360netlab / DGA

Suspicious DGA from PDNS and Sandbox.
MIT License

From VT: A length of 9-14, a-z, tlds: [com], the second new seed of FakeAV. #17

Closed suqitian closed 7 years ago

suqitian commented 8 years ago

844b63a2db8e7df1de2cc934a420aec4

suqitian commented 8 years ago

The list of all domains, 301 in total.

suqitian commented 8 years ago

All the malware samples which have the same behaviours, 121 in total.

suqitian commented 7 years ago

Not DGA. Hardcoded domain in sample.