# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: chanitor, hancitor

# Reference: https://www.threatcrowd.org/listMalware.php?page=0&antivirus=Trojan:Win32/Chanitor

o3qz25zwu4or5mak.onion
o3qz25zwu4or5mak.tor2web.org
o3qz25zwu4or5mak.tor2web.ru
svcz25e3m4mwlauz.onion
svcz25e3m4mwlauz.tor2web.org
svcz25e3m4mwlauz.tor2web.ru
um6fsdil5ecma5kf.onion
um6fsdil5ecma5kf.tor2web.org
um6fsdil5ecma5kf.tor2web.ru

# Reference: https://twitter.com/James_inthe_box/status/1044957343568388097
# Reference: https://pastebin.com/st49wnwB

onthethatsed.ru
tontheckcatan.ru

# Reference: https://pastebin.com/bPV4gVVL

heundthetrec.ru
perranrowsin.com
utteronhim.ru

# Reference: https://pastebin.com/CQGHUK03

caperlighleft.com
hescatofme.ru
ledeventutru.ru

# Reference: https://twitter.com/James_inthe_box/status/1047490196319612928

milliondollarlawsuit.co

# Reference: https://twitter.com/malware_traffic/status/1113586907655680001

waorveled.com

# Reference: https://twitter.com/Antelox/status/914949407442862080

kedmolorop.com

# Reference: https://twitter.com/BroadAnalysis/status/880488094277009408

repwasswithhow.com

# Reference: https://twitter.com/BroadAnalysis/status/783725374161186816

gotevengsorol.ru

# Reference: https://twitter.com/BroadAnalysis/status/753688954323529729

wassuseidund.ru

# Reference: https://twitter.com/mesa_matt/status/1113866153108148224
# Reference: https://ghostbin.com/paste/27b9a/raw

alldogspoop.co
alldogspoop.org
alldogspoop.biz
alldogspoop.info
alldogspoop.mobi
alldogspoop.net
cherryhillpooperscoopers.com
pooperscooperfranchise.com
shopalldogspoop.com

# Reference: https://twitter.com/CapeSandbox/status/1132548710490148864

hinsurefling.ru
oneningsitar.com
witoftrinreb.ru

# Reference: https://twitter.com/VK_Intel/status/1143512697004331008
# Reference: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-06-25-hancitor-build-2705_437890-vk.txt

hefidanot.com
metyrofhe.ru
usesindownne.ru

# Reference: https://twitter.com/malware_traffic/status/1145793372126416897

totharduron.com

# Reference: https://twitter.com/killamjr/status/1146108509324480514
# Reference: https://app.any.run/tasks/fe00a2ef-0140-4335-8c29-31b2cf15e358/

carbonatedcocktails.com
fizzics.biz
perlinisystems.com
shanakaplan.com

# Reference: https://twitter.com/VK_Intel/status/1146139326646034433
# Reference: https://twitter.com/James_inthe_box/status/1145765244645433344
# Reference: https://twitter.com/malware_traffic/status/1146503887215636480

http://31.44.184.201/fknmo/gate.php
http://31.44.184.33
tonsruhatbab.com

# Reference: https://twitter.com/James_inthe_box/status/1153326001155272704

forrolrestons.ru
hersdintfortho.ru
retredmuchwas.com

# Reference: https://twitter.com/HerbieZimmerman/status/1166046889067896832
# Reference: https://app.any.run/tasks/6a8b1b54-320e-4cf8-aed0-0140714fdd10/

rolfikinme.ru
sparherrestal.ru

# Reference: https://twitter.com/K_N1kolenko/status/1096001487040331778

ratlittonrigh.com
tofttoldboand.ru
fortroweventlac.ru

# Reference: https://unit42.paloaltonetworks.com/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/

betsuriin.com
callereb.com
evengsosandpa.ru
felingdoar.ru
gmailsign.info
hecksafaor.com
heheckbitont.ru
hianingherla.com
hihimbety.ru
meketusebet.ru
mianingrabted.ru
moatleftbet.com
mopejusron.ru
muchcocaugh.com
ningtoparec.ru
nodosandar.com
ritbeugin.ru
rutithegde.ru
surofonot.ru
uldintoldhin.com
unjustotor.com
wassuseidund.ru

# Reference: https://twitter.com/JayTHL/status/1179794844262305793
# Reference: https://app.any.run/tasks/0e56d1f8-8606-42d1-8951-88e4d134981b/

csinashville.com
spausence.com

# Reference: https://twitter.com/JayTHL/status/1179799689341886464

cowandchickens.com
chateaumorritt.ca
thegbar.net
thegbars.us
thegbars.net
fedtoner.com

# Reference: https://twitter.com/JayTHL/status/1179796029425754112

knoweent.ru
wortionce.ru

# Reference: https://twitter.com/K_N1kolenko/status/1182244055293599744

compatime.ru
mandanoter.ru
warlarvars.com

# Reference: https://twitter.com/malware_traffic/status/1182407518611529728

avantusthea.com
cornbeijnvoxin.com

# Reference: https://twitter.com/K_N1kolenko/status/1183657536588865536

branderryadhe.ru
caputenedif.ru

# Reference: https://pastebin.com/HLnQT4qy

adu0.xyz
asfpindia.org
austinhcg.com
bigsunshinebooks.com
brydenstt.com
dl-rw.com
drewcanole.com
episodez.online
hygieneteam.nl
pbssindia.in
pflagakron.org
talkshows.xyz
yooball.com
yourecovers.com
cornbeijnvoxin.com
digplaliatinte.ru
dvdflowerrook.ru

# Reference: https://twitter.com/wwp96/status/1184490107467788293

asfpindia.org
pbssindia.in
viplace.pt

# Reference: https://pastebin.com/bJ4ynhDe

afmichicago.org
african-trips.com
aftablarestan.ir
alferdows.com
cenovia.com
euroteriage.com
gotladyhope.ru
januserfish.ru

# Reference: https://pastebin.com/Q6aPDCDt

boatattorney.com
keramenzakt.com
linglentelevox.ru
mdistellerryck.ru

# Reference: https://twitter.com/malware_traffic/status/1186885436397850624
# Reference: https://app.any.run/tasks/742165cc-6e00-4483-af5e-6c49ae53b976/

31.44.184.160:8080

# Reference: https://twitter.com/K_N1kolenko/status/1187302956644929537

durestuasben.ru
sagitecheadle.com
vladiondul.ru

# Reference: https://pastebin.com/bKwb2Yig

pmk-55.ru

# Reference: https://twitter.com/K_N1kolenko/status/1188729131523031040

penreleaplif.ru
scangescangomu.ru
wickawbarrysci.com

# Reference: https://twitter.com/James_inthe_box/status/1188771146105147392
# Reference: https://app.any.run/tasks/de677fac-06c7-4c32-bd7a-05fc10cd5196/

blakejordan.com

# Reference: https://pastebin.com/JY6StTeK

youqu0.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1188837744568688640

pubarecaz.com

# Reference: https://twitter.com/JayTHL/status/1189934275476492288

damcoservices.com

# Reference: https://twitter.com/K_N1kolenko/status/1190903765005750272

selesesteq.ru
thaverenta.ru
wingritydet.com

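# Generic heuristic trails: host-independent URL paths.
# These entries carry no domain or IP, so expect more false positives from them than from the host-specific entries above.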

/4/forum.php
/admin/zaki.php
/bdl/gate.php
/fknmo/gate.php
/ls/gate.php
/ls5/forum.php
/ls6/gate.php
/plasma/gate.php
/sl/gate.php
/zapoy/gate.php
/123_123123.php
/342578_4378.php
/34894385_4378.php
/4234_32423.php
/rgovett.php
/rhf26.php
/rickyv319.php
/rjohn10657.php
/rmmurphy10.php
/robby_hanshaw.php
/robert.hicks.php
/robert1325.php
/ron_penfold.php
/rowantotal.php
/roydsingh.php
/rwhayne.php
/sailnsadle.php
/samurai40w.php
/sasshm.php
/scooby6060.php
/scottyw36.php
/shark601.php
/sheridanalan.php
/simonimp.php
/sjj53.php
/soberentexas.php
/sophiagamble.php
/soundm279.php
/st.vanaaken.php
/steve.heller.php
/storme.cosgrave.php
/stormnz54.php
/sullych43.php
/technoemporium.php
/terisitababe.php
/terrybailey2009.php
/thehornet1.php
/thetafly.php
/thomascarterpt.php
/timbrennan29.php
/tj.016677.php
/tjholden.php
/tjubell.php
/tss9999.php
/tstanis5.php
/vmpereira.php
/walli_sw.php
/warren.php
/wayneo125.php
/waynerice816.php
/wcwjr.php
/wdepietro.php
/weberdental.php
/welch9172.php
/wesleysebesta.php
/westharbour.php
/whitej58.php
/win.harris.php
/wjtconsult.php
/woodcock_jack.php
/wretchedchild5.php
/wschnei106.php
/yoshihito.shibahata.php
/ykootss.php
/yuki_chan2004jp.php
/ywingitt.php
/zecoimbra1951.php
/zubairseiendom.php
