# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: cardinalrat, carpdownloader, evilnum

# Reference: https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/

affiliatecollective.club
dropinbox.host
dropinbox.pw
spotmacro.online
spotoption.pw

# Reference: https://twitter.com/Bank_Security/status/1258129110569758720
# Reference: https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html
# Reference: https://otx.alienvault.com/pulse/5eb2dc5032b006e9c9387051

http://139.28.37.63
http://185.62.190.89
http://185.62.190.218

# Reference: https://otx.alienvault.com/pulse/5f073c9a9607e5b2719938ef

http://139.28.39.165
http://176.107.176.237
http://45.9.239.50
ama-prime-client.com
faxing-mon.best
lvsys.com
win640.com

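# Reference: https://github.com/eset/malware-ioc/tree/master/evilnum
# Note: d2nz6secq3489l.cloudfront.net is a single distribution hostname on shared CDN infrastructure; keep the match on the full hostname, never on the parent cloudfront.net domain.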

http://185.20.186.75
http://185.61.137.141
http://185.62.189.210
adobe.com.kz
d2nz6secq3489l.cloudfront.net

# Reference: https://twitter.com/h2jazi/status/1390326242151444483
# Reference: https://twitter.com/h2jazi/status/1390326245225861123
# Reference: https://www.virustotal.com/gui/file/f79c2e89479533085c5a01e6585c29415e3349a36da5d7b831c2dfc364542248/detection
# Reference: https://www.virustotal.com/gui/file/9a2c9b14c79da0583066a335ffbac5afbc152f8a1cbf53a38e5f4f118d38d8fe/detection

speednet.fun

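# Generic
# Note: the entry below is a URL path pattern, not a host; it is not tied to any of the domains or addresses listed above, so corroborate a hit with the destination host before treating it as this family.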

/tran/check.php?id=
