# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: cleversoar

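# Reference: https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape
# Reference: https://www.virustotal.com/gui/ip-address/103.127.83.61/relations
# Note: most hostnames in the group below are variations on "fapiao" (invoice) and "51",
# several with look-alike characters (5l for 51, faplao, fapia0). The list is exact-match only,
# so near-variants that are not listed are not covered by it.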

51fapiaoyun.com
51faplao.com.cn
51yunfapiao.com.cn
51yunpiao.com
51yunpiao.com.cn
5lfapiao.cn
5lfapiao.com
appfapiao.cn
fapia0.com
fhyhdf.oss-cn-hangzhou.aliyuncs.com
zc1800.oss-cn-shenzhen.aliyuncs.com

# Reference: https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat

http://101.33.117.200
http://119.28.32.143
http://119.28.41.143
http://124.156.134.223
http://43.129.233.146
http://43.129.233.99
http://43.132.212.111
http://43.132.235.4
2024aasaf.oss-cn-hongkong.aliyuncs.com
2024fapiao.oss-cn-hongkong.aliyuncs.com
fpwenj.zhangyaodong5.com
abhjhs.com
bcgjhs.com
cxhshj.com
efyshs.com
gjhsgs.com
gjhsys.com
mbgjhs.com
scpgjhs.com
ysgjhs.com
wenjian2024.com

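# Reference: https://threatfox.abuse.ch/browse/malware/win.valley_rat/ (# 2025-01-02)
# Note: the entries below are a snapshot of that feed as of the date above. IP addresses get
# reassigned, so check an older match against current reporting before treating it as
# confirmed win.valley_rat infrastructure.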

http://34.1.142.70
103.199.100.97:8080
110.42.33.174:6666
116.198.232.205:8888
118.107.44.112:18091
118.107.44.219:19091
121.37.140.40:6666
124.156.117.13:7777
134.122.134.93:9090
134.122.155.90:9091
154.198.49.151:6666
154.201.87.51:11111
154.39.239.95:1445
154.82.113.139:63701
154.82.85.79:18091
154.83.31.183:6666
154.84.19.161:6666
154.84.22.13:6666
154.85.10.206:6666
156.224.26.111:6666
156.224.26.128:6666
156.224.26.96:6666
178.128.222.24:6666
18.167.52.240:6666
192.238.134.113:4433
198.44.170.193:18091
202.79.172.47:7259
206.238.198.14:18852
206.238.198.14:9091
209.97.169.148:6666
23.226.57.67:4433
23.235.165.54:6666
27.124.34.140:6666
43.128.141.78:443
43.154.172.193:49731
43.250.172.42:17091
8.212.101.195:1122
8.218.163.62:6666
8.218.163.85:9091

# Reference: https://x.com/virusbtn/status/1880202036400304622
# Reference: https://intezer.com/blog/malware-analysis/weaponized-software-targets-chinese/
# Reference: https://www.virustotal.com/gui/file/08dad42da5aba6ef48fca27c783f78f06ab9ea7a933420e4b6b21e12e550dd7d/detection

156.247.33.53:8081
156.247.33.53:9000

# Reference: https://x.com/dimitribest/status/1886800176771105027
# Reference: https://www.virustotal.com/gui/file/c704bbe9cf209c6c3c3b93bbca2671805aeba4c6ff384ff1bf3ef31fe4ef39e0/detection

http://107.151.238.126
http://154.201.68.101
http://154.201.68.118
http://154.201.68.119
http://154.201.68.4
http://154.201.68.46
http://154.201.68.57
http://154.201.68.62
http://154.201.68.63
http://154.201.68.76
http://154.201.68.78
http://43.251.102.141
http://43.251.102.196
154.201.68.57:6666
154.201.68.57:8888
8.138.101.153:1234
nginxui.cc
web.nginxui.cc

# Reference: https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/
# Reference: https://app.validin.com/detail?find=5a41105f47cc24c8674ede1a59850b74&type=hash&ref_id=574a0cb5159#tab=host_pairs (# 2025-02-22)
# Reference: https://www.virustotal.com/gui/file/29163c8afb477b27f700e1c5eac694a6cbb816a86c8eadbbbac6ba5c034a9c96/detection
# Reference: https://www.virustotal.com/gui/file/5e1d7275b0abd484c15f186690db73c42e861311da3f5f048563636336933b4a/detection
# Reference: https://www.virustotal.com/gui/file/30111cde691ce2ebb29050c41aa388e70c88f3f68797b5efcae0aed16849c26b/detection
# Reference: https://www.virustotal.com/gui/file/d1d6e4a656bb155f33040a2d61309e42bebe3121d599dd204a0318c29790b3e0/detection
# Reference: https://www.virustotal.com/gui/file/a24371d3f10ab1001c52eaa18d5a8e50f85b7a9a77df80e2332a31130381c756/detection
# Reference: https://www.virustotal.com/gui/file/0babf502ec31bd5a03c856fc051726d217eca8730d4639900794f724f00a746c/detection
# Reference: https://www.virustotal.com/gui/file/311f2d4ef2598e4a193609c3cd47bf4ff5fb88907026946ecffe6b960d43d5b2/detection

http://8.217.244.40
8.217.244.40:443
103.183.3.10:17093
103.183.3.10:17094
103.183.3.10:18852
202.146.222.208:18852
202.146.222.208:9091
202.146.222.208:9092
afugics.com
afugige.com
afugiml.com
afugitw.com
afugizs.com
anizom.com
bodomsa.com
comdatez.com
cuznjkc.com
dhujgduv.com
dxjjcqsg.com
gyautxdl.com
hlpphpcf.com
iyxytmsk.com
karlost.club
nzkcop.com
oivmjzt.com
phfchuop.com
piugicb.com
piugijc.com
piuginn.com
piugire.com
piugitw.com
qaiovcc.com
rgjsrpbf.com
sopovkc.com
sqjtygeh.com
tnvklnqe.com
xnpvwbby.com
yudzmv.com
ziiiofon.com

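# Reference: https://www.virustotal.com/gui/file/30111cde691ce2ebb29050c41aa388e70c88f3f68797b5efcae0aed16849c26b/detection
# Reference: https://www.virustotal.com/gui/file/5e1d7275b0abd484c15f186690db73c42e861311da3f5f048563636336933b4a/detection
# Note: the hostnames below are individual buckets under a shared cloud object-storage domain
# (myqcloud.com). Match on the full hostname only; the parent domain also serves unrelated tenants.
# All myqcloud.com buckets in this file share the suffix -1328031368, which in this naming scheme
# appears to identify the owning account (not confirmed from this file).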

www19daxcsdaf-1328031368.cos.ap-guangzhou.myqcloud.com
wwwchongqingget-1328031368.cos.ap-chongqing.myqcloud.com
wwwgetget-1328031368.cos.ap-guangzhou.myqcloud.com
wwwwgetmore-1328031368.cos.ap-chongqing.myqcloud.com

# Reference: https://www.virustotal.com/gui/file/6ed466a2a6eeb83d1ff32ba44180352cf0a9ccc72b47e5bd55c1750157c8dc4c/detection

wwwget11111-1328031368.cos.ap-chengdu.myqcloud.com
get22222222asfas-1328031368.cos.ap-chengdu.myqcloud.com

# Reference: https://threatfox.abuse.ch/browse/malware/win.valley_rat/ (# 2025-03-18)

http://211.159.148.197
1.15.156.66:7777
101.201.68.35:8080
103.101.178.170:448
103.215.212.130:6666
103.36.221.195:6661
103.40.253.231:2435
103.85.190.202:6688
103.97.176.68:8181
103.97.176.69:443
104.219.214.206:8008
107.148.47.186:433
110.92.64.105:27973
110.92.64.183:4433
111.173.106.115:25502
111.173.106.115:25512
111.173.106.115:25602
111.173.106.18:25507
111.180.203.230:25603
111.180.203.230:6666
111.231.5.58:3307
111.231.5.58:443
111.68.8.194:1218
112.213.116.91:18096
117.72.91.212:6666
121.62.16.160:25505
121.62.16.173:25505
121.62.23.192:25505
134.122.135.95:4433
134.122.155.39:15091
137.220.229.26:18091
137.220.229.61:9091
149.115.250.62:8088
15.197.64.127:443
150.138.72.39:3307
154.207.55.235:8765
154.23.176.39:4433
154.23.184.30:10443
154.23.186.124:6688
154.37.213.53:99
154.37.220.109:5858
154.38.118.126:6688
154.40.44.82:18211
154.44.8.39:443
154.82.85.107:15091
154.9.252.143:443
154.91.90.234:4433
156.224.26.29:8888
156.234.7.37:10443
156.234.7.37:4433
156.238.238.83:3883
156.251.17.243:17093
161.248.87.218:10443
171.35.163.120:88
192.140.163.10:6666
192.238.132.117:4433
192.238.134.52:4433
202.79.172.37:4433
202.95.22.2:4433
202.95.8.138:6666
202.95.8.53:6666
206.238.114.225:443
206.238.114.98:4433
206.238.220.50:4433
206.238.42.151:17091
211.159.148.197:443
23.235.165.5:443
27.124.21.211:4433
27.124.4.60:4433
27.124.42.200:6666
27.25.158.108:6666
38.181.20.23:9091
43.128.141.78:8888
43.226.125.44:9091
45.192.168.10:4433
45.192.168.4:4433
45.192.169.99:27972
45.192.208.132:7777
45.192.209.55:8849
45.204.194.212:4212
45.204.194.231:443
45.204.197.28:443
45.204.197.44:443
45.204.213.195:4677
45.207.211.42:6666
47.239.197.97:443
47.243.116.8:6666
47.76.197.205:4433
69.165.65.231:6661
8.217.85.20:9091
8.217.85.20:9092
91.208.240.194:4563
ddosme.twilight.zip
qq.ouyang7770.com

# Reference: https://x.com/anylink20240604/status/1904905991738810739
# Reference: https://www.rapid7.com/blog/post/2024/11/27/new-cleversoar-installer-targets-chinese-and-vietnamese-users/

8848.twilight.zip

# Reference: https://x.com/malwrhunterteam/status/1907109469139423416
# Reference: https://www.virustotal.com/gui/file/eefb11e7bb1c352d6ba64795e35ce958efa2c9c520621b9209c28e89adac5c0e/detection
# Reference: https://www.virustotal.com/gui/file/9e78f89ffa70b6426595e1007db89bc2bd9fd39600d659a347f4689c5a1e67ad/detection
# Reference: https://www.virustotal.com/gui/file/4f13d4a71a5c335c0f3cf15b31dcbdd42cf9298ceb63be0bf1846233150ecea7/detection

47.236.171.20:10000
47.236.171.20:20000

# Reference: https://x.com/malwrhunterteam/status/1912827057433612420
# Reference: https://www.virustotal.com/gui/file/46ab0ae94391dc299a352312f1aca5aac5965f0c4aee751d65dbe2f267cbe4b3/detection

fribblery.s3.ap-east-1.amazonaws.com

# Reference: https://x.com/1ZRR4H/status/1916077192095711571
# Reference: https://www.virustotal.com/gui/file/62f413c582ee9d7b169e31d3bb408472d22a847a5d073bddfc18f5f861ac817f/detection
# Reference: https://www.virustotal.com/gui/file/b71c1f32f0df9fe346faa312b3b9ef6a9abc415693f003691404340e478e7fc7/detection

103.68.181.217:1688
107.149.241.28:6000
svip8.org
vip7.org

# Reference: https://x.com/skocherhan/status/1925215619374317992
# Reference: https://www.virustotal.com/gui/file/9c0f551fa5e93c3f30c90d89f49d811296f84cdb17c45c005559125c275fb7b7/detection

43.248.173.193:10501
43.248.173.193:18852
pniu.fun
