# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://github.com/fideliscyber/indicators/blob/master/Blogs/New%20URSNIF%20Targeting%20Italy%20and%20US/url.csv

creatortherefore.cn
goinumder.su
goyanok.at
hothegivforsuffer.cn
hulivam.at
justiceseasfriends.cn
lopertopgo.su
mid100.at
nexpoo.at
noopex.at
outaplaceshave.cn
pergozip.at
therepalon.su
trepeatedandequal.cn

# Reference: https://www.forcepoint.com/blog/security-labs/many-faces-ursnif-email-hijacking-mailslots-and-insecure-servers

14ca1s5asc45.com
9qwe8q9w7asqw.com
asd5qwdqwe4qwe.com
d4q9d4qw9d4qw9d.com
dq9wq1wdq9wd1.com
dqowndqwnd.net
eq9we1qw1qw8.com
fqw4q8w4d1qw8.com
g98d4qwd4asd.com
gtqw5dgqw84.com
hhhasdnqwesdasd.com
hhjfffjsahsdbqwe.com
jjasdkeqnqweqwe.com
kkjkajsdjasdqwec.com
kkmmnnbbjasdhe.com
mmmnasdjhqweqwe.com
oiwerdnferqrwe.com
ooaisdjqiweqwe.com
oooiasndqjwenda.com
oooiawneqweasd.com
oqk4123613123.net
oyiyuarogonase.net
popopoqweneqw.com
ppoadajsqwenqw.com
ppoasdqnwesad.com
pqwoeasodiqwejes232.com
q5q1wdq41dqwd.com
qiwjesijdqweqs.com
qw6e54qwe54wq.com
qw8e78qw7e.com
qwd1q6w1dq6wd1.com
qwd1qw8d4q1wd.com
qwdohqwnduasndwjd212.com
qwe1q9we1qwe51.com
qwekasdqw8412.net
qweoiqwndqw.net
qwojdaisd1231.net
qwqw1e4qwe14we.com
qwqweqw4e1qwe.com
qwundqwjnd.net
r9qweq19w1dq.com
rqw1qwr8qwr.com
rrrradkqwdojnqwd.com
sdf5wer4wer.com
sdjqiweqwnesd.com
t8q79q8wdqw1d.com
tr8q4qwe41ewe.com
tttiweqwneasdqwe.com
uuasdjqwehnasd.com
uurty87e8rt7rt.com
uuyyhsdhasdbee.com
wdojqnwdwd.net
wdq9d5q18wd.com
yyjqnwejqnweqweq.com

# Reference: https://www.f-secure.com/v-descs/trojan_w32_ursnif.shtml

bergesoma.com
polinodara.com

# Reference: https://www.cert-pa.it/news?id=10536

werwaarogonase.net
fhjjndiasnew.net
axewansdownew.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1045682605662851073

d792jssk19usnskdxnsw.com
29uwuwousuw8wuwyuwie.com
ye8283yeiw283929wu2.com
h2812932937292sjshskz.com

# Reference: https://twitter.com/luc4m/status/1045671697268051968

h2812932937292sjshskz.com

# Reference: https://twitter.com/avman1995/status/1047018001810300928

382oiso10si8sowppdoiwpc.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1047414713850781697

/MXE/files/
/TOL/files/

# Generic callback

/nerkom.php
/pagioiu88.php
/transaction.php2

# Reference: https://twitter.com/Bank_Security/status/1049640177361186818
# Reference: https://pastebin.com/mkMfAf9Z

app.kartop.at
doc.dicin.at
app.avitoon.at
doc.avitoon.at
ops.twidix.at
xx.go10og.at
api.kartop.at
m1.fofon.at
cdn.kartop.at
api.tylron.at
chat.twidix.at
api.kaonok.at
chat.jimden.at
mahono.cn
/huonasdh.php
/opanskot.php

# Reference: https://twitter.com/luc4m/status/1050806471603224576

/pagjfut54.php

# Reference: https://twitter.com/ViriBack/status/1051565888212791296

hdiwuey872629hsgs18702837.com
k37aos82skd9nal92kamcdla.com

# Reference: https://twitter.com/mgiovamo/status/1051771811438964736

load.testmykickstarter.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1052469234159239168

37iwdmx103qlsmx.com
againstitudents.com
ey271psx8127301.com
woatinkwoo.com
/levond.php

# Reference: https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware

nesocina.com
tapertoni.com
/Flux/tst/

# dork: "/Flux/tst/"

tenicoriv.com
onkoloper.com
nidersona.com
maxigozo.com
nasodirom.com

# Reference: https://twitter.com/Bank_Security/status/1055099888906702850
# Reference: https://pastebin.com/DYZhgSnH

kiki.33gourmetdelinyc.com
loads.smallworld-parties.com
load.kapswholesale.com
mino.aghapyfoodridgewood.com
nupp.810delicafe.com
nopp.ajisaijapanesenyc.com
pool.jfklandscape.com
/jogptfbuu

# Reference: https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/jp_ursnif_20161226

i56a4c1dlzcdsohkwr.biz
66ssywiogjvwljaopw.com
reebovnenewbne001.com
neneeeenqwenene188.com
ceeoerunw10.com
echo.listentree.com
pop.lawadviceonline.org
licensecanadian.ru
arewithoutwarranty.xyz
thenotwithsoldsuequiv.ru
goglosmmosss.com

# Reference: https://blog.yoroi.company/research/ursnif-long-live-the-steganography/

pereloplatka.host
roiboutique.ru
uusisnfbfaa.xyz
nolavalt.icu
sendertips.ru

# Reference: https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features

baderson.com
mopscat.com
gorsedog.com
pintodoc.com
ropitana.com
pirenaso.com
papirosn.com
delcapen.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1107662516824535041

/loq91/10x.php

# Reference: https://twitter.com/dvk01uk/status/1096445096306921472

/suoepwxpamxapxlamslxdo.php

# Reference: https://twitter.com/Racco42/status/1105504898525917184

/83939-2039.php
/89289_928_1.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1100698122563567616

/iwp01-2ksm/20918201.php

# Reference: https://twitter.com/avman1995/status/1094181713121558529

qfelicialew.city
mzg4958lc.com
gxuxwnszau.band
/xap_102b-AZ1/704e.php

# Reference: https://twitter.com/avman1995/status/1108760534894170113

insurancephotolive.xyz
nophotoinsecure.xyz
topolotonop.xyz

# Reference: https://twitter.com/avman1995/status/1108623779062861824

fnyah44.email
wrladoph.city
rsf58.city
subaldodd.email

# Reference: https://twitter.com/James_inthe_box/status/1109520290323693568

keepincomemoney.website

# Reference: https://blog.talosintelligence.com/2019/03/threat-roundup-0315-0322.html (Win.Malware.Ursnif-6896385-0)

kkariannekatrina.company
f61leeii.com
qmitchelkp.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1110470611137114112

/2poef1/j.php

# Reference: https://otx.alienvault.com/pulse/5c9a405e5645c8011c7030f3

blogger.scentasticyoga.com

# Reference: https://twitter.com/bomccss/status/1110997371188465664

sumeriun.com

# Reference: https://twitter.com/gorimpthon/status/1078159820371288064

thatconditions.online

# Reference: https://twitter.com/gorimpthon/status/1077498826934480896

theanyexppatent.online

# Reference: https://twitter.com/Sec_S_Owl/status/1084967201222717440

theincludingte.online

# Reference: https://twitter.com/58_158_177_102/status/1087514326607355904

freetoper.accountant

# Reference: https://twitter.com/AES256bit/status/1079582045439877121

tformlicensable.online

# Reference: https://twitter.com/gorimpthon/status/1078159820371288064

thatconditions.online

# Reference: https://twitter.com/gorimpthon/status/1077498826934480896

theanyexppatent.online

# Reference: https://twitter.com/AES256bit/status/1063113281441738752

cjwefomatt.com
dubbergergbb.com
ticrerfgiff.com

# Reference: https://twitter.com/bomccss/status/1103211371817197568

mopscat.com

# Reference: https://twitter.com/CybereasonJPSOC/status/940267086802063360

comanylimiteddocume.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1113063803753684995
# Reference: https://app.any.run/tasks/223464af-a7be-454b-8f8f-2a8819bde8c1

posakloska.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1113429156040196096
# Reference: https://app.any.run/tasks/22f1f4c3-0297-49a9-89a9-787eee944de9

adonis-medicine.at

# Reference: https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/

nuovalo.icu
nuovalo.site

# Reference: https://twitter.com/JAMESWT_MHT/status/1115926996582830081

/skoex/po2.php

# Reference: https://twitter.com/avman1995/status/1116271689057427456

lunchrappz.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1117694292359819265
# Reference: https://app.any.run/tasks/ca845868-1bba-47ac-8fc5-cf3ba9b86b80

eloiyus.site
nuovalo.icu

# Reference: https://twitter.com/JAMESWT_MHT/status/1117711355363168256
# Reference: https://app.any.run/tasks/f6198a2a-e3c2-48dd-b1ab-dcd723770fd1

itschoolegz.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1123206109421027329
# Reference: https://pastebin.com/NqSBZYCd

npou82vb.info
xjustusia37.xyz

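# Reference: https://blog.talosintelligence.com/2019/05/threat-roundup-0426-to-0503.html (Win.Malware.Ursnif-6957672-0)
# NOTE(review): resolver1.opendns.com below is the hostname of OpenDNS's public DNS resolver, a legitimate service that benign hosts also contact. A match on it alone is not evidence of Ursnif; consider whitelisting or dropping it to avoid false positives.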

ciemona.top
fqwalfredoesheridan.info
resolver1.opendns.com
vmelynaa.club
zwbaoeladiou.xyz

# Reference: https://twitter.com/bomccss/status/1125667764868247552

lidersonef.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1125746846335479808

b49ealsgrjf63w.info

# Reference: https://twitter.com/VirITeXplorer/status/1126015303312396288

sharktankdigestq.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1126044178327191558

velissimilio.site
zxcvsdffffdsv.icu

# Reference: https://twitter.com/VirITeXplorer/status/1126382269646741505

/3retyxo2m.php

# Reference: https://twitter.com/VirITeXplorer/status/1128936190311391233

jxfps21tjohnathon.xyz
ntyrique6024karlie.xyz

# Reference: https://twitter.com/JAMESWT_MHT/status/1130797257375330304
# Reference: https://twitter.com/James_inthe_box/status/1130805489707520000
# Reference: https://pastebin.com/ZUKsE8FQ

r588uaacornell.info
tzdottopm.xyz
v22xscot.info

# Reference: https://twitter.com/SethKingHi/status/1131762896793268224

fbilly75.com
tcletuswi.top
vtaeladarius47.com

# Reference: https://twitter.com/sugimu_sec/status/1133293529025744896

newupdatindef.info

# Reference: https://twitter.com/JAMESWT_MHT/status/1133327173467672581

loaidifds.club

# Reference: https://twitter.com/SethKingHi/status/1133565099577266176

dohilda.club
m49crod.info
mshaun24sidney.top

# Reference: https://twitter.com/sugimu_sec/status/1133714003455168512

aliooird.us

# Reference: https://twitter.com/sugimu_sec/status/1133716946967416835

doliurt.icu

# Reference: https://twitter.com/VirITeXplorer/status/1134009733705359360

clarrywillow.top
rueu5334.info

# Reference: https://twitter.com/JAMESWT_MHT/status/1134039582729822209

office-365-cloud6-2.pw

# Reference: https://twitter.com/JAMESWT_MHT/status/1134373743634071557

sumvawe1s.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1134438287358271489

tericks90.info
/p109/mv.php?l=

# Reference: https://pastebin.com/8AkBCP3p

cannamariecordell.com
hchyna985.top

# Reference: https://twitter.com/JAMESWT_MHT/status/1135815803880820742
# Reference: https://twitter.com/sugimu_sec/status/1135818200455626752

http://176.10.118.191
markeettit.club
markeettit.email
riehmconstruction.com
westseattlenailsalon.com

# Reference: https://twitter.com/58_158_177_102/status/1136164132279861248

paderson.top

# Reference: https://twitter.com/JAMESWT_MHT/status/1136181780531294208

allspanawaystorage.net
extrastoragesandiego.com
searchstoragequote.com
usastoragenetwork.com

# Reference: https://twitter.com/VirITeXplorer/status/1136165811968716800

gopickupnow.com

# Reference: https://twitter.com/58_158_177_102/status/1136162140283236352

firedron.top

# Reference: https://twitter.com/VirITeXplorer/status/1136529259000995840

mmmtbsusanna.info
r52yoo.top

# Reference: https://twitter.com/JAMESWT_MHT/status/1136542388510441472

vduncanoo.club

# Reference: https://twitter.com/Racco42/status/1136991881626341377

blockshain.info

# Reference: https://twitter.com/sugimu_sec/status/1137987552097366016

iqqoiuetyd.club
niloiuyrt.info

# Reference: https://twitter.com/bomccss/status/1138620211140030464

marcoplfind.at

# Reference: https://twitter.com/Bank_Security/status/1138680380242968576
# Reference: https://pastebin.com/ut0fw5Ry

filomilalno.club
fileneopolo.online
reziki.online
reziki.xyz

# Reference: https://twitter.com/VirITeXplorer/status/1138703768994758656

b64zwvi.top
mjoan95bn.info

# Reference: https://twitter.com/58_158_177_102/status/1140519789368098818

timenard.top
tupeska.top

# Reference: https://twitter.com/reecdeep/status/1140880338790617089

m6147keeganpw.info
/si2s81-19.php

# Reference: https://twitter.com/VirITeXplorer/status/1141597876432322560

dmurrayh52k.club
fconnieao.club

# Reference: https://twitter.com/sugimu_sec/status/1141618472612319232

iluuryeqa.info
ueba6ka.club

# Reference: https://twitter.com/JAMESWT_MHT/status/1141636986912018432

jyoe91alverta.top

# Reference: https://twitter.com/James_inthe_box/status/1141788413697253376

api.fiho.at
digital.audiobookjunkie.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1141969652656082944

uytr5e.imtbreds.com

# Reference: https://twitter.com/reecdeep/status/1142006559247097856

iluuryeqa.info

# Reference: https://blog.talosintelligence.com/2019/06/threat-roundup-0614-0621.html (Win.Malware.Ursnif-6995948-1)

capoverso.info
cyberplay.at

# Reference: https://twitter.com/killamjr/status/1143138622289391616

zuvwax.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1143483784605708291

sdelaneyuaclotilde.club

# Reference: https://twitter.com/JAMESWT_MHT/status/1144155439598309376
# Reference: https://app.any.run/tasks/383c4c0a-e2f0-46d2-9688-27243cd17681/

n82burdette62.top

# Reference: https://twitter.com/reecdeep/status/1144156253075247104

fundoluyr.fund

# Reference: https://twitter.com/JAMESWT_MHT/status/1144154461759311872

mmontyireina.club
riul.xyz
s62mxcn.club

# Reference: https://twitter.com/sugimu_sec/status/1144180837526585344

48727711.xyz

# Reference: https://twitter.com/JAMESWT_MHT/status/1145676603038605312

g69jylv.xyz
koe32dayton.com
woa79ewinfield.club

# Reference: https://twitter.com/VirITeXplorer/status/1145961294945771521

je28oy379.info

# Reference: https://twitter.com/p5yb34m/status/1146420354564280321

danforthdrugmart.ca
toolz22n5.info
