# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: chanitor, hancitor

# Reference: https://www.threatcrowd.org/listMalware.php?page=0&antivirus=Trojan:Win32/Chanitor

o3qz25zwu4or5mak.onion
o3qz25zwu4or5mak.tor2web.org
o3qz25zwu4or5mak.tor2web.ru
svcz25e3m4mwlauz.onion
svcz25e3m4mwlauz.tor2web.org
svcz25e3m4mwlauz.tor2web.ru
um6fsdil5ecma5kf.onion
um6fsdil5ecma5kf.tor2web.org
um6fsdil5ecma5kf.tor2web.ru

# Reference: https://twitter.com/James_inthe_box/status/1044957343568388097
# Reference: https://pastebin.com/st49wnwB

onthethatsed.ru
tontheckcatan.ru

# Reference: https://pastebin.com/bPV4gVVL

heundthetrec.ru
perranrowsin.com
utteronhim.ru

# Reference: https://pastebin.com/CQGHUK03

caperlighleft.com
hescatofme.ru
ledeventutru.ru

# Reference: https://twitter.com/James_inthe_box/status/1047490196319612928

milliondollarlawsuit.co

# Reference: https://twitter.com/malware_traffic/status/1113586907655680001

waorveled.com

# Reference: https://twitter.com/Antelox/status/914949407442862080

kedmolorop.com

# Reference: https://twitter.com/BroadAnalysis/status/880488094277009408

repwasswithhow.com 

# Reference: https://twitter.com/BroadAnalysis/status/783725374161186816

gotevengsorol.ru

# Reference: https://twitter.com/BroadAnalysis/status/753688954323529729

wassuseidund.ru

# Reference: https://twitter.com/mesa_matt/status/1113866153108148224
# Reference: https://ghostbin.com/paste/27b9a/raw

alldogspoop.co
alldogspoop.org
alldogspoop.biz
alldogspoop.info
alldogspoop.mobi
alldogspoop.net
cherryhillpooperscoopers.com
pooperscooperfranchise.com
shopalldogspoop.com

# Reference: https://twitter.com/CapeSandbox/status/1132548710490148864

hinsurefling.ru
oneningsitar.com
witoftrinreb.ru

# Reference: https://twitter.com/VK_Intel/status/1143512697004331008
# Reference: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-06-25-hancitor-build-2705_437890-vk.txt

hefidanot.com
metyrofhe.ru
usesindownne.ru

# Reference: https://twitter.com/malware_traffic/status/1145793372126416897

totharduron.com

# Reference: https://twitter.com/killamjr/status/1146108509324480514
# Reference: https://app.any.run/tasks/fe00a2ef-0140-4335-8c29-31b2cf15e358/

carbonatedcocktails.com
fizzics.biz
perlinisystems.com
shanakaplan.com

# Reference: https://twitter.com/VK_Intel/status/1146139326646034433
# Reference: https://twitter.com/James_inthe_box/status/1145765244645433344
# Reference: https://twitter.com/malware_traffic/status/1146503887215636480

http://31.44.184.201/fknmo/gate.php
http://31.44.184.33
tonsruhatbab.com

# Reference: https://twitter.com/James_inthe_box/status/1153326001155272704

forrolrestons.ru
hersdintfortho.ru
retredmuchwas.com

# Reference: https://twitter.com/HerbieZimmerman/status/1166046889067896832
# Reference: https://app.any.run/tasks/6a8b1b54-320e-4cf8-aed0-0140714fdd10/

rolfikinme.ru
sparherrestal.ru

# Reference: https://twitter.com/K_N1kolenko/status/1096001487040331778

ratlittonrigh.com
tofttoldboand.ru
fortroweventlac.ru

# Reference: https://unit42.paloaltonetworks.com/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/

betsuriin.com
callereb.com
evengsosandpa.ru
felingdoar.ru
gmailsign.info
hecksafaor.com
heheckbitont.ru
hianingherla.com
hihimbety.ru
meketusebet.ru
mianingrabted.ru
moatleftbet.com
mopejusron.ru
muchcocaugh.com
ningtoparec.ru
nodosandar.com
ritbeugin.ru
rutithegde.ru
surofonot.ru
uldintoldhin.com
unjustotor.com
wassuseidund.ru

# Reference: https://twitter.com/JayTHL/status/1179794844262305793
# Reference: https://app.any.run/tasks/0e56d1f8-8606-42d1-8951-88e4d134981b/

csinashville.com
spausence.com

# Reference: https://twitter.com/JayTHL/status/1179799689341886464

cowandchickens.com
chateaumorritt.ca
thegbar.net
thegbars.us
thegbars.net
fedtoner.com

# Reference: https://twitter.com/JayTHL/status/1179796029425754112

knoweent.ru
wortionce.ru

# Reference: https://twitter.com/K_N1kolenko/status/1182244055293599744

compatime.ru
mandanoter.ru
warlarvars.com

# Reference: https://twitter.com/malware_traffic/status/1182407518611529728

avantusthea.com
cornbeijnvoxin.com

# Reference: https://twitter.com/K_N1kolenko/status/1183657536588865536

branderryadhe.ru
caputenedif.ru

# Reference: https://pastebin.com/HLnQT4qy

adu0.xyz
asfpindia.org
austinhcg.com
bigsunshinebooks.com
brydenstt.com
dl-rw.com
drewcanole.com
episodez.online
hygieneteam.nl
pbssindia.in
pflagakron.org
talkshows.xyz
yooball.com
yourecovers.com
cornbeijnvoxin.com
digplaliatinte.ru
dvdflowerrook.ru

# Reference: https://twitter.com/wwp96/status/1184490107467788293

asfpindia.org
pbssindia.in
viplace.pt

# Reference: https://pastebin.com/bJ4ynhDe

afmichicago.org
african-trips.com
aftablarestan.ir
alferdows.com
cenovia.com
euroteriage.com
gotladyhope.ru
januserfish.ru

# Reference: https://pastebin.com/Q6aPDCDt

boatattorney.com
keramenzakt.com
linglentelevox.ru
mdistellerryck.ru

# Reference: https://twitter.com/malware_traffic/status/1186885436397850624
# Reference: https://app.any.run/tasks/742165cc-6e00-4483-af5e-6c49ae53b976/

31.44.184.160:8080

# Reference: https://twitter.com/K_N1kolenko/status/1187302956644929537

durestuasben.ru
sagitecheadle.com
vladiondul.ru

# Reference: https://pastebin.com/bKwb2Yig

pmk-55.ru

# Reference: https://twitter.com/K_N1kolenko/status/1188729131523031040

penreleaplif.ru
scangescangomu.ru
wickawbarrysci.com

# Reference: https://twitter.com/James_inthe_box/status/1188771146105147392
# Reference: https://app.any.run/tasks/de677fac-06c7-4c32-bd7a-05fc10cd5196/

blakejordan.com

# Reference: https://pastebin.com/JY6StTeK

youqu0.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1188837744568688640

pubarecaz.com

# Reference: https://twitter.com/JayTHL/status/1189934275476492288

damcoservices.com

# Reference: https://twitter.com/K_N1kolenko/status/1190903765005750272

selesesteq.ru
thaverenta.ru
wingritydet.com

# Reference: https://pastebin.com/mWznRNAS

3dpixelstudio.co
amtours.net
bbhs.org.ng
brighter-homes.com
businessmarker.ro
caddyhk.com

# Reference: https://twitter.com/BurnerVice/status/1201269199764475904

cetotrumo.com
krovsar.ru
mamaboss.io
page-store.ru

# Reference: https://twitter.com/malware_traffic/status/1201602127300354054

ianfelton.info
laticivue.com
omni-groupllc.com

# Reference: https://any.run/malware-trends/hancitor (Note: as seen on 2019-12-04)

businessmarker.ro
laadlifashionworld.com
laticivue.com
elesengrity.com
beestunduras.com
hismosedkaj.com
huncribeen.com
sageengineering.lk

# Reference: https://pastebin.com/QBYe5kCA

lardershe.ru
thatimine.ru
wintroperly.com

# Reference: https://twitter.com/wwp96/status/1202642416098062336

harrietljones.com

# Reference: https://twitter.com/malware_traffic/status/1202704333114150918

furnanadol.com

# Reference: https://pastebin.com/qpuaEEun

andalicur.ru
lappoing.com
theirchus.ru

# Reference:

barindice.ru
lietarion.com
legroaled.ru

# Reference: https://twitter.com/James_inthe_box/status/1220036840192757762

cousidrebn.ru
hourtschem.com
thicatlies.ru

# Reference: https://pastebin.com/raw/2cpkJrW5

rindicatle.ru
tariroalz.com
torssestih.ru

# Reference: https://twitter.com/James_inthe_box/status/1221822109564858368
# Reference: https://www.virustotal.com/gui/domain/kovasrot.cz/relations
# Reference: https://pastebin.com/UmYZ30eH

diermedir.com
kovasrot.cz
ussismates.ru
wernmicaz.ru

# Reference: https://twitter.com/turduckencat/status/1222556491745570816

twereptale.com

# Reference: https://pastebin.com/raw/3mpyeQPx

charovalso.ru
gengrasjeepram.com
verectert.ru
yaqeennews.96.lt

# Reference: https://twitter.com/K_N1kolenko/status/1233366724357042176

dundrazach.com
turumency.ru
wappreraf.ru

# Reference: https://twitter.com/K_N1kolenko/status/1238071539825860608

cludions.com
othasidka.com
thumbeks.com

# Reference: https://isc.sans.edu/forums/diary/Hancitor+distributed+through+coronavirusthemed+malspam/25892/
# Reference: https://otx.alienvault.com/pulse/5e6a5ded0435e2c043e7e206

freetospeak.me

# Reference: https://twitter.com/malware_traffic/status/1239629010377887746

bralibuda.com
greferezud.com

# Reference: https://www.virustotal.com/gui/file/12f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3b/detection

primecaviar.com

# Reference: https://twitter.com/JayTHL/status/1250274763479506945

clarityupstate.com

# Reference: https://twitter.com/200_okay_/status/1250278567352532993

raihanchow.us/portfolio/tomcat1432u.php

# Reference: https://twitter.com/malware_traffic/status/1250442899700891648

maktabiprezidentivmkb.tj/glstj/seawolf126.php

# Reference: https://twitter.com/JayTHL/status/1250460683977834496
# Reference: https://www.virustotal.com/gui/ip-address/47.254.92.217/relations

clarityupstate.com
furcoatexchange.com
furcoatliquidators.com
furwholesaler.com
re-fur-bished.com
refurpose.com
rentcoat.com
rentmink.com
rentminkcoat.com
rentthecoat.com
theminkcoat.com

# Reference: https://twitter.com/DynamicAnalysis/status/1260275056644685824

afya.geefto.com
cashforfurcoat.com

# Reference: https://twitter.com/K_N1kolenko/status/1265580857944936455

nalinkrobej.ru
restozaped.ru
thozentaini.com
fantavending.mobi/wp-content/themes/sketch-new/1
oxorobotic.com/wp-content/themes/sketch/1
fotobooth.at/wp-content/themes/sketch/1
amatheakids.com/wp-content/themes/sketch/1
wp.regalporn.com/wp-content/plugins/three-column-screen-layout/1

# Reference: https://twitter.com/James_inthe_box/status/1283511249817358341

schemeconnect.com
sportbettingdubuque.com

# Reference: https://app.any.run/tasks/07ce2b58-f619-4a3c-8232-b3a69a3233cb/

overnightfile.com

# Reference: https://twitter.com/K_N1kolenko/status/1318104716790943744

netodughra.ru
phercopar.com
sjogetahit.ru

# Reference: https://twitter.com/James_inthe_box/status/1318571872343052288
# Reference: https://twitter.com/executemalware/status/1318625990931865602

marspetcarelawsuit.com
parkwayorthopedics.ca/transport.php
volunteerslawsuit.com

# Reference: https://app.any.run/tasks/31d5e956-b217-427a-8b87-1ddadfd12769/

stylefersan.com
nepbag.com
functionalrejh.com

# Reference: https://twitter.com/malware_traffic/status/1321182175916679168
# Reference: https://www.virustotal.com/gui/ip-address/8.209.127.167/relations

breakingladd.com
faneuil-lawsuit.com
legacyhealthlawsuit.com
marspetcarelawsuit.com
nepbag.com
oreillyautolawsuit.com
partycitylawsuit.com
tomykat.com
worc-place.com
ziverbsel.com

# Reference: https://twitter.com/James_inthe_box/status/1321467050422726656

schrijfdrift.nl

# Reference: https://twitter.com/ThreatHive/status/1321489094900371456

blemecem.com
epperhaptem.com
peralsyste.com

# Reference: https://www.virustotal.com/gui/file/84c98a0aefad86ecbdcc6f87909f2c2a9f6b1744f37b130f43ef36b29796146f/detection
# Reference: https://www.virustotal.com/gui/file/01a9f5e9d83e6d8eb585b5448ca471ce795adc03ded41ccf8c12ca2f8309c77b/detection

achremittanceservices.com

# Reference: https://www.virustotal.com/gui/file/773f5e4bc9f8c4aac82f8cab8f416efe83f5a39735358301c6ca0559d61c8bf0/detection

caperesto.ru
succupen.com

# Reference: https://www.virustotal.com/gui/file/fcba3daba91a4c061d7ea5ac9a2076668f9c029826e4b2b9d2894f90673f65ab/detection

eventlarva.com

# Reference: https://app.any.run/tasks/6199802d-512f-46b4-b0e7-8ba46dacbdb5/

kuzinium.com
shhirtradej.ru

# Reference: https://www.malware-traffic-analysis.net/2020/11/04/index.html

cootbooro.ru
czyszczeniesrebra.pl
dirtroadpestle.com
juulslabel.nl
kaibophil.com
kuzinium.com
megalodonjet.ru
necemblem.ru
rounzabout.ru
shhirtradej.ru
systemperal.ru
taylorgolob.com
ubercancellationfeelawsuit.com

# Reference: https://www.virustotal.com/gui/file/cca24cf66321e5b2f63bb52b5183e9cc437bf1b59d5f34043307dbd3ab02ae62/detection

cussoricti.com
dirtroadpestle.com

# Reference: https://twitter.com/Unit42_Intel/status/1324815102630121474
# Reference: https://www.virustotal.com/gui/file/09b3c97457d3ad02204f2da76d1f9f4dadc681bcb32b0a58469461df2f7bd6b7/detection

albilverde.com
cussoricti.com
fabickng.ru
ithelpstaffing.com

# Reference: https://twitter.com/malware_traffic/status/1326204620255842304
# Reference: https://app.any.run/tasks/77f8bb6c-f055-4405-9438-c608ba947ebb/

codathegorthe.ru
taftahrice.com

# Reference: https://twitter.com/James_inthe_box/status/1328716329189220352
# Reference: https://twitter.com/wwp96/status/1328743039045677057
# Reference: https://app.any.run/tasks/060046bd-5c82-4bcf-b15e-7c36f40bbf92/
# Reference: https://www.virustotal.com/gui/file/d13601fe7d4f9ceaf033421f18256c408d01ce9987cf413f1c10aec272d0ff10/detection

easyactorwebsites.com
summervillesouthernsmiles.com
theriond.com

# Reference: https://twitter.com/K_N1kolenko/status/1328996091237371906
# Reference: https://twitter.com/Myrtus0x0/status/1329124918378647553

brankinsto.ru
duarreecto.ru
edisrictisirs.ru
finincin.com
preargeoph.ru

# Reference: https://twitter.com/K_N1kolenko/status/1329737222623535107

denduchor.com
frostation.ru
jurenaree.ru

# Reference: https://twitter.com/ffforward/status/1330909939607416840
# Reference: https://twitter.com/James_inthe_box/status/1330914110804955137

lecionewhounl.ru
pulbilood.com
shisougus.ru

# Reference: https://twitter.com/ffforward/status/1331620320659304448

lielftworiss.com

# Reference: https://twitter.com/James_inthe_box/status/1333463841347289088
# Reference: https://app.any.run/tasks/3743aba9-0cf0-4401-91dc-ec8e4134751d/

aribliffored.ru
frosemodynd.ru
propywast.com

# Reference: https://www.virustotal.com/gui/ip-address/185.133.40.192/relations

denduchor.com
finincim.com
lielftworiss.com
propywast.com
prouserting.com
pulbilood.com
theriond.com
trideprere.com

# Reference: https://twitter.com/James_inthe_box/status/1334150354515030016
# Reference: https://twitter.com/James_inthe_box/status/1334170368521564163
# Reference: https://twitter.com/Myrtus0x0/status/1334173921533325312
# Reference: https://app.any.run/tasks/962ba100-b3fc-4d6e-b147-b2dfc6f18a0e

behelzho.ru
eaussill.com
hossangerts.ru

# Generic

/4/forum.php
/6/forum.php
/7/forum.php
/8/forum.php
/.well-known/ron.php
/.well-known/rweaver732.php
/123_123123.php
/345_3429_34.php
/342578_4378.php
/34894385_4378.php
/4234_32423.php
/437843_347843.php
/5787478_74.php
/63943_54783.php
/7834_2378.php
/78435_347823.php
/83922_543.php
/852435_34859.php
/89623_3247.php
/admin/zaki.php
/bdl/gate.php
/dkywh9p/rick.php
/fknmo/gate.php
/glstj/seawolf126.php
/ls/gate.php
/ls5/forum.php
/ls6/gate.php
/plasma/gate.php
/rglennn.php
/rgovett.php
/rhf26.php
/rick.php
/rickyv319.php
/rigman43.php
/rjohn10657.php
/rjyoung007.php
/rmdrinkwater.php
/rmmurphy10.php
/robbjorgensen.php
/robby_hanshaw.php
/robert.hicks.php
/robert1325.php
/roberto.rubbiani.php
/robohip1.php
/roger.ponniah.php
/rogerpoitras7.php
/rojas5439.php
/roland.avignon.php
/rolfanderson.php
/rollntwist.php
/ron_penfold.php
/ronco9.php
/rowantotal.php
/roydsingh.php
/rswmisc.php
/rubencpa.php
/rwhayne.php
/ryanzeitler.php
/sailnsadle.php
/samurai40w.php
/sasshm.php
/sboles7.php
/scooby6060.php
/scottyw36.php
/sd37667.php
/seawolf126.php
/senmotomajin.php
/sfcw1.php
/shark601.php
/shellie.php
/sherdian19.php
/sheridanalan.php
/shogin1.php
/simonimp.php
/sjj53.php
/sjmod5.php
/sjwhome.php
/skovvaenget19.php
/sl/gate.php
/slamduncker.php
/smittybar4.php
/soberentexas.php
/sophiagamble.php
/soundm279.php
/st.vanaaken.php
/stefamherd.php
/steve.heller.php
/steveswanson22.php
/storme.cosgrave.php
/stormnz54.php
/sullych43.php
/t.carp.php
/tankeukjf.php
/tbcfix3.php
/tbconsulting.php
/technoemporium.php
/terisitababe.php
/terrybailey2009.php
/thehornet1.php
/thetafly.php
/thomasautomotive.php
/thomascarterpt.php
/thong.5.php
/timbrennan29.php
/timeflyz97.php
/tj.016677.php
/tjholden.php
/tjubell.php
/tmoen3.php
/tomcat1432u.php
/tomgosse.php
/tommino.php
/tonynguyen854.php
/tonypkeeling.php
/topsprop1.php
/ttregino.php
/tss9999.php
/tstanis5.php
/vancewl.php
/vmpereira.php
/walli_sw.php
/warren.php
/wayneo125.php
/waynerice816.php
/wbasser.php
/wbeliz2002.php
/wbferguson.php
/wco3520.php
/wcwjr.php
/wdavidmajor.php
/wdepietro.php
/weberdental.php
/welch9172.php
/wesleysebesta.php
/westharbour.php
/wggoep.php
/wghoward.php
/wheatstiger.php
/whitej58.php
/wildpitch.php
/williamhcondon.php
/willid5223.php
/willieotero13.php
/win.harris.php
/winterof63.php
/wjtconsult.php
/wnothhelfer.php
/woodcock_jack.php
/wretchedchild5.php
/wschnei106.php
/wsr3214.php
/wtomnelson.php
/wturnermi.php
/wwatone.php
/wyckoff1012.php
/x24spike.php
/yazanmoussa.php
/ykootss.php
/yngwll57.php
/yoshihito.shibahata.php
/ytyniec.php
/yuki_chan2004jp.php
/ywingitt.php
/zab4ksnk.php
/zapoy/gate.php
/zecoimbra1951.php
/zeke112.php
/zenrchi.php
/zubairseiendom.php