# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
# Reference: https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
# Reference: https://otx.alienvault.com/pulse/5ef67e89cde1d0c1b00dd02c

adsmarketart.com
advancedanalysis.be
advertstv.com
advokat-hodonin.info
amazingdonutco.com
bettyware.xyz
celebratering.xyz
cofeedback.com
consultane.com
devicelease.xyz
fakeframes.xyz
feedbackgive.com
flablenitev.site
gadgetops.xyz
guiapocos.xyz
hotphonecall.xyz
justbesarnia.xyz
kordelservers.xyz
lendojekam.xyz
lgrarcosbann.club
lpequdeliren.fun
ludwoodgroup.xyz
msoftwares.info
mwebsoft.com
net-giftshop.info
paiolets.com
penaz.info
respondcritique.xyz
rostraffic.com
szn.services
traffichi.com
transvil2.xyz
triomigratio.xyz
tritravlife.xyz
typiconsult.com
uplandcaraudio.xyz
utenti.info
utenti.live
veisllc.xyz
websitelistbuilder.com
websitesbuilder.info
wineguroo.xyz
woofwoofacademy.xyz
backup.awarfaregaming.com
click.clickanalytics208.com
connect.clevelandskin.com
connect.clevelandskin.net
connect.clevelandskin.org
cushion.aiimss.com
dns.proactiveads.be
link.easycounter210.com
rocket2.new10k.com
track.positiverefreshment.org

# Reference: https://www.menlosecurity.com/blog/increase-in-attack-socgholish
# Reference: https://twitter.com/BushidoToken/status/1370429928160759812

news.pocketstay.com

# Reference: https://twitter.com/tosscoinwitcher/status/1379505361787359233

5e7936bb.news.pocketstay.com

# Reference: https://twitter.com/Wanna_VanTa/status/1392537130396700681
# Reference: https://www.virustotal.com/gui/ip-address/81.4.122.193/relations

login.wwpcrisis.com

# Reference: https://twitter.com/malware_traffic/status/1420490383881129990
# Reference: https://www.virustotal.com/gui/ip-address/141.255.161.180/relations

certification.mountainaireautoglass.com
public.clickstat360.com
fe1eaf89.office.drpease.com

# Reference: https://blog.group-ib.com/prometheus-tds

4107e577.payment.refinedwebs.com
e186aeb2.news.pocketstay.com

# Reference: https://twitter.com/neonprimetime/status/1475841620428062724

80e16d50.xen.hill-family.us
a962296f.xen.hill-family.us

# Reference: https://twitter.com/MBThreatIntel/status/1466107514030751747
# Reference: https://www.virustotal.com/gui/ip-address/179.43.169.31/relations

jobs.tracybrey.com
popcorn.net-zerodesign.com
second.pmservicespr.com
eba80de9.xen.hill-family.us

# Reference: https://twitter.com/th3_protoCOL/status/1460356964140007424
# Reference: https://www.virustotal.com/gui/ip-address/87.249.50.201/relations
# Reference: https://www.virustotal.com/gui/file/89380aa78a9797c1906c1c8c8a646c08155eb3d16b79d8ad502789a59f0f7f9f/detection

upstream.fishslayerjigco.com
xen.hill-family.us

# Reference: https://www.virustotal.com/gui/file/89380aa78a9797c1906c1c8c8a646c08155eb3d16b79d8ad502789a59f0f7f9f/detection

368757c6.upstream.fishslayerjigco.com

# Reference: https://www.virustotal.com/gui/file/9e663136610eb7a07dafe19a706445c2c0527ef586b7d3fbaa36e54173ac7394/detection

05579f9d.xen.hill-family.us

# Reference: https://www.virustotal.com/gui/file/d1ed30acb9aee0c8ee12c4ce10102ab732b9f304cabf9b3df302654c667e6beb/detection

0e9ff460.xen.hill-family.us

# Reference: https://www.virustotal.com/gui/file/1913554c81ea9fa5004189f067bc8618d628b85ca6dbc8964ec6bf7a4bfc0385/detection

71d665d8.xen.hill-family.us

# Reference: https://twitter.com/MBThreatIntel/status/1478515956968083456

255e7219.xen.hill-family.us
second.pmservicespr.com

# Reference: https://twitter.com/MBThreatIntel/status/1440443682369388549
# Reference: https://www.virustotal.com/gui/ip-address/81.4.122.101/relations

e73fb99b.push.youbyashboutique.com
push.youbyashboutique.com
paggy.parmsplace.com

# Reference: https://twitter.com/MBThreatIntel/status/1480595880629587971

bfa73f60.xen.hill-family.us

# Reference: https://twitter.com/SecurityAura/status/1487564086929936388

7a3a7f86.xen.hill-family.us

# Reference: https://expel.com/blog/incident-report-spotting-socgholish-wordpress-injection/

notify.aproposaussies.com

# Reference: https://twitter.com/cr4shtest/status/1494365444421128203

a5b420bd.host.integrativehealthpartners.com

# Reference: https://twitter.com/MBThreatIntel/status/1494453598087835673

staticvisit.net
20go.staticvisit.net
43cbb37d.host.integrativehealthpartners.com
go.staticvisit.net
rotation.ahrealestatepr.com

# Reference: https://twitter.com/bryceabdo/status/1499048636319162371
# Reference: https://www.virustotal.com/gui/ip-address/91.219.236.192/relations

12cff833.widget.windsorbongvape.com
1dd355b6.widget.windsorbongvape.com
48bb0f7a.widget.windsorbongvape.com
b94c3406.widget.windsorbongvape.com
widget.windsorbongvape.com

# Reference: https://twitter.com/MBThreatIntel/status/1508575992041771013

design.lawrencetravelco.com

# Reference: https://twitter.com/MBThreatIntel/status/1513635853309861895

fasttracklegal.com
lines.fasttracklegal.com

# Reference: https://twitter.com/C0ryInTheHous3/status/1516062361488171018

expugements.com
priority.expugements.com

# Reference: https://github.com/CronUp/Malware-IOCs/blob/main/2022-04-21_SocGholish-FakeUpdates

2ctmedia.com
bonneltravel.com
brannonsmiles.com
chandlermethodist.org
codigodebarra.co
pomdev.com
vipveinsaz.com
windsorbongvape.com
1.widget.windsorbongvape.com
connect.codigodebarra.co
doors.vipveinsaz.com
energy.pomdev.com
matrix.2ctmedia.com
missions.chandlermethodist.org
patients.brannonsmiles.com
stuff.bonneltravel.com

# Reference: https://twitter.com/MBThreatIntel/status/1521201292005154816

factor.vtaxlaw.com

# Reference: https://twitter.com/bigmacjpg/status/1524125086206332932

extra-tegic.com
java.extra-tegic.com

# Reference: https://twitter.com/bigmacjpg/status/1526197418940932097

agrandatubolsillo.com
jump.agrandatubolsillo.com

# Reference: https://twitter.com/bigmacjpg/status/1528860847178936320

academiadecontables.com
parked.academiadecontables.com

# Reference: https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee
# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-May/030669.html

irsbusinessaudit.net
irsbusinessaudit.tax
irsgetwell.net

# Reference: https://twitter.com/bigmacjpg/status/1529921079132704788

newhomessection.com
schedule.newhomessection.com

# Reference: https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html

bumpy.daniyalmedicaltech.com
contractor.thecaninescholar.com
craft.cheesedome.com
mamba.cpncredit.com
market.bluestonechiropractic.com
mines.cajonsoul.com
rotation.craigconnors.com
sdk.expresswayautopr.com
staff.beeboykind.com
trace.mukandratourandtravels.com

# Reference: https://twitter.com/th3_protoCOL/status/1536791876577112065

stradlings.com
reviews.stradlings.com
official.stradlings.com

# Reference: https://twitter.com/1ZRR4H/status/1537501582727778304

ibgenesis.org
genesis.ibgenesis.org

# Reference: https://twitter.com/atorrrr/status/1537107577418485761

northphxchiro.com

# Reference: https://twitter.com/bigmacjpg/status/1539000348941201408

jcscateringaz.com
spool.jcscateringaz.com

# Reference: https://twitter.com/C0ryInTheHous3/status/1539681817497853952
# Reference: https://www.virustotal.com/gui/ip-address/176.10.124.180/relations

step.ifsguy.com
2a2da470.step.ifsguy.com
374d1389.step.ifsguy.com
4f8d0e70.step.ifsguy.com
6ea0e2c3.step.ifsguy.com
c95a786e.step.ifsguy.com
e316bac0.step.ifsguy.com

# Reference: https://twitter.com/C0ryInTheHous3/status/1539976468876251140
# Reference: https://twitter.com/C0ryInTheHous3/status/1539976414920704005
# Reference: https://www.virustotal.com/gui/ip-address/45.10.42.26/relations

cloud.bncfministries.org
craft.cheesedome.com
genesis.ibgenesis.org
hope.point521.com
market.bluestonechiropractic.com
mycontrol.alohaalsomeansgoodbye.com
repair.annetamkin.com
republic.beboldskincare.com

# Reference: https://twitter.com/bigmacjpg/status/1541775825833701377

app.pgica.org
00f4910b.app.pgica.org
0220f52a.app.pgica.org
084d2671.app.pgica.org
0a08fe76.app.pgica.org
108ada69.app.pgica.org
11e53a7d.app.pgica.org
16d356f0.app.pgica.org
1cf74659.app.pgica.org
1d7757ca.app.pgica.org
21acf799.app.pgica.org
21dcdf19.app.pgica.org
271dbdf0.app.pgica.org
284f616a.app.pgica.org
295cef1b.app.pgica.org
38c385af.app.pgica.org
4689d20c.app.pgica.org
539f0a1a.app.pgica.org
5d322fe2.app.pgica.org
71d44b01.app.pgica.org
721ddcba.app.pgica.org
80269b64.app.pgica.org
8b64ae28.app.pgica.org
96af898b.app.pgica.org
9a5c5bc1.app.pgica.org
9f08af01.app.pgica.org
b51d496b.app.pgica.org
b7e15726.app.pgica.org
bcf0d5de.app.pgica.org
cd8403ad.app.pgica.org
d50f86a6.app.pgica.org
dd465211.app.pgica.org
e7ec2c33.app.pgica.org
ed09a0b9.app.pgica.org
f4fbd5fe.app.pgica.org
f5de9db0.app.pgica.org

# Reference: https://twitter.com/ex_raritas/status/1544788160688709633

hunter.libertylawaz.com

# Reference: https://twitter.com/ex_raritas/status/1545057620142092293

center.blueoctopuspress.com

# Reference: https://twitter.com/C0ryInTheHous3/status/1545111100089421824

gohnson.advanceditsolutionsaz.com

# Reference: https://twitter.com/C0ryInTheHous3/status/1545111873779113986

expert.stmhonline.com
hope.point521.com
portfolio.rainbowgraffixx.com
puzzle.tricityintranet.com
stanley.planilla2021.com

# Reference: https://twitter.com/ex_raritas/status/1547335182478233601

cloud.bncfministries.org

# Reference: https://twitter.com/C0ryInTheHous3/status/1547654346162155523
# Reference: https://www.virustotal.com/gui/ip-address/45.10.43.78/relations
# Reference: https://www.virustotal.com/gui/domain/deal-institute.com/relations

deal-institute.com
courses.deal-institute.com
diamond.speaktomyheart.org
havana.littlehavanacigarstore.com
nivea.dreamworkscdc.com
reserves.deal-institute.com
volume.stoneoakcapital.net
west.bykikarose.com

# Reference: https://twitter.com/MBThreatIntel/status/1549094591881613312

call.pgee.org
performer.stmhonline.com

# Reference: https://twitter.com/bigmacjpg/status/1549111888839163904

smithfirm.agency
deal.smithfirm.agency

# Reference: https://twitter.com/bigmacjpg/status/1549110513879113730

bundles.trovatogroup.com

# Reference: https://twitter.com/jtrombley90/status/1549497835455975425

diamond.speaktomyheart.org

# Reference: https://twitter.com/mossdinger/status/1549822318826102784

record.usautosaleslv.com

# Reference: https://twitter.com/C0ryInTheHous3/status/1550186874488102913

cats.johnbeach.us
cardo.diem-co.com
query.dec.works
record.usautosaleslv.com
training.ren-kathybermejo.com

# Reference: https://twitter.com/ex_raritas/status/1552329776337018880

master.ilsrecruitment.com

# Reference: https://twitter.com/C0ryInTheHous3/status/1552330589583429632

mafia.carverdesigngroup.com

# Reference: https://github.com/executemalware/Malware-IOCs/blob/main/2022-08-01%20SocGholish%20IOCs
# Reference: https://www.virustotal.com/gui/domain/ssl.topgearoutfitters.com/relations

cruize.updogtechnologies.com
ssl.topgearoutfitters.com
0bcd.ssl.topgearoutfitters.com
1059.ssl.topgearoutfitters.com
3305.ssl.topgearoutfitters.com
4519.ssl.topgearoutfitters.com
68b0.ssl.topgearoutfitters.com
85c4.ssl.topgearoutfitters.com
c575.ssl.topgearoutfitters.com
c946.ssl.topgearoutfitters.com
d307.ssl.topgearoutfitters.com
d754.ssl.topgearoutfitters.com
dc6d.ssl.topgearoutfitters.com
ee32.ssl.topgearoutfitters.com
f31e.ssl.topgearoutfitters.com
f44b.ssl.topgearoutfitters.com

# Generic

/Chrome.Quick.Update.ver.101.65.65282.js
/Chrome.Update.3b1362.js
/Chrome.Update.88fe59.js
/Opera.Update.426482.js
