# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: bizzana, remote manipulator system, rms, rmska, remote utilities

# Note: https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/
# Note: RMS / Remote Utilities is a commercially sold remote-administration tool that is also deployed by threat actors (e.g. TA505 in the references below). A hit on these trails therefore shows the tool's traffic, not by itself a compromise: confirm whether the host/user is authorised to run it before escalating.

# Reference: https://twitter.com/James_inthe_box/status/1118968911590907904
# Reference: https://twitter.com/James_inthe_box/status/1121513004627927040

159.69.48.50:5655

# Reference: https://twitter.com/dave_daves/status/1130471755783573504
# Reference: https://app.any.run/tasks/f363c1d5-45ed-4b08-ab3c-54f1f5ac1636/

kentona.su
66.111.2.131:9030

# Reference: https://twitter.com/Bank_Security/status/1148471450422140929
# Reference: https://pastebin.com/0XNMhLP2
# Reference: https://blog.yoroi.company/research/ta505-is-expanding-its-operations/

217.12.201.159:5655

# Reference: https://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments

89.144.25.32:5655

# Reference: https://twitter.com/raby_mr/status/1184430613165572097
# Reference: https://app.any.run/tasks/90aaff29-18fe-4ad1-b385-a4e0d7f19564/
# Reference: https://twitter.com/nao_sec/status/1240581594999472128
# Reference: https://app.any.run/tasks/1cc1c195-5f71-4279-a8eb-336a10d2c354/
# Reference: https://twitter.com/smica83/status/1052107791673020416
# Reference: https://www.virustotal.com/gui/file/81d42d5332d586602b4014710ebbe7068aae024ee1922f3e9e8be4d36fe07397/detection
# Reference: https://www.virustotal.com/gui/file/a4523f84e035908af8cd1e1b5fb73847c08e532416bc961abc3c77ffa664b82b/detection
# Reference: https://app.any.run/tasks/7759fbd4-7b04-4a80-aa80-f56696ccb665/

109.234.156.180:563
109.234.156.180:5655
109.234.156.180:5656
109.234.156.181:563
109.234.156.181:5655
109.234.156.181:5656
rms-server.tektonit.ru
rmansys.ru
wininit.xyz
svchost.xyz

# Reference: https://twitter.com/JAMESWT_MHT/status/1185131622263377923
# Reference: https://app.any.run/tasks/b79dcfcd-5b9b-404f-aaf6-a9ea55109284/

79.134.225.73:3175
britianica.uk.com

# Reference: https://www.virustotal.com/gui/file/81315a77d8494695ba4453cd8f15278f214ad26373c69ef925b4711c4dda0bf6/detection

94.73.36.254:3175
biofaction.no-ip.biz

# Reference: https://www.virustotal.com/gui/file/0b96700873fba0b74c534ffcaee852b976f92de18b7ccd723dd464b56110ea06/detection

94.73.32.235:3175
enterbotvn.no-ip.info

# Reference: https://www.virustotal.com/gui/file/87a8d33209840bd40e858624cbd2952416118962b2c923b277a7796a3e4e9b02/detection

dr9.no-ip.info

# Reference: https://app.any.run/tasks/c6797f0b-722f-4f85-be9c-6957415b1c1d/
# Reference: https://www.virustotal.com/gui/file/cfcd9808e91122903281706de3d96d8249e282555d87a02c177cb705ac06fd2d/behavior/VirusTotal%20Jujubox
# Note: the remoteutilities.com hosts below appear to be the vendor's own Internet-ID / relay endpoints, so legitimate Remote Utilities installations will contact them as well. Expect false positives on networks where the tool is sanctioned and triage by process and user context rather than by destination alone.

id.remoteutilities.com
server.remoteutilities.com
108.163.130.184:5655

# Reference: https://www.virustotal.com/gui/file/dda1fc31d4d4d37d544a3ff537863a909706b861dcaebb33c084d29f4ead488e/detection

185.121.166.28:9030
poulty55.chickenkiller.com

# Reference: https://www.virustotal.com/gui/file/78f90e9e2fa31727e50bf9c8358556f768cf8a8f847888ff8af8b920d4ddf33c/detection

194.5.98.50:9030

# Reference: https://www.virustotal.com/gui/file/e7183b9653a49d85ba53b786d844c609ee3328c973d463041f07a889a143aad0/detection

194.5.98.83:9030

# Reference: https://www.virustotal.com/gui/file/5adef384ca8b56ae3524fdde2c69c0ab25801f1fde94375696a646cef4fba2c5/detection

194.5.98.139:9030

# Reference: https://www.virustotal.com/gui/file/160a4f5e4fee2d948a2da1708418c398505fdcb2bf3804a323db2452599a4fcf/detection

184.75.209.165:9030

# Reference: https://www.virustotal.com/gui/file/4ea812dfa9ec344fecf52d0a47c6db58ef22f5fa1fa720cae96ace032438843d/detection

95.167.151.233:9030
sickly.jumpingcrab.com

# Reference: https://twitter.com/blackorbird/status/1222878160187838465 (# Wuhan)
# Reference: https://www.virustotal.com/gui/file/e6f0274fe4f0ebc7323ce86d6aceb991ae0242c8d514a1e241cbdfe88921e50d/relations

202.58.105.80:5073
9.wqkwc.cn

# Reference: https://app.any.run/tasks/54196a1e-3729-4d07-8518-c1f73a6b17ff/

wsus.eu
id.remoteutilities.com
108.163.130.184:5655
66.240.205.51:5655
23.235.252.66:5655

# Reference: https://www.virustotal.com/gui/file/9e5d3643ea41983e426f184949f4b77bc52d2951dcc57ab04466429192bc3396/detection

karensonjon.com

# Reference: https://twitter.com/fr3dhk/status/1319366605218959361
# Reference: https://app.any.run/tasks/2acce298-8180-47fd-befc-9f380468dbe4/

wsusms.com

# Reference: https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf
# Reference: https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer-new-data/99206/
# Reference: https://otx.alienvault.com/pulse/5fa440244397a8c64412347d

dncars.ru
timkasprot.temp.swtest.ru
z-wavehome.ru

# Reference: https://www.virustotal.com/gui/file/6fa7f1a905e7b9fe6c6ebb0511b679527b3a136cf178a3627cc341418ec1ddbb/detection

23031.selcdn.ru

# Reference: https://github.com/DoctorWebLtd/malware-iocs/blob/master/BackDoor.RMS/README.adoc
# Reference: https://otx.alienvault.com/pulse/5fd3e533f31a2aa08d9ac388
# Reference: https://www.virustotal.com/gui/file/75c23c42074c0cc6683e291579543941bb5207b69365c510386ba3fab3f37bcb/detection
# Reference: https://www.virustotal.com/gui/file/d17d90fd24419ddb868f945754b80e7da8eb570179e2dc867beeb769b7136745/detection
# Reference: https://www.virustotal.com/gui/file/cb8b32697730d7142ef4de56c0b4cc718abce0c2ac87218744188ad3ce1587b2/detection
# Reference: https://www.virustotal.com/gui/file/800d4b5dfbdf742feb47cf580501d3f2d558c380c7619420160c4e33bd912732/detection
# Reference: https://www.virustotal.com/gui/file/89bfdabd25b0334a7444bcb67e1d1b42907e5d8107179c7f5f0bbca8eb4219e0/detection

111.90.140.23:5651
111.90.140.23:8080
176.107.179.100:8081
176.9.112.14:5651
176.9.112.14:8080
194.9.176.31:8081
194.9.176.33:8081
194.9.176.37:5651
194.9.176.38:5651
194.9.176.38:8081
194.9.176.38:81
194.9.176.39:8080
194.9.176.39:81
95.216.64.185:8080
95.216.64.186:8080
95.216.64.187:8080
95.216.64.187:8081
95.216.64.191:8080
95.216.64.198:8080
360mediashare.com
ateliemilano.ru
gedebeywater.com
kiat.by
mystorage-settings.ru
nordtexnika.az
office360.work
office360share.com
road258.website
road349.website
savalan.az
wsus.ga
wsusms.com

# Generic trails (the path name suggests the RMS / Remote Utilities Internet-ID notification endpoint; it is a product-level indicator that can also fire on sanctioned installations, not a sign of a specific campaign)

/utils/inet_id_notify.php
