# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: splinter

# Reference: https://github.com/BishopFox/sliver
# Reference: https://www.virustotal.com/gui/file/1c9cc7108392ca716a522ccfc93c15724fb18bafe8350301c2ced04803aa4040/detection

201.137.231.132:8888
letshack.ddns.net

# Reference: https://twitter.com/1ZRR4H/status/1450913137352392712
# Reference: https://pastebin.com/ZpsxzLZc
# Reference: https://www.malware-traffic-analysis.net/2021/10/20/index.html
# Reference: https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity

http://101.35.159.51
http://104.236.118.101
http://104.236.43.106
http://106.12.207.117
http://111.90.147.236
http://135.181.104.26
http://157.245.14.195
http://157.245.93.17
http://161.97.142.232
http://164.90.232.157
http://176.223.165.145
http://18.163.111.123
http://182.92.189.18
http://185.10.68.232
http://206.72.200.121
http://3.239.175.166
http://35.192.9.111
http://45.79.202.162
http://51.178.46.134
http://52.24.190.27
http://62.171.184.87
http://64.52.111.48
http://85.93.2.78
101.35.159.51:443
104.236.118.101:443
104.236.43.106:443
106.12.207.117:443
111.90.147.236:443
135.181.104.26:443
157.245.14.195:443
157.245.93.17:443
161.97.142.232:443
164.90.232.157:443
176.223.165.145:443
18.163.111.123:443
182.92.189.18:443
185.10.68.232:443
206.72.200.121:443
3.239.175.166:443
35.192.9.111:443
45.79.202.162:443
51.178.46.134:443
52.24.190.27:443
62.171.184.87:443
64.52.111.48:443
85.93.2.78:443
101.35.159.51:8080
104.236.118.101:8080
104.236.43.106:8080
106.12.207.117:8080
111.90.147.236:8080
135.181.104.26:8080
157.245.14.195:8080
157.245.93.17:8080
161.97.142.232:8080
164.90.232.157:8080
176.223.165.145:8080
18.163.111.123:8080
182.92.189.18:8080
185.10.68.232:8080
206.72.200.121:8080
3.239.175.166:8080
35.192.9.111:8080
45.79.202.162:8080
51.178.46.134:8080
52.24.190.27:8080
62.171.184.87:8080
64.52.111.48:8080
85.93.2.78:8080
ruwejo.com

# Reference: https://twitter.com/Max_Mal_/status/1500447223217278980
# Reference: https://www.virustotal.com/gui/file/7f0deab21a3773295319e7a0afca1bea792943de0041e22523eb0d61a1c155e2/detection
# Reference: https://www.virustotal.com/gui/file/d8241e046cb9efcfa7ce733249d580eacff996d8669adbe71019eedafb696a55/detection
# Reference: https://www.virustotal.com/gui/file/2190a7d8d7eafd4af56b01d9a828ab2dc553a804ccda4c291dce51ce01da81f8/detection
# Reference: https://www.virustotal.com/gui/file/1f95397c4634f3348f3001a02eab269148f4c08271c2e2461905a4359f7c4761/detection
# Reference: https://www.virustotal.com/gui/file/08137096b85a3a2611249bb57ba9ace4e8efc9ba28cfddd8557edc3e11e9690c/detection

176.113.115.107:8888
193.27.228.127:8888

# Reference: https://www.sentinelone.com/blog/from-the-front-lines-new-macos-covid-malware-masquerades-as-apple-wears-face-of-apt/
# Reference: https://otx.alienvault.com/pulse/62c6baa44e2fdd526623016c
# Reference: https://www.virustotal.com/gui/file/d9bba1cfca6b1d20355ce08eda37d6d0bca8cb8141073b699000d05025510dcc/detection
# Reference: https://www.virustotal.com/gui/file/eb383824d0aae1b561c42f6709ce0d9f1c39ad8d7a743709f1080b8dc5985cfe/detection
# Reference: https://www.virustotal.com/gui/file/7831806172857a563d7b4789acddc98fc11763aaf3cedf937630b4a9dce31419/detection
# Reference: https://www.virustotal.com/gui/file/4cc4d170209897ce52093a13e2b5a27405efaeb9be1f8e1aaf93226e3451d110/detection
# Reference: https://www.virustotal.com/gui/file/29bb22553c16b32057b30c240b30e2f4fe107d9ccfb6b2d0dbece6f41a2419d6/detection

http://46.137.201.254
46.137.201.254:8001
46.137.201.254:8888

# Reference: https://twitter.com/ESETresearch/status/1547943632455364609
# Reference: https://twitter.com/ESETresearch/status/1547944027957260292
# Reference: https://www.virustotal.com/gui/file/1f6af8e1e04288ce01039927d7f693c38af78378718138702edc68cf3fa6979c/detection
# Reference: https://www.virustotal.com/gui/file/d75d569a20442043eff9946a269ccc2a27c0e4eb33e0f0dbeac48b4ac65400c0/detection

saleforces-it.com
saleforces.s3-accelerate.amazonaws.com

# Reference: https://twitter.com/malwrhunterteam/status/1559639717146251271
# Reference: https://www.virustotal.com/gui/file/57d005ffd8d8e09f822470dd09982dabd13706580fb78c8398242626b4f97f8a/detection

sj-analytics.com

# Reference: https://www.malware-traffic-analysis.net/2022/08/30/index.html
# Reference: https://twitter.com/malware_traffic/status/1564727055304069130

65.20.115.15:8557

# Reference: https://twitter.com/fr0s7_/status/1567449023992184832
# Reference: https://www.virustotal.com/gui/file/1142ba812887fb309a6d4e8a6b14205b80eff6d95ac067d6fd807e65b343cf7d/detection

23.82.140.230:8888
vomonavopo.com

# Reference: https://twitter.com/MichalKoczwara/status/1580643176188350465

195.211.198.113:31337

# Reference: https://twitter.com/MichalKoczwara/status/1580683916939530240
# Reference: https://www.virustotal.com/gui/file/17df554651962ebb1424a549ddc43f2a7e0e25a571ddfe454393b4f413261296/detection

http://44.201.81.167

# Reference: https://twitter.com/r3dbU7z/status/1582932022859026432

ondemand-9839.ske.psydev.eu
dashboard.ondemand-9839.ske.psydev.eu
identity.ondemand-9839.ske.psydev.eu

# Reference: https://twitter.com/MichalKoczwara/status/1591050511125712897
# Reference: https://tria.ge/221111-psjzrsab4z/behavioral1

150.242.219.35:8080

# Reference: https://twitter.com/MichalKoczwara/status/1591185624933060608

143.110.214.130:8080
18.190.153.173:8080
65.108.227.57:9999

# Reference: https://twitter.com/h2jazi/status/1599882699195711489
# Reference: https://twitter.com/h2jazi/status/1601231407334166528
# Reference: https://www.virustotal.com/gui/file/3272bfc6ad54f1162db8c01f0621e295068ac363cb8b5f98b179920c47138de2/detection

23.94.131.51:8888
batrn.com
kmatv.com

# Reference: https://twitter.com/MichalKoczwara/status/1603014021791227905

103.215.127.5:8000

# Reference: https://twitter.com/MichalKoczwara/status/1603709696405225472
# Reference: https://www.virustotal.com/gui/file/92876bc30ecc2493710d8e0f714a8d12277a3208139d26bc85e12839129fd4f1/detection

http://13.48.204.226
13.48.204.226:443
13.48.204.226:8082

# Reference: https://twitter.com/MichalKoczwara/status/1606996714006749186

89.147.111.80:8000

# Reference: https://twitter.com/IronNetTR/status/1615355762598973441

hax0x.win
missbare.com
pt-ccs.com
cs.hax0x.win
rsgr-login.missbare.com
us1-bwh.milktea.info

# Reference: https://twitter.com/r3dbU7z/status/1627205584108896256
# Reference: https://www.virustotal.com/gui/file/31e21a23b571fb59b029dbf521ba63302aff87a9de53f16e5e2599060f168805/detection

154.38.161.223:443
154.38.161.223:8888

# Reference: https://asec.ahnlab.com/en/47088/
# Reference: https://otx.alienvault.com/pulse/63e25c5cbc100230953c2d2e

61.155.8.2:81
