# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: TA866

# Reference: https://twitter.com/WhichbufferArda/status/1608089945985486852
# Reference: https://www.virustotal.com/gui/file/f8cf2f07b20419758fbeaa23abae285c917df9c4e94a5259679993f8e9f37cab/detection
# Reference: https://www.virustotal.com/gui/file/aebb1578371dbf62e37c8202d0a3b1e0ecbce8dd8ca3065ab26946e8449d60ae/detection

http://141.98.82.254
/blob/8gu4bf.la5z
/blob/is4mlw.suqp

# Reference: https://tria.ge/221227-ktbbsshg51/behavioral1

http://116.202.18.132
/blob/q3k6tk.xi8o

# Reference: https://twitter.com/AnFam17/status/1607477672057208835
# Reference: https://twitter.com/AnFam17/status/1607479956870950913
# Reference: https://www.joesandbox.com/analysis/733720/0/html
# Reference: https://www.virustotal.com/gui/file/00f6b0a064a86b2566643178456211043732edbde4f6a5e9f829791c10e47141/detection
# Reference: https://www.virustotal.com/gui/file/4f9ad8a74aca60bf0cf3750c876313acc1e70d74e07a52dfeb3cb3c21f545b7a/detection

http://185.145.245.124

# Reference: https://www.virustotal.com/gui/file/4f9ad8a74aca60bf0cf3750c876313acc1e70d74e07a52dfeb3cb3c21f545b7a/detection

http://85.208.136.26
/blob/5iqmtn.iq54

# Reference: https://twitter.com/malware_traffic/status/1608673979132436481
# Reference: https://app.any.run/tasks/ceef5e3f-1f42-473b-8c7d-4692dcd117f1/

http://162.33.178.106
noetpode.com
/blob/5mloob.qqvr

# Reference: https://twitter.com/malware_traffic/status/1610385687781449730
# Reference: https://www.malware-traffic-analysis.net/2023/01/03/index.html

noteepad.hasankahrimanoglu.com.tr
/gjntrrm/zznb2o.hgfq

# Reference: https://twitter.com/1ZRR4H/status/1610590795278712832
# Reference: https://twitter.com/1ZRR4H/status/1610590799112159232

http://45.82.176.11
45.82.176.11:443
anydesk-for-desktop.com
aromaindianrestaurantlounge.com
install-anydesk.com
istaller-zoom.com
zoom-for-desktop.com
/blob/hf00ob.u4zc

# Reference: https://twitter.com/ViriBack/status/1610999181459738624

http://165.232.186.202
http://212.23.222.49
http://65.109.161.133
http://79.137.206.68
http://95.214.53.95

# Reference: https://twitter.com/Merlax_/status/1610830108373270530
# Reference: https://pastebin.com/yPBahSAk

http://104.168.32.136
http://107.148.130.121
http://146.70.157.76
http://152.89.196.174
http://167.172.69.255
http://167.235.202.111
http://172.86.123.86
http://179.43.142.109
http://179.43.142.142
http://179.43.142.29
http://179.43.142.37
http://179.43.154.157
http://179.43.154.168
http://179.43.154.212
http://179.43.155.136
http://179.43.155.144
http://179.43.156.145
http://179.43.156.151
http://179.43.162.115
http://179.43.162.79
http://179.43.163.118
http://179.43.175.136
http://179.43.175.230
http://179.43.175.34
http://179.43.176.13
http://179.43.176.39
http://179.43.176.54
http://179.43.176.68
http://179.43.176.78
http://179.43.187.233
http://179.43.187.95
http://185.209.160.18
http://185.209.160.99
http://185.223.93.141
http://193.233.234.13
http://193.38.55.7
http://193.42.33.180
http://193.42.33.42
http://193.42.33.73
http://193.47.61.174
http://194.4.49.152
http://217.12.201.112
http://31.41.244.157
http://31.41.244.38
http://34.150.88.233
http://45.138.74.237
http://45.144.30.114
http://45.182.189.195
http://45.66.151.81
http://45.81.39.102
http://47.57.236.111
http://5.182.39.203
http://5.230.73.134
http://5.75.171.154
http://62.204.41.57
http://62.233.50.246
http://62.233.51.95
http://78.46.190.160
http://79.137.194.240
http://79.137.202.78
http://85.209.135.172
http://88.210.12.126
http://89.22.230.175
http://91.202.5.208
http://95.179.136.89
104.168.32.136:443
107.148.130.121:443
146.70.157.76:443
152.89.196.174:443
167.172.69.255:443
167.235.202.111:443
172.86.123.86:443
179.43.142.109:443
179.43.142.142:443
179.43.142.29:443
179.43.142.37:443
179.43.154.157:443
179.43.154.168:443
179.43.154.212:443
179.43.155.136:443
179.43.155.144:443
179.43.156.145:443
179.43.156.151:443
179.43.162.115:443
179.43.162.79:443
179.43.163.118:443
179.43.175.136:443
179.43.175.230:443
179.43.175.34:443
179.43.176.13:443
179.43.176.39:443
179.43.176.54:443
179.43.176.68:443
179.43.176.78:443
179.43.187.233:443
179.43.187.95:443
185.209.160.18:443
185.209.160.99:443
185.223.93.141:443
193.233.234.13:443
193.38.55.7:443
193.42.33.180:443
193.42.33.42:443
193.42.33.73:443
193.47.61.174:443
194.4.49.152:443
217.12.201.112:443
31.41.244.157:443
31.41.244.38:443
34.150.88.233:443
45.138.74.237:443
45.144.30.114:443
45.182.189.195:443
45.66.151.81:443
45.81.39.102:443
47.57.236.111:443
5.182.39.203:443
5.230.73.134:443
5.75.171.154:443
62.204.41.57:443
62.233.50.246:443
62.233.51.95:443
78.46.190.160:443
79.137.194.240:443
79.137.202.78:443
85.209.135.172:443
88.210.12.126:443
89.22.230.175:443
91.202.5.208:443
95.179.136.89:443

# Reference: https://twitter.com/ViriBack/status/1611091230779138072

http://116.202.18.132
http://141.98.82.254
http://179.43.154.212
http://179.43.163.118
http://194.4.49.152
elon-first.com
myada2x.com
myevent22.net
v1477680.hosted-by-vdsina.ru

# Reference: https://twitter.com/0xrb/status/1611241904917876737

http://192.30.243.151
http://216.250.255.148
http://216.250.255.149
http://5.44.251.17
http://5.44.251.20
http://82.115.223.169
http://85.192.49.170
116.202.18.132:443
141.98.82.254:443
162.33.178.106:443
165.232.186.202:443
192.30.243.151:443
193.56.146.6:443
212.23.222.49:443
216.250.255.148:443
216.250.255.149:443
5.44.251.17:443
5.44.251.20:443
65.109.161.133:443
79.137.206.68:443
82.115.223.169:443
85.192.49.170:443
95.214.53.95:443

# Reference: https://twitter.com/suyog41/status/1611326908041682952
# Reference: https://www.virustotal.com/gui/file/ae82c37e4a6ec833aa743244b942033dcdd10f163cc45af519fa693ce035a002/detection

/blob/oay66h.aw7p

# Reference: https://twitter.com/Merlax_/status/1611412523663912961

kukazanatena.co.ke
theabevalle.com

# Reference: https://twitter.com/idclickthat/status/1612268584020971520
# Reference: https://twitter.com/1ZRR4H/status/1612472092326346752

install-zoom.com
virtualbse.com

# Reference: https://twitter.com/1ZRR4H/status/1613275088098304002

bluestacks-install.com
zoom-meetings-download.com
zoom-meetings-install.com
zoomus-install.com

# Reference: https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/

anydleslk-download.com
install-anydeslk.com
zoom-video-install.com
zoomvideo-install.com

# Reference: https://threatfox.abuse.ch/ioc/1068137/

textedit-notepad.com

# Reference: https://threatfox.abuse.ch/ioc/1068138/

http://164.90.172.224

# Reference: https://www.virustotal.com/gui/file/a2e9a2389faf04b67fbbd6fc71134860a145db7643d88ba312390493d5619302/detection

/blob/jb59sc.rk2g

# Reference: https://www.virustotal.com/gui/file/da16f2574eeab4267e24f416d625ed8ced553ed25bc51f22860ef565fa1c3f92/detection

http://31.41.244.16
/chachacha/ec3wm4.8xb6

# Reference: https://twitter.com/1ZRR4H/status/1614728368334716932
# Reference: https://twitter.com/1ZRR4H/status/1614728371644125187
# Reference: https://twitter.com/1ZRR4H/status/1614821592550326275

http://77.91.122.230
fargonding.store
hughtexeideas.store
mororead.store
rontr.store
montofagasta.store
rontreal.store
slavyanmar.store
toysbrasnovo.store
obs-project.festcommerzblog.com

# Reference: https://twitter.com/IronNetTR/status/1615757537273315365
# Reference: https://github.com/IronNetCybersecurity/IronNetTR/blob/main/ironradar/rhadamanthys/ironradar_1d_rhadamanthys_2022_1_18.csv

152.89.198.59:443
157.254.194.23:443
172.105.5.70:443
179.43.142.40:443
179.43.156.132:443
179.43.175.114:443
179.43.187.233:3306
185.209.160.43:443
185.225.74.144:443
185.225.74.200:443
185.81.68.104:443
memtromeds.com
moosdies.top

# Reference: https://twitter.com/DonPasci/status/1616428435550740482

sourcegimp.com
sourcsegimp.com
soursegimp.com

# Reference: https://www.virustotal.com/gui/file/c27d7174b52a423cdd51187de5c53bd0f3dfebbc76f92575864f3ba4abf2f012/detection

http://79.137.197.29
/rfbqtotg/Dpcejhz.bmp

# Reference: https://twitter.com/crep1x/status/1623394701456859137
# Reference: https://tria.ge/230208-kpd7wshc6t/behavioral2
# Reference: https://www.virustotal.com/gui/file/b2a3e00ad2ee588b552137c94d5f3a4611c2f40d0be23ef6b6b12227baa24ae4/detection
# Reference: https://www.virustotal.com/gui/file/9b6f87d991b04b9eb7c1b5e4bff6b2fff7c8b53156396c1e60ee9523ddd9ece9/detection
# Reference: https://www.virustotal.com/gui/file/04aca53d460d19c73283bcd131e56ccbd4384d5303400dc318d3371b2edba522/detection

http://109.206.243.168
http://144.76.33.241
http://179.43.154.216
http://179.43.154.219
http://78.47.79.11
http://91.215.85.157
193.149.180.103:3301
193.149.180.103:666
/dewight1/colibri.api
/update/nti4ta.3dhh
/nti4ta.3dhh

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/Rhadamanthys_Stealer_Panels_10_02_2023.txt

http://179.43.142.71
http://179.43.154.164
http://179.43.176.21
http://94.142.138.26
179.43.142.71:443
179.43.154.164:443
179.43.176.21:443
94.142.138.26:443

# Reference: https://twitter.com/nao_sec/status/1625691518509121537

http://79.137.204.54
/custints/g73lab.id9x

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/Rhadamanthys_Panel_scan_16-02-2023_01-03-32.txt

45.137.66.211:443

# Reference: https://twitter.com/BroadAnalysis/status/1630680889771323392
# Reference: https://www.virustotal.com/gui/file/001e6a0bc8566e594f377a33e4d108bba5821e407d38ddd745fe2477ae23a7ff/detection

http://191.101.14.159
/abctop/rfvnq4.co0l

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Aurora_Stealer/txt/Aurora_Panel_scan_02-03-2023_19-30-23.txt

179.43.142.172:443
195.3.223.120:443
195.3.223.218:443

# Reference: https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me
# Reference: https://otx.alienvault.com/pulse/63e3c458fe346cfc050d6880
# Reference: https://www.virustotal.com/gui/file/09c26bfe15d9ac65a9a4a73ccaf20c352d496feecb6a7fd3d5ce3b27d16faeea/detection

http://79.137.198.60
annemarieotey.com
anyfisolusi.com
black-socks.org
bluecentury.org
duinvest.info
duncan-technologies.net
enigma-soft.com
expresswebstores.com
fgpprlaw.com
footballmeta.com
gfcitservice.net
listfoo.org
mikefaw.com
otameyshan.com
peak-pjv.com
repossessionheadquarters.org
samsontech.mobi
shiptrax24.com
southfirstarea.com
styleselect.com
thebtcrevolution.com
virtualmediaoffice.com

# Reference: https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques
# Reference: https://otx.alienvault.com/pulse/63f63a41659035a81b740554

/blob/vpuu9i.7b4x

# Reference: https://twitter.com/AuCyble/status/1632625549964361730
# Reference: https://www.virustotal.com/gui/ip-address/185.137.235.119/relations

chatgptsinstall.com
exchangecash.online
getchatgptapi.com
getchatgptapp.com
gpt-chat-app.org
gptchatdownload.com
gptchatdownloadpc.com
gptchatdownlod.com
hyperplayofficial.com
inkscapeapps.com
installchatgpt.me
installchatgpt.online
installchatgpt.org
installwebex.com
installwebex.online
lastpass-app.com
lastpassinstall.com
lastpassofficial.com
lastpassofficial.me
lhyperplay.com
metamask-apps.com
officialhyperplay.com
officialschatgpt.com
officialstargate.com
setupchatgpt.com
sketchup-tool.com
snapclhats.com
snapclnats.com
web-ex-app.com
webex-meetings.com
webex.icu
webexsign.com
webexsign.org

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/txt/Rhadamanthys_Panel_scan_10-03-2023_23-22-36.txt

193.149.185.118:443
45.77.66.151:443

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/txt/Rhadamanthys_Panel_scan_16-03-2023_19-43-54.txt

87.251.67.40:443
91.215.85.157:443

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/txt/Rhadamanthys_Panel_scan_23-03-2023_19-17-12.txt

185.225.73.180:443

# Reference: https://www.virustotal.com/gui/file/90bfffe7bfde826f6204ef3546d139b6293d37ef59dbf2cc9d685eb6bb6c8d23/detection
# Reference: https://www.virustotal.com/gui/file/4130ce135fbfab00618f261a0397e88479d2f61e1ed0d09ebcde525439774f3e/detection

/ggkanor/0mv8dc.bqmu
/0mv8dc.bqmu

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/csv/Rhadamanthys_2023-04-13_16-24-28.csv

http://108.61.189.120

# Reference: https://twitter.com/crep1x/status/1649067627996672000
# Reference: https://www.virustotal.com/gui/file/58105a9ffb1d4675481d1c945d20630807f9dc2dc3d107a66f2d928125508226/detection

http://104.156.149.126

# Reference: https://twitter.com/g0njxa/status/1645559497987850241

/fredom/YTmeta.api

# Reference: https://github.com/Gi7w0rm/MalwareConfigLists/blob/main/Rhadamanthys/txt/Rhadamanthys_Panel_scan_27-04-2023_16-34-09.txt

http://179.43.142.172
http://185.225.73.180
http://45.77.66.151
179.43.142.172:443
185.225.73.180:443
45.77.66.151:443

# Reference: https://twitter.com/powershellcode/status/1678470714024939520

http://185.228.234.189
185.228.234.189:443

# Reference: https://twitter.com/g0njxa/status/1682332969451569153

rhadwikiwwzr6sfzygsr3qh7lwu5ghnaoupxwpsj2xuxjcgcebikh7id.onion
stealerskymtni3tiagmx3pqktjgkm2iigwj6e2touws773emrfjvoyd.onion
