# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: shelltea, powersniff

# Reference: http://blog.morphisec.com/security-alert-fin8-is-back
# Reference: https://otx.alienvault.com/pulse/5cfe69a12dbf3290f262bfba

cdn-amaznet.club
reservecdn.pro
telemetry.host
telemerty-cdn-cloud.host
wsuswin10.us
104.193.252.162:443
37.1.204.87:443

# Reference: https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf

# POWERSNIFF C2 DOMAINS

vseflijkoindex.net
vortexclothings.biz
unkerdubsonics.org
popskentown.com

# SHELLTEA C2 DOMAINS

neofilgestunin.org
verfgainling.net
straubeoldscles.org
olohvikoend.org
menoograskilllev.net
asojinoviesder.org

# Reference: https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/
# Reference: https://otx.alienvault.com/pulse/5d372fa407ebb8017386ea36

ashkidiore.org
asilofsen.net
druhanostex.net
kapintarama.net
manrodoerkes.org
moreflorecast.org
nduropasture.net
preploadert.net
subarnakan.org
troxymuntisex.org

# Reference: http://click.broadcasts.visa.com/xfm/?30761/0/0624013ddc6f39785bf56d504f3b812e/
# Reference: https://otx.alienvault.com/pulse/5df2a079d801c25e0a68d90e

diolucktrens.org
fraserdolx.org

# Reference: https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/
# Reference: https://www.virustotal.com/gui/domain/ns.akamai1811.com/relations
# Reference: https://www.virustotal.com/gui/file/2d311d46eb32389faa6ef72ed7126b63401c9071a57cb91a70f4c50815dc82fd/detection

akamai1811.com
ns.akamai1811.com

# Reference: https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf

192-129-189-73.sslip.io
198-46-140-52.sslip.io
us-west.com
