# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: pony stealer, pony loader

# Reference: https://www.f-secure.com/weblog/archives/00002793.html

angryflo.ru
reggpower.su

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Fareit-CAD/detailed-analysis.aspx

dhfgfgshds.top

# Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Fareit-AAJ/detailed-analysis.aspx

sandrethe.ru

# Reference: https://blog.talosintelligence.com/2018/09/threat-roundup-0914-0921.html (Win.Dropper.Fareit-6688124-0)

aerolitigate.com
anotherlscreation.com
businessintuitive.expert
instrovate.com
maisonlecallennec.com
meesebyte.com
mufflerbrothersbellbrook.net
mxauny.men
weltho.com
ybnonline.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1050332889844465664

spimports.com.br/age/panel/gate.php

# Reference: https://www.cyren.com/blog/articles/iceland-police-phishing-attack-targets-bank-credentials
# Reference: https://www.virustotal.com/#/file/53cf32ce0c34df94422c43e295e928c69c7b1b2090cf6943000470f7e0128d67/relations

iam.shadesoul.online
heis.shadesoul.online
the.shadesoul.online

# Reference: https://blog.talosintelligence.com/2019/05/threat-roundup-0426-to-0503.html (# Win.Malware.Fareit-6958493-0)

snooper112.ddns.net
harryng.ddns.net
icabodgroup.hopto.org
popen.ru
hfgdhgjkgf.ru
rtyrtygjgf.ru

# Reference: https://blog.talosintelligence.com/2019/08/threat-roundup-0726-0802.html (# Win.Trojan.Fareit-7090291-0)

digitalimagellc.us
dkaul.su
ffuex.su
kglso.ru

# Reference: https://app.any.run/tasks/64044834-369b-4be0-92e6-0c1cf7ae6f28/

katerobinson.icu

# Reference: https://app.any.run/tasks/7cd3d776-4db0-4382-9609-05d71b48e15e/

/g_38472341.php

# Reference: https://app.any.run/tasks/323e1e84-a200-4547-91d7-e46e8724b6de

sariincofood.co.id/nev/panelnew/gate.php

# Reference: https://www.virustotal.com/gui/file/c1544759a8f64f854d13e72a72d8db811d77a3e47e8d828bd34d546c4b57e842/behavior/VirusTotal%20Jujubox

xperiencerem.duckdns.org
79.134.225.52:9106

# Reference: https://blog.talosintelligence.com/2018/09/threat-roundup-0907-0914.html (Win.Dropper.Ponystealer-6680912-0)

3zci3b.info
841bifa.com
aditsachde.com
ayursanskar.biz
benthanh-toyota.com
bigmovephilly.com
casineuros.com
chfnik.com
chinaxzl.com
crstudents.net
custombusinessapps.net
cyn.ink
dk-drugs.com
donghairc.com
fattoupdates.date
femalesdress.com
fiveroot.com
float2fit.com
funnysworld.com
giftedaroundtheworld.com
globaltimbereurope.com
goedutravel.com
happyslider.com
ketones.info
luxuryconversion.com
mizukusahonpomeibi.com
mjkrol.com
oane4.win
planeggerstrasse.info
puptowngirl.net
qfs.ink
rabe-networks.com
redkoe-porno.info
reducetarian.biz
reviewhqs.com
revivemyappliance.com
rsstatic.com
scgcgg.com
schmidtatlanguage.com
selviproperty.com
sjckt888.com
studio51.style
suatusta.com
telegraphresidences.com
theadvancedcoach.com
theniftyfiftiesband.com
thienduonghoaviet.com
vdemg.info
verzuimverzekering.info
webbyen.com
xctljc.com
xn--fjqu42jgii.com
xn--vuqu93jrjhqkc.net
zjjdmd.com

# Reference: https://twitter.com/James_inthe_box/status/1044957343568388097
# Reference: https://pastebin.com/st49wnwB

onthethatsed.ru/d2/about.php
onthethatsed.ru/mlu/forum.php
tontheckcatan.ru/d2/about.php
tontheckcatan.ru/mlu/forum.php

# Reference: https://pastebin.com/bPV4gVVL

perranrowsin.com/d2/about.php
perranrowsin.com/mlu/forum.php
heundthetrec.ru/d2/about.php
heundthetrec.ru/mlu/forum.php
utteronhim.ru/d2/about.php
utteronhim.ru/mlu/forum.php

# Reference: https://app.cymon.io/report/AVy8uj-LEb4shFlhGDGG/68c37e5f81188f8f478b60b1b4a56fc366ee8aa15763104d49159e41ebe899c2

/po/asdfkuj.php

# Reference: https://blog.talosintelligence.com/2018/10/threat-roundup-1012-1019.html (Win.Malware.Tspy-6721070-0)
# Reference: https://www.virustotal.com/#/file/22ef53123754caa2ac3871eb01221c99482e4318b59a30c8f07b9525afae52bd/detection

myp0nysite.ru

# Reference: https://twitter.com/dvk01uk/status/1088793739223539713

/aloze/gate.php

# Reference: https://twitter.com/dvk01uk/status/1088391460892880896

/erweryui/gate.php

# Reference: https://twitter.com/Racco42/status/1029986121286074369

/reforte/gate.php

# Reference: https://twitter.com/dvk01uk/status/1115576796848762880

smartcoonect.duckdns.org

# Reference: https://twitter.com/pancak3lullz/status/1119334013246873600

blurbgood.live
loadedrones.tk
ownday.live

# Reference: https://twitter.com/pancak3lullz/status/1092804207252525065

/lopty/gate.php

# Reference: https://twitter.com/James_inthe_box/status/1123236500311724032

brugsreator.site

# Reference: https://twitter.com/dvk01uk/status/1123851987152510977
# Reference: https://app.any.run/tasks/29a96490-8160-4cf6-b458-38023c0a8220

/ba6/gate.php

# Reference: https://twitter.com/Racco42/status/1124293167476609025
# Reference: https://app.any.run/tasks/d1e32293-d755-4472-aaa2-5cfc3e612485

/ba8/gate.php

# Reference: https://twitter.com/jorgemieres/status/1131624801272049664

masezda.top
toperdoano.top
piggera.top
pinescop.top

# Reference: https://twitter.com/P3pperP0tts/status/1134513995510145026

shop-ukranya.tk

# Reference: http://tracker.viriback.com/ (# Pony)

lojalstil.mk
officeman.tk
vman23.com

# Reference: http://tracker.viriback.com/ (# Pony)

belllflight.com
ketof.000webhostapp.com
shokeydservers.tk
skylite.com.sa

# Reference: https://twitter.com/Lvanoel/status/1136505326302388224
# Reference: https://app.any.run/tasks/4d2f70a2-9546-4891-8ce6-fc7051f4281d/

lookatme-v65.gq

# Reference: https://twitter.com/HerbieZimmerman/status/1136681091258036225

mojavkicks.com

# Reference: https://twitter.com/Racco42/status/1141966760016523264

marvin-watches.com

# Reference: https://twitter.com/dvk01uk/status/1147799231090085888
# Reference: https://app.any.run/tasks/5575bf61-458a-47b4-94d2-5c93daeb67e2/
# Reference: https://www.virustotal.com/gui/file/e0d96be81946b579cd5c22d7d34e2ec97996c285f86b7c620ab031d8f46ef5fe/detection

pigeonwings.in/jss/ck/host/server/gate.php

# Reference: https://www.virustotal.com/gui/domain/service.tellepizza.com/relations

service.tellepizza.com

# Reference: https://twitter.com/Racco42/status/1152176917078073344

global-technology.in/wp-admin/bb/panelnew/gate.php

# Reference: https://twitter.com/coderippers/status/1153267389632602114

okworlds.space/wp-includes/css/panel/gate.php

# Reference: https://twitter.com/Racco42/status/1153606677385662465

fouadalemadi.com/admin/xuisp/gate.php

# Reference: https://twitter.com/wwp96/status/1166365912775254016

philliptipton.com

# Reference: https://twitter.com/P3pperP0tts/status/1176118315892314112

phoenixcnc.in

# Reference: https://app.any.run/tasks/c13231e7-a13e-418d-9b55-049a646a0cde/

sendergrid.club

# Reference: https://pastebin.com/HLnQT4qy

cornbeijnvoxin.com
digplaliatinte.ru
dvdflowerrook.ru

# Reference: https://twitter.com/Paladin3161/status/1184609691504037888

bioenecco.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1184754696571015168

onlygoodn.com

# Reference: https://twitter.com/P3pperP0tts/status/1184774736494186496

coguiworld.com

# Reference: https://app.any.run/tasks/88ed0a76-7c1c-4e31-96e3-cc9b8d2ae047/

chirayugroup.in

# Reference: https://twitter.com/Paladin3161/status/1187160285884211200

manerck.com

# Reference: https://twitter.com/pancak3lullz/status/734808391835492352
# Reference: https://www.virustotal.com/gui/domain/zurekconstruction.com/relations

8gaming.tk
zurekconstruction.com

# Reference: https://twitter.com/P3pperP0tts/status/1189106674503766017

joindauto.com/onli/admin.php

# Reference: https://twitter.com/ScumBots/status/1189648684503519232

vman21.com

# Reference: https://twitter.com/Paladin3161/status/1186779578380873731

oackhond.com

# Reference: https://pastebin.com/29uSdMAk

jicago-jp.com

# Reference: http://tracker.viriback.com/ (# 2019-11-04, Pony)

http://185.79.156.18
http://194.36.173.109
http://94.102.53.52
2lcfo.com
aamran.com
acousticallysound.com.au
aec.co.ir
alharshagroup.com
amiriepl-aus.com
antonioguteres.com
avchennai.edu.in
belllflight.com
bioenecco.com
camautensili.com
captaincolemanphilip.com
carereport.life
chinalarnpbase.com
chisom.j.pl
coguiworld.com
f2wa.com
fatimasalman.com
forexdispatch.info
fouadalemadi.com
fuckxy22.com
goldenfashiondeeds.com
jajar.ru
jicago-jp.com
keissy.ml
ketof.000webhostapp.com
learn.cloudience.com
lifemix123.com
lojalstil.mk
lookatme-v65.gq
maganlagame.com
manerck.com
mgimpax.com
mrhenterprises.in
oackhond.com
officeman.tk
onlygoodam.com
onlygoodn.com
osa-co.com
owentr.ru
perspexfabricationsofbrisbane.com.au
pigeonwings.in
remabad.com
saliyumakan.club
samskuad.work
setauketpitahouse.com
shokeydservers.tk
shop-ukranya.tk
skylite.com.sa
spueriniromnangratinfo.tk
thedoorshop.com.au
tioq.ga
tourscentralasian.com
ttkplc.com
tumpengsemarang.com
vman20.com
vman21.com
vman22.com
vman23.com
wroft-fd.club

# Reference: https://app.any.run/tasks/ba3fa1fe-ea61-4579-918b-3d782b1c603d/

owenewturk.ru
myp0nysite.ru

# Reference: https://pastebin.com/7Ak2nP2T

yehovahbuilders.com

# Reference: https://blog.talosintelligence.com/2019/12/threat-roundup-1206-1213.html (# Win.Dropper.Fareit-7431743-0)

loqapeek.pw
xistoons.pw

# Reference: https://twitter.com/ScumBots/status/1210097313798086657

sbrbuilding.com

# Reference: https://app.any.run/tasks/f398fe3c-a494-486d-8d12-a08025f62091/

5.34.177.9:80

# Reference: https://twitter.com/James_inthe_box/status/1217781646717419520

1800propainter.com/sepp/panelnew/gate.php

# Reference: https://twitter.com/James_inthe_box/status/1217814277597220864

79.134.225.45:44556

# Reference: https://app.any.run/tasks/41969422-f520-4e24-bf11-fda6d7d91a50/

http://195.123.222.104/viewtopic.php
http://195.123.222.104/p/g_38472341.php

# Reference: https://twitter.com/James_inthe_box/status/1219670820500336640

ozteary.ru

# Reference: https://app.any.run/tasks/a329bb27-d552-4d45-8317-7c6eb7336584/

http://85.217.171.218/p/g_38472341.php

# Reference: https://twitter.com/neonprimetime/status/1220464928785674240

uphosting.info/pro/nanny/admin.php

# Reference: https://www.virustotal.com/gui/file/01224912907f1455f128aa33ff81bddef67c23a3be538c3aecdc7f95f6ef2f6c/detection

frteary.ru

# Reference: https://app.any.run/tasks/c2520065-cc72-4acf-addd-ddf61f9c0488/

http://195.123.240.67

# Reference: https://app.any.run/tasks/18bd5b34-e5c0-40aa-9eaa-ed86cca12a5f/

http://45.90.57.16

# Reference: https://twitter.com/wwp96/status/1226893051685199872

castmart.ga

# Reference: https://blog.talosintelligence.com/2020/02/threat-roundup-0207-0214.html (# Win.Packed.Ponystealer-7581286-0)

streetcode3.com

# Reference: https://app.any.run/tasks/0643b085-4919-444c-b674-949bd7967d53/

financeunitedgroup.com

# Reference: https://www.virustotal.com/gui/file/504e294991f1676fb7ecb712b19a110359ce25b89dcaf056b6c8b8aca13817f1/detection

cp71017.tmweb.ru

# Reference: https://www.virustotal.com/gui/file/4a2fdeaf23b28536703058b0eda67ad6c5267d7fd2bfbc9214cb83eed1e6edd0/detection

cm05540.tmweb.ru

# Reference: https://twitter.com/ps66uk/status/1229853090662227973
# Reference: https://app.any.run/tasks/22607a2d-bbae-4a24-9525-d99b6636ee3b/

suspend-puncture.dvrlists.com

# Reference: https://app.any.run/tasks/3daa715d-efe6-4dd8-bc3f-ec9f9188bac8/

http://195.123.225.9

# Reference: https://app.any.run/tasks/7830938e-021d-4f6d-8b27-c791dfa4f530/

http://185.234.72.142

# Reference: https://www.virustotal.com/gui/domain/papergang.ru/relations

papergang.ru

# Reference: https://www.virustotal.com/gui/domain/opixib.bid/relations

opixib.bid

# Reference: https://www.virustotal.com/gui/domain/bags.mn/relations

bags.mn

# Reference: https://www.virustotal.com/gui/domain/dualserverz.info/relations

dualserverz.info

# Reference: https://www.virustotal.com/gui/domain/frankweb.club/relations

frankweb.club

# Reference: https://www.virustotal.com/gui/domain/aloucakbileti.com/relations

aloucakbileti.com

# Reference: https://www.virustotal.com/gui/ip-address/108.166.65.182/relations

108.166.65.182:80
108.166.65.182:8080

# Reference: https://twitter.com/SevenLayerJedi/status/979030953275293702

bundletops.ml
carikapapa.ml
centranets.ml
cuogargaming.com
dazzlelogs.ml
dunysaki.ru
efficienci.ml
erintoba.info
gokubid.review
grandmoney.ml
hostelunke.ml
hypercosine.ml
irishgrind.ml
# NOTE(review): this entry originally contained an en dash (U+2013), which can never match an ASCII hostname on the wire; normalized to a plain hyphen — confirm against the source tweet
pharma-partners.com
preutainer.ml
rolexkings.ml
stauniverseqp.com
suruperet.ml
taineruder.ml
theonlygoodman.com
thousandan.ml
totalguage.ml
uy-akwaibom.ru
viettrust-vn.net
vinglosine.ml

# Reference: https://exchange.xforce.ibmcloud.com/url/pony.lovekhao.com/panel/gate.php

pony.lovekhao.com

# Reference: https://twitter.com/avman1995/status/1054260755183353858

medipedics.com

# Reference: https://www.virustotal.com/gui/domain/ark.treassurebank.org/relations

ark.treassurebank.org

# Reference: https://www.virustotal.com/gui/domain/fishhd.cn/relations

fishhd.cn

# Reference: https://twitter.com/pancak3lullz/status/1054800229654945792
# Reference: https://twitter.com/Racco42/status/1051847768657014784
# Reference: https://www.virustotal.com/gui/domain/farmaboti.es/relations

farmaboti.es

# Reference: https://www.virustotal.com/gui/domain/perfectnobody.xyz/relations

perfectnobody.xyz

# Reference: https://exchange.xforce.ibmcloud.com/url/domsrv.host/panel/gate.php

domsrv.host

# Reference: https://www.virustotal.com/gui/domain/simbatekhomes.com/relations

simbatekhomes.com

# Reference: https://www.virustotal.com/gui/domain/masariqroup.com/relations

masariqroup.com
sensimatino.us
slimpityio3.us
slowidyter.us

# Reference: https://www.virustotal.com/gui/domain/sstorm1k.000webhostapp.com/relations

sstorm1k.000webhostapp.com

# Reference: https://twitter.com/0bfusCat/status/1054363637274603520

ali55551.co.kr

# Reference: https://twitter.com/James_inthe_box/status/1069928327861854208

cm-lagoa.pt

# Reference: https://twitter.com/_lockhum/status/1236426156511027201

treshbux.ru

# Reference: https://app.any.run/tasks/8f567536-cd55-4dfd-992b-92057b5fcb4b/

rohs.amd.my.id

# Reference: https://www.virustotal.com/gui/file/9df797811c3ad9f45f17ae71eb76f51345b1b9c858f85027f88ce6d1992a87ec/detection

hpsupport.site

# Reference: https://www.virustotal.com/gui/domain/animal-planet.site/relations

animal-planet.site

# Reference: https://www.virustotal.com/gui/domain/ubixs.xyz/relations

ubixs.xyz

# Reference: http://cybercrime-tracker.net/index.php?search=shotgumscy.com

shotgumscy.com

# Reference: https://twitter.com/James_inthe_box/status/1245023450239889409

kanavagronomy.in/star

# Reference: https://twitter.com/_lockhum/status/1246080178037686278

ks-marine.com

# Reference: https://www.virustotal.com/gui/domain/regul.club/relations

regul.club

# Reference: https://www.virustotal.com/gui/domain/chomik.pro/relations

chomik.pro

# Reference: https://twitter.com/Jouliok/status/1247039700013060101

kanavagronomy.in/star/panel/

# Reference: https://twitter.com/pancak3lullz/status/1249696308182626304

schelliing.com

# Reference: https://pastebin.com/0MH0gsyv

ardstiobek.com
ationsopors.com
hoagoomde.com

# Reference: https://pastebin.com/dtR7uD4k

jaling.aba.vg

# Reference: https://www.virustotal.com/gui/file/f3ee2c7189752aa65a0803d879a3be59384eab730d31edddff4c61e2fdd2d738/detection

clogwars.com

# Reference: https://www.virustotal.com/gui/ip-address/8.208.22.87/relations

fitollday.site
gdboot.site
figjfigjeordhjdofijhdifh.xyz
huysto02.xyz
lsdldllatoooyrs.site
mantiak.site
perlof.site
uiotpe22.xyz
votonline1.site
wotonline.site

# Reference: https://twitter.com/James_inthe_box/status/1266005512958603264

http://185.177.59.58/viewtopic.php

# Reference: https://www.virustotal.com/gui/file/95ef821c5a53d006083999f9b3fde8ad97e750de5fb409e0e55f81fa0bc77cc3/detection

mmxgfzadrian.xyz

# Reference: https://www.virustotal.com/gui/file/1146b539c57e8e02a6ec06478e527e2c2e6a3ff2a5519ba4a2ecc848dc092692/detection
# Reference: https://www.virustotal.com/gui/file/cfad38ea55054337012e0e3c4794973fee9e3c8df85523d23ac6ca6cba939b82/detection

45.125.66.95:3067
chainonline.info
elizvanroos.info

# Generic trails (heur): the path-only trails below match on URL path alone, on any host, so a hit is a
# lower-confidence signal than the host/IP trails above and should be corroborated before acting on it.

/d2/about.php
/mlu/forum.php
/host/server/gate.php
/p/g_38472341.php
/p/z05857687.php
/ponychin/gate.php
/pony/gate.php
/pony/panel/
/ponygrace/Panel/
/ponyz/gate.php
/v1/gate.php
/v2/gate.php
/v3/gate.php
/v4/gate.php
/v5/gate.php
/v6/gate.php
/v7/gate.php
/v8/gate.php
/v9/gate.php
/v10/gate.php
/vic/gate.php
/wpi/panelnew/gate.php
