# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: smokeloader, retefe

# Reference: https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/

coolwater-ltd-supportid.ru
localprivat-support.ru
service-consultingavarage.ru

# Reference: https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html

killermansopitu.com

# Reference: https://www.fireeye.com/blog/threat-research/2018/06/rig-ek-delivering-monero-miner-via-propagate-injection-technique.html
# Reference: http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/

nhocbo.bit

# Reference: https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html

ukcompany.me
ukcompany.pw
ukcompany.top

# Reference: https://twitter.com/ViriBack/status/1045123124910592000

supremebiz.info

# Reference: https://twitter.com/ViriBack/status/1047664167010926593

haxmall.in

# Reference: https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/

/js/metrology/jma.php

# Reference: https://twitter.com/Racco42/status/1097990743711461376

lzlgoy4b17sy5.com

# Reference: https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/

5gssghhs2w.org
dvhwzq.ru
hdxaet.ru
hghwwgh6.info
jdcbhs.ru
kdcbst.ru
kkted54d.ru
si2113gher.com
vshmesz.com
vygxxhh.bit

# Reference: https://twitter.com/malware_traffic/status/1112776731331620865
# Reference: https://www.virustotal.com/gui/domain/taj.co.ug/relations

taj.co.ug
/xzcqefxa/index.php

# Reference: https://twitter.com/James_inthe_box/status/1118534516379803648

anotherblock.bit

# Reference: https://twitter.com/James_inthe_box/status/1120693994428567552

mynah505.com.kz

# Reference: https://otx.alienvault.com/pulse/5ccb14c894ed463151dcced4
# Reference: https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe

bizbhutanevents.com/wp-rss.php
kjkpropertysolutions.com/wp-rss.php
laserowakasia.pl/wp-rss.php
racyroyalcoin.com/wp-rss.php
thealtilium.com/wp-rss.php
ltro3fxssy7xsqgz.onion

# Reference: https://twitter.com/Antelox/status/1104350571430141952

3bbbccvomp5uhznz.onion
auybplpgam3c62tc.onion
hiv3dylycjbvgrxr.onion
m2pgzofn4w6ttgbb.onion
n6g66hecwbnf7bg4.onion

# Reference: https://twitter.com/peterkruse/status/1049669678086479877

jpxgaweyfdym5zv2.onion

# Reference: https://twitter.com/JaromirHorejsi/status/1017739363613102083

yzpayb4sqad7gnin.onion

# Reference: https://twitter.com/JaromirHorejsi/status/1106230909282541568

bozuniy4sgprvinf.onion

# Reference: https://twitter.com/JaromirHorejsi/status/816203736636915712

f3lrid44upxfgnbe.onion

# Reference: https://twitter.com/P3pperP0tts/status/1133502768935784448

thebotarmy.com

# Reference: https://twitter.com/_CPResearch_/status/1141080891529334784
# Reference: https://pastebin.com/gg4ni5Pm
# Reference: https://www.virustotal.com/gui/file/fc20b03299b8ae91e72e104ee4f18e40125b2b061f1509d1c5b3f9fac3104934/detection
# Reference: https://otx.alienvault.com/pulse/5d094cbf85df945a77c3fa45
# Reference: https://research.checkpoint.com/2019-resurgence-of-smokeloader/
# Reference: https://otx.alienvault.com/pulse/5d24b44109756f4227d75025

babolgum.icu
esupdate.icu
fileboard.live
mypromo.online
skcalladhellormi.xyz
vinomag.pw
alltest-service012505.ru
besttest-service012505.ru
biotest-service012505.ru
clubtest-service012505.ru
domtest-service012505.ru
infotest-service012505.ru
kupitest-service012505.ru
megatest-service012505.ru
mirtest-service012505.ru
mostest-service012505.ru
mytest-service01242505.ru
mytest-service012505.ru
newtest-service012505.ru
proftest-service012505.ru
protest-01242505.tk
protest-01252505.ml
protest-01262505.ga
protest-01272505.cf
protest-01282505.gq
protest-01292505.com
protest-01302505.net
protest-01312505.org
protest-01322505.biz
protest-01332505.info
protest-01342505.eu
protest-01352505.nl
protest-01362505.mobi
protest-01372505.name
protest-01382505.me
protest-01392505.garden
protest-01402505.art
protest-01412505.band
protest-01422505.bargains
protest-01432505.bet
protest-01442505.blue
protest-01452505.business
protest-01462505.casa
protest-01472505.city
protest-01482505.click
protest-01492505.company
protest-01502505.futbol
protest-01512505.gallery
protest-01522505.game
protest-01532505.games
protest-01542505.graphics
protest-01552505.group
protest-02252505.ml
protest-02262505.ga
protest-02272505.cf
protest-02282505.gq
protest-03252505.ml
protest-03262505.ga
protest-03272505.cf
protest-03282505.gq
protest-05242505.tk
protest-06242505.tk
protest-service01242505.ru
protest-service012505.ru
rustest-service012505.ru
rutest-service01242505.ru
rutest-service012505.ru
shoptest-service012505.ru
supertest-service012505.ru
test-service01242505.ru
test-service012505.com
test-service012505.eu
test-service012505.fun
test-service012505.host
test-service012505.info
test-service012505.net
test-service012505.net2505.ru
test-service012505.online
test-service012505.org2505.ru
test-service012505.pp2505.ru
test-service012505.press
test-service012505.pro
test-service012505.pw
test-service012505.ru.com
test-service012505.site
test-service012505.space
test-service012505.store
test-service012505.su
test-service012505.tech
test-service012505.website
test-service012505.xyz
test-service01blog2505.ru
test-service01club2505.ru
test-service01dom2505.ru
test-service01forum2505.ru
test-service01info2505.ru
test-service01land2505.ru
test-service01life2505.ru
test-service01plus2505.ru
test-service01pro2505.ru
test-service01rus2505.ru
test-service01shop2505.ru
test-service01stroy2505.ru
test-service01torg2505.ru
toptest-service012505.ru
vsetest-service012505.ru

# Reference: https://twitter.com/James_inthe_box/status/1144917655503040515

zeronde.in

# Reference: https://twitter.com/James_inthe_box/status/1148406371265593344

http://51.91.19.20

# Reference: https://twitter.com/malware_traffic/status/1090366374772383745

youlifesucks.life

# Reference: https://twitter.com/marcos_alvares/status/1158680329881882625

jok3r5.pw
ktngb33.pw
l0vew1n5.xyz

# Reference: https://twitter.com/nao_sec/status/1162581586644070400
# Reference: https://app.any.run/tasks/09dd4638-ca3f-4649-bc37-a5a452070083/
# Reference: https://twitter.com/tkanalyst/status/1162733635679617025
# Reference: https://app.any.run/tasks/9b3c4d44-2996-470e-be96-ce7ae94fa8cd/

advertserv99.club
ezstat.ru
gougounu.site
mailadvert2551mk29.club
popadvert.world
sdstat9551as4.club
statexadvert.club

# Reference: https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/

zabugrom.bit

# Reference: https://twitter.com/i/status/1164236292407742464
# Reference: https://app.any.run/tasks/77a62614-4e5b-4e31-8a42-2238b3911194/

vilamax.home.pl
son0fman.pw

# Reference: https://twitter.com/nao_sec/status/1165997780675874816
# Reference: https://app.any.run/tasks/76f63a44-e603-43bf-8288-d9e01addcdba/

btcseller.club
zxtds.world

# Reference: https://twitter.com/tkanalyst/status/1170688633172443139
# Reference: https://app.any.run/tasks/fd9a41e5-4768-4ab0-afd3-83988feb49c8/

advertserv25.world

# Reference: https://twitter.com/peterkruse/status/1171685525377495040
# Reference: https://twitter.com/tkanalyst/status/1173068957386866688
# Reference: https://pastebin.com/kZVikTtP
# Reference: https://www.virustotal.com/gui/ip-address/5.101.181.35/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.25.50.148/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.25.50.163/relations

advertland.net
advertmex.world
advertserv25.world
advertserv99.club
advexmai42dn.world
advexmail23mn.world
advexmail2551.club
advexmail255143x.club
advexmail2551fc7.club
advexmail270711.club
dsmail95.xyz
dsmailx9547.xyz
ecmero.com
fdmail70.club
griffintech.ru
kxserv65.club
kxserv652.club
kxservx6527.club
mailadvert17dt.world
mailadvert19.world
mailadvert2551.club
mailadvert2551zx1.club
mailadvert5917dx.world
mailadvert917dx.world
mailserv1551.club
mailserv1551ex97.club
mailserv1551kx3.club
mailserv171.club
mailserv7.club
mailserv75.com
mailserv85m.world
mailserv93fd.world
mailstat55.club
mailstat557.club
mailstatx5577.club
mextes.com
popadvert.world
sdstat901511.club
sdstat9551.club
sdstat955192rv.club
sdstat9551as4.club
sdstat9551pm3.club
sdstat95xz.world
sdstat97tp.world
serverupdate7.world
starserver45.world
starserver4551.club
starserver4551mx2.club
starserver715km.world
starserver75ms.world
statexadver32s.world
statexadver35111.club
statexadver3552.club
statexadver3552ap93.club
statexadver3552mn12.club
swissmarine.club
zel.biz
(advertmarin|advertpage|advertserv|advertstat|advexmai|aqstarserver|bstarserver|cmailad|cmailadvert|gmailadvert|cmailserv|dsmaild|kmailserv|kstarserver|kxserv|kxservxmar|mailadvert|mailserv|mailsmall|mailstat|nadvexmail|pstarserver|rmailserv|rstarserver|rexstat|sdstat|smantex|starserver|statexadver|zmailserv)[0-9][0-9a-z]+\.(com|club|world|xyz)

# Reference: https://www.virustotal.com/gui/file/b1b974ceee5968a8453e015356edfded1e9dcba5dda50320f78abf24a4a3e0dd/relations

195.201.161.25:2012

# Reference: https://twitter.com/benkow_/status/1164894072580071424

rollansdx.icu

# Reference: https://github.com/silence-is-best/c2db#smokeloader

thankg1.org

# Reference: https://app.any.run/tasks/59bf16be-0c99-43f7-954c-94f952f5eb84/

blogserv27.com

# Reference: https://twitter.com/OttoScav/status/1189220259842187264

careandhelporganization.co.ug

# Reference: https://twitter.com/James_inthe_box/status/1197128315519193088

manikurshoping.ru

# Reference: https://twitter.com/wwp96/status/1206660123256655874

dill10n1.pw/tg/

# Reference: https://twitter.com/James_inthe_box/status/1207417534103732224
# Reference: https://app.any.run/tasks/0d1e9add-f1bc-4387-9bb9-e9fa67f393f6/

jungl35.pw

# Reference: https://twitter.com/kyleehmke/status/1209107746437652480

cloudfront365.com

# Reference: https://twitter.com/James_inthe_box/status/1084282526649147392

fribola.com
mailcdn-office365.io
rocket365.to
update-vmware-service.com

# Reference: https://twitter.com/nao_sec/status/1212931538658004994
# Reference: https://app.any.run/tasks/929d4bd2-2442-45c7-8662-88affaa43cea/

054-235-2465.com
234-25-23-423.com
3053-325-43-253.com
324-23-32432.com
35-23-4532-34.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1217739290270191616
# Reference: https://app.any.run/tasks/2d3d98af-5fcd-4bb0-b0c2-b1fbb09175a4/

kinokritikboss.ru

# Reference: https://www.exposedbotnets.com/2017/10/bookwormsbiorhythmtopsmoke-loader.html

bookwormsbiorhythm.top
charlesadvanced.top

# Reference: https://twitter.com/killamjr/status/1221505288194232320
# Reference: https://app.any.run/tasks/2fa282b6-3e39-49c6-b642-20c8e979d218/

j5cool.xyz

# Reference: https://twitter.com/JayTHL/status/1222384280057319427

troubleshootingasaservice.com

# Reference: https://twitter.com/tkanalyst/status/1225614413350064129
# Reference: https://app.any.run/tasks/ba7e7df3-5eca-4c97-89b6-ddc54f358c36/

chuam365.site

# Reference: https://twitter.com/James_inthe_box/status/1228084030853173248
# Reference: https://app.any.run/tasks/791ddd7b-8e65-461a-9b36-2a023a01e81b/
# Reference: https://app.any.run/tasks/78da8635-9460-45b9-a386-39408008de10/

wdifsdf9820.site
wdifsdf9820.xyz

# Reference: https://pastebin.com/inmdCbi1

soapstampingmachines.com/a2/
soapstampingmachines.com/a/
mac-pro.it/1/

# Reference: https://twitter.com/nao_sec/status/1231149711517634560
# Reference: https://app.any.run/tasks/f1cf470c-ae7e-4831-bc2a-d845a6e616a2/
# Reference: https://www.virustotal.com/gui/file/6f545b2b4503530d6c7df25150a9d68f192b078410086a6073a72c34d3b5f0ea/detection

huivaritaslloa.info
infinitydeveloperspes.info
unverifiedintigoosjai.info

# Reference: https://twitter.com/nao_sec/status/1239137537328701442
# Reference: https://app.any.run/tasks/72580d88-98c9-4495-8321-27f0f6763a2c/

bakery365sawamura.website
offwhiteoallrightou.today

# Reference: https://twitter.com/nao_sec/status/1244567558499389440
# Reference: https://app.any.run/tasks/29d5e021-b083-4316-a9b0-5ad0669f1f39/

bealkian.today
ferymspaniumryou.today
tophundretgoods.today

# Reference: https://app.any.run/tasks/964e4bb8-5a59-496b-9fa8-c3799b6f687e/

ferymspaniumryou.today
sumrachnorber.agency
seamseamnim.today
ruffsdf.today
stopcfams.today
buchxuchsd.agency
girlaina.fun

# Reference: https://twitter.com/James_inthe_box/status/1248964446505947136
# Reference: https://app.any.run/tasks/4cc95d8b-f2c7-457d-97d2-991d0115c1b4/

cleancleankkl.net
ghjk78kjhb.net

# Reference: https://twitter.com/FaLconIntel/status/1255665102264528898
# Reference: https://app.any.run/tasks/3f461626-f5e7-4a6c-8b5b-f517bb5619e2/

165.22.96.155:3719
as-1.9hits.com
as-2.9hits.com
as-3.9hits.com

# Reference: https://exchange.xforce.ibmcloud.com/url/hfgfr56745fg.com/admin/gate.php

hfgfr56745fg.com

# Reference: https://www.virustotal.com/gui/file/016f95ec4da0bfd09781714004240abb4f79092b697ae3f3a0868dbfc68f7bf1/detection

45.142.214.39:2012

# Reference: https://twitter.com/reecdeep/status/1268489894306942976
# Reference: https://twitter.com/3rg4f4/status/1268470579541221377

agenciatributaria.site
transvil2.xyz
utenti.info
utenti.live

# Reference: https://twitter.com/reecdeep/status/1269911390141190144

flablenitev.site
lendojekam.xyz
lgrarcosbann.club
lpequdeliren.fun

# Reference: https://app.any.run/tasks/0f097295-2483-45fe-9e64-a55ca8033cb5/
# Reference: https://app.any.run/tasks/fabf6492-1583-4a83-8f7f-d1b9539d9a7c/
# Reference: https://www.virustotal.com/gui/domain/stoknolimchin.exnet.su/relations
# Reference: https://www.virustotal.com/gui/file/2e692927e6d8f711a6ab79e0b5cba6fd6608bfaa43415f1c634119bd296581d6/detection

bteyryeuliliezya.website
dilitainfstezya.website
etasuklavish.today
grammmdinss.today
iizminsaosgstezya.website
isemnisdsidfnstezya.space
kimchinikuzims.today
kimonodridstezya.website
kstlaspodastezya.space
kvkukodasstezya.website
lupadypa.dagestan.su
mragyzmachnobesdi.today
musaroprovadnikov.live
mvodicascdstezya.space
nastyagatezya.website
pikabysapindsstezya.website
roompampamgandish.wtf
skkrapchikuhdncstezya.space
slacvostinrius.today
stobikosdmstezya.website
stoknolimchin.exnet.su
stolkgolmishutich.termez.su
straponuliusyn.today
teemforyourexprensiti.life
viprasputinsd.chimkent.su
yptututdrfezya.website

# Reference: https://www.virustotal.com/gui/file/5bc98c9ee4c28735ed4e72d0b7e03aa824c17716d965b7b07c33a9629ef95335/detection

etasuklavish.today
grammmdinss.today
kimchinikuzims.today
lupadypa.dagestan.su
mragyzmachnobesdi.today
musaroprovadnikov.live
slacvostinrius.today
stoknolimchin.exnet.su
straponuliusyn.today
viprasputinsd.chimkent.su

# Reference: https://pastebin.com/5QKdKvZH

bblkatozainastezya.pet
bteyryeuliliezya.website
bzfdrtadestezya.abkhazia.su
dadadlodddstezya.space
dilitainfstezya.website
drandugaosissstezya.today
glovesddstezya.adygeya.su
iizminsaosgstezya.website
isemnisdsidfnstezya.space
kimonodridstezya.website
korybaxaya.today
kstlaspodastezya.space
ktxuentostsstezya.abkhazia.su
kvkukodasstezya.website
lambadadndstezya.adygeya.su
lgpakistandstezya.adygeya.su
mariusanna.live
mvodicascdstezya.space
nastyagatezya.website
olvnedorogocsnstezya.space
pcdakirgistanddstezya.adygeya.su
pikabysapindsstezya.website
promolniyaropsstezya.space
rastrirovaldrttezya.website
rdododopizzaarstezya.red
rumndadstezya.adygeya.su
semenoavsya.today
skkrapchikuhdncstezya.space
smkladryginichedkezya.today
sstempossdstezya.abkhazia.su
steplerstezya.today
stobikosdmstezya.website
vislouxoasstezya.pet
yptututdrfezya.website

# Reference: https://app.any.run/tasks/d87258f6-f4a5-426e-b6b7-addfe1a490e9/

4ermanderezya.website
bteyryeuliliezya.website
etasuklavish.today
grammmdinss.today
ihglassdzya.website
kimchinikuzims.today
klasgindtezya.space
kmileronurzya.website
lupadypa.dagestan.su
mikluhasya.website
mragyzmachnobesdi.today
musaroprovadnikov.live
pikabyatezya.website
riserdfnstezya.space
rufinurtdrfezya.website
slacvostinrius.today
stoknolimchin.exnet.su
straponuliusyn.today
streptokokusstezya.space
ticketbonus.fun
viprasputinsd.chimkent.su

# Reference: https://www.virustotal.com/gui/domain/swxadvexmail19mn.xyz/relations

swxadvexmail19mn.xyz

# Generic trails

/advlogs9579/
/advlogs95/
/blogpics17/
/logstat95/
/logstatx77/
/serverlogs29/
/serverstat315/
/statweb77/
