# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Static indicator list. Several of the references below name the RIG exploit
# kit (e.g. the broadanalysis.com and isc.sans.edu write-ups).
#
# Entry forms used in this file:
#   - bare host names (domain or sub-domain), one per line
#   - "http://<IPv4>" entries with no port or path
#   - one regular expression under "Generic trails" at the end
# Each group of entries is preceded by the "# Reference:" line(s) it was taken
# from; the reference is the only provenance recorded here.
#
# NOTE(review): these are point-in-time indicators. The dated reference URLs
# range from 2016 to 2019, so domains may have lapsed or been re-registered and
# IP addresses may have been reassigned. Treat a hit as a lead to corroborate
# with the linked report rather than as proof of compromise.

# Reference: https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/
# Reference: https://otx.alienvault.com/pulse/5d40766ecabf3f345b3811db

http://212.109.198.22

# Reference: https://twitter.com/VK_Intel/status/1170955066355998721

http://188.225.38.30

# Reference: https://twitter.com/david_jursa/status/1171034657137319936

afgorc.xyz
djhjqg.xyz
drtest.xyz
yjomnb.xyz

# Reference: https://twitter.com/nao_sec/status/1171443035055390722

cuwygawipu.tk

# Reference: https://twitter.com/sans_isc/status/1172383709992931328
# Reference: https://isc.sans.edu/diary/25318

# NOTE(review): "dhq.xyz" has a three-letter label while its siblings in this
# group all have six; possibly truncated when transcribed. Verify against the
# references above before relying on it.
dhq.xyz
gtglax.xyz
mqtryi.xyz
ootsfq.xyz
yfmxng.xyz

# Reference: https://twitter.com/nao_sec/status/1173228978997354496

atztds17.world

# Reference: https://twitter.com/tkanalyst/status/1195867354338455552
# Reference: https://www.virustotal.com/gui/ip-address/94.130.90.228/relations

# NOTE(review): the VirusTotal reference is for 94.130.90.228, which is not
# itself listed here; presumably the entries below come from its relations
# view. Confirm.
http://188.225.84.132
atztds25.world

# Reference: https://twitter.com/BroadAnalysis/status/804164835650965504
# Reference: https://broadanalysis.com/2016/11/30/rig-exploit-kit-via-the-eitest-delivers-cryptfile2-ransomware/

# NOTE(review): the write-up is dated 2016 and describes delivery via EITest.
# If this host was a compromised legitimate site rather than attacker-owned
# infrastructure, it may have been cleaned since. Confirm it is still relevant
# before treating hits as high-confidence.
clickonlaramietoyota.com

# Reference: https://twitter.com/DynamicAnalysis/status/1182015863043567622
# Reference: https://pastebin.com/dunyKxnG

atztds177.world
atztds37.world
atztds775.world
btcseller.club
vapeshout.com
worplace.com
samsungt.com
wwwdailyforex.com
cryptaloot.pro
go2batch.com
fceacebook.com

# Reference: https://twitter.com/adrian__luca/status/1148186673739685888

scrappycoco.ru

# Reference: https://twitter.com/tkanalyst/status/1187735439240773632

reversepin.pro

# Reference: https://twitter.com/tkanalyst/status/1188025346009919490

fiestagoal.pro
hipeoutset.pro

# Reference: https://twitter.com/tkanalyst/status/1189558049901465601

contactfiests.pro
speakerboxnectar.info

# Reference: https://twitter.com/tkanalyst/status/1193121699002114048

http://173.82.114.254
raisedsky.info
trickfiesta.info

# Reference: https://twitter.com/tkanalyst/status/1194648639693451266

http://202.182.121.252
booblegums.info
stonefiesta.info

# Reference: https://broadanalysis.com/2019/12/02/rig-exploit-kit-delivers-bot-ransomware/
# Reference: https://otx.alienvault.com/pulse/5de907a4b04741669d476189

bestwalletapiandroid.world
lucretius-ada.com

# Reference: https://twitter.com/david_jursa/status/1207613694621999104

lendsblog.com
atztds702cv.xyz

# Reference: https://twitter.com/tkanalyst/status/1219244505640996864

http://199.247.5.69
fatykarying.xyz
fiestalume.info

# Reference: https://twitter.com/FaLconIntel/status/1230488503290449920

tldrbox.top

# Reference: https://twitter.com/FaLconIntel/status/1235580218842083329

fiestagg.info
morethanyouneed.xyz

# Reference: https://app.any.run/tasks/828e1e86-c4ee-4251-a20d-6aacc6b4b9cf/

http://82.146.46.180

# Reference: https://twitter.com/FaLconIntel/status/1241568444551741441
# Reference: https://app.any.run/tasks/e074bc0d-7edf-4e58-86ad-f7e3dd8df714/

http://176.57.220.16

# NOTE(review): the trailing "/Hancitor/Pony" in the URL below does not fit the
# diary title that precedes it and may be residue from another link. Verify
# that the URL resolves.
# Reference: https://isc.sans.edu/forums/diary/CryptoShield+Ransomware+from+Rig+EK/22047/Hancitor/Pony

# These two are listed as specific sub-domain host names; the parent domains
# are not listed as entries of their own.
need.southpadreforsale.com
star.southpadrefishingguide.com

# Reference: https://twitter.com/david_jursa/status/1250716073437073409

likeaboss.club

# Reference: https://twitter.com/nao_sec/status/1254025079635075073

http://188.225.27.75

# Generic trails

# Regular expression, not a literal host name. It reads as: a word boundary,
# the literal prefix "atztds" or "mtxtds", one or more characters from
# [0-9a-z], then ".world" or ".xyz".
# - It covers the explicit atztds*.world / atztds*.xyz entries listed earlier
#   in this file. No literal mtxtds* host is listed here.
# - NOTE(review): the pattern has no end anchor. Applied as a search, it would
#   also match a longer name whose next label merely begins with "world" or
#   "xyz", or a name that continues with further labels after the TLD-like
#   part. Whether that can produce false positives depends on how the consumer
#   applies the expression (search vs. full match). Confirm, and append "$" if
#   a full-host match is intended.
\b(atztds|mtxtds)[0-9a-z]+\.(world|xyz)
