# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/
# Reference: https://otx.alienvault.com/pulse/5d40766ecabf3f345b3811db

http://212.109.198.22

# Reference: https://twitter.com/VK_Intel/status/1170955066355998721

http://188.225.38.30

# Reference: https://twitter.com/david_jursa/status/1171034657137319936

afgorc.xyz
djhjqg.xyz
drtest.xyz
yjomnb.xyz

# Reference: https://twitter.com/nao_sec/status/1171443035055390722

cuwygawipu.tk

# Reference: https://twitter.com/sans_isc/status/1172383709992931328
# Reference: https://isc.sans.edu/diary/25318

dhq.xyz
gtglax.xyz
mqtryi.xyz
ootsfq.xyz
yfmxng.xyz

# Reference: https://twitter.com/nao_sec/status/1173228978997354496

atztds17.world

# Reference: https://twitter.com/tkanalyst/status/1195867354338455552
# Reference: https://www.virustotal.com/gui/ip-address/94.130.90.228/relations

http://188.225.84.132
atztds25.world

# Reference: https://twitter.com/BroadAnalysis/status/804164835650965504
# Reference: https://broadanalysis.com/2016/11/30/rig-exploit-kit-via-the-eitest-delivers-cryptfile2-ransomware/

clickonlaramietoyota.com

# Reference: https://twitter.com/DynamicAnalysis/status/1182015863043567622
# Reference: https://pastebin.com/dunyKxnG

atztds177.world
atztds37.world
atztds775.world
btcseller.club
vapeshout.com
worplace.com
samsungt.com
wwwdailyforex.com
cryptaloot.pro
go2batch.com
fceacebook.com

# Reference: https://twitter.com/adrian__luca/status/1148186673739685888

scrappycoco.ru

# Reference: https://twitter.com/tkanalyst/status/1187735439240773632

reversepin.pro

# Reference: https://twitter.com/tkanalyst/status/1188025346009919490

fiestagoal.pro
hipeoutset.pro

# Reference: https://twitter.com/tkanalyst/status/1189558049901465601

contactfiests.pro
speakerboxnectar.info

# Reference: https://twitter.com/tkanalyst/status/1193121699002114048

http://173.82.114.254
raisedsky.info
trickfiesta.info

# Reference: https://twitter.com/tkanalyst/status/1194648639693451266

http://202.182.121.252
booblegums.info
stonefiesta.info

# Reference: https://broadanalysis.com/2019/12/02/rig-exploit-kit-delivers-bot-ransomware/
# Reference: https://otx.alienvault.com/pulse/5de907a4b04741669d476189

bestwalletapiandroid.world
lucretius-ada.com

# Reference: https://twitter.com/david_jursa/status/1207613694621999104

lendsblog.com
atztds702cv.xyz

# Reference: https://twitter.com/tkanalyst/status/1219244505640996864

http://199.247.5.69
fatykarying.xyz
fiestalume.info

# Reference: https://twitter.com/FaLconIntel/status/1230488503290449920

tldrbox.top

# Reference: https://twitter.com/FaLconIntel/status/1235580218842083329

fiestagg.info
morethanyouneed.xyz

# Reference: https://app.any.run/tasks/828e1e86-c4ee-4251-a20d-6aacc6b4b9cf/

http://82.146.46.180

# Reference: https://twitter.com/FaLconIntel/status/1241568444551741441
# Reference: https://app.any.run/tasks/e074bc0d-7edf-4e58-86ad-f7e3dd8df714/

http://176.57.220.16

# Reference: https://isc.sans.edu/forums/diary/CryptoShield+Ransomware+from+Rig+EK/22047/Hancitor/Pony

need.southpadreforsale.com
star.southpadrefishingguide.com

# Reference: https://twitter.com/david_jursa/status/1250716073437073409

likeaboss.club

# Reference: https://twitter.com/nao_sec/status/1254025079635075073

http://188.225.27.75

# Reference: https://twitter.com/david_jursa/status/1278665984124039171

meetingzoom.us

# Reference: https://any.run/report/7e447d08da535d1ee4aff7f9b69b0a461c0a7c549c3a2444fc6486687badce45/4e32f20f-1228-4b2d-ae8d-4d472e586d87
# Reference: https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit

makemoneyeasy.live
http://82.146.63.94

# Reference: https://twitter.com/jeromesegura/status/1286087207829176320

http://142.93.161.173

# Reference: https://twitter.com/nao_sec/status/1286896740822478848

http://185.200.241.78
slolimoso.space

# Reference: https://twitter.com/MBThreatIntel/status/1289275954896936960

http://185.119.58.181

# Reference: https://twitter.com/nao_sec/status/1294871134001799168

http://185.119.56.54

# Reference: https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/

http://91.210.171.116

# Reference: https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/
# Reference: https://www.virustotal.com/gui/ip-address/162.219.29.77/relations

afanasitrita.top
azsmistnswezdezake.top
best4ygottna4er.top
bestbulikimygottna4er.top
bestgreenpop4d.top
bestlipopomulit32seder.top
bestrkapolik23kalil.top
bestwezdes2pope.top
brastikorana.top
britorikanosa.top
bulikimygottna4er.top
buyoasde1ingdse.top
buyolodes2ingdse.top
buyoloyogo12dse.top
doberabokaseno.top
elrapisokarino.top
fashionswezdes2pope.top
granbotakami.top
herazari.top
hihuravila.top
jimantutago.top
jonsolato.top
jotutikaruma.top
kalinpolik23kalil.top
lipopomulit32seder.top
losvaretakona.top
mabestrdayobline2t.top
masterdayobline2t.top
mertitakotara.top
mikalanovane.top
milorapasata.top
miropidevata.top
mistnswezdezake.top
mmsdrestrdayobline2t.top
newdeuyogo12dse.top
odnorkapolik23kalil.top
opaopomulit32seder.top
pirasokureta.top
pirosumona.top
pitakumata.top
polikbestgreenpop4d.top
popnswezdezake.top
popsasesaesa1sa.top
popssavestpalika2sed.top
popstereet32sdre.top
pritastromana.top
pritoparivata.top
rewitakinama.top
rotukojuto.top
sanegreenpop4d.top
sanijokorujama.top
tederosavito.top
theasesaada2sae.top
theasesabebesa2sae.top
thesaaseazsw21sa.top
thesaasesaesa1sa.top
thesabebesa2sae.top
tinasokapikada.top
tritakataga.top
tritoralikasa.top
trutosakato.top
vestkazatpalika2sed.top
vestpalika2sed.top
vestvavestpalika2sed.top
vulkane7xoprit.top
wezdes2pope.top

# Reference: https://twitter.com/EKFiddle/status/1324488758217994241

http://185.150.117.129

# Reference: https://twitter.com/nao_sec/status/1332097156434391040

http://95.216.179.33

# Reference: https://twitter.com/nao_sec/status/1342099082739732480

http://45.14.50.50

# Reference: https://twitter.com/malware_traffic/status/1346307776583262209

http://188.227.84.241

# Reference: https://twitter.com/MalwarePatrol/status/1350111033260695555

http://188.227.106.164
anklexit.online

# Reference: https://twitter.com/malware_traffic/status/1358878265923014656

http://188.227.57.214

# Reference: https://twitter.com/MBThreatIntel/status/1361824286499950601

http://188.225.75.54

# Reference: https://twitter.com/MBThreatIntel/status/1372674938901909505

myallexit.xyz

# Reference: https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf

allindelivery.net
clickadusweep.vip
testclicktds.xyz
testtrack.xyz
zeroexit.xyz
enter.testclicktds.xyz
traffic.allindelivery.net
zero.testtrack.xyz

# Reference: https://twitter.com/nao_sec/status/1403322564580020227
# Reference: https://twitter.com/david_jursa/status/1403319802161213440
# Reference: https://app.any.run/tasks/f00d7529-d2b7-4ad8-86ea-3d3bd256d8c3/

http://188.227.107.144
exitmagall.xyz

# Generic trails

\b(atztds|mtxtds)[0-9a-z]+\.(world|xyz)
