# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.trendmicro.com/vinfo/hk-en/security/news/virtualization-and-cloud/coinminer-ddos-bot-attack-docker-daemon-ports
# Reference: https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool

kaiserfranz.cc
irc.kaiserfranz.cc
/ziggy_spread

# Reference: https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/
# Reference: https://www.virustotal.com/gui/file/1aaf7bc48ff75e870db4fe6ec0b3ed9d99876d7e2fb3d5c4613cca92bbb95e1b/detection
# Reference: https://otx.alienvault.com/pulse/5f3aa1e047a40112d69f524d

6z5yegpuwg2j4len.tor2web.su
dockerupdate.anondns.net
sayhi.bplace.net
teamtnt.red
teamtntisback.anondns.net

# Reference: https://otx.alienvault.com/pulse/5f58ff8e319f59c6e46496b1
# Reference: https://www.virustotal.com/gui/file/0742efecbd7af343213a50cc5fd5cd2f8475613cfe6fb51f4296a7ec4533940d/detection

85.214.149.236:443

# Reference: https://techcommunity.microsoft.com/t5/azure-security-center/teamtnt-activity-targets-weave-scope-deployments/ba-p/1645968
# Reference: https://otx.alienvault.com/pulse/5f5925486084399c89bda0ba
# Reference: https://www.virustotal.com/gui/domain/rhuancarlos.inforgeneses.inf.br/detection

rhuancarlos.inforgeneses.inf.br

# Reference: https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/
# Reference: https://otx.alienvault.com/pulse/5f7b7cfff93fa60ed6fd4ff4

/BLACK-T/setup/
/BLACK-T/beta
/BLACK-T/CleanUpThisBox
/BLACK-T/SetUpTheBLACK-T
/BLACK-T/SystemMod
/SetUpTheBLACK-T
/only_for_stats/dup.php

# Reference: https://twitter.com/r3dbU7z/status/1351256623814205441

sampwn.anondns.net
/SamPwn

# Reference: https://twitter.com/r3dbU7z/status/1350479393135734787
# Reference: https://www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques
# Reference: https://otx.alienvault.com/pulse/6007314fbb9b9daf8afc505c

http://45.9.150.36
borg.wtf

# Reference: https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
# Reference: https://otx.alienvault.com/pulse/601ad65bb1f0c3f6116d20ab/

123.245.9.147:6667
13.245.9.147:6667
164.68.106.96:6667
62.234.121.105:6667

# Reference: https://www.lacework.com/8220-gangs-recent-use-of-custom-miner-and-botnet/
# Reference: https://otx.alienvault.com/pulse/60a81875fa39fe6dbbe6f7d1

irc.do-dear.com

# Reference: https://unit42.paloaltonetworks.com/docker-honeypot/
# Reference: https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
# Reference: https://otx.alienvault.com/pulse/60b0cd1697da17aefe01db85
# Reference: https://otx.alienvault.com/pulse/60bdfb172c85862f931deced
# Reference: https://www.virustotal.com/gui/ip-address/45.9.148.85/relations

http://45.9.148.35
irc.borg.wtf
irc.teamtnt.red
irc03.teamtnt.red
ircbd.anondns.net
pacu.borg.wtf
xmrigdashboard.anondns.net

# Reference: https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operations/
# Reference: https://otx.alienvault.com/pulse/60bf9746b81c47f6658b7e1a

projectbluebeam.anondns.net

# Reference: https://twitter.com/SethKingHi/status/1412729582751420419

http://185.142.239.128

# Reference: https://blog.netlab.360.com/wei-xie-kuai-xun-teamtntxin-huo-dong-tong-guo-gan-ran-wang-ye-wen-jian-ti-gao-chuan-bo-neng-li/
# Reference: https://otx.alienvault.com/pulse/610ce11da606a4c5c78b28a3
# Reference: https://www.virustotal.com/gui/ip-address/194.147.114.20/relations

htxreceive.top
pubzone.htxreceive.top
oracle.htxreceive.top
/htx-i.$
/htx-i.arc
/htx-i.arcle-hs38
/htx-i.arm
/htx-i.arm4
/htx-i.arm4l
/htx-i.arm4t
/htx-i.arm4tl
/htx-i.arm4tll
/htx-i.arm5
/htx-i.arm5l
/htx-i.arm5n
/htx-i.arm6
/htx-i.arm64
/htx-i.arm6l
/htx-i.arm7
/htx-i.arm7l
/htx-i.arm8
/htx-i.armv4
/htx-i.armv4l
/htx-i.armv5l
/htx-i.armv6
/htx-i.armv61
/htx-i.armv6l
/htx-i.armv7l
/htx-i.dbg
/htx-i.exploit
/htx-i.i4
/htx-i.i486
/htx-i.i586
/htx-i.i6
/htx-i.i686
/htx-i.kill
/htx-i.m68
/htx-i.m68k
/htx-i.mips
/htx-i.mips64
/htx-i.mipseb
/htx-i.mipsel
/htx-i.mpsl
/htx-i.pcc
/htx-i.powerpc
/htx-i.powerpc-440fp
/htx-i.powerppc
/htx-i.ppc
/htx-i.pp-c
/htx-i.ppc2
/htx-i.ppc440
/htx-i.ppc440fp
/htx-i.root
/htx-i.root32
/htx-i.sh
/htx-i.sh4
/htx-i.sparc
/htx-i.spc
/htx-i.ssh4
/htx-i.x32
/htx-i.x32_64
/htx-i.x64
/htx-i.x86
/htx-i.x86_32
/htx-i.x86_64
/s3f715/

# Reference: https://twitter.com/t0001100000/status/1446048755577458694
# Reference: https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
# Reference: https://www.virustotal.com/gui/file/fe3c5c4f94b90619f7385606dfb86b6211b030efe19b49c12ead507c8156507a/detection
# Reference: https://www.virustotal.com/gui/file/0dab485f5eacbbaa62c2dd5385a67becf2c352f2ebedd2b5184ab4fba89d8f19/detection

http://45.9.148.182
51.79.226.64:8080
85.214.149.236:443
chimaera.cc
dl1.chimaera.cc
irc.chimaera.cc
/chimaera.cc
/chimaera.cc_Version2.c
/GRABBER_aws-cloud.sh
/GRABBER_aws-cloud2.sh
/GRABBER_google-cloud.sh
/MOUNTSPLOIT_V2.sh.txt
/TeamTNTbot.c
/TeamTNT.sh
/TNT_gpu.c
