@BushidoUK
Created June 14, 2023 21:19
Malicious Hostnames belonging to Malware Operators, Ransomware Groups, and Advanced Persistent Threats
WIN-QQ80VPAFRNH
84.252.95.225 - SolarMarker
37.120.237.251 - SolarMarker
217.138.205.170 - Ursnif
185.236.202.184 - Pegasus, NSO Group
DESKTOP-2NFCDE2
94.142.138.32 - Aurora Stealer
45.15.156.250 - Aurora Stealer
45.15.156.40 - Raccoon Stealer
91.109.178.9 - njRAT
DESKTOP-93VHU8M
108.177.235.131 - Cobalt Strike / Log4j
108.177.235.51 - Tor Exit Node
142.234.157.197 - Cobalt Strike
172.241.27.244 - Cobalt Strike
213.227.154.37 - Poste Italiane Spoofed Domains Registered through Reg[.]ru
142.234.157.172 - DoppelPaymer
23.106.122.13 - Follina Vulnerability (CVE-2022-30190) Attack Using "Antimicrobial Film Request" File (AhnLab)
23.106.160.185 - UNC1878 / Wizard Spider
23.106.160.61 - WizardSpider/EXOTIC LILY
23.106.160.86 - WizardSpider/EXOTIC LILY
23.82.19.130 - WizardSpider/EXOTIC LILY
23.82.140.136 - WizardSpider/EXOTIC LILY
108.177.235.212 - WizardSpider/EXOTIC LILY
213.227.154.175 - Sky-CNC (APT-C-48)
WIN-4K804V6ADVQ
45.11.19.47 - Iranian APTs
23.106.215.76 - Iranian APTs (APT34)
108.62.141.247 - Iranian APTs (DNSpionage)
212.114.52.20 - Indian APTs (Donot)
160.20.147.219 - Lazarus (naversecurityteam[.]com)
23.106.215.179 - Cobalt Strike
160.20.147.113 - Cobalt Strike
23.19.58.43 - BlackBasta
172.93.181.93 - BumbleBee
45.138.172.51 - WizardSpider/Ryuk
WIN-OQJUIMC71B6
185.125.204.135 - WizardSpider/Ryuk/Log4j https://gist.github.com/MichaelKoczwara/f07ba36db360119b2999e0c28b92a08c
45.147.231.168 - AveMaria https://github.com/stamparm/maltrail/blob/master/trails/static/malware/avemaria.txt
45.147.231.113 - IcedID/Log4j https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/
WIN-344VU98D3RU
45.67.231.170 - WizardSpider/Trickbot
45.67.231.50 - Tor Exit Node/Redline https://blog.talosintelligence.com/threat-roundup-0212-0219/
5.182.39.75 - Redline https://twitter.com/TrackerC2Bot/status/1618851723765743617?s=20
WIN-25FFVSIPLS1
69.46.15.173 - Cobalt Strike https://twitter.com/drb_ra/status/1540783091467157506?s=20
Where they were originally sighted:
WIN-799RI0TSTOF
https://thedfirreport.com/2021/12/13/diavol-ransomware/
https://www.intrinsec.com/egregor-prolock/
WIN-4K804V6ADVQ
DESKTOP-LHC2KTF
DESKTOP-93VHU8M
https://www.intrinsec.com/egregor-prolock/
WIN-OQJUIMC71B6
https://twitter.com/BushidoToken/status/1525204342944550918
https://twitter.com/teamcymru_S2/status/1525148703690047492
WIN-344VU98D3RU
WIN-25FFVSIPLS1
https://twitter.com/teamcymru_S2/status/1525148703690047492
Look for new ones (Shodan searches for WinRM hosts at the hosting providers seen above):
https://www.shodan.io/search?query=product%3A%22WinRM%22+org%3A%22HIVELOCITY%2C+Inc.%22
https://www.shodan.io/search?query=product%3A%22WinRM%22+org%3A%22Leaseweb+USA%2C+Inc.%22
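Added example, not code from the gist: the hostnames above are NetBIOS computer names, and a WinRM listener (HTTP on 5985/5986) hands that name out in the TargetInfo of its NTLM CHALLENGE_MESSAGE during NTLM/Negotiate authentication, which is why a Shodan product:"WinRM" search surfaces them. The Python below parses the gist's own hostname/IP list layout into a lookup table, decodes the NetBIOS computer name (AV_PAIR MsvAvNbComputerName) from an NTLM Type 2 message, and reports whether it is on the list. The challenge message is constructed in the script as a fixture; its server challenge, version bytes and domain name are made up, and the hostname excerpt is copied from the list above.

```python
"""Added example (not from the gist): match NetBIOS computer names leaked in
WinRM NTLM challenges against the gist's hostname/IP list."""
import base64
import os
import re
import struct

# Excerpt of the gist's list, in the gist's own plain-text layout.
GIST_EXCERPT = """\
WIN-QQ80VPAFRNH
84.252.95.225 - SolarMarker
37.120.237.251 - SolarMarker
DESKTOP-2NFCDE2
94.142.138.32 - Aurora Stealer
WIN-4K804V6ADVQ
45.11.19.47 - Iranian APTs
23.106.215.76 - Iranian APTs (APT34)
45.147.231.168 - AveMaria https://github.com/stamparm/maltrail/blob/master/trails/static/malware/avemaria.txt
"""

HOSTNAME_RE = re.compile(r"^[A-Z0-9-]{1,15}$")  # NetBIOS names are at most 15 chars


def parse_hostname_list(text):
    """Return {hostname: [(ip, attribution), ...]}.
    A bare hostname line opens a group; the 'IP - note' lines after it belong to it."""
    table, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HOSTNAME_RE.match(line):
            current = line
            table.setdefault(current, [])  # same name twice merges its entries
        elif " - " in line and current is not None:
            ip, note = (part.strip() for part in line.split(" - ", 1))
            table[current].append((ip, note))
    return table


# MS-NLMP constants
NTLMSSP = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000
AV_EOL, AV_NB_COMPUTER_NAME, AV_NB_DOMAIN_NAME, AV_DNS_COMPUTER_NAME = 0, 1, 2, 3


def build_challenge(computer_name, domain="WORKGROUP", dns_name=None):
    """Construct an NTLM CHALLENGE_MESSAGE like one a WinRM listener returns.
    Test fixture only: server challenge, version and domain are made up."""
    dns_name = dns_name or computer_name.lower()
    target_name = domain.encode("utf-16-le")
    av_pairs = b""
    for av_id, value in ((AV_NB_COMPUTER_NAME, computer_name),
                         (AV_NB_DOMAIN_NAME, domain),
                         (AV_DNS_COMPUTER_NAME, dns_name)):
        encoded = value.encode("utf-16-le")
        av_pairs += struct.pack("<HH", av_id, len(encoded)) + encoded
    av_pairs += struct.pack("<HH", AV_EOL, 0)
    header_len = 56  # fixed fields including the 8-byte Version
    name_off = header_len
    info_off = name_off + len(target_name)
    flags = NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION
    msg = NTLMSSP + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(target_name), len(target_name), name_off)
    msg += struct.pack("<I", flags)
    msg += os.urandom(8)  # ServerChallenge (random fixture value)
    msg += b"\x00" * 8    # Reserved
    msg += struct.pack("<HHI", len(av_pairs), len(av_pairs), info_off)
    msg += struct.pack("<BBH3sB", 10, 0, 19041, b"\x00" * 3, 0x0F)  # Version (made up)
    assert len(msg) == header_len
    return msg + target_name + av_pairs


def parse_challenge(msg):
    """Decode the name AV_PAIRs from an NTLM CHALLENGE_MESSAGE into {av_id: str}.
    Raises ValueError on malformed input instead of reading out of bounds."""
    if len(msg) < 48 or msg[:8] != NTLMSSP:
        raise ValueError("missing NTLMSSP signature")
    if struct.unpack_from("<I", msg, 8)[0] != CHALLENGE_MESSAGE:
        raise ValueError("not a CHALLENGE_MESSAGE")
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)  # TargetInfoFields
    end = info_off + info_len
    if end > len(msg):
        raise ValueError("TargetInfo runs past end of message")
    pairs, pos = {}, info_off
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == AV_EOL:
            break
        if pos + av_len > end:
            raise ValueError("AV_PAIR length runs past TargetInfo")
        if av_id in (AV_NB_COMPUTER_NAME, AV_NB_DOMAIN_NAME, AV_DNS_COMPUTER_NAME):
            pairs[av_id] = msg[pos:pos + av_len].decode("utf-16-le", "replace")
        pos += av_len
    return pairs


def challenge_to_header(msg):
    """Encode a challenge the way it travels in 'WWW-Authenticate: NTLM <base64>'."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def challenge_from_header(value):
    """Extract the NTLM blob from a 'WWW-Authenticate: NTLM <base64>' value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("not an NTLM challenge header")
    return base64.b64decode(blob)


def check_host(msg, table):
    """Return (computer_name, matches); matches is the list's (ip, attribution)
    entries for that name, or None when the name is not on the list."""
    name = parse_challenge(msg).get(AV_NB_COMPUTER_NAME, "").upper()
    return name, table.get(name)


if __name__ == "__main__":
    table = parse_hostname_list(GIST_EXCERPT)
    header = challenge_to_header(build_challenge("WIN-4K804V6ADVQ"))
    print(check_host(challenge_from_header(header), table))
```

To use this against a live listener, send an NTLM NEGOTIATE_MESSAGE in an `Authorization: NTLM <base64>` header to `http://host:5985/wsman` and feed the returned `WWW-Authenticate` value to `challenge_from_header`; only do so against infrastructure you are authorised to probe. The NetBIOS name is self-reported by the operator's box and easy to change, so a hit is a pivot lead to be confirmed against the IP and attribution columns, not proof on its own.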
@Casualtek

I would add a few for LockBit:
WIN-1A6MJAAUVVE
WIN-R5E36NFGAR1
WIN-D5MLIHPRHA4
WIN-C9O8CM1648G
Pascal
