

Prometei

Prometei v3 botnet is of medium size, with approximately 10,000 infected systems worldwide.
Infected systems are distributed roughly in proportion to each country's population, with traffic captured from 155 countries.
C&C servers change constantly, using DGA methods.


BazarBackdoor version 1

BazarBackdoor (also known as BazarLoader or Team9 Backdoor) is an alternative development of the dreaded TrickBot Trojan.
NOTICE: the DGA changes each month.
Thanks to Johannes Bader for reversing and implementing the DGA.


BazarBackdoor version 2

BazarBackdoor version 2 uses a different DGA.
NOTICE: the generated domains contain special characters; this is normal.
Thanks to Johannes Bader for reversing and implementing the DGA.


Zombie Necurs

The Necurs botnet is a long-standing network previously used to distribute Locky ransomware and Dridex; today it distributes other malware.
C&C servers are numerous and use DGA.


Nymaim

Nymaim has gained banking and information-stealing capabilities.
Its C&C infrastructure uses fast-flux networks and DGA techniques.


Zombie CoreBot

CoreBot is a rather sophisticated banking malware and information stealer.
C&C servers are numerous, and CoreBot uses DGA to reach them.


Chinad

Chinad's activities commonly include downloading and uploading files and dropping other malware onto the infected system.
Its C&C servers change frequently and are resolved with DGA methods.


Qakbot

Qakbot uses powerful information-stealing features to spy on users’ banking activity and defraud them of large sums of money.
C&C servers change constantly, using DGA methods.


Zloader

Zloader is part of the Sphinx banking Trojan.
Zloader has resurfaced, taking advantage of government relief payments amid COVID-19, and uses DGA techniques.


PiZd

PiZd is an important botnet. Its implant has over 1000 variants.
Variants use DGA to reach their C&C servers.


newGOZ

Mutations of the original GameOver Zeus have constantly appeared, dubbed newGOZ.
The new DGA technique is not related to the original GameOver Zeus DGA but bears some resemblance to it.
DGA is used to keep implants updated through the C&C servers.


Pitou

Pitou is a spambot that uses anti-sandbox features and a Domain Generation Algorithm for C&C discovery (thanks to @viql for analysis and code).


Tempedreve (part of the Ursnif family)

Tempedreve arrives on a system as a file dropped by other malware and uses a daily Domain Generation Algorithm for its C&C.


TeleRU

TeleRU is the first observed DGA related to an Android APK.
Thanks to Liang Jinjin for reversing and implementing the DGA.


Qadars

Qadars is a botnet targeting EU victims to spy on users' bank accounts.
Qadars may also infect an Android mobile device, where it can monitor all user activity and hijack text messaging, Facebook accounts, online sports betting accounts, and e-commerce.
C&C servers change constantly, using DGA methods.


Matsnu

The Matsnu botnet uses a DGA that pulls nouns and verbs from a built-in list of more than 1,300 words to form domains that are 24-character phrases.
The DGA generates new domains every 24 hours.


PadCrypt

PadCrypt is ransomware. New domains are used each day.
Its attachments contact one of the domains from the daily DGA list.


Proslikefan

Proslikefan is a script worm. It exfiltrates data to new domains each day.
These domains are generated with DGA techniques.


Locky

Locky ransomware has incorporated a domain name generation algorithm to improve the resilience of its command-and-control (C&C) communications.
The DGA is one of many changes, as the malware is regularly updated with new functionality incorporating new attack techniques.


Pykspa

Pykspa is a worm that accesses the list of Skype contacts and sends a chat message to each contact.
It extracts personal user information from the machine and communicates with remote servers located by using a Domain Generation Algorithm (DGA).


Ranbyus

Ranbyus bypasses payment transaction signing and authentication with smartcard devices.
It also extracts personal user information from banking/payment software and sends it to remote servers located by using a Domain Generation Algorithm (DGA).


Murofet

Murofet, aka LICAT, is related to ZeuS.
It uses a Domain Generation Algorithm (DGA) to determine the current C2 domain names. Thanks to Johannes Bader for reversing the DGA.


Sisron

Sisron is a financial fraud and identity theft botnet. Its infrastructure has been sinkholed, but activity continues on some victims.
Its Domain Generation Algorithm (DGA) is simple but still worth monitoring. Thanks to Johannes Bader for reversing the DGA.


Symmi

Symmi is a botnet with functionality to open a back door on the compromised computer, allowing it to download malicious files.
A Domain Generation Algorithm (DGA) lets Symmi send and receive information and malware.


MyDoom Botnet

MyDoom has several kinds of impact, but its main attacks are DDoS.
MyDoom uses DGA for its P2P communications and also for some Command and Control servers.


Conficker

Versions A, B and C are still alive!
Most hosts are sinkholed, but the infection persists.


--------------------------------------------------------------------------------
Open Source Real Time Malware Information Version 1.0
Sharing Is Caring!
Copyleft 2020 - No rights reserved
Keywords: Bot Invaders, Botnet Tracker, Malware, Domain Name, IOC, Domain generation algorithms, DGA