
# Reference: https://report.any.run/e46cbed7747902cbf1bc0f26dbc847549d4c626facea329f3e165117ff28ed7e/548daf6b-7cea-42b8-be21-4c3c08439cae
# Reference: https://urlquery.net/report/6bc41921-5f7d-48fa-8ec5-0fb500f3fa5f

/123456.functions
anaperez.ddns.net
pruebas.bounceme.net
analaloca.chickenkiller.com
dolev.ddns.net
uranio2.no-ip.biz
morter.zapto.org

# Reference: https://www.zscaler.com/blogs/research/backdoor-xtrat-continues-evade-detection

suportassisten.no-ip.info
laithmhrez.no-ip.info
papapa-1212.zapto.org
sarkawt122.no-ip.biz
outlook11551.no-ip.biz
cascarita1.no-ip.biz
cascarita2.no-ip.biz
cascarita3.no-ip.biz
windows.misconfused.org
uranio2.no-ip.biz
fungii.no-ip.org
mohammad2010.no-ip.biz
updating.serveexchange.com
spycronicjn.no-ip.org
allmyworkers.no-ip.biz
livejasminci.no-ip.biz

# Reference: http://www.malwaresigs.com/2013/01/17/xtreme-rat/

mrhacking.no-ip.info
almofatch.no-in.info
netera.no-ip.org
aln3imi00100.zapto.org
hackk-hackk.no-ip.biz
cinamarcina.no-ip.biz
reveng1.no-ip.biz
aymn161.no-ip.org
amin1111.no-ip.org
cagatay3162.zapto.org
ers.zapto.org
amgad.no-ip.biz
mrxm511.no-ip.org
hac.zapto.org
mahmodemos.no-ip.org
starnight2012.tzo.net
jv123.no-ip.org
kirkukboy.no-ip.biz
sosososo.no-ip.biz
hack4ps.no-ip.info
sa123re.no-ip.org
khalil02.no-ip.biz
wail.no-ip.biz

# Reference: https://twitter.com/Racco42/status/1132935875430670337

justgo.linkpc.net

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2019-0314.pdf

test.zzjzpt.com

# Reference: https://twitter.com/killamjr/status/1145804313886941191

185.227.82.38:7797

# Reference: https://twitter.com/killamjr/status/1147002097969164288
# Reference: https://app.any.run/tasks/c4a6d4c2-09ee-442d-bb54-00402d770c94/

91.193.75.252:119

# Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0712-0719.html (# Win.Trojan.XtremeRAT-7059357-1)

dnsduck4.duckdns.org
dnsduck6.duckdns.org
jb2168948.ddns.net
lospapa1.duckdns.org
lospatios1.duckdns.org
lospatios3.duckdns.org
nincasu.myvnc.com

# Reference: https://twitter.com/wwp96/status/1163454025477632000
# Reference: https://app.any.run/tasks/800f2255-a6af-445e-8db5-c162d95ea6cc/

79.134.225.102:7452
austine4.duckdns.org

# Reference: https://www.fortinet.com/blog/threat-research/fake-indian-income-tax-calculator-xrat-variant.html

xorc-49723.portmap.host

# Reference: https://twitter.com/struppigel/status/1173883825333706752
# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/
# Reference: https://documents.trendmicro.com/assets/Appendix_Spam_Campaign_Targets_Colombian_Entities_with_Custom_made_Proyecto_RAT_Uses_Email_Service_YOPmail_for_C&C.pdf
# Reference: https://www.virustotal.com/gui/file/f8bf2120bdec3da240bf4a56760ee42d045e42ec4ae1d261774ff13fc2cb7cc0/detection

ceosas.linkpc.net
confe.linkpc.net
medicosta.linkpc.net
medicosco.publicvm.com
perfect1.publicvm.com
