# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: smokeloader, retefe

# Reference: https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/

coolwater-ltd-supportid.ru
localprivat-support.ru
service-consultingavarage.ru

# Reference: https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html

killermansopitu.com

# Reference: https://www.fireeye.com/blog/threat-research/2018/06/rig-ek-delivering-monero-miner-via-propagate-injection-technique.html
# Reference: http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/

nhocbo.bit

# Reference: https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html

ukcompany.me
ukcompany.pw
ukcompany.top

# Reference: https://twitter.com/ViriBack/status/1045123124910592000

supremebiz.info

# Reference: https://twitter.com/ViriBack/status/1047664167010926593

haxmall.in

# Reference: https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/

/js/metrology/jma.php

# Reference: https://twitter.com/Racco42/status/1097990743711461376

lzlgoy4b17sy5.com

# Reference: https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/

5gssghhs2w.org
dvhwzq.ru
hdxaet.ru
hghwwgh6.info
jdcbhs.ru
kdcbst.ru
kkted54d.ru
si2113gher.com
vshmesz.com
vygxxhh.bit

# Reference: https://twitter.com/malware_traffic/status/1112776731331620865

taj.co.ug

# Reference: https://twitter.com/James_inthe_box/status/1118534516379803648

anotherblock.bit

# Reference: https://twitter.com/James_inthe_box/status/1120693994428567552

mynah505.com.kz

# Reference: https://otx.alienvault.com/pulse/5ccb14c894ed463151dcced4
# Reference: https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe

bizbhutanevents.com/wp-rss.php
kjkpropertysolutions.com/wp-rss.php
laserowakasia.pl/wp-rss.php
racyroyalcoin.com/wp-rss.php
thealtilium.com/wp-rss.php
ltro3fxssy7xsqgz.onion

# Reference: https://twitter.com/Antelox/status/1104350571430141952

3bbbccvomp5uhznz.onion
auybplpgam3c62tc.onion
hiv3dylycjbvgrxr.onion
m2pgzofn4w6ttgbb.onion
n6g66hecwbnf7bg4.onion

# Reference: https://twitter.com/peterkruse/status/1049669678086479877

jpxgaweyfdym5zv2.onion

# Reference: https://twitter.com/JaromirHorejsi/status/1017739363613102083

yzpayb4sqad7gnin.onion

# Reference: https://twitter.com/JaromirHorejsi/status/1106230909282541568

bozuniy4sgprvinf.onion

# Reference: https://twitter.com/JaromirHorejsi/status/816203736636915712

f3lrid44upxfgnbe.onion

# Reference: https://twitter.com/P3pperP0tts/status/1133502768935784448

thebotarmy.com

# Reference: https://twitter.com/_CPResearch_/status/1141080891529334784
# Reference: https://pastebin.com/gg4ni5Pm
# Reference: https://www.virustotal.com/gui/file/fc20b03299b8ae91e72e104ee4f18e40125b2b061f1509d1c5b3f9fac3104934/detection
# Reference: https://otx.alienvault.com/pulse/5d094cbf85df945a77c3fa45
# Reference: https://research.checkpoint.com/2019-resurgence-of-smokeloader/
# Reference: https://otx.alienvault.com/pulse/5d24b44109756f4227d75025

babolgum.icu
esupdate.icu
fileboard.live
mypromo.online
skcalladhellormi.xyz
vinomag.pw
alltest-service012505.ru
besttest-service012505.ru
biotest-service012505.ru
clubtest-service012505.ru
domtest-service012505.ru
infotest-service012505.ru
kupitest-service012505.ru
megatest-service012505.ru
mirtest-service012505.ru
mostest-service012505.ru
mytest-service01242505.ru
mytest-service012505.ru
newtest-service012505.ru
proftest-service012505.ru
protest-01242505.tk
protest-01252505.ml
protest-01262505.ga
protest-01272505.cf
protest-01282505.gq
protest-01292505.com
protest-01302505.net
protest-01312505.org
protest-01322505.biz
protest-01332505.info
protest-01342505.eu
protest-01352505.nl
protest-01362505.mobi
protest-01372505.name
protest-01382505.me
protest-01392505.garden
protest-01402505.art
protest-01412505.band
protest-01422505.bargains
protest-01432505.bet
protest-01442505.blue
protest-01452505.business
protest-01462505.casa
protest-01472505.city
protest-01482505.click
protest-01492505.company
protest-01502505.futbol
protest-01512505.gallery
protest-01522505.game
protest-01532505.games
protest-01542505.graphics
protest-01552505.group
protest-02252505.ml
protest-02262505.ga
protest-02272505.cf
protest-02282505.gq
protest-03252505.ml
protest-03262505.ga
protest-03272505.cf
protest-03282505.gq
protest-05242505.tk
protest-06242505.tk
protest-service01242505.ru
protest-service012505.ru
rustest-service012505.ru
rutest-service01242505.ru
rutest-service012505.ru
shoptest-service012505.ru
supertest-service012505.ru
test-service01242505.ru
test-service012505.com
test-service012505.eu
test-service012505.fun
test-service012505.host
test-service012505.info
test-service012505.net
test-service012505.net2505.ru
test-service012505.online
test-service012505.org2505.ru
test-service012505.pp2505.ru
test-service012505.press
test-service012505.pro
test-service012505.pw
test-service012505.ru.com
test-service012505.site
test-service012505.space
test-service012505.store
test-service012505.su
test-service012505.tech
test-service012505.website
test-service012505.xyz
test-service01blog2505.ru
test-service01club2505.ru
test-service01dom2505.ru
test-service01forum2505.ru
test-service01info2505.ru
test-service01land2505.ru
test-service01life2505.ru
test-service01plus2505.ru
test-service01pro2505.ru
test-service01rus2505.ru
test-service01shop2505.ru
test-service01stroy2505.ru
test-service01torg2505.ru
toptest-service012505.ru
vsetest-service012505.ru

# Reference: https://twitter.com/James_inthe_box/status/1144917655503040515

zeronde.in

# Reference: https://twitter.com/James_inthe_box/status/1148406371265593344

http://51.91.19.20

# Reference: https://twitter.com/malware_traffic/status/1090366374772383745

youlifesucks.life

# Reference: https://twitter.com/marcos_alvares/status/1158680329881882625

jok3r5.pw
ktngb33.pw
l0vew1n5.xyz

# Reference: https://twitter.com/nao_sec/status/1162581586644070400
# Reference: https://app.any.run/tasks/09dd4638-ca3f-4649-bc37-a5a452070083/
# Reference: https://twitter.com/tkanalyst/status/1162733635679617025
# Reference: https://app.any.run/tasks/9b3c4d44-2996-470e-be96-ce7ae94fa8cd/

advertserv99.club
ezstat.ru
gougounu.site
mailadvert2551mk29.club
popadvert.world
sdstat9551as4.club
statexadvert.club

# Reference: https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/

zabugrom.bit

# Reference: https://twitter.com/i/status/1164236292407742464
# Reference: https://app.any.run/tasks/77a62614-4e5b-4e31-8a42-2238b3911194/

vilamax.home.pl
son0fman.pw

# Reference: https://twitter.com/nao_sec/status/1165997780675874816
# Reference: https://app.any.run/tasks/76f63a44-e603-43bf-8288-d9e01addcdba/

btcseller.club
zxtds.world

# Reference: https://twitter.com/tkanalyst/status/1170688633172443139
# Reference: https://app.any.run/tasks/fd9a41e5-4768-4ab0-afd3-83988feb49c8/

advertserv25.world

# Reference: https://twitter.com/peterkruse/status/1171685525377495040
# Reference: https://twitter.com/tkanalyst/status/1173068957386866688
# Reference: https://pastebin.com/kZVikTtP
# Reference: https://www.virustotal.com/gui/ip-address/5.101.181.35/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.25.50.148/relations
# Reference: https://www.virustotal.com/gui/ip-address/185.25.50.163/relations

advertland.net
advertmex.world
advertserv25.world
advertserv99.club
advexmai42dn.world
advexmail23mn.world
advexmail2551.club
advexmail255143x.club
advexmail2551fc7.club
advexmail270711.club
dsmail95.xyz
dsmailx9547.xyz
ecmero.com
fdmail70.club
griffintech.ru
kxserv65.club
kxserv652.club
kxservx6527.club
mailadvert17dt.world
mailadvert19.world
mailadvert2551.club
mailadvert2551zx1.club
mailadvert5917dx.world
mailadvert917dx.world
mailserv1551.club
mailserv1551ex97.club
mailserv1551kx3.club
mailserv171.club
mailserv7.club
mailserv75.com
mailserv85m.world
mailserv93fd.world
mailstat55.club
mailstat557.club
mailstatx5577.club
mextes.com
popadvert.world
sdstat901511.club
sdstat9551.club
sdstat955192rv.club
sdstat9551as4.club
sdstat9551pm3.club
sdstat95xz.world
sdstat97tp.world
serverupdate7.world
starserver45.world
starserver4551.club
starserver4551mx2.club
starserver715km.world
starserver75ms.world
statexadver32s.world
statexadver35111.club
statexadver3552.club
statexadver3552ap93.club
statexadver3552mn12.club
swissmarine.club
zel.biz
(advertmarin|advertpage|advertserv|advertstat|advexmai|cmailad|cmailadvert|gmailadvert|cmailserv|dsmaild|kmailserv|kstarserver|kxserv|kxservxmar|mailadvert|mailserv|mailsmall|mailstat|sdstat|smantex|starserver|statexadver|zmailserv)[0-9][0-9a-z]+\.(com|club|world)

# Reference: https://www.virustotal.com/gui/file/b1b974ceee5968a8453e015356edfded1e9dcba5dda50320f78abf24a4a3e0dd/relations

195.201.161.25:2012

# Reference: https://twitter.com/benkow_/status/1164894072580071424

rollansdx.icu

# Reference: https://github.com/silence-is-best/c2db#smokeloader

thankg1.org

# Reference: https://app.any.run/tasks/59bf16be-0c99-43f7-954c-94f952f5eb84/

blogserv27.com

# Reference: https://twitter.com/OttoScav/status/1189220259842187264

careandhelporganization.co.ug

# Generic trails

/advlogs9579/
/advlogs95/
/blogpics17/
/logstat95/
/logstatx77/
/serverlogs29/
/serverstat315/
