domain_generation_algorithms
Some results of my DGA reversing efforts
Domain Generation Algorithms
Domain Generation Algorithms (DGAs) of Malware reimplemented in Python.
Overview
banjori (aka MultiBanker 2, BankPatch(er))
Links
Example Domains
- earnestnessbiophysicalohax.com
- kwtoestnessbiophysicalohax.com
- rvcxestnessbiophysicalohax.com
- hjbtestnessbiophysicalohax.com
- txmoestnessbiophysicalohax.com
- agekestnessbiophysicalohax.com
- dbzwestnessbiophysicalohax.com
- sgjxestnessbiophysicalohax.com
- igjyestnessbiophysicalohax.com
- zxahestnessbiophysicalohax.com
bazarbackdoor (aka BazarLoader, Team9Backdoor)
Links
- https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/
- https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/
Example Domains
Real DGA:
- adegjkaiggjm.bazar
- eehhjmejjhjo.bazar
- dehiildjjiin.bazar
- ceeiklcjgikn.bazar
- dceikkdhgikm.bazar
- bfehjmbkghjo.bazar
- adegjmaiggjo.bazar
- dchiikdhjiim.bazar
- efehikekghim.bazar
- bdhhjkbijhjm.bazar
Buggy DGA:
- _fdgimzkfgio.bazaar
- e`bfkieedfkk.bazaar
- efdgikekfgim.bazaar
- ]begimzgggio.bazaar
- bbbfhlbgdfhn.bazaar
- ^ehikizjjikk.bazaar
- aechimajehio.bazaar
- ]defiizigfik.bazaar
- ``geiizeieik.bazaar
- degfjkdjifjm.bazaar
chinad
Links
Example Domains
- 8f6bacmw30xxv6sc.cn
- 486txu3yjly0xcmz.ru
- xmi6x8zg9rkanmyo.info
- spy1jhdbmvt2ueva.net
- evybt5gtf2tprvbi.info
- 7qbys97e3pcw262c.info
- kz89iy97c7n7vbur.biz
- zmkvvlsvkbffnuez.ru
- tr1yy6lxtry1gsts.biz
- mfq6uwq3p2hvc8zn.cn
corebot
Links
Example Domains
- lkhylm0mhyfuhg.ddns.net
- s63234wluv5v365bwp5.ddns.net
- afe6mfy23xcxgfa.ddns.net
- 7rsl1f34sfq0oj3jwvmfa6c.ddns.net
- ir7l3po0gjy8ypqjm8o.ddns.net
- 3lgrupwdivsfm2w4kng2iha.ddns.net
- i8a0q2wdu8otulkfylo2gdq.ddns.net
- kh1her76avy0qnelivijwd1.ddns.net
- ubgp1f1han7lu410eh5.ddns.net
- uliry8knadmpmdm4wti6oro.ddns.net
dircrypt
Links
Example Domains
- rauggyguyp.com
- llullzza.com
- mluztamhnngwgh.com
- mycojenxktsmozzthdv.com
- inbxvqkegoyapgv.com
- furiararji.com
- zrkdvzjhse.com
- wyuhdsdttczd.com
- hpaxgpkteomjaxywwelr.com
- mydojltbqjnwailyyoa.com
dnschanger (aka Alureon)
Links
Example Domains
- aktklyvbiu.com
- zgimjzlnrl.com
- tcfejerekw.com
- tfaunnjmxt.com
- ydvlfpkguw.com
fobber (aka Tinba v3)
Example Domains
- vhkintjtksyxgjrzz.net
- btpnxlsfdqbhzazyx.net
- ukfmknjdenthvktgc.net
- qupxsrhrmuoinqrit.net
- gjsbydmrpfzsmnfiu.net
- indpstqbetcpcqprx.net
- gwrdmhyjfcpcutmhp.net
- bwnzcyypcbmnlpfsw.net
- twkpwfuecvvzcincq.net
- pdwfuxgnahmgsxhit.net
fosniw
Example Domains
- app2.winsoft0.com
- app2.winsoft1.com
- app2.winsoft2.com
- app2.winsoft3.com
- app2.winsoft4.com
- app2.winsoft5.com
- app2.winsoft6.com
- app2.winsoft7.com
- app2.winsoft8.com
- app2.winsoft9.com
gozi (aka Ursnif, Snifula, Papras)
Links
Example Domains
- quodpresidentemaxsagit.com
- pertantumfitusu.com
- indulgentiarumlicet.com
- moriblasphemianegocii.com
- ptribueretnossetnonin.com
- nonsicordinario.com
- svivacpecunias.com
- inestimabiler.com
- ulpurgatoriopetrum.com
- papacricognitisipro.com
kraken/v1 (aka Bobax, Oderoor)
Links
Example Domains
- ibbwnhgh.mooo.com
- rbqdxflojkj.mooo.com
- smhburg.dyndns.org
- bltjhzqp.dyndns.org
- clwafrfuuxq.yi.org
- cffxugijxn.yi.org
- ivxcxbj.dynserv.com
- etllejr.dynserv.com
- otpxmk.mooo.com
- ejfjyd.mooo.com
kraken/v2 (aka Bobax, Oderoor)
Links
Example Domains
- xpdbwuimwag.com
- nwpegpjtx.com
- smmyuhxlt.net
- xjvyvnzivvt.net
- lvctmusxcyz.tv
- lvctmusxcyz.tv
- cjuszcfwo.cc
- egbmbdey.cc
- wjxaprgne.com
- vxbuggxhrgi.com
locky
Links
Example Domains
- gegjiimqmlgtdmk.tf
- pccibcjncnhjn.yt
- rddipikmrap.us
- mmhmkqfc.be
- vkcims.pm
- qtysmobytagnrv.it
- suhpqiumpjsv.ru
- cscffbwbhs.uk
m0yv
Links
Time-independent version in dga.py, time-dependent version in dga-td.py.
Example Domains
- pywolwnvd.biz
- ssbzmoy.biz
- cvgrf.biz
- npukfztj.biz
- przvgke.biz
- zlenh.biz
- knjghuig.biz
- uhxqin.biz
- anpmnmxo.biz
- lpuegx.biz
monerodownloader
Example Domains
- 31b4bd31fg1x2.org
- 31b4bd31fg1x2.tickets
- 31b4bd31fg1x2.blackfriday
- 31b4bd31fg1x2.hosting
- 31b4bd31fg1x2.feedback
- 3f8c8079fd4c5.org
- 3f8c8079fd4c5.tickets
- 3f8c8079fd4c5.blackfriday
- 3f8c8079fd4c5.hosting
- 3f8c8079fd4c5.feedback
murofet/v1 (aka LICAT)
Links
Example Domains
- giywswshrgxcvoqgvrkthmfa.ru
- xaiqpbprgymbvrwmzgiyprgdsk.com
- amgqgularpzxeapztxenbx.net
- pfscijbmthyfiyjgergugtkbqyh.org
- xglfcmsgorvwfilhmzlcxxvkfege.info
- rcteqwkequojntibvfyfaluwh.biz
- mjfqylbiaunffuaeunzdqdwscu.ru
- qobeylpxgpfknlptukyddqvklztg.com
- rgwgizukficdgetwsxovtcknwkfm.info
- betgyaeswxorwcvsdezdupbmb.org
murofet/v2 (aka LICAT)
Links
Example Domains
- cmqvvxtppnibli.biz
- cmqvvxtppnibli.com
- rloqpoiongsuwyq.net
- rloqpoiongsuwyq.org
- zsophzovtfor.info
- zsophzovtfor.biz
- nlifthjnbgnfweq.org
- nlifthjnbgnfweq.com
- hykpttqsxsmvkoc.info
- hykpttqsxsmvkoc.org
murofet/v3 (aka LICAT)
Links
Example Domains
- nxlya47huo61czerb18o51e11d30i55gycwe31lx.ru
- jwdzptm69p62izcve41f22k37oyj16g63fqote11.com
- p42p52nvd50izkqazaqe21lvo21pycqotp22e61.net
- b28n40i25b68gte41o61dwc19htc29jwgxiqfzbr.org
- ktirhsn50kzc49b58cyf32fwh14h64dzgxiqcz.info
- bre41hvc29kri15ewpwdsazjyn40p52kwe21gw.biz
- n30mwhsoxfqe51j56lunsg13o11hyd60ewf52nu.ru
- hvcsjxd20mzm29d40nznunta27c29kyi55fun50.com
- nzosg13oymzg63ntpxaro51btkvfyoshrk27.info
- czfsn20exg53nzcqcrg43exf62b28p22pyd50lu.org
mydoom (aka Novarg, Mimail.R, Shimgapi)
Example Domains
- qehspqnmrn.info
- mmahaesqar.in
- pwprhhnqqn.in
- mrspmramrn.in
- arphansaqh.com
- hrhspsrenn.net
- aepaaemrmn.com
- wsaehwmnms.in
- arwrseqssh.com
- ewamspqwha.ws
necurs
Links
Example Domains
- nccojqvabqvkiwhj.mx
- hoedwwwywnmmbi.ac
- aeaeneaoinf.mu
- ccecggc.us
- mfffpmgtplxbyagbtegh.com
- thlxuwnadtdtsm.biz
- edkomqpeufjyafccj.in
- mxomklaqau.pw
- nvutiptwteltin.tv
- nhysbiomr.ir
newgoz (aka Gameover Zeus, Peer-to-Peer Zeus)
Links
Example Domains
- xzz3ug32bale1uo60y7xj6rge.com
- 1hyzmw3l2phycet88hzr2do34.net
- 2ppq821cfem5m1mdua46pxg7bj.biz
- unlm9w9l8upy1kdde0kba7ktf.org
- 1ixhw3p1ncr3cf1pjfrpz14n1u0e.com
- 1o460ktpdhna1k0lk3ecwujxn.net
- 183t0wjzlthe51wigptk4rl29.org
- 1i3ux5a1hj6ndqejmxone45g0v.net
- 5mcdp71mbutpb1tglu0s4p0lrf.com
- n3i5yn19w82vmmpxv1k1l4xrjg.org
nymaim
Example Domains
- oftbpec.com
- lotmpwyk.info
- seikpwq.info
- bcfatyltdvp.info
- rfwstgy.com
- hokybhnf.biz
- evlovrxuw.net
- mtzpbzbfvy.info
- hacckgiakhl.com
- mosmeuw.net
nymaim2
Links
Example Domains
- surfaces-drawing.com
- shaft-criterion.cc
- stops-hash.id
- unitsknowledge.com
- wiredgraph.tm
- timelydesignation.co
- stablelikely.ch
- stainless-loan.lk
- wagon-documents.sc
- trainerprocessors.tk
padcrypt
Links
Example Domains
- elkfcfnacacmofdf.com
- mkmeeefncfnfdmbm.de
- ffcdcnbmmnaeddcd.com
- ddkfodnaadmbmofo.co.uk
- efneboaodnmbecoa.co
- bafomkfalcfcdkom.info
- onlmcddadnacfclc.com
- dcfmddfbobkmafma.com
- lmmfdccmnnfnmfdl.co
- kcknconmceeemlnm.com
pitou
Links
Example Domains
- koohoavab.net
- koohoavac.net
- koohoavad.net
- koohoavaf.net
- koohoavag.net
- koohoavah.net
- koohoavaj.net
- koohoavak.net
- koohoaval.net
pizd
Links
Example Domains
- difficultnearly.net
- dollarnearly.net
- difficultpossible.net
- dollarpossible.net
- eearlynation.net
- escapenation.net
- eearlypleasure.net
- escapepleasure.net
- eearlynearly.net
- escapenearly.net
proslikefan
Links
Example Domains
- flarvcpk.eu
- stjneohiod.biz
- vcevvkc.se
- qylptiin.info
- bsvisbttr.com
- hjiknr.net
- arpeiezki.org
- gobqca.ru
- tivqfahrmxdl.in
- smutloo.name
pushdo
Example Domains
- weafokuggeir.kz
- sictemuborug.kz
- cirpicficj.kz
- geijanmap.kz
- fuxhuxsabi.kz
- siclisozdokq.kz
- sozcoqnafrex.kz
- qeobifups.kz
- cokoqdeah.kz
- latqafbuxwic.kz
pykspa/improved
Links
Example Domains
- uammskmq.org
- jqplflktas.info
- rybwtr.net
- uyznvxlof.info
- gakcmqiw.com
- wewsvat.net
- owhadwkskevw.net
- nkndlzhjgrpc.info
- isypszqe.net
- joebbaamoyt.info
pykspa/precursor
Links
Example Domains
- llfwhgn.com
- guqqkaiq.biz
- wctymo.net
- lovfjsfox.com
- oruhbanansnan.cc
- mkncjk.biz
- yunonsuiwcymao.net
- yxpojufqbex.com
- qhxgzufqbex.cc
- yywiywiq.biz
qadars
Links
Example Domains
- jk9enwhansl2.org
- sdqfodmf81m7.net
- 5uro1uzspejk.net
- ub4hinsduf0p.net
- zs9ijo1er81u.com
- 0t67c5arw9yf.net
- lev41encha38.net
- 67k1q3c1mr8x.org
- 7w1yf49irk5m.net
- gdunwhq7s9qb.org
qakbot
Links
Example Domains
- bqkrtxgkmriwsiwcngtivpx.info
- jdtmfupdyueqeldvhsjzdvzob.net
- guhmpoxzivhba.com
- nqqxqhuacaqhzurde.org
- lgqsqgpqzijwid.info
- ykolyecdcyk.biz
- ztvflnxqzpxvpfobv.biz
- zqrmkpivrbxccawozqwqpfzh.org
- iqyqwhntrxfeq.org
- ftadkbomxlnsib.info
qsnatch
Links
Example Domains
- t2q2r.cf
- gc9nz.tk
- 07tvvc.com
- 7ubqo.ml
- 53bcm.de
- 6zltf.rocks
- hv7uv.mx
- nypno.biz
- qkzccy.net
- rassb.cn
ramnit
Links
Example Domains
- knpqxlxcwtlvgrdyhd.com
- nvlyffua.com
- hgyudheedieibxy.com
- anrylixwcbnjopdd.com
- vrndmdrdrjoff.com
- jhghrlufoh.com
- tqjhvylf.com
- hufqifjq.com
- itktxexjghvvxa.com
- ppyblaohb.com
ranbyus/may
Links
Example Domains
- ikwoqkwuajpbyx.com
- niukpdrluwlfox.pw
- rcnxisuibbadng.in
- wbqtidjvsdiwee.me
- jrdyumcieyipnv.cc
- yvyfwikedfxitk.su
- tviurcntxylxnj.tw
- lycyrvfcemepfm.net
- epddeukdimbpft.com
- trbhxhmbsikoaq.pw
ranbyus/september
Links
Example Domains
- jxbdxeyxttdmcjagi.me
- iqmadgybfhnrssadm.cc
- gdoldaognceaedkke.su
- jnbnyrmxmpblfgstk.tw
- ucjetnyaitygjidva.net
- jejocqwtcbtuymvao.com
- stuctjsqfxghcesyw.pw
- gfidctymbxiaqyuyk.in
- ojrqwrlhesfshawva.me
- bqjqvwwjirftwkjel.cc
reconyc
This DGA has unpredictable seeding, i.e., it uses GetTickCount as the seed. I still list the DGA as it might be useful for testing or training DGA detection algorithms.
Example Domains
- E5zHail0Mw.com
- gabbvK2o6s.com
- CumpP2A4d7.com
- 5eswmwNQyF.com
- lExfSzyuwP.com
- JZpESGsPFF.com
- UmIaRnijeT.com
- sHr0xE9Idm.com
- nYcEX7wlCF.com
- VCiZNQXwpO.com
sharkbot
Example Domains
- 64f30398ecda3bbf.xyz
- f008fc473fddedc4.live
- cfbadaf0cd7b0ac3.com
- b8d28386413029fe.store
- 99c485497c079a09.info
- 6d54b683fc2cc58f.top
- abb7547058fef9fb.net
shiotob (aka Urlzone, Bebloh)
Links
Example Domains
- wtipubctwiekhir.net
- rwmu35avqo12tqc.com
- rskb5bsfhm2fk5h.net
- rbp9pprrxgflut9.com
- zzxeyzgy45yy2a.net
- e3oa4wglvd21xa.com
- mqmq1hvmtxzjv.net
- pd4o4wu24vimn.com
- tlmrzvpbpsqsb.net
- pbmnz59uzndpo.com
simda (aka Shiz)
Links
Example Domains
- gatyfus.com
- lyvyxor.com
- vojyqem.com
- qetyfuv.com
- puvyxil.com
- gahyqah.com
- lyryfyd.com
- vocyzit.com
- qegyqaq.com
- purydyv.com
sisron (aka TOMB, Win32/Agent.WRQ, Trojan.Scar)
Links
Example Domains
- mdiwnjiwmtya.com
- mdewnjiwmtya.com
- mzewntiwmtya.com
- mzawntiwmtya.com
- mjkwntiwmtya.com
- mjgwntiwmtya.com
- mjcwntiwmtya.com
- mjywntiwmtya.com
- mjuwntiwmtya.com
- mjqwntiwmtya.com
suppobox
Links
Example Domains
- journey
- destroy
- against
- night
- within
- effort
- street
- better
- husband
- little
symmi
Links
Example Domains
- ogovugtuipawi.ddns.net
- afowkaupbabe.ddns.net
- ipkureleakm.ddns.net
- hegiruqo.ddns.net
- luimreim.ddns.net
- tiakqukoahuvu.ddns.net
- loelkuanduur.ddns.net
- agdehukoev.ddns.net
- giagkuekorla.ddns.net
- leufiroqipomu.ddns.net
tempedreve
Links
Example Domains
- dlbebsga.net
- enqbgrmt.com
- xjlwpfnk.info
- ebabkjcx.org
- hvisietg.net
- svyjglen.com
- glknxfgq.info
- adoduloh.org
- jgrxrxwh.net
- ctmrgbmz.com
tinba (aka TinyBanker, Zusy)
Links
Example Domains
- blackfreeqazyio.cc
- nvfowikhevmy.com
- nvfowikhevmy.net
- nvfowikhevmy.in
- nvfowikhevmy.ru
- sjhuqlwrqhqx.com
- sjhuqlwrqhqx.net
- sjhuqlwrqhqx.in
- sjhuqlwrqhqx.ru
- pxqgonyogeee.com
tufik
Example Domains
- dbqwpmpnruesywj.com
- qxxmubfleztlnkx.com
- rrnywowqgmjvnltg.com
- rqnjdvzpsmbuw.com
- utoiopxjrphvoiy.org
- ttoouemmimnxnmj.com
- nmjsoourllgveecj.org
- juprvzxqotonvvs.biz
- nmjsoourllgveecj.biz
- dotqwjmhqlushjlo.biz
unknown_malware
Example Domains
- albdfhln.com
- alcgkown.com
- aldjpvqt.com
- alemuown.com
- alfpmrnq.org
- algspvqt.org
- alhvrytw.org
- aliyuown.org
- aljnwpyo.org
- alkpmrnq.net
unnamed_downloader
Example Domains
- ddknt.github.io
- ddktn.github.io
- ddnkt.github.io
- ddntk.github.io
- ddtkn.github.io
- ddtnk.github.io
- dkdnt.github.io
- dkdtn.github.io
- dkndt.github.io
- dkntd.github.io
unnamed_javascript_dga
Links
Example Domains
- rxxeqcoy.cc
- kmymbyzd.co
- cfukbzbmg.eu
- sblwtafc.cc
- lqdoacat.co
- dplmjcjic.eu
- ttukaiwjdx.cc
- meimklqh.co
- enmxqcxhtl.eu
- unmias.cc
vawtrak
Links
Example Domains
- usahwutle.com
- folocnam.com
- awumsah.com
- edorwufli.com
- misocgutlah.com
- edarwotda.com
- melarwetdic.com
- usucnitdohg.com
- regomseh.com
- osicnumd.com
xmrig_genesis (an XMRig malware using the Bitcoin genesis block as seed)
Example Domains
- 1d78e50d.com
- 1d78e50d.net
- 1d78e50d.org
- 1d78e50d.duckdns.org
- 2b04216f.com
- 2b04216f.net
- 2b04216f.org
- 2b04216f.duckdns.org
- 2e1d985c.com
- 2e1d985c.net
zloader
Links
Example Domains
- gdurfdsywubjaaqcqhrh.com
- vudktykcecigekhtwwqn.com
- jcaofaekffeojktmpdax.com
- iiphrhkculpnubvvxnbh.com
- bjdbpgbjdyredhfyvpie.com
- wramitvqeojecedajxoj.com
- ohyjybhogoeoabjqvpie.com
- fscqtelyeogmxudotlao.com
- nsdtxvnwtxjwphbuqffe.com
- bohchavtvhbejwcmekvo.com