# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: dorkbot, ngrbot

# Reference: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Dorkbot#tab=2

shannen.cc
lovealiy.com
shuwhyyu.com
syegyege.com

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Dorkbot-AO/detailed-analysis.aspx

negro001.com
negro002.com
negro003.com
thismynew.info
thismynew1.info
thismynew2.info
negro004.com
negro0045.com
negro005.com

# Reference: http://research.zscaler.com/2015/04/irc-botnets-alive-effective-evolving.html

api1.wipmania.com.wipmsc.ru
api2.wipmania.com.wipmsc.ru
api3.wipmania.com.wipmsc.ru
api4.wipmania.com.wipmsc.ru
api5.wipmania.com.wipmsc.ru
api6.wipmania.com.wipmsc.ru
api7.wipmania.com.wipmsc.ru
api8.wipmania.com.wipmsc.ru
api9.wipmania.com.wipmsc.ru
api.wipmania.com.fowd.ru
api.wipmania.com.selfmg.ru
api.wipmania.com.lotus5.ru
api.wipmania.com.wipmania.ru
api.wipmania.com.lotys.ru
api.wipmania.com.bwats.ru
api.wipmania.com.stcus.ru
api.wipmania.com.cmoen.ru
api.wipmania.com.artbcon3.ru
api.wipmania.com.yeloto.ru
update.wipmania.com.raulhost.ru

# Reference: https://www.malwareviz.com/static/html/MalwareViz_497b25ea944d382e5a6fa5ccd8d447c6.html

api1.wipmania.net

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Mdrop-GQC/detailed-analysis.aspx

n.ezjhyxxbf.ru
n.hmiblgoja.ru
n.jntbxduhz.ru
n.lotys.ru
n.yqqufklho.ru

# Reference: http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/TrojanGenericKD18294833413650c55

n.lotys.ru
n.jntbxduhz.ru
n.hmiblgoja.ru
n.ezjhyxxbf.ru
n.yqqufklho.ru
n.vbemnggcj.ru
n.yxntnyrap.ru
n.oceardpku.ru
n.zhgcuntif.ru
n.jupoofsnc.ru
n.aoyylwyxd.ru
n.kvupdstwh.ru
n.spgpemwqk.ru
n.zhjdwkpaz.ru
n.dclhmfkcb.ru
n.yugypkhvl.ru
n.srobpranm.ru
n.zccgyxwfa.ru
n.lgcpogvly.ru
n.mqjcctzdu.ru
n.jthxriotb.ru
n.eoifjgjxl.ru
n.mmhjrarii.ru
n.lurgcdqwk.ru
n.adkxlenod.ru
n.lumzwlhum.ru
n.spdsazjaj.ru
n.rzyyjafvk.ru
n.orvjwcvqt.ru
n.nikejqiis.ru
n.uhwumfxht.ru
n.gznzenuve.ru
n.ipdcuzrbj.ru
n.axitdflcr.ru
n.gbckjrrzu.ru
n.kntrejzkq.ru
n.srxkwklks.ru
n.knyszaijv.ru
n.yjeuatihg.ru
n.zgfvfhtli.ru
n.hceymatul.ru
n.xiabhaoii.ru
n.oysaqcxbi.ru
n.raqimfebe.ru
n.kbwuxntle.ru
n.xcuygznmk.ru
n.fxazudqiv.ru
n.keqenlhsc.ru
n.hpufkdrqr.ru
n.yfxmjmbpd.ru
n.wbakrhdqe.ru
n.fxagapbcw.ru
n.bkgywvtsx.ru
n.zervwpzra.ru
n.akyjwkkqj.ru
n.heiylmruc.ru
n.yothepdgz.ru
n.jqltfflhx.ru
n.gbfelbdjz.ru
n.sjkguntum.ru
n.lxbluoryz.ru
n.khqrqoqoe.ru
n.lujjeazun.ru
n.votjsbqxi.ru
n.whukpjket.ru
n.jspowmxsl.ru
n.bhsbqjysh.ru
n.epbdyornt.ru
n.iclcakajd.ru
n.lbxfqfcxj.ru
n.zdxappufr.ru
n.wxvwsagfj.ru
n.phbndvdsy.ru
n.gxltnbgks.ru
n.jveblfxqs.ru
n.cfqqxfduf.ru
n.bjadvjfdx.ru
n.ggxvmjwgy.ru
n.avebiwdbf.ru
n.jractocvx.ru
n.srcbrtetb.ru
n.tekwkrsll.ru
n.hbukvpirg.ru
n.rpbzpxiyg.ru
n.cdtclxicx.ru
n.cjwxfmimx.ru
n.sabqauqxz.ru
n.ysmilxqbp.ru
n.oaclzemyh.ru
n.sokjrsoge.ru
n.rqbupminx.ru
n.tsmdeqpxz.ru
n.uqeuhlpbo.ru
n.owjbbpdam.ru
n.zjadtsvrd.ru
n.cusviecqs.ru
n.plrbchand.ru
n.zqpkvolqc.ru
n.qktjrlxil.ru
n.xyxbbuxhw.ru
n.nnzykujty.ru
n.elnytydma.com
n.mrjwqrvhe.com
n.nmdlqnsqv.com
n.eoxhxlxax.com
n.kpypmhotd.com
n.iegvyabpm.com
n.vvspbjbsj.com
n.rejtobfsz.com
n.kyhoimuag.com
n.nfjmrolyt.com
n.zfluvuuez.com
n.krpjpyuvr.com
n.jijvoiiqf.com
n.pszpnkbib.com
n.zhlhvgfpj.com
n.mvhrrpbab.com
n.xqbwkgtli.com
n.yykzejasl.com
n.uafvkahxq.com
n.onnaznfpi.com
n.bvjbygkhq.com
n.celujntse.com
n.nothauweh.com
n.bffihxjxo.com
n.onqxlsjsu.com
n.nzebzahio.com
n.ylbotqjmk.com
n.cbceluvnf.com
n.gurvnrthi.com
n.ckcwacpts.com
n.irhwtkyov.com
n.wnkgkwbbb.com
n.eepixnqaa.com
n.zodoyucra.com
n.dsnkjlkfu.com
n.wpsnxnegs.com
n.cvnuxxysj.com
n.wewhftcna.com
n.zjfprawyu.com
n.ukgorgrqm.com
n.nwsxkwjtb.com
n.rzhfwlaaj.com
n.cygzrpdct.com
n.uahauuzyr.com
n.cirgfzcxh.com
n.pxktczqpg.com
n.lwoucvztu.com
n.fwmfdsrdo.com
n.ysrzbwrhy.com
n.lsisqkwax.com
n.obfzdniwo.com
n.koiqczjzt.com
n.sbliadsxt.com
n.jxgxgdmnh.com
n.pubacyixo.com
n.xqrrrfjkk.com
n.ivqxnsonc.com
n.nxnpcnedd.com
n.nxoyntdzt.com
n.rxehjwklo.com
n.igmkzotyp.com
n.aumzkzwrl.com
n.jcawsrxup.com
n.abmadwhcr.com
n.lmfbywtms.com
n.hhxxcplyd.com
n.bjlajcvcy.com
n.kpmcbjlmz.com
n.ghovcuips.com
n.pucpdbgjm.com
n.zzwwnrwum.com
n.odeujslqf.com
n.ecnpjynwc.com
n.ynxjwgdec.com
n.xrbqavrjw.com
n.ipzfjqnzj.com
n.ulffiidks.com
n.qtcyitbce.com
n.abjuylahr.com
n.zepjdorss.com
n.vlwibqnup.com
n.eaxeebvnx.com
n.rjywkggko.com
n.zmvlqrhsl.com
n.unvsceumt.com
n.vimaspimf.com
n.myyhalxbr.com
n.rsxnjdvgu.com
n.kdrlowylf.com
n.tnylqmwer.com
n.wesocfgdj.com
n.sgteglshe.com
n.kbsdxnoqc.com
n.offbizvki.com
n.msosxcmuh.com
n.uczcgpuxv.com
n.wxctgbeou.com
n.lhklpacah.com
n.adhelcnoh.com
n.jcapalebj.com
abjuylahr.com
abmadwhcr.com
adhelcnoh.com
adkxlenod.ru
akyjwkkqj.ru
aoyylwyxd.ru
aumzkzwrl.com
avebiwdbf.ru
axitdflcr.ru
bffihxjxo.com
bhsbqjysh.ru
bjadvjfdx.ru
bjlajcvcy.com
bkgywvtsx.ru
bvjbygkhq.com
cbceluvnf.com
cdtclxicx.ru
celujntse.com
cfqqxfduf.ru
cirgfzcxh.com
cjwxfmimx.ru
ckcwacpts.com
cusviecqs.ru
cvnuxxysj.com
cygzrpdct.com
dclhmfkcb.ru
dsnkjlkfu.com
eaxeebvnx.com
ecnpjynwc.com
eepixnqaa.com
elnytydma.com
eoifjgjxl.ru
eoxhxlxax.com
epbdyornt.ru
ezjhyxxbf.ru
fwmfdsrdo.com
fxagapbcw.ru
fxazudqiv.ru
gbckjrrzu.ru
gbfelbdjz.ru
ggxvmjwgy.ru
ghovcuips.com
gurvnrthi.com
gxltnbgks.ru
gznzenuve.ru
hbukvpirg.ru
hceymatul.ru
heiylmruc.ru
hhxxcplyd.com
hmiblgoja.ru
hpufkdrqr.ru
iclcakajd.ru
iegvyabpm.com
igmkzotyp.com
ipdcuzrbj.ru
ipzfjqnzj.com
irhwtkyov.com
ivqxnsonc.com
jcapalebj.com
jcawsrxup.com
jijvoiiqf.com
jntbxduhz.ru
jqltfflhx.ru
jractocvx.ru
jspowmxsl.ru
jthxriotb.ru
jupoofsnc.ru
jveblfxqs.ru
jxgxgdmnh.com
kbsdxnoqc.com
kbwuxntle.ru
kdrlowylf.com
keqenlhsc.ru
khqrqoqoe.ru
kntrejzkq.ru
knyszaijv.ru
koiqczjzt.com
kpmcbjlmz.com
kpypmhotd.com
krpjpyuvr.com
kvupdstwh.ru
kyhoimuag.com
lbxfqfcxj.ru
lgcpogvly.ru
lhklpacah.com
lmfbywtms.com
lotys.ru
lsisqkwax.com
lujjeazun.ru
lumzwlhum.ru
lurgcdqwk.ru
lwoucvztu.com
lxbluoryz.ru
mmhjrarii.ru
mqjcctzdu.ru
mrjwqrvhe.com
msosxcmuh.com
mvhrrpbab.com
myyhalxbr.com
nfjmrolyt.com
nikejqiis.ru
nmdlqnsqv.com
nnzykujty.ru
nothauweh.com
nwsxkwjtb.com
nxnpcnedd.com
nxoyntdzt.com
nzebzahio.com
oaclzemyh.ru
obfzdniwo.com
oceardpku.ru
odeujslqf.com
offbizvki.com
onnaznfpi.com
onqxlsjsu.com
orvjwcvqt.ru
owjbbpdam.ru
oysaqcxbi.ru
phbndvdsy.ru
plrbchand.ru
pszpnkbib.com
pubacyixo.com
pucpdbgjm.com
pxktczqpg.com
qktjrlxil.ru
qtcyitbce.com
raqimfebe.ru
rejtobfsz.com
rjywkggko.com
rpbzpxiyg.ru
rqbupminx.ru
rsxnjdvgu.com
rxehjwklo.com
rzhfwlaaj.com
rzyyjafvk.ru
sabqauqxz.ru
sbliadsxt.com
sgteglshe.com
sjkguntum.ru
sokjrsoge.ru
spdsazjaj.ru
spgpemwqk.ru
srcbrtetb.ru
srobpranm.ru
srxkwklks.ru
tekwkrsll.ru
tnylqmwer.com
tsmdeqpxz.ru
uafvkahxq.com
uahauuzyr.com
uczcgpuxv.com
uhwumfxht.ru
ukgorgrqm.com
ulffiidks.com
unvsceumt.com
uqeuhlpbo.ru
vbemnggcj.ru
vimaspimf.com
vlwibqnup.com
votjsbqxi.ru
vvspbjbsj.com
wbakrhdqe.ru
wesocfgdj.com
wewhftcna.com
whukpjket.ru
wnkgkwbbb.com
wpsnxnegs.com
wxctgbeou.com
wxvwsagfj.ru
xcuygznmk.ru
xiabhaoii.ru
xqbwkgtli.com
xqrrrfjkk.com
xrbqavrjw.com
xyxbbuxhw.ru
yfxmjmbpd.ru
yjeuatihg.ru
ylbotqjmk.com
ynxjwgdec.com
yothepdgz.ru
yqqufklho.ru
ysmilxqbp.ru
ysrzbwrhy.com
yugypkhvl.ru
yxntnyrap.ru
yykzejasl.com
zccgyxwfa.ru
zdxappufr.ru
zepjdorss.com
zervwpzra.ru
zfluvuuez.com
zgfvfhtli.ru
zhgcuntif.ru
zhjdwkpaz.ru
zhlhvgfpj.com
zjadtsvrd.ru
zjfprawyu.com
zmvlqrhsl.com
zodoyucra.com
zqpkvolqc.ru
zzwwnrwum.com

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Dorkbot-FO/detailed-analysis.aspx

f.eastmoon.pl
gigasbh.org
gigasphere.su
h.opennews.su
o.dailyradio.su
photobeat.su
s.richlab.pl
uranus.kei.su
xixbh.com
xixbh.net

# Reference: https://blog.talosintelligence.com/2018/08/threat-roundup-0824-0831.html

aliluya.in

# Reference: https://www.threatcrowd.org/malware.php?md5=b3cf7cf6672708125946436c2fd0970a

otcu.co.cc

# Reference: https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-fresh-variant-dorkbot-botnet/

abcxyz.com
api.wipmania.net/icon/n.api

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Dorkbot-KL/detailed-analysis.aspx

app.wipmania.net/icon/n.api
/icon/n.api

# Reference: http://secure.lavasoft.com/mylavasoft/malware-descriptions/blog/WormWin32Dorkbotcdde5fec37

h.k211128.com
y.cae1r699.ru
y.jo1rv99.com

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Dorkbot-H/detailed-analysis.aspx

blueverse.kz
gigasphere.su

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Dorkbot-I/detailed-analysis.aspx

appupdate.org
appupdate02.info
0days.me
0dayx.com
a7aneek.net

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2012/2012-09-20-ngrbot-spreads-via-chat/ngrbot-spreads-via-chat.csv

http.xxxx.zaberno.com

# Reference: https://blog.talosintelligence.com/2020/03/threat-roundup-0313-0320.html (# Win.Worm.Barys-7617456-0)
# Reference: https://blog.talosintelligence.com/2020/11/threat-roundup-1113-1120.html (# Win.Packed.Ruskill-9791575-1)

ezjhyxxbf.ru
hmiblgoja.ru
lotys.ru
yxntnyrap.ru
vbemnggcj.ru
yqqufklho.ru
jntbxduhz.ru
oceardpku.ru
zhgcuntif.ru
jupoofsnc.ru
kvupdstwh.ru
aoyylwyxd.ru
spgpemwqk.ru
dom.tuntu.info
dom.ka3ek.com
dom.l33t-milf.info
dom.xsaudix.net
dom.altincopps.com
dom.tut0r1allsvu.info
dom.yeh7292ahyssozananan.com
dom.x01bkr2.biz
nutqauytva513xyzf11zzzzz0.com
nutqauytva6213xyzf112zzz1.com
nutqauytva1413xyzf114zzz3.com
nutqauytv5a1113xyzf115zzz4.com

# Reference: https://blog.talosintelligence.com/2020/06/threat-roundup-0529-0605.html (# Win.Dropper.Barys-7914367-0)

fedosh.np-ip.biz
fedoshka.no-ip.biz
laotra.no-ip.info
matheustkt.no-ip.biz
panicofas.no-ip.org

# Reference: https://app.any.run/tasks/3adae169-e20c-47d4-9e2b-8d48bad102a4/

adoyou1understandme42.com
aiphon1egalaxyblack42.com
ajjjqws1fkxx42.com
amous1epadsafa42.com
a.adoyou1understandme42.com
a.aiphon1egalaxyblack42.com
a.ajjjqws1fkxx42.com
a.amous1epadsafa42.com

# Reference: https://app.any.run/tasks/50a50ca6-3f22-4044-9f7f-a8aba39cd6af/

plc.yuant.org
i.trizztal.info
plc.yuant.org
irc.you-irc.com

# Reference: https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
# Reference: https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/012/156/original/snort3-community-rules.tar.gz

lolcantpwnme.net
myshopers.com
rewt.ru
x3x4.su
xxxxxxxxxxxxxxx.kei.su

# Reference: https://www.virustotal.com/gui/file/aaddcc70e3ac4cebfe2fc6e9c8f8a7b0c3013cf5b3937f38d09d0b673101ab5e/detection

helli.pl
yori.pl
parad.su

# Reference: https://www.virustotal.com/gui/file/cece9c163c1125ec2c64c15bb755b04d1cb73b71ec51079e5b120d42633a167f/detection

109.70.26.37:5102
ngme.yourwebfind.com

# Reference: https://www.virustotal.com/gui/file/c06a6b95a244e0a9fdf5f7b7202e3a35a629c20882e7763f034411a7c53e9a2c/detection

194.85.61.76:5101
ngme.babypin.net
ngme.beecitysearch.com
ngme.drwhox.com

# Reference: https://www.virustotal.com/gui/file/b39c6d83971d9a01c279639ed5756dc5fe7f58d9c0baa238823f155473bf6448/detection

gvr.no-ip.biz
gvr1.no-ip.biz

# Generic trails

/0xabad1dea.php
