# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-2056-99&tabid=2

rmnzerobased.com
awecerybtuitbyatr.com
awrcaverybrstuktdybstr.com
qwevrbyitntbyjdtyhvsdtrhr.com
yeiolertxwerh.com
ytioghfdghvcfgbgvdf.com

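# Reference: https://web.archive.org/web/20120106212034/http://amada.abuse.ch/blocklist.php?download=domainblocklist
# Note: awecerybtuitbyatr.com is listed twice in this file (here and under the Symantec reference above).
# Note: nagwa.mooo.com is a hostname under a shared dynamic-DNS zone (mooo.com); match the full hostname only, never the parent zone.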

awecerybtuitbyatr.com
fget-career.com
nagwa.mooo.com
poopthree.com
zahlung.name

# Reference: https://research.checkpoint.com/ramnits-network-proxy-servers/

k0ntuero.com
oaifpapl.com
vupkimcu.com
nkootxbt.com
ramilhgme.com
havonolwc.com
anulwyqw.com
mtankfqv.com

# Reference: https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy

xohrikvjhiu.eu

# Reference: https://www.virustotal.com/#/file/66699ca374cf3e41ed56559ca5849b432733f6698af0d7ca069c50716b8c014a/behavior

stromoliks.com
promoliks.com
pornoliks.com

# Reference: https://totalhash.cymru.com/analysis/?ad13a92a6b2d5dc85276d86c9536767386dba37e
# Reference: https://www.virustotal.com/gui/file/d3c6fd31788c213762c3a330257f1eea1f24f0bda50e44641dd79a2fe37907d9/detection

abbyycommunity.com

# Reference: https://twitter.com/VK_Intel/status/1092554468497989632

newrendomainnext.com

# Reference: https://twitter.com/VK_Intel/status/1045340516559278081

net-info.info

# Reference: https://twitter.com/pollo290987/status/1110189491728334849

supnewdmn.com

# Reference: https://twitter.com/VK_Intel/status/1115533117467627520
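# Reference: https://github.com/k-vitali/ramnit-re/blob/master/2019-04-09-ramnit_client_botnet_dga.txt
# Note: apart from the first entry, the names below look algorithmically generated (the cited listing is a DGA dump).
# A static list covers only the names published at that time, so pair it with DGA-pattern detection.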

firstcrypttestingfree.com
awxmyvbdep.com
yinhbygrm.com
rfoghyrpkljtmaf.com
bwwtnkysunpa.com
aqwmiphorpa.com
udmyjkkbye.com
jqqfiiuajow.com
bfopeafbutexacmdk.com
sucxshtffgitu.com
suadurtto.com
aidylvvhmwpnip.com
glwkxqjjutyccmax.com
fduaxbnjgntk.com
ciytmtvarkucn.com
xjchwlvxhakebv.com
enovvejrmghen.com
pilwocpaj.com
evqtjqbkpffhhnyp.com
gsciljwcjwwtnvjflh.com
nylpscgnkglaosv.com
kugmjxfea.com
xfbgthmvyvw.com
nmwprnfbryifxebapxf.com
sxvhjgui.com
byschplxmorfeee.com
xshwkvppmwtsbld.com
fvhqcwetlpnpm.com
hqsdywcg.com
quvnfxgmwe.com
kgpigdehnulwyvdoxpt.com
jfnwxxircwx.com
muahfvjsvr.com
dgooodsqe.com
vxvxwwiefignkacrvq.com
hvyxqwda.com
estxikwflqyiuwu.com
lwnlwalvrwt.com
cehfkwweq.com
edvdnudrmiuansfht.com
jhfqsdntkbvpe.com
qxssoxhj.com
hafjuglmoqyjnvdcd.com
ixgwkuqtydvmeiuo.com
oibwiqayyy.com
nhrnuqncnlvmlmc.com
lbqgkgutngeks.com
kcjudtmwvdbel.com
dbooojfb.com
ixvrjrgyqmgeaxgxl.com
ugwbusodliwg.com

# Reference: https://twitter.com/SickPeaSec/status/1138513877090443264
# Reference: https://app.any.run/tasks/556d8b64-060e-425a-b71c-be8f59981310/
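# Reference: https://www.virustotal.com/gui/ip-address/121.41.39.145/relations
# Note: IP:port indicators go stale when the address is reassigned; re-check current ownership before using this entry for blocking rather than alerting.
# The same applies to the other IP:port entries in this file.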

121.41.39.145:7443

# Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0712-0719.html (# Win.Malware.Ramnit-7057249-1)

atfpjouljn.com
bphnopydih.com
bwnkdjlesbf.com
echrepdvcd.com
esxfrepgcyyvoim.com
fbhtsymefdwstuivosx.com
ffdjiuvufw.com
gwlqggasgcluo.com
haqcdkwtukdegysigtv.com
hivlcjcvux.com
htiobrofuirwkgn.com
jhapjgvatltxunklfwk.com
mbtseiltigrijncw.com
ntqchcmoegeif.com
qdvmstrtkslghpmunuk.com
qmbmbyqkltqfbbtxxc.com
rghwarmlxmqivfmcs.com
saqjrigpkuins.com
tswgqcseq.com
uacwwgvrdgqscbwb.com
vqrsxslnbqt.com
wgpvglbadxo.com
wwteytsfaiyrrg.com
ybhiodxwwmoymuv.com
ykvhpxixrqgid.com

# Reference: https://twitter.com/nao_sec/status/1160566105829601281
# Reference: https://app.any.run/tasks/c5f89af4-b740-4a25-bd21-7371c103c006/

pizdavamjaposhki.com
falls.transil.space
busatan-tokyo.site

# Reference: https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/

eppixrakqeueuttiuvi.com
hdyejdn638ir8.com
tmgmgjcvt.com

# Reference: https://twitter.com/nao_sec/status/1170284036809355264
# Reference: https://app.any.run/tasks/d3226768-0b3f-496b-bff8-f9cdb519cf73/

firstlabelserverlive.com

# Reference: https://twitter.com/tkanalyst/status/1173121485889667073
# Reference: https://app.any.run/tasks/ec7b7dc9-823e-4dc8-8aae-f7c2ff2c6128/

duiqemfxnwcvndtoq.com
ghjwekbefv.com
mgpcuaph.com

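# Reference: https://www.virustotal.com/gui/ip-address/5.180.102.147/relations
# Note: presumably these are names VirusTotal relates to 5.180.102.147; IP relations can include unrelated tenants, so verify each name before relying on it.
# firstlabelserverlive.com is already listed above under the nao_sec reference.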

aytpgnkdcmsmaqyeqms.com
firstlabelserverlive.com
gcgyxdkpl.com
njojdicg.com
rfprukfsdf.com
unitariumstate.com
vkaisyssaikqxpsb.com

# Reference: https://twitter.com/pancak3lullz/status/740566474427752451

58.215.79.72:7158

# Reference: https://twitter.com/pancak3lullz/status/739876007029575681

45.34.191.159:1996

# Reference: https://twitter.com/pancak3lullz/status/739571723826139136

hzgunn.com

# Reference: https://app.any.run/tasks/7f756e5c-cc68-4b59-b64d-62db4cada914/

103.85.110.75:8080

# Reference: https://app.any.run/tasks/213b39c9-2831-4195-97fd-faccbc0c183c/

homestudios.co

# Reference: https://twitter.com/DGAFeedAlerts/status/1233800063459217409

uodtkaehsnyqd.com

# Reference: https://twitter.com/DGAFeedAlerts/status/1233830197922795521

wdenobvxggva.com

# Reference: https://github.com/silence-is-best/c2db#ramnit

yx-lj.com

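# Reference: https://blog.talosintelligence.com/2020/10/threat-roundup-1016-1023.html (# Win.Trojan.Zegost-9778522-0)
# Note(review): the cited Talos signature names Zegost, while other references in this file name Ramnit; confirm the family attribution of srawslorpower.com before relying on the label.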

srawslorpower.com

# Reference: https://www.virustotal.com/gui/file/150604b884a85bbc9f3202f9fed47c5adfd80d652274f74b7396737c66c7390b/detection

vtboss.yolox.net
