# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside

briancobert.com

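# Reference: http://cybercrime-tracker.net/index.php?search=AZORult
# NOTE(review): several hosts in this block are listed both bare and as a subdomain of themselves
# (benchadcrd.nl, cryptopiasupport.co, elowpuki.com, rar-lab.ru with a www. prefix; grantflaskparty.com
# with gob.). If the consumer of this list also matches subdomains of a listed domain, the longer
# entries are redundant - confirm the matching rule before pruning.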

00v.xyz
0131.ga
4max.xyz
accqweqweazo.com
ad.icab.pk
aimnawnt.beget.tech
akingu.bit.md-98.webhostbox.net
alexblog24.p-host.in
among3919.com
andreimolchanov.siteme.org
art4.xyz
asdfz.ru
azorneutrino.com
banckofamerica.info
benchadcrd.nl
bitcoalko.com
bitscoinsme.com
blackexploitz.net
bmagikleak.website
bucscrup.ru
cc33782.tmweb.ru
ch.baskpower.com
coinbitbot.ru
cresbuy.ga
crypto-e.org
cryptopiabot.cc
cryptopiasupport.co
cryptotrust.today.md-35.webhostbox.net
defaultbrowser.xyz
donperenion.com
doueven.click
druvan.xyz
elowpuki.com
elysium-inc.pro
elysium-ltd.pro
ernazar.tk
eualube.com
fde4.tk
fdsv.ml
feamleys.com
flash-piayer-update.com.md-90.webhostbox.net
fsdf.ga
gmx7.com
gob.grantflaskparty.com
gohithatsandrof.win
grantflaskparty.com
hallojab.co.ua
hellojab.com
hhamay.website
holidey.pw
hondobakr.top
hotbest-apps.com
iddqdp.pw
imbaxqxq.org
inc0de.gq
kalakhomes.club
kamyn9ka.com
keyar12f.beget.tech
l2fog.ru
lelllnn.com
lers.xyz
levonside.space
loveyouneed.pw
mcgau2.bit.md-100.webhostbox.net
methodist.sch.id
mike.rivalserver.com
mix1456465.com.cp-47.webhostbox.net
mobwerpingthis.com
mopw.men
mybigfish.stream
myxamop.com
needmorelogs.club
nervozn.tk
nimerstat.ru
ninjatrader.life
npromo.world
ogabosworld.com
ortaksistem.com
panamera.site
pchel8.tk
poloniex.spb.ru
pornhospital.net
port.so.tl
preramet123.name
ps4akk.ru
qers.xyz
rar-lab.ru
rotkit.tk
sads.ml
scat01.tk
scat.cf
sepprod.com
sharfik.club
sinutinu.com
skyroot.ru
solimetalspa.com
sondomax.co
sskyokker256.bit.md-89.webhostbox.net
sslwmi.top
sumocloud.club
svchost.pw
sysplugins.com
taskdata.gq
trimasjaya.com
ubmwuyq.com
ultimaspots.co.uk
usa-bank.info.md-91.webhostbox.net
videocommercialsforyou.com
videopopups.com
vm239011.had.su
vsd1.net
wattmeter.win
www.alkratrad.com
www.antonskoritskii.com
www.asdasdq.com
www.azghost888.com
www.benchadcrd.nl
www.cryptopiasupport.co
www.elowpuki.com
www.ghost888abc.com
www.gopety.cc
www.grandmasson.pw
www.rar-lab.ru
x7x.xyz
zevs3.xyz
zevs5.xyz

# Reference: https://twitter.com/SevenLayerJedi/status/950761083509313536

macpay.pw

# Reference: https://twitter.com/James_inthe_box/status/1039250061065039873

microsoft-update-server.bit
securityupdateserver4.com

# Reference: https://twitter.com/ViriBack/status/983011333506588672
# Reference: https://pastebin.com/nwWHHFe0

fdos.tk
genri.ga
gfcv.tk
gfsd.ga
grlo.tk
qpzm.gq
suka1.tk
vfsv.tk

# Reference: https://cert.gov.ua/news/44
# Reference: https://www.virustotal.com/#/ip-address/192.198.87.130
# Reference: https://www.virustotal.com/#/ip-address/185.193.38.78

http://185.193.38.78/
cashouts.tk
vitani.tk

# Reference: https://twitter.com/JAMESWT_MHT/status/1046755632299352064

columbusfunnybone.com/images/drop.php

# Reference: https://twitter.com/ViriBack/status/1050032466164154368

bigchlen.tk

# Reference: https://www.malware-traffic-analysis.net/2018/10/12/index.html

bitdotz.top

# Reference: https://twitter.com/avman1995/status/1052426452187185153

qe.igg.biz/gate.php

# Reference: https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/

certipin.top
infolocalip.com
tohertgopening.com

# Reference: https://twitter.com/james_inthe_box/status/1022866075493355520

kenkelord.gq

# Reference: https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update

s63.bit

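# Reference: https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/
# NOTE(review): the entry below, like the other path-only entries in this file (e.g. /simbi/index.php,
# /robb/index.php, /azrt/index.php), carries no host. If the consumer matches it against the request
# path alone it will fire for any destination serving that path, so treat such hits as lower-confidence
# and correlate them with host or IP indicators before acting.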

/java/java9356/index.php

# Reference: https://twitter.com/James_inthe_box/status/1106558836171632642

/027-xcv-j/index.php

# Reference: https://twitter.com/James_inthe_box/status/1106551689132138497

llkty.gq/8s/index.php

# Reference: https://twitter.com/James_inthe_box/status/1105124840501989378
# Reference: https://twitter.com/James_inthe_box/status/1110196027338817538

/simbi/index.php

# Reference: https://twitter.com/VK_Intel/status/1108604579938131968

google-analutics.com

# Reference: https://twitter.com/Racco42/status/1103435627343822848

directdns.duckdns.org
httsdomainset.ddns.net

# Reference: https://twitter.com/Racco42/status/1101131815216168961

myprepaidfiles.ddns.net
directdns.cc

# Reference: https://twitter.com/Racco42/status/1095444880749481986

maxmini.duckdns.org
newconnect.duckdns.org

# Reference: https://securelist.ru/azorult-analysis-history/93645/ (Russian)
# Reference: https://securelist.com/azorult-analysis-history/89922/ (English)

daticho.ac.ug
ravor.ac.ug

# Reference: https://twitter.com/luc4m/status/1107680285834006528

gsutekardookay.com

# Reference: https://twitter.com/luc4m/status/1078691595111878657

sherkseafoods.com

# Reference: https://twitter.com/ps66uk/status/1108295117826387969

/cz/cjin3/index.php

# Reference: https://twitter.com/James_inthe_box/status/1109120289604931584

/azrt/index.php

# Reference: https://twitter.com/James_inthe_box/status/1109835474493829120
# Reference: https://pastebin.com/tvn8EMyS

ymad.ug/1/index.php

# Reference: https://twitter.com/ViriBack/status/1069965350442283009
# Reference: https://pastebin.com/PTkLE0se

/panel632541/admin.php
/io213b5obo/admin.php

# Reference: https://twitter.com/albertzsigovits/status/1110124808572948482

a.helps.site
azmarterroos.com
hellacademy.com
horseliker.ac.ug
justflux.org/webupl.php
parnakol.ug
stelfeshor.ru
zelner.info

# Reference: https://twitter.com/albertzsigovits/status/1110124941356212224

dragonfire.ac.ug
frupidgi.cn
hostname.vip
roninan.ac.ug
tembumgo.pw

# Reference: https://twitter.com/James_inthe_box/status/1110915814725550080

http://78.142.29.208/real/index.php

# Reference: https://twitter.com/Racco42/status/1111189949712420864

armasglass.com/oni/index.php

# Reference: https://twitter.com/James_inthe_box/status/1111666754604789760

recordsforsmssent.xyz/jeff/index.php

# Reference: https://twitter.com/x42x5a/status/1112693567103868928

http://92.63.192.72/index.php

# Reference: https://twitter.com/James_inthe_box/status/1113510502439616513

0x234.com/index.php

# Reference: https://twitter.com/thlnk3r/status/1113658517544550401

gamingserversplus.life/index.php

# Reference: https://twitter.com/ViriBack/status/1094261293693972480

ibrandworld.com/jsl.php

# Reference: https://twitter.com/takerk734/status/1113851637292920832

/Qw2XbN3/index.php

# Reference: https://twitter.com/angel11VR/status/1115343202167533568
# Reference: https://pastebin.com/0bX17LaY

cubaworts.gq

# Reference: https://twitter.com/x42x5a/status/1115651159388246016

cryptofaze.com

# Reference: https://twitter.com/VK_Intel/status/982346117298843649

balepinos.com

# Reference: https://twitter.com/LEICHAO_init/status/1118910795675521030

lestonline.gq

# Reference: https://twitter.com/pancak3lullz/status/1085591305269460992

/robb/index.php

# Reference: https://twitter.com/OttoScav/status/1080485559787835392

freetalksa.xyz

# Reference: https://twitter.com/James_inthe_box/status/1121047649459642369

mintyoctopus.com

# Reference: https://twitter.com/avman1995/status/1120893763977658369
# Reference: https://app.any.run/tasks/80464c35-e9f8-44ed-a346-50bf0642cec9

http://95.179.189.49/CC/index.php

# Reference: https://twitter.com/x42x5a/status/1121094286613852162

klyaksa.xyz

# Reference: https://twitter.com/x42x5a/status/1121523221432500225

asahi-tankar.com

# Reference: https://twitter.com/x42x5a/status/1121702655464751104

huanopkey.site

# Reference: https://twitter.com/Racco42/status/1122797588120592384
# Reference: https://app.any.run/tasks/ae52cc1b-f2d5-4d6d-a93c-8c15dff0132f

geu.life
millanplaners.duckdns.org

# Reference: https://twitter.com/Racco42/status/1123953925831446529

izone.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1124625622913806336

lusectech.eu

# Reference: https://twitter.com/x42x5a/status/1125467728406548481

istats.club

# Reference: https://twitter.com/JAMESWT_MHT/status/1126092095465381888

formigations.world

# Reference: https://twitter.com/James_inthe_box/status/1126182590153515009

prolificwealth.ml/wp-content/mee/32/index.php

# Reference: https://twitter.com/James_inthe_box/status/1126846840060571648

/nedu/32/index.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1128675913728700416

dawanepondi.com

# Reference: https://twitter.com/ViriBack/status/1128826571010260994

doomaal.ac.ug

# Reference: https://twitter.com/James_inthe_box/status/1129460760076115969

http://77.222.55.225/index.php

# Reference: https://twitter.com/x42x5a/status/1130816960315498496

mikmuncen.ac.id

# Reference: https://twitter.com/P3pperP0tts/status/1131607738457513989

evaglobal.eu

# Reference: https://twitter.com/nao_sec/status/1132588323262742528
# Reference: https://app.any.run/tasks/27aec731-68a6-4bdf-9feb-55c413acd9f0/

getsee-soft.xyz

# Reference: https://twitter.com/P3pperP0tts/status/1133520317341753347

arispedservices.eu

# Reference: https://twitter.com/SethKingHi/status/1133564418355163136

aramkaaz14.temp.swtest.ru
bigsuper.rocks
bloomsolutions.top
i2kq82kd.cn
lary-pages.com
narcos.3utilities.com
qepxc.ga
witatto.co

# Reference: https://twitter.com/jorgemieres/status/1130863029573312512

privacytool.ru

# Reference: https://twitter.com/James_inthe_box/status/1134149799601553408

begurtyut.info

# Reference: https://twitter.com/James_inthe_box/status/1134464016095383552

veegoo.com.sg

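# Reference: https://twitter.com/ViriBack/status/1134662952898965504
# Reference: https://pastebin.com/pkZ0TBnc
# NOTE(review): arispedservices.eu below is already listed earlier in this file
# (Reference: https://twitter.com/P3pperP0tts/status/1133520317341753347); the repeat is redundant.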

arispedservices.eu
binnatto.de
binatech.eu
kmgroup.pw
yogh.eu
lexaalkash.temp.swtest.ru

# Reference: https://twitter.com/JAMESWT_MHT/status/1135515112121540609
# Reference: https://app.any.run/tasks/a470917e-fb77-4f53-945a-109804624e8b/

http://185.79.156.18/jam/index.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1136204624342503425
# Reference: https://www.virustotal.com/gui/domain/tmweb.ru/relations

ca19545.tmweb.ru
ca27080.tmweb.ru
ca29782.tmweb.ru
cc00650.tmweb.ru
cc24068.tmweb.ru
cc88732.tmweb.ru
cc93567.tmweb.ru
cc97560.tmweb.ru
cd42295.tmweb.ru
cd57063.tmweb.ru
cd95703.tmweb.ru
ce14132.tmweb.ru
ce18074.tmweb.ru
ce26564.tmweb.ru
ce42745.tmweb.ru
cf25899.tmweb.ru
cf85889.tmweb.ru
cg23464.tmweb.ru
cg40289.tmweb.ru
cg99817.tmweb.ru
ch90258.tmweb.ru
ci04646.tmweb.ru
cj07982.tmweb.ru
cj23314.tmweb.ru
cj39647.tmweb.ru
cj55728.tmweb.ru
cj59734.tmweb.ru
cj79836.tmweb.ru
cj94933.tmweb.ru
cl90808.tmweb.ru
cl98133.tmweb.ru
cm14352.tmweb.ru
cm32079.tmweb.ru
cm39908.tmweb.ru
cm80604.tmweb.ru
cn29906.tmweb.ru
cn38429.tmweb.ru
cn61485.tmweb.ru
cn68345.tmweb.ru
co22360.tmweb.ru
co62058.tmweb.ru
cq05122.tmweb.ru
cq72964.tmweb.ru
cq73879.tmweb.ru
cq94470.tmweb.ru
cq97365.tmweb.ru
cr14365.tmweb.ru
cs02254.tmweb.ru
cs07652.tmweb.ru
cs14356.tmweb.ru
cs18047.tmweb.ru
cs31873.tmweb.ru
cs40872.tmweb.ru
ct30918.tmweb.ru
ct73529.tmweb.ru
ct74358.tmweb.ru
ct78836.tmweb.ru
cu01450.tmweb.ru
cu17877.tmweb.ru
cv03281.tmweb.ru
cv31598.tmweb.ru
cv51755.tmweb.ru
cv61405.tmweb.ru
cw00402.tmweb.ru
cw70094.tmweb.ru
cw73215.tmweb.ru
cy24975.tmweb.ru
cy46481.tmweb.ru
cy56085.tmweb.ru
cy91219.tmweb.ru
cy93501.tmweb.ru
cm41880.tmweb.ru
cn41269.tmweb.ru
ct56883.tmweb.ru
cu24804.tmweb.ru
cv06897.tmweb.ru
cw40829.tmweb.ru
cx35521.tmweb.ru
cx63854.tmweb.ru
cy63392.tmweb.ru
cc12978.tmweb.ru
ce11471.tmweb.ru

# Reference: https://twitter.com/Racco42/status/1136602289953746944

visionscape.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1139630548626751488

http://185.62.190.23/index.php

# Reference: https://twitter.com/DbgShell/status/1142257921889316870
# Reference: https://www.virustotal.com/gui/file/72288ab34ee508d0f65e7ebf884b21e94ee191e96de5931dd68288fcc8bfcf7f/detection

dotbit.me/a/

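# Reference: https://twitter.com/malware_traffic/status/1143662206099365890
# Reference: https://app.any.run/tasks/4365c9b9-7ea6-4d90-897c-8302410c9234/
# Reference: https://twitter.com/JAMESWT_MHT/status/1144239446759563265
# Reference: https://app.any.run/tasks/61f4998e-27bf-4429-80c6-e23c694e6c65/
# NOTE(review): the two URLs below differ only in the third octet of the IP address (241 vs 231).
# Confirm each against the referenced reports in case one is a transcription error.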

http://51.15.241.96/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php
http://51.15.231.96/4/3AFDF4A3-33B5-4028-B8B8-E66616F1CBA7/index.php

# Reference: https://twitter.com/James_inthe_box/status/1144227200209580032

lusecproducts.top

# Reference: https://twitter.com/Paladin3161/status/1144341515428196352
# Reference: https://pastebin.com/i6Gfxs0q

http://185.164.72.241/wogor/index.php

# Reference: https://twitter.com/P3pperP0tts/status/1144868292525461504

stanendybiz.top

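# Reference: https://app.any.run/tasks/dee05de9-4286-45b5-8b0d-7291e09f6c16/
# NOTE(review): vh64.timeweb.ru looks like a hosting-provider server name rather than a per-customer
# subdomain such as cq83317.tmweb.ru. Confirm it is not shared infrastructure before alerting or
# blocking on it, since a shared host would also match unrelated tenants.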

cq83317.tmweb.ru
vh64.timeweb.ru

# Reference: https://twitter.com/malware_traffic/status/1145749834923696129

lucknowww.top

# Reference: https://twitter.com/MisterCh0c/status/1145598683997724673

69.kl.com.ua

# Reference: https://twitter.com/P3pperP0tts/status/1146398222904152066

http://92.63.192.127/index.php

# Reference: https://twitter.com/benkow_/status/1147442492046020608

brain.ac.ug
jopa.ac.ug
nobrain.ac.ug
