# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside

briancobert.com

# Reference: http://cybercrime-tracker.net/index.php?search=AZORult

00v.xyz
0131.ga
4max.xyz
accqweqweazo.com
ad.icab.pk
aimnawnt.beget.tech
akingu.bit.md-98.webhostbox.net
alexblog24.p-host.in
among3919.com
andreimolchanov.siteme.org
art4.xyz
asdfz.ru
azorneutrino.com
banckofamerica.info
benchadcrd.nl
bitcoalko.com
bitscoinsme.com
blackexploitz.net
bmagikleak.website
bucscrup.ru
cc33782.tmweb.ru
ch.baskpower.com
coinbitbot.ru
cresbuy.ga
crypto-e.org
cryptopiabot.cc
cryptopiasupport.co
cryptotrust.today.md-35.webhostbox.net
defaultbrowser.xyz
donperenion.com
doueven.click
druvan.xyz
elowpuki.com
elysium-inc.pro
elysium-ltd.pro
ernazar.tk
eualube.com
fde4.tk
fdsv.ml
feamleys.com
flash-piayer-update.com.md-90.webhostbox.net
fsdf.ga
gmx7.com
gob.grantflaskparty.com
gohithatsandrof.win
grantflaskparty.com
hallojab.co.ua
hellojab.com
hhamay.website
holidey.pw
hondobakr.top
hotbest-apps.com
iddqdp.pw
imbaxqxq.org
inc0de.gq
kalakhomes.club
kamyn9ka.com
keyar12f.beget.tech
l2fog.ru
lelllnn.com
lers.xyz
levonside.space
loveyouneed.pw
mcgau2.bit.md-100.webhostbox.net
methodist.sch.id
mike.rivalserver.com
mix1456465.com.cp-47.webhostbox.net
mobwerpingthis.com
mopw.men
mybigfish.stream
myxamop.com
needmorelogs.club
nervozn.tk
nimerstat.ru
ninjatrader.life
npromo.world
ogabosworld.com
ortaksistem.com
panamera.site
pchel8.tk
poloniex.spb.ru
pornhospital.net
port.so.tl
preramet123.name
ps4akk.ru
qers.xyz
rar-lab.ru
rotkit.tk
sads.ml
scat01.tk
scat.cf
sepprod.com
sharfik.club
sinutinu.com
skyroot.ru
solimetalspa.com
sondomax.co
sskyokker256.bit.md-89.webhostbox.net
sslwmi.top
sumocloud.club
svchost.pw
sysplugins.com
taskdata.gq
trimasjaya.com
ubmwuyq.com
ultimaspots.co.uk
usa-bank.info.md-91.webhostbox.net
videocommercialsforyou.com
videopopups.com
vm239011.had.su
vsd1.net
wattmeter.win
www.alkratrad.com
www.antonskoritskii.com
www.asdasdq.com
www.azghost888.com
www.benchadcrd.nl
www.cryptopiasupport.co
www.elowpuki.com
www.ghost888abc.com
www.gopety.cc
www.grandmasson.pw
www.rar-lab.ru
x7x.xyz
zevs3.xyz
zevs5.xyz

# Reference: https://twitter.com/SevenLayerJedi/status/950761083509313536

macpay.pw

# Reference: https://twitter.com/James_inthe_box/status/1039250061065039873

microsoft-update-server.bit
securityupdateserver4.com

# Reference: https://twitter.com/ViriBack/status/983011333506588672
# Reference: https://pastebin.com/nwWHHFe0

fdos.tk
genri.ga
gfcv.tk
gfsd.ga
grlo.tk
qpzm.gq
suka1.tk
vfsv.tk

# Reference: https://cert.gov.ua/news/44
# Reference: https://www.virustotal.com/#/ip-address/192.198.87.130
# Reference: https://www.virustotal.com/#/ip-address/185.193.38.78

http://185.193.38.78/
cashouts.tk
vitani.tk

# Reference: https://twitter.com/JAMESWT_MHT/status/1046755632299352064

columbusfunnybone.com/images/drop.php

# Reference: https://twitter.com/ViriBack/status/1050032466164154368

bigchlen.tk

# Reference: https://www.malware-traffic-analysis.net/2018/10/12/index.html

bitdotz.top

# Reference: https://twitter.com/avman1995/status/1052426452187185153

qe.igg.biz/gate.php

# Reference: https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/

certipin.top
infolocalip.com
tohertgopening.com

# Reference: https://twitter.com/james_inthe_box/status/1022866075493355520

kenkelord.gq

# Reference: https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update

s63.bit

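# Reference: https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/
# Note: this entry, like the other entries in this file that begin with '/', names a URL path with no host. A hit identifies the panel path only; confirm the contacted host against the reference before treating the traffic as AZORult.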

/java/java9356/index.php

# Reference: https://twitter.com/James_inthe_box/status/1106558836171632642

/027-xcv-j/index.php

# Reference: https://twitter.com/James_inthe_box/status/1106551689132138497

llkty.gq/8s/index.php

# Reference: https://twitter.com/James_inthe_box/status/1105124840501989378
# Reference: https://twitter.com/James_inthe_box/status/1110196027338817538

/simbi/index.php

# Reference: https://twitter.com/VK_Intel/status/1108604579938131968

google-analutics.com

# Reference: https://twitter.com/Racco42/status/1103435627343822848

directdns.duckdns.org
httsdomainset.ddns.net

# Reference: https://twitter.com/Racco42/status/1101131815216168961

myprepaidfiles.ddns.net
directdns.cc

# Reference: https://twitter.com/Racco42/status/1095444880749481986

maxmini.duckdns.org
newconnect.duckdns.org

# Reference: https://securelist.ru/azorult-analysis-history/93645/ (Russian)
# Reference: https://securelist.com/azorult-analysis-history/89922/ (English)

daticho.ac.ug
ravor.ac.ug

# Reference: https://twitter.com/luc4m/status/1107680285834006528

gsutekardookay.com

# Reference: https://twitter.com/luc4m/status/1078691595111878657

sherkseafoods.com

# Reference: https://twitter.com/ps66uk/status/1108295117826387969

/cz/cjin3/index.php

# Reference: https://twitter.com/James_inthe_box/status/1109120289604931584

/azrt/index.php

# Reference: https://twitter.com/James_inthe_box/status/1109835474493829120
# Reference: https://pastebin.com/tvn8EMyS

ymad.ug/1/index.php

# Reference: https://twitter.com/ViriBack/status/1069965350442283009
# Reference: https://pastebin.com/PTkLE0se

/panel632541/admin.php
/io213b5obo/admin.php

# Reference: https://twitter.com/albertzsigovits/status/1110124808572948482

a.helps.site
azmarterroos.com
hellacademy.com
horseliker.ac.ug
justflux.org/webupl.php
parnakol.ug
stelfeshor.ru
zelner.info

# Reference: https://twitter.com/albertzsigovits/status/1110124941356212224

dragonfire.ac.ug
frupidgi.cn
hostname.vip
roninan.ac.ug
tembumgo.pw

# Reference: https://twitter.com/James_inthe_box/status/1110915814725550080

http://78.142.29.208/real/index.php

# Reference: https://twitter.com/Racco42/status/1111189949712420864

armasglass.com/oni/index.php

# Reference: https://twitter.com/James_inthe_box/status/1111666754604789760

recordsforsmssent.xyz/jeff/index.php

# Reference: https://twitter.com/x42x5a/status/1112693567103868928

http://92.63.192.72/index.php

# Reference: https://twitter.com/James_inthe_box/status/1113510502439616513

0x234.com/index.php

# Reference: https://twitter.com/thlnk3r/status/1113658517544550401

gamingserversplus.life/index.php

# Reference: https://twitter.com/ViriBack/status/1094261293693972480

ibrandworld.com/jsl.php

# Reference: https://twitter.com/takerk734/status/1113851637292920832

/Qw2XbN3/index.php

# Reference: https://twitter.com/angel11VR/status/1115343202167533568
# Reference: https://pastebin.com/0bX17LaY

cubaworts.gq

# Reference: https://twitter.com/x42x5a/status/1115651159388246016

cryptofaze.com

# Reference: https://twitter.com/VK_Intel/status/982346117298843649

balepinos.com

# Reference: https://twitter.com/LEICHAO_init/status/1118910795675521030

lestonline.gq

# Reference: https://twitter.com/pancak3lullz/status/1085591305269460992

/robb/index.php

# Reference: https://twitter.com/OttoScav/status/1080485559787835392

freetalksa.xyz

# Reference: https://twitter.com/James_inthe_box/status/1121047649459642369

mintyoctopus.com

# Reference: https://twitter.com/avman1995/status/1120893763977658369
# Reference: https://app.any.run/tasks/80464c35-e9f8-44ed-a346-50bf0642cec9

http://95.179.189.49/CC/index.php

# Reference: https://twitter.com/x42x5a/status/1121094286613852162

klyaksa.xyz

# Reference: https://twitter.com/x42x5a/status/1121523221432500225

asahi-tankar.com

# Reference: https://twitter.com/x42x5a/status/1121702655464751104

huanopkey.site

# Reference: https://twitter.com/Racco42/status/1122797588120592384
# Reference: https://app.any.run/tasks/ae52cc1b-f2d5-4d6d-a93c-8c15dff0132f

geu.life
millanplaners.duckdns.org

# Reference: https://twitter.com/Racco42/status/1123953925831446529

izone.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1124625622913806336

lusectech.eu

# Reference: https://twitter.com/x42x5a/status/1125467728406548481

istats.club

# Reference: https://twitter.com/JAMESWT_MHT/status/1126092095465381888

formigations.world

# Reference: https://twitter.com/James_inthe_box/status/1126182590153515009

prolificwealth.ml/wp-content/mee/32/index.php

# Reference: https://twitter.com/James_inthe_box/status/1126846840060571648

/nedu/32/index.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1128675913728700416

dawanepondi.com

# Reference: https://twitter.com/ViriBack/status/1128826571010260994

doomaal.ac.ug

# Reference: https://twitter.com/James_inthe_box/status/1129460760076115969

http://77.222.55.225/index.php

# Reference: https://twitter.com/x42x5a/status/1130816960315498496

mikmuncen.ac.id

# Reference: https://twitter.com/P3pperP0tts/status/1131607738457513989

evaglobal.eu

# Reference: https://twitter.com/nao_sec/status/1132588323262742528
# Reference: https://app.any.run/tasks/27aec731-68a6-4bdf-9feb-55c413acd9f0/

getsee-soft.xyz

# Reference: https://twitter.com/P3pperP0tts/status/1133520317341753347

arispedservices.eu

# Reference: https://twitter.com/SethKingHi/status/1133564418355163136

aramkaaz14.temp.swtest.ru
bigsuper.rocks
bloomsolutions.top
i2kq82kd.cn
lary-pages.com
narcos.3utilities.com
qepxc.ga
witatto.co

# Reference: https://twitter.com/jorgemieres/status/1130863029573312512

privacytool.ru

# Reference: https://twitter.com/James_inthe_box/status/1134149799601553408

begurtyut.info

# Reference: https://twitter.com/James_inthe_box/status/1134464016095383552

veegoo.com.sg

# Reference: https://twitter.com/ViriBack/status/1134662952898965504
# Reference: https://pastebin.com/pkZ0TBnc

arispedservices.eu
binnatto.de
binatech.eu
kmgroup.pw
yogh.eu
lexaalkash.temp.swtest.ru

# Reference: https://twitter.com/JAMESWT_MHT/status/1135515112121540609
# Reference: https://app.any.run/tasks/a470917e-fb77-4f53-945a-109804624e8b/

http://185.79.156.18/jam/index.php

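# Reference: https://twitter.com/JAMESWT_MHT/status/1136204624342503425
# Reference: https://www.virustotal.com/gui/domain/tmweb.ru/relations
# Note: the entry below is a regular expression, not a single host. It matches every c<letter><five digits>.tmweb.ru name (cc33782.tmweb.ru, listed earlier in this file, is one of them), so verify a hit against the references before treating the host as an AZORult C2.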

\bc[a-z]{1}[0-9]{5}\.tmweb\.ru

# Reference: https://twitter.com/Racco42/status/1136602289953746944

visionscape.duckdns.org

# Reference: https://twitter.com/James_inthe_box/status/1139630548626751488

http://185.62.190.23/index.php

# Reference: https://twitter.com/DbgShell/status/1142257921889316870
# Reference: https://www.virustotal.com/gui/file/72288ab34ee508d0f65e7ebf884b21e94ee191e96de5931dd68288fcc8bfcf7f/detection

dotbit.me/a/

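# Reference: https://twitter.com/malware_traffic/status/1143662206099365890
# Reference: https://app.any.run/tasks/4365c9b9-7ea6-4d90-897c-8302410c9234/
# Reference: https://twitter.com/JAMESWT_MHT/status/1144239446759563265
# Reference: https://app.any.run/tasks/61f4998e-27bf-4429-80c6-e23c694e6c65/
# NOTE(review): the two addresses below differ only in the third octet (241 vs 231); confirm each against the references above in case one is a transcription error.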

http://51.15.241.96/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php
http://51.15.231.96/4/3AFDF4A3-33B5-4028-B8B8-E66616F1CBA7/index.php

# Reference: https://twitter.com/James_inthe_box/status/1144227200209580032

lusecproducts.top

# Reference: https://twitter.com/Paladin3161/status/1144341515428196352
# Reference: https://pastebin.com/i6Gfxs0q

http://185.164.72.241/wogor/index.php

# Reference: https://twitter.com/P3pperP0tts/status/1144868292525461504

stanendybiz.top

# Reference: https://app.any.run/tasks/dee05de9-4286-45b5-8b0d-7291e09f6c16/

vh64.timeweb.ru

# Reference: https://twitter.com/malware_traffic/status/1145749834923696129

lucknowww.top

# Reference: https://twitter.com/MisterCh0c/status/1145598683997724673

69.kl.com.ua

# Reference: https://twitter.com/P3pperP0tts/status/1146398222904152066

http://92.63.192.127/index.php

# Reference: https://twitter.com/benkow_/status/1147442492046020608

brain.ac.ug
jopa.ac.ug
nobrain.ac.ug

# Reference: https://twitter.com/ps66uk/status/1148876602727653376

http://103.133.106.156/july/index.php

# Reference: https://twitter.com/ps66uk/status/1148876604296368129

http://103.125.191.69/donserly/index.php

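# Reference: https://twitter.com/adrian__luca/status/1149689208405221378
# Reference: https://app.any.run/tasks/333bda58-5a37-4543-8492-d3b7d2d85361/
# Reference: https://twitter.com/nao_sec/status/1160878626688008195
# Note: the three literal vh<digits>.eurodir.ru hosts below are already covered by the regular expression that follows them. That pattern matches any vh<six digits>.eurodir.ru name and, unlike the tmweb.ru pattern in this file, has no leading \b anchor; verify a regex-only hit against the references.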

vh308850.eurodir.ru
vh307870.eurodir.ru
vh314957.eurodir.ru
vh[0-9]{6}\.eurodir\.ru

# Reference: https://twitter.com/malware_traffic/status/1090366374772383745

http://51.15.241.168/AEDD77D05-A028-477C-B013-04F33F1385C3/index.php

# Reference: https://twitter.com/James_inthe_box/status/1150418960464039936

timekeeper.ug
hjkg456hfg.ru

# Reference: https://twitter.com/James_inthe_box/status/1151222412890927104

k.icf-fx.kz

# Reference: https://twitter.com/Paladin3161/status/1151447962058465282

dottybiz.top
mrjbis.top

# Reference: https://twitter.com/James_inthe_box/status/1151583038087655424

7wereareyou.icu

# Reference: https://app.any.run/tasks/15240364-844c-4489-9b74-c6f28a9d72d1

/.well-known/backup/index.php

# Reference: https://twitter.com/Paladin3161/status/1152645058434338816

asicivilsurvey.com

# Reference: https://twitter.com/x42x5a/status/1153208780714369025

dfghdfghhffd.ru
timebound.ug

# Reference: https://twitter.com/Racco42/status/1153297037791760385

savana.duckdns.org
xchange.duckdns.org

# Reference: https://twitter.com/Racco42/status/1154713892314066944

edirect.duckdns.org
irila1.duckdns.org

# Reference: https://twitter.com/Artilllerie/status/1155851644262920199

free-bitcoin-earnings.tk

# Reference: https://twitter.com/Paladin3161/status/1156509693872758784

http://185.136.171.122/russia/index.php

# Reference: https://twitter.com/Paladin3161/status/1157069487662723072

http://137.74.181.121/index.php
http://184.164.137.183/index.php

# Reference: https://twitter.com/romonlyht/status/1157190035868807169

warnning-accounts-recovery-appleid-apple.com

# Reference: https://twitter.com/Paladin3161/status/1158527567411871744

trafficaddicts.ru

# Reference: https://twitter.com/Lvanoel/status/1159335174838083584
# Reference: https://app.any.run/tasks/6340754c-5c71-4690-877f-55cb33e480e9/

firemetrics.com.au

# Reference: https://twitter.com/Paladin3161/status/1159984827124162560

lycos.top
modexcommunications.eu

# Reference: https://twitter.com/Paladin3161/status/1160640437272469504

program.zadc.ru

# Reference: https://twitter.com/Paladin3161/status/1160887839770284033

http://185.11.146.158/index.php

# Reference: https://twitter.com/Paladin3161/status/1161226389476929536

http://185.11.146.144/index.php

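# Reference: https://twitter.com/Paladin3161/status/1160892405760966656
# Reference: https://www.virustotal.com/gui/domain/myihor.ru/relations
# Note: the entry below is a regular expression matching any ih<seven digits>.myihor.ru name rather than one confirmed host; check a hit against the references before acting on it.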

ih[0-9]{7}\.myihor\.ru

# Reference: https://twitter.com/Paladin3161/status/1161420183124058112

bazar-top4ik.best

# Reference: https://twitter.com/gorimpthon/status/1163616173860122624

modcloudserver.eu

# Reference: https://unit42.paloaltonetworks.com/newly-registered-domains-malicious-abuse-by-bad-actors/

soroog.xyz

# Reference: https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/

http://103.253.27.234/teststeal/gate.php
parking-services.us

# Reference: https://twitter.com/Paladin3161/status/1163788023005208577

http://185.222.56.163/index.php

# Reference: https://twitter.com/Paladin3161/status/1163997644898750465

normpost.club
testaztest.xyz

# Reference: https://twitter.com/James_inthe_box/status/1164898833500798976

losjardinesdejavier.com/admin/32/index.php

# Reference: https://twitter.com/DynamicAnalysis/status/1165720711219929088
# Reference: https://pastebin.com/wHV90Sc2

http://151.80.8.23/panel/index.php
http://185.222.56.163/index.php
http://23.227.201.16/gidi/index.php
http://92.63.192.119/index.php
a0327852.xsph.ru
a0329841.xsph.ru
cdl24885oq.temp.swtest.ru
kilangsprcoket.tk
latiso.ru
modcloudserver.eu
roberto.ac.ug
testaztest.xyz
testieng.kl.com.ua
u4504124br.ha003.t.justns.ru
lakeshoreintegrated.com/ch/index.php
xcvcdgfg.ru

# Reference: https://twitter.com/P3pperP0tts/status/1166320996640419841

http://87.98.166.117

# Reference: https://twitter.com/Paladin3161/status/1166341820533497856

hellhounds713.ddnsking.com

# Reference: https://twitter.com/smica83/status/1166348627025039360

craft-holdings.duckdns.org
westernautoweb.duckdns.org

# Reference: https://twitter.com/Paladin3161/status/1166480667992936449

opengopro.live

# Reference: https://twitter.com/Paladin3161/status/1166665502803890176

dell2.ug

# Reference: https://twitter.com/P3pperP0tts/status/1167083511385378816

new-credit.space

# Reference: https://twitter.com/Paladin3161/status/1167411656122519552

wasserettederoos.nl

# Reference: https://twitter.com/P3pperP0tts/status/1168068329027694594

gdfdfv.ru

# Reference: https://twitter.com/benkow_/status/1168598376977448960

twooo.cn

# Reference: https://twitter.com/killamjr/status/1168904634498502656

dooo74.imparisystems.com

# Reference: https://twitter.com/Paladin3161/status/1169585589420580864
# Reference: https://pastebin.com/CWzW2L5U

http://45.76.87.43
absetup7.icu

# Reference: https://twitter.com/JAMESWT_MHT/status/1169911257987780608

http://170.130.205.86

# Reference: https://twitter.com/James_inthe_box/status/1171154845908140038

http://192.95.56.53/index.php

# Reference: https://twitter.com/Paladin3161/status/1172235296223584256

http://83.97.20.170/index.php

# Reference: https://twitter.com/Paladin3161/status/1172252192054661122

bruxara.com

# Reference: https://twitter.com/SolutionsXnotes/status/1173236541092556807

bloggingmarks.ga

# Reference: https://twitter.com/James_inthe_box/status/1174336699112906752

geohotw.com

# Reference: https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html

jma-go.jp
ivanoffol3.temp.swtest.ru
mockerton.top
nagoyashi.chimkent.su

# Reference: https://blog.talosintelligence.com/2019/09/odt-malware-twist.html
# Reference: https://otx.alienvault.com/pulse/5d92273c5bc9b66ef6ef87a7

amibas8722.ddns.net
wh-32248.portmap.io

# Reference: https://twitter.com/P3pperP0tts/status/1178989832380518401

flozzy.uk/wp-admin/file/32/panel/admin.php
flozzy.uk/wp-includes/admin/32/panel/admin.php
worldmasterclass.com/wp-admin/file/32/panel/admin.php

# Reference: https://blog.prevailion.com/2019/10/mastermana-botnet.html

http://216.170.126.146/2ky/index.php
http://216.170.126.146/ahsan/index.php
http://23.249.163.135/index.php

# Reference: https://twitter.com/eramirezgc/status/1179519997057667073

http://170.130.205.86/index.php

# Reference: https://twitter.com/P3pperP0tts/status/1181170339675553793

testieng.kl.com.ua

# Reference: https://twitter.com/P3pperP0tts/status/1181504485685899264

superlatinradio.com/edu/32/panel/admin.php
superlatinradio.com/nons/32/panel/admin.php

# Reference: https://twitter.com/P3pperP0tts/status/1181526309438185473

gstfast.tk/wp-content/cii/32/panel/admin.php

# Reference: https://app.any.run/tasks/2c1d5942-b788-4316-952b-320f61494fd2/

http://5.188.231.19/index.php

# Reference: https://twitter.com/Racco42/status/1183676828910804992

1990.duckdns.org
c1e86f3506cfe05a6738ea6893ff7e.duckdns.org

# Reference: https://twitter.com/P3pperP0tts/status/1184082484050518019

riascos.org/cjay/32/panel/admin.php

# Reference: https://app.any.run/tasks/fc2c8026-c40c-493d-aadc-4b701bdc516b/

http://81.177.6.14/index.php

# Reference: https://twitter.com/wwp96/status/1188830383401504768

http://185.250.240.237

# Reference: https://twitter.com/DrStache_/status/1188917585540276224

rsk.co.tz

# Reference: https://twitter.com/P3pperP0tts/status/1189107385341743105

http://18.216.84.23

# Reference: https://twitter.com/P3pperP0tts/status/1190217928949534720

sylvaclouds.eu

# Reference: https://twitter.com/P3pperP0tts/status/1191014883028062211

waresystem.com
