# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: bokbot, icedid

# Reference: https://github.com/JR0driguezB/malware_configs/tree/master/IcedID

arcadyflyff.com
atlanimeday.com
binncu.net
camorata.com
comeontrk.com
csuwbru.net
cupicratings.com
daliyudin.net
debonointl.net
dorothyle.net
expling.net
firebbernank.net
freegameshacks.net
fzlajsf.net
gordondeen.net
jefchinloans.com
joronda.com
jumpsworks.com
medicalciferol.com
miraquebolsis.com
nobleduty.com
timmasanz.net
tradequel.net
wbgjds.net
youaboard.com

# Reference: https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html

efoijowufjaowudawd.com

# Reference: https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/

lik0sa1.com
nejokexulang.example.com
payfinance.net

# Reference: https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/
# Reference: https://otx.alienvault.com/pulse/5c99fb543acc7f5eb0e7e933

acquistic.space
ambusted.space
coultra.space
exhausines.space
exterine.space
haractice.space
hospirit.com
overein.space
parchick.space
portened.space
resurround.pw
segregory.com
stocracy.space
stradition.space
subsquire.com
tybalties.com
ugrigo.space
waharactic.com
yorubal.space

# Reference: https://twitter.com/James_inthe_box/status/1110564181021908993

mathedro.com

# Reference: https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/

zonefb.com

# Reference: https://twitter.com/malware_traffic/status/1123458651434434563

marakusta.at
saudienter.pw

# Reference: https://twitter.com/CapeSandbox/status/1123605348466741249
# Reference: https://cape.contextis.com/analysis/70719/

forsynanchyv.com
hipponexunam.org

# Reference: https://twitter.com/CapeSandbox/status/1121084063903821824
# Reference: https://cape.contextis.com/analysis/68966/

arguerns.top
extenterms.top
minental.top

# Reference: https://twitter.com/malware_traffic/status/1136690489757974538

37.59.68.215:443
goodinzone.at
mozambiquest.pw

# Reference: https://twitter.com/James_inthe_box/status/1136950895986429954

albarthurst.pro
hipponexunam.org

# Reference: https://twitter.com/malware_traffic/status/1147303805115162624

germakhya.xyz

# Reference: https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html

albarthurst.pro
carlsbadenomise.top
chardiop.club
ethracial.pw
exchangests.xyz
forsynanchyv.com
goodinzone.at
hipponexunam.org
hydrylater.online
mechangerous.space
mozambiquest.pw
parenessed.icu
ransmittend.club
saudienter.pw
summerch.xyz
wagenstead.xyz

# Reference: https://twitter.com/takerk734/status/1135955547310632960
# Reference: https://app.any.run/tasks/13d6d9f9-7033-4ce7-9ad4-76591f15274c/

http://195.123.234.12
http://95.213.217.139
http://54.36.218.96
185.143.145.90:443
maidcafeyoyo.fun
simbaooshi.space
summerch.xyz
wagenstead.xyz

# Reference: https://twitter.com/James_inthe_box/status/1163512836930199552
# Reference: https://pastebin.com/rcwZmSu0

bumpsitting.pro
diplomainter.pro
duffered.pro
existination.pro
hahashow67.bit
pitfields.pro

# Reference: https://twitter.com/SoulRage6/status/1168171341998149637

casternsinc.com
casternsblog.com

# Reference: https://github.com/silence-is-best/c2db#icedid

memphase.com

# Reference: https://twitter.com/SoulRage6/status/1184141516534702081
# Reference: https://www.virustotal.com/gui/file/6f72987e323aa2d0a81c74e45851b62c1f415f703be20afb662748bc709f9361/detection
# Reference: https://twitter.com/JasonMilletary/status/1184201998381522944
# Reference: https://pastebin.com/vnwHadJk
# Reference: https://twitter.com/JasonMilletary/status/1190286207751733248
# Reference: https://pastebin.com/cz2HePMS

amongolia.com
bavariousltc.com
bhagavana.com
biorexis.top
builtitute.com
contrmved.com
corposted.com
coujtried.com
demonike.com
demonsoon.com
dioneras.top
eurobable.com
founddhog.com
honolfogy.com
jjanuatu.com
leonopic.top
lionerat.top
magnwnce.com
mastroga.top
memphase.com
molinaro.top
nopelrod.top
pidronog.top
piloresi.top
presifered.com
sacrecope.com
semistor.top
sheaffic.com
sheaffic.net
sheaffic.nl
sheaffic.org
tadpoleonilc.com
tidesore.top
wentinueqhcr.com
whyeelong.com

# Reference: https://twitter.com/OttoScav/status/1186356752406724609

gfthwards.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1187390560384049155

gfthwards.com
gfthwards.eu
piloresi.top
presifered.com

# Reference: https://twitter.com/wwp96/status/1189244489472319489

kbtseafood.com

# Reference: https://twitter.com/malware_traffic/status/1190026665952497667
# Reference: https://www.virustotal.com/gui/ip-address/217.182.188.118/relations

217.182.188.118:443
demonsoon.com
emperimen.com
magnwnce.com
moreogramlfgt.com
orsement.net
orsement.org
resultiplrt.com

# Reference: https://twitter.com/malware_traffic/status/1068570263732789248

govenian.host
suprecien.host

# Reference: https://twitter.com/malware_traffic/status/1068281897346838528

freshwallet.at
labadegmc.com
listmyfloor.com
modelssohn.website

# Reference: https://twitter.com/pollo290987/status/996471190221983746

3200bpm.com
autozpolisy.pl
tagamol.com

# Reference: https://twitter.com/JR0driguezB/status/978937668921970688
# Reference: https://github.com/JR0driguezB/malware_configs/blob/master/IcedID/C2.txt

arcadyflyff.com
atlanimeday.com
binncu.net
camorata.com
comeontrk.com
csuwbru.net
cupicratings.com
daliyudin.net
debonointl.net
dorothyle.net
expling.net
firebbernank.net
freegameshacks.net
fzlajsf.net
gordondeen.net
jefchinloans.com
joronda.com
jumpsworks.com
medicalciferol.com
miraquebolsis.com
nobleduty.com
timmasanz.net
tradequel.net
wbgjds.net
youaboard.com

# Reference: https://twitter.com/Paladin3161/status/1156867967260303360

bumpsitting.pro
heinless.pro
mainly.pro

# Reference: https://twitter.com/Paladin3161/status/1156632752260648960

diplomainter.pro
existination.pro
forsynanchyv.com
stalitic.pro

# Reference: https://twitter.com/JAMESWT_MHT/status/1194631881007910921

aginia.net
aginia.top
leonopic.top
nopelrod.top
sacrecope.com
telected.xyz

# Reference: https://twitter.com/stecar792/status/1194745611377135616
# Reference: https://pastebin.com/FhbU27vC
# Reference: https://pastebin.com/if2VpJJg

bhagavana.com
eurobable.com
leonopic.top
lionerat.top
memphase.com
mirkolkdb.com
mirkolkdb.eu
mirkolkdb.net
mirkolkdb.nl
nopelrod.top
pidronog.top
sacrecope.com
semistor.top
tadpoleonilc.com
telected.com
telected.eu
telected.in
telected.net
telected.nl
telected.one
telected.org
telected.tel
telected.top
telected.xyz
wentinueqhcr.com
whyeelong.com

# Reference: https://twitter.com/JasonMilletary/status/1177323562425815049
# Reference: https://pastebin.com/XF980VrW

bhagavana.com
biorexis.top
centrash.com
duffice.com
eurobable.com
fallium.com
gioredoh.top
kenoted.com
leonopic.top
lionerat.top
mamerona.top
mastroga.top
memphase.com
molinaro.top
nopelrod.top
pidronog.top
samioner.top
scatholics.com
semistor.top
tidesore.top
uniresio.top
vulcate.com

# Reference: https://twitter.com/JasonMilletary/status/1176934514414759936

genepbisulphite.nl
yavagumchewer.com

# Reference: https://twitter.com/JasonMilletary/status/1174026442100940800

eonopic.top
ionerat.top
ioredoh.top
mamerona.top
olinaro.top
samioner.top
uniresio.top

# Reference: https://www.f5.com/labs/articles/threat-intelligence/de-icing-icedid--decompression-and-decryption-methods-explained-?

ygrenevresed.fun

# Reference: https://twitter.com/CapeSandbox/status/1168607522795790337
# Reference: https://twitter.com/SoulRage6/status/1168171341998149637

casternsblog.com
casternsclub.com
casternsinc.com
casternssite.com
rankrns.com
staterns.com
webcasterns.com

# Reference: https://twitter.com/JasonMilletary/status/1197209873294999553
# Reference: https://pastebin.com/964KsuMx

bhagavana.com
dioleg.top
eurobable.com
fioure.top
goidiom.top
guiertr.top
hiolne.top
leonopic.top
lionerat.top
memphase.com
mirkolkdb.com
mirkolkdb.eu
mirkolkdb.net
mirkolkdb.nl
monerto.top
nopelrod.top
pidronog.top
riopwe.top
sacrecope.com
semistor.top
tadpoleonilc.com
tierton.top
tyuerse.top
wentinueqhcr.com
whyeelong.com
ziones.top

# Reference: https://twitter.com/JasonMilletary/status/1197541828402143233

37.48.83.137:80
37.48.83.137:443

# Reference: https://twitter.com/JasonMilletary/status/1197593565863518208
# Reference: https://app.any.run/tasks/30cb7b07-6cff-4ff0-88eb-e69c6d60397a/

berrydom.top

# Reference: https://twitter.com/Kostastsale/status/1199604381751988225
# Reference: https://app.any.run/tasks/b3f60bc6-c821-4921-b4e4-221e32b2d7e7/
# Reference: https://app.any.run/tasks/6e5996c2-81b1-45ac-bdd0-3ec9517608ce/

astenitral.club
desreona.top
gerrredona.top
nedisona.top

# Reference: https://any.run/malware-trends/icedid (Note: as seen on 2019-12-04)

dirosad.top
jikolis.top
monerto.top
ziones.top
tierton.top
ddos.dnsnb8.net
semistor.top
guiertr.top
tyuerse.top
thuocnam.tk
desreona.top
nedireob.top
gerrredona.top
nameseorin.top

# Reference: https://pastebin.com/ErESEBNy

herrasei.top

# Reference: https://twitter.com/killamjr/status/1203183444127354880
# Reference: https://www.virustotal.com/gui/domain/colonisfg.com/relations
# Reference: https://www.virustotal.com/gui/file/5cfbcfac6faea9055f9c7bebc1974aac0ec445f4d08900100b5a3a389ec02610/detection

colonisfg.com
derilopa.top
dezaredo.top
gerontos.top
netionax.top
seniorex.top

# Reference: https://twitter.com/luc4m/status/1204861411010207744

certifacto.com
beaderza.top
gertuko.top
hiperdom.top
modestog.top
nonedore.top

# Reference: https://twitter.com/malware_traffic/status/1208205022925860865

b99vxjju.com
jlb81hdvernon.com
v60yuuu1415.com

# Reference: https://app.any.run/tasks/5e1ba7ba-4a11-44d0-a80b-ea188041fd76/
# Reference: https://pastebin.com/higQqzwD

arkanacarszoom.pro
arkanacarszoom.red
arkanaways.pro
arkanaways.red
baberdon.top
bavariousltc.com
bavidopa.top
beaderza.top
berrydom.top
bilopans.top
biodeser.top
bladisuka.red
brekatrinado.red
carensod.top
certifacto.com
colonisfg.com
containerfirearms.com
copiresd.top
coridef.top
cowspidzu.pro
demandary.com
desreona.top
dioledoe.top
dioleg.top
dirosad.top
elabortin.com
exceptionalsanta.pro
fanisder.top
fidonau.top
fioure.top
foxitone.top
geropil.top
gertuko.top
giretona.top
golitope.top
goredoma.top
goresoin.top
herdomo.top
hiolne.top
hiperdom.top
hironmen.com
hovernor.com
jikolis.top
kololokoip.red
korendor.top
kuskusnamnam.icu
loperdon.top
manyloaddss.red
maredosa.top
maxikolo.top
modestog.top
monerto.top
moreogramlfgt.com
muratinue.com
nedisona.top
newyeardocs.pro
newyearfreaks.pro
nikolopu.top
nonedore.top
owspidzu.pro
piterdos.top
redilok.top
renaultarkana.pro
renaultarkana.red
resultiplrt.com
riopwe.top
rubonder.top
santaclausdriver.red
serkolo.top
sionerde.top
sisipiciliko.pro
skachkiiloady.pro
stata.link
succine.com
systemory.com
thrushmore.com
tierton.top
transityfade.pro
transityfade.top
viderson.top
vilokilofilo.pro
viterex.top
voperdom.top
xyuvuugadali.info
xyuvuugadali.pro
ziones.top

# Reference: https://pastebin.com/VniAbG5k

ecowis.com
exceptionalsanta.red
fmjstorage.com
happysantacows.red

# Reference: https://twitter.com/SoulRage6/status/1215259274055704577

letsgotopluto.best
plutomylove.monster
plutoisaplanet.best
plutomylove.monster
plutusforpluto.best
saveplutoplanet.xyz

# Reference: https://twitter.com/JAMESWT_MHT/status/1215260222832463873
# Reference: https://app.any.run/tasks/47590dc6-e93a-49e9-b053-974230cf8d3c/

hillenincopenhagen.best
willenhillen.xyz

# Reference: https://app.any.run/tasks/36d30924-4064-4288-a4e3-bc3ea44bda3e/

venusplanet.best

# Reference: https://twitter.com/JasonMilletary/status/1227975671282118657
# Reference: https://pastebin.com/kVWnJkaC

4success8.pro
creativedevelopment.xyz
developme.best
fridgehealth.best
geminichair.xyz
imreherzog.xyz
kinuplayer.info
langlawer.pro
nasafridge.xyz
spacecable.best
starofporn.xyz
thefeelingsapple.xyz

# Reference: https://twitter.com/Paladin3161/status/1228359000359501824
# Reference: https://pastebin.com/GUGbsQxE

appleparkca.best
bigbonmax.best
firedoggy.xyz
laroshelle.best
stamptowns.best
stsseriesdilemma.xyz

# Reference: https://twitter.com/James_inthe_box/status/1228452446978002944

applethecompany.best
bulbulmeni.best

# Reference: https://app.any.run/tasks/e7fb661a-6968-4367-9cd4-2077419a702d/

jagerteam.top
bibliophil.club
happyhunters.pw
bibliophil.pw

# Reference: https://twitter.com/malware_traffic/status/1243645177245380610
# Reference: https://www.malware-traffic-analysis.net/2020/03/27/index.html
# Reference: https://app.any.run/tasks/16c7bbfb-1c6a-40be-a625-bf8bc870354b
# Reference: https://app.any.run/tasks/9f2e532c-24d9-42d5-9be2-7ce9a8920980

conceptinteriors.ae
karantino.xyz
pravizzillo.club
projectfatty.club

# Reference: https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html
# Reference: https://app.any.run/tasks/d092cd7a-3e1c-479f-93e0-6494e464f44e/

hxxp://45.147.231.107
customscripts.us
hinkaly.club
karantino.xyz
zajjizev.club

# Reference: https://twitter.com/malware_traffic/status/1256297802948399104

ghefgekil.club
obratapres.pw
smallhole.club
severeconditions.xyz

# Reference: https://twitter.com/James_inthe_box/status/1257418677760282624

knockaddress.xyz

# Reference: https://pastebin.com/vCfWusnR

lokolojazz.club

# Reference: https://twitter.com/SBousseaden/status/1258564579463921665
# Reference: https://app.any.run/tasks/c98c5585-ad28-4744-8156-476efa30674e/

turtlesfun.fun

# Reference: https://twitter.com/James_inthe_box/status/1262856956613554176

connuwedro.xyz

# Reference: https://bazaar.abuse.ch/sample/837f40c12fc476d81d0741da2ab0bc0ee5c9857fe9623f2dfa33fb9f9d20f6ce/

bividilli.xyz

# Reference: https://app.any.run/tasks/6b57fda7-dd83-44c9-a8d0-3befecb7c4c6/
# Reference: https://bazaar.abuse.ch/sample/df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec
# Reference: https://www.virustotal.com/gui/file/df0b5d6ca7ba81e22d98e1f4dafe4d222ce496c31299e4189d8d773d9b70d6ec/detection

cryptocrio.pw
cryptocrio.top

# Reference: https://twitter.com/abuse_ch/status/1265989591628238848

3chickens.pw

# Reference: https://pastebin.com/bUzE4Df6

fordthunderbirth.site
gotofresno.xyz
luxcarlegend.top
nicebirththunder.cloud
poloturtles.top
robertogunez.xyz
totheocean.pw

# Reference: https://twitter.com/James_inthe_box/status/1268985862173257728

porkon3stuff.top

# Reference: https://twitter.com/Artilllerie/status/1270013362194219008

makindra.xyz
pohindra.best
prostokilo.top

# Reference: https://twitter.com/malware_traffic/status/1270158384738770951

trythisrandom.top
ziddat.com/registration.doc

# Reference: https://twitter.com/malware_traffic/status/1271588921168867329

musicapuntocero.com
wloppyload.top

# Reference: https://github.com/f0wl/deICEr/blob/master/README.md

boldidiotruss.xyz
nizaoplov.xyz
153ishak.best
ilu21plane.xyz

# Reference: https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware
# Reference: https://pastebin.com/Sz16iU57

2pillsofhunderts.pw
30miles.xyz
3chickens.pw
3glanzepages.top
antivarevare.club
antivarevare.pw
bavadivaclub.club
beradocolon.top
bividilli.xyz
bluekit.pw
bonwes.bid
bredretre.uno
carpetkisa.xyz
carztesla.xyz
chumocarz.club
citytrallbus.xyz
colocarantino.xyz
connuwedro.xyz
cosacasa.top
costacolonel.club
costamustero.pw
coucarachiz.top
cozyappt.club
crossbones.email
cryptocrio.pw
cryptocrio.top
cucumberz99.club
dayafterthe.xyz
dezisenkor.club
docccutime.xyz
emergencytoolz.pw
extraordinarycurc.club
fekilopol.xyz
feminization.xyz
fidelliware.pw
filacolonel.site
filacolonel.xyz
filteroggy.pw
fishmak.pw
flighfinder.xyz
flightslots.online
forwardnogi.pw
fredoferodo.top
frenchfries8.top
fullplainefares.club
gerenada.club
ghefgekil.club
gigakolors.club
glassyradua.xyz
goodcolonell.xyz
goodservers.top
groggypirogy.top
herekeder.best
hinkaly.club
instarobotics.club
karantino.xyz
kassadesada.top
knockaddress.xyz
knockdomain.xyz
loacorecoder.club
lokolojazz.club
menosmeno.best
millogorillo.top
nadalia.top
northdestrickt.top
oggytarakan.club
oggythecoucca.xyz
polymorphis.top
pravizzillo.club
pravizzillo.email
presserdresser.best
pyramide33.pw
pythonfinder.top
safebanktest.top
seguridadcolonel.club
sharedocar.xyz
siffersniffer.best
silkycow.pw
smallhole.club
stuffed8tomatoes.club
svaerossi.pw
testermeisterz.top
tourdayly.top
tryfreder.xyz
trythisone2.best
uxozhuki.pw
vereseptem.pw
vodkahater.xyz
withoutemblems.top
yahzdaje2.website
zajjizev.club

# Reference: https://twitter.com/ffforward/status/1275364648091557889
# Reference: https://app.any.run/tasks/f4945f71-1327-43d4-b948-326bcc730033/

khaliel.com/load/
loadthird.casa

# Reference: https://twitter.com/abuse_ch/status/1275526243404972034
# Reference: https://bazaar.abuse.ch/sample/921138bc2b28d01a51e6673c6e61ba3237592d08875180e0b3749d8e47fdfd6d/

germana-arad.ro/tds.php
redbrookconservatories.com/wp-content/themes/genesis/tds.php

# Reference: https://twitter.com/abuse_ch/status/1278373790054076417

ldrbasketball.net

# Reference: https://twitter.com/baberpervez2/status/1279177216249733120

lotusabloom.com

# Reference: https://twitter.com/James_inthe_box/status/1282793500325498881
# Reference: https://app.any.run/tasks/0a4d263a-75d7-4e10-8129-4b260141ebcf/

neptuneloadz.casa

# Reference: https://twitter.com/JAMESWT_MHT/status/1283450384061800453
# Reference: https://www.virustotal.com/gui/domain/ldrglobal.casa/relations
# Reference: https://www.virustotal.com/gui/ip-address/104.248.62.43/relations

ldrglobal.casa
ldrgreecehome.casa

# Reference: https://pastebin.com/raw/DZNj1XQ6

circleoccupy.best
ldrtango.casa
mramoritto.top

# Reference: https://twitter.com/JAMESWT_MHT/status/1285210383557558273
# Reference: https://www.virustotal.com/gui/ip-address/157.230.17.102/relations

loadberlin.casa
loadprague.casa

# Reference: https://www.virustotal.com/gui/file/502268717d5b2e7c70d800f09daaebb861d0c05baf66f96f698215107bcf82d3/detection
# Reference: https://www.virustotal.com/gui/file/4794fc23f8b61badab67099a5f31ab20a1864a061fabd89d60695c5cefe2a29b/detection

citytrallbus.xyz
cluebullet.best
conspiracylegal.xyz
freekolobanga.top
kolobanga.press
mannycoder.top

# Reference: https://twitter.com/malware_traffic/status/1285669899696775175
# Reference: https://www.virustotal.com/gui/ip-address/178.128.195.34/relations
# Reference: https://www.virustotal.com/gui/ip-address/89.105.198.105/relations

againstrocket.top
androsandro.top
blmfuck.best
blmfuck.top
changewinds.top
fegmetozza.top
helicopterstarted.top
italyvenice.top
newwildtuna.top
overthewater.top
plainlanded.top
shopunderwater.top
venicefood.best
venicefood.top
loaderprototype.casa

# Reference: https://app.any.run/tasks/d52f66be-14f1-47fc-ad3b-77c89c0e2b77/

loadhnichar.co

# Reference: https://pastebin.com/raw/bfTG05My
# Reference: https://www.virustotal.com/gui/ip-address/194.5.249.122/relations

betafrosner.best
foztrotalphatester.xyz
gigaholliver.top
iskuliokilo.pw
loadkanoe.casa
passiopersio.top

# Reference: https://pastebin.com/a5rqv7c7

ldrfoxtrot.casa
ldrvals.casa
loadproto.co

# Reference: https://pastebin.com/NvzmauW1

ldrgopak.casa
loadbudapest.casa

# Reference: https://github.com/tsale/Kostas_Yara-Rules/blob/master/Malware/IcedID_loader.yar

requiregreen.com

# Reference: https://twitter.com/0bfusCat/status/1243213416837402624

monoplanebis.xyz

# Reference: https://www.virustotal.com/gui/ip-address/95.174.65.224/relations

blackbullhorns.pro
blackcowlegs.best
boldidiotruss.xyz
bullhorns.xyz
bullyhorn.xyz
cargoship.top
cargovan.top
colocalzz.xyz
daretohaveyours.xyz
freeclubcargo.club
freeshippingto.top
hornybull.best
landoffarming.xyz
landstorages.best
nizaoplov.xyz
propanballoon.club
propanballoon.top
selectedship.top
servantstat.best
shalomgashish.best
shalomisrael.xyz
shalomshabatt.best
shishashalom.pro
sizhinpin.best
spinnertrousers.best
trustedcommand.top
verticalzz.pro

# Reference: https://www.virustotal.com/gui/file/79723cbc2234e26aae3111b8c7b6711da68a46d01e5808598a1492e49c331f60/detection

mexicanfoodinmiami.pro
exceptionalsanta.pro
happysantacows.red

# Reference: https://twitter.com/0bfusCat/status/1209421391910645760

santaclausdriver.pro

# Reference: https://twitter.com/0bfusCat/status/1059084917756301318
# Reference: https://www.virustotal.com/gui/file/199351acf7947ed415f6b4ed0049757fba0b0111aed1cfc20030efebe5af5005/detection

alldo.club
office365.bit
specialnan.date

# Reference: https://twitter.com/reecdeep/status/1290260109260595200
# Reference: https://app.any.run/tasks/dbf04eb6-35c7-4a8c-b311-67f6ffc1b54f/

ldrflippo.co

# Reference: https://twitter.com/p5yb34m/status/1290408585273344001
# Reference: https://www.virustotal.com/gui/ip-address/134.209.191.228/relations
# Reference: https://www.virustotal.com/gui/file/677fd9bc5ee34b4e171897fc07082a7fa14854d2f881cd62a23cb0c2181fa240/detection

ldrneptuno.net
loadagent.casa
loaderclass3.casa

# Reference: https://twitter.com/James_inthe_box/status/1290773214520434690
# Reference: https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html
# Reference: https://app.any.run/tasks/b4beb108-60c8-4ae5-8f7b-4f21ffa5da7a/

loadfreeman.casa

# Reference: https://isc.sans.edu/forums/diary/TA551+Shathak+Word+docs+push+IcedID+Bokbot/26438/
# Reference: https://otx.alienvault.com/pulse/5f2d7028f25fbdc6daa1b016
# Reference: https://www.virustotal.com/gui/ip-address/94.100.18.58/relations

31goalsyaher.co
atalantaclub.co
juveperdhue.top
leaderfreeder.co
northkorisla.co
qazyaquanauti.co

# Reference: https://twitter.com/reecdeep/status/1292828204445696001
# Reference: https://app.any.run/tasks/59666532-c5e3-4080-9266-7812f337a104/

nothingtodo.co

# Reference: https://twitter.com/p5yb34m/status/1292886770246225920

soldkorean.top

# Reference: https://pastebin.com/raw/Ye7MrSqV
# Reference: https://www.virustotal.com/gui/ip-address/45.66.250.145/relations

debuggerhelper.top
discsnooker.best
felliohreffer.co
jallioradio.co
youmecube.top

# Reference: https://twitter.com/0bfusCat/status/1293218539684401154
# Reference: https://www.virustotal.com/gui/ip-address/159.203.184.41/relations
# Reference: https://www.virustotal.com/gui/file/d99c8340e0a0c65212465e36ea184e48b16136ccda77dcf2b2a0865b154f70c6/detection

accentio.online
boxeschannel.co
dassentrio.top
ulanudeo.online
zalkipamat.top

# Reference: https://twitter.com/reecdeep/status/1295399848569712642
# Reference: https://app.any.run/tasks/26ef48a4-c45b-48f3-8a63-c5b02f7467b4/
# Reference: https://www.virustotal.com/gui/ip-address/134.122.73.8/relations

loadlisboa.casa
loadofficer.casa

# Reference: https://pastebin.com/raw/4tgby2qV
# Reference: https://www.virustotal.com/gui/file/9ba8f41f73a563796c021dbe89d3bd9a8d3a2d0226425e43efc271536f5f376b/detection
# Reference: https://www.virustotal.com/gui/ip-address/165.227.41.66/relations

loadrome.directory
crypnotes.co
ghererrafleur.co
helindraold.co
hwakiraklir.top
mahindranew.co
staerfraer.co

# Reference: https://twitter.com/reecdeep/status/1295727323052945411
# Reference: https://app.any.run/tasks/c33bd52b-f56e-486f-9b7f-55ac112e8554/

firstava.top
fourthava.club
secava.best

# Reference: https://twitter.com/Unit42_Intel/status/1296500515065536515
# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-08-18-TA551-IOCs-for-IcedID.txt

apparatto.top
babafirst.top
babafourth.club
cheapoilz.best
mintrillion.club
musorru.top
rolifo23.top
thirdava.cyou

# Reference: https://twitter.com/reecdeep/status/1296809596351283200
# Reference: https://www.virustotal.com/gui/ip-address/138.197.137.215/relations

ballsinluza.co
ferhalirish.co
ldralfa.casa
ldrbeta.casa
ldrcharlie.casa
lifregal.co
snookermaster.co
spplohh.co

# Reference: https://twitter.com/reecdeep/status/1300432198135418880
# Reference: https://twitter.com/reecdeep/status/1301159068279746561
# Reference: https://app.any.run/tasks/f3c7a321-bead-4914-b780-bd9e1dca32a2/
# Reference: https://app.any.run/tasks/f312482a-bf13-4f05-ac58-9bf0a91ef132/
# Reference: https://www.virustotal.com/gui/ip-address/64.227.95.68/relations

classified.best
customrecustom.top
deskofreserve.top
dissdoorg.top
explodevices.top
huhunadekil.top
ldrtugi.casa
niggpigs.best
piggyniga.pw
programmelexc.club
singleperson.pw
terminpolg.top

# Reference: https://www.virustotal.com/gui/file/2a9fe9fdc49ae22a691d027f721bab70a430136559b2207b528e905c390343f6/detection

195.69.187.86:443
93.189.149.176:443
ignorepairs.pro

# Reference: https://pastebin.com/QSqT99xJ

albarthurst.pro
ambiguing.net
anothese.xyz
answerved.net
bandstreat.pro
berlingbowman.pro
bugandonesis.club
camishniacing.pw
carlsbadenomise.top
centrastroyer.club
charactic.pro
chardiop.club
consequencycle.pw
contempty.club
demandymedes.xyz
dorentmeofts.com
egainvisit.pw
ettestinbalt.com
exchangests.xyz
forsynanchyv.com
germakhya.xyz
goodinzone.at
harbournal.club
hipponexunam.org
hornformance.pro
hydrylater.online
ichthererbob.org
ignorepairs.pro
importional.com
maiowforecto.org
massentern.pw
mechangerous.space
meiyardionsa.org
minoriticipal.pw
monkeyflowed.pro
mozambiquest.pw
murderinal.pro
parenessed.icu
ransmittend.club
rolescene.xyz
runethern.pro
seconominist.com
seeminism.pw
stimateurs.club
summerch.xyz
talogue.pw
teautotaillhurneg.org
therlanding.xyz
thracial.pw
thussailled.pw
tracroadsmendisan.org
tradication.pw
wagenstead.xyz
writtee.pro

# Reference: https://twitter.com/p5yb34m/status/1303408866483290112
# Reference: https://twitter.com/p5yb34m/status/1304108801860071424
# Reference: https://www.virustotal.com/gui/ip-address/194.113.34.92/relations

eurisiuri.top
kilogoncha.casa
ldflipper.casa
ldfolkland.casa
ldklippers.casa
loadbejing.casa
loadgermy.casa
loadlondon.casa
loadnewjersey.casa
loadperventin.casa
loadseoul.casa
loadxiniang.casa
repofinlsnd.casa
sleepymaxer.cyou
vbikdemokk.casa
vloppiloker.cyou
zasudaproteet.casa

# Reference: https://twitter.com/reecdeep/status/1304051067093692422
# Reference: https://twitter.com/reecdeep/status/1304071658521669632
# Reference: https://app.any.run/tasks/c0d6f2fb-ad34-4ce8-9a87-ee2c9ac94055/
# Reference: https://app.any.run/tasks/0db6cb2f-b477-4e8a-8b7e-a7911fcfc8f0/
# Reference: https://www.virustotal.com/gui/ip-address/159.65.137.90/relations
# Reference: https://twitter.com/reecdeep/status/1305523915054354433
# Reference: https://app.any.run/tasks/2c48723a-6803-4f9d-a330-63d546408b9d/

9dayscitadel.co
biglosses.top
ldleadflip.top
ldrfatty.casa
ldrglass.casa
ldrplastic.casa
loadbiofill.casa
loadbooker.casa
loadhooker.casa
loadnavycomp.casa
loadspanny.casa
roofallkilo.co
waysoflibis.best

# Reference: https://www.virustotal.com/gui/ip-address/51.210.73.176/relations

fikilederes.club
ldjersey.casa
ldrinsertion.casa
ldrpanel.casa
ldrporollon.casa
loaderooker.casa
loadflooker.casa
loadfrooker.casa
loadgooker.casa
loadsite2.casa
pussiageorge.cyou
starterdewakilo.best

# Reference: https://pastebin.com/Z4kWrhSF

10hesadety.pw
85vumbut.best
asnerkifa.cyou
aspellino.cyou
bcertyuo.cyou
gastellino.top
hurmaniut.cyou
matrossinio.xyz
povoliporillio.xyz
zopenret.top

# Reference: https://twitter.com/malware_traffic/status/1304507387957608450
# Reference: https://pastebin.com/bRT1y6rv
# Reference: https://www.virustotal.com/gui/ip-address/68.183.47.194/relations
# Reference: https://www.virustotal.com/gui/ip-address/164.90.153.241/relations

budagent.cyou
castrovillage.cyou
daswerbworse.best
delegatoz.xyz
jheckler.top
malgs.best
patriwifecis.cyou
saqerisation.best
tatarovers.best
tizersincluded.best

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-09-14-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/134.122.55.164/relations

77hertykol.club
90nesokret.top
astrafrodo.asia
bcertyou.cyou
bettercontact.co
downdomino.click
examoplerevo.pw
ldrdropper.casa
ldrpaperkoz.casa
ldrpitcher.casa
ldrruble.casa
ldrshekel.casa
ldrstar.casa
ldruniverse.casa
loadgo2.casa
loadro3.casa
loadwe4.casa
trapotorio.best

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-07-14-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/194.5.249.158/relations

circleoccupy.best
corporotto.top
mramoritto.top
papuanewguinew.club
portivitto.top
slizilinno.top

# Reference: https://www.virustotal.com/gui/ip-address/45.153.240.223/relations

loadwarsaw.casa

# Reference: https://www.virustotal.com/gui/ip-address/79.141.171.183/relations

allpikoloserdzwe.cyou
gaagachelo.cyou
obnaprimezert.cyou
odnovoennbundes.cyou
sipmptomsledy.top
sprbumazna.club
uragapediculez.top

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-07-20-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/161.35.148.20/relations

ldrplutos.casa
loaderoverlord.casa

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-07-31-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/165.22.120.138/relations

ldrpolka.casa

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-08-03-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/161.35.207.41/relations

houssio45.co
littlehomies.cyou
radicaltreppo.co
transferhouse.cyou
twoloftscats.cyou

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-08-14-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/89.105.198.114/relations

atombody.best
blholove.best
blholove.co
coverbeacon.top
cutbroken.club
lostinbush.best

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-08-20-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/104.131.13.31/relations

ldrfewa.casa
ldrgeo.casa
ldrnuri.casa
ldrpopi.casa

# Reference: https://www.virustotal.com/gui/ip-address/159.203.35.240/relations

gugafirst.top
gugasecond.cyou
ldrfohill.casa
womindo.co

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-08-27-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/89.105.194.231/relations

chinadedoing.best
feretraidsouth.cyou
musiciange.club
pommiopeo.cyou
rightsaqua.cyou

# Reference: https://www.virustotal.com/gui/ip-address/128.199.121.86/relations

balancesheets.pw
destroyerspussan.top
stryjerefer.buzz
swedenstats.best
tank50.top
xixoloadr.casa

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-08-28-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/67.205.166.105/relations

dluizz.top
ldrloki.casa
nothingtodo.co
shammunani.top
situator.best
sleepstops.club

# Reference: https://www.virustotal.com/gui/ip-address/185.147.15.25/relations

kajakracer.top
sequoejak.club
statuator.pw
swedenstats.best
withmar.club

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-09-01-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/167.71.229.185/relations

gigacouckarach.xyz
ldrulmio.casa
piggyniga.top

# Reference: https://www.virustotal.com/gui/ip-address/159.89.226.226/relations

dissdoorg.top
explodevices.top
trazzhres.top

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-09-08-TA551-IOCs-for-IcedID.txt

loudnavycomp.casa

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-09-17-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/142.93.218.110/relations

astedolo.asia
ldrcantimo.casa
ldrearth.casa
ldrkrona.casa
ldrmercury.casa
ldrpanel.casa
ldrpeso.casa
ldrphound.casa
ldrporollon.casa
ldrspace.casa
ldrsuede.casa
ldrvenus.casa
vragafraga.beer
wertigohol.click

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-09-21-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/134.122.101.157/relations

10hesadety.pw
85vumbut.best
bcertyuo.cyou
doremifasol.online
likofedo.club

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-09-23-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/206.81.11.50/relations

andronicakopianz.top
assfingerz.club
droidattac.cyou
geraldiconews.cyou
spacerevodron.pw

# Reference: https://www.virustotal.com/gui/ip-address/46.101.10.119/relations

antologymaster.pw
headtroller.pw
lokopotio.pw
smavellpolia.cyou

# Reference: https://www.malware-traffic-analysis.net/2020/10/06/index.html
# Reference: https://www.virustotal.com/gui/ip-address/161.35.111.71/detection
# Reference: https://www.virustotal.com/gui/ip-address/91.235.116.132/relations
# Reference: https://www.virustotal.com/gui/file/58708f4f20813442260ac0983ad6edb8666c4173606debef497d546bec2b1a2a/detection

america2020.cyou
donmekyrm.top
figatrummpper.cyou
fikilederes.club
firstava.top
flathommy.top
holubicoklire.top
huliosmall.cyou
huntinglon.com
islandfighters.top
ldraccumuu.fit
ldrautos.fit
ldrcalifa.click
ldreuro.casa
ldrforce.click
ldrjersey.beer
ldrpeset.casa
loadbmw.click
loadgiga.click
loadmercedes.beer
loadpascal.asia
loadwater.casa
lobechess.cyou
placestostart.club
realparallel.top
rufepuksuka.cyou
sepneretyiu.cyou
softcornerz47.top
uzhokpidarok.cyou

# Reference: https://twitter.com/malware_traffic/status/1313952618948030464
# Reference: https://pastebin.com/raw/Dv6edvut
# Reference: https://www.virustotal.com/gui/ip-address/178.62.243.45/relations

donmekrym.top
grablihuiz.cyou
holubicoklire.top
obnulenush.cyou
sepneretyiu.cyou

# Reference: https://isc.sans.edu/diary/rss/26674
# Reference: https://www.virustotal.com/gui/ip-address/134.209.25.122/relations

huntysmally.top
jazzcity.top
ldrdifference.casa
ldrright.beer
loadfelicio.fit
loadmarcello.beer
smalleryurta.club
whiskeybravo.xyz

# Reference: https://www.virustotal.com/gui/ip-address/143.110.176.28/relations

minishtab.cyou
novemberdejudge.cyou
sryvplanrespublican.cyou
suddekaster.best
xoxofuck.cyou

# Reference: https://www.virustotal.com/gui/ip-address/104.131.38.173/relations

ldrengineer.casa
ldrk50.casa
sadawerty.link

# Reference: https://twitter.com/malware_traffic/status/1317238281554317313
# Reference: https://www.malware-traffic-analysis.net/2020/10/16/index.html

engisilo.best
likoncar.cyou
phauballistic.club
skrepamulan.cyou
weaponreich.pw

# Reference: https://www.virustotal.com/gui/ip-address/206.189.179.174/relations

japansoldat.asia
kommyplete.cyou
loadcuhel.beer
loadhelico.asia
rusoldat.click
smallplaces.shop
spaceprogramm.cloud
spehanemzu.top
zomboboxer.top

# Reference: https://www.virustotal.com/gui/ip-address/46.101.0.125/relations

americansoldat.link
anklavartefact.cyou
greerknees.top
ideaofplet.club
isolatedglobus.top
kleeslikreff.top
konzsered.best
ldrleft.asia
loadbombardier.beer
loadcessna.asia
loaddyna.fit
loadnelliko.click
ostiriozhio.top
qapoloki.cyou
seaforrest.asia
startcapital.top
vernerfonbraun.pw
voairtaxetion.xyz
wasserherehiller.club

# Reference: https://www.virustotal.com/gui/ip-address/159.65.114.23/relations

familyfromforrest.club
fihokiliopo.pw
filopipilo.top
millogorillo.pw
mishagrisha.top

# Reference: https://github.com/pan-unit42/iocs/blob/master/TA551/2020-10-19-TA551-IOCs-for-IcedID.txt
# Reference: https://www.virustotal.com/gui/ip-address/68.183.125.188/relations

defthebest.club
isolatedglubus.top
luxcarlegend.club
pizzaeaters.top
posipako.top
touchification.pw

# Reference: https://twitter.com/malware_traffic/status/1321211578113511425
# Reference: https://pastebin.com/raw/Szm0xFwr
# Reference: https://www.virustotal.com/gui/ip-address/188.166.82.172/relations

hdfouter.pw
rivercoockinh.cyou
maseratipirosh.top
tyrek87.cyou
fodsijjire.cyou

# Reference: https://twitter.com/58_158_177_102/status/1321583599485820928
# Reference: https://app.any.run/tasks/4e842de4-2dee-4f8c-ab25-d52a0c7bc4c0/
# Reference: https://app.any.run/tasks/2bbc6d3e-f0ca-42cd-8cac-f3af5296eea5/
# Reference: https://app.any.run/tasks/dbc926f6-eb68-43af-9a55-bc307b781754/
# Reference: https://app.any.run/tasks/deebf118-abe7-4ea5-9e33-81bce557d426/
# Reference: https://app.any.run/tasks/f64b9924-6022-428e-a0d7-4bd8ed3a3f01/
# Reference: https://www.virustotal.com/gui/ip-address/167.99.248.130/relations

redicilious.online

# Reference: https://twitter.com/MBThreatIntel/status/1321963911365586944
# Reference: https://www.virustotal.com/gui/ip-address/188.166.103.231/relations
# Reference: https://www.virustotal.com/gui/file/4d3c594e119e5137a2baafc1174d57b08f7b8bbd8e9116331abf8063837c0222/detection

heredeire.xyz
