DGA


Changelog

2017-10-17 :

+15 new seeds of Ramnit. Extracted from CERT.PL blog, thanks for sharing.

2017-09-20 :

+1 new family CCleaner. Thanks to 360CERT.

2017-08-28 :

+2 new seeds of Tinba.

2017-08-23 :

+2 new seeds of Tinba.

+4 new seeds of Dircrypt.

2017-08-14 :

+1 new family XshellGhost. Details in issue #38.

2017-07-27 :

+3 new seeds of Locky.

2017-06-30 :

+1 new seed of Ramnit.

2017-05-18 :

+1 new seed of Padcrypt. Details in issue #34.

+1 new family Padcrypt. The Python code comes from baderj's Github, thanks for sharing.

2017-05-11 :

+1 new seed of Locky. Extracted from Nominum blog, thanks for sharing.

2017-05-04 :

+1 new seed of Qadars.

+1 new seed of Simda.

+1 new seed of Tinba.

2017-04-13 :

+1 new seed of Qadars.

+2 new seeds of Simda.

+1 new seed of Ramnit.

2017-04-11 :

+1 new family Blackhole.

2017-03-21 :

+1 new family Matsnu.

2017-03-09 :

+37 seeds of Locky. Thanks to John Bambenek for providing these Locky V3 seeds.

2017-03-07 :

+1 new family Emotet.

+1 new seed of Locky.

+1 new seed of Nymaim.

+1 new seed of Ramnit.

2017-02-23 :

+1 new seed of Qadars.

2017-01-20 :

+3 new seeds of Ramnit; +1 new seed of Tinba.

2017-01-18 :

+1 new seed of Locky.

+1 new seed of Qadars.

+1 new seed of Nymaim.

2017-01-06 :

+2 new seeds of Shifu; +1 new seed of Murofet.

2017-01-05 :

+7 new seeds of Tinba; +3 new seeds of Banjori.

2017-01-04 :

+25 new seeds of Banjori.

2016-12-30 :

+1 new family Gspy and 2 seeds.

+6 new seeds of Tinba.

+1 new family Tofsee. The implementation comes from GovCERT.ch blog, thanks for sharing.

2016-12-22 :

+1 new family Vidro. Details in issue #31.

2016-12-16 :

+1 new seed of Mirai.

2016-12-12 :

+1 new family Mirai. For more details, see our blog post: Now Mirai Has DGA Feature Built in.

2016-12-02 :

+1 new seed of Murofet. Details in issue #30.

2016-11-29 :

+16 new seeds of Rovnix. These seeds were recovered by brute-force reverse engineering, guided by passive DNS (PDNS) clues.

2016-11-25 :

+1 new seed of Rovnix; +3 new seeds of Locky

2016-11-23 :

+1 new family Rovnix

2016-11-15 :

+1 new seed of Qadars; +1 new seed of Tinba; +1 new family Vawtrak and 2 seeds

2016-11-11 :

+1 new seed of Locky v3

2016-11-10 :

+1 new version of Suppobox. For more details, see issue #29 at Github.

2016-11-08 :

+1 new seed of Banjori; opened issue #28 for more details.

2016-11-07 :

+1 new seed of Necurs

2016-11-04 :

+4 new seeds of Nymaim

2016-10-28 :

+2 new seeds of Qadars

+1 new seed of Gameover

2016-10-27 :

+4 new seeds of Simda

2016-10-26 :

+4 new seeds of Tinba

2016-10-24 :

+1 new family Chinad and updated details in issue 1

2016-10-14 :

+1 new seed of Simda and updated details of this seed in issue 3

2016-10-11 :

+1 new seed of Murofet and updated details of this seed in issue 11

2016-10-10 :

+1 new seed of Ranbyus

Opened issue 27 for some details of this new seed

2016-09-28 :

+new family Ranbyus and 3 seeds

2016-09-26 :

opened issue 26 at Github

2016-09-22 :

+1 new seed of Banjori

opened 4 new issues at Github

2016-09-21 :

+2 new seeds of Tinba

opened 5 new issues at Github

2016-09-13 :

+new family Murofet

2016-09-08 :

+new family Proslikefan

2016-09-06 :

+new family Cryptolocker

2016-09-01 :

+new family Qadars

...

bamital

tld: [co.cc, cz.cc, info, org]
sld: Looks like an MD5 hash value; 26 domains per day
time dependent: Yes
e.g:
cd8f66549913a78c5a8004c82bcf6b01.info
aa24603b0defd57ebfef34befde16370.cz.cc
5e6efdd674c134ddb2a7a2e3c603cc14.org
download: bamital.txt

banjori

tld: Same as seed domain
sld: Only the first 4 letters of the seed domain change; 2196 or 15372 domains in total
time dependent: No
e.g:
earnestnessbiophysicalohax.com
kwtoestnessbiophysicalohax.com
rvcxestnessbiophysicalohax.com
download: banjori.txt

blackhole

tld: [ru]
sld: Fixed length of 16, a-z; 2 domains per day
time dependent: Yes
e.g:
mkjdkbwuxcnuxtqd.ru
ppxhzopqbiykuucv.ru
tmlrjxvvrvkyxofn.ru
download: blackhole.txt

ccleaner

tld: [com]
sld: A length of 11-13, mix of a-f and 0-9; 1 domain per month
time dependent: Yes
e.g:
ab1145b758c30.com
ab890e964c34.com
ab3d685a0c37.com
download: ccleaner.txt

chinad

tld: [com, org, net, biz, info, ru, cn]
sld: A fixed length of 16, mix of a-z and 0-9; 1000 domains per day
time dependent: Yes
e.g:
qowhi81jvoid4j0m.biz
29cqdf6obnq462yv.com
5qip6brukxyf9lhk.ru
download: chinad.txt

conficker

conficker.a

tld: [com, net, org, info, biz]
sld: A length of 5-11, a-z; 250 domains per day
time dependent: Yes
e.g:
gfedo.info
ydqtkptuwsa.org
bnnkqwzmy.biz
download: conficker.txt

conficker.b

tld: [cc, cn, ws, com, net, org, info, biz]
sld: A length of 5-11, a-z; 250 domains per day
time dependent: Yes
e.g:
glrmwqh.net
ibymtpyd.info
bxyozfikd.ws

cryptolocker

tld: [com, net, biz, ru, org, co.uk, info]
sld: A length of 12-15, a-y; 1000 domains per week
time dependent: Yes
e.g:
nvjwoofansjbh.ru
qgrkvevybtvckik.org
eqmbcmgemghxbcj.co.uk
download: cryptolocker.txt

dircrypt

tld: [com]
sld: A length of 8-20, a-z; 30 domains in total
time dependent: No
e.g:
rauggyguyp.com
mycojenxktsmozzthdv.com
hpaxgpkteomjaxywwelr.com
download: dircrypt.txt

dyre

tld: [cc, ws, to, in, hk, cn, tk, so]
sld: Fixed length of 34: 1 char [a-z] + 33 hex characters taken from a SHA256 hash; 1000 domains per day
time dependent: Yes
e.g:
l54c2e21e80ba5471be7a8402cffb98768.so
wdd7ee574106a84807a601beb62dd851f0.hk
jaa12148a5831a5af92aa1d8fe6059e276.ws
download: dyre.txt

emotet

tld: [eu]
sld: Fixed length of 16, a-y; 96 new domains per day
time dependent: Yes
e.g:
grdawgrcwegpjaoo.eu
mcfpeqbotiwxfxqu.eu
adgxwxhqsegnrsih.eu
download: emotet.txt

fobber

fobber_v1

tld: [net]
sld: Fixed length of 17, a-z; 300 domains in total
time dependent: No
e.g:
zzwzzqmihkfdevymi.net
twkpwfuecvvzcincq.net
oasmavkjmcxctdkit.net
download: fobber.txt

fobber_v2

tld: [com]
sld: Fixed length of 10, a-z; 300 domains in total
time dependent: No
e.g:
fmrehxdqmf.com
aqihsbqhwl.com
sxtolapbbm.com

gameover

tld: [com, org, biz, net]
sld: A length of 20-28, mix of a-z and 0-9; 1000 domains per day
time dependent: Yes
e.g:
14dtuor1aubbmjhgup7915tlinc.net
2id0lapmam6w1799w7315zaqj5.com
uhjmkm1i7oih11i3wxl71kcf7x6.org
download: gameover.txt

gspy

tld: [net|info], depends on seed
sld: Fixed length of 16, hexadecimal; 50 domains in total
time dependent: No
e.g:
484b072f94637588.net
3164168f83658393.net
abfb8a26a85ff915.info
download: gspy.txt

locky

locky_v1

tld: [ru, pw, eu, in, yt, pm, us, fr, de, it, be, uk, nl, tf]
sld: A length of 5-15, a-y; 6 domains per two days
time dependent: Yes
e.g:
lpfpdovapot.ru
yffgcbcmffuaus.pw
tdgwenunlerl.tf
download: locky.txt

locky_v2

tld: [ru, pw, eu, in, yt, pm, us, fr, de, it, be, uk, nl, tf]
sld: A length of 5-15, a-y; 8 domains per two days
time dependent: Yes
e.g:
nspxuqqsb.de
qidvccmulectbc.yt
ralqmyajrtuffli.pm

locky_v3

tld: [ru, info, biz, click, su, work, pl, org, pw, xyz]
sld: A length of 7-17, a-y; 12 domains per two days
time dependent: Yes
e.g:
uxesqomhp.ru
btqeesfxslmmhumv.xyz
itqjkdhhtnmw.click

madmax

tld: [com, org, info, net]
sld: Fixed length of 10, mix of a-z and 0-9, prefixed with www; 1 domain per week
time dependent: Yes
e.g:
www.avuhtrgawe.org
www.s82r4luxrw.com
www.9varj35nsb.net
download: madmax.txt

matsnu

tld: [com]
sld: 2-3 words combined from two predefined dictionaries; 10 new domains per day
time dependent: Yes
e.g:
world-bite-care.com
activitypossess.com
mattermiss-type.com
download: matsnu.txt

mirai

tld: [tech, online, support]
sld: Fixed length of 12, a-y; at most 1 domain per day
time dependent: Yes
e.g:
divitpvjexxh.tech
xvrvdsuhphjg.online
ycydknpltoff.support
download: mirai.txt

murofet

tld: [biz, info, org, net, com]
sld: A length of 8-16, a-z; 1020 domains per day
time dependent: Yes
e.g:
uqiqvqylwlhutwvh.info
hwpouvoxrtsdb.org
vwuqskjnuorzwy.net
download: murofet.txt

necurs

tld: [tj, in, jp, tw, ac, cm, la, mn, so, sh, sc, nu, nf, mu, ms, mx, ki, im, cx, cc, tv, bz, me, eu, de, ru, co, su, pw, kz, sx, us, ug, ir, to, ga, com, net, org, biz, xxx, pro, bit]
sld: A length of 7-21, a-y; 2048 domains per three days
time dependent: Yes
e.g:
wiyqgyiwgm.ga
otenbmgbpuskiasvehxm.ki
mgvnbuxoab.su
download: necurs.txt

nymaim

tld: [com, org, biz, net, info, ru, in, xyz, pw]
sld: A length of 5-12, a-z; 30|128 domains per day
time dependent: Yes
e.g:
onrfza.info
zzayzoabsi.net
msfctioj.biz
download: nymaim.txt

padcrypt

tld: [com, co.uk, de, org, net, eu, info, online, co, cc, website, tk, ga]
sld: A fixed length of 16, chars from [abcdefklmno]; 24 or 72 domains per day
time dependent: Yes
e.g:
mdadbfcmnelbfbac.website
adbbfbdnddbodacd.online
nnfbcfbdeacnabca.de
download: padcrypt.txt

proslikefan

tld: [eu, biz, se, info, com, net, org, ru, in, name]
sld: A length of 6-13, a-z; 100 domains per day
time dependent: Yes
e.g:
nuipkjqarq.in
batvyct.name
ucjxkkdl.eu
download: proslikefan.txt

pykspa

pykspa_v1

tld: [biz, com, net, org, info, cc]
sld: A length of 6-15, a-z; 5000 domains per two days
time dependent: Yes
e.g:
agadss.biz
ynrvwgfqbex.org
ssegsguiwcymao.biz
download: pykspa.txt

pykspa_v2_fake

tld: [com, net, org, info]
sld: A length of 6-12, a-z; 800 domains per day
time dependent: Yes
e.g:
xipbnmewshm.com
vgzmmusmr.org
fuvqigsobkt.info

pykspa_v2_real

tld: [com, net, org, info]
sld: A length of 6-12, a-z; 200 domains per roughly 20 days
time dependent: Yes
e.g:
zyvitnfjqobf.net
kwukwsgcyemi.org
qzutfvvmvs.info

qadars

tld: [com, org, net]
sld: Fixed length of 12, mix of a-z and 0-9; 200 domains per week
time dependent: Yes
e.g:
4lazgdincdaf.org
lmjwd6fs9ur4.com
3slanc9aj4hy.net
download: qadars.txt

ramnit

tld: [com]
sld: A length of 8-19, a-y; 500|1000 domains in total, depends on seed
time dependent: No
e.g:
jrkaxdlkvhgsiyknhw.com (seed 01)
mtsoexdphaqliva.com (seed 02)
knpqxlxcwtlvgrdyhd.com (seed 03)
download: ramnit.txt

ranbyus

tld: [in, me, cc, su, tw, net, com, pw, org]
sld: A fixed length of 14|17, a-y; 40 new domains per day
time dependent: Yes
e.g:
oswwsbsmibofdi.net
nslxbdyiofityx.com
pnejirjyxjmycx.pw
download: ranbyus.txt

rovnix

tld: [ru, com, net, biz, cn]
sld: A fixed length of 18, mix of a-z and 1-8; 10000 domains generated, though unbounded in theory
time dependent: No
e.g:
rc7thuhy8agn43zzgi.biz
aby71fqwc3ai12wseh.com
lryja5lrm835m7byr8.ru
download: rovnix.txt

shifu

tld: [info]
sld: Fixed length of 7, a-y; 1000 domains in total
time dependent: No
e.g:
urkaelt.info
nqqxqdg.info
rsymdhk.info
download: shifu.txt

simda

tld: [eu | com | info], depends on seed
sld: The SLD length depends on seed, mix of ["eyuioa"] and ["qwrtpsdfghjklzxcvbnmv"]; the total number of domains generally ranges from 1500 to 2500
time dependent: No
e.g:
digivehusyd.eu (seed 01)
puvecyq.info (seed 02)
lymylur.com (seed 03)
download: simda.txt

suppobox

suppobox_v1

tld: [net]
sld: Two words combined from the wordlist; ~254 domains per day
time dependent: Yes
e.g:
sharmainewestbrook.net (from wordlist 3)
tablethirteen.net (from wordlist 2)
childrencatch.net (from wordlist 1)
download: suppobox.txt

suppobox_v2

tld: [net, ru]
sld: Two words combined from the wordlist; ~783 domains per day
time dependent: Yes
e.g:
stephaniebernadine.ru (from wordlist 3)
arivenice.ru (from wordlist 2)
thinkgoodbye.ru (from wordlist 1)

symmi

tld: [ddns.net]
sld: A length of 8-15, mix of ["aeiouy"] and ["bcdfghklmnpqrstvwxz"]; 64 domains per half month
time dependent: Yes
e.g:
ikogrihaa.ddns.net
ukbounapimusamx.ddns.net
kuinechivuonlo.ddns.net
download: symmi.txt

tempedreve

tld: [net, org, info, com]
sld: A length of 7-11, a-z; 204 domains in total
time dependent: No
e.g:
mjmlivmvulk.com
ahskjnrhueg.net
qpedefirs.org
download: tempedreve.txt

tinba

tld: varies, depends on seed
sld: Fixed length of 12, a-y; 100|200|1000 domains in total, depends on seed
time dependent: No
e.g:
nvfowikhevmy.com
oykjietwrmlw.ru
oqxvkgnpxhyi.in
download: tinba.txt

tofsee

tld: [biz, ch]
sld: Fixed length of 7, a-z; 20 domains per week
time dependent: Yes
e.g:
dqhdqhd.biz
dqgdqga.ch
dqgdqgj.biz
download: tofsee.txt

vawtrak

tld: varies, depends on seed
sld: A length of 7-11, a-z; 150 domains in total
time dependent: No
e.g:
kdcbwvehop.top
wxcjqzqp.top
fwxcrqdsrs.ru
download: vawtrak.txt

vidro

tld: [dyndns.org, com, net]
sld: A length of 7-12, a-z; 100 domains per week
time dependent: Yes
e.g:
jfxetiogrvo.dyndns.org
ckdypldcxi.com
ilaalsylt.net
download: vidro.txt

virut

tld: [com]
sld: Fixed length of 6, a-z; 10000 domains per day
time dependent: Yes
e.g:
hgznsb.com
yvvioe.com
zuzmoq.com
download: virut.txt

xshellghost

tld: [com]
sld: A length of 10-15, a-z; 1 domain per month
time dependent: Yes
e.g:
huxerorebmzir.com
nylalobghyhirgh.com
zgjevclifqpexor.com
download: xshellghost.txt

Want to make contributions?

Our DGA Detecting System sifts through our massive passive DNS (pdns) data and malware samples for the latest suspicious DGAs in real time, and we come across interesting domain names and/or MD5 samples all the time.

We encourage fellow security researchers to share their insights and contribute their ideas on our GitHub Repo, where we list some of the uncertain DNS and MD5 samples for further analysis.