# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://github.com/fideliscyber/indicators/blob/master/Blogs/New%20URSNIF%20Targeting%20Italy%20and%20US/url.csv

creatortherefore.cn
goinumder.su
goyanok.at
hothegivforsuffer.cn
hulivam.at
justiceseasfriends.cn
lopertopgo.su
mid100.at
nexpoo.at
noopex.at
outaplaceshave.cn
pergozip.at
therepalon.su
trepeatedandequal.cn

# Reference: https://www.forcepoint.com/blog/security-labs/many-faces-ursnif-email-hijacking-mailslots-and-insecure-servers

14ca1s5asc45.com
9qwe8q9w7asqw.com
asd5qwdqwe4qwe.com
d4q9d4qw9d4qw9d.com
dq9wq1wdq9wd1.com
dqowndqwnd.net
eq9we1qw1qw8.com
fqw4q8w4d1qw8.com
g98d4qwd4asd.com
gtqw5dgqw84.com
hhhasdnqwesdasd.com
hhjfffjsahsdbqwe.com
jjasdkeqnqweqwe.com
kkjkajsdjasdqwec.com
kkmmnnbbjasdhe.com
mmmnasdjhqweqwe.com
oiwerdnferqrwe.com
ooaisdjqiweqwe.com
oooiasndqjwenda.com
oooiawneqweasd.com
oqk4123613123.net
oyiyuarogonase.net
popopoqweneqw.com
ppoadajsqwenqw.com
ppoasdqnwesad.com
pqwoeasodiqwejes232.com
q5q1wdq41dqwd.com
qiwjesijdqweqs.com
qw6e54qwe54wq.com
qw8e78qw7e.com
qwd1q6w1dq6wd1.com
qwd1qw8d4q1wd.com
qwdohqwnduasndwjd212.com
qwe1q9we1qwe51.com
qwekasdqw8412.net
qweoiqwndqw.net
qwojdaisd1231.net
qwqw1e4qwe14we.com
qwqweqw4e1qwe.com
qwundqwjnd.net
r9qweq19w1dq.com
rqw1qwr8qwr.com
rrrradkqwdojnqwd.com
sdf5wer4wer.com
sdjqiweqwnesd.com
t8q79q8wdqw1d.com
tr8q4qwe41ewe.com
tttiweqwneasdqwe.com
uuasdjqwehnasd.com
uurty87e8rt7rt.com
uuyyhsdhasdbee.com
wdojqnwdwd.net
wdq9d5q18wd.com
yyjqnwejqnweqweq.com

# Reference: https://www.f-secure.com/v-descs/trojan_w32_ursnif.shtml

bergesoma.com
polinodara.com

# Reference: https://www.cert-pa.it/news?id=10536

werwaarogonase.net
fhjjndiasnew.net
axewansdownew.net

# Reference: https://twitter.com/JAMESWT_MHT/status/1045682605662851073

d792jssk19usnskdxnsw.com
29uwuwousuw8wuwyuwie.com
ye8283yeiw283929wu2.com
h2812932937292sjshskz.com

# Reference: https://twitter.com/luc4m/status/1045671697268051968 (second source for a domain already listed under the previous reference)

h2812932937292sjshskz.com

# Reference: https://twitter.com/avman1995/status/1047018001810300928

382oiso10si8sowppdoiwpc.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1047414713850781697

/MXE/files/
/TOL/files/

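# Generic callback paths (no source reference recorded; path-only trails are not tied to a host, so expect more false positives than from the domain trails)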

/nerkom.php
/pagioiu88.php
/transaction.php2

# Reference: https://twitter.com/Bank_Security/status/1049640177361186818
# Reference: https://pastebin.com/mkMfAf9Z

app.kartop.at
doc.dicin.at
app.avitoon.at
doc.avitoon.at
ops.twidix.at
xx.go10og.at
api.kartop.at
m1.fofon.at
cdn.kartop.at
api.tylron.at
chat.twidix.at
api.kaonok.at
chat.jimden.at
mahono.cn
/huonasdh.php
/opanskot.php

# Reference: https://twitter.com/luc4m/status/1050806471603224576

/pagjfut54.php

# Reference: https://twitter.com/ViriBack/status/1051565888212791296

hdiwuey872629hsgs18702837.com
k37aos82skd9nal92kamcdla.com

# Reference: https://twitter.com/mgiovamo/status/1051771811438964736

load.testmykickstarter.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1052469234159239168

37iwdmx103qlsmx.com
againstitudents.com
ey271psx8127301.com
woatinkwoo.com
/levond.php

# Reference: https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware

nesocina.com
tapertoni.com
/Flux/tst/

# dork: "/Flux/tst/"

tenicoriv.com
onkoloper.com
nidersona.com
maxigozo.com
nasodirom.com

# Reference: https://twitter.com/Bank_Security/status/1055099888906702850
# Reference: https://pastebin.com/DYZhgSnH

kiki.33gourmetdelinyc.com
loads.smallworld-parties.com
load.kapswholesale.com
mino.aghapyfoodridgewood.com
nupp.810delicafe.com
nopp.ajisaijapanesenyc.com
pool.jfklandscape.com
/jogptfbuu

# Reference: https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/jp_ursnif_20161226

i56a4c1dlzcdsohkwr.biz
66ssywiogjvwljaopw.com
reebovnenewbne001.com
neneeeenqwenene188.com
ceeoerunw10.com
echo.listentree.com
pop.lawadviceonline.org
licensecanadian.ru
arewithoutwarranty.xyz
thenotwithsoldsuequiv.ru
goglosmmosss.com

# Reference: https://blog.yoroi.company/research/ursnif-long-live-the-steganography/

pereloplatka.host
roiboutique.ru
uusisnfbfaa.xyz
nolavalt.icu
sendertips.ru

# Reference: https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features

baderson.com
mopscat.com
gorsedog.com
pintodoc.com
ropitana.com
pirenaso.com
papirosn.com
delcapen.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1107662516824535041

/loq91/10x.php

# Reference: https://twitter.com/dvk01uk/status/1096445096306921472

/suoepwxpamxapxlamslxdo.php

# Reference: https://twitter.com/Racco42/status/1105504898525917184

/83939-2039.php
/89289_928_1.php

# Reference: https://twitter.com/JAMESWT_MHT/status/1100698122563567616

/iwp01-2ksm/20918201.php

# Reference: https://twitter.com/avman1995/status/1094181713121558529

qfelicialew.city
mzg4958lc.com
gxuxwnszau.band
/xap_102b-AZ1/704e.php

# Reference: https://twitter.com/avman1995/status/1108760534894170113

insurancephotolive.xyz
nophotoinsecure.xyz
topolotonop.xyz

# Reference: https://twitter.com/avman1995/status/1108623779062861824

fnyah44.email
wrladoph.city
rsf58.city
subaldodd.email

# Reference: https://twitter.com/James_inthe_box/status/1109520290323693568

keepincomemoney.website

# Reference: https://blog.talosintelligence.com/2019/03/threat-roundup-0315-0322.html (Win.Malware.Ursnif-6896385-0)

kkariannekatrina.company
f61leeii.com
qmitchelkp.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1110470611137114112

/2poef1/j.php

# Reference: https://otx.alienvault.com/pulse/5c9a405e5645c8011c7030f3

blogger.scentasticyoga.com

# Reference: https://twitter.com/bomccss/status/1110997371188465664

sumeriun.com

# Reference: https://twitter.com/gorimpthon/status/1078159820371288064

thatconditions.online

# Reference: https://twitter.com/gorimpthon/status/1077498826934480896

theanyexppatent.online

# Reference: https://twitter.com/Sec_S_Owl/status/1084967201222717440

theincludingte.online

# Reference: https://twitter.com/58_158_177_102/status/1087514326607355904

freetoper.accountant

# Reference: https://twitter.com/AES256bit/status/1079582045439877121

tformlicensable.online

# Reference: https://twitter.com/gorimpthon/status/1078159820371288064 (repeated: this reference and thatconditions.online are already listed earlier in this file)

thatconditions.online

# Reference: https://twitter.com/gorimpthon/status/1077498826934480896 (repeated: this reference and theanyexppatent.online are already listed earlier in this file)

theanyexppatent.online

# Reference: https://twitter.com/AES256bit/status/1063113281441738752

cjwefomatt.com
dubbergergbb.com
ticrerfgiff.com

# Reference: https://twitter.com/bomccss/status/1103211371817197568 (second source; mopscat.com is already listed under the Cybereason reference above)

mopscat.com

# Reference: https://twitter.com/CybereasonJPSOC/status/940267086802063360

comanylimiteddocume.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1113063803753684995
# Reference: https://app.any.run/tasks/223464af-a7be-454b-8f8f-2a8819bde8c1

posakloska.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1113429156040196096
# Reference: https://app.any.run/tasks/22f1f4c3-0297-49a9-89a9-787eee944de9

adonis-medicine.at

# Reference: https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/

nuovalo.icu
nuovalo.site

# Reference: https://twitter.com/JAMESWT_MHT/status/1115926996582830081

/skoex/po2.php

# Reference: https://twitter.com/avman1995/status/1116271689057427456

lunchrappz.com

# Reference: https://twitter.com/JAMESWT_MHT/status/1117694292359819265
# Reference: https://app.any.run/tasks/ca845868-1bba-47ac-8fc5-cf3ba9b86b80 (nuovalo.icu is also listed under the Yoroi reference above)

eloiyus.site
nuovalo.icu

# Reference: https://twitter.com/JAMESWT_MHT/status/1117711355363168256
# Reference: https://app.any.run/tasks/f6198a2a-e3c2-48dd-b1ab-dcd723770fd1

itschoolegz.com
