# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: chanitor, hancitor

# Reference: https://www.threatcrowd.org/listMalware.php?page=0&antivirus=Trojan:Win32/Chanitor

o3qz25zwu4or5mak.onion
o3qz25zwu4or5mak.tor2web.org
o3qz25zwu4or5mak.tor2web.ru
svcz25e3m4mwlauz.onion
svcz25e3m4mwlauz.tor2web.org
svcz25e3m4mwlauz.tor2web.ru
um6fsdil5ecma5kf.onion
um6fsdil5ecma5kf.tor2web.org
um6fsdil5ecma5kf.tor2web.ru

# Reference: https://twitter.com/James_inthe_box/status/1044957343568388097
# Reference: https://pastebin.com/st49wnwB

onthethatsed.ru
tontheckcatan.ru

# Reference: https://pastebin.com/bPV4gVVL

heundthetrec.ru
perranrowsin.com
utteronhim.ru

# Reference: https://pastebin.com/CQGHUK03

caperlighleft.com
hescatofme.ru
ledeventutru.ru

# Reference: https://twitter.com/James_inthe_box/status/1047490196319612928

milliondollarlawsuit.co

# Reference: https://twitter.com/malware_traffic/status/1113586907655680001

waorveled.com

# Reference: https://twitter.com/Antelox/status/914949407442862080

kedmolorop.com

# Reference: https://twitter.com/BroadAnalysis/status/880488094277009408

repwasswithhow.com 

# Reference: https://twitter.com/BroadAnalysis/status/783725374161186816

gotevengsorol.ru

# Reference: https://twitter.com/BroadAnalysis/status/753688954323529729

wassuseidund.ru

# Reference: https://twitter.com/mesa_matt/status/1113866153108148224
# Reference: https://ghostbin.com/paste/27b9a/raw

alldogspoop.co
alldogspoop.org
alldogspoop.biz
alldogspoop.info
alldogspoop.mobi
alldogspoop.net
cherryhillpooperscoopers.com
pooperscooperfranchise.com
shopalldogspoop.com

# Reference: https://twitter.com/CapeSandbox/status/1132548710490148864

hinsurefling.ru
oneningsitar.com
witoftrinreb.ru

# Reference: https://twitter.com/VK_Intel/status/1143512697004331008
# Reference: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-06-25-hancitor-build-2705_437890-vk.txt

hefidanot.com
metyrofhe.ru
usesindownne.ru

# Reference: https://twitter.com/malware_traffic/status/1145793372126416897

totharduron.com

# Reference: https://twitter.com/killamjr/status/1146108509324480514
# Reference: https://app.any.run/tasks/fe00a2ef-0140-4335-8c29-31b2cf15e358/

carbonatedcocktails.com
fizzics.biz
perlinisystems.com
shanakaplan.com

# Reference: https://twitter.com/VK_Intel/status/1146139326646034433
# Reference: https://twitter.com/James_inthe_box/status/1145765244645433344
# Reference: https://twitter.com/malware_traffic/status/1146503887215636480

http://31.44.184.201/fknmo/gate.php
http://31.44.184.33
tonsruhatbab.com

# Reference: https://twitter.com/James_inthe_box/status/1153326001155272704

forrolrestons.ru
hersdintfortho.ru
retredmuchwas.com

# Reference: https://twitter.com/HerbieZimmerman/status/1166046889067896832
# Reference: https://app.any.run/tasks/6a8b1b54-320e-4cf8-aed0-0140714fdd10/

rolfikinme.ru
sparherrestal.ru

# Reference: https://twitter.com/K_N1kolenko/status/1096001487040331778

ratlittonrigh.com
tofttoldboand.ru
fortroweventlac.ru

# Reference: https://unit42.paloaltonetworks.com/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/

betsuriin.com
callereb.com
evengsosandpa.ru
felingdoar.ru
gmailsign.info
hecksafaor.com
heheckbitont.ru
hianingherla.com
hihimbety.ru
meketusebet.ru
mianingrabted.ru
moatleftbet.com
mopejusron.ru
muchcocaugh.com
ningtoparec.ru
nodosandar.com
ritbeugin.ru
rutithegde.ru
surofonot.ru
uldintoldhin.com
unjustotor.com
wassuseidund.ru

# Reference: https://twitter.com/JayTHL/status/1179794844262305793
# Reference: https://app.any.run/tasks/0e56d1f8-8606-42d1-8951-88e4d134981b/

csinashville.com
spausence.com

# Reference: https://twitter.com/JayTHL/status/1179799689341886464

cowandchickens.com
chateaumorritt.ca
thegbar.net
thegbars.us
thegbars.net
fedtoner.com

# Reference: https://twitter.com/JayTHL/status/1179796029425754112

knoweent.ru
wortionce.ru

# Reference: https://twitter.com/K_N1kolenko/status/1182244055293599744

compatime.ru
mandanoter.ru
warlarvars.com

# Reference: https://twitter.com/malware_traffic/status/1182407518611529728

avantusthea.com
cornbeijnvoxin.com

# Reference: https://twitter.com/K_N1kolenko/status/1183657536588865536

branderryadhe.ru
caputenedif.ru

# Generic heur trails

/4/forum.php
/bdl/gate.php
/fknmo/gate.php
/ls/gate.php
/ls5/forum.php
/ls6/gate.php
/plasma/gate.php
/sl/gate.php
/zapoy/gate.php
/rjohn10657.php
/rmmurphy10.php
/rowantotal.php
/shark601.php
/sheridanalan.php
/simonimp.php
/soberentexas.php
/sophiagamble.php
/terisitababe.php
/tj.016677.php
/wdepietro.php
/win.harris.php
/zecoimbra1951.php