# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: chanitor, hancitor

# Reference: https://www.threatcrowd.org/listMalware.php?page=0&antivirus=Trojan:Win32/Chanitor

o3qz25zwu4or5mak.onion
o3qz25zwu4or5mak.tor2web.org
o3qz25zwu4or5mak.tor2web.ru
svcz25e3m4mwlauz.onion
svcz25e3m4mwlauz.tor2web.org
svcz25e3m4mwlauz.tor2web.ru
um6fsdil5ecma5kf.onion
um6fsdil5ecma5kf.tor2web.org
um6fsdil5ecma5kf.tor2web.ru

# Reference: https://twitter.com/James_inthe_box/status/1044957343568388097
# Reference: https://pastebin.com/st49wnwB

onthethatsed.ru
tontheckcatan.ru

# Reference: https://pastebin.com/bPV4gVVL

heundthetrec.ru
perranrowsin.com
utteronhim.ru

# Reference: https://pastebin.com/CQGHUK03

caperlighleft.com
hescatofme.ru
ledeventutru.ru

# Reference: https://twitter.com/James_inthe_box/status/1047490196319612928

milliondollarlawsuit.co

# Reference: https://twitter.com/malware_traffic/status/1113586907655680001

waorveled.com

# Reference: https://twitter.com/Antelox/status/914949407442862080

kedmolorop.com

# Reference: https://twitter.com/BroadAnalysis/status/880488094277009408

repwasswithhow.com 

# Reference: https://twitter.com/BroadAnalysis/status/783725374161186816

gotevengsorol.ru

# Reference: https://twitter.com/BroadAnalysis/status/753688954323529729

wassuseidund.ru

# Reference: https://twitter.com/mesa_matt/status/1113866153108148224
# Reference: https://ghostbin.com/paste/27b9a/raw

alldogspoop.co
alldogspoop.org
alldogspoop.biz
alldogspoop.info
alldogspoop.mobi
alldogspoop.net
cherryhillpooperscoopers.com
pooperscooperfranchise.com
shopalldogspoop.com

# Reference: https://twitter.com/CapeSandbox/status/1132548710490148864

hinsurefling.ru
oneningsitar.com
witoftrinreb.ru

# Reference: https://twitter.com/VK_Intel/status/1143512697004331008
# Reference: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-06-25-hancitor-build-2705_437890-vk.txt

hefidanot.com
metyrofhe.ru
usesindownne.ru

# Reference: https://twitter.com/malware_traffic/status/1145793372126416897

totharduron.com

# Reference: https://twitter.com/killamjr/status/1146108509324480514
# Reference: https://app.any.run/tasks/fe00a2ef-0140-4335-8c29-31b2cf15e358/

carbonatedcocktails.com
fizzics.biz
perlinisystems.com
shanakaplan.com

# Reference: https://twitter.com/VK_Intel/status/1146139326646034433
# Reference: https://twitter.com/James_inthe_box/status/1145765244645433344
# Reference: https://twitter.com/malware_traffic/status/1146503887215636480

http://31.44.184.201/fknmo/gate.php
http://31.44.184.33
tonsruhatbab.com

# Reference: https://twitter.com/James_inthe_box/status/1153326001155272704

forrolrestons.ru
hersdintfortho.ru
retredmuchwas.com

# Reference: https://twitter.com/HerbieZimmerman/status/1166046889067896832
# Reference: https://app.any.run/tasks/6a8b1b54-320e-4cf8-aed0-0140714fdd10/

rolfikinme.ru
sparherrestal.ru

# Reference: https://twitter.com/K_N1kolenko/status/1096001487040331778

ratlittonrigh.com
tofttoldboand.ru
fortroweventlac.ru

# Reference: https://unit42.paloaltonetworks.com/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/

betsuriin.com
callereb.com
evengsosandpa.ru
felingdoar.ru
gmailsign.info
hecksafaor.com
heheckbitont.ru
hianingherla.com
hihimbety.ru
meketusebet.ru
mianingrabted.ru
moatleftbet.com
mopejusron.ru
muchcocaugh.com
ningtoparec.ru
nodosandar.com
ritbeugin.ru
rutithegde.ru
surofonot.ru
uldintoldhin.com
unjustotor.com
wassuseidund.ru

# Reference: https://twitter.com/JayTHL/status/1179794844262305793
# Reference: https://app.any.run/tasks/0e56d1f8-8606-42d1-8951-88e4d134981b/

csinashville.com
spausence.com

# Reference: https://twitter.com/JayTHL/status/1179799689341886464

cowandchickens.com
chateaumorritt.ca
thegbar.net
thegbars.us
thegbars.net
fedtoner.com

# Reference: https://twitter.com/JayTHL/status/1179796029425754112

knoweent.ru
wortionce.ru

# Reference: https://twitter.com/K_N1kolenko/status/1182244055293599744

compatime.ru
mandanoter.ru
warlarvars.com

# Reference: https://twitter.com/malware_traffic/status/1182407518611529728

avantusthea.com
cornbeijnvoxin.com

# Reference: https://twitter.com/K_N1kolenko/status/1183657536588865536

branderryadhe.ru
caputenedif.ru

# Reference: https://pastebin.com/HLnQT4qy

adu0.xyz
asfpindia.org
austinhcg.com
bigsunshinebooks.com
brydenstt.com
dl-rw.com
drewcanole.com
episodez.online
hygieneteam.nl
pbssindia.in
pflagakron.org
talkshows.xyz
yooball.com
yourecovers.com
cornbeijnvoxin.com
digplaliatinte.ru
dvdflowerrook.ru

# Reference: https://twitter.com/wwp96/status/1184490107467788293

asfpindia.org
pbssindia.in
viplace.pt

# Reference: https://pastebin.com/bJ4ynhDe

afmichicago.org
african-trips.com
aftablarestan.ir
alferdows.com
cenovia.com
euroteriage.com
gotladyhope.ru
januserfish.ru

# Reference: https://pastebin.com/Q6aPDCDt

boatattorney.com
keramenzakt.com
linglentelevox.ru
mdistellerryck.ru

# Reference: https://twitter.com/malware_traffic/status/1186885436397850624
# Reference: https://app.any.run/tasks/742165cc-6e00-4483-af5e-6c49ae53b976/

31.44.184.160:8080

# Reference: https://twitter.com/K_N1kolenko/status/1187302956644929537

durestuasben.ru
sagitecheadle.com
vladiondul.ru

# Reference: https://pastebin.com/bKwb2Yig

pmk-55.ru

# Reference: https://twitter.com/K_N1kolenko/status/1188729131523031040

penreleaplif.ru
scangescangomu.ru
wickawbarrysci.com

# Reference: https://twitter.com/James_inthe_box/status/1188771146105147392
# Reference: https://app.any.run/tasks/de677fac-06c7-4c32-bd7a-05fc10cd5196/

blakejordan.com

# Reference: https://pastebin.com/JY6StTeK

youqu0.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1188837744568688640

pubarecaz.com

# Reference: https://twitter.com/JayTHL/status/1189934275476492288

damcoservices.com

# Reference: https://twitter.com/K_N1kolenko/status/1190903765005750272

selesesteq.ru
thaverenta.ru
wingritydet.com

# Reference: https://pastebin.com/mWznRNAS

3dpixelstudio.co
amtours.net
bbhs.org.ng
brighter-homes.com
businessmarker.ro
caddyhk.com

# Reference: https://twitter.com/BurnerVice/status/1201269199764475904

cetotrumo.com
krovsar.ru
mamaboss.io
page-store.ru

# Reference: https://twitter.com/malware_traffic/status/1201602127300354054

ianfelton.info
laticivue.com
omni-groupllc.com

# Reference: https://any.run/malware-trends/hancitor (Note: as seen on 2019-12-04)

businessmarker.ro
laadlifashionworld.com
laticivue.com
elesengrity.com
beestunduras.com
hismosedkaj.com
huncribeen.com
sageengineering.lk

# Reference: https://pastebin.com/QBYe5kCA

lardershe.ru
thatimine.ru
wintroperly.com

# Reference: https://twitter.com/wwp96/status/1202642416098062336

harrietljones.com

# Reference: https://twitter.com/malware_traffic/status/1202704333114150918

furnanadol.com

# Reference: https://pastebin.com/qpuaEEun

andalicur.ru
lappoing.com
theirchus.ru

# Reference:

barindice.ru
lietarion.com
legroaled.ru

# Reference: https://twitter.com/James_inthe_box/status/1220036840192757762

cousidrebn.ru
hourtschem.com
thicatlies.ru

# Reference: https://pastebin.com/raw/2cpkJrW5

rindicatle.ru
tariroalz.com
torssestih.ru

# Reference: https://twitter.com/James_inthe_box/status/1221822109564858368
# Reference: https://www.virustotal.com/gui/domain/kovasrot.cz/relations
# Reference: https://pastebin.com/UmYZ30eH

diermedir.com
kovasrot.cz
ussismates.ru
wernmicaz.ru

# Reference: https://twitter.com/turduckencat/status/1222556491745570816

twereptale.com

# Reference: https://pastebin.com/raw/3mpyeQPx

charovalso.ru
gengrasjeepram.com
verectert.ru
yaqeennews.96.lt

# Reference: https://twitter.com/K_N1kolenko/status/1233366724357042176

dundrazach.com
turumency.ru
wappreraf.ru

# Reference: https://twitter.com/K_N1kolenko/status/1238071539825860608

cludions.com
othasidka.com
thumbeks.com

# Reference: https://isc.sans.edu/forums/diary/Hancitor+distributed+through+coronavirusthemed+malspam/25892/
# Reference: https://otx.alienvault.com/pulse/5e6a5ded0435e2c043e7e206

freetospeak.me

# Reference: https://twitter.com/malware_traffic/status/1239629010377887746

bralibuda.com
greferezud.com

# Reference: https://www.virustotal.com/gui/file/12f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3b/detection

primecaviar.com

# Reference: https://twitter.com/JayTHL/status/1250274763479506945

clarityupstate.com

# Reference: https://twitter.com/200_okay_/status/1250278567352532993

raihanchow.us/portfolio/tomcat1432u.php

# Reference: https://twitter.com/malware_traffic/status/1250442899700891648

maktabiprezidentivmkb.tj/glstj/seawolf126.php

# Reference: https://twitter.com/JayTHL/status/1250460683977834496
# Reference: https://www.virustotal.com/gui/ip-address/47.254.92.217/relations

clarityupstate.com
furcoatexchange.com
furcoatliquidators.com
furwholesaler.com
re-fur-bished.com
refurpose.com
rentcoat.com
rentmink.com
rentminkcoat.com
rentthecoat.com
theminkcoat.com

# Reference: https://twitter.com/DynamicAnalysis/status/1260275056644685824

afya.geefto.com
cashforfurcoat.com

# Reference: https://twitter.com/K_N1kolenko/status/1265580857944936455

nalinkrobej.ru
restozaped.ru
thozentaini.com
fantavending.mobi/wp-content/themes/sketch-new/1
oxorobotic.com/wp-content/themes/sketch/1
fotobooth.at/wp-content/themes/sketch/1
amatheakids.com/wp-content/themes/sketch/1
wp.regalporn.com/wp-content/plugins/three-column-screen-layout/1

# Generic heur trails

/4/forum.php
/6/forum.php
/.well-known/ron.php
/.well-known/rweaver732.php
/123_123123.php
/345_3429_34.php
/342578_4378.php
/34894385_4378.php
/4234_32423.php
/437843_347843.php
/5787478_74.php
/63943_54783.php
/7834_2378.php
/78435_347823.php
/83922_543.php
/852435_34859.php
/89623_3247.php
/admin/zaki.php
/bdl/gate.php
/dkywh9p/rick.php
/fknmo/gate.php
/glstj/seawolf126.php
/ls/gate.php
/ls5/forum.php
/ls6/gate.php
/plasma/gate.php
/rglennn.php
/rgovett.php
/rhf26.php
/rick.php
/rickyv319.php
/rigman43.php
/rjohn10657.php
/rjyoung007.php
/rmdrinkwater.php
/rmmurphy10.php
/robbjorgensen.php
/robby_hanshaw.php
/robert.hicks.php
/robert1325.php
/roberto.rubbiani.php
/robohip1.php
/roger.ponniah.php
/rogerpoitras7.php
/rojas5439.php
/roland.avignon.php
/rolfanderson.php
/rollntwist.php
/ron_penfold.php
/ronco9.php
/rowantotal.php
/roydsingh.php
/rswmisc.php
/rubencpa.php
/rwhayne.php
/ryanzeitler.php
/sailnsadle.php
/samurai40w.php
/sasshm.php
/sboles7.php
/scooby6060.php
/scottyw36.php
/sd37667.php
/seawolf126.php
/senmotomajin.php
/sfcw1.php
/shark601.php
/shellie.php
/sherdian19.php
/sheridanalan.php
/shogin1.php
/simonimp.php
/sjj53.php
/sjmod5.php
/sjwhome.php
/skovvaenget19.php
/sl/gate.php
/slamduncker.php
/smittybar4.php
/soberentexas.php
/sophiagamble.php
/soundm279.php
/st.vanaaken.php
/stefamherd.php
/steve.heller.php
/steveswanson22.php
/storme.cosgrave.php
/stormnz54.php
/sullych43.php
/t.carp.php
/tankeukjf.php
/tbcfix3.php
/tbconsulting.php
/technoemporium.php
/terisitababe.php
/terrybailey2009.php
/thehornet1.php
/thetafly.php
/thomasautomotive.php
/thomascarterpt.php
/thong.5.php
/timbrennan29.php
/tj.016677.php
/tjholden.php
/tjubell.php
/tmoen3.php
/tomcat1432u.php
/tomgosse.php
/tommino.php
/tonynguyen854.php
/tonypkeeling.php
/topsprop1.php
/ttregino.php
/tss9999.php
/tstanis5.php
/vancewl.php
/vmpereira.php
/walli_sw.php
/warren.php
/wayneo125.php
/waynerice816.php
/wbasser.php
/wbeliz2002.php
/wbferguson.php
/wco3520.php
/wcwjr.php
/wdavidmajor.php
/wdepietro.php
/weberdental.php
/welch9172.php
/wesleysebesta.php
/westharbour.php
/wghoward.php
/wheatstiger.php
/whitej58.php
/wildpitch.php
/williamhcondon.php
/willid5223.php
/willieotero13.php
/win.harris.php
/winterof63.php
/wjtconsult.php
/wnothhelfer.php
/woodcock_jack.php
/wretchedchild5.php
/wschnei106.php
/wsr3214.php
/wtomnelson.php
/wturnermi.php
/wwatone.php
/wyckoff1012.php
/x24spike.php
/yazanmoussa.php
/ykootss.php
/yngwll57.php
/yoshihito.shibahata.php
/ytyniec.php
/yuki_chan2004jp.php
/ywingitt.php
/zab4ksnk.php
/zapoy/gate.php
/zecoimbra1951.php
/zeke112.php
/zenrchi.php
/zubairseiendom.php