# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: ares, kronos, osiris, regretlocker

# Reference: https://www.proofpoint.com/us/threat-insight/post/kronos-reborn

jhrppbnh4d674kzh.onion
jmjp2l7yqgaj5xvv.onion
mysmo35wlwhrkeez.onion
suzfjfguuis326qw.onion
milliaoin.info
kioxixu.abkhazia.su
lionoi.adygeya.su
startupbulawayo.website

# Reference: http://www.broadanalysis.com/2016/10/31/compromised-site-redirects-to-rig-exploit-kit-delivering-kronos-and-nymaim/

2mynameins3344.net
johane3234.net

# Reference: https://twitter.com/nao_sec/status/1148799237049552896
# Reference: https://twitter.com/VK_Intel/status/1148803869239128071
# Reference: https://app.any.run/tasks/dcae4160-a76a-483c-ae4c-788eed561103/

xtaahlcqyfppmvwwprblvveog.paletoxyz.com

# Reference: https://twitter.com/JayTHL/status/1166744243861360642

d2gyv54plbc23to.onion

# Reference: https://twitter.com/Artilllerie/status/1179753482783473665

chlwdxvug4ptljce.onion

# Reference: https://blog.talosintelligence.com/2019/10/threat-roundup-for-september-27-to.html (# Win.Malware.Osiris-7191711-1)

updateserver4.top
updateserver7.top
updateserver5.top
updateserver9.top
updateserver2.top
updateserver8.top
updateserver10.top
updateserver6.top
updateserver3.top

# Reference: https://twitter.com/VK_Intel/status/1190317493224689667
# Reference: https://www.virustotal.com/gui/file/f61870ea2b807f6a3314ff303942961b6f4009464da09d98ea202d3450534ad3/detection

jpb3hvq7v7bsyemq.onion

# Reference: https://www.virustotal.com/gui/ip-address/142.93.190.102/relations

http://142.93.190.102
142.93.190.102:3389
142.93.190.102:443

# Reference: https://www.virustotal.com/gui/file/9d1b1960355e72b205189e7a122b6a9c4197cca650569edc89612a62d6b66efc/detection

managejave.myftp.org
update43x.myvnc.com

# Reference: https://twitter.com/malwrhunterteam/status/1321375502179905536
# Reference: https://www.virustotal.com/gui/file/a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4/detection
# NOTE(review): 128.31.0.34:9131 matches the long-published address of the Tor directory authority moria1, so it is presumably the sample's Tor bootstrap contact rather than attacker-controlled infrastructure; a hit on it would also fire for any ordinary Tor client — confirm before acting on it.

http://193.23.244.244
128.31.0.34:9131

# Reference: https://twitter.com/malwrhunterteam/status/1321388593416462337

344744.cloud4box.ru
regretzjibibtcgb.onion

# Reference: https://twitter.com/nazywam/status/1323624894458925056

o3qrynq3djknfebz.onion

# Reference: https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses
# Reference: https://otx.alienvault.com/pulse/60219f6bdc6edbc5308da56b/

ylnfkeznzg7o4xjf.onion

# Reference: https://twitter.com/D3LabIT/status/1359122226277195777
# Reference: https://www.virustotal.com/gui/file/8bbd51eb0dd0cac3e3cbd683b140b7eea3b6f13ce0c214af48f32a26791949e1/detection

mydynamite.dynv6.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1359404803596648450

rieseshopping.it/wp-content/plugins/set.exe
rieseshopping.it/wp-content/plugins/amss.jpg

# Reference: https://twitter.com/nazywam/status/1325399134808010752

linkoz.xyz

# Reference: https://www.virustotal.com/gui/file/57e348bbe709ef986f51259a8e14f6062ce36f98f2176d08f0165b124d72a9bb/detection

8.209.68.209:4039
march-socat01.com
march-socat01.xyz
marchassl01.com

# Reference: https://www.virustotal.com/gui/file/1d0ada2c71521fe445cf859da8f64b51ea469a5ed46af07364e777458c26c5ac/detection
# NOTE(review): port 9030 is Tor's default DirPort and 185.220.101.x addresses are widely observed as Tor exits, so these two entries may be Tor relays the sample contacted rather than C2 — verify before treating a match as attacker infrastructure.

185.220.101.193:20193
36.227.169.186:9030

# Reference: https://twitter.com/siri_urz/status/1369394878027825161
# Reference: http://vxvault.net/ViriList.php?MD5=BA756BD88B3C26C287DB5863FC232F50

wifoweijijfoiwjweoi.xyz

# Reference: https://twitter.com/benkow_/status/1369594973524553730

trqtfidgqmcmqytw.onion

# Reference: https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan
# Reference: https://otx.alienvault.com/pulse/606e1808f8f6722a577e7cf9

cabletv.top
ddkiieeelkif.xyz
ddkiiffdkijh.xyz
ddkiigedliji.xyz
ddkiihfelikh.xyz
ddkiilefmjim.xyz
ddkiiofelkkq.xyz
ddkiiqefmiir.xyz
ddkiirfdmjks.xyz
ddkiitefkkju.xyz
m3r7ifpzkdix4rf5.onion
qqkzfkax24p4elax.onion
securebankingapp.com
vbyrduc537l5po3w.onion
wifoweijijfoiwjweoi.xyz
ylnfkeznzg7o4xjf.onion

# Reference: https://twitter.com/The_d0c_T0R/status/1127233691451891712

88.184.237.14:8888

# Reference: https://www.virustotal.com/gui/file/56b14179deca2645e16d68a72d49c8b4fa46f8d64796b012bdd42661465c30e9/detection

asmkopvdmvoasdkm.ml
ddkiigfewewdliji.to
ddkiihsdffelikh.ml
ddkiiodgjgfelkkq.to
ddkiirwfdmjks.to
ddkiiseretfgdeelkif.ml
ddkiisfsdffdkijh.ml
ddkiitewefkkju.to
geotrackangsdfetatistics.ml
updatesdfetrtegfsv121.to

# Generic trails (URL path fragments rather than per-campaign hosts; the /tor/ entries are Tor directory-protocol paths and may also match ordinary Tor clients fetching directory documents, so treat hits on them as low-confidence on their own)

/kpanel/connect.php
/panel/connect.php
/panel/upload/data.cmp
/ZRNlFwIb/connect.php
/tor/keys/fp-sk/
/tor/server/fp/
/tor/status-vote/current/consensus
