360netlab/DGA

From VT: Looks like a TID DGA

suqitian opened this issue · 1 comments

  • MD5:
    11846ad0916e66a25defcf41b676d0f7
  • VT link
  • Brief
    Ran it in Cuckoo once more and got the same DNS queries.
    It should be a time-independent DGA.
  • DNS queries from Cuckoo sandbox

Hardcoded domains.
Uncompressed domain in sub_005B9B41 function.