# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://ransomwaretracker.abuse.ch/tracker/cerber/

i01001.dgn.vn
chromebewfk.top
chromefastl.top
chromehakc.top
cleverdotl.top
ddiopoola.top
dealkolld.top
dokjasura.top
fkauueeepla.top
flowerxpo.top
foolalexas.top
googlefoad.top
newsectorbs.top
watherfka.top
weekendlk.top
zutzt67dcxr6mxcn.onion.to

# Reference: https://isc.sans.edu/diary/Sage%2B2.0%2BRansomware/21959

cocalolo.top
truepokemonant.top

# Reference: https://twitter.com/0bfusCat/status/1194975382795145218

besenok.biz

# Reference: https://blog.talosintelligence.com/2019/11/threat-roundup-1115-1122.html (# Win.Ransomware.Cerber-7395321-0)

ahrkvtgc.com
aynycxbgodmwi.com
fhvkufnnrlyfvx.com
gcijrxipe.com
hd63ueor8473y.com
ogltynjmtfiu.com
qegdtnvuanlyid.com
rlkeqcsygmmglv.com
shebkucvrunporc.com
uahvwkjphhklqigod.com
wdwefwefwwfewdefewfwefw.onion
wglxvkpybhnxhfv.com

# Reference: https://blog.talosintelligence.com/2020/02/threat-roundup-0131-0207.html (# Win.Ransomware.Cerber-7571364-0)

blasters.biz

# Reference: https://blog.talosintelligence.com/2020/02/threat-roundup-0207-0214.html (# Win.Ransomware.Cerber-7582361-0)

bocfgojek.click
cdwguymjxnyot.pl
cojkhmdxrwvxwxa.pw
dxpmkdipp.info
hkwyfnevdievebgjx.xyz
hldsfuh.info
iconhrdqmeueg.su
ligumssfsrtfpy.xyz
mmteenijjjuyoqju.info
mwddgguaa5rj7b54.onion
othcijmuhwb.pl
pqhwfeeivtkxi.click
qgilcuym.org
qoaouhgwfy.biz
rqtcmltkurtev.pw
veiqvqirdhmyis.org
ydgsjrjqotlffitfg.org

# Reference: https://github.com/StrangerealIntel/malware-notes/blob/master/Ransomware/_ransom_notes.md

decrypttozxybarc.onion

# Reference: https://app.any.run/tasks/7bebb866-3963-4843-9226-6cfc79c4c3bf/

ffoqr3ug7m726zou.onion.to

# Reference: https://blog.talosintelligence.com/2020/02/threat-roundup-0221-0228.html (# Doc.Malware.Valyria-7595017-0)

dosehoop.top
folueaport.top
footarepu.top
vvorootad.top
zofelaseo.top

# Reference: https://www.ey.com/Publication/vwLUAssets/ey-wannacry-ransomware-attack/$File/ey-wannacry-ransomware-attack.pdf

mbfce24rgn65bx3g.jktew0.com
mbfce24rgn65bx3g.lfsjkad.net
mbfce24rgn65bx3g.yio3lvx.com
7gie6ffnkrjykggd.2kzm0f.com
mbfce24rgn65bx3g.2kzm0f.com
7gie6ffnkrjykggd.jktew0.com
7gie6ffnkrjykggd.jpo2z1.net
mbfce24rgn65bx3g.6t4u2p.net
mbfce24rgn65bx3g.jpo2z1.net

# Reference: https://ransomwaretracker.abuse.ch/tracker/sage/  (as seen on 2017-10-31)

mbfce24rgn65bx3g.kye1ap.net
mbfce24rgn65bx3g.l3by4d.com
mbfce24rgn65bx3g.17b3o.net
mbfce24rgn65bx3g.2igu316.com
mbfce24rgn65bx3g.je9mlz.com
mbfce24rgn65bx3g.eho23d.net
mbfce24rgn65bx3g.hp8ewo.net
mbfce24rgn65bx3g.0ny42p.com
mbfce24rgn65bx3g.is0hvt1.com

# Reference: https://blog.talosintelligence.com/2019/06/threat-roundup-0614-0621.html (# Win.Ransomware.Sage-6995951-1)

mbfce24rgn65bx3g.we0sgd.com
mbfce24rgn65bx3g.y8lkjg5.net

# Reference: http://id-ransomware.blogspot.com/2017/01/sage-2-ransomware.html (Russian)

mbfce24rgn65bx3g.op7su2.com
mbfce24rgn65bx3g.rzunt3u2.com
7gie6ffnkrjykggd.rzunt3u2.com
7gie6ffnkrjykggd.er29sl.in
7gie6ffnkrjykggd.onion
z5dq36kjy5swjtmr.hp8ewo.net
z5dq36kjy5swjtmr.0ny42p.com

# Reference: https://isc.sans.edu/diary/Sage%2B2.0%2BRansomware/21959

mbfce24rgn65bx3g.er29sl.in

# Reference: https://blog.talosintelligence.com/2020/04/threat-roundup-0403-0410.html (# Win.Ransomware.Razy-7646351-0)

mbfce24rgn65bx3g.we0sgd.com
mbfce24rgn65bx3g.y8lkjg5.net

# Reference: https://twitter.com/pancak3lullz/status/1251227273950310400

31.184.192.3:6892

# Reference: https://app.any.run/tasks/a87d495b-2fb6-4130-a40d-f5b74610b8c2/

93.107.12.1:6893

# Reference: https://www.virustotal.com/gui/file/24db37158a6190d7fece714b37628e58bde229a0e89340c5999064ae9ccae7a4/detection
# Reference: https://www.virustotal.com/gui/domain/blasters.biz/relations

blasters.biz
abupkgiwale.blasters.biz
adymoxewupx.blasters.biz
afeqov.blasters.biz
afizepd.blasters.biz
agisypanyr.blasters.biz
agywyxedak.blasters.biz
ajeryguw.blasters.biz
apeholy.blasters.biz
apodizasor.blasters.biz
aqycun.blasters.biz
awacgmutub.blasters.biz
azlwitav.blasters.biz
emowebehyva.blasters.biz
esuxum.blasters.biz
ezaw.blasters.biz
ibyj.blasters.biz
icoxezsv.blasters.biz
icyxobofoq.blasters.biz
idytysu.blasters.biz
ikecodebina.blasters.biz
ikukyr.blasters.biz
isulagynu.blasters.biz
itydumyme.blasters.biz
kheg.blasters.biz
ngijyceloku.blasters.biz
oczkubo.blasters.biz
oduzudmwe.blasters.biz
ohibe.blasters.biz
udtfegafu.blasters.biz
ugawupelyw.blasters.biz
upalaft.blasters.biz
urumom.blasters.biz
utecipop.blasters.biz
uvud.blasters.biz
uwanakygoz.blasters.biz
yhyfu.blasters.biz
ynytyg.blasters.biz
yvizag.blasters.biz
zwudijupofy.blasters.biz

# Reference: https://app.any.run/tasks/84bf30fb-b9f4-4241-8960-08434d5cddb9/

93.107.12.0:6893

# Reference: https://blog.talosintelligence.com/2021/03/threat-roundup-0226-0305.html (# Win.Packed.Razy-9835522-0)
# Reference: https://www.virustotal.com/gui/file/03cd3bbb28b53c4f9b7bed0858cb1457c274634d35159be0ec5818ea9231cfbe/detection

alihoryty.klontrek.org
amsdoryr.klontrek.org
anikimogy.klontrek.org
apimumiluwe.klontrek.org
azazyvozo.klontrek.org
eqjcyn.klontrek.org
esergsicuqi.klontrek.org
esev.klontrek.org
fkisew.klontrek.org
gnoqovijds.klontrek.org
icupyno.klontrek.org
ikig.klontrek.org
inad.klontrek.org
jbyge.klontrek.org
jgihasov.klontrek.org
kpicyles.klontrek.org
ofyc.klontrek.org
udyhytu.klontrek.org
ulghyji.klontrek.org
uvenemico.klontrek.org
ybuny.klontrek.org
yhytabykoje.klontrek.org
ypybo.klontrek.org
ypyhelynac.klontrek.org

# Reference: https://www.virustotal.com/gui/file/854ca8ecec3aeb5510711199490218f25fe2c4a8bb4f47b52ba461209409eccf/detection

http://146.0.72.89

# Generic trails

\b(27lelchgcvs2wpm7|4kqd3hmqgptupi3p|52uo5k3t73ypjije|7gie6ffnkrjykggd|ahuqfrqk54v3vnzj|avsxrcoq2q5fgrw2|cerberhhyed5frqa|ffoqr3ug7m726zou|fnmi62725zfti2vy|ftoxmpdipwobp4qy|hjhqmbxyinislkkt|lfdachijzuwx4bc4|mbfce24rgn65bx3g|oqwygprskqv65j72|p27dokhpz2n7nvgr|pe2cku7pebkpgeko|pmenboeqhyrpvomq|qfjhpgbefuhenjp7|unocl45trpuoefft|vyohacxzoue32vvk|wjtqjleommc4z46i|xpcx6erilkjced3j|xrhwryizf5mui7a5|xxxxxxxxxxxxxxxx|z5dq36kjy5swjtmr)\.[a-z0-9.]+
