# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.secureworks.com/research/gozi

/cgi-bin/certs.cgi

# Reference: https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy:Win32/Ursnif.gen!F

/system/prinimalka.py/forms
/system/prinimalka.py/options
/system/prinimalka.py/command

# Reference: https://ae.norton.com/security_response/print_writeup.jsp?docid=2009-060121-0427-99
# Note: /system/prinimalka.py/options below repeats an entry already listed in the previous group.

/system/prinimalka.py/options
/cgi-bin/trash.py

# Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2009-January/001818.html

/cgi-bin/pstore.cgi
/cgi-bin/forms.cgi
/cgi-bin/ss.cgi

# Reference: https://marc.info/?l=emerging-sigs&m=135206981711334&w=2

pull.assisback.com

# Reference: https://twitter.com/VK_Intel/status/1045830804545298434
# Reference: https://pastebin.com/cDz5dvMx

a1.umpalok.at/rpc
api.leproeg.at/rpc
app.nytronex.at/rpc
cd.ioptool.at/rpc
chat.freemon.at/rpc
doom.matr.at/rpc
fr.aporen.at/rpc
io.upcu100.at/rpc
mahono.cn/rpc
m.umpalok.at/rpc
ops.twidix.at/rpc
qqq.matr.at/rpc
sq.dreemkol.at/rpc
tri.umpalok.at/rpc
tt.zicino.at/rpc
win.zicino.at/rpc

# Reference: https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html

api.galio.at/wpapi
app.tohio.at/wpapi
az.popdel.at/wpapi
harent.cn/wpapi
inc.robatop.at/wpapi
in.ledal.at/wpapi
io.ledal.at/wpapi
login.cdrome.at/wpapi
poi.robatop.at/wpapi
scr.tohio.at/wpapi
ssl.lottos.at/wpapi
torafy.cn/wpapi
yraco.cn/wpapi
4fsq3wnmms6xqybt.onion/wpapi
em2eddryi6ptkcnh.onion/wpapi
nap7zb4gtnzwmxsv.onion/wpapi
t7yz3cihrrzalznq.onion/wpapi

# Reference: https://twitter.com/campuscodi/status/1039531511144431616
# Reference: https://marcoramilli.blogspot.com/2018/08/hacking-hacker-stopping-big-botnet.html

1000numbers.com
batterygator.com
beard-style.com
englandlistings.com
next.gardenforyou.org
pomidom.com
pool.jfklandscape.com
pool.thefutureiskids.com
romanikustop.space
securitytransit.site
sssloop.host
sssloop.space
upsvarizones.space

# Reference: https://twitter.com/VK_Intel/status/1047033551957504003
# Reference: https://pastebin.com/aMgJJc5D

admin.doriton.at/wpapi
api.rendes.at/wpapi
app.strikeapple.at/wpapi
doc.rendes.at/wpapi
ht.letosos.at/wpapi
io.ledalco.at/wpapi
in.ledalco.at/wpapi
mp.musicdance.at/wpapi
psi.patrons.at/wpapi
rest.relonter.at/wpapi
vi.relonter.at/wpapi

# Reference: https://twitter.com/VK_Intel/status/1048068456082432000

loadbirthdaymoveproper1x4v.com

# Reference: https://twitter.com/VK_Intel/status/1105578215605764096

polkanidog.website

# Reference: https://twitter.com/VK_Intel/status/1072254720755068928

akamaicln.com
aplatmesse.com
nowerdleat.com
touggledle.com

# Reference: https://twitter.com/VK_Intel/status/1048068456082432000
# Note: this reference and its single entry repeat an identical group listed earlier in this file.

loadbirthdaymoveproper1x4v.com

# Reference: https://twitter.com/VK_Intel/status/1017946476389888000

cojnqwjenqwe.com
woudausdnw.com

# Reference: https://twitter.com/Racco42/status/1102896181011795969

/about/conservative.php

# Reference: https://twitter.com/abuse_ch/status/1072117868555366400

black-transsexual-hardcore.com

# Reference: https://twitter.com/James_inthe_box/status/1109090277380116480

investingfutureram.ac.ug

# Reference: https://twitter.com/James_inthe_box/status/1113102849313988611

api.sorna.at
beetfeetlife.bit
supp.rivier.at

# Reference: https://twitter.com/makflwana/status/1037120013574914048

aclassshades.net

# Reference: https://twitter.com/makflwana/status/1034320489500401664

aclassshades.com

# Reference: https://twitter.com/makflwana/status/1033935638830010368

basedplants.net

# Reference: https://twitter.com/VK_Intel/status/1114477236890083329

t97uoquintengbnia.company
koo89iiignatius.com
s45ooallison.com

# Reference: https://twitter.com/VK_Intel/status/1118143457292320769

ptl8sb.xyz
jrosinaiabbigail.com
xdanialsx.info

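# Generic callback path: a bare URL path with no host, so it is matched regardless of host
# and already covers the host-qualified /wpapi entries above. Expect it to be broader, and
# potentially noisier, than those entries.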

/wpapi
