# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: chanitor, hancitor

# Reference: https://www.threatcrowd.org/listMalware.php?page=0&antivirus=Trojan:Win32/Chanitor

o3qz25zwu4or5mak.onion
o3qz25zwu4or5mak.tor2web.org
o3qz25zwu4or5mak.tor2web.ru
svcz25e3m4mwlauz.onion
svcz25e3m4mwlauz.tor2web.org
svcz25e3m4mwlauz.tor2web.ru
um6fsdil5ecma5kf.onion
um6fsdil5ecma5kf.tor2web.org
um6fsdil5ecma5kf.tor2web.ru

# Reference: https://twitter.com/James_inthe_box/status/1044957343568388097
# Reference: https://pastebin.com/st49wnwB

onthethatsed.ru
tontheckcatan.ru

# Reference: https://pastebin.com/bPV4gVVL

heundthetrec.ru
perranrowsin.com
utteronhim.ru

# Reference: https://pastebin.com/CQGHUK03

caperlighleft.com
hescatofme.ru
ledeventutru.ru

# Reference: https://twitter.com/James_inthe_box/status/1047490196319612928

milliondollarlawsuit.co

# Reference: https://twitter.com/malware_traffic/status/1113586907655680001

waorveled.com

# Reference: https://twitter.com/Antelox/status/914949407442862080

kedmolorop.com

# Reference: https://twitter.com/BroadAnalysis/status/880488094277009408

repwasswithhow.com 

# Reference: https://twitter.com/BroadAnalysis/status/783725374161186816

gotevengsorol.ru

# Reference: https://twitter.com/BroadAnalysis/status/753688954323529729

wassuseidund.ru

# Reference: https://twitter.com/mesa_matt/status/1113866153108148224
# Reference: https://ghostbin.com/paste/27b9a/raw

alldogspoop.co
alldogspoop.org
alldogspoop.biz
alldogspoop.info
alldogspoop.mobi
alldogspoop.net
cherryhillpooperscoopers.com
pooperscooperfranchise.com
shopalldogspoop.com

# Reference: https://twitter.com/CapeSandbox/status/1132548710490148864

hinsurefling.ru
oneningsitar.com
witoftrinreb.ru

# Reference: https://twitter.com/VK_Intel/status/1143512697004331008
# Reference: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-06-25-hancitor-build-2705_437890-vk.txt

hefidanot.com
metyrofhe.ru
usesindownne.ru

# Reference: https://twitter.com/malware_traffic/status/1145793372126416897

totharduron.com

# Reference: https://twitter.com/killamjr/status/1146108509324480514
# Reference: https://app.any.run/tasks/fe00a2ef-0140-4335-8c29-31b2cf15e358/

carbonatedcocktails.com
fizzics.biz
perlinisystems.com
shanakaplan.com

# Reference: https://twitter.com/VK_Intel/status/1146139326646034433
# Reference: https://twitter.com/James_inthe_box/status/1145765244645433344
# Reference: https://twitter.com/malware_traffic/status/1146503887215636480

http://31.44.184.201/fknmo/gate.php
http://31.44.184.33
tonsruhatbab.com

# Reference: https://twitter.com/James_inthe_box/status/1153326001155272704

forrolrestons.ru
hersdintfortho.ru
retredmuchwas.com

# Reference: https://twitter.com/HerbieZimmerman/status/1166046889067896832
# Reference: https://app.any.run/tasks/6a8b1b54-320e-4cf8-aed0-0140714fdd10/

rolfikinme.ru
sparherrestal.ru

# Reference: https://twitter.com/K_N1kolenko/status/1096001487040331778

ratlittonrigh.com
tofttoldboand.ru
fortroweventlac.ru

# Reference: https://unit42.paloaltonetworks.com/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/

betsuriin.com
callereb.com
evengsosandpa.ru
felingdoar.ru
gmailsign.info
hecksafaor.com
heheckbitont.ru
hianingherla.com
hihimbety.ru
meketusebet.ru
mianingrabted.ru
moatleftbet.com
mopejusron.ru
muchcocaugh.com
ningtoparec.ru
nodosandar.com
ritbeugin.ru
rutithegde.ru
surofonot.ru
uldintoldhin.com
unjustotor.com
wassuseidund.ru

# Reference: https://twitter.com/JayTHL/status/1179794844262305793
# Reference: https://app.any.run/tasks/0e56d1f8-8606-42d1-8951-88e4d134981b/

csinashville.com
spausence.com

# Reference: https://twitter.com/JayTHL/status/1179799689341886464

cowandchickens.com
chateaumorritt.ca
thegbar.net
thegbars.us
thegbars.net
fedtoner.com

# Reference: https://twitter.com/JayTHL/status/1179796029425754112

knoweent.ru
wortionce.ru

# Reference: https://twitter.com/K_N1kolenko/status/1182244055293599744

compatime.ru
mandanoter.ru
warlarvars.com

# Reference: https://twitter.com/malware_traffic/status/1182407518611529728

avantusthea.com
cornbeijnvoxin.com

# Reference: https://twitter.com/K_N1kolenko/status/1183657536588865536

branderryadhe.ru
caputenedif.ru

# Reference: https://pastebin.com/HLnQT4qy

adu0.xyz
asfpindia.org
austinhcg.com
bigsunshinebooks.com
brydenstt.com
dl-rw.com
drewcanole.com
episodez.online
hygieneteam.nl
pbssindia.in
pflagakron.org
talkshows.xyz
yooball.com
yourecovers.com
cornbeijnvoxin.com
digplaliatinte.ru
dvdflowerrook.ru

# Reference: https://twitter.com/wwp96/status/1184490107467788293

asfpindia.org
pbssindia.in
viplace.pt

# Reference: https://pastebin.com/bJ4ynhDe

afmichicago.org
african-trips.com
aftablarestan.ir
alferdows.com
cenovia.com
euroteriage.com
gotladyhope.ru
januserfish.ru

# Reference: https://pastebin.com/Q6aPDCDt

boatattorney.com
keramenzakt.com
linglentelevox.ru
mdistellerryck.ru

# Reference: https://twitter.com/malware_traffic/status/1186885436397850624
# Reference: https://app.any.run/tasks/742165cc-6e00-4483-af5e-6c49ae53b976/

31.44.184.160:8080

# Reference: https://twitter.com/K_N1kolenko/status/1187302956644929537

durestuasben.ru
sagitecheadle.com
vladiondul.ru

# Reference: https://pastebin.com/bKwb2Yig

pmk-55.ru

# Reference: https://twitter.com/K_N1kolenko/status/1188729131523031040

penreleaplif.ru
scangescangomu.ru
wickawbarrysci.com

# Reference: https://twitter.com/James_inthe_box/status/1188771146105147392
# Reference: https://app.any.run/tasks/de677fac-06c7-4c32-bd7a-05fc10cd5196/

blakejordan.com

# Reference: https://pastebin.com/JY6StTeK

youqu0.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1188837744568688640

pubarecaz.com

# Reference: https://twitter.com/JayTHL/status/1189934275476492288

damcoservices.com

# Reference: https://twitter.com/K_N1kolenko/status/1190903765005750272

selesesteq.ru
thaverenta.ru
wingritydet.com

# Reference: https://pastebin.com/mWznRNAS

3dpixelstudio.co
amtours.net
bbhs.org.ng
brighter-homes.com
businessmarker.ro
caddyhk.com

# Reference: https://twitter.com/BurnerVice/status/1201269199764475904

cetotrumo.com
krovsar.ru
mamaboss.io
page-store.ru

# Reference: https://twitter.com/malware_traffic/status/1201602127300354054

ianfelton.info
laticivue.com
omni-groupllc.com

# Reference: https://any.run/malware-trends/hancitor (Note: as seen on 2019-12-04)

businessmarker.ro
laadlifashionworld.com
laticivue.com
elesengrity.com
beestunduras.com
hismosedkaj.com
huncribeen.com
sageengineering.lk

# Reference: https://pastebin.com/QBYe5kCA

lardershe.ru
thatimine.ru
wintroperly.com

# Reference: https://twitter.com/wwp96/status/1202642416098062336

harrietljones.com

# Reference: https://twitter.com/malware_traffic/status/1202704333114150918

furnanadol.com

# Reference: https://pastebin.com/qpuaEEun

andalicur.ru
lappoing.com
theirchus.ru

# Reference:

barindice.ru
lietarion.com
legroaled.ru

# Reference: https://twitter.com/James_inthe_box/status/1220036840192757762

cousidrebn.ru
hourtschem.com
thicatlies.ru

# Reference: https://pastebin.com/raw/2cpkJrW5

rindicatle.ru
tariroalz.com
torssestih.ru

# Reference: https://twitter.com/James_inthe_box/status/1221822109564858368
# Reference: https://www.virustotal.com/gui/domain/kovasrot.cz/relations
# Reference: https://pastebin.com/UmYZ30eH

diermedir.com
kovasrot.cz
ussismates.ru
wernmicaz.ru

# Reference: https://twitter.com/turduckencat/status/1222556491745570816

twereptale.com

# Reference: https://pastebin.com/raw/3mpyeQPx

charovalso.ru
gengrasjeepram.com
verectert.ru
yaqeennews.96.lt

# Reference: https://twitter.com/K_N1kolenko/status/1233366724357042176

dundrazach.com
turumency.ru
wappreraf.ru

# Reference: https://twitter.com/K_N1kolenko/status/1238071539825860608

cludions.com
othasidka.com
thumbeks.com

# Reference: https://isc.sans.edu/forums/diary/Hancitor+distributed+through+coronavirusthemed+malspam/25892/
# Reference: https://otx.alienvault.com/pulse/5e6a5ded0435e2c043e7e206

freetospeak.me

# Reference: https://twitter.com/malware_traffic/status/1239629010377887746

bralibuda.com
greferezud.com

# Reference: https://www.virustotal.com/gui/file/12f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3b/detection

primecaviar.com

# Reference: https://twitter.com/JayTHL/status/1250274763479506945

clarityupstate.com

# Reference: https://twitter.com/200_okay_/status/1250278567352532993

raihanchow.us/portfolio/tomcat1432u.php

# Reference: https://twitter.com/malware_traffic/status/1250442899700891648

maktabiprezidentivmkb.tj/glstj/seawolf126.php

# Reference: https://twitter.com/JayTHL/status/1250460683977834496
# Reference: https://www.virustotal.com/gui/ip-address/47.254.92.217/relations

clarityupstate.com
furcoatexchange.com
furcoatliquidators.com
furwholesaler.com
re-fur-bished.com
refurpose.com
rentcoat.com
rentmink.com
rentminkcoat.com
rentthecoat.com
theminkcoat.com

# Reference: https://twitter.com/DynamicAnalysis/status/1260275056644685824

afya.geefto.com
cashforfurcoat.com

# Reference: https://twitter.com/K_N1kolenko/status/1265580857944936455

nalinkrobej.ru
restozaped.ru
thozentaini.com
fantavending.mobi/wp-content/themes/sketch-new/1
oxorobotic.com/wp-content/themes/sketch/1
fotobooth.at/wp-content/themes/sketch/1
amatheakids.com/wp-content/themes/sketch/1
wp.regalporn.com/wp-content/plugins/three-column-screen-layout/1

# Reference: https://twitter.com/James_inthe_box/status/1283511249817358341

schemeconnect.com
sportbettingdubuque.com

# Reference: https://app.any.run/tasks/07ce2b58-f619-4a3c-8232-b3a69a3233cb/

overnightfile.com

# Reference: https://twitter.com/K_N1kolenko/status/1318104716790943744

netodughra.ru
phercopar.com
sjogetahit.ru

# Reference: https://twitter.com/James_inthe_box/status/1318571872343052288
# Reference: https://twitter.com/executemalware/status/1318625990931865602

marspetcarelawsuit.com
parkwayorthopedics.ca/transport.php
volunteerslawsuit.com

# Reference: https://app.any.run/tasks/31d5e956-b217-427a-8b87-1ddadfd12769/

stylefersan.com
nepbag.com
functionalrejh.com

# Reference: https://twitter.com/malware_traffic/status/1321182175916679168
# Reference: https://www.virustotal.com/gui/ip-address/8.209.127.167/relations

breakingladd.com
faneuil-lawsuit.com
legacyhealthlawsuit.com
marspetcarelawsuit.com
nepbag.com
oreillyautolawsuit.com
partycitylawsuit.com
tomykat.com
worc-place.com
ziverbsel.com

# Reference: https://twitter.com/James_inthe_box/status/1321467050422726656

schrijfdrift.nl

# Reference: https://twitter.com/ThreatHive/status/1321489094900371456

blemecem.com
epperhaptem.com
peralsyste.com

# Reference: https://www.virustotal.com/gui/file/84c98a0aefad86ecbdcc6f87909f2c2a9f6b1744f37b130f43ef36b29796146f/detection
# Reference: https://www.virustotal.com/gui/file/01a9f5e9d83e6d8eb585b5448ca471ce795adc03ded41ccf8c12ca2f8309c77b/detection

achremittanceservices.com

# Reference: https://www.virustotal.com/gui/file/773f5e4bc9f8c4aac82f8cab8f416efe83f5a39735358301c6ca0559d61c8bf0/detection

caperesto.ru
succupen.com

# Reference: https://www.virustotal.com/gui/file/fcba3daba91a4c061d7ea5ac9a2076668f9c029826e4b2b9d2894f90673f65ab/detection

eventlarva.com

# Reference: https://app.any.run/tasks/6199802d-512f-46b4-b0e7-8ba46dacbdb5/

kuzinium.com
shhirtradej.ru

# Reference: https://www.malware-traffic-analysis.net/2020/11/04/index.html

cootbooro.ru
czyszczeniesrebra.pl
dirtroadpestle.com
juulslabel.nl
kaibophil.com
kuzinium.com
megalodonjet.ru
necemblem.ru
rounzabout.ru
shhirtradej.ru
systemperal.ru
taylorgolob.com
ubercancellationfeelawsuit.com

# Reference: https://www.virustotal.com/gui/file/cca24cf66321e5b2f63bb52b5183e9cc437bf1b59d5f34043307dbd3ab02ae62/detection

cussoricti.com
dirtroadpestle.com

# Reference: https://twitter.com/Unit42_Intel/status/1324815102630121474
# Reference: https://www.virustotal.com/gui/file/09b3c97457d3ad02204f2da76d1f9f4dadc681bcb32b0a58469461df2f7bd6b7/detection

albilverde.com
cussoricti.com
fabickng.ru
ithelpstaffing.com

# Reference: https://twitter.com/malware_traffic/status/1326204620255842304
# Reference: https://app.any.run/tasks/77f8bb6c-f055-4405-9438-c608ba947ebb/

codathegorthe.ru
taftahrice.com

# Reference: https://twitter.com/James_inthe_box/status/1328716329189220352
# Reference: https://twitter.com/wwp96/status/1328743039045677057
# Reference: https://app.any.run/tasks/060046bd-5c82-4bcf-b15e-7c36f40bbf92/
# Reference: https://www.virustotal.com/gui/file/d13601fe7d4f9ceaf033421f18256c408d01ce9987cf413f1c10aec272d0ff10/detection

easyactorwebsites.com
summervillesouthernsmiles.com
theriond.com

# Reference: https://twitter.com/K_N1kolenko/status/1328996091237371906
# Reference: https://twitter.com/Myrtus0x0/status/1329124918378647553

brankinsto.ru
duarreecto.ru
edisrictisirs.ru
finincin.com
preargeoph.ru

# Reference: https://twitter.com/K_N1kolenko/status/1329737222623535107

denduchor.com
frostation.ru
jurenaree.ru

# Reference: https://twitter.com/ffforward/status/1330909939607416840
# Reference: https://twitter.com/James_inthe_box/status/1330914110804955137

lecionewhounl.ru
pulbilood.com
shisougus.ru

# Reference: https://twitter.com/ffforward/status/1331620320659304448

lielftworiss.com

# Reference: https://twitter.com/James_inthe_box/status/1333463841347289088
# Reference: https://app.any.run/tasks/3743aba9-0cf0-4401-91dc-ec8e4134751d/

aribliffored.ru
frosemodynd.ru
propywast.com

# Reference: https://www.virustotal.com/gui/ip-address/185.133.40.192/relations

denduchor.com
finincim.com
lielftworiss.com
propywast.com
prouserting.com
pulbilood.com
theriond.com
trideprere.com

# Reference: https://twitter.com/James_inthe_box/status/1334150354515030016
# Reference: https://twitter.com/James_inthe_box/status/1334170368521564163
# Reference: https://twitter.com/Myrtus0x0/status/1334173921533325312
# Reference: https://app.any.run/tasks/962ba100-b3fc-4d6e-b147-b2dfc6f18a0e

behelzho.ru
eaussill.com
hossangerts.ru

# Reference: https://twitter.com/malware_traffic/status/1334531678602207243
# Reference: https://twitter.com/K_N1kolenko/status/1334768640927920129
# Reference: https://www.virustotal.com/gui/file/293d8e49687debac46ec1a4102b0d84df1ecb837ebe1e131e0362238c4063ff8/detection

bandieve.com
decturnearrips.ru
exieverhiltur.ru
looduchavens.ru
otsoebabe.com

# Reference: https://app.any.run/tasks/43c75fe6-d0a3-4a9e-8680-b16d0fee06c1/
# Reference: https://www.virustotal.com/gui/ip-address/185.68.93.10/relations

maduabin.com

# Reference: https://app.any.run/tasks/b23524bb-3d6a-429d-93c0-d6c08e8f4335/
# Reference: https://www.virustotal.com/gui/file/142b34879f514aaca5092081860f52f0578d551255186416f07914c91b7909c2/detection

gadeforsenate.com
nuatanste.com

# Reference: https://www.virustotal.com/gui/ip-address/185.43.223.169/relations

leffersinda.ru
pritursivers.ru
shwashate.ru
thircussovirom.ru

# Reference: https://twitter.com/malware_traffic/status/1338530303736889350
# Reference: https://www.virustotal.com/gui/ip-address/8.208.96.63/relations

ductivery.com
gade4senate.com
gadebrigade.com
gadeforsenate.com
gadeforsenator.com
gadeforussenate.com

# Reference: https://twitter.com/executemalware/status/1338889235785523202
# Reference: https://www.virustotal.com/gui/ip-address/185.87.194.148/relations

bicescuryseu.ru
forticheire.ru
horyinwheorm.ru
nentrivend.ru
novearecoms.ru
wourionlion.ru

# Reference: https://www.virustotal.com/gui/file/774f95ecfc34799562ae36b87c3694f208b5e81cdf73befe10e2dfbce2397fa7/detection

purclughtz.com

# Reference: https://www.virustotal.com/gui/ip-address/212.80.219.69/relations

firodingdet.ru
strucervach.ru

# Reference: https://twitter.com/James_inthe_box/status/1339261429778579456

bicescuryseu.ru
meordsovellia.ru
ulaginceter.com

# Reference: https://twitter.com/ffforward/status/1349018081486659587
# Reference: https://www.virustotal.com/gui/ip-address/91.215.170.225/relations

ductivery.com
fruciand.com
peasseal.com
purclughtz.com
ulaginceter.com

# Reference: https://twitter.com/executemalware/status/1339708971305852930
# Reference: https://pastebin.com/nwD54q3u

clientpreview.site
crm.brees.com.au/multilist.php
crm.brees.com.au/november.php
plataforma.iestpasco.edu.pe/madera.php
hvlegal.com.mx/twitchily.php
phqindia.paramwebinfo.in/hardship.php
phqindia.paramwebinfo.in/ubiety.php
store.matstijmes.com/trephines.php

# Reference: https://www.virustotal.com/gui/file/3191fd599a6738f152f95c0badb73598623b760b2171addf5aeb85b633e98450/detection

spardethe.com

# Reference: https://www.virustotal.com/gui/file/be2e214e37d5e54cbc7ec3e806083112abaaeb5b223714489c237cca53ef1361/detection

neectuded.com

# Reference: https://www.virustotal.com/gui/file/2074ad2dc62a398d62ab1f91d446ca269a4bc1cb5cbd5a677904afbf2d3685e0/detection

cotaftation.ru

# Reference: https://twitter.com/James_inthe_box/status/1349379545313411073

conlymorect.ru
requirend.com
spabyasiande.ru

# Reference: https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/
# Reference: https://www.malware-traffic-analysis.net/2021/01/12/index.html
# Reference: https://otx.alienvault.com/pulse/5fff646040d1907e50f04814

http://3.133.244.105/irs.php
expertcircles.co.uk/assotiation.php
libifield.co.za/oilcan.php
libifield.co.za/figs.php
savortrading.com/toweringly.php

# Reference: https://twitter.com/James_inthe_box/status/1349739212162035712
# Reference: https://app.any.run/tasks/5c55844b-a62a-40cc-a492-27d33c547dd5/

geopertsure.ru
mailartmen.ru
ocifirtaterity.com

# Reference: https://twitter.com/malware_traffic/status/1351588946858315776
# Reference: https://www.virustotal.com/gui/ip-address/185.220.177.176/relations

opulteme.com

# Reference: https://twitter.com/stoerchl/status/1351923918613999621

areentthrices.ru
cloolyepervir.com
syleclisizame.ru

# Reference: https://twitter.com/K_N1kolenko/status/1352217470459928577

tharepirms.ru
worteltiffee.ru

# Reference: https://twitter.com/James_inthe_box/status/1354095154618011649
# Reference: https://www.virustotal.com/gui/ip-address/213.5.229.12/relations
# Reference: https://www.virustotal.com/gui/ip-address/95.216.84.231/relations
# Reference: https://www.virustotal.com/gui/file/d64568ebb71238b5367d1a4feb69ffd1492c36e320ce13698967dced10a0ef31/detection

anatereplage.com
enincyrepater.ru
iderfeirel.com
locroplenes.ru
surpopene.ru

# Reference: https://twitter.com/K_N1kolenko/status/1355170344211017728

imextralgall.ru
poresson.com
witeseurturan.ru

# Reference: https://twitter.com/K_N1kolenko/status/1354738007983730688

sicantort.com
theirrissublu.ru
woulauserpect.ru

# Reference: https://twitter.com/James_inthe_box/status/1356614185828843520

antialkinno.com
knorshand.ru
thistrespor.ru

# Reference: https://twitter.com/K_N1kolenko/status/1357273962431082500

buillingter.ru
curishisral.ru
efelsdvismade.com

# Reference: https://twitter.com/K_N1kolenko/status/1357620421269610497

feirecropl.com
oresteseu.ru
respoishis.ru

# Reference: https://twitter.com/K_N1kolenko/status/1359069659438469122

ludiesibut.ru
sameastar.ru

# Reference: https://twitter.com/James_inthe_box/status/1359183083929411584

ceirsitsin.ru
formawas.ru
sibetaver.com

# Reference: https://twitter.com/James_inthe_box/status/1359519224046120961
# Reference: https://app.any.run/tasks/3ccaa664-d690-4fa0-b514-7566fe2a6019/

anumessensan.ru
grectedparices.ru
shifiticans.com

# Reference: https://twitter.com/malware_traffic/status/1359585588240875529

b2b.ebike-your-life.com/commemorative.php

# Reference: https://twitter.com/James_inthe_box/status/1359887832010035202
# Reference: https://www.virustotal.com/gui/file/e44b3e5ed0dcbf05b28aa377e9dc263f249e702665d643c8b803be7ad99073c0/detection

desuctoette.ru
matuattheires.ru
myinstabuzzz.co
nuencres.com

# Reference: https://twitter.com/James_inthe_box/status/1361710425486680065

belcineloweek.ru
eviddinlahal.com

# Reference: https://twitter.com/James_inthe_box/status/1362064790995173378
# Reference: https://twitter.com/K_N1kolenko/status/1362333103407198208

hatuderefer.com
thavelede.ru
zinsubtal.ru

# Reference: https://twitter.com/James_inthe_box/status/1364585517438832652
# Reference: https://app.any.run/tasks/cce5a6ef-a46d-43f0-999a-69ae30d82376/
# Reference: https://app.any.run/tasks/32c7a83a-c54b-4cad-a9bc-3f0515127a2e/

aftereand.com
sromecorlduce.ru
sweyblidian.com

# Reference: https://twitter.com/K_N1kolenko/status/1364891169294057472

aftereand.com
froplivernat.ru
nevemicies.ru

# Reference: https://twitter.com/executemalware/status/1366432635300573193

losgedeones.com

# Reference: https://twitter.com/K_N1kolenko/status/1366681253831979010
# Reference: https://www.virustotal.com/gui/file/7bfd59b4c8b046bf15cb408e51ed482a9d19c3d9201d510978b82c9f58cf8e8a/detection

ementincied.com
noriblerughly.ru
watoredprocaus.ru

# Reference: https://twitter.com/K_N1kolenko/status/1367045073414848512

duchateman.ru
sonalsovele.ru
witakilateg.com

# Reference: https://twitter.com/malware_traffic/status/1367152943158468610
# Reference: https://pastebin.com/raw/TvLvgpLm

bgurbanglam.com/severely.php
crm.basilrealty.in/beady.php
mainctional.com

# Reference: https://twitter.com/K_N1kolenko/status/1367414834220978176

disrulaytin.ru
puldefletat.ru

# Reference: https://twitter.com/malware_traffic/status/1367526827221204996
# Reference: https://app.any.run/tasks/534e3de9-18fd-4468-803d-c7a8b835fae0/

imilifeesinci.ru
throsesspeotte.com

# Reference: https://twitter.com/executemalware/status/1370023113124061186

koepfamily.com

# Reference: https://www.virustotal.com/gui/file/32a1f6000760b5eaa73ccfcbb44b2e26a575130cffdb2bb0ba5d0562e7e720c3/detection

pensionskasse.gr

# Reference: https://twitter.com/malware_traffic/status/1372705905880530950
# Reference: https://www.malware-traffic-analysis.net/2021/03/18/index.html

froursmonesed.com

# Reference: https://twitter.com/fr0s7_/status/1374039545654751238
# Reference: https://www.virustotal.com/gui/file/121e2902c085cf41c9b9cddab5bf499da02b01f36ef999aa9aa8f7d818a884ac/detection

abouniteta.ru
diverbsez.ru
froursmonesed.com

# Reference: https://twitter.com/NaomiSuzuki_/status/1376601663792836609
# Reference: https://www.virustotal.com/gui/ip-address/188.130.139.76/relations

gloporiente.ru
probassita.com
thabilemithe.ru

# Reference: https://twitter.com/K_N1kolenko/status/1376842582311985156
# Referennce: https://www.virustotal.com/gui/ip-address/45.129.96.192/relations
# Reference: https://www.virustotal.com/gui/ip-address/88.85.89.108/relations

abouniteta.ru
diverbsez.ru
frobenalini.ru
intaticducalso.ru
lationvold.com
popubjettor.ru
proubleblecilm.ru
tricilidiany.com

# Reference: https://twitter.com/James_inthe_box/status/1376920282053574657

stionicksilid.com
succupenous.ru

# Reference: https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/
# Reference: https://otx.alienvault.com/pulse/606790333e10af33e8950580

allanabolicsteam.net
alumaicelodges.com
anabolicsteroidsbuy.info
baadababada.ru
backupez.com
belcineloweek.ru
bobcatofredding.com
buckeyesecurity.net
canadiantourismroundtable.com
drivewaysnowservice.com
g1smurt.ru
gade4senate.com
gadebrigade.com
gadeforsenate.com
gadeforussenate.com
kilopaskal.ru
klaustrofebia.ru
myinstabuzzz.co
mymooney.ru
nepbag.com
nvgeeforsegt.ru
onlybamboofabrics.com
oreillyautolawsuit.com
pirijinko.ru
roanokemortgages.com
sromecorlduce.ru
sungardspo.com
trustpilot-scam.com
try-dent.net
wesleydonehue.org
wheredidmarkmakehismoney.com
wouatiareves.ru

# Reference: https://twitter.com/executemalware/status/1379828268417826817

save.makemoneywith.website

# Reference: https://pastebin.com/wtxn3CZZ

http://3.133.244.105
nucala.inspia.net/antemeridian.php
andrewsworld.com.ng/total.php
andrewsworld.com.ng/weediness.php
api.cdmvertical.com/cling.php
ccucu.com/carry.php
ccucu.com/refund.php
itemp.ppdkuk.com/stipendless.php
itemp.ppdkuk.com/unsurpassed.php
mybrandedge.com/bridle.php
mybrandedge.com/dyadic.php
mybrandedge.com/scratchpad.php
timberart.com.br/hi.php
timberart.com.br/strobing.php
databet96.com/tepidity.php
databet96.com/tuneups.php
educacionvirtualavanzada.mx/preserved.php
educacionvirtualavanzada.mx/temblor.php
latiounitere.ru
twomplon.ru
varembacen.com

# Reference: https://twitter.com/phage_nz/status/1382471613963128838

culadinces.ru
merinocraft.ro/unbroken.php

# Reference: https://pastebin.com/qsf3se6f

coliessrass.ru
dingulbolies.com
aarambhaad.com.np/anointment.php
citricadvertising.com/purgation.php
citricadvertising.com/snuffbox.php
educacionvirtualavanzada.mx/inexact.php
impactmarketingservice.in/fuchsine.php
impactmarketingservice.in/whipsaw.php
itco.pe/shelly.php
merinocraft.ro/tearing.php
natural-healing-central.com/factorization.php
somdeeppalace.com/comer.php
xtracomsolutions.com/indispensable.php

# Reference: https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure

cametateleb.ru
divelerevol.com
polionallas.ru

# Reference: https://twitter.com/James_inthe_box/status/1387053533871050757

caperesto.com
thuniopme.ru
watiounds.ru

# Reference: https://twitter.com/ScarletSharkSec/status/1387443189720788996
# Reference: https://app.any.run/tasks/5021b093-9557-4512-b497-e83a5866bfc6/

sumbahas.com

# Reference: https://twitter.com/Artilllerie/status/1387783551836434433

chasslace.ru
lamuni8f.ru
nencivelf.com
somargesion.ru

# Reference: https://gist.github.com/silence-is-best/852a1c7c7dcf29fdc8d5df73433e7676

adrouterigh.com
balcatioplo.ru
lerevahel.com
regatimmish.com
windetheta.com

# Generic

/4/forum.php
/6/forum.php
/7/forum.php
/8/forum.php
/.well-known/ron.php
/.well-known/rweaver732.php
/123_123123.php
/345_3429_34.php
/342578_4378.php
/34894385_4378.php
/4234_32423.php
/437843_347843.php
/5787478_74.php
/63943_54783.php
/7834_2378.php
/78435_347823.php
/83922_543.php
/852435_34859.php
/89623_3247.php
/admin/zaki.php
/bdl/gate.php
/dkywh9p/rick.php
/fknmo/gate.php
/glstj/seawolf126.php
/ls/gate.php
/ls5/forum.php
/ls6/gate.php
/plasma/gate.php
/rglennn.php
/rgovett.php
/rhf26.php
/rick.php
/rickyv319.php
/rigman43.php
/rjohn10657.php
/rjyoung007.php
/rmdrinkwater.php
/rmmurphy10.php
/robbjorgensen.php
/robby_hanshaw.php
/robert.hicks.php
/robert1325.php
/roberto.rubbiani.php
/robohip1.php
/roger.ponniah.php
/rogerpoitras7.php
/rojas5439.php
/roland.avignon.php
/rolfanderson.php
/rollntwist.php
/ron_penfold.php
/ronco9.php
/rowantotal.php
/roydsingh.php
/rswmisc.php
/rubencpa.php
/rwhayne.php
/ryanzeitler.php
/sailnsadle.php
/samurai40w.php
/sasshm.php
/sboles7.php
/scooby6060.php
/scottyw36.php
/sd37667.php
/seawolf126.php
/senmotomajin.php
/sfcw1.php
/shark601.php
/shellie.php
/sherdian19.php
/sheridanalan.php
/shogin1.php
/simonimp.php
/sjj53.php
/sjmod5.php
/sjwhome.php
/skovvaenget19.php
/sl/gate.php
/slamduncker.php
/smittybar4.php
/soberentexas.php
/sophiagamble.php
/soundm279.php
/st.vanaaken.php
/stefamherd.php
/steve.heller.php
/steveswanson22.php
/storme.cosgrave.php
/stormnz54.php
/sullych43.php
/t.carp.php
/tankeukjf.php
/tbcfix3.php
/tbconsulting.php
/technoemporium.php
/terisitababe.php
/terrybailey2009.php
/thehornet1.php
/thetafly.php
/thomasautomotive.php
/thomascarterpt.php
/thong.5.php
/timbrennan29.php
/timeflyz97.php
/tj.016677.php
/tjholden.php
/tjubell.php
/tmoen3.php
/tomcat1432u.php
/tomgosse.php
/tommino.php
/tonynguyen854.php
/tonypkeeling.php
/topsprop1.php
/ttregino.php
/tss9999.php
/tstanis5.php
/vancewl.php
/vmpereira.php
/walli_sw.php
/warren.php
/wayneo125.php
/waynerice816.php
/wbasser.php
/wbeliz2002.php
/wbferguson.php
/wco3520.php
/wcwjr.php
/wdavidmajor.php
/wdepietro.php
/weberdental.php
/welch9172.php
/wesleysebesta.php
/westharbour.php
/wggoep.php
/wghoward.php
/wheatstiger.php
/whitej58.php
/wildpitch.php
/williamhcondon.php
/willid5223.php
/willieotero13.php
/win.harris.php
/winterof63.php
/wjtconsult.php
/wnothhelfer.php
/woodcock_jack.php
/wretchedchild5.php
/wschnei106.php
/wsr3214.php
/wtomnelson.php
/wturnermi.php
/wwatone.php
/wyckoff1012.php
/x24spike.php
/yazanmoussa.php
/ykootss.php
/yngwll57.php
/yoshihito.shibahata.php
/ytyniec.php
/yuki_chan2004jp.php
/ywingitt.php
/zab4ksnk.php
/zapoy/gate.php
/zecoimbra1951.php
/zeke112.php
/zenrchi.php
/zubairseiendom.php