
dga's Introduction

DGA

Suspicious DGAs from PassiveDNS.cn and from the 360 and VT sandboxes.

Index

NCR: needs confirmation and reversing.

Issue  Status   Note
50              Benign DGA of TeleRU, an Android APK related DGA
49              The DGA of MyDoom
48              An unpredictable DGA
39     Done     New seeds of Banjori
38     Done     New DGA: XshellGhost
37     Not DGA
36     Not DGA
35     Not DGA
34     Done     New seed of Padcrypt
33     Benign   TcpRoute2
32     Benign   Chrome
31     Done     New DGA: Vidro
30     Done     New seed of Murofet
29     Done     Suppobox uses new TLDs
28     Done     New seed of Banjori
27     Done     New seed of Ranbyus
26     Closed   The same as #11
25     Done     New seed of Banjori
24     Not DGA
23     Not DGA
22     Not DGA
21     Done     New seed of Tinba
20     Not DGA
19     Not DGA
18     Not DGA
17     Not DGA
16     NCR
15     Done     New seed of Tinba
14     NCR
13     NCR
12     NCR
11     Done     New seed of Murofet
10     Not DGA
9      Done     New seed of Tinba
8      NCR
7      NCR
6      NCR
5      Not DGA
4      Done     New seed of Symmi
3      Done     New seed of Simda
2      NCR
1      Done     New DGA: Chinad

dga's People

Contributors

a1oha, kenshinx, suqitian, ynadji


dga's Issues

From PDNS: A length of 12-18, a mix of a-z and 0-9, tlds: [com]

  • Suspicious DGA cluster from PDNS
  • No sample MD5 found
  • Domains on 04/06/2018
afjfvvqhvnbegu.com
ahlxjrgcrzxezzsb1l.com
aisiqybabjer.com
alzwjtrevyewaka.com
atcomvqhypz54.com
axwlkmmxuex56.com
bccvgzwwlfonmbvv.com
bcigxvruczox2t.com
bcpiarkyenlx.com
bdjjehvkzzrdrj41.com
benzshxnbhuvcjify.com
bfqjepjhbqgceud0h.com
biujekzuih5o.com
bnjwnnqfcmiajltax.com
bogvviicnruhd.com
bsxanjbmchrtblsqao.com
btnncwgktavmeh5o.com
btxtqfhevrhplxkx.com
bwmcgxbgiaxen.com
bxzjakfzxpjdlqlre.com
bycbevgiahbzfz.com
cafsroyyymoxqg0.com
cedlgrqbtouyr7.com
cehcrwfsrbpchdgrc.com
cfvmixqmpcwy.com
cjcxhgyxlyzusq.com
clltpwidgyzwlnnngc.com
cmylbaprckath.com
cpovexfaggnb.com
cssoakpmnaqte0.com
ctzenauigpcltq.com
cykifmvftfmj.com
dafoqycqhkzwyhx5v.com
dbbhkouawpumfh7.com
dgmiqltukkaffojvlr.com
diniqrtnmzmgb.com
dodqrlfgplxv8.com
dpjwzqwnbzeb62.com
drdlbbayqvgecx.com
dvmmkjalqprhxmq.com
efbqedmtiqrrf.com
egqvpmuvskssci.com
ejfbynwglgmanfufth.com
elnqxeivzfsm.com
eninrxtjhbtnpeca.com
enliuzvvzyqnusfe7i.com
eqdqtwfulprqxgye.com
eqpewplevjyyzfhta2.com
etmredgoathpxgnv.com
etppcjybftd4x.com
ewobnhrvymuc.com
exymjrxletkk.com
fakuovgfpbxsx0.com
fazelarkgiucb.com
fbqwsepsmblw2c.com
fhjpttjotzufh.com
fhtvicjlpbvpbgg05.com
fjgoaenwydnbcvtu.com
flwhntvfwyfbwooc5.com
foeowtuahuoaavwiw.com
fpefzogigwvbv03.com
frxuozfhokx4o.com
fsurnwdjmk2o.com
fwcspsctjqwthpyw.com
fwsrdzkrvpuovq.com
gbpryrpwaswczcc1.com
gciqzhlkrjawfu4p.com
gdrtxiopsdnxibnzrz.com
gfkaxgwqjpr6b.com
ggmwwsvuscpbqbwrw.com
gkgipupaetbe0.com
gktzrujmqnhgr9.com
gmamqfrvesiixxd8x.com
gqlvqgpkandki.com
gqylmzpaqxpxzhg6.com
grvhtrswqabv9.com
gvnizifxypisk.com
gxncsqoceyeixyz.com
hbwfldwqrkwz.com
hchrplhizchby.com
hcmvpvrjolsfdh7h.com
hgnztjcohozyhfjta2.com
hjlfulsrszfm.com
hnkrgojmxjecjs.com
hplxpfdswia46.com
hpmpboojsqruz2.com
htoywfrimwi63.com
husxiizocxmeqgt70.com
hvylurcqkytlam7g.com
hxckgdipdyfn.com
hyoiylmziy5f.com
hzfyvfddcy81.com
ibcklvkvuzoc.com
icwufmiqnwyak.com
ijmowydlpfwsig91.com
imhubsvkjikbm7w.com
iogcacyrnstxj.com
iotsplwyvizubgx.com
irqenjlsjxcddl.com
itwzrmpxfdjz.com
ixrkdbzebdultuep5q.com
ixykoewkcw3k.com
jbddmebwcxsahz1y.com
jcbidgrdpydhtgtp.com
jcptmsrdlqtdjfgjd.com
jeaqqikbjmlhhz.com
jebwpepgabikfie0w.com
jeewskcqzouf.com
jfyqvlppkzwcnotve.com
jmmmxuykspsmg.com
jmnewfpumxaobxom.com
jnxursycbjamglpg9e.com
junoqrztcofwovtwm.com
jwnazyphunchyq.com
jynkojorcluzhigue.com
kgdrxqnpiix2.com
kglgiqnybzacn.com
kgmomyvrum2v.com
kjxcugxftanukbyb7p.com
kmlrxltiukzeomevc.com
kriuuddyvqhz13.com
ksxmsoymjskoc9o.com
kuswuakrjlkujfyo.com
leefdxcwpeofcq.com
leoxaqdnhthuhh2h.com
lgiilofjwelbm6.com
lhocfbuusoyjvqdh5z.com
llmewcauxpakgeiv.com
llubutbphvdfzsw82.com
lodqnyynjzi0z.com
lpywezaefyzt3.com
lthhsehhhe8e.com
ltlytentiawjj.com
luxybleyddxiurvj9y.com
lvvmskexslvjiwmn.com
lyehxcomqprmcqzjtk.com
lynowprllcpxyn.com
mehfihotzqmgvc.com
mialpujcnrpz.com
mjlshbowqlakdp.com
mkebxtqgqhxdzbe.com
mlrzvfoqrilxswy.com
mmhuefnmthi7k.com
mmkrjlzvyoulmgp.com
morgmnjotm9h.com
mrhvylpypt36.com
mrkmtcssqsuybf2j.com
mxhuadqtxofemxu.com
mzaqvmphuvjoecv.com
nehkekgcnkdzc.com
nimdyvwknwlaic7v.com
niqbdaazzgtw.com
nrlvdvibayoarkrp9.com
nslopccafpue.com
nyyomfkllzbqslp.com
oajkgcgyucotkeq3.com
oomlduphyypc.com
opeumvjsqzttj.com
osnzxkhzdedl.com
otalsoslkxvw.com
othrnbiwswtfa.com
ovexarqnmfjv.com
pjrudpdchzdezyzx.com
qaxeqvgyuxx03.com
qayjnpdgvfzdef5.com
qevigztqhrzge4.com
qezaoyoklrruiofqyq.com
qfzklwwnzfnmbqcvb5.com
qirkkgjtddodswic8h.com
qmqeakzcwieb.com
qnxfixyovll8y.com
qpfdohvzrkxusjhage.com
qqupfkoqiewzkoc.com
qsudkzjdunvfjaprok.com
qwrlcztmzptl.com
qzqswwlwbsozttc.com
qzuhquuejfejzr.com
radtuzfwylkgt.com
rebdjpcattkckzmkl9.com
rgbjxkzutmk35.com
rhthunfkbzgh.com
rjfpnefoflpsnrb.com
rpaanuoetfamq7n.com
rptozskombdvtktqr.com
rrczgamofwzccwqz.com
rtmumpsvpyahkez6e.com
rzdxmffcjfpnpv7m.com
scauiimgdciiktbahd.com
sdpdtxqvrbyc5.com
sfuunsgulumsehv6s.com
spgiuyatlsxd8.com
squgofplpczayz.com
stltdomezasri.com
sueghocsaqdvrkev.com
sxgturibbt7z.com
tgecbfxvjvhvyjdiv9.com
thqhjazwucyascr.com
tmqjpyokayvqm.com
tocusrgzstcddkql2.com
turwsugswnhd.com
uayvqbackoaxqlvw.com
ujnjjaclunxqg34.com
ulczxigqjvkzvewiuu.com
unapckihuqzo.com
unhietpexbvh.com
unxkknipfavlfta.com
usfhzgpcmeisafzkc.com
utvccjwypkggpm3n.com
uuijhoiwrhtnwpilu9.com
uutaivgaincwninw.com
uuwdegjfyqtxd50.com
uvubibslrtbc.com
uziinxzjmduhj.com
uzqwhqenmluzha5r.com
vaogsnsqbwizude.com
vbiujazqxfjg.com
vkkzkjtspzh4.com
vojmhrjvfbrppkiq4p.com
vooeeeqvmzsy18.com
vtzzjmwpoqgn9.com
vubslmsvndesfv7.com
vzjddgvobsxmqzxu.com
wcpszyzexpvsgqiy.com
wgdeaxwsnjxjchtec.com
wgrvvlnbudcmdk9.com
wolridwsvslnomy.com
woxqlhaxxxz48.com
wpxhjcmgiousy.com
wrhbetucepcvcda2j.com
wuysaaydbaqj.com
xhxdroxfodzm35.com
xkcxesvfvfnqsx8.com
xkucrotronjgmcqvd.com
xnncxksbtoo1.com
xqvvbgunxynshc7.com
xuyyfeqhgilj.com
yjrcftfexymi1l.com
yrjkwgvgvqhubfic8.com
yspwgultnrkito.com
yujvbwatiycznmeg.com
zbovqcynmygiteu4.com
zbtwxmfrakcbk.com
zbvvwfqrcuydkam.com
zfrnlmfhdghnry25.com
zgesrrywwyqmqs0g.com
zkyqatovameuhbgr.com
zlsbokllxzzdjsd2.com
zvrlfksajjcyoy.com
zxzxcreerkv9.com
zzczmaranvjlwtjf5m.com

From VT: Looks like a TID (time-independent) DGA

  • MD5:
    11846ad0916e66a25defcf41b676d0f7
  • VT link
  • Brief
    Ran it in Cuckoo once more and got the same DNS queries.
    It should be a time-independent DGA.
  • DNS queries from Cuckoo sandbox
    zizybilyxu.com
    gikupilah.com
    muhopohucyqu.com
    wygibodubowu.com
    pegabafifid.com
    tijusenenoqije.com
    ralexezoj.com
    gakenofod.com
    rexiqarifotoq.com
    xyvenuvewa.com
    peqokasyzato.com
    radososaxuw.com
    xalybaron.com
    wavipixibuno.com
    hupugivuz.com
    liqevesagis.com
    qysudipiboza.com
    vyqivaneh.com
    gygokelara.com
    wyduzylys.com
    mysupigaqyme.com
    zilebelywa.com
    zypomamuzosa.com
    ypyrezaba.com
    litubibam.com
    vehyraceke.com
    qajivehucewupo.com
    pakakywuseleri.com
    nylujusofo.com
    pubyhixasuhu.com
    gyravatimak.com
    zotaziweboxe.com
    pykolujij.com
    xibipijuxoj.com
    wumytaxuboly.com
    ydijajyb.com
    laxesepaweno.com
    fugegewulevu.com
    tevisuwapucumu.com
    sirakapofeti.com
    zenevakyfa.com
    pifajeniwyt.com
    cuhucupivu.com
    sumuryvynuh.com
    tuwynaropotit.com
    cikipihigilani.com
    waliwetixybuk.com
    tixirukemosa.com
    myfofeviqilo.com
    xaqygacatewuk.com
    cadyfahirecyci.com
    dazixydecamur.com
    tepucazij.com
    dolagomosu.com
    jicylegavade.com
    bumucewafypevy.com
    igotiroda.com
    utuhubolype.com
    ykilyxagesop.com
    ygywiguxake.com

From VT: New seed of Tinba DGA?

  • MD5:
    2acc3bfcde1bc81af00186d4ed977ffa
  • Link to VT
  • Today, 2016-09-02, I ran this sample in my VirtualBox and some domains were generated.
    bdttlsviqfkt.club
    bdttlsviqfkt.pw
    bdttlsviqfkt.us
    bdttlsviqfkt.xyz
    bggtbbxiffgp.club
    bggtbbxiffgp.pw
    bggtbbxiffgp.us
    bggtbbxiffgp.xyz
    bjxphhqqrinp.club
    bjxphhqqrinp.pw
    bjxphhqqrinp.us
    bjxphhqqrinp.xyz
    chebcidhgcpl.club
    chebcidhgcpl.pw
    chebcidhgcpl.us
    chebcidhgcpl.xyz
    crsxgyxxmmll.club
    crsxgyxxmmll.pw
    crsxgyxxmmll.us
    crsxgyxxmmll.xyz
    dl.client.baidu.com
    dns.msftncsi.com
    dr.sg.baidu.com
    dvvuhsqdvjpc.club
    dvvuhsqdvjpc.pw
    dvvuhsqdvjpc.us
    dvvuhsqdvjpc.xyz
    endlmnbkoufi.club
    endlmnbkoufi.pw
    endlmnbkoufi.us
    endlmnbkoufi.xyz
    jjqbsgoggkke.club
    jjqbsgoggkke.pw
    jjqbsgoggkke.us
    jjqbsgoggkke.xyz
    lddjnmfghink.club
    lddjnmfghink.pw
    lddjnmfghink.us
    lddjnmfghink.xyz
    mutmnffvyhsx.club
    mutmnffvyhsx.pw
    mutmnffvyhsx.us
    mutmnffvyhsx.xyz
    osogugfexsmt.club
    osogugfexsmt.pw
    osogugfexsmt.us
    osogugfexsmt.xyz
    pjwqxprfukmc.club
    pjwqxprfukmc.pw
    pjwqxprfukmc.us
    pjwqxprfukmc.xyz
    plbywowksonm.club
    plbywowksonm.pw
    plbywowksonm.us
    plbywowksonm.xyz
    pqddbjojlrhx.club
    pqddbjojlrhx.pw
    pqddbjojlrhx.us
    pqddbjojlrhx.xyz
    psbswldkklef.club
    psbswldkklef.pw
    psbswldkklef.us
    psbswldkklef.xyz
    ptvrghksijks.pw
    ptvrghksijks.xyz
    pxtttxbghkjq.club
    pxtttxbghkjq.pw
    pxtttxbghkjq.us
    pxtttxbghkjq.xyz
    qngxxpxswgow.club
    qngxxpxswgow.pw
    qngxxpxswgow.us
    qngxxpxswgow.xyz
    riwthpklxxqd.club
    riwthpklxxqd.pw
    riwthpklxxqd.us
    riwthpklxxqd.xyz
    srfihognsxyb.club
    srfihognsxyb.pw
    srfihognsxyb.us
    srfihognsxyb.xyz
    stat.client.baidu.com
    symvrqdogkip.club
    symvrqdogkip.pw
    symvrqdogkip.us
    symvrqdogkip.xyz
    vovgbbfedcfq.club
    vovgbbfedcfq.pw
    vovgbbfedcfq.us
    vovgbbfedcfq.xyz
    vvfjmngtiurc.club
    vvfjmngtiurc.pw
    vvfjmngtiurc.us
    vvfjmngtiurc.xyz
    vvgttdgppheb.club
    vvgttdgppheb.pw
    vvgttdgppheb.us
    vvgttdgppheb.xyz
    vwdetjbjrumu.club
    vwdetjbjrumu.pw
    vwdetjbjrumu.us
    vwdetjbjrumu.xyz
    whutnffnqeuu.club
    whutnffnqeuu.pw
    whutnffnqeuu.us
    whutnffnqeuu.xyz
    wpxlusttwnir.club
    wpxlusttwnir.pw
    wpxlusttwnir.us
    wpxlusttwnir.xyz
    wueiqltsgqns.club
    wueiqltsgqns.pw
    wueiqltsgqns.us
    wueiqltsgqns.xyz
    yyrlwvervfhl.club
    yyrlwvervfhl.pw
    yyrlwvervfhl.us
    yyrlwvervfhl.xyz
  • Regex results from DGArchive show these domains could belong to the Tinba DGA.

Benign DGA from TcpRoute2

  • A cluster from our LTCA (long-tail clustering algorithm).
Date Hostname
20170418 1492462334dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com
20170418 1492459806dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com
20170418 1492462441dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com
20170418 1492460830dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com
20170418 1492462508dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com
20170419 1492589511dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com
20170419 1492590065dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com
20170419 1492590773dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com
20170419 1492590072dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com
20170419 1492590075dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com
  • Actually, these domains were generated by an application named TcpRoute2.
// wg, queries, recordChan and exitChan are defined by the enclosing TcpRoute2 code.
go func() {
    defer wg.Done()
    for _, q := range queries {
        // The hostname is the current Unix time in seconds followed by a constant
        // label, so every probe uses a fresh name that changes each second.
        domain := fmt.Sprint(time.Now().Unix(), "dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com")
        q.query(domain, recordChan, exitChan)
    }
}()
  • There is no need to block these queries at the DNS service.
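As an added example (not code from this repository and not TcpRoute2's own code), the following Python script computes the cluster summary that the issue titles on this page state by hand (length range, character set, TLD set) and turns the TcpRoute2 observation above into an allowlist check: a label that starts with a 10-digit Unix timestamp close to the observation time, followed by a constant string, is clock-derived rather than DGA output. The two-label suffix list, the 24-hour window, the helper names (`split_domain`, `charset_class`, `timestamp_tail`, `cluster_signature`, `epoch`) and the "hint" wording are assumptions of the example; the sample domains are copied from the lists on this page.

```python
import calendar
import string

# Assumption: suffixes this page treats as the "TLD" although they are two
# labels long (the dynamic-DNS provider in the ddns.net issue further down).
MULTI_LABEL_SUFFIXES = ("ddns.net",)

# Constructed input, copied from the domain lists on this page.
PDNS_CLUSTER = ["afjfvvqhvnbegu.com", "ahlxjrgcrzxezzsb1l.com",
                "atcomvqhypz54.com", "cfvmixqmpcwy.com"]
HEX_CLUSTER = ["0137c9948c.pw", "10187cdf58.pw", "469255523b.pw"]
TCPROUTE2_CLUSTER = [
    "1492462334dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com",
    "1492459806dshsdjhsdsgsevstyhndrdrntrtvsvstbruiuok095g.com",
]


def epoch(year, month, day):
    """Midnight UTC of a calendar date as Unix seconds."""
    return calendar.timegm((year, month, day, 0, 0, 0))


def split_domain(fqdn):
    """Return (generated_label, suffix): the label directly left of the suffix.

    'update0.bcmeays.ru' -> ('bcmeays', 'ru'); 'x.ddns.net' -> ('x', 'ddns.net').
    Extra prefixes such as 'www' or 'update0' are ignored, as the issues do.
    """
    fqdn = fqdn.strip().lower().rstrip(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        if fqdn.endswith("." + suffix):
            return fqdn[: -len(suffix) - 1].split(".")[-1], suffix
    labels = fqdn.split(".")
    return labels[-2], labels[-1]


def charset_class(labels):
    """Describe the union of characters over all labels, as the issue titles do."""
    chars = set("".join(labels))
    if chars <= set(string.hexdigits.lower()) and any(c.isdigit() for c in chars):
        return "0-9a-f"          # e.g. the 10-character .pw cluster
    if chars <= set(string.ascii_lowercase):
        return "a-z"
    if chars <= set(string.ascii_lowercase + string.digits):
        return "a-z0-9"
    return "other"


def timestamp_tail(label, observed_at, window_s=86400):
    """If label is <10-digit Unix time><constant> and that time lies within
    window_s of observed_at (Unix seconds), return the constant part, else None."""
    head, tail = label[:10], label[10:]
    if not (len(head) == 10 and head.isdigit() and tail):
        return None
    if abs(int(head) - observed_at) > window_s:
        return None
    return tail


def cluster_signature(domains, observed_at=None):
    """Summarise a cluster (length range, charset, TLDs) and attach a hint.

    observed_at: Unix time of the observation; needed for the timestamp check.
    """
    parsed = [split_domain(d) for d in domains]
    labels = [label for label, _ in parsed]
    lengths = [len(label) for label in labels]
    sig = {
        "count": len(domains),
        "length": (min(lengths), max(lengths)),
        "charset": charset_class(labels),
        "tlds": sorted({suffix for _, suffix in parsed}),
    }
    if observed_at is not None:
        tails = {timestamp_tail(label, observed_at) for label in labels}
        if None not in tails and len(tails) == 1:
            sig["hint"] = "benign: Unix-timestamp prefix + constant label (TcpRoute2-like)"
            return sig
    sig["hint"] = "unlabelled cluster: find the sample (MD5) and rerun it in a sandbox"
    return sig


if __name__ == "__main__":
    print(cluster_signature(PDNS_CLUSTER))
    print(cluster_signature(HEX_CLUSTER))
    print(cluster_signature(TCPROUTE2_CLUSTER, observed_at=epoch(2017, 4, 18)))
```

The timestamp check deliberately requires the observation time: the same TcpRoute2 names seen a year later would no longer be within the window and would fall back to the "unlabelled" hint, which is the right outcome when a passive-DNS record cannot be tied to a clock.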

Suppobox uses new TLDs: [ru, net]

  • MD5 of each word list
    word list 1: eeaa43bb04003f98a29b92430ddd22ab
    word list 2: 204fe23181c98c6fac4f624c2e842cd7
    word list 3: ab8b17382c4656c4a4aa6cd3f0abf123
  • Domains

word list 1:

$ fdark -m eeaa43bb04003f98a29b92430ddd22ab | cut -f 5 | cut -d '=' -f 2 | tail
alonespecial.net
thinkgoodbye.net
strangeflower.net
classcorner.net
classspecial.net
twelvespecial.net
thinkgoodbye.ru
collegeadvance.net
presentgoodbye.net

[2016/11/04 14:07:05]

word list 2:

$ fdark -m 204fe23181c98c6fac4f624c2e842cd7 | cut -f 5 | cut -d '=' -f 2 | tail
southnice.net
arivenice.ru
arivenice.net
ariveelse.net
southelse.net
thisbreak.net
uponfine.net
arivefine.net
whichfine.net
uponnice.net

[2016/11/01 21:05:56]

word list 3:

$ fdark -m ab8b17382c4656c4a4aa6cd3f0abf123 | cut -f 5 | cut -d '=' -f 2 | tail                         
madeleinecharisma.net
glanvilletennyson.net
antonettecharisma.net
catherineanderson.ru
antonetteanderson.net
antonetteanastacia.net
charlottebernadine.net
stephaniebernadine.net
stephanieanastacia.net
stephaniebernadine.ru

[2016/11/04 08:33:20]

Suspicious DGA from VT: A fixed length of 7, a-z, tlds: [net]

  • MD5
    c3c260899fa7caea5edc4cfe5ad57e9c
  • Hints from [VT]
    bonylec.net
    bopamum.net
    bopegim.net
    bopipyf.net
    bopizyf.net
    bopucef.net
    bopybim.net
    bovatat.net
    bovozot.net
    cibopet.net
    cidicif.net
    cidipif.net
    cidozof.net
    cihazom.net
    ciherom.net
    cihykam.net
    cinaryt.net
    cinazyt.net
    direfes.net
    direvys.net
    disixub.net
    disusyb.net
    dixusow.net
  • But these DNS requests could not be reproduced in our Cuckoo sandbox. Maybe I should run it in my Win7 VirtualBox.

From VT: 3 new seeds of Banjori

  • MD5
    64c3e837c828b1c937f006736bd6cf8e
  • Seed
    censorshipecmascriptivylv.com
  • The number of domains
    40
  • Domains from our sandbox
censorshipecmascriptivylv.com
nhsdorshipecmascriptivylv.com
jjtrorshipecmascriptivylv.com
txeeorshipecmascriptivylv.com
qwmyorshipecmascriptivylv.com
hllgorshipecmascriptivylv.com
gojporshipecmascriptivylv.com
ocpsorshipecmascriptivylv.com
zpgzorshipecmascriptivylv.com
rhphorshipecmascriptivylv.com
rryiorshipecmascriptivylv.com
smioorshipecmascriptivylv.com
zjziorshipecmascriptivylv.com
aerporshipecmascriptivylv.com
icruorshipecmascriptivylv.com
vlevorshipecmascriptivylv.com
jrfdorshipecmascriptivylv.com
fzcqorshipecmascriptivylv.com
oyiiorshipecmascriptivylv.com
pxpgorshipecmascriptivylv.com
ouvhorshipecmascriptivylv.com
oobiorshipecmascriptivylv.com
pdiforshipecmascriptivylv.com
nfnjorshipecmascriptivylv.com
pluaorshipecmascriptivylv.com
iquworshipecmascriptivylv.com
xpjgorshipecmascriptivylv.com
wmxborshipecmascriptivylv.com
qafsorshipecmascriptivylv.com
bnyporshipecmascriptivylv.com
jvzvorshipecmascriptivylv.com
xzouorshipecmascriptivylv.com
kuqqorshipecmascriptivylv.com
ttbworshipecmascriptivylv.com
igbporshipecmascriptivylv.com
qojyorshipecmascriptivylv.com
hvinorshipecmascriptivylv.com
npnborshipecmascriptivylv.com
hxmworshipecmascriptivylv.com
wcakorshipecmascriptivylv.com

From PDNS: Another fixed length of 7, a-z, tlds: [ru, com]

  • The third-level label ranges from 'update' to 'update33'.
  • Sample domains from PDNS.
update.bcmeays.ru
update.bhtgvgd.ru
update.bjqlscz.ru
update.buicfza.com
update.buqgkvy.ru
update.ckwvect.com
update.cmbwgpt.ru
update.coqqtuy.ru
update.cxabxmn.ru
update.dkwktat.ru
update.dpyabij.ru
update.dpzsqdm.ru
update.dtqutmz.ru
update.duhpcxu.ru
update.dywkeki.ru
update.enyzyeq.ru
update.eyfudfb.ru
update.fcjziku.ru
update.fsfzgut.ru
update.fvojelg.ru
update.galnpfd.ru
update.gbuhxnb.ru
update.gmdqfbb.ru
update.gojrckb.com
update.haikgpx.ru
update.hdpnrvz.ru
update.hhuflmr.ru
update.hrorczy.com
update.hyjuwfz.ru
update.icdghvi.ru
update.indmszq.ru
update.izshmxw.ru
update.jbioydq.ru
update.juppdqq.ru
update.jxevrvv.ru
update.jzgjldk.ru
update.kedmtgy.com
update.klcgduk.ru
update.kvfwrbc.ru
update.lnjgukh.ru
update.lzeaeac.ru
update.mcuyfnh.ru
update.mefzluk.ru
update.mlxfyoz.ru
update.msmrlsa.ru
update.myfvwmj.ru
update.mzvapmw.ru
update.nugdtbl.ru
update.nyrfkra.ru
update.nzmmbxw.ru
update.osqhhum.ru
update.othihmm.ru
update.pblkxax.com
update.peyjasy.ru
update.pgzarrr.ru
update.ptaabfj.com
update.qbasipa.ru
update.qeprhiu.ru
update.qhlhtmd.ru
update.qlpyewm.ru
update.rgmriau.ru
update.rpzbtxx.ru
update.rqtcxnh.ru
update.rvzordc.ru
update.ryorpcr.ru
update.sbshxhb.ru
update.slvefiv.ru
update.tpiqcmd.ru
update.trawxsf.ru
update.tsferre.ru
update.ttkkmvk.com
update.ujozgxz.ru
update.ukwqrlk.ru
update.uqhbgyb.ru
update.usildbq.ru
update.utqudlq.ru
update.vcfkruz.ru
update.vfppkkd.ru
update.vhbyqsa.ru
update.vscpuki.ru
update.vuebcdx.ru
update.whbnuik.ru
update.whtjpzk.ru
update.widvmyb.com
update.xamnebn.ru
update.xfetdwu.ru
update.xsqckec.ru
update.ybdnfqm.ru
update.yncupri.com
update.zdkhdhg.ru
update.zhwkwzd.ru
update.zkerayl.ru
update.zlgqgfd.ru
update.zpbjdeb.ru
update0.bcmeays.ru
update0.bhtgvgd.ru
update0.bjqlscz.ru
update0.buicfza.com
update0.buqgkvy.ru
update0.ckwvect.com
update0.cmbwgpt.ru
update0.coqqtuy.ru
update0.cxabxmn.ru
update0.dkwktat.ru
update0.dpyabij.ru
update0.dpzsqdm.ru
update0.dtqutmz.ru
update0.duhpcxu.ru
update0.dywkeki.ru
update0.enyzyeq.ru
update0.eyfudfb.ru
update0.fcjziku.ru
update0.fsfzgut.ru
update0.fvojelg.ru
update0.galnpfd.ru
update0.gbuhxnb.ru
update0.gmdqfbb.ru
update0.gojrckb.com
update0.haikgpx.ru
update0.hdpnrvz.ru
update0.hhuflmr.ru
update0.hrorczy.com
update0.hyjuwfz.ru
update0.icdghvi.ru
update0.indmszq.ru
update0.izshmxw.ru
update0.jbioydq.ru
update0.juppdqq.ru
update0.jxevrvv.ru
update0.jzgjldk.ru
update0.kedmtgy.com
update0.klcgduk.ru
update0.kvfwrbc.ru
update0.lnjgukh.ru
update0.lzeaeac.ru
update0.malijoo.ru
update0.mcuyfnh.ru
update0.mefzluk.ru
update0.mlxfyoz.ru
update0.mqecrky.ru
update0.msmrlsa.ru
update0.myfvwmj.ru
update0.mzvapmw.ru
update0.nugdtbl.ru
update0.nyrfkra.ru
update0.nzmmbxw.ru
update0.osqhhum.ru
update0.othihmm.ru
update0.pblkxax.com
update0.peyjasy.ru
update0.pgzarrr.ru
update0.ptaabfj.com
update0.qbasipa.ru
update0.qeprhiu.ru
update0.qhlhtmd.ru
update0.qlpyewm.ru
update0.rgmriau.ru
update0.rpzbtxx.ru
update0.rqtcxnh.ru
update0.rvzordc.ru
update0.ryorpcr.ru
update0.sbshxhb.ru
update0.slvefiv.ru
update0.tpiqcmd.ru
update0.trawxsf.ru
update0.tsferre.ru
update0.ttkkmvk.com
update0.ujozgxz.ru
update0.ukwqrlk.ru
update0.uqhbgyb.ru
update0.usildbq.ru
update0.utqudlq.ru
update0.vcfkruz.ru
update0.vfppkkd.ru
update0.vhbyqsa.ru
update0.vscpuki.ru
update0.vuebcdx.ru
update0.whbnuik.ru
update0.whtjpzk.ru
update0.widvmyb.com
update0.xamnebn.ru
update0.xfetdwu.ru
update0.xsqckec.ru
update0.ybdnfqm.ru
update0.yncupri.com
update0.zdkhdhg.ru
update0.zhwkwzd.ru
update0.zkerayl.ru
update0.zlgqgfd.ru
update0.zpbjdeb.ru

From PDNS: A fixed length of 22, tlds: [in, ru, su]

  • A suspicious DGA cluster from PDNS
  • Domains
aefiabeuodbauobfaoebbf.in
aefiabeuodbauobfaoebbf.ru
aefiabeuodbauobfaoebbf.su
aefouaeaooaobaubvaeubv.in
aefouaeaooaobaubvaeubv.ru
aefouaeaooaobaubvaeubv.su
aeiueigafiegfaiedeiuag.in
aeiueigafiegfaiedeiuag.su
afeoadaueodgeouaoueofu.in
afeoadaueodgeouaoueofu.ru
afeoadaueodgeouaoueofu.su
aoeubfoabeoufadaeufoue.in
aoeubfoabeoufadaeufoue.su
arsohoduauahfhofuhfdus.in
arsohoduauahfhofuhfdus.ru
arsohoduauahfhofuhfdus.su
auiaaedabzabevbiiedizf.in
auiaaedabzabevbiiedizf.ru
auiaaedabzabevbiiedizf.su
awdauegdouegfageuofguo.in
awdauegdouegfageuofguo.ru
awdauegdouegfageuofguo.su
pfeakpfiahefupafoahefd.in
pfeakpfiahefupafoahefd.ru
pfeakpfiahefupafoahefd.su
srgsougshfouaoehfaghae.in
srgsougshfouaoehfaghae.su

From PDNS: A fixed length of 13, tlds: [club, com, info, me, net, vip]

  • A suspicious DGA cluster from PDNS
  • URL
http://www.bt9i4x9v8pen7.com/tixvpn/tixvpnR.asp?
http://www.cbbrcieg6h2t1.info/brightR.asp?
  • Not found MD5
  • Domains
www.bt9i4x9v8pen7.com
www.bt9i4x9v8pen7.net
www.1t8i6xfv3pdn6.club
www.1t8i6xfv3pdn6.com
www.1t8i6xfv3pdn6.info
www.1t8i6xfv3pdn6.me
www.1t8i6xfv3pdn6.net
www.1t8i6xfv3pdn6.vip
www.2t6ifxbv6p7nd.club
www.2t6ifxbv6p7nd.com
www.2t6ifxbv6p7nd.info
www.2t6ifxbv6p7nd.me
www.2t6ifxbv6p7nd.net
www.2t6ifxbv6p7nd.vip
www.3t6i4x3vbp4n5.club
www.3t6i4x3vbp4n5.com
www.3t6i4x3vbp4n5.info
www.3t6i4x3vbp4n5.me
www.3t6i4x3vbp4n5.net
www.3t6i4x3vbp4n5.vip
www.3t8i0x7vap2na.club
www.3t8i0x7vap2na.com
www.3t8i0x7vap2na.info
www.3t8i0x7vap2na.me
www.3t8i0x7vap2na.net
www.3t8i0x7vap2na.vip
www.6t5i7x7v0p7n6.club
www.6t5i7x7v0p7n6.com
www.6t5i7x7v0p7n6.info
www.6t5i7x7v0p7n6.me
www.6t5i7x7v0p7n6.net
www.6t5i7x7v0p7n6.vip
www.7tbifxdv1p9n6.info
www.7tbifxdv1p9n6.me
www.7tbifxdv1p9n6.net
www.8tdi3x3v2p2n2.club
www.8tdi3x3v2p2n2.com
www.8tdi3x3v2p2n2.info
www.8tdi3x3v2p2n2.me
www.8tdi3x3v2p2n2.net
www.8tdi3x3v2p2n2.vip
www.9t3idxdv8p3ne.club
www.9t3idxdv8p3ne.com
www.9t3idxdv8p3ne.info
www.9t3idxdv8p3ne.me
www.9t3idxdv8p3ne.net
www.9t3idxdv8p3ne.vip
www.bt8i6x3vdpbnc.info
www.bt8i6x3vdpbnc.me
www.bt8i6x3vdpbnc.net
www.bt9i4x9v8pen7.club
www.bt9i4x9v8pen7.com
www.bt9i4x9v8pen7.info
www.bt9i4x9v8pen7.me
www.bt9i4x9v8pen7.net
www.bt9i4x9v8pen7.vip
www.dt5i7xcv0pand.club
www.dt5i7xcv0pand.com
www.dt5i7xcv0pand.info
www.dt5i7xcv0pand.me
www.dt5i7xcv0pand.net
www.dt5i7xcv0pand.vip

Suspicious DGA from VT: A fixed length of 32, a mix of a-z and 0-9, tlds: [info]

  • MD5
    ad96cdc76bb48811adc89fb56805e2ba
  • Domains that look DGA-generated:
    2bj9j5mq889idfca58p7ccu13t3fnlvj.info
    2bl19mo5ogcp3asl65v6fe14akilfg4a.info
    2blap6o4oe22b3mamjkullosijakpbdb.info
    2blg650v4f1j618mv0vd0gn4e8kr2k6c.info
    2bm50afm9g8kp6m2krrrkigltf9qa1j1.info
    2bm52tgg6rokrjimvaqlofg7gp3nm7qi.info
    2bm5iv7ldho1tl86gg2otnb5b4k5gnna.info
    2bpejvagmkq37q1bgaoodkp221q4pqos.info
    2bphpmdvekaisljla693ievnhmbcvufl.info
    2bq2g61r7ae1qupho62ve16nh3p9vbrd.info
    2bqaopr0tkkj5gfq9fmg96u29fcdhked.info
    2br4ochmourhe8hb78minnjbgsakiv9c.info
    2brhhkf3aki13eer6rscl9e429m09rsb.info
    2brk2u55hj6i4ei58m8o8jfe8d51t3of.info
    2brl336dpt2pksj8tk7i5dm922jgfbsk.info
    2bs5lcpgcc0ngei65to1aijlbg3scegf.info
    2bseo1glsqvmg75b7k01lohrnjd26nh5.info
    2bsikvav62s3k33eahit1f2a44pd16rc.info
    2bsquch4rsjfmpv4l5h598fubo7bf31d.info
    2bulpig5la0p4n8d7o1n3bjabq294v07.info
    2bviemlmpendv4epu2qbvafdfq1o3uij.info
    2bvivlal9pr17hotv0lujfupl8br87t8.info
    2c1afcvq2nu3qv99tq4a93ncr6t579tf.info
    2c1sq984vdrs9k76ggec5romfvkvm38e.info
    2c2l66mlei0tqf79335jvl0gdi2eaacq.info
    2c3icokbmsoko5bdq57v2fcaahbqu92d.info
    2c42751iffqs20pupnsd18qah8ubp3j0.info
    2c4es278v5tnh2hqda5etdctb183q9qt.info
    2c4f71slqdig38afc9jbbq0lmnqog71t.info
    2c4jiita8fvrl756evu5v1vu7j4dj3ii.info
    2c5in883a9uc8mdpad5uvdlrfmapbcji.info
    2c5n5hdv257m70jnaenv4v9ogljf9uui.info
  • But this sample also queried these domains, which made me unsure whether it implements a DGA.
    300birch.info
    300blkusa.info
    300boerboels-germany.info
    300book.info
    300bushelcorn.info
    300canalbldg3.info
    300canalbldg5.info
    300canal.info
    300capitalists.com
    300capitalists.info
    300capitalmanagement.info
    300capmanagement.info
    300cchrysler.info
    300cc.info
    300cedarbraecourt.info
    300cheltenhamave.info
    300coach.info
    300colastreet.info
    300cubits.info
    300daily.info
    300dd.info
    300d.info
    300dishduel.info
    300-dollar-data-recovery.info
    300dollardatarecovery.info
    300dollardays.info
    300dollars.info
    300dpi.info
    300dundee110a.info
    300dundee305.info

Benign DGA of TeleRU

  • MD5
    b24b8cf072c778a4133db02716a82466
    6aca8624257a0d24be706a8ab31e8aa5

  • Domains from our mobile sandbox on 2019-02-08 11:23:53

93b375dd6cd9f2704d613d1016dbe0f2.info
93b375dd6cd9f2704d613d1016dbe0f2.tk
afcc0c1f4b9fd590a61ba1c24b49b525.ga
afcc0c1f4b9fd590a61ba1c24b49b525.info
afcc0c1f4b9fd590a61ba1c24b49b525.ml
afcc0c1f4b9fd590a61ba1c24b49b525.online
bbc16e2659b9b9b5128c2f7e5877d29b.cf
bbc16e2659b9b9b5128c2f7e5877d29b.ga
bbc16e2659b9b9b5128c2f7e5877d29b.gq
bbc16e2659b9b9b5128c2f7e5877d29b.info
bbc16e2659b9b9b5128c2f7e5877d29b.ml
bbc16e2659b9b9b5128c2f7e5877d29b.tk
bbc16e2659b9b9b5128c2f7e5877d29b.top
f62b550a0e5e4f234fdd30c927665c91.ga
f62b550a0e5e4f234fdd30c927665c91.gq
f62b550a0e5e4f234fdd30c927665c91.ml
f62b550a0e5e4f234fdd30c927665c91.online
f62b550a0e5e4f234fdd30c927665c91.tk
f62b550a0e5e4f234fdd30c927665c91.xyz

From VT: Only the first 6 characters of the given domain change, similar to Banjori

  • MD5
    5ad10e801bb00476705ade2f9a33c218
  • Link to VT
  • Domains
    memssomgxsfm.com
    kmkccqmgxsfm.com
    gasqqimgxsfm.com
    kieaqomgxsfm.com
    acquuimgxsfm.com
    aggmwwmgxsfm.com
    yiauuimgxsfm.com
    iikmgqmgxsfm.com
    uowsaamgxsfm.com
    asoyyumgxsfm.com
    ugeuucmgxsfm.com
    easaimmgxsfm.com
    mosmmwmgxsfm.com
    omiooemgxsfm.com
    iuimmsmgxsfm.com
    amsqqwmgxsfm.com
    aqqgyymgxsfm.com
    ckksoymgxsfm.com
    gcgwwumgxsfm.com
    oayacqmgxsfm.com
    escmucmgxsfm.com
    mkooegmgxsfm.com
    macaykmgxsfm.com
    yyekswmgxsfm.com
    uyaiiymgxsfm.com
    ygwqsomgxsfm.com
    auesscmgxsfm.com
    kuywaamgxsfm.com
    qkyqqmmgxsfm.com
    oqmmwumgxsfm.com
    wsgmaamgxsfm.com
    yaeawumgxsfm.com
    uamaoimgxsfm.com
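The two Banjori-style lists above (the 25-character seed where only the first 4 characters change, and the 12-character one above where only the first 6 change) and the 7-character "...men.com" seed reported further down share one structure: a constant tail behind a short varying prefix. As an added example (not this repository's code, and not Banjori's own generation algorithm, which is not reproduced here), the script below groups a mixed bag of labels into such families and reports, for each, the constant suffix and how many leading characters vary, which is what a "new seed" report needs. The bucket key (same length and same last three characters), the minimum family size and the function names are assumptions of the example; the labels are taken from the lists on this page.

```python
import os


def split_domain(fqdn):
    """Second-level label and TLD of a plain <label>.<tld> domain."""
    labels = fqdn.strip().lower().rstrip(".").split(".")
    return labels[-2], labels[-1]


def common_suffix(labels):
    """Longest suffix shared by every label ('' if none)."""
    return os.path.commonprefix([label[::-1] for label in labels])[::-1]


def suffix_families(domains, min_members=3, min_suffix=3):
    """Group labels that differ only in a leading prefix.

    Assumption: members of one family have the same length and share at
    least their last `min_suffix` characters, so that pair is the bucket
    key; the exact constant tail is then the common suffix of the bucket.
    Returns (families, leftover_labels).
    """
    buckets = {}
    for d in domains:
        label, _ = split_domain(d)
        buckets.setdefault((len(label), label[-min_suffix:]), set()).add(label)
    families, leftovers = [], []
    for (length, _), members in sorted(buckets.items()):
        suffix = common_suffix(sorted(members))
        if len(members) >= min_members and min_suffix <= len(suffix) < length:
            families.append({
                "suffix": suffix,
                "varying_prefix_len": length - len(suffix),
                "members": sorted(members),
            })
        else:
            leftovers.extend(sorted(members))
    families.sort(key=lambda f: -len(f["members"]))
    return families, sorted(leftovers)


# Constructed input: labels from three seeds reported on this page, mixed with
# unrelated Tinba-style labels that should stay ungrouped.
MIXED = [
    "censorshipecmascriptivylv.com", "nhsdorshipecmascriptivylv.com",
    "jjtrorshipecmascriptivylv.com", "txeeorshipecmascriptivylv.com",
    "memssomgxsfm.com", "kmkccqmgxsfm.com", "gasqqimgxsfm.com",
    "nodomen.com", "uipxmen.com", "kmrmmen.com", "pzyvmen.com",
    "bdttlsviqfkt.club", "bggtbbxiffgp.pw", "bjxphhqqrinp.us",
]

if __name__ == "__main__":
    fams, rest = suffix_families(MIXED)
    for f in fams:
        print("first %d chars vary, tail %r, %d members"
              % (f["varying_prefix_len"], f["suffix"], len(f["members"])))
    print("ungrouped:", rest)
```

With a real passive-DNS feed the three-character bucket key will occasionally put unrelated random labels together; the `len(suffix) < length` and `min_members` guards keep those from being reported as a family, and raising `min_suffix` tightens it further at the cost of missing short tails like "men".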

From PDNS: New seed of proslikefan DGA?

  • Over the past two weeks, DNS requests for these domains have been active; the number of clients reached hundreds.
    awaptfhcywz.biz
    bomffwnm.biz
    dkrwpi.net
    ecxpij.net
    eubuesq.biz
    fxbxpeo.ru
    gputzirpn.ru
    hafuvgg.biz
    hhheoujfk.ru
    iiixhbxj.biz
    ioxmpbwzd.info
    ipsxnpr.ru
    izolchilyv.ru
    jhcwhynhh.ru
    jhzxgxgji.eu
    jroptwvq.ru
    jyiruhuve.info
    kjzghtkx.ru
    koajzeef.eu
    kzoxbfqm.eu
    lbfcnjyf.ru
    lrogqk.eu
    lwtpvavi.info
    mcigspygl.info
    mjyjpzw.eu
    mywwwpdjq.eu
    myyajf.ru
    nqxcfnnbjs.eu
    nsnmcewnhs.info
    omvqqsz.se
    pcialmfe.com
    peqehgtd.se
    pmkodzc.in
    prmgxr.name
    qewrpffwv.org
    qhocqqov.name
    qkfrlza.com
    qssrzy.in
    ralqflyjvv.in
    rdswccti.se
    rmqquixisq.org
    rpulgh.name
    rwmneqv.com
    sfgwcdn.com
    sievgcoalr.in
    sokxihuec.com
    spiygv.org
    syjdikt.name
    tqxsbtk.name
    tvyklbcuja.in
    txaveyno.org
    txkoyliwf.com
    udchrwc.in
    ufphng.org
    upkkzmu.com
    usbvhxga.name
    uyggbvqore.in
    vhayrog.com
    vnakhug.org
    vwzzosjdz.net
    xgzedqycbs.net
  • Regex results from DGArchive show that these belong to the proslikefan DGA.

From VT: A length of 12-16, a-z, tlds: [biz, com, info, net, org]

  • MD5
    9690bee17e9d4b83ae584f5d91849a6e
  • DNS requests in [VT]
    iieqqoytgohjytil.com
    iieqqoytgohjytil.info
    kpjprkqhsmqrmsj.org
    njpqlupthfhwxqns.com
    njpqlupthfhwxqns.org
    qwdlnpptqrgsdprf.net
    qwdlnpptqrgsdprf.org
    wtgtpbrzogowkjt.biz
    wtgtpbrzogowkjt.com
  • Running it again in our Cuckoo sandbox, the DNS requests differed noticeably from the VT ones.
    nmqgnfwphujk.biz
    nmqgnfwphujk.com
    znhignykyyfrdlj.info
    znhignykyyfrdlj.com
    thrusjzvpgjpaikl.net
    thrusjzvpgjpaikl.biz
    cvyqpjqvjdplssq.info
    cvyqpjqvjdplssq.com
    rvqoovmmoqptspi.org
    rvqoovmmoqptspi.com
    oqrivpkkeujnqrrq.biz
    oqrivpkkeujnqrrq.org
    lsurhmvpmzkhwp.net
    lsurhmvpmzkhwp.com
    qkqxtfwunoyogxkp.info
    qkqxtfwunoyogxkp.biz
    pjrvnrqspptzn.net
    pjrvnrqspptzn.org
    qrstrupvskriebvw.info
    qrstrupvskriebvw.com
    mkqpykkpqyuul.biz
    mkqpykkpqyuul.com
    gyrhkosqoisgkfn.info
    gyrhkosqoisgkfn.org
    txhohmpovjstukpi.net
    txhohmpovjstukpi.biz
  • Is it a time-dependent DGA?

From 360 Sandbox: A length of 9-20, a-x, tlds: [ddns.net]

  • MD5
    08232e7b2f4d1753bc872a100673b05a
  • Hints from 360 Sandbox on 2016-04-05
    acgaaqsovipeos.ddns.net
    echufivoci.ddns.net
    kaukihviavfui.ddns.net
    lobuxewofiraap.ddns.net
    olleitumsebe.ddns.net
    ompeuhumhuas.ddns.net
    vukaewloetu.ddns.net
    xuxakuiwet.ddns.net
  • Then I ran that sample in Cuckoo again. I guess this sample implements a time-dependent DGA, because the DNS queries changed to these:
    saotociwu.ddns.net
    amefluri.ddns.net
    ushetonauwnume.ddns.net
    ilciiwvuu.ddns.net
    avudiptak.ddns.net
    uqapgerukeequ.ddns.net
    uweqxutiuxuxo.ddns.net
    hareremagaopavi.ddns.net
    soebubcuqiegsaa.ddns.net
    antosauca.ddns.net
    ipvoesenox.ddns.net
    aqdeudbepekeda.ddns.net
    owqaehreutwaubh.ddns.net
    qaucububfoli.ddns.net
    nopuoriwxuahpi.ddns.net
    houvacoflimeb.ddns.net
    luenatamgeovtig.ddns.net
    faicigap.ddns.net
    keusawaqxeu.ddns.net
    qiwuukoxi.ddns.net
    avciuteseckepo.ddns.net
    xioduwta.ddns.net
    xiikvoirebu.ddns.net
    kaarqufamafe.ddns.net
    foekacloxuriab.ddns.net
    fericaopo.ddns.net
    tiuqodigo.ddns.net
    opatovapiwvi.ddns.net
    etcarutoimqion.ddns.net
    elixofbee.ddns.net
    geavmaavdioqugi.ddns.net
    bucietguiqfi.ddns.net
    apxusumuq.ddns.net
    abivebuku.ddns.net
    ugekabamo.ddns.net
    qesaluwoi.ddns.net
    huwexihiotab.ddns.net
    wiopokfimuoqab.ddns.net
    fubiuritsaup.ddns.net
    hehacoaqushu.ddns.net
    opuxnoolowa.ddns.net
    funosomo.ddns.net
    uhripikiig.ddns.net
    abgugoewuxcef.ddns.net
    dunaeqemelgeb.ddns.net
    onwiigotqeo.ddns.net
    alubunivucru.ddns.net
    unfauqrefiancex.ddns.net
    kupuseipruofpe.ddns.net
    xuecxauh.ddns.net
    adpoxeevocg.ddns.net
    evfoandu.ddns.net
    vuoguluco.ddns.net
    baovlauhagukma.ddns.net
    baamsegie.ddns.net
    rohihedewi.ddns.net
    ebegudnoonqeit.ddns.net
    sotufosenowuovo.ddns.net
    neavuteqil.ddns.net
    ihivweircee.ddns.net
    oseppoeg.ddns.net
    coivepvawokiubs.ddns.net
    xeseumhea.ddns.net
    ubdawoqulual.ddns.net
    meicocfeqiwiva.ddns.net
    urdaveremao.ddns.net
    ecundiemuve.ddns.net
    doegkecepekexov.ddns.net
    pouvtexoxuh.ddns.net
    xeatorikaga.ddns.net
    baedfeetxiebd.ddns.net
    oxceetutvuipha.ddns.net
    uhsiedidqekuevu.ddns.net
    opkuaqocc.ddns.net
    doodisegaribik.ddns.net
    reqoxuan.ddns.net
    quexotvutaarpe.ddns.net
    mohoophaofi.ddns.net
    moaftoliecovud.ddns.net
    ifedetvigogoug.ddns.net
    atulakecuplal.ddns.net
    goduecweqiop.ddns.net
    ecasviparofouqv.ddns.net
    ukibotsiewivi.ddns.net
    geimivilp.ddns.net
    tuumilupiwg.ddns.net
    expeagfasuabi.ddns.net
    ocroowxoohexbe.ddns.net
    oqibenaxiseho.ddns.net
    gososiqemile.ddns.net
    upuqvouvgep.ddns.net
    afrusiboikec.ddns.net
    uposrifac.ddns.net
    unuptopikifuise.ddns.net
    liwiwusea.ddns.net
    geraguquhifa.ddns.net
    ivxeviagpinoid.ddns.net
    ahuqavhupaigvoe.ddns.net
    digeosqilau.ddns.net
    paawarlodav.ddns.net
    kawuelogahuwgeu.ddns.net
    dituabwuba.ddns.net
    dudotiuse.ddns.net
    imiccipucesitua.ddns.net
    heiqsicuwouwu.ddns.net
    lexibiuludquo.ddns.net
    igboecga.ddns.net
    ekafovceu.ddns.net
    ogogpiixopr.ddns.net
    esneuqtuarumiv.ddns.net
    loqoullap.ddns.net
    ixneepgi.ddns.net
    daiwtugo.ddns.net
    avsuobunnakokii.ddns.net
    xuahworoepbi.ddns.net
    ufelehugn.ddns.net
    ikkeaqugqe.ddns.net
    ahsedaovcaab.ddns.net
    uvavkidesiduwa.ddns.net
    ponuavhigoa.ddns.net
    ursoituloqisi.ddns.net
    ebehwihaegabeqt.ddns.net
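Three issues on this page (the TID sample, the 12-16 character sample whose VT and Cuckoo runs differed, and the ddns.net sample above) decide "time-independent" versus "time-dependent" the same way: run the sample again and see whether the queried names repeat. As an added example (not this repository's code), the script below does that comparison over two query lists, after removing OS and sandbox noise such as dns.msftncsi.com and the baidu.com names that appear in the Tinba run, and collapsing the per-TLD variants a DGA tries for one label. The noise-suffix list, the verdict wording and the function names are assumptions of the example; the query lists are trimmed copies of the ones in the issues above.

```python
# Assumption: query names that come from the OS or the sandbox image rather
# than from the sample; extend per sandbox.
NOISE_SUFFIXES = ("msftncsi.com", "baidu.com", "windowsupdate.com")


def split_domain(fqdn):
    """Second-level label and TLD of a <label>.<tld> query name."""
    labels = fqdn.strip().lower().rstrip(".").split(".")
    return labels[-2], labels[-1]


def strip_noise(queries):
    """Drop names under a known-noise suffix (exact match or subdomain only)."""
    keep = []
    for q in queries:
        name = q.strip().lower().rstrip(".")
        if not any(name == s or name.endswith("." + s) for s in NOISE_SUFFIXES):
            keep.append(name)
    return keep


def generated_labels(queries):
    """Labels the sample generated, collapsing per-TLD variants
    (Tinba queries each label under .club/.pw/.us/.xyz)."""
    return {split_domain(q)[0] for q in strip_noise(queries)}


def tld_fanout(queries):
    """Largest number of TLDs any one label was tried under."""
    tlds_by_label = {}
    for q in strip_noise(queries):
        label, tld = split_domain(q)
        tlds_by_label.setdefault(label, set()).add(tld)
    return max((len(t) for t in tlds_by_label.values()), default=0)


def compare_runs(run_a, run_b):
    """Compare the generated labels of two runs of the same sample."""
    a, b = generated_labels(run_a), generated_labels(run_b)
    shared, union = a & b, a | b
    jaccard = len(shared) / len(union) if union else 0.0
    if not union:
        verdict = "no generated names left after noise removal"
    elif jaccard == 1.0:
        verdict = "time-independent: identical label set in both runs"
    elif not shared:
        verdict = "time-dependent (or seeded per run): no label repeated across runs"
    else:
        verdict = "partial overlap: record run times and diff per day (date-window DGA?)"
    return {"jaccard": jaccard, "shared": len(shared),
            "only_in_a": len(a - b), "only_in_b": len(b - a), "verdict": verdict}


# Constructed inputs, trimmed from the issues on this page.
TID_RUN1 = ["zizybilyxu.com", "gikupilah.com", "muhopohucyqu.com", "dns.msftncsi.com"]
TID_RUN2 = ["zizybilyxu.com", "gikupilah.com", "muhopohucyqu.com"]
VT_RUN = ["iieqqoytgohjytil.com", "iieqqoytgohjytil.info", "kpjprkqhsmqrmsj.org"]
CUCKOO_RUN = ["nmqgnfwphujk.biz", "nmqgnfwphujk.com", "znhignykyyfrdlj.info"]
TINBA_RUN = ["bdttlsviqfkt.club", "bdttlsviqfkt.pw", "bdttlsviqfkt.us",
             "bdttlsviqfkt.xyz", "dl.client.baidu.com", "dns.msftncsi.com"]

if __name__ == "__main__":
    print(compare_runs(TID_RUN1, TID_RUN2))
    print(compare_runs(VT_RUN, CUCKOO_RUN))
    print("Tinba TLD fan-out:", tld_fanout(TINBA_RUN))
```

Two runs with no overlap are not proof of a time-dependent DGA: a sample seeded from machine-specific data gives the same result, which is why the verdict says "or seeded per run". Recording the sandbox clock for each run and forcing it to a chosen date on the third run separates the two cases.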

A new seed of Banjori.

  • MD5
    fd37d983948607542d7956fc506776b9

  • VT analysis

  • Domains
    nodomen.com
    uipxmen.com
    kmrmmen.com
    pzyvmen.com
    dntnmen.com
    jvuomen.com
    qscumen.com
    dzxcmen.com
    yinjmen.com
    acfcmen.com

From sandbox: A fixed length of 10, hexadecimal, tlds: [pw]

0137c9948c.pw
10187cdf58.pw
469255523b.pw
59e68dd72f.pw
5ce5a3010e.pw
8aa2f2db8e.pw
b0e94453c7.pw
c7d7c9b876.pw
c983ad2490.pw
d02f264235.pw
d0cb5d08cd.pw
e64b1e1e2d.pw
fe5a7035db.pw
...
  • Another cluster on 2018-06-07
cc9089dfb9.pw
8a66446ab5.pw
5149aecef4.pw
c7ea5c7056.pw
...
  • The sample is packed with VMProtect (VMP), which makes reversing the DGA hard.

From 360 Sandbox: A new seed of Ranbyus

  • MD5
    692db19e1ec34d19b3aa269b797bc98d
  • Domains generated on 2016-05-31
    aiwfrmhtxfhaxkfex.in
    tecpvceyyngfpfwph.pw
    yjojydbhexqkeqpco.me
    nxyqfkjibdpuinccm.cc
    gexktciaqidrlawqd.tw
    mbclufyjvjoueskqe.su
    dwmepxvqmooifbmwp.net
    tnegvvkjorcxvcctq.cc
    yoqrrldjtiestoahb.com
    mehdjxwhjaldgraox.me
    wfjymmidagssegpqb.pw
    tbygyweybgvrrjlvj.net
    hvnfydkpxmyuaafnj.in
    uondheemhwjnufrjy.cc
    ddqulbkmxvadafaku.in
    latphoweduhhprqyh.in
    gcqwvbnikfrsdooix.me
    aulkysrwheqyxegdw.tw
    fwvocruubecpvkgfb.cc
    bsnhidqyvxqrxknfd.me
    aoqpyjmhgbluodfcg.su
    fekyvsesiootsjblb.in
    ccqtfiiflirdknxeq.com
    pvnigifbodvvbktdn.net
    khnicxflcjnccrhgp.pw
    fwfwtytdtrafildll.in
    wphndbdkwwbrvsfgl.su
    bsfolmbvdefpxuetg.su
    ihduugnasejvervhn.tw
    wjywvkvmlbltjfpdf.cc
    kealpiegxquxauaya.com
    kfhycrcyntihetsqw.me
    adrkfepxotyvbqpsy.pw
    axrwdinfgtpvmqnjj.su
    cbueowjhbhjrwdxng.me
    jeqndpsewtcuhngho.tw
    emfmrdysypmqeddkf.cc
    lenkdpbagrnyjgpra.com
    vcnalqikrhjfgwdnm.net
    xuwwrccjuoqtyiiky.pw
    kwliqirwfebfsnmyp.com
    ejcdgbaolqodlvxvw.in
    noclgiytxnsstxkum.pw
    kvfdqecumujrscpaf.net
    nbdoivwibivyjvmyw.tw
    irosnoxdjrrmgrqrc.pw
    vanwnfqfddntyvqdx.net
    owtaayyxgwcylhawq.me
    uwpcfhwaoijevbhya.me
    bjqotdcxvlumvddcn.su
    cuyyqnijqelulavkq.cc
    axwwfshpxfwkvtkse.in
    xbavqtrlkgoqbjcdc.su
    kkaigyirqxetjbtur.cc
    ppqfhyhnyoyofhiad.tw
    vxiucmdsevhobgmvt.me
    xqptkreijbvcwvsae.com
    unvxulqebdxdujtbg.tw
    dukhochkheybmfcqv.pw
    uglapusdwbrukogiy.cc
    ghauhdbuuxcdxaqkr.in
    vljfcmofafuiaosdj.net
    mqagkwejnufvnuuad.tw
    bvwkkyewugditfdpe.in
    jofdujjwwlodfvewh.net
    pxrdccbgcuwryyuyg.tw
    jwosdvldxhjwithch.com
    ahofnajdymqfmlclx.com
    mriubbpqxrtmvsmkg.pw
    pxiwfwsxsdwacocpd.com
    tbynbklwehjjxioei.cc
    qoajrdkqbxqgalydw.me
    foksivhtwfapxhcyx.su
    spmmgfmrrsggonsfn.pw
    meknjkutlmtpngpfl.net
    eamkmnysagprwseao.me
    yulvrlubqitlefonr.com
    tcqfridrkomasxqdh.tw
    mkgybhehymibseaex.pw
    kfapvxdqhbqoikjbi.cc
    ftireexfolnncujsi.su
    sotgnbwvqauaydjtd.pw
    qduyrgfifmeofjcwg.in
    bykdoqbmiwvrrrono.su
    mdulppximxqffudgh.net

From PDNS: A fixed length of 16, hexadecimal notation, tlds:[com]

  • A suspicious DGA cluster from PDNS
  • Domains on 2018-06-18
32994a8c5b77d4ba.com
3fa34e473d565b43.com
4ad2453b3d16477b.com
4e7a6af91ba29a22.com
7387c88fc2feff5b.com
8e3746b91711cf9d.com
97e36cef4a6221be.com
9c90f99c44a8e61f.com
b91076d16f4ea33c.com
ba6ab0a5d7a4e503.com
f48c01a836b4c3de.com

From VT: The DGA of FakeAV

  • MD5:
    2cb2cc33f56f0d6bada25dad5a18c767
  • Link to VT
  • Domains:
    xaxymivirocis.com
    vuforazaj.com
    fyzybopufanuj.com
    nyzysemadyk.com
    gavotataran.com
    pubepujiwusiwy.com
    zetofyhecynovu.com
    hypulycyfaqaba.com
    rehudomydefe.com
    vequtycarykeg.com
    nypucevys.com
    sesycifaqago.com
    lozebymova.com
    davizyzaky.com
    wihasiwaji.com
    cixizacakudyko.com
    qulygimokine.com
    dihojocitiz.com
    mimopywyn.com
    qobirawif.com
    gavywelugamoqe.com
    cikojavif.com
    rinysegaci.com
    mobesinolacuke.com
    xybobimaholos.com
    posubudiqof.com
    tucaxiqiwityp.com
    pulumacugefel.com
    sucejukas.com
    xopimynycerev.com
    jihamisunos.com
    qocakizali.com
    netiqugerin.com
    cimuxorazag.com
    juvizovih.com
    bivuzygaden.com
    bekukokymyje.com
    sowevicekem.com
    losajabevyjydu.com
    nibycexadytyn.com
    pekiwimozoha.com
    wohocebutiqy.com
    metuzamygyjo.com
    zokykajobu.com
    sabisocuci.com
    fazobugylov.com
    bivuxejak.com
    kofajisatum.com
    suqyjuxumo.com
    hijurefugeb.com
    xonibawylabep.com
    cajarihejeluw.com
  • It appears to be a time-independent DGA.

From Sandbox: New seed of Padcrypt

  • MD5:
    1e69889644fd30e906c1f5c923599bef
  • Domains from Sandbox, 73 lines in total (72 generated domains plus one ordinary lookup of ipinfo.io captured in the same run).
[datetime: 2017-05-17 02:18:58]
ceaonmlmcdefkbmd.com
beoamaebcldfkcdn.net
neadamaflkckddan.com
bbnkdfekaocadlkc.online
momdflefflamkadn.tk
caacemceebmfmofb.online
eckcafccffnoddco.com
dlffbnobdkkdcdmf.com
cnbmbdfllanfaecb.com
obbcoomndnccmela.org
alblmfdamndebckk.com
dkeackfnkakbdcke.ga
aaelmaomkffbaaoc.website
eaebeafdodobmnff.tk
ffcldmfkankdlefn.de
fadmaoclbldofddd.net
accbkadamdcnffnb.com
cdofacfaobbaadck.de
bdfafmbmfokkmcen.org
dkfnbefckcdllabk.online
dedeonalolcmccdn.net
dcbadcfkcobfdbom.com
afmdkbnalffbldab.co.uk
dfmdmekmdnbdbebk.tk
cldnmebabkcdldlb.ga
laacbdabfonledab.org
bfffcndcmdldndkb.info
ebnnbelccdcdlben.info
odkfnfabbacdfcke.com
mofkafmnmmcalndn.de
fdoedfldfbolblbf.website
fbflbfffceadocac.org
defaffaooabbadbf.cc
abfddfbmkmfaffec.co.uk
flcadcnoamldofef.de
eafbfndbcffdocka.online
nbbbcaabackbafbb.co.uk
bfcaclomdaodabml.ga
becbdfabdbbfaldd.co.uk
faoaeeacfommdeab.website
adknbalfedfabdab.co.uk
ipinfo.io (not a DGA domain; resolved during the same run to 52.74.166.76 and 52.221.28.84)
dallfmfdnmkcmkda.co.uk
abldkfanoobebbaf.com
cbbaaekbdckmabbd.de
cbffmmdkblodeeck.com
fffcbdbacfodedbf.tk
eclcedafkfddnkec.tk
lbaafbblfadddedm.org
cbfbfcdafdomaann.com
aeocfacnadfcccda.de
benffabcfbmddoac.co
mlackfemdlndfcfo.de
ffakcdacdaoolbab.co.uk
kldnlafolkdbeebk.info
bcdcacnnboabdlll.de
fanfbndcaaccncce.net
nkfbcdmndkaendff.com
lbdodamcdbaabldc.com
alecadbefcddoacf.org
cdkfafmaldlboald.info
lcnlbadmfbeeokob.info
mdleakbnnbellnaa.net
baccebofcoomcabf.com
donelffkbfankmfd.net
aamccaaffkclafca.net
bkdbcbfffkedamba.com
ddacdoanccefmabm.co
aadmebacfeaancfe.website
dnlfcdlacdbbabcd.cc
cdaaacdnafnbcaod.co
kbnbffkakbkdcbdm.net
aoaedbkoabalbcfa.info

Suspicious DGA from PDNS: A fixed length of 16, mixed a-z and 0-9, tlds: [org, ru, cn, net, info, biz]

  • MD5
    55c447191d9566c7442e25c4caf0d2fe
  • These suspicious domains had been seen in the PDNS system for a long time, but only a few weeks ago did we find a way to map them to the MD5 above. Domains sampled on Aug 07, 2016:
    53ptxfec6a4mwbrl.org
    ou16nagv4pashauc.ru
    cav36gi2q7sw1quk.cn
    vnbbj9a2udxpfq2c.cn
    fqtk3dzc23momnpg.org
    4w30kxhvkfel0oup.net
    9n78kfujyzmip0qv.info
    w2ot29dbfzg6keue.ru
    d9tan26jpjpz9snt.cn
    guf7vdg5eutsacyj.ru
    l1sfcoafyl7x1gkr.biz
    jq1i45ll407n59fi.info
    p5oaqfyxb94yig2t.org
    9q02paxvmei1v6sp.ru
    jayzvrpixxlc58bc.info
    eseu24pzdd5f72vv.biz
    dcydfwpx6g5to34s.cn
    ydd3i2lh6afrfmw1.ru
  • DNS queries from the malware sample 55c447191d9566c7442e25c4caf0d2fe, very similar to the domains listed above. Note that the sample also queries .com, a TLD absent from the PDNS cluster, so a filter keyed on the six TLDs above would miss part of its traffic.
    0aa05rcmqxnz7vzj.net
    29cqdf6obnq462yv.com
    2s3txyhr1ptozde7.info
    5qip6brukxyf9lhk.ru
    7vzlqhsisdgk1diw.net
    8ccl6qveudd642rq.ru
    etkxskxjy8sn4niz.ru
    gkczbuwjza2s1khf.net
    nhamoigj5jd1qyn4.cn
    o47xa659ueqorz57.org
    p7rmkau94thlq1tb.cn
    qowhi81jvoid4j0m.biz
    tjklzgosi2xivjs4.biz
    zinna4ltt9yx9bih.com
    0aa05rcmqxnz7vzj.net
    29cqdf6obnq462yv.com
    2s3txyhr1ptozde7.info
    5qip6brukxyf9lhk.ru
    7vzlqhsisdgk1diw.net
    8ccl6qveudd642rq.ru
    dahs7d52v40cyxgi.info
    etkxskxjy8sn4niz.ru
    gkczbuwjza2s1khf.net
    gnjvn08gxgd2u6dh.info
    nhamoigj5jd1qyn4.cn
    o47xa659ueqorz57.org
    p7rmkau94thlq1tb.cn
    qowhi81jvoid4j0m.biz
  • Reversing this binary and feeding the DGA implementation back would let us generate these domains ahead of time and filter them out of the PDNS system.

From PDNS: A fixed length of 40, hexadecimal notation, tlds:[com, net, org]

  • A suspicious DGA cluster from PDNS. Each label is registered under .com, .net and .org at once, and the second label starts with k, so it is not purely hexadecimal: a strict [0-9a-f]{40} match would catch only the first one.
  • Domains on 2018-06-17
bb323d822f4797fc84845f12fb29bc96ee70e65b.com
bb323d822f4797fc84845f12fb29bc96ee70e65b.net
bb323d822f4797fc84845f12fb29bc96ee70e65b.org
k35e061fe90493acc9471b2b046454bc7c32d251.com
k35e061fe90493acc9471b2b046454bc7c32d251.net
k35e061fe90493acc9471b2b046454bc7c32d251.org

From VT: A length of 10-15, a-z. tlds: [com], unpredictable DGA

  • MD5s
    5bbb6d8c1d27f962427777cdbc1c11d5
    c8e576a095eaf36edeb47175ba9b16f2
    c68151a15a88a0b3cdda1bbcba2aac89

  • Domains

dvzejqipdw.com
lotnptdatj.com
lyrbqcnynrzk.com
ohrhywpjwslk.com
pmcetqvgssvk.com
tfuypxmfgbmh.com
tpchekteer.com
vjxfspyxky.com

ahnmhhaxqmxbaj.com
cjxdzcrmkjdqctl.com
fwlqhjbwjzdavc.com
glzjtshrugau.com
pcjsthmobaxct.com
qrpxcvntrct.com
yppervqsbhtbdux.com
zwekgmilcs.com

dekmubqkuxqhue.com
dqdmeznkiygrjv.com
hgdazksaghsagf.com
hljfvdmlhot.com
igaftxinblhu.com
mqpljbgkczm.com
nnkmgbvthwxhg.com
pozxzlmrzexlzbn.com

From VT: A new time-independent DGA?

  • MD5
    94d31d4606a0ddf45a2a3da37ab67304
  • Domains
    bivobakumuv.com
    cysuhevuzilu.com
    dewyvoryr.com
    gajejunymepewo.com
    jeryqitego.com
    kakukunucatih.com
    kipuhazasalel.com
    kypojufiruqym.com
    merurelecotele.com
    negujavigoken.com
    pelituhypivi.com
    qamikumopy.com
    vahijitenate.com
    wabypukov.com
    wavysyfykylic.com
    wewaqaloqad.com
    wyqaqitasulaz.com
    zisixexaboci.com
  • Run twice on different dates, the sample produced the same domain list, so it appears to be a time-independent DGA.

From VT: New seed of Randomloader DGA?

  • MD5
    baf268f88c0bf8501efe2cdeee712ce1
  • Domains from VT sandbox
    cgyck.museum
    cimumks.nu
    fyyayyyoc.vg
    gtxwwagzv.vg
    gymsuagbjpr.mp
    icmok.tk
    kohydmqzd.ws
    mfcqlfmve.museum
    mmqcwjzykqs.tk
    pesoeyxgwcc.cd
    psufsoqsgkquy.museum
    qluwbykqusk.cd
    tvoaikyqpk.cd
    ucymkoe.pw
    ugmkgqi.tk
    vouysxzkmebw.cd
    wiynq.mp
    yshcnqopiuz.pw
  • This sample drops C:\WINDOWS\system32\rmass.exe. Running it and killing the process tree repeatedly, Wireshark captured a few more suspicious DGA domains each time.

From PDNS: a-z labels of mostly 7 (.ru) or 9 (.com) characters, all under a pop. prefix. tlds: [ru, com]

  • A cluster from PDNS that looks like a DGA. It was pulled by the pop. prefix, so it is not clean: a few labels are 8 characters long, and pop.consultinginc.ru, pop.itfutureclub.ru, pop.mswteam.ru, pop.thelove740.ru, pop.vindustry.ru and pop.w8start.ru look like ordinary mail hostnames rather than generated names and should be dropped before the cluster is used as a signature:
    pop.atbmbqy.ru
    pop.avzeenn.ru
    pop.axqiitr.ru
    pop.axsesol.ru
    pop.axtllfe.ru
    pop.ayazssi.ru
    pop.aymkobiqx.com
    pop.bgjtwltjm.com
    pop.bnxqqyjey.com
    pop.bpkhpqq.ru
    pop.busyzboor.com
    pop.bzretpwbi.com
    pop.consultinginc.ru
    pop.cpegnjp.ru
    pop.cpltrmhvw.com
    pop.ctuiwslxa.com
    pop.ctwljzq.ru
    pop.eaiiecw.ru
    pop.ecbspeg.ru
    pop.eckxyvxuo.com
    pop.eebgghfs.ru
    pop.eejovgiwp.com
    pop.eemwhuiyq.com
    pop.einlbzpaw.com
    pop.ejcvqnhqq.com
    pop.ekiqyun.ru
    pop.etvnzswkt.com
    pop.etyrmcain.com
    pop.euxpcth.ru
    pop.evyqzlc.ru
    pop.evzyuhzjt.com
    pop.eybfitfev.com
    pop.eyeyofu.ru
    pop.faxxrtrck.com
    pop.fmfmlnkfz.com
    pop.fmnjafp.ru
    pop.fnyswnkvk.com
    pop.foinbymai.com
    pop.fqayzag.ru
    pop.fqcyuitma.com
    pop.ftlalitzk.com
    pop.futnctici.com
    pop.gglwjgz.ru
    pop.ghbzfbftq.com
    pop.guepcvzsr.com
    pop.gzjjprkuf.com
    pop.gzuglsssx.com
    pop.hbyqvjzha.com
    pop.hiznnvmvu.com
    pop.hjysyxo.ru
    pop.hlzrcohxk.com
    pop.hoivnno.ru
    pop.hoxzxeuzk.com
    pop.hrfomio.ru
    pop.htcahgw.ru
    pop.hwrcmsr.ru
    pop.iatybkkar.com
    pop.ifzsrlfew.com
    pop.ilcoyfb.ru
    pop.ilhbyto.ru
    pop.imvhhht.ru
    pop.inqmzqvxx.com
    pop.ioeajlk.ru
    pop.iqtzchf.ru
    pop.itfutureclub.ru
    pop.itobhao.ru
    pop.iuezhkq.ru
    pop.iuvoeauzy.com
    pop.iywjiyxur.com
    pop.jciuzam.ru
    pop.jiomqnk.ru
    pop.jkkjymtb.com
    pop.jqcnoab.ru
    pop.jwfslgh.ru
    pop.jwzuyjyk.ru
    pop.jywgybvhe.com
    pop.kcwloqp.ru
    pop.ketnxrsck.com
    pop.kfcqyyhks.com
    pop.kgbqfkr.ru
    pop.klhrsjhor.com
    pop.knlscwy.ru
    pop.kpoxavz.ru
    pop.ktqqaowqt.com
    pop.kvwkwxxeo.com
    pop.lccnpri.ru
    pop.lcqqhkgzj.com
    pop.lhoggcq.ru
    pop.lkxxvyx.ru
    pop.lliziyr.ru
    pop.lltiufg.ru
    pop.lojcajs.ru
    pop.lqcloywqm.com
    pop.lqtmgjw.ru
    pop.lrloeyb.ru
    pop.lvwmabhxu.com
    pop.lxsrvwk.ru
    pop.mabtmqg.ru
    pop.mfyitli.ru
    pop.mhytswh.ru
    pop.mibjkib.ru
    pop.mquwkqo.ru
    pop.mswteam.ru
    pop.mwvthng.ru
    pop.mxnextt.ru
    pop.nbfysuh.ru
    pop.nnzrwmt.ru
    pop.npjahwj.ru
    pop.nuyftxn.ru
    pop.nvuebzo.ru
    pop.nyuiejknj.com
    pop.nywkpib.ru
    pop.oavgzofqu.com
    pop.ocesuej.ru
    pop.ogikgxq.ru
    pop.ojantlj.ru
    pop.oysjskg.ru
    pop.pfzgiof.ru
    pop.pjepesjxg.com
    pop.pjhzure.ru
    pop.pnxfuag.ru
    pop.ppohnqab.com
    pop.prbmgxklr.com
    pop.prqoton.ru
    pop.qlmkxqlx.com
    pop.qmgvfoxcn.com
    pop.qnqcwlj.ru
    pop.qnqmniznm.com
    pop.qopntzvzc.com
    pop.qstopsi.ru
    pop.qujwlgt.ru
    pop.qzibngc.ru
    pop.rbpqvbeny.com
    pop.rcuraaqje.com
    pop.riyfoawpx.com
    pop.rntriwf.ru
    pop.ronjyfj.ru
    pop.rrplviaoy.com
    pop.rxwanetgo.com
    pop.rzhheil.ru
    pop.skbqrtc.ru
    pop.sokwxrzyr.com
    pop.sqcokri.ru
    pop.srpfrgvvm.com
    pop.srzbytt.ru
    pop.sxazgprlz.com
    pop.tbyrzhrkv.com
    pop.thelove740.ru
    pop.tmubkvpyk.com
    pop.tpalenc.ru
    pop.tpelpgxfu.com
    pop.trrppxw.ru
    pop.tsjvtaj.ru
    pop.ttkpugnbu.com
    pop.tuvxubocs.com
    pop.tvugttl.ru
    pop.tyfriyl.ru
    pop.tzcyqrb.ru
    pop.tzsfbic.ru
    pop.ubjgljalg.com
    pop.ucnanrzjn.com
    pop.uglkfimyh.com
    pop.ugmwkjeio.com
    pop.uhsuifbyi.com
    pop.ukmsske.ru
    pop.umesejx.ru
    pop.uquklrxvq.com
    pop.uvieegpuz.com
    pop.vbstthxbc.com
    pop.vhnnbcqyw.com
    pop.vijvseapa.com
    pop.vindustry.ru
    pop.vivfcpmzj.com
    pop.vkcqbeszm.com
    pop.vojzqms.ru
    pop.vrcjhvaov.com
    pop.vsifjchzu.com
    pop.vtatbbx.ru
    pop.w8start.ru
    pop.wbultnili.com
    pop.wgcapsioe.com
    pop.whxwcavvg.com
    pop.wirqivabl.com
    pop.wjpqpuc.ru
    pop.wshcqvjzv.com
    pop.wshxzmlbc.com
    pop.xbziiasm.com
    pop.xhmwmlubs.com
    pop.xlhbxeoru.com
    pop.xonpqigw.ru
    pop.xosecjxic.com
    pop.xppqcnjjr.com
    pop.xzrrlfx.ru
    pop.ygbtzrhwi.com
    pop.ynkfplonq.com
    pop.yofopcwyc.com
    pop.ypjrmoigz.com
    pop.ypkpwkyrp.com
    pop.ypqctjbwk.com
    pop.zfzhpps.ru
    pop.zhrelfk.ru
    pop.zimbbth.ru
    pop.zogswipri.com
    pop.zrwolqp.ru
    pop.zrxtugb.ru
    pop.zymkela.ru
    pop.zyokzzwvi.com
    pop.zzuxqcw.ru

From VT: A new key of Murofet V2?

  • MD5
    6d0f3196e91f8ae640791d5bb0d466b7
  • Some domains generated on Sep 09, 2016
    enlwmlrnnrwghtzo.info
    fjshqslnctjjih.com
    fjshqslnctjjih.net
    fnqpwtpnqjrelr.com
    fnqpwtpnqjrelr.info
    fokilqnsjounrky.net
    fokilqnsjounrky.org
    fwiwunhysiobknow.com
    fwiwunhysiobknow.org
    gbrykvuhjyswps.com
    gbrykvuhjyswps.org
    gdsyglrssgouivot.com
    gdsyglrssgouivot.info
    ggmvhppkztszqus.biz
    ggmvhppkztszqus.info
    gresqpvwthsrcoho.biz
    gresqpvwthsrcoho.com
    gwkokphtoqkpphnt.com
    gwkokphtoqkpphnt.net
    gxnxtrdljnhvpb.com
    gxnxtrdljnhvpb.org
    hlmgmsjpckypfto.net
    hlmgmsjpckypfto.org
    hnrkreqknieipzs.com
    hnrkreqknieipzs.info
    hoqunoctsxlirmt.info
    hoqunoctsxlirmt.org
    hpgyloqmkfgieltk.info
    hpgyloqmkfgieltk.org
    htuntitiwlxjtn.biz
    htuntitiwlxjtn.com
    hvekvijjuprlscl.net
    hvekvijjuprlscl.org
    jolgbxtlovrtmnrq.biz
    jolgbxtlovrtmnrq.info
    jpxhnfzphfqvpooj.com

From sandbox: The DGA of MyDoom

  • MD5
    5ca475be33c4cb2117837310c43446c0

  • Domains generated on 2019/01/03 in the sandbox. All 40 labels are 10 characters long and use only the ten letters a, e, h, m, n, p, q, r, s, w; in this sample the last character is always one of a, h, n, r, s. TLDs: com, in, info, net, org, us, ws.

qammswnqrn.info
eawesnrrhs.ws
rqmprewqns.org
wpmsewhnmh.in
rhhwmqqsqh.org
hsnmqqhpna.net
nmmmsaqpmh.us
wppnhmqssr.in
qamnewnrrn.info
heswwrahna.net
qhnppspnma.info
wawwrwqaqh.in
rsrapqrwna.org
eprqerqwns.ws
rnrswahmsa.org
hnqrsapmnn.net
narpqrehqs.us
mppqprmnnr.in
arshsernqa.com
wrerrqpseh.in
rhhhaqanan.org
mnnhwehhsr.in
neepnmhqrn.us
wnhraasnsh.in
asnenehqsa.com
mqwnqqqeeh.in
anqphrhenn.com
hneapamsqh.net
ahneneqamn.com
wmhmqsqsqa.in
arremamwwa.com
hpmespenrn.net
nnesearqra.us
mrrmwsewnn.in
neqehapwhn.us
ewaspmnssh.ws
awrapnpaqn.com
hepeamqrpn.net
prpmaawpsn.in
wrrehreama.in

From VT: A new seed of Tinba?

  • MD5
    3982e0ec334b596158f221fc7635f49a
  • Link to VT
  • Sample of Domains
    jijfghqqkspf.com
    gojhwfkdltwk.com
    llwolmnogxws.com
    cniuybkpjfnu.com
    lmeronigeqpn.com
    dvygnnchwboe.com
    utpklmeefdkp.com
    dofilmejmgqm.com
    nrebebqttsev.com
    bccivrfvwxhs.com
    jchhgvngxskx.com
    jloijuyylglo.com
    bbcdffsdiiqr.com
    komhkslxlfun.com
    edcjmejornmx.com
    kghknfghbson.com
    eiqhpmnmtlgx.com
    orkoxhbowgcm.com
    ddbedgnoqvwo.com
    cbcmpowggsch.com
    lluehrbjohov.com
    clhgeebbebjx.com
    jcbjkstunwqd.com
    jiuhihieoqve.com
    ghgbvwtirqji.com
    eddnoyxdybdx.com
    kgcbgkiqqltw.com
    eimxxybswwuo.com
    oopdjrckhmkr.com
    dcgfedfitdry.com

From VT: A length of 5-14, a-z. tlds: ['cc', 'cx', 'mp', 'museum', 'nu', 'ph', 'pw', 'tk', 'tv', 'ws']

  • MD5
    896d8c518470635f058139ece63b34b1
  • Domains:
    bsxhrdaqpadhw.ph
    cavsftjttyegx.ph
    cebsdnm.ph
    clswrmzviuhy.tv
    crzhpdbeovb.mp
    dlkhzl.ph
    dsuzm.tv
    ekyisucvkdu.nu
    fpcaekbpy.nu
    gopprodymo.ph
    hbngloeusaaud.tk
    hdnthoafgeun.cc
    hqikqw.ws
    hxmwhn.pw
    jhbzeenwufvm.tk
    jyhvkibuije.tv
    ktsrw.ws
    lpelywltlfk.pw
    nckqhrmyqseh.ws
    nkllesg.ph
    nnlkogw.pw
    nwkeqbbw.museum
    ooecuz.ws
    pdkfbxedem.tv
    pvgsxfcrapzbke.ph
    quozsund.mp
    rfbpfcvbzwh.mp
    rpoeq.nu
    rpvthjjwtakt.nu
    rybeuvrbhy.mp
    rzafwgompiei.ph
    toxnaimlaql.mp
    uojdyg.mp
    uwcfsbubbn.pw
    vkczrtmvgyy.tv
    vmpqla.pw
    wgttayutl.tk
    wwdnnznktvbyc.cx
    xcbpsxh.mp
    xcptikslxtv.tv
    xeoaxmdg.cc
    xqfuwcxsssgwaq.ph
    ycusmgky.cx
    zajxq.nu
  • Re-running the file today in Cuckoo and in VirtualBox yielded only one domain per run, a different one each time.

From PDNS: A fixed length of 16, hexadecimal notation, prefixed with www, tlds:[club, com, info, xyz]

  • A suspicious DGA cluster from PDNS; every label is registered under all four TLDs.
  • No matching MD5 in the sandbox.
  • Domains on 04/06/2018
www.0a602dbf756707d8.club
www.0a602dbf756707d8.com
www.0a602dbf756707d8.info
www.0a602dbf756707d8.xyz
www.0b66aa92e92796e9.club
www.0b66aa92e92796e9.com
www.0b66aa92e92796e9.info
www.0b66aa92e92796e9.xyz
www.18466cbd27ac0f02.club
www.18466cbd27ac0f02.com
www.18466cbd27ac0f02.info
www.18466cbd27ac0f02.xyz
www.1a4359bcba934e34.club
www.1a4359bcba934e34.com
www.1a4359bcba934e34.info
www.1a4359bcba934e34.xyz
www.21c37eca1c25c7c9.club
www.21c37eca1c25c7c9.com
www.21c37eca1c25c7c9.info
www.21c37eca1c25c7c9.xyz
www.2644c32e2b80fc53.club
www.2644c32e2b80fc53.com
www.2644c32e2b80fc53.info
www.2644c32e2b80fc53.xyz
www.2731f402d9364823.club
www.2731f402d9364823.com
www.2731f402d9364823.info
www.2731f402d9364823.xyz
www.276208fd0a79f72d.club
www.276208fd0a79f72d.com
www.276208fd0a79f72d.info
www.276208fd0a79f72d.xyz
www.4e9f6219a005ffcf.club
www.4e9f6219a005ffcf.com
www.4e9f6219a005ffcf.info
www.4e9f6219a005ffcf.xyz
www.634700e10afef1ba.club
www.634700e10afef1ba.com
www.634700e10afef1ba.info
www.634700e10afef1ba.xyz
www.69bce106391d119d.club
www.69bce106391d119d.com
www.69bce106391d119d.info
www.69bce106391d119d.xyz
www.74efe4a7a5a53d23.club
www.74efe4a7a5a53d23.com
www.74efe4a7a5a53d23.info
www.74efe4a7a5a53d23.xyz
www.90d01b9d24b7b6ff.club
www.90d01b9d24b7b6ff.com
www.90d01b9d24b7b6ff.info
www.90d01b9d24b7b6ff.xyz
www.92480fee5b0842a5.club
www.92480fee5b0842a5.com
www.92480fee5b0842a5.info
www.92480fee5b0842a5.xyz
www.947f3a5cde356c24.club
www.947f3a5cde356c24.com
www.947f3a5cde356c24.info
www.947f3a5cde356c24.xyz
www.94e0adcb93307da4.club
www.94e0adcb93307da4.com
www.94e0adcb93307da4.info
www.94e0adcb93307da4.xyz
www.969d9483005c1be2.club
www.969d9483005c1be2.com
www.969d9483005c1be2.info
www.969d9483005c1be2.xyz
www.98f2222be13e51cd.club
www.98f2222be13e51cd.com
www.98f2222be13e51cd.info
www.98f2222be13e51cd.xyz
www.9d0b86bea95e938d.club
www.9d0b86bea95e938d.com
www.9d0b86bea95e938d.info
www.9d0b86bea95e938d.xyz
www.a57bed81b0fa440b.club
www.a57bed81b0fa440b.com
www.a57bed81b0fa440b.info
www.a57bed81b0fa440b.xyz
www.dbf12c592353da25.club
www.dbf12c592353da25.com
www.dbf12c592353da25.info
www.dbf12c592353da25.xyz
www.f672b9ccd0b762df.club
www.f672b9ccd0b762df.com
www.f672b9ccd0b762df.info
www.f672b9ccd0b762df.xyz
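
The PDNS clusters on this page (the 10- and 16-character hexadecimal labels, the 40-character labels spread over .com/.net/.org, the pop.-prefixed and www.-prefixed groups) and the MyDoom list are all recognised by the same structural signature: service prefix, label length, character class and TLD, plus the habit of registering one label under several TLDs at once. The Python script below is an added example, not code from this repository: it groups a constructed list of query names (copied from the domains on this page, with three ordinary hostnames as negatives) by that signature and reports each group's TLDs and observed alphabet. It assumes single-label public suffixes (no co.uk handling) and a fixed list of service prefixes; a real deployment would use the Public Suffix List.

```python
import re
from collections import defaultdict

# Constructed sample of passive-DNS query names. The suspicious ones are copied from
# the clusters listed on this page; the last three are ordinary hostnames as negatives.
SAMPLE_QNAMES = [
    "0137c9948c.pw", "10187cdf58.pw", "469255523b.pw", "59e68dd72f.pw",
    "32994a8c5b77d4ba.com", "3fa34e473d565b43.com", "4ad2453b3d16477b.com",
    "bb323d822f4797fc84845f12fb29bc96ee70e65b.com",
    "bb323d822f4797fc84845f12fb29bc96ee70e65b.net",
    "bb323d822f4797fc84845f12fb29bc96ee70e65b.org",
    "k35e061fe90493acc9471b2b046454bc7c32d251.com",
    "k35e061fe90493acc9471b2b046454bc7c32d251.net",
    "k35e061fe90493acc9471b2b046454bc7c32d251.org",
    "www.0a602dbf756707d8.club", "www.0a602dbf756707d8.com",
    "www.0a602dbf756707d8.info", "www.0a602dbf756707d8.xyz",
    "www.0b66aa92e92796e9.club", "www.0b66aa92e92796e9.com",
    "www.18466cbd27ac0f02.club",
    "pop.atbmbqy.ru", "pop.avzeenn.ru", "pop.axqiitr.ru",
    "pop.aymkobiqx.com", "pop.bgjtwltjm.com", "pop.bnxqqyjey.com",
    "qammswnqrn.info", "eawesnrrhs.ws", "rqmprewqns.org",
    "wpmsewhnmh.in", "rhhwmqqsqh.org",
    "www.google.com", "mail.example.org", "github.com",
]

# Assumption: these leading labels are service names, not part of the generated label.
SERVICE_PREFIXES = {"www", "pop", "mail", "smtp", "ns1", "ns2"}


def charset_class(label):
    """Coarse character class. 'alpha' is tested before 'hex' so an all-letter label
    such as 'ecbspeg' is not mistaken for hexadecimal."""
    if re.fullmatch(r"[a-z]+", label):
        return "alpha"
    if re.fullmatch(r"[0-9a-f]+", label):
        return "hex"
    if re.fullmatch(r"[0-9a-z]+", label):
        return "alnum"
    return "other"


def signature(qname):
    """(prefix, label, charset, length, tld) for a query name, or None if it is not
    shaped like prefix?.label.tld. Assumption: single-label public suffixes only."""
    labels = qname.lower().rstrip(".").split(".")
    prefix = ""
    if len(labels) >= 3 and labels[0] in SERVICE_PREFIXES:
        prefix, labels = labels[0], labels[1:]
    if len(labels) != 2:
        return None
    label, tld = labels
    return prefix, label, charset_class(label), len(label), tld


def cluster(qnames, min_labels=3):
    """Group names by (prefix, charset, length); keep groups with at least min_labels
    distinct labels and report their TLDs and the union of characters actually used."""
    groups = defaultdict(lambda: {"labels": set(), "tlds": set()})
    for q in qnames:
        sig = signature(q)
        if sig is None:
            continue
        prefix, label, cls, length, tld = sig
        groups[(prefix, cls, length)]["labels"].add(label)
        groups[(prefix, cls, length)]["tlds"].add(tld)
    return {
        key: {
            "labels": sorted(g["labels"]),
            "tlds": sorted(g["tlds"]),
            "alphabet": "".join(sorted(set("".join(g["labels"])))),
        }
        for key, g in groups.items()
        if len(g["labels"]) >= min_labels
    }


def multi_tld_labels(qnames, min_tlds=2):
    """Labels seen under several TLDs at once ({label: [tlds]}), the pattern of the
    40-character and www. clusters and of the Murofet lists on this page."""
    seen = defaultdict(set)
    for q in qnames:
        sig = signature(q)
        if sig is not None:
            seen[sig[1]].add(sig[4])
    return {label: sorted(tlds) for label, tlds in seen.items() if len(tlds) >= min_tlds}


if __name__ == "__main__":
    for key, info in sorted(cluster(SAMPLE_QNAMES).items()):
        print(key, len(info["labels"]), "labels", info["tlds"], "alphabet:", info["alphabet"])
    for label, tlds in sorted(multi_tld_labels(SAMPLE_QNAMES).items()):
        print("multi-TLD:", label, tlds)
```

Two things worth noticing in the output. The 40-character cluster has only one distinct label per TLD set, so it surfaces through multi_tld_labels rather than cluster, and the label beginning with k is classed as alnum, which is exactly why a strict [0-9a-f]{40} rule would miss it. The (alpha, 10) group's alphabet comes out as aehmnpqrsw, the ten letters used by the MyDoom list: the observed alphabet is a much tighter signature than "a-z" and is cheap to compute per cluster.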

Random domains from Chrome (benign)

  • The hostnames come from Chromium's intranet redirect detector, which resolves three random single-label names to find out whether the local resolver redirects nonexistent names. The relevant code:

  // Start three fetchers on random hostnames.
  for (size_t i = 0; i < 3; ++i) {
    std::string url_string("http://");
    // We generate a random hostname with between 7 and 15 characters.
    const int num_chars = base::RandInt(7, 15);
    for (int j = 0; j < num_chars; ++j)
      url_string += ('a' + base::RandInt(0, 'z' - 'a'));
    GURL random_url(url_string + '/');
    std::unique_ptr<net::URLFetcher> fetcher = net::URLFetcher::Create(
        random_url, net::URLFetcher::HEAD, this, traffic_annotation);
    // We don't want these fetches to affect existing state in the profile.
    fetcher->SetLoadFlags(net::LOAD_DISABLE_CACHE |
                          net::LOAD_DO_NOT_SAVE_COOKIES |
                          net::LOAD_DO_NOT_SEND_COOKIES |
                          net::LOAD_DO_NOT_SEND_AUTH_DATA);
    fetcher->SetRequestContext(g_browser_process->system_request_context());
    fetcher->Start();
    net::URLFetcher* fetcher_ptr = fetcher.get();
    fetchers_[fetcher_ptr] = std::move(fetcher);
  }
  • Three hostnames per run and, judging by the expiry timestamps below, roughly once an hour. They are single-label names, so in passive DNS they appear bare or with the client's search suffix appended, never with a public TLD; a DGA filter keyed on TLD will not match them.
    Opening chrome://net-internals/#dns in the address bar showed entries like these:
Hostname Family Addresses Expires
gypqzwgfzykdv IPV4 error: -105 (ERR_NAME_NOT_RESOLVED) 2017-05-03 15:09:50.104
ocypnqxhtcuy IPV4 error: -105 (ERR_NAME_NOT_RESOLVED) 2017-05-03 15:09:50.106
ojiunnm IPV4 error: -105 (ERR_NAME_NOT_RESOLVED) 2017-05-03 15:09:50.107
eupziohh IPV4 error: -105 (ERR_NAME_NOT_RESOLVED) 2017-05-03 16:09:51.233
kbhwwbxhyxsvbb IPV4 error: -105 (ERR_NAME_NOT_RESOLVED) 2017-05-03 16:09:51.233
vgfsnohsnqeyeg IPV4 error: -105 (ERR_NAME_NOT_RESOLVED) 2017-05-03 16:09:51.234
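
Since these probes also reach the resolver, a DGA pipeline has to discount them before clustering. The script below is an added example, not code from Chromium or from this repository: it walks a constructed resolver log (the six hostnames from the net-internals listing above, one of them with a hypothetical search suffix corp.example appended, plus a resolving single-label name and three .com domains from the VT list on this page) and sets aside runs of exactly three probe-shaped NXDOMAIN lookups from one client inside a short window. The log format, the client addresses, the search suffix and the two-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Chromium's detector (quoted above) looks up three single-label hostnames of 7-15
# lowercase letters per run; on an honest resolver they end in NXDOMAIN.
CHROME_PROBE = re.compile(r"[a-z]{7,15}")

# Constructed resolver log as (timestamp, client, qname, rcode): the six hostnames from
# the net-internals listing above (one with a hypothetical search suffix appended), one
# real single-label name that resolves, and three .com domains from the VT list above.
SAMPLE_LOG = [
    ("2017-05-03T15:09:50", "10.0.0.5", "gypqzwgfzykdv", "NXDOMAIN"),
    ("2017-05-03T15:09:50", "10.0.0.5", "ocypnqxhtcuy", "NXDOMAIN"),
    ("2017-05-03T15:09:50", "10.0.0.5", "ojiunnm.corp.example", "NXDOMAIN"),
    ("2017-05-03T15:10:02", "10.0.0.5", "www.google.com", "NOERROR"),
    ("2017-05-03T16:09:51", "10.0.0.5", "eupziohh", "NXDOMAIN"),
    ("2017-05-03T16:09:51", "10.0.0.5", "kbhwwbxhyxsvbb", "NXDOMAIN"),
    ("2017-05-03T16:09:51", "10.0.0.5", "vgfsnohsnqeyeg", "NXDOMAIN"),
    ("2017-05-03T16:09:51", "10.0.0.9", "intranet", "NOERROR"),
    ("2017-05-03T16:20:00", "10.0.0.9", "dvzejqipdw.com", "NXDOMAIN"),
    ("2017-05-03T16:20:00", "10.0.0.9", "lotnptdatj.com", "NXDOMAIN"),
    ("2017-05-03T16:20:00", "10.0.0.9", "tpchekteer.com", "NXDOMAIN"),
]


def looks_like_chrome_probe(qname, search_suffixes=()):
    """True if qname is a bare 7-15 letter label, optionally with one of the given
    search suffixes appended by the client's resolver. Shape only: a real single-label
    name such as 'intranet' also matches, so the rcode and burst checks below matter."""
    name = qname.lower().rstrip(".")
    for suffix in search_suffixes:
        if name.endswith("." + suffix.lower()):
            name = name[: -len(suffix) - 1]
            break
    return "." not in name and CHROME_PROBE.fullmatch(name) is not None


def chrome_probe_bursts(log, window=timedelta(seconds=2), search_suffixes=()):
    """{client: [[q1, q2, q3], ...]}: runs of exactly three probe-shaped NXDOMAIN
    lookups from one client with no gap larger than `window`, which is what one
    detector run produces. Runs of any other size are left alone for review."""
    by_client = defaultdict(list)
    for ts, client, qname, rcode in sorted(log):
        if rcode == "NXDOMAIN" and looks_like_chrome_probe(qname, search_suffixes):
            by_client[client].append((datetime.fromisoformat(ts), qname))
    bursts = defaultdict(list)
    for client, events in by_client.items():
        run = []
        for ts, qname in events:
            if run and ts - run[-1][0] > window:
                if len(run) == 3:
                    bursts[client].append([q for _, q in run])
                run = []
            run.append((ts, qname))
        if len(run) == 3:
            bursts[client].append([q for _, q in run])
    return dict(bursts)


def split_chrome_probes(log, **kwargs):
    """Partition the log into (chrome_probes, remaining); only `remaining` should be
    fed to DGA clustering."""
    explained = {
        (client, qname)
        for client, runs in chrome_probe_bursts(log, **kwargs).items()
        for run in runs
        for qname in run
    }
    probes = [e for e in log if (e[1], e[2]) in explained]
    remaining = [e for e in log if (e[1], e[2]) not in explained]
    return probes, remaining


if __name__ == "__main__":
    probes, remaining = split_chrome_probes(SAMPLE_LOG, search_suffixes=("corp.example",))
    print(len(probes), "Chrome probes set aside")
    for entry in remaining:
        print("keep:", *entry)
```

Without the search suffix the first run is seen as only two probes and is kept for review, which is the intended failure mode: a lone probe-shaped NXDOMAIN is still worth a look, since the 10-15 character a-z .com domains from the VT list above are close in shape and differ mainly by carrying a TLD. If the resolver hijacks NXDOMAIN (the case Chromium is testing for), the probes come back NOERROR and this filter will not claim them either.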

The DGA of Vidro

  • MD5
    c41a86e735944a6ec0b2268e89d02ae3

  • VT analysis

  • Domains generated on 2016/10/09
    rcmauito.dyndns.org
    oxhfifdtsp.net
    vcblwmoxnl.com
    jxsuqajadqe.com
    dxvrkjy.dyndns.org
    ccyoctjwj.net
    ndkcaponuvsf.com
    bybkudu.com
    idvqyku.dyndns.org
    tehoggkwbd.net
    qypwmhejay.net
    uyeiowzs.dyndns.org
    aeoqmnvfx.dyndns.org
    cztkypubdzyf.com
    wzmisyzs.dyndns.org
    gflsieq.com
    pescerpomekh.com
    wcvbgvws.com
    hziwqufksie.net
    igttmgqfc.com
    vfzekikxjm.net
    hcgpeqbkojn.dyndns.org
    ngivollorwkk.net
    scsdcmrbzkrk.net
    oafywbatoa.dyndns.org
    vhxxyehxfobd.dyndns.org
    jarnuwgaarw.net
    ohavsxm.net
    uacbcsvs.com
    zhmjqtrg.com
    bfwhqzfw.dyndns.org
    ydpgidcawtf.dyndns.org
    pbozanbjw.dyndns.org
    gijlwam.net
    tgfhucgxxo.dyndns.org
    femsokxjs.com
    abznyjqbrbpy.net
    migycrhonxt.dyndns.org
    nddrkhwtl.com
    hjsmacnfi.net
    bivkuvcwbg.com
    letuubs.net
    udaegoss.net
    zkkcepyg.net
    aexgmfnboche.dyndns.org
    okzogti.dyndns.org
    tjnayydxtq.com
    sfqwqincvmaq.dyndns.org
    gfeismykkug.com
    ukwackdxbzk.com
    nfbuydtth.net
    mlergneojjm.com
    bltdirywyh.net
    egklcguky.net
    flhokwj.dyndns.org
    smltmezxp.net
    tgzxuuo.dyndns.org
    gidlgsukgw.net
    ahgzabjbknqt.com
    qorvwxvxut.dyndns.org
    xmafoijf.dyndns.org
    nianczqtd.dyndns.org
    ygniwzzbse.com
    yjlbkvvbofhm.net
    riozeok.com
    monkujaopkv.net
    emxhkpf.com
    xoyycegg.com
    knutqgayxac.net
    lhrnyxptv.dyndns.org
    znifslug.dyndns.org
    fnghocfpisxu.com
    ejsegmqkvy.dyndns.org
    tjxqiql.com

From VT: A new seed of Dircrypt?

  • MD5
    8dce388365ba4ddd516a744c677d41e9
  • Domains
    aecsztodxcauezvwv.com
    agqkgrttm.com
    dkpcztxjhlmgppzrd.com
    erajimtnghuqfdgnhj.com
    ftxtknedryvgywsmchm.com
    gcaocxscewiemvhggl.com
    gxcmyvpmuuxoluzdenhr.com
    hbyxpqjkm.com
    hrbkzpoytss.com
    injhsmedkkvjktwgmz.com
    iufmmhtfuglkewvyrira.com
    jzyskusvwwpnykoi.com
    khtpzsuzpbaforbsqoqt.com
    lvbikxjfrzrofxzn.com
    ngntxyqih.com
    ntaeqknhxehkadis.com
    pbxfdvizihgcv.com
    qmeuxytpxbf.com
    xbrsttwgaomaxapjpa.com
    zwmobkxpbcwddexzh.com
  • Details in VT
    At least ten engines on VirusTotal flag the file as malicious, and "Dircrypt" appears among the detection names.

A new seed of Murofet

  • MD5
    6f8ba741c1968083265346bff7e9533b

  • VT analysis

  • Domains captured in my virtual machine, 2016-12-01.
    khuqyehgqtpuzzjd.com
    rfcvjqgzlmmesuq.com
    osrlrwsymmlutoq.biz
    osrlrwsymmlutoq.com
    hqognriumjzuqyi.info
    hqognriumjzuqyi.org
    klowmxgxhmriurli.net
    klowmxgxhmriurli.biz
    rxsptmbnuxzdxby.info
    rxsptmbnuxzdxby.com
    motipehktnnfigl.net
    ...

From VT: 2 new seeds of Murofet

  • MD5
    f9c7354cd1cddac87e23783369af585c

  • VT analysis

  • Domains on 2018-01-29

aouotztjyhqfyte.com
aouotztjyhqfyte.org
edsvmmkxelwws.biz
edsvmmkxelwws.info
hsmpxjllqdrqjymp.biz
hsmpxjllqdrqjymp.info
idqitwnirrmjrndn.com
idqitwnirrmjrndn.net
inlomnhpstizqonm.com
inlomnhpstizqonm.net
iofhsqfrtmtzskps.com
iofhsqfrtmtzskps.info
kffownxzwvozvel.com
kffownxzwvozvel.org
kgjtxvnrxwpxxekw.net
kgjtxvnrxwpxxekw.org
kkqzijwkpqphsq.net
kkqzijwkpqphsq.org
kqynjnvlqonocuv.com
kqynjnvlqonocuv.net
...
