# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: Echelon, DarkStealer

# Reference: https://twitter.com/ViriBack/status/1260367262399246336
# Reference: https://www.virustotal.com/gui/file/7c9f7e4307f0bd7f269476cc181792aa4d75c5ce84dc22fc0feb73def814c8f1/detection
# Reference: https://app.any.run/tasks/9dcf3d5b-8e9d-46a6-a6c1-32b47a075d10/
# Reference: https://app.any.run/tasks/337c1087-f994-4912-ab11-2a827e689e4d/

# nagano-19599.herokussl.com  # Note: CNAME of legitimate api.ipify.org

# Reference: https://twitter.com/3xp0rtblog/status/1295291062374866944 (# DarkStealer, fork of Echelon)
# Reference: https://app.any.run/tasks/5da0536a-5665-4989-9b82-3bede782d8a6/

ifreegive.ga

# Reference: https://twitter.com/James_inthe_box/status/1313832984303157250
# Reference: https://app.any.run/tasks/5ddfb57a-bc6b-42bb-a042-f906e5a2cabb/
# Reference: https://www.virustotal.com/gui/file/bc7900c1440c578c0dc0de73889755bbbf9e43026d8beafe83dbdc5d76dd6a62/detection

http://193.56.28.228

# Generic

/api.php?chatid=
/sendDocument?chat_id=
/webpanel-ele/inc/bc4514100d55a6.php
/webpanel-ele/inc/
/bc4514100d55a6.php
/webpanel-nana/inc/337aea9edeb1f9.php
/webpanel-nana/inc/
/337aea9edeb1f9.php