Some results of my DGA reversing efforts
Type Name Latest commit message Commit time
banjori initial commit Aug 31, 2015
chinad chinad dga Jan 13, 2017
corebot DGA of Suppobox (two wordlists provided, there are at least two more) Oct 23, 2015
dircrypt initial commit Aug 31, 2015
dnschanger New DGA: DNSChanger/Alureon Jan 10, 2016
fobber DGA of Fobber (two versions) Sep 11, 2015
gozi
kraken The two DGAs of Kraken alias Oderoor alias Bobax. Two seeds for each … Dec 22, 2015
locky Add locky seeds 7773, 7743 Jul 13, 2016
murofet new seed Sep 19, 2016
mydoom new ramnit seed Nov 8, 2019
necurs new Shiotob seed Aug 30, 2017
newgoz initial commit Aug 31, 2015
nymaim cleanup Jul 19, 2019
nymaim2 DGA of Nymaim v2 Apr 29, 2018
padcrypt PadCrypt v2.2.97.0, thx to Lawrence Abrams (@BleepinComputer) and Ma… Mar 6, 2016
pitou Pitou README added to explain the strange output Apr 10, 2019
pizd cleanup Jul 19, 2019
proslikefan Added generalized version of the Proslikefan DGA. Jun 17, 2016
pushdo DGA of Pushdo Dec 6, 2019
pykspa cleanup Jul 19, 2019
qadars seeds should be ordered Aug 3, 2017
qakbot DGA of Qakbot Feb 24, 2016
qsnatch added second version Nov 11, 2019
ramdo Ramdo Sep 27, 2017
ramnit new ramnit seed Nov 25, 2019
ranbyus new ranbyus seed Jul 14, 2016
reconyc DGA of Reconyc. Uses unpredictable seeding, but might still be intere… Jul 19, 2019
shiotob new Shiotob seed Aug 30, 2017
simda initial commit Aug 31, 2015
sisron link to blog post Jun 2, 2016
suppobox example domains for the word list 3 Dec 17, 2015
symmi initial commit Aug 31, 2015
tempedreve time-dependent Tempedreve DGA May 9, 2017
tinba add more seeds to the Tinba DGA Aug 8, 2017
unknown_malware new DGA of unknown malware Sep 27, 2017
unnamed_downloader new DGA from unnamed downloader Sep 19, 2016
unnamed_javascript_dga Added generalized version of the Proslikefan DGA. Jun 17, 2016
vawtrak new vawtrak variants Jan 13, 2017
LICENSE Initial commit Aug 31, 2015
README.md DGA of Pushdo Dec 6, 2019

Domain Generation Algorithms

Domain Generation Algorithms (DGAs) of malware, reimplemented in Python.

Overview

banjori (aka MultiBanker 2, BankPatch(er))

Links

Example Domains

  • earnestnessbiophysicalohax.com
  • kwtoestnessbiophysicalohax.com
  • rvcxestnessbiophysicalohax.com
  • hjbtestnessbiophysicalohax.com
  • txmoestnessbiophysicalohax.com
  • agekestnessbiophysicalohax.com
  • dbzwestnessbiophysicalohax.com
  • sgjxestnessbiophysicalohax.com
  • igjyestnessbiophysicalohax.com
  • zxahestnessbiophysicalohax.com
chinad

Links

Example Domains

  • 8f6bacmw30xxv6sc.cn
  • 486txu3yjly0xcmz.ru
  • xmi6x8zg9rkanmyo.info
  • spy1jhdbmvt2ueva.net
  • evybt5gtf2tprvbi.info
  • 7qbys97e3pcw262c.info
  • kz89iy97c7n7vbur.biz
  • zmkvvlsvkbffnuez.ru
  • tr1yy6lxtry1gsts.biz
  • mfq6uwq3p2hvc8zn.cn
corebot

Links

Example Domains

  • lkhylm0mhyfuhg.ddns.net
  • s63234wluv5v365bwp5.ddns.net
  • afe6mfy23xcxgfa.ddns.net
  • 7rsl1f34sfq0oj3jwvmfa6c.ddns.net
  • ir7l3po0gjy8ypqjm8o.ddns.net
  • 3lgrupwdivsfm2w4kng2iha.ddns.net
  • i8a0q2wdu8otulkfylo2gdq.ddns.net
  • kh1her76avy0qnelivijwd1.ddns.net
  • ubgp1f1han7lu410eh5.ddns.net
  • uliry8knadmpmdm4wti6oro.ddns.net
dircrypt

Links

Example Domains

  • rauggyguyp.com
  • llullzza.com
  • mluztamhnngwgh.com
  • mycojenxktsmozzthdv.com
  • inbxvqkegoyapgv.com
  • furiararji.com
  • zrkdvzjhse.com
  • wyuhdsdttczd.com
  • hpaxgpkteomjaxywwelr.com
  • mydojltbqjnwailyyoa.com
dnschanger (aka Alureon)

Links

Example Domains

  • aktklyvbiu.com
  • zgimjzlnrl.com
  • tcfejerekw.com
  • tfaunnjmxt.com
  • ydvlfpkguw.com
fobber (aka Tinba v3)

Example Domains

  • vhkintjtksyxgjrzz.net
  • btpnxlsfdqbhzazyx.net
  • ukfmknjdenthvktgc.net
  • qupxsrhrmuoinqrit.net
  • gjsbydmrpfzsmnfiu.net
  • indpstqbetcpcqprx.net
  • gwrdmhyjfcpcutmhp.net
  • bwnzcyypcbmnlpfsw.net
  • twkpwfuecvvzcincq.net
  • pdwfuxgnahmgsxhit.net
gozi (aka Ursnif, Snifula, Papras)

Links

Example Domains

  • quodpresidentemaxsagit.com
  • pertantumfitusu.com
  • indulgentiarumlicet.com
  • moriblasphemianegocii.com
  • ptribueretnossetnonin.com
  • nonsicordinario.com
  • svivacpecunias.com
  • inestimabiler.com
  • ulpurgatoriopetrum.com
  • papacricognitisipro.com
kraken/v1 (aka Bobax, Oderoor)

Links

Example Domains

  • ibbwnhgh.mooo.com
  • rbqdxflojkj.mooo.com
  • smhburg.dyndns.org
  • bltjhzqp.dyndns.org
  • clwafrfuuxq.yi.org
  • cffxugijxn.yi.org
  • ivxcxbj.dynserv.com
  • etllejr.dynserv.com
  • otpxmk.mooo.com
  • ejfjyd.mooo.com
kraken/v2 (aka Bobax, Oderoor)

Links

Example Domains

  • xpdbwuimwag.com
  • nwpegpjtx.com
  • smmyuhxlt.net
  • xjvyvnzivvt.net
  • lvctmusxcyz.tv
  • lvctmusxcyz.tv
  • cjuszcfwo.cc
  • egbmbdey.cc
  • wjxaprgne.com
  • vxbuggxhrgi.com
locky

Links

Example Domains

  • gegjiimqmlgtdmk.tf
  • pccibcjncnhjn.yt
  • rddipikmrap.us
  • mmhmkqfc.be
  • vkcims.pm
  • qtysmobytagnrv.it
  • suhpqiumpjsv.ru
  • cscffbwbhs.uk
murofet/v1 (aka LICAT)

Links

Example Domains

  • giywswshrgxcvoqgvrkthmfa.ru
  • xaiqpbprgymbvrwmzgiyprgdsk.com
  • amgqgularpzxeapztxenbx.net
  • pfscijbmthyfiyjgergugtkbqyh.org
  • xglfcmsgorvwfilhmzlcxxvkfege.info
  • rcteqwkequojntibvfyfaluwh.biz
  • mjfqylbiaunffuaeunzdqdwscu.ru
  • qobeylpxgpfknlptukyddqvklztg.com
  • rgwgizukficdgetwsxovtcknwkfm.info
  • betgyaeswxorwcvsdezdupbmb.org
murofet/v2 (aka LICAT)

Links

Example Domains

  • cmqvvxtppnibli.biz
  • cmqvvxtppnibli.com
  • rloqpoiongsuwyq.net
  • rloqpoiongsuwyq.org
  • zsophzovtfor.info
  • zsophzovtfor.biz
  • nlifthjnbgnfweq.org
  • nlifthjnbgnfweq.com
  • hykpttqsxsmvkoc.info
  • hykpttqsxsmvkoc.org
murofet/v3 (aka LICAT)

Links

Example Domains

  • nxlya47huo61czerb18o51e11d30i55gycwe31lx.ru
  • jwdzptm69p62izcve41f22k37oyj16g63fqote11.com
  • p42p52nvd50izkqazaqe21lvo21pycqotp22e61.net
  • b28n40i25b68gte41o61dwc19htc29jwgxiqfzbr.org
  • ktirhsn50kzc49b58cyf32fwh14h64dzgxiqcz.info
  • bre41hvc29kri15ewpwdsazjyn40p52kwe21gw.biz
  • n30mwhsoxfqe51j56lunsg13o11hyd60ewf52nu.ru
  • hvcsjxd20mzm29d40nznunta27c29kyi55fun50.com
  • nzosg13oymzg63ntpxaro51btkvfyoshrk27.info
  • czfsn20exg53nzcqcrg43exf62b28p22pyd50lu.org
mydoom (aka Novarg, Mimail.R, Shimgapi)

Example Domains

  • qehspqnmrn.info
  • mmahaesqar.in
  • pwprhhnqqn.in
  • mrspmramrn.in
  • arphansaqh.com
  • hrhspsrenn.net
  • aepaaemrmn.com
  • wsaehwmnms.in
  • arwrseqssh.com
  • ewamspqwha.ws
necurs

Links

Example Domains

  • nccojqvabqvkiwhj.mx
  • hoedwwwywnmmbi.ac
  • aeaeneaoinf.mu
  • ccecggc.us
  • mfffpmgtplxbyagbtegh.com
  • thlxuwnadtdtsm.biz
  • edkomqpeufjyafccj.in
  • mxomklaqau.pw
  • nvutiptwteltin.tv
  • nhysbiomr.ir
newgoz (aka Gameover Zeus, Peer-to-Peer Zeus)

Links

Example Domains

  • xzz3ug32bale1uo60y7xj6rge.com
  • 1hyzmw3l2phycet88hzr2do34.net
  • 2ppq821cfem5m1mdua46pxg7bj.biz
  • unlm9w9l8upy1kdde0kba7ktf.org
  • 1ixhw3p1ncr3cf1pjfrpz14n1u0e.com
  • 1o460ktpdhna1k0lk3ecwujxn.net
  • 183t0wjzlthe51wigptk4rl29.org
  • 1i3ux5a1hj6ndqejmxone45g0v.net
  • 5mcdp71mbutpb1tglu0s4p0lrf.com
  • n3i5yn19w82vmmpxv1k1l4xrjg.org
nymaim

Example Domains

  • oftbpec.com
  • lotmpwyk.info
  • seikpwq.info
  • bcfatyltdvp.info
  • rfwstgy.com
  • hokybhnf.biz
  • evlovrxuw.net
  • mtzpbzbfvy.info
  • hacckgiakhl.com
  • mosmeuw.net
nymaim2

Links

Example Domains

  • surfaces-drawing.com
  • shaft-criterion.cc
  • stops-hash.id
  • unitsknowledge.com
  • wiredgraph.tm
  • timelydesignation.co
  • stablelikely.ch
  • stainless-loan.lk
  • wagon-documents.sc
  • trainerprocessors.tk
padcrypt

Links

Example Domains

  • elkfcfnacacmofdf.com
  • mkmeeefncfnfdmbm.de
  • ffcdcnbmmnaeddcd.com
  • ddkfodnaadmbmofo.co.uk
  • efneboaodnmbecoa.co
  • bafomkfalcfcdkom.info
  • onlmcddadnacfclc.com
  • dcfmddfbobkmafma.com
  • lmmfdccmnnfnmfdl.co
  • kcknconmceeemlnm.com
pitou

Links

Example Domains

  • koohoavab.net
  • koohoavac.net
  • koohoavad.net
  • koohoavaf.net
  • koohoavag.net
  • koohoavah.net
  • koohoavaj.net
  • koohoavak.net
  • koohoaval.net
pizd

Links

Example Domains

  • difficultnearly.net
  • dollarnearly.net
  • difficultpossible.net
  • dollarpossible.net
  • eearlynation.net
  • escapenation.net
  • eearlypleasure.net
  • escapepleasure.net
  • eearlynearly.net
  • escapenearly.net
proslikefan

Links

Example Domains

  • flarvcpk.eu
  • stjneohiod.biz
  • vcevvkc.se
  • qylptiin.info
  • bsvisbttr.com
  • hjiknr.net
  • arpeiezki.org
  • gobqca.ru
  • tivqfahrmxdl.in
  • smutloo.name
pushdo

Example Domains

  • weafokuggeir.kz
  • sictemuborug.kz
  • cirpicficj.kz
  • geijanmap.kz
  • fuxhuxsabi.kz
  • siclisozdokq.kz
  • sozcoqnafrex.kz
  • qeobifups.kz
  • cokoqdeah.kz
  • latqafbuxwic.kz
pykspa/improved

Links

Example Domains

  • uammskmq.org
  • jqplflktas.info
  • rybwtr.net
  • uyznvxlof.info
  • gakcmqiw.com
  • wewsvat.net
  • owhadwkskevw.net
  • nkndlzhjgrpc.info
  • isypszqe.net
  • joebbaamoyt.info
pykspa/precursor

Links

Example Domains

  • llfwhgn.com
  • guqqkaiq.biz
  • wctymo.net
  • lovfjsfox.com
  • oruhbanansnan.cc
  • mkncjk.biz
  • yunonsuiwcymao.net
  • yxpojufqbex.com
  • qhxgzufqbex.cc
  • yywiywiq.biz
qadars

Links

Example Domains

  • jk9enwhansl2.org
  • sdqfodmf81m7.net
  • 5uro1uzspejk.net
  • ub4hinsduf0p.net
  • zs9ijo1er81u.com
  • 0t67c5arw9yf.net
  • lev41encha38.net
  • 67k1q3c1mr8x.org
  • 7w1yf49irk5m.net
  • gdunwhq7s9qb.org
qakbot

Links

Example Domains

  • bqkrtxgkmriwsiwcngtivpx.info
  • jdtmfupdyueqeldvhsjzdvzob.net
  • guhmpoxzivhba.com
  • nqqxqhuacaqhzurde.org
  • lgqsqgpqzijwid.info
  • ykolyecdcyk.biz
  • ztvflnxqzpxvpfobv.biz
  • zqrmkpivrbxccawozqwqpfzh.org
  • iqyqwhntrxfeq.org
  • ftadkbomxlnsib.info
qsnatch

Links

Example Domains

  • t2q2r.cf
  • gc9nz.tk
  • 07tvvc.com
  • 7ubqo.ml
  • 53bcm.de
  • 6zltf.rocks
  • hv7uv.mx
  • nypno.biz
  • qkzccy.net
  • rassb.cn
ramnit

Links

Example Domains

  • knpqxlxcwtlvgrdyhd.com
  • nvlyffua.com
  • hgyudheedieibxy.com
  • anrylixwcbnjopdd.com
  • vrndmdrdrjoff.com
  • jhghrlufoh.com
  • tqjhvylf.com
  • hufqifjq.com
  • itktxexjghvvxa.com
  • ppyblaohb.com
ranbyus/may

Links

Example Domains

  • ikwoqkwuajpbyx.com
  • niukpdrluwlfox.pw
  • rcnxisuibbadng.in
  • wbqtidjvsdiwee.me
  • jrdyumcieyipnv.cc
  • yvyfwikedfxitk.su
  • tviurcntxylxnj.tw
  • lycyrvfcemepfm.net
  • epddeukdimbpft.com
  • trbhxhmbsikoaq.pw
ranbyus/september

Links

Example Domains

  • jxbdxeyxttdmcjagi.me
  • iqmadgybfhnrssadm.cc
  • gdoldaognceaedkke.su
  • jnbnyrmxmpblfgstk.tw
  • ucjetnyaitygjidva.net
  • jejocqwtcbtuymvao.com
  • stuctjsqfxghcesyw.pw
  • gfidctymbxiaqyuyk.in
  • ojrqwrlhesfshawva.me
  • bqjqvwwjirftwkjel.cc
reconyc

This DGA has unpredictable seeding, i.e., it uses GetTickCount as the seed. I still list the DGA as it might be useful for testing or training DGA detection algorithms.

Example Domains

  • E5zHail0Mw.com
  • gabbvK2o6s.com
  • CumpP2A4d7.com
  • 5eswmwNQyF.com
  • lExfSzyuwP.com
  • JZpESGsPFF.com
  • UmIaRnijeT.com
  • sHr0xE9Idm.com
  • nYcEX7wlCF.com
  • VCiZNQXwpO.com
shiotob (aka Urlzone, Bebloh)

Links

Example Domains

  • wtipubctwiekhir.net
  • rwmu35avqo12tqc.com
  • rskb5bsfhm2fk5h.net
  • rbp9pprrxgflut9.com
  • zzxeyzgy45yy2a.net
  • e3oa4wglvd21xa.com
  • mqmq1hvmtxzjv.net
  • pd4o4wu24vimn.com
  • tlmrzvpbpsqsb.net
  • pbmnz59uzndpo.com
simda (aka Shiz)

Links

Example Domains

  • gatyfus.com
  • lyvyxor.com
  • vojyqem.com
  • qetyfuv.com
  • puvyxil.com
  • gahyqah.com
  • lyryfyd.com
  • vocyzit.com
  • qegyqaq.com
  • purydyv.com
sisron (aka TOMB, Win32/Agent.WRQ, Trojan.Scar)

Links

Example Domains

  • mdiwnjiwmtya.com
  • mdewnjiwmtya.com
  • mzewntiwmtya.com
  • mzawntiwmtya.com
  • mjkwntiwmtya.com
  • mjgwntiwmtya.com
  • mjcwntiwmtya.com
  • mjywntiwmtya.com
  • mjuwntiwmtya.com
  • mjqwntiwmtya.com
suppobox

Links

Example Domains

  • journey
  • destroy
  • against
  • night
  • within
  • effort
  • street
  • better
  • husband
  • little
symmi

Links

Example Domains

  • ogovugtuipawi.ddns.net
  • afowkaupbabe.ddns.net
  • ipkureleakm.ddns.net
  • hegiruqo.ddns.net
  • luimreim.ddns.net
  • tiakqukoahuvu.ddns.net
  • loelkuanduur.ddns.net
  • agdehukoev.ddns.net
  • giagkuekorla.ddns.net
  • leufiroqipomu.ddns.net
tempedreve

Links

Example Domains

  • dlbebsga.net
  • enqbgrmt.com
  • xjlwpfnk.info
  • ebabkjcx.org
  • hvisietg.net
  • svyjglen.com
  • glknxfgq.info
  • adoduloh.org
  • jgrxrxwh.net
  • ctmrgbmz.com
tinba (aka TinyBanker, Zusy)

Links

Example Domains

  • blackfreeqazyio.cc
  • nvfowikhevmy.com
  • nvfowikhevmy.net
  • nvfowikhevmy.in
  • nvfowikhevmy.ru
  • sjhuqlwrqhqx.com
  • sjhuqlwrqhqx.net
  • sjhuqlwrqhqx.in
  • sjhuqlwrqhqx.ru
  • pxqgonyogeee.com
unknown_malware

Example Domains

  • albdfhln.com
  • alcgkown.com
  • aldjpvqt.com
  • alemuown.com
  • alfpmrnq.org
  • algspvqt.org
  • alhvrytw.org
  • aliyuown.org
  • aljnwpyo.org
  • alkpmrnq.net
unnamed_downloader

Example Domains

  • ddknt.github.io
  • ddktn.github.io
  • ddnkt.github.io
  • ddntk.github.io
  • ddtkn.github.io
  • ddtnk.github.io
  • dkdnt.github.io
  • dkdtn.github.io
  • dkndt.github.io
  • dkntd.github.io
unnamed_javascript_dga

Links

Example Domains

  • rxxeqcoy.cc
  • kmymbyzd.co
  • cfukbzbmg.eu
  • sblwtafc.cc
  • lqdoacat.co
  • dplmjcjic.eu
  • ttukaiwjdx.cc
  • meimklqh.co
  • enmxqcxhtl.eu
  • unmias.cc
vawtrak

Links

Example Domains

  • usahwutle.com
  • folocnam.com
  • awumsah.com
  • edorwufli.com
  • misocgutlah.com
  • edarwotda.com
  • melarwetdic.com
  • usucnitdohg.com
  • regomseh.com
  • osicnumd.com