# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: ares, kronos, osiris, regretlocker

# Reference: https://www.proofpoint.com/us/threat-insight/post/kronos-reborn

jhrppbnh4d674kzh.onion
jmjp2l7yqgaj5xvv.onion
mysmo35wlwhrkeez.onion
suzfjfguuis326qw.onion
dkb-agbs.com
fritsy83.website
oo00mika84.website
milliaoin.info
kioxixu.abkhazia.su
lionoi.adygeya.su
startupbulawayo.website

# Reference: http://www.broadanalysis.com/2016/10/31/compromised-site-redirects-to-rig-exploit-kit-delivering-kronos-and-nymaim/

2mynameins3344.net
johane3234.net

# Reference: https://twitter.com/nao_sec/status/1148799237049552896
# Reference: https://twitter.com/VK_Intel/status/1148803869239128071
# Reference: https://app.any.run/tasks/dcae4160-a76a-483c-ae4c-788eed561103/

xtaahlcqyfppmvwwprblvveog.paletoxyz.com

# Reference: https://twitter.com/JayTHL/status/1166744243861360642

d2gyv54plbc23to.onion

# Reference: https://twitter.com/Artilllerie/status/1179753482783473665

chlwdxvug4ptljce.onion

# Reference: https://blog.talosintelligence.com/2019/10/threat-roundup-for-september-27-to.html (# Win.Malware.Osiris-7191711-1)

updateserver4.top
updateserver7.top
updateserver5.top
updateserver9.top
updateserver2.top
updateserver8.top
updateserver10.top
updateserver6.top
updateserver3.top

# Reference: https://twitter.com/VK_Intel/status/1190317493224689667
# Reference: https://www.virustotal.com/gui/file/f61870ea2b807f6a3314ff303942961b6f4009464da09d98ea202d3450534ad3/detection

jpb3hvq7v7bsyemq.onion

# Reference: https://www.virustotal.com/gui/ip-address/142.93.190.102/relations

http://142.93.190.102
142.93.190.102:3389
142.93.190.102:443

# Reference: https://www.virustotal.com/gui/file/9d1b1960355e72b205189e7a122b6a9c4197cca650569edc89612a62d6b66efc/detection

managejave.myftp.org
update43x.myvnc.com

# Reference: https://twitter.com/malwrhunterteam/status/1321375502179905536
# Reference: https://www.virustotal.com/gui/file/a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4/detection

http://193.23.244.244
128.31.0.34:9131

# Reference: https://twitter.com/malwrhunterteam/status/1321388593416462337

344744.cloud4box.ru
regretzjibibtcgb.onion

# Reference: https://twitter.com/nazywam/status/1323624894458925056

o3qrynq3djknfebz.onion

# Reference: https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses
# Reference: https://otx.alienvault.com/pulse/60219f6bdc6edbc5308da56b/

ylnfkeznzg7o4xjf.onion

# Reference: https://twitter.com/D3LabIT/status/1359122226277195777
# Reference: https://www.virustotal.com/gui/file/8bbd51eb0dd0cac3e3cbd683b140b7eea3b6f13ce0c214af48f32a26791949e1/detection

mydynamite.dynv6.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1359404803596648450

rieseshopping.it/wp-content/plugins/set.exe
rieseshopping.it/wp-content/plugins/amss.jpg

# Reference: https://twitter.com/nazywam/status/1325399134808010752

linkoz.xyz

# Reference: https://www.virustotal.com/gui/file/57e348bbe709ef986f51259a8e14f6062ce36f98f2176d08f0165b124d72a9bb/detection

8.209.68.209:4039
march-socat01.com
march-socat01.xyz
marchassl01.com

# Reference: https://www.virustotal.com/gui/file/1d0ada2c71521fe445cf859da8f64b51ea469a5ed46af07364e777458c26c5ac/detection

185.220.101.193:20193
36.227.169.186:9030

# Reference: https://twitter.com/siri_urz/status/1369394878027825161
# Reference: http://vxvault.net/ViriList.php?MD5=BA756BD88B3C26C287DB5863FC232F50

wifoweijijfoiwjweoi.xyz

# Reference: https://twitter.com/benkow_/status/1369594973524553730

trqtfidgqmcmqytw.onion

# Reference: https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan
# Reference: https://pastebin.com/XU6YfvWG
# Reference: https://otx.alienvault.com/pulse/606e1808f8f6722a577e7cf9

cabletv.top
ddkdfefflfff.top
ddkdfheekfgj.top
ddkdflefmdgm.top
ddkdfodfkdhq.top
ddkdfqfemdgq.top
ddkdiedekdig.top
ddkdihfdlfji.top
ddkdiledmdkm.top
ddkdioedkeio.top
ddkdiqedlejs.top
ddkdjeddmfkf.top
ddkdjhffldlh.top
ddkdjledlfkm.top
ddkdjodekflo.top
ddkdjqeekdjs.top
ddkdleeflfnf.top
ddkdlhdfmelh.top
ddkdlleflenl.top
ddkdlodfmfmp.top
ddkdlqefkelr.top
ddkdoeefkeqg.top
ddkdoheekepi.top
ddkdolddlfpm.top
ddkdoofeleop.top
ddkdoqeemdpr.top
ddkdseffkdte.top
ddkdshdekfui.top
ddkdsledmfsn.top
ddkdsofdmdsp.top
ddkdsqeeldur.top
ddkifeeeligf.top
ddkifhfekjhi.top
ddkifldemifn.top
ddkifodekjfo.top
ddkifqfemkgq.top
ddkiieddkjif.top
ddkiieeelkif.xyz
ddkiiffdkijh.xyz
ddkiigedliji.xyz
ddkiihdemjii.top
ddkiihfelikh.xyz
ddkiildfmikm.top
ddkiilefmjim.xyz
ddkiioeflijq.top
ddkiiofelkkq.xyz
ddkiiqddmiiq.top
ddkiiqefmiir.xyz
ddkiirfdmjks.xyz
ddkiitefkkju.xyz
ddkijedelklg.top
ddkijheemikj.top
ddkijledmjll.top
ddkijodemkjo.top
ddkijqedmjlr.top
ddkikefflime.top
ddkikhddljlj.top
ddkiklfemkll.top
ddkikodfkklo.top
ddkikqedljls.top
ddkileedljmg.top
ddkilhfdljlh.top
ddkillfdmilm.top
ddkiloedlkmo.top
ddkilqedlkns.top
ddkioeeflioe.top
ddkiohdfljqj.top
ddkioleekjom.top
ddkioodemkpp.top
ddkioqedljpq.top
ddkiseeelitg.top
ddkishddmkui.top
ddkisldelitm.top
ddkisodekkuo.top
ddkisqffmkts.top
ddkxfedflzhe.top
ddkxfhfelygj.top
ddkxflefkyfl.top
ddkxfodfmzhp.top
ddkxfqdemxfq.top
ddkxieddkxkg.top
ddkxihefkyij.top
ddkxilefmzil.top
ddkxioefmxjo.top
ddkxiqdfkxks.top
ddkxjeeelylg.top
ddkxjheflxji.top
ddkxjlefmxln.top
ddkxjoffmzlq.top
ddkxjqefmyls.top
ddkxkeddmylg.top
ddkxkhffkzkj.top
ddkxklfekyml.top
ddkxkoddmykq.top
ddkxkqeelxlr.top
ddkxleddmzlf.top
ddkxlhfdlzmi.top
ddkxlldflzll.top
ddkxloddmzlo.top
ddkxlqeemymr.top
ddkxoefdkzpg.top
ddkxohedlxpi.top
ddkxolddmzql.top
ddkxooffkxpo.top
ddkxoqefkxqq.top
ddkxsedfmzuf.top
ddkxshfemysi.top
ddkxslfemxum.top
ddkxsoddkyuo.top
ddkxsqddkxss.top
m3r7ifpzkdix4rf5.onion
qqkzfkax24p4elax.onion
securebankingapp.com
vbyrduc537l5po3w.onion
wifoweijijfoiwjweoi.xyz
ylnfkeznzg7o4xjf.onion

# Reference: https://twitter.com/The_d0c_T0R/status/1127233691451891712

88.184.237.14:8888

# Reference: https://www.virustotal.com/gui/file/56b14179deca2645e16d68a72d49c8b4fa46f8d64796b012bdd42661465c30e9/detection

asmkopvdmvoasdkm.ml
ddkiigfewewdliji.to
ddkiihsdffelikh.ml
ddkiiodgjgfelkkq.to
ddkiirwfdmjks.to
ddkiiseretfgdeelkif.ml
ddkiisfsdffdkijh.ml
ddkiitewefkkju.to
geotrackangsdfetatistics.ml
updatesdfetrtegfsv121.to

# Reference: https://twitter.com/malwrhunterteam/status/1410197757667823618
# Reference: https://www.virustotal.com/gui/file/531686f56257eafa0da5908fa50d5ef2ef51efee156c1185c212ed0958ee5b59/detection

193.11.164.243:9030
94.16.114.105:8080

# Reference: https://www.joesandbox.com/analysis/439583/0/html

ljp2pqlc7i4ooqhk.onion

# Generic trails (URL paths rather than host indicators; these are less specific than the entries above, so a match on one of them alone carries less weight)

/kpanel/connect.php
/panel/connect.php
/panel/upload/data.cmp
/ZRNlFwIb/connect.php
/tor/keys/fp-sk/
/tor/server/fp/
/tor/status-vote/current/consensus
