# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://techhelplist.com/spam-list/1056-delay-with-your-order-invoice-malware

lpholfnvwbukqwye.onion
lpholfnvwbukqwye.tor2web.org
lpholfnvwbukqwye.onion.to
lpholfnvwbukqwye.onion.cab

# Reference: https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Ransom:Win32/Locky.A

vjwmpxseu.fr
jywdohhfkypg.de
blydeylrayu.it
obvpxgcohmpsou.it
cqvgwp.uk
tdxgp.eu

# Misc. (no source reference recorded for the entries below)

jnfumwhpd.fr
weynektquvuh.fr

# Reference: https://malwr.com/analysis/OTdhZjg3ZTAzNGUxNDJjYzhiNGE1ZGM1MGFlNWM0NzE/

lahmar.choukri.perso.neuf.fr

# Reference: https://malwr.com/analysis/Yzc1NTEzOWM2MGY2NDJhZmJkZjZmNjMwOGM3NjQyODE/

kokoko.himegimi.jp

# Reference: https://otx.alienvault.com/pulse/56cf14f567db8c06345355e5/

mafiawantsyouqq.com
lenovowantsyouff.com
whereareyoumyfriendff.com
lenovomaybenotqq.com
ikstrade.co.kr
tosalaeigroup.com

# Reference: https://malwr.com/analysis/NzUyYjhiMDA0ZTQ4NGUzZmFkMjZhZGNmZTk5NGFjMzg/

blablaworldqq.com
ujajajgogoff.com

# Reference: https://www.virustotal.com/en/ip-address/142.25.97.48/information/

blablaworldqq.com
hellomisterbiznesqq.com
hellomydearqq.com
hrfgd74nfksjdcnnklnwefvdsf.materdunst.com
lenovomaybenotqq.com

# Reference: https://www.virustotal.com/en/ip-address/146.148.55.44/information/

blablaworldqq.com
fromjamaicaqq.com
hellomisterbiznesqq.com
hellomydearqq.com
mafianeedsyouqq.com
hellomisterbiznesqq.com
hellomydearqq.com
blablaworldqq.com
isthereanybodyqq.com
www.soclosebutyetqq.com
soclosebutyetqq.com
www.helloyoungmanqq.com
helloyungmenqq.com
thisisitsqq.com
yesitisqqq.com
itisverygoodqq.com
hpareyouhereqq.com
lenovomaybenotqq.com
www.gutentagmeinliebeqq.com
mafianeedsyouqq.com
mafiawantsyouqq.com
lenovowantsyouqq.com
goonwithmazerqq.com
arendroukysdqq.com
returnyourfiless.ru
www.invoiceholderqq.su
helloyoungmanqq.com
www.fromjamaicaqq.com
fromjamaicaqq.com
gutentagmeinliebeqq.com
invoiceholderqq.com
pren874bswsdbmbwe.returnyourfiless.ru
q4bfgr7bdn4nrfsnmdf.blizzbauta.com
spannflow.com
www.thisisyourchangeqq.com
blizzbauta.com
nnrtsdf34dsjhb23rsdf.spannflow.com
pren874bwsdbmbwe.returnyourfiless.ru
www.itsyourtimeqq.su
bb34dbsjneefnsdefjsn.golemmalik.su
itsyourtimeqq.su
thisisyourchangeqq.com
invoiceholderqq.su
maniupulp.com
83gd65jfh24jbrwke43.brocksard.su
fausttime.com
gubbosiak.su
helloguysqq.su
hellowomenqq.su
l4rdnvb5jskjb45sdfb.mayofish.com
pot98bza3sgfjr35t.fausttime.com
h5534bvnrnkj345.maniupulp.com
helloworldqqq.com
fjfhsflj54t8ak439sm.wakonratio.com
pigglywigglyqq.com
mayofish.com
piglyeleutqq.com
sifetsere.com
skuawill.com
belableqq.com
belahhoast.net
www.belahhoast.net
3j2gdpsipa74bgm441.biz
lastooooomene2ie2e.com

# Reference: https://www.hybrid-analysis.com/sample/4290b85920a4079103047aa2ac58968f44672a05dc81a79225c3c66ad93d2faa?environmentId=4

w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at
u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com
po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at

# Reference: http://blog.dynamoo.com/2016/03/malware-spam-order-confirmation-payment.html

conspec.us
tmfilms.net
iqinternal.com
goktugyeli.com
saludaonline.com

# Reference: https://www.virustotal.com/en/ip-address/104.168.62.235/information/

ohellowruff.com
greetingsjamajcaff.com

# Reference: https://blogs.forcepoint.com/security-labs/lockys-new-dga-seeding-new-domains

bkadufmdyf.pm
kpvoxwgf.pm
fysck.fr
hsasjielgfkneh.ru
qquvjijtvatj.in
edmgbqygn.de
nbavfpb.uk
wyusb.yt
yuljfxdf.pm
bvtavc.nl
ktovxeteqtwtcsh.yt
xyfnvvbuovcd.be
hwsdymcytd.yt
cgwlamg.pw
ehfjt.pm
nfacehihugohhi.nl
cproso.pm
lnjrmdjyidprrse.de
nortkbiqhtdgd.de
ixwllqpbog.in
rvkgvjbp.it
ficpn.fr
ogworigxknalsd.eu
qaekmjxgrtcs.de
prydlvlxw.be
rsimigt.us
bqvcl.in
ovmspedrbkxlj.ru
xthppvomcxu.be
aupgcrvfm.us
uemtsb.uk
echmfrnyuwrlmas.uk
jaliqnp.yt
ejpmaxavyptyqnc.pw
nhkpknfyjnoqp.ru
iqountnrqs.ru
krpphdlu.yt
tpkmyc.ru
hubvdqgfcoierc.pw
qsaifcyuopyv.de
bxlrnw.pw
vhpurxfuohbqso.fr
ffkseaisuicb.eu
hgspblbnex.yt
cppvgch.in
lnkva.pw
ysbfaksqohpmf.in
iqvcaeogjeg.it
spxst.us
nycbuwfisadao.be
wwpyvxnihcm.fr
yxxpmghmx.uk
thcfqk.it
dfwqdyjrtyiuaij.pm
qrokkqdsmtxa.us
apgodprqgy.eu
djcbwpykgnsdikb.pm
fkkdmvsjnnptv.yt
athfaulmew.pw
cupggwpf.pm
lsotcg.in
gcsxwslqsvbhpr.pw
ivtlxgqfkiyj.it
dfxvcvxfa.be
kfifrxqke.in
fogyrq.uk
ombqnwvepxjeufs.tf
qnjoimqcqkokt.yt
lpmxewicfk.us
uubnggrp.in
woiwpu.fr
rxmbadyblcuoat.in
dlhhgett.us
mqvubo.de
haageiedrybojk.tf
jtlqoqfaykdj.uk
edpglqefm.it
nbdwqkj.fr
pcmfx.de
klqqvsewphwko.it
vqmkfujpobvu.us
xkxapdrojh.nl
stckmju.yt
uulhq.fr
esyjyjiklwnbhd.tf
ycdntrbxkuw.de
bdlpmukcp.eu
vmpthc.it
ddutcdmfvmbaaba.be
mbikamdjklmce.de
hkmaebphml.yt
jetxtfwv.pw
enxme.us
nllwyhyrvsdodo.fr
pmttrjeukjnl.yt
kvxcsnink.yt
vopbboe.tf
fmktk.pw
avppvitupmdtm.tf
cwxghlngfxo.nl
wguofdum.it
yhdrnk.ru
ifxjoqrmcmajhjf.ru
docniprmgcxm.be
adrefp.ru
jinpjwfrsjpmjgu.us
ekqmsioexowp.uk
glrbxuhejj.de
buvpbsq.pw
dvehl.pw
mtygfrrwfppuvv.us
hdvmubmbyxs.nl
radqq.tf
bfyilphwkctxdf.us
vhcrhadppxa.it
xidmofnsc.ru
srlkgw.pw
ustmanuqnxxhlmj.pm
eqplamxxqghrd.tf
yamyqrhatl.de
jxeepaassngeetq.in
sdsyswxogrhjf.tf
nfvdvistdi.nl
pgeeucpt.uk
yercwd.nl
mqjlvimienyxwr.fr
voebnwfybwkg.pw
qximfakki.fr
xjneysaum.us
hhbrghm.eu
jijps.in
ernthxdqkbuoi.tf
npixhjhhmpm.uk
burfvaac.pm
ksmbxx.in
mtuamviphwoapcq.uk
jjrlgvdlqurpa.pm
shmcsgbpypg.fr
uivmeislw.eu
prsobv.pm
ypnlcncyegxteub.in
bqvjrrodkfhjg.it
vaaytyxqyl.eu
fxnitwaq.fr
pvmyilqakqqkl.in
kfqoruddyo.nl
myxmilto.it
hicqd.us
qnqlfdthdyidbw.be
shxppmfnhjao.pm
nqcxfhycl.in
wowkllj.it

# Reference: http://researchcenter.paloaltonetworks.com/2016/02/locky-new-ransomware-mimics-dridex-style-distribution/

iynus.net
jesusdenazaret.com.ve
southlife.church

# Reference: https://www.virustotal.com/gui/file/17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2/behavior/Lastline

dixbheudautb.be
xgyrjtjlhd.ru
inqvmknlystaai.de
vdnigs.pw
pvrsbcnsq.fr
qxxuucjephgjlok.fr
fxbyyc.fr
nlyyjkiaews.pw
avyikbtyliydohu.in
nlkejtxx.tf
snxiljkwq.us
mgcvnxmkklrl.uk

# Reference: https://mysonicwall.com/SonicAlert/searchresults.aspx?ev=article&id=901

wblejsfob.pw
cgavqeodnop.it
kqlxtqptsmys.in
pvwinlrmwvccuo.eu

# Reference: http://blog.dynamoo.com/2016/02/malware-spam-payment-laurence-cottle.html

kqlxtqptsmys.in
cgavqeodnop.it
pvwinlrmwvccuo.eu
dltvwp.it
uxvvm.us
wblejsfob.pw

# Reference: https://techhelplist.com/spam-list/1048-attn-invoice-general-mills-malware

bnfoviesrdtnslo.uk
vldxhdofpmcos.uk
jbdog.it
odcxeeg.tf
cscrrxyiyc.be
tirohbvok.in

# Reference: https://ransomwaretracker.abuse.ch/tracker/locky/  (as seen on 2017-10-31)

aarnknthc.xyz
abvtqhwodwjmi.work
acbstypdrijslr.ru
accemfsqovkd.pw
acjhwpdjhlhbncf.click
ahsqbeospcdrngfv.info
ampjsppmftmfdblpt.info
arddxjkwrp.xyz
avxdypmdbo.pw
axnemuevqnstqyflb.work
barjhxoye.info
bciuemfaapyf.biz
bddadevlpkwrrmud.xyz
bkdjvmmkwgkvgw.su
blxbymhjva.info
bnjhx.eu
bqbbsfdw.be
bqukfjfv.org
bwcfinnt.work
bwpegsfa.info
bxlrywuuobje.pw
cdxbbpngq.pw
clhyelmwnuqhigecp.pw
cpawdrtxfjkwrkkl.pw
cpyrltela.pw
cudcfybkk.pw
cwprfpjtmjb.biz
cxlgwofgrjfoaa.info
dkoipg.pw
dltvwp.it
dolfexalto.com
dqtfhkgskushlum.org
dtojlhpasjk.pw
dvmbtgoobxcc.pw
dwytqrgblrynsgtew.org
eaxpifdtwsv.biz
ecjfdaqmmyusxntwl.work
egerdpkvutvodmtsy.pw
egovrxvuspxck.be
eoalsoub.pw
eqtrtdavtnr.pw
euduudaehipk.pw
eypdxikxsufj.pw
eywlmqugxx.info
fdehgchykmiqwdg.info
fhvjsmtkirihxh.xyz
fitga.ru
fmirgordkhig.xyz
fnarsipfqe.pw
fnjyygovdjyemga.xyz
fpashgkepwtoqdjg.pw
fqoapcjolfwwenqx.pw
fqtdrnqmeofknd.biz
fuuasvhpsvuihlnje.pw
fuuwnsv.pw
fyqtguo.biz
gccxqpuuylioxoip.pw
gfcuxnaek.ru
gfwncoyhbdvggns.pw
gguaxufrt.pw
gitybdjgbxd.nl
glhxgchhfemcjgr.pw
gsebqsi.ru
gsmdqrmqddqtuv.xyz
gvludcvhcrjwmgq.in
hmndhdbscgru.pw
hppfsslyeyseudg.biz
htankds.info
hycninyxuaa.xyz
ibtfqftkgi.pw
ifohvkxmyp.biz
iqfyujpvubwawc.pw
iuieylpvfurcvmpk.pw
jfmiondv.xyz
jghbktqepe.pw
jxqdry.ru
jymhmkdaxfbl.click
kcdfajaxngiff.info
kciylimohteftc.pw
kjkwjqvqrjocpi.xyz
kpybuhnosdrm.in
kqlxtqptsmys.in
ks-davis.com
ktlgpiilbj.biz
kwontdmplpnbl.pw
kypsuw.pw
lcrdceiajmiar.org
ltpwqva.xyz
luvenxj.uk
mmhmtea.pw
muuojcu.xyz
mwqwverayognn.pw
mxyfasm.pw
nhhyxorxbxarxe.org
nlpqflkbvkdde.eu
nwcpgymgh.work
odgtnkmq.pw
ohpbdikmrrhr.pw
ohplsuljopekq.biz
omeaswslhgdw.xyz
pdlbtnfhtoxghb.org
plfbvdrpvsm.pw
pnyviolg.eu
pornohd24.com
preeqlultgfifg.pw
pvwinlrmwvccuo.eu
qbqrfyeqqvcvv.pw
qcwbrevxrotoepsp.pw
qdesslfdcmd.pw
qdvkdyvrtpjc.pw
qsbfwgtedexirbyoq.pw
qvdgqayo.pw
rbwubtpsyokqn.info
rrcspgfghsjnklts.pw
sdwempsovemtr.yt
seelkqtkkqxvq.click
sgowntfjwkybawi.pw
sgrnhwyqxdk.pw
sqrgvbgfyya.org
ssvylrn.pw
svkjhguk.ru
svvgyjweurxn.click
swfqg.in
sxflmtgxerkpgwlnp.pw
tdhyjfxltpj.pw
toxnwbkoulii.pw
tqlcjh.fr
trxswbwxhr.xyz
tswsgajtwhqkosd.su
ttoyqvq.pw
uetwvrlnee.fr
uhgmnigjpf.biz
uhhvhjqowpgopq.xyz
uhjxayhpisr.pw
umjjvccteg.biz
urulvtffwoq.xyz
uvcmlfca.biz
uxvvm.us
vcabbvhrqhot.pw
wbaskcsxiffiax.info
wdvxeval.ru
wjfkoqueatxdmqw.biz
wpvvusso.xyz
wrubyjtvqhxaqkh.pw
wtxvmsikbmtbq.pw
wvltrlrnf.xyz
xfyubqmldwvuyar.yt
xhrnfffaixawpuob.pw
xmniabhrfafptwx.pw
xofguhypjgvxrm.pw
xvchcbeqxkd.pw
xyhhuxa.be
yavmxpiqfwmubk.pw
ycvcjbhgkmsiyhdd.info
yofkhfskdyiqo.biz
ytcijiooxdtlbevrh.info
yuysikankhqvdwdv.xyz
ywjgjvpuyitnbiw.info
aechjic.pw
lvanwwbyabcfevyi.pw
vpuroeit.pw
qfuxosx.eu
uuwflbmjmi.eu
dmwajvm.fr
macooptwafkwchtpo.pw
aqmip.fr
vujqbcditgsqxe.fr
juhacjacjckclqf.pw
qlwnvdjwro.pw
lrmficvqs.pw

# Reference: https://ransomwaretracker.abuse.ch/tracker/locky/  (as seen on 2017-12-07)

lyrnvane.pw
gnsquwmgukkpgpt.pw
ibjgnqsthdyp.pw
rqfsctpgpuani.pw
aechjic.pw
ozfin.ru
sqsigig.pw
yaynawvtuqcarjwc.pw
wqxvsxppjivs.pw
qqtphtlhny.pw

# Reference: https://ransomwaretracker.abuse.ch/tracker/locky/  (as seen on 2018-04-11)

exnqhgk.xyz
yuertao.pw
stevnxwq.pw
dyoravdkiavfkbkx.pw
waduavfijwkanvf.xyz
uxwavkmttywsuynt.pw

# Reference: https://ransomwaretracker.abuse.ch/tracker/locky/  (as seen on 2018-08-30)

pagaldaily.com
eppilxqwyqdhmpdsn.pw

# Reference: https://answers.microsoft.com/en-us/office/forum/office_2010-word/my-pc-words-excel-files-infected-encrypted-by/28a153a2-368a-4e8f-ad96-2f651138720b?auth=1

i3ezlvkoi7fwyood.tor2web.org
i3ezlvkoi7fwyood.onion.to
i3ezlvkoi7fwyood.onion.cab

# Reference: https://twitter.com/James_inthe_box/status/914111090425917440
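# Reference: https://pastebin.com/6jrvxezV
# NOTE(review): '/fef44gddd.enc' below is a path-only entry with no host; presumably it is
# matched against the request path regardless of host - confirm it is distinctive enough to
# avoid false positives. The same applies to the other path-only entries in this file.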

hair-select.jp
/fef44gddd.enc

# Reference: https://twitter.com/pancak3lullz/status/751099312407351296

bicicletascortes.com
greatlakessawingsolutions.com
trevisancontruzionisrl.com
distributorsite.com
clear-sky.tk
crotoncreek.com
darkhollowcoffee.com
files.viva64.com
nooragrogroup.com
tabernadeltemple.com
taitorneria.com
tcnewhimki.ru
thesixthspace.com

# Reference: https://unit42.paloaltonetworks.com/unit42-the-curious-case-of-notepad-and-chthonic-exposing-a-malicious-infrastructure/

/7gyjgg5r6

# Reference: https://twitter.com/tmmalanalyst/status/790590663578439680

/linuxsucks.php

# Reference: https://twitter.com/0xtadavie/status/750602253581619200

http://185.106.122.38
http://185.106.122.46
/upload/_dispatch.php

# Reference: https://twitter.com/clucianomartins/status/825698473571909632

http://88.214.237.45

# Reference: https://twitter.com/pancak3lullz/status/748889645753118722

haselburg.cz

# Reference: https://app.any.run/tasks/16091017-2118-4909-8b38-01259d9858a2/

lytyjhtmogdcuxm.us
yoqlgkb.be
eqsculuql.ru
qbslvc.de
vgidmgof.ru
xjtintjnrbll.ru
http://86.104.134.144/main.php

# Reference: https://app.any.run/tasks/4b0ad213-124f-432e-9736-c0b2bc76b8ba/

http://185.102.136.67/checkupdate

# Reference: https://www.virustotal.com/gui/file/bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3/behavior/Lastline

hqdbxqwm.us
aiywslhvdebcx.eu
nxyqc.ru
uganqmfvoxw.it
pbkacwxfd.in
isjadfkkfogsbk.nl
yoqlgkb.be
eqsculuql.ru
qbslvc.de
xjtintjnrbll.ru
lytyjhtmogdcuxm.us
vgidmgof.ru
