# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: zeus, zbot, vmzeus, citadel

# Reference: https://zeustracker.abuse.ch/monitor.php?registrar=GODADDY.COM,%20LLC

aefalcon.com
9virgins.com
lincolnkaraoke.com
vegantravelshow.com
roanmtbb.com
oycservicios.com
milkworks.org
prtscrinsertcn.net
toolsathomes.com
dphcustompins.com
bocaautocenters.com
tronuprising.heliohost.org
links.heliohost.org
bilbobaggins.comxa.com
danislenefc.info
sslsam.com
bots.configbinbots.info
joejdbjrmrkklfnmf.usr.me
z3us1.z-ed.info
kesikelyaf.com
felanco.heliohost.org
circleread-view.com.mocha2003.mochahost.com
resr.configure.8c1.net
server.bovine-mena.com
google.poultrymiddleeast.com
ice.ip64.net

# Reference: https://zeustracker.abuse.ch/monitor.php?registrar=ENOM,%20INC.

ozowarac.com
luenhinpearl.com
wayufilm.com
zetes.vdsinside.com
poolkingsthailand.com
me404.net
escuelanet.com
stats.lead.mysitehosted.com
hotelavalon.org
branchtist.com
spartanr.5gbfree.com
leon10.5gbfree.com
kraonkelaere.com
indongsang.com
lion.web2.0campus.net
lifeisgoodwhenu2.info
warriorinjapan.hostjava.net
wor6.b6dfnahea.ns2.name
mxstat230.com
yamleg.fu8.com

# Reference: https://zeustracker.abuse.ch/monitor.php?registrar=Namecheap

shadowraze.pw
speroni.pw
cryptmyexe.pw
dominoziele.pw
u8781a21.pw
japanparts.pw
waserazer.pw
martex-rybnik.pw
foxmanwer.pw
ohimmades.pw
ryuitaqw.pw
blogerjijer.pw
serverjainpangwang.pw
debservers.pw

# Reference: https://zeustracker.abuse.ch/monitor.php?registrar=R01-RU

bqtest2.ru
cd31411.tmweb.ru
jacoblanderville.myjino.ru
kadastr89.ru
islenpiding.hotmail.ru
natlalirans.hotmail.ru
dileconme.hotmail.ru
pharirgatic.hotmail.ru
imamnhearte.hotmail.ru
naaninggeschcho.hotmail.ru
rarabarnfi.hotmail.ru
gyodundena.hotmail.ru
ya-aaaa123123.myjino.ru

# Reference: https://zeustracker.abuse.ch/monitor.php?registrar=PDR%20Ltd.%20d/b/a%20PublicDomainRegistry.com

iphoneservisci.com
christianwomenpc.org
rajrainwater.org
mersinescortbayanlar.org
bppkbsulsel.com
franka.in.net
markhousecm.com
chhathpuja.com
cooldomainname.ws
gjiayimeiya.com
xclones.in.net

# Reference: https://zeustracker.abuse.ch/monitor.php?registrar=R01-REG-FID

bright.su
bitters.su
turkeyhotelnoslafas.su
angryshippflyforok.su
nonstopeddanceraz.su
pedropedreiromoxik.su
beatyhousesupporte.su
rsslessons.su

# Reference: https://zeustracker.abuse.ch/monitor.php?registrar=SHINJIRU%20MSC%20SDN%20BHD

cennoworld.com
classicalbitu.com
eresimgbo.com
emailsclient.com
micheal766.info
hillalala.com
yahoo-action.com

# Reference: https://zeustracker.abuse.ch/monitor.php?registrar=ERANET%20INTERNATIONAL%20LIMITED

depolakoeasre.pw
bolerakopsoa.pw
doratopelase.pw
samoniklo.pw
delaponitan.pw
slivoratikam.pw

# Reference: https://zeustracker.abuse.ch/monitor.php?registrar=TUCOWS%20DOMAINS%20INC.

demexsoft.com
blog.raw-recruits.com
burrinsurance.com
pfengineering.com
lonsmemorials.com
bbwscimanuk.pdsda.net

# Reference: https://zeustracker.abuse.ch/monitor.php?registrar=WEB%20COMMERCE%20COMMUNICATIONS%20LIMITED%20DBA%20WEBNIC.CC

domifondery3d.com
domifondery.com
securetestingnetwotk.com
littwronthath.net
hope-found-now.net
jangasm.org

# Reference: https://plot.ly/~vkremez/17

actualmove.ru
aflar.ru
alaska2russia.ru
almazdental.ru
atmape.ru
baims.ru
bbumn.ru
bitcoin-send.ru
blesslifelove.ru
bqtest2.ru
brr-21.ru.shn-host.ru
cd31411.tmweb.ru
cogoda.ru
danbeta.ru
dileconme.hotmail.ru
dozybrown.ru
eddw.ru
endnra.ru
fitytrade.ru
fx45.pp.ru
genmjob3.ru
geopryce.ru
goa-inf.ru
gyodundena.hotmail.ru
hjsahdjalsudioaso.ru
imamnhearte.hotmail.ru
islenpiding.hotmail.ru
jacoblanderville.myjino.ru
junniper.mcdir.ru
kadastr89.ru
lebedev30.ru
legitvendors.ru
lifestyles.pp.ru
lifestyles3d.ru
love.saleb.ru
lucoilosa.ru
madunixxx.ru
mcbt.ru
naaninggeschcho.hotmail.ru
natlalirans.hotmail.ru
now-work.ru
olwwe.ru
onlyl.ru
panorama-otel.ru
pharirgatic.hotmail.ru
platinum-casino.ru
pnmmn-cyvbiqzbe.ru
rarabarnfi.hotmail.ru
rich11ds2015sqr.ru
richus.ru
s888for.ru
sp4m.ru
tosyisha.ru
u0003321.cp.regruhosting.ru
ulogroup.ru
uralviolet.ru
viose.ru
vz81757.eurodir.ru
warfacebest.ru.swtest.ru
changeexchange2.ru
eroconlia.ru
luxkupe.ru
ruyacafe.net
tvergeneration.ru
zvenigorodskoe.ru
ya-aaaa123123.myjino.ru
zabava-bel.ru
zhyravlik.ru

# Reference: https://www.malwaredomainlist.com/forums/index.php?topic=2207.1255;wap2

zxjfcvfvhqfqsrpz.onion
zxjfcvfvhqfqsrpz.onion.gq
zxjfcvfvhqfqsrpz.onion.lt
zxjfcvfvhqfqsrpz.onion.cab
zxjfcvfvhqfqsrpz.onion.city
zxjfcvfvhqfqsrpz.onion.direct
zxjfcvfvhqfqsrpz.onion.link
zxjfcvfvhqfqsrpz.onion.nu
zxjfcvfvhqfqsrpz.tor2web.fi
zxjfcvfvhqfqsrpz.tor2web.blutmagie.de
zxjfcvfvhqfqsrpz.tor2web.org
zxjfcvfvhqfqsrpz.tor2web.ru
zxjfcvfvhqfqsrpz.tor-gateways.de

# Reference: https://www.virustotal.com/en/file/0663c151e7107e6d5378ecba52753f78ad50761ac6e32b63b95172dc840a1225/analysis/

aa.jn43d.su
ds38dks.net
tmp87.jn43d.su
tmp90.edns.su
tmp32.dns-free.su
c19h7.no-ip.su
fp-mk.net78.net
tmp21.dnsx23.su
tmp19.dns71.su
tmp12.dns-top.org
d65g.dw7g3.dns-free.su
d65g.dw7g3.dn3gwe.su
d65g.dw7g3.dnesa343.ru
d65g.dw7g3.dndfr44.su
d65g.dw7g3.d33jd.net
d65g.dw7g3.fefg934.info
d65g.dw7g3.46hf44.tv
d65g.dw7g3.dnrrrrrrrr.xxx

# Reference: https://www.threatcrowd.org/malware.php?md5=1ccde9e8e2599f7423ec0334013ef0c7

xdns.su

# Misc. (no public reference recorded for the entries below)

c19h7.no-ip-free.su
d65g.dw7g3.dns-free.su
ds.fdlo1.su
tmp19.dndddew1.su
tmp19.dns71.su
tmp21.dnsx23.su
tmp32.dns7free.su
tmp33.djuika.su
tmp33.dnsm2.su
tmp47.xdns.su
tmp90.dnsm2.su
ujn.sdf439.su

# Reference: https://blog.talosintelligence.com/2018/08/threat-roundup-0810-0817.html

blessedgroup.biz

# Reference: https://blog.talosintelligence.com/2018/08/threat-roundup-0824-0831.html

neosz.org

# Reference: https://blog.talosintelligence.com/2018/08/threat-roundup-0817-0824.html

www.crossatlantictrades.info

# Reference: https://reaqta.com/2018/09/global-malware-campaign-using-zeus-panda/

http://85.204.74.107
http://89.18.27.143
http://89.18.27.221
http://95.141.36.106
http://95.181.178.216
aanvraag-ing.nl
abnamto.com
adobeflashupdater.net
american-express.site
american-express24.com
apple-activated.com
apple-inc-server-icloud.com
apple-ins-server-icloud.com
apple-ituens.com
apple-ltunes-ios.com
appleid-find-usa.com
applessl.info
bdv4cc9rub.net
blochhain.com
blockchaiw.info
cibconline.cibc.com.ebm-anp.com
clickara.com
cloudflore.cc
colobinar.com
conectlo.qt
conishiret.com
disbanist.com
elementaleios.win
elementalelib.space
free-etherwallet.com
freeflysky.tk
gegirtan.com
gemendoloma.top
google-cloud.pw
gorevoin.com
gov.0.56v.us
guardnet.review
iban-abnamro.nl
iban-ing.nl
iban-marktplaats.nl
iban-rabobank.nl
icloudip-itunes.com
ielectrum.info
imap.em.gmailssdf.com
imap.maill.clintonemailhearing.com
lelectrum.com
lloyds-online-banking.verificaiton-stamp-online.com
maferdola.top
magentotoolset.com
mail30.power-gt.com
metrobanakonlline.com
mijning-ssl.info
mijning-ssl.nl
minotaris.com
mongovaca.win
nodertoma.top
polessdo.com
polinodara.com
power-gt.com
ppnl.info
procrd.pro
prosalesservice.com
sitergenis.com
sobentera.com
staticball.com
sucursalesvirtuales.at
sucursalvirtualpersonas.at
ukogono.top
verificaiton-stamp-online.com
vigerentis.com
waser.ml
worontau.top

# Reference: https://twitter.com/Bank_Security/status/1039211385752875008
# Reference: https://otx.alienvault.com/pulse/5b968a18fd673805822ff806

bizercise.top
cremedesoins.top
disithedtse.com
gaswanted.top
nauseorofte.ru
theeunload.website

# Reference: https://blog.talosintelligence.com/2018/09/threat-roundup-0907-0914.html (Win.Dropper.Zbot-6681657-0)

grandesupport.biz

# Reference: https://twitter.com/JAMESWT_MHT/status/1045564495723188225

94.102.60.144/1/gate.php
94.102.60.144/1/screenshot_gate.php

# Reference: https://twitter.com/r00tninja/status/1043978633558347777

wxyxgpescui4qpmc.onion

# Reference: https://twitter.com/blackorbird/status/1140519090961825792

br1vo.com

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2014/2014-04-07-zbot-botnet-steals-thousands-credentials/zbot-botnet-steals-thousands-credentials.csv

merdekapalace.com
vodrasit.su

# Reference: https://twitter.com/James_inthe_box/status/1186291866511147008
# Reference: https://twitter.com/P3pperP0tts/status/1186565131829948417

baloobafoudanitojahdge.space
godisonourside5.store
molanounakomllbsedfrtee.xyz

# Reference: https://twitter.com/ChrisPSecc/status/1059374450100109313

foxbeagle.com

# Reference: https://twitter.com/James_inthe_box/status/1190320241139564544

ac-cofan.com

# Reference: https://blog.talosintelligence.com/2019/11/threat-roundup-1025-1101.html (Win.Packed.Zbot-7364099-0)

alnisat.com
jagalot.com
myadvsit1.com

# Reference: https://www.virustotal.com/gui/ip-address/185.70.184.88/relations

http://185.70.184.88

# Reference: https://www.virustotal.com/gui/domain/appareluea.com/relations

appareluea.com

# Reference: https://viriback.com/30-days-later-97-panels/

nsdic.pp.ru
dtron.gdn

# Reference: https://www.virustotal.com/gui/file/0f799184fc1d6912469a26fc1c60e0f3f7fa4f9ef172f77d791911200168ee84/behavior/VirusTotal%20Cuckoofork

bonton.by

# Reference: https://www.virustotal.com/gui/file/eda6b09b87f893c7940219e19c2aa1ae1a4e0c9d07af13c4cedb9bd4ecc7cdda/behavior/VirusTotal%20Jujubox
# Reference: https://www.virustotal.com/gui/file/4e8d523f1c48f606a42a25a7ebacedc0747da860bfef6a489dfe6f3b72eb7762/behavior/VirusTotal%20Jujubox
# Reference: https://www.virustotal.com/gui/file/34c3e4f184b2b2551988e97941cc5aafaf9ad9bb47e03e35b4a6951a9ec502dc/behavior/Dr.Web%20vxCube

http://31.220.2.120/~bulblgh1/

# Reference: https://www.virustotal.com/gui/ip-address/185.170.43.187/relations

/ibbcgcwbrsghsovq/gate.php
/lgdrxgsorgvanizl/gate.php
/rnbqjgjxyqonejhm/gate.php
/wjsjltaipbnypilx/gate.php

# Reference: https://www.virustotal.com/gui/ip-address/167.114.89.205/relations

bemybooter.eu
edmundgroup.tk
emeonlineinc.com
estebantrejos.com
freetool.tk
partchecker.info
skmineinc.tk
swatt.me

# Reference: https://securityintelligence.com/posts/zeus-sphinx-back-in-business-some-core-modifications-arise/

dasifosafjasfhasf.com
dsdjfhdsufudhjas.com
dsdjfhdsufudhjas.info
dsjdjsjdsadhasdas.com
fdsjfjdsfjdsdsjajjs.com
fdsjfjdsfjdsdsjajjs.info
fdsjfjdsfjdsjfdjsfh.com
fdsjfjdsjfdjsfh.com
idisaudhasdhasdj.com
idisaudhasdhasdj.info
kasfajfsafhasfhaf.com

# Reference: https://www.virustotal.com/gui/file/cdd21d133862b336d6e9f6023cabc8624f2dfe78b4060e22bcd560d83caa7725/detection

microsofto.sytes.net

# Reference: https://www.virustotal.com/gui/file/f3990a88fbcd2e6c31d6dc423bb90610444227e25bd26848e653939bf593b9ed/detection

http://93.174.89.19
