# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside

briancobert.com

# Reference: http://cybercrime-tracker.net/index.php?search=AZORult

00v.xyz
0131.ga
4max.xyz
accqweqweazo.com
ad.icab.pk
aimnawnt.beget.tech
akingu.bit.md-98.webhostbox.net
alexblog24.p-host.in
among3919.com
andreimolchanov.siteme.org
art4.xyz
asdfz.ru
azorneutrino.com
banckofamerica.info
benchadcrd.nl
bitcoalko.com
bitscoinsme.com
blackexploitz.net
bmagikleak.website
bucscrup.ru
cc33782.tmweb.ru
ch.baskpower.com
coinbitbot.ru
cresbuy.ga
crypto-e.org
cryptopiabot.cc
cryptopiasupport.co
cryptotrust.today.md-35.webhostbox.net
defaultbrowser.xyz
donperenion.com
doueven.click
druvan.xyz
elowpuki.com
elysium-inc.pro
elysium-ltd.pro
ernazar.tk
eualube.com
fde4.tk
fdsv.ml
feamleys.com
flash-piayer-update.com.md-90.webhostbox.net
fsdf.ga
gmx7.com
gob.grantflaskparty.com
gohithatsandrof.win
grantflaskparty.com
hallojab.co.ua
hellojab.com
hhamay.website
holidey.pw
hondobakr.top
hotbest-apps.com
iddqdp.pw
imbaxqxq.org
inc0de.gq
kalakhomes.club
kamyn9ka.com
keyar12f.beget.tech
l2fog.ru
lelllnn.com
lers.xyz
levonside.space
loveyouneed.pw
mcgau2.bit.md-100.webhostbox.net
methodist.sch.id
mike.rivalserver.com
mix1456465.com.cp-47.webhostbox.net
mobwerpingthis.com
mopw.men
mybigfish.stream
myxamop.com
needmorelogs.club
nervozn.tk
nimerstat.ru
ninjatrader.life
npromo.world
ogabosworld.com
ortaksistem.com
panamera.site
pchel8.tk
poloniex.spb.ru
pornhospital.net
port.so.tl
preramet123.name
ps4akk.ru
qers.xyz
rar-lab.ru
rotkit.tk
sads.ml
scat01.tk
scat.cf
sepprod.com
sharfik.club
sinutinu.com
skyroot.ru
solimetalspa.com
sondomax.co
sskyokker256.bit.md-89.webhostbox.net
sslwmi.top
sumocloud.club
svchost.pw
sysplugins.com
taskdata.gq
trimasjaya.com
ubmwuyq.com
ultimaspots.co.uk
usa-bank.info.md-91.webhostbox.net
videocommercialsforyou.com
videopopups.com
vm239011.had.su
vsd1.net
wattmeter.win
www.alkratrad.com
www.antonskoritskii.com
www.asdasdq.com
www.azghost888.com
www.benchadcrd.nl
www.cryptopiasupport.co
www.elowpuki.com
www.ghost888abc.com
www.gopety.cc
www.grandmasson.pw
www.rar-lab.ru
x7x.xyz
zevs3.xyz
zevs5.xyz

# Reference: https://twitter.com/SevenLayerJedi/status/950761083509313536

macpay.pw

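# Reference: https://twitter.com/James_inthe_box/status/1039250061065039873
# NOTE(review): .bit is the Namecoin TLD, outside the ICANN root, so such names (also s63.bit in this file) do not resolve via ordinary public DNS; a hit presumably comes from the lookup itself - confirm how the sensor sees it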

microsoft-update-server.bit
securityupdateserver4.com

# Reference: https://twitter.com/ViriBack/status/983011333506588672
# Reference: https://pastebin.com/nwWHHFe0

fdos.tk
genri.ga
gfcv.tk
gfsd.ga
grlo.tk
qpzm.gq
suka1.tk
vfsv.tk

# Reference: https://cert.gov.ua/news/44
# Reference: https://www.virustotal.com/#/ip-address/192.198.87.130
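# Reference: https://www.virustotal.com/#/ip-address/185.193.38.78
# NOTE(review): 192.198.87.130 is referenced above but has no entry of its own in this file; presumably deliberate (e.g. a shared address) - confirm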

http://185.193.38.78/
cashouts.tk
vitani.tk

# Reference: https://twitter.com/JAMESWT_MHT/status/1046755632299352064

columbusfunnybone.com/images/drop.php

# Reference: https://twitter.com/ViriBack/status/1050032466164154368

bigchlen.tk

# Reference: https://www.malware-traffic-analysis.net/2018/10/12/index.html

bitdotz.top

# Reference: https://twitter.com/avman1995/status/1052426452187185153

qe.igg.biz/gate.php

# Reference: https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/

certipin.top
infolocalip.com
tohertgopening.com

# Reference: https://twitter.com/james_inthe_box/status/1022866075493355520

kenkelord.gq

# Reference: https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update

s63.bit

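# Reference: https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/
# NOTE(review): the entry below has no host, so it presumably matches on URL path alone, for any server - confirm against the sensor's matching logic
# NOTE(review): the same holds for the other '/...' entries in this file; short generic ones such as /robb/index.php or /simbi/index.php may also occur on unrelated sites, so treat a hit as lower confidence than a host-based one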

/java/java9356/index.php

# Reference: https://twitter.com/James_inthe_box/status/1106558836171632642

/027-xcv-j/index.php

# Reference: https://twitter.com/James_inthe_box/status/1106551689132138497

llkty.gq/8s/index.php

# Reference: https://twitter.com/James_inthe_box/status/1105124840501989378
# Reference: https://twitter.com/James_inthe_box/status/1110196027338817538

/simbi/index.php

# Reference: https://twitter.com/VK_Intel/status/1108604579938131968

google-analutics.com

# Reference: https://twitter.com/Racco42/status/1103435627343822848

directdns.duckdns.org
httsdomainset.ddns.net

# Reference: https://twitter.com/Racco42/status/1101131815216168961

myprepaidfiles.ddns.net
directdns.cc

# Reference: https://twitter.com/Racco42/status/1095444880749481986

maxmini.duckdns.org
newconnect.duckdns.org

# Reference: https://securelist.ru/azorult-analysis-history/93645/ (Russian)
# Reference: https://securelist.com/azorult-analysis-history/89922/ (English)

daticho.ac.ug
ravor.ac.ug

# Reference: https://twitter.com/luc4m/status/1107680285834006528

gsutekardookay.com

# Reference: https://twitter.com/luc4m/status/1078691595111878657

sherkseafoods.com

# Reference: https://twitter.com/ps66uk/status/1108295117826387969

/cz/cjin3/index.php

# Reference: https://twitter.com/James_inthe_box/status/1109120289604931584

/azrt/index.php

# Reference: https://twitter.com/James_inthe_box/status/1109835474493829120
# Reference: https://pastebin.com/tvn8EMyS

ymad.ug/1/index.php

# Reference: https://twitter.com/ViriBack/status/1069965350442283009
# Reference: https://pastebin.com/PTkLE0se

/panel632541/admin.php
/io213b5obo/admin.php

# Reference: https://twitter.com/albertzsigovits/status/1110124808572948482

a.helps.site
azmarterroos.com
hellacademy.com
horseliker.ac.ug
justflux.org/webupl.php
parnakol.ug
stelfeshor.ru
zelner.info

# Reference: https://twitter.com/albertzsigovits/status/1110124941356212224

dragonfire.ac.ug
frupidgi.cn
hostname.vip
roninan.ac.ug
tembumgo.pw

# Reference: https://twitter.com/James_inthe_box/status/1110915814725550080

http://78.142.29.208/real/index.php

# Reference: https://twitter.com/Racco42/status/1111189949712420864

armasglass.com/oni/index.php

# Reference: https://twitter.com/James_inthe_box/status/1111666754604789760

recordsforsmssent.xyz/jeff/index.php

# Reference: https://twitter.com/x42x5a/status/1112693567103868928

http://92.63.192.72/index.php

# Reference: https://twitter.com/James_inthe_box/status/1113510502439616513

0x234.com/index.php

# Reference: https://twitter.com/thlnk3r/status/1113658517544550401

gamingserversplus.life/index.php

# Reference: https://twitter.com/ViriBack/status/1094261293693972480

ibrandworld.com/jsl.php

# Reference: https://twitter.com/takerk734/status/1113851637292920832

/Qw2XbN3/index.php

# Reference: https://twitter.com/angel11VR/status/1115343202167533568
# Reference: https://pastebin.com/0bX17LaY

cubaworts.gq

# Reference: https://twitter.com/x42x5a/status/1115651159388246016

cryptofaze.com

# Reference: https://twitter.com/VK_Intel/status/982346117298843649

balepinos.com

# Reference: https://twitter.com/LEICHAO_init/status/1118910795675521030

lestonline.gq

# Reference: https://twitter.com/pancak3lullz/status/1085591305269460992

/robb/index.php

# Reference: https://twitter.com/OttoScav/status/1080485559787835392

freetalksa.xyz

# Reference: https://twitter.com/James_inthe_box/status/1121047649459642369

mintyoctopus.com

# Reference: https://twitter.com/avman1995/status/1120893763977658369
# Reference: https://app.any.run/tasks/80464c35-e9f8-44ed-a346-50bf0642cec9

http://95.179.189.49/CC/index.php

# Reference: https://twitter.com/x42x5a/status/1121094286613852162

klyaksa.xyz

# Reference: https://twitter.com/x42x5a/status/1121523221432500225

asahi-tankar.com

# Reference: https://twitter.com/x42x5a/status/1121702655464751104

huanopkey.site

# Reference: https://twitter.com/Racco42/status/1122797588120592384
# Reference: https://app.any.run/tasks/ae52cc1b-f2d5-4d6d-a93c-8c15dff0132f

geu.life
millanplaners.duckdns.org
