# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://github.com/JR0driguezB/malware_configs/tree/master/IcedID

arcadyflyff.com
atlanimeday.com
binncu.net
camorata.com
comeontrk.com
csuwbru.net
cupicratings.com
daliyudin.net
debonointl.net
dorothyle.net
expling.net
firebbernank.net
freegameshacks.net
fzlajsf.net
gordondeen.net
jefchinloans.com
joronda.com
jumpsworks.com
medicalciferol.com
miraquebolsis.com
nobleduty.com
timmasanz.net
tradequel.net
wbgjds.net
youaboard.com

# Reference: https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html

efoijowufjaowudawd.com

# Reference: https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/

lik0sa1.com
# NOTE(review): example.com is an IANA-reserved documentation domain, so the entry
# below looks like a sanitised placeholder rather than a live indicator - verify it
# against the referenced report before relying on it for detection.
nejokexulang.example.com
payfinance.net

# Reference: https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/
# Reference: https://otx.alienvault.com/pulse/5c99fb543acc7f5eb0e7e933

acquistic.space
ambusted.space
coultra.space
exhausines.space
exterine.space
haractice.space
hospirit.com
overein.space
parchick.space
portened.space
resurround.pw
segregory.com
stocracy.space
stradition.space
subsquire.com
tybalties.com
ugrigo.space
waharactic.com
yorubal.space

# Reference: https://twitter.com/James_inthe_box/status/1110564181021908993

mathedro.com

# Reference: https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/

zonefb.com

# Reference: https://twitter.com/malware_traffic/status/1123458651434434563

marakusta.at
saudienter.pw

# Reference: https://twitter.com/CapeSandbox/status/1123605348466741249
# Reference: https://cape.contextis.com/analysis/70719/

forsynanchyv.com
hipponexunam.org

# Reference: https://twitter.com/CapeSandbox/status/1121084063903821824
# Reference: https://cape.contextis.com/analysis/68966/

arguerns.top
extenterms.top
minental.top

# Reference: https://twitter.com/malware_traffic/status/1136690489757974538

37.59.68.215:443
goodinzone.at
mozambiquest.pw

# Reference: https://twitter.com/James_inthe_box/status/1136950895986429954

albarthurst.pro
hipponexunam.org

# Reference: https://twitter.com/malware_traffic/status/1147303805115162624

germakhya.xyz

# Reference: https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html

albarthurst.pro
carlsbadenomise.top
chardiop.club
ethracial.pw
exchangests.xyz
forsynanchyv.com
goodinzone.at
hipponexunam.org
hydrylater.online
mechangerous.space
mozambiquest.pw
parenessed.icu
ransmittend.club
saudienter.pw
summerch.xyz
wagenstead.xyz

# Reference: https://twitter.com/James_inthe_box/status/1163512836930199552
# Reference: https://pastebin.com/rcwZmSu0

bumpsitting.pro
diplomainter.pro
duffered.pro
existination.pro
hahashow67.bit
pitfields.pro

# Reference: https://twitter.com/SoulRage6/status/1168171341998149637

casternsinc.com
casternsblog.com

# Reference: https://github.com/silence-is-best/c2db#icedid

memphase.com

# Reference: https://twitter.com/SoulRage6/status/1184141516534702081
# Reference: https://www.virustotal.com/gui/file/6f72987e323aa2d0a81c74e45851b62c1f415f703be20afb662748bc709f9361/detection
# Reference: https://twitter.com/JasonMilletary/status/1184201998381522944
# Reference: https://pastebin.com/vnwHadJk
# Reference: https://twitter.com/JasonMilletary/status/1190286207751733248
# Reference: https://pastebin.com/cz2HePMS

amongolia.com
bavariousltc.com
bhagavana.com
biorexis.top
builtitute.com
contrmved.com
corposted.com
coujtried.com
demonike.com
demonsoon.com
dioneras.top
eurobable.com
founddhog.com
honolfogy.com
jjanuatu.com
leonopic.top
lionerat.top
magnwnce.com
mastroga.top
memphase.com
molinaro.top
nopelrod.top
pidronog.top
piloresi.top
presifered.com
sacrecope.com
semistor.top
sheaffic.com
sheaffic.net
sheaffic.nl
sheaffic.org
tadpoleonilc.com
tidesore.top
wentinueqhcr.com
whyeelong.com

# Reference: https://twitter.com/OttoScav/status/1186356752406724609

gfthwards.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1187390560384049155

gfthwards.com
gfthwards.eu
piloresi.top
presifered.com

# Reference: https://twitter.com/wwp96/status/1189244489472319489

kbtseafood.com

# Reference: https://twitter.com/malware_traffic/status/1190026665952497667
# Reference: https://www.virustotal.com/gui/ip-address/217.182.188.118/relations

217.182.188.118:443
demonsoon.com
emperimen.com
magnwnce.com
moreogramlfgt.com
orsement.net
orsement.org
resultiplrt.com

# Reference: https://twitter.com/malware_traffic/status/1068570263732789248

govenian.host
suprecien.host

# Reference: https://twitter.com/malware_traffic/status/1068281897346838528

freshwallet.at
labadegmc.com
listmyfloor.com
modelssohn.website

# Reference: https://twitter.com/pollo290987/status/996471190221983746

3200bpm.com
autozpolisy.pl
tagamol.com

# Reference: https://twitter.com/JR0driguezB/status/978937668921970688
# Reference: https://github.com/JR0driguezB/malware_configs/blob/master/IcedID/C2.txt
# NOTE(review): the 25 domains in this section repeat, entry for entry, the first list
# in this file (same JR0driguezB/malware_configs source). Presumably harmless to
# matching, but de-duplicate when the list is next regenerated so hit counts and
# diffs stay meaningful.

arcadyflyff.com
atlanimeday.com
binncu.net
camorata.com
comeontrk.com
csuwbru.net
cupicratings.com
daliyudin.net
debonointl.net
dorothyle.net
expling.net
firebbernank.net
freegameshacks.net
fzlajsf.net
gordondeen.net
jefchinloans.com
joronda.com
jumpsworks.com
medicalciferol.com
miraquebolsis.com
nobleduty.com
timmasanz.net
tradequel.net
wbgjds.net
youaboard.com

# Reference: https://twitter.com/Paladin3161/status/1156867967260303360

bumpsitting.pro
heinless.pro
mainly.pro

# Reference: https://twitter.com/Paladin3161/status/1156632752260648960

diplomainter.pro
existination.pro
forsynanchyv.com
stalitic.pro

# Reference: https://twitter.com/JAMESWT_MHT/status/1194631881007910921

aginia.net
aginia.top
leonopic.top
nopelrod.top
sacrecope.com
telected.xyz

# Reference: https://twitter.com/stecar792/status/1194745611377135616
# Reference: https://pastebin.com/FhbU27vC
# Reference: https://pastebin.com/if2VpJJg

bhagavana.com
eurobable.com
leonopic.top
lionerat.top
memphase.com
mirkolkdb.com
mirkolkdb.eu
mirkolkdb.net
mirkolkdb.nl
nopelrod.top
pidronog.top
sacrecope.com
semistor.top
tadpoleonilc.com
telected.com
telected.eu
telected.in
telected.net
telected.nl
telected.one
telected.org
telected.tel
telected.top
telected.xyz
wentinueqhcr.com
whyeelong.com

# Reference: https://twitter.com/JasonMilletary/status/1177323562425815049
# Reference: https://pastebin.com/XF980VrW

bhagavana.com
biorexis.top
centrash.com
duffice.com
eurobable.com
fallium.com
gioredoh.top
kenoted.com
leonopic.top
lionerat.top
mamerona.top
mastroga.top
memphase.com
molinaro.top
nopelrod.top
pidronog.top
samioner.top
scatholics.com
semistor.top
tidesore.top
uniresio.top
vulcate.com

# Reference: https://twitter.com/JasonMilletary/status/1176934514414759936

genepbisulphite.nl
yavagumchewer.com

# Reference: https://twitter.com/JasonMilletary/status/1174026442100940800
# NOTE(review): eonopic.top, ionerat.top, ioredoh.top and olinaro.top equal
# leonopic.top, lionerat.top, gioredoh.top and molinaro.top (all listed elsewhere in
# this file) with the first character missing - possibly truncated on copy. Verify
# them against the referenced source; a truncated name is a different registrable
# domain and could produce false positives.

eonopic.top
ionerat.top
ioredoh.top
mamerona.top
olinaro.top
samioner.top
uniresio.top

# Reference: https://www.f5.com/labs/articles/threat-intelligence/de-icing-icedid--decompression-and-decryption-methods-explained-?

ygrenevresed.fun

# Reference: https://twitter.com/CapeSandbox/status/1168607522795790337
# Reference: https://twitter.com/SoulRage6/status/1168171341998149637

casternsblog.com
casternsclub.com
casternsinc.com
casternssite.com
rankrns.com
staterns.com
webcasterns.com

# Reference: https://twitter.com/JasonMilletary/status/1197209873294999553
# Reference: https://pastebin.com/964KsuMx

bhagavana.com
dioleg.top
eurobable.com
fioure.top
goidiom.top
guiertr.top
hiolne.top
leonopic.top
lionerat.top
memphase.com
mirkolkdb.com
mirkolkdb.eu
mirkolkdb.net
mirkolkdb.nl
monerto.top
nopelrod.top
pidronog.top
riopwe.top
sacrecope.com
semistor.top
tadpoleonilc.com
tierton.top
tyuerse.top
wentinueqhcr.com
whyeelong.com
ziones.top

# Reference: https://twitter.com/JasonMilletary/status/1197541828402143233

37.48.83.137:80
37.48.83.137:443

# Reference: https://twitter.com/JasonMilletary/status/1197593565863518208
# Reference: https://app.any.run/tasks/30cb7b07-6cff-4ff0-88eb-e69c6d60397a/

berrydom.top

# Reference: https://twitter.com/Kostastsale/status/1199604381751988225
# Reference: https://app.any.run/tasks/b3f60bc6-c821-4921-b4e4-221e32b2d7e7/
# Reference: https://app.any.run/tasks/6e5996c2-81b1-45ac-bdd0-3ec9517608ce/

193.109.69.17:443
198.54.120.132:443
77.222.63.110:443
astenitral.club
desreona.top
gerrredona.top
nedisona.top

# Reference: https://any.run/malware-trends/icedid (Note: as seen on 2019-12-04)
# NOTE(review): this section is sourced from an aggregate trends page rather than a
# single analysed sample. ddos.dnsnb8.net and thuocnam.tk do not follow the *.top
# naming of the other entries here - confirm they are IcedID infrastructure and not
# traffic from unrelated samples before attributing hits to this family.

dirosad.top
jikolis.top
monerto.top
ziones.top
tierton.top
ddos.dnsnb8.net
semistor.top
guiertr.top
tyuerse.top
thuocnam.tk
desreona.top
nedireob.top
gerrredona.top
nameseorin.top

# Reference: https://pastebin.com/ErESEBNy

herrasei.top

# Reference: https://twitter.com/killamjr/status/1203183444127354880
# Reference: https://www.virustotal.com/gui/domain/colonisfg.com/relations
# Reference: https://www.virustotal.com/gui/file/5cfbcfac6faea9055f9c7bebc1974aac0ec445f4d08900100b5a3a389ec02610/detection

colonisfg.com
derilopa.top
dezaredo.top
gerontos.top
netionax.top
seniorex.top

# Reference: https://twitter.com/luc4m/status/1204861411010207744

certifacto.com
beaderza.top
gertuko.top
hiperdom.top
modestog.top
nonedore.top

# Reference: https://twitter.com/malware_traffic/status/1208205022925860865

b99vxjju.com
jlb81hdvernon.com
v60yuuu1415.com

# Reference: https://app.any.run/tasks/5e1ba7ba-4a11-44d0-a80b-ea188041fd76/
# Reference: https://pastebin.com/higQqzwD

arkanacarszoom.pro
arkanacarszoom.red
arkanaways.pro
arkanaways.red
baberdon.top
bavariousltc.com
bavidopa.top
beaderza.top
berrydom.top
bilopans.top
biodeser.top
bladisuka.red
brekatrinado.red
carensod.top
certifacto.com
colonisfg.com
containerfirearms.com
copiresd.top
coridef.top
cowspidzu.pro
demandary.com
desreona.top
dioledoe.top
dioleg.top
dirosad.top
elabortin.com
exceptionalsanta.pro
fanisder.top
fidonau.top
fioure.top
foxitone.top
geropil.top
gertuko.top
giretona.top
golitope.top
goredoma.top
goresoin.top
herdomo.top
hiolne.top
hiperdom.top
hironmen.com
hovernor.com
jikolis.top
kololokoip.red
korendor.top
kuskusnamnam.icu
loperdon.top
manyloaddss.red
maredosa.top
maxikolo.top
modestog.top
monerto.top
moreogramlfgt.com
muratinue.com
nedisona.top
newyeardocs.pro
newyearfreaks.pro
nikolopu.top
nonedore.top
# NOTE(review): cowspidzu.pro is listed earlier in this section; the entry below
# differs only by the missing first character - possibly a truncated copy. Verify
# against the referenced paste before alerting on it.
owspidzu.pro
piterdos.top
redilok.top
renaultarkana.pro
renaultarkana.red
resultiplrt.com
riopwe.top
rubonder.top
santaclausdriver.red
serkolo.top
sionerde.top
sisipiciliko.pro
skachkiiloady.pro
stata.link
succine.com
systemory.com
thrushmore.com
tierton.top
transityfade.pro
transityfade.top
viderson.top
vilokilofilo.pro
viterex.top
voperdom.top
xyuvuugadali.info
xyuvuugadali.pro
ziones.top

# Reference: https://pastebin.com/VniAbG5k

ecowis.com
exceptionalsanta.red
fmjstorage.com
happysantacows.red

# Reference: https://twitter.com/SoulRage6/status/1215259274055704577
# NOTE(review): plutomylove.monster appears twice in this section; check the
# referenced source in case the second occurrence was meant to be a different domain.

letsgotopluto.best
plutomylove.monster
plutoisaplanet.best
plutomylove.monster
plutusforpluto.best
saveplutoplanet.xyz

# Reference: https://twitter.com/JAMESWT_MHT/status/1215260222832463873
# Reference: https://app.any.run/tasks/47590dc6-e93a-49e9-b053-974230cf8d3c/

hillenincopenhagen.best
willenhillen.xyz

# Reference: https://app.any.run/tasks/36d30924-4064-4288-a4e3-bc3ea44bda3e/

venusplanet.best

# Reference: https://twitter.com/JasonMilletary/status/1227975671282118657
# Reference: https://pastebin.com/kVWnJkaC

4success8.pro
creativedevelopment.xyz
developme.best
fridgehealth.best
geminichair.xyz
imreherzog.xyz
kinuplayer.info
langlawer.pro
nasafridge.xyz
spacecable.best
starofporn.xyz
thefeelingsapple.xyz

# Reference: https://twitter.com/Paladin3161/status/1228359000359501824
# Reference: https://pastebin.com/GUGbsQxE

appleparkca.best
bigbonmax.best
firedoggy.xyz
laroshelle.best
stamptowns.best
stsseriesdilemma.xyz

# Reference: https://twitter.com/James_inthe_box/status/1228452446978002944

applethecompany.best
bulbulmeni.best

# Reference: https://app.any.run/tasks/e7fb661a-6968-4367-9cd4-2077419a702d/

jagerteam.top
bibliophil.club
happyhunters.pw
bibliophil.pw

# Reference: https://twitter.com/malware_traffic/status/1243645177245380610
# Reference: https://www.malware-traffic-analysis.net/2020/03/27/index.html
# Reference: https://app.any.run/tasks/16c7bbfb-1c6a-40be-a625-bf8bc870354b
# Reference: https://app.any.run/tasks/9f2e532c-24d9-42d5-9be2-7ce9a8920980

conceptinteriors.ae
karantino.xyz
pravizzillo.club
projectfatty.club

# Reference: https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html
# Reference: https://app.any.run/tasks/d092cd7a-3e1c-479f-93e0-6494e464f44e/

# NOTE(review): the entry below is defanged (hxxp://) and carries a scheme, unlike
# every other line in this file (bare domain, IP:port or host/path). A consumer that
# loads trails verbatim will not match it - confirm how the parser treats this form.
hxxp://45.147.231.107
customscripts.us
hinkaly.club
karantino.xyz
zajjizev.club

# Reference: https://twitter.com/malware_traffic/status/1256297802948399104

ghefgekil.club
obratapres.pw
smallhole.club
severeconditions.xyz

# Reference: https://twitter.com/James_inthe_box/status/1257418677760282624

knockaddress.xyz

# Reference: https://pastebin.com/vCfWusnR

lokolojazz.club

# Reference: https://twitter.com/SBousseaden/status/1258564579463921665
# Reference: https://app.any.run/tasks/c98c5585-ad28-4744-8156-476efa30674e/

turtlesfun.fun

# Reference: https://twitter.com/James_inthe_box/status/1262856956613554176

connuwedro.xyz

# Reference: https://bazaar.abuse.ch/sample/837f40c12fc476d81d0741da2ab0bc0ee5c9857fe9623f2dfa33fb9f9d20f6ce/

bividilli.xyz

# Reference: https://app.any.run/tasks/6b57fda7-dd83-44c9-a8d0-3befecb7c4c6/
# Reference: https://bazaar.abuse.ch/sample/df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec
# Reference: https://www.virustotal.com/gui/file/df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec/detection

cryptocrio.pw
cryptocrio.top

# Reference: https://twitter.com/abuse_ch/status/1265989591628238848

3chickens.pw

# Reference: https://pastebin.com/bUzE4Df6

fordthunderbirth.site
gotofresno.xyz
luxcarlegend.top
nicebirththunder.cloud
poloturtles.top
robertogunez.xyz
totheocean.pw

# Reference: https://twitter.com/James_inthe_box/status/1268985862173257728

porkon3stuff.top

# Reference: https://twitter.com/Artilllerie/status/1270013362194219008

makindra.xyz
pohindra.best
prostokilo.top

# Reference: https://twitter.com/malware_traffic/status/1270158384738770951

trythisrandom.top
ziddat.com/registration.doc

# Reference: https://twitter.com/malware_traffic/status/1271588921168867329

musicapuntocero.com
wloppyload.top

# Reference: https://github.com/f0wl/deICEr/blob/master/README.md

boldidiotruss.xyz
nizaoplov.xyz
153ishak.best
ilu21plane.xyz

# Reference: https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware
# Reference: https://pastebin.com/Sz16iU57

2pillsofhunderts.pw
30miles.xyz
3chickens.pw
3glanzepages.top
antivarevare.club
antivarevare.pw
bavadivaclub.club
beradocolon.top
bividilli.xyz
bluekit.pw
bonwes.bid
bredretre.uno
carpetkisa.xyz
carztesla.xyz
chumocarz.club
citytrallbus.xyz
colocarantino.xyz
connuwedro.xyz
cosacasa.top
costacolonel.club
costamustero.pw
coucarachiz.top
cozyappt.club
crossbones.email
cryptocrio.pw
cryptocrio.top
cucumberz99.club
dayafterthe.xyz
dezisenkor.club
docccutime.xyz
emergencytoolz.pw
extraordinarycurc.club
fekilopol.xyz
feminization.xyz
fidelliware.pw
filacolonel.site
filacolonel.xyz
filteroggy.pw
fishmak.pw
flighfinder.xyz
flightslots.online
forwardnogi.pw
fredoferodo.top
frenchfries8.top
fullplainefares.club
gerenada.club
ghefgekil.club
gigakolors.club
glassyradua.xyz
goodcolonell.xyz
goodservers.top
groggypirogy.top
herekeder.best
hinkaly.club
instarobotics.club
karantino.xyz
kassadesada.top
knockaddress.xyz
knockdomain.xyz
loacorecoder.club
lokolojazz.club
menosmeno.best
millogorillo.top
nadalia.top
northdestrickt.top
oggytarakan.club
oggythecoucca.xyz
polymorphis.top
pravizzillo.club
pravizzillo.email
presserdresser.best
pyramide33.pw
pythonfinder.top
safebanktest.top
seguridadcolonel.club
sharedocar.xyz
siffersniffer.best
silkycow.pw
smallhole.club
stuffed8tomatoes.club
svaerossi.pw
testermeisterz.top
tourdayly.top
tryfreder.xyz
trythisone2.best
uxozhuki.pw
vereseptem.pw
vodkahater.xyz
withoutemblems.top
yahzdaje2.website
zajjizev.club

# Reference: https://twitter.com/ffforward/status/1275364648091557889
# Reference: https://app.any.run/tasks/f4945f71-1327-43d4-b948-326bcc730033/

khaliel.com/load/
loadthird.casa

# Reference: https://twitter.com/abuse_ch/status/1275526243404972034
# Reference: https://bazaar.abuse.ch/sample/921138bc2b28d01a51e6673c6e61ba3237592d08875180e0b3749d8e47fdfd6d/

# NOTE(review): path-scoped entries - only the listed URL path is the indicator.
# The wp-content/themes path suggests a compromised legitimate WordPress site
# (TODO confirm), so do not widen these trails to the bare domain.
germana-arad.ro/tds.php
redbrookconservatories.com/wp-content/themes/genesis/tds.php
