Full Code of stamparm/maltrail for AI

Repository: stamparm/maltrail
Branch: master
Commit: 9659b81af316
Files: 3047
Total size: 41.2 MB

Directory structure:
gitextract_hq1cpac0/

├── .gitattributes
├── .github/
│   ├── CODE_OF_CONDUCT.md
│   ├── CONTRIBUTING.md
│   ├── ISSUE_TEMPLATE/
│   │   ├── bug_report.md
│   │   ├── feature_request.md
│   │   └── questions-and-support.md
│   └── workflows/
│       └── docker-release.yml
├── .gitignore
├── CHANGELOG
├── CITATION.cff
├── LICENSE
├── README.md
├── SECURITY.md
├── core/
│   ├── __init__.py
│   ├── addr.py
│   ├── attribdict.py
│   ├── colorized.py
│   ├── common.py
│   ├── compat.py
│   ├── datatype.py
│   ├── enums.py
│   ├── httpd.py
│   ├── ignore.py
│   ├── log.py
│   ├── parallel.py
│   ├── settings.py
│   ├── trailsdict.py
│   └── update.py
├── docker/
│   ├── Dockerfile
│   ├── README.md
│   ├── docker-compose.yml
│   └── start.sh
├── fail2ban/
│   └── maltrail.conf.example
├── html/
│   ├── README.txt
│   ├── css/
│   │   ├── main.css
│   │   └── media.css
│   ├── index.html
│   ├── js/
│   │   ├── demo.js
│   │   ├── errorhandler.js
│   │   ├── main.js
│   │   └── thirdparty.ccs
│   └── robots.txt
├── maltrail-sensor.service
├── maltrail-server.service
├── maltrail.conf
├── misc/
│   ├── bogon_ranges.txt
│   ├── cdn_ranges.txt
│   ├── ignore_events.txt
│   ├── logo.xcf
│   ├── precommit-hook
│   ├── server.pem
│   ├── ua.txt
│   ├── whitelist.txt
│   └── worst_asns.txt
├── plugins/
│   ├── __init__.py
│   ├── peek.py
│   └── strings.py
├── requirements.txt
├── sensor.py
├── server.py
├── thirdparty/
│   ├── __init__.py
│   ├── odict/
│   │   ├── __init__.py
│   │   └── ordereddict.py
│   └── six/
│       └── __init__.py
└── trails/
    ├── custom/
    │   ├── __init__.py
    │   └── dprk.txt
    ├── feeds/
    │   ├── __init__.py
    │   ├── abuseipdb.py
    │   ├── alienvault.py
    │   ├── atmos.py
    │   ├── badips.py
    │   ├── binarydefense.py
    │   ├── bitcoinnodes.py
    │   ├── blackbook.py
    │   ├── blackholemonster.py
    │   ├── blocklist.py
    │   ├── botscout.py
    │   ├── bruteforceblocker.py
    │   ├── ciarmy.py
    │   ├── cleantalk.py
    │   ├── cobaltstrike.py
    │   ├── cybercrimetracker.py
    │   ├── dataplane.py
    │   ├── dshieldip.py
    │   ├── emergingthreatsbot.py
    │   ├── emergingthreatscip.py
    │   ├── emergingthreatsdns.py
    │   ├── fareit.py
    │   ├── feodotrackerip.py
    │   ├── gpfcomics.py
    │   ├── greensnow.py
    │   ├── ipnoise.py
    │   ├── maxmind.py
    │   ├── minerchk.py
    │   ├── myip.py
    │   ├── openphish.py
    │   ├── palevotracker.py
    │   ├── policeman.py
    │   ├── ransomwaretrackerdns.py
    │   ├── ransomwaretrackerip.py
    │   ├── ransomwaretrackerurl.py
    │   ├── rutgers.py
    │   ├── sblam.py
    │   ├── scriptzteam.py
    │   ├── socksproxy.py
    │   ├── sslproxies.py
    │   ├── statics.py
    │   ├── torproject.py
    │   ├── trickbot.py
    │   ├── turris.py
    │   ├── urlhaus.py
    │   ├── viriback.py
    │   ├── zeustrackermonitor.py
    │   └── zeustrackerurl.py
    └── static/
        ├── __init__.py
        ├── malicious/
        │   ├── 365stealer_phishtool.txt
        │   ├── 404_tds.txt
        │   ├── abcsoup.txt
        │   ├── adaptix_c2.txt
        │   ├── alchimist_c2.txt
        │   ├── alexus_spamtool.txt
        │   ├── anarchy_c2.txt
        │   ├── android_goldoson.txt
        │   ├── android_hiddad.txt
        │   ├── araneida.txt
        │   ├── arl.txt
        │   ├── bad_proxy.txt
        │   ├── bad_script.txt
        │   ├── bad_service.txt
        │   ├── bitrixcore.txt
        │   ├── black_tds.txt
        │   ├── brc4.txt
        │   ├── brchecker.txt
        │   ├── browser_locker.txt
        │   ├── c2_panel.txt
        │   ├── caldera_c2.txt
        │   ├── chromekatz.txt
        │   ├── cloakndagger_c2.txt
        │   ├── contador_spamtool.txt
        │   ├── coreimpact.txt
        │   ├── covenant.txt
        │   ├── cyberstrikeai.txt
        │   ├── deimos_c2.txt
        │   ├── domain_shadowing.txt
        │   ├── ek_angler.txt
        │   ├── ek_bottle.txt
        │   ├── ek_capesand.txt
        │   ├── ek_clearfake.txt
        │   ├── ek_fallout.txt
        │   ├── ek_generic.txt
        │   ├── ek_grandsoft.txt
        │   ├── ek_greenflash.txt
        │   ├── ek_kaixin.txt
        │   ├── ek_landupdate808.txt
        │   ├── ek_magnitude.txt
        │   ├── ek_neutrino.txt
        │   ├── ek_nuclear.txt
        │   ├── ek_purplefox.txt
        │   ├── ek_radio.txt
        │   ├── ek_rig.txt
        │   ├── ek_rogueraticate.txt
        │   ├── ek_router.txt
        │   ├── ek_scamclub.txt
        │   ├── ek_shade.txt
        │   ├── ek_spelevo.txt
        │   ├── ek_trillium.txt
        │   ├── ek_underminer.txt
        │   ├── ek_vextrio.txt
        │   ├── ek_zphp.txt
        │   ├── elf_reversessh.txt
        │   ├── errtraffic_tds.txt
        │   ├── evilginx.txt
        │   ├── filebroser.txt
        │   ├── generic_tds.txt
        │   ├── ghostshell_c2.txt
        │   ├── gophish.txt
        │   ├── hak5cloud_c2.txt
        │   ├── havoc.txt
        │   ├── help_tds.txt
        │   ├── install_capital.txt
        │   ├── install_cube.txt
        │   ├── interactsh.txt
        │   ├── katyabot.txt
        │   ├── keitaro_tds.txt
        │   ├── khepri_c2.txt
        │   ├── ligolo_tunnel.txt
        │   ├── magentocore.txt
        │   ├── merlin_c2.txt
        │   ├── metasploit.txt
        │   ├── mini_c2.txt
        │   ├── modxcore.txt
        │   ├── moneybadgers_tds.txt
        │   ├── msau_autouploader.txt
        │   ├── mythic.txt
        │   ├── nameless_c2.txt
        │   ├── nighthawk.txt
        │   ├── nimplant.txt
        │   ├── openxcore.txt
        │   ├── parrot_tds.txt
        │   ├── perfaudcore.txt
        │   ├── perswaysion.txt
        │   ├── phonyc2.txt
        │   ├── pinnaclecore.txt
        │   ├── prestacore.txt
        │   ├── prometheus_tds.txt
        │   ├── proxychanger.txt
        │   ├── psransom_c2.txt
        │   ├── pushbug.txt
        │   ├── pyramid_c2.txt
        │   ├── python_byob.txt
        │   ├── redguard.txt
        │   ├── redwarden.txt
        │   ├── robloxcore.txt
        │   ├── rogue_dns.txt
        │   ├── savvyseahorse_tds.txt
        │   ├── scareware.txt
        │   ├── shellcodec2.txt
        │   ├── sliver.txt
        │   ├── sms_flooder.txt
        │   ├── socgholish.txt
        │   ├── spiderlabs_responder.txt
        │   ├── supershell_c2.txt
        │   ├── supremebot.txt
        │   ├── sutra_tds.txt
        │   ├── swat_c2.txt
        │   ├── telekopye_scamtool.txt
        │   ├── upx_tds.txt
        │   ├── villian_c2.txt
        │   ├── viper.txt
        │   ├── woof.txt
        │   ├── wp_inject.txt
        │   ├── wraithnet.txt
        │   ├── xiebroc2.txt
        │   ├── xsender_spamtool.txt
        │   ├── xtramailer_spamtool.txt
        │   └── zoro_c2.txt
        ├── malware/
        │   ├── 0bj3ctivity.txt
        │   ├── 0debug.txt
        │   ├── 0ktapus.txt
        │   ├── 0mega.txt
        │   ├── 0xthief.txt
        │   ├── 123.txt
        │   ├── 1312.txt
        │   ├── 1336.txt
        │   ├── 1ms0rry.txt
        │   ├── 404.txt
        │   ├── 411.txt
        │   ├── 44caliber.txt
        │   ├── 4l4md4r_ransomware.txt
        │   ├── 8base.txt
        │   ├── 9002.txt
        │   ├── a310.txt
        │   ├── aabquerys.txt
        │   ├── ab.txt
        │   ├── aboc.txt
        │   ├── absent.txt
        │   ├── acbackdoor.txt
        │   ├── acridrain.txt
        │   ├── activeagent.txt
        │   ├── adrozek.txt
        │   ├── advisorbot.txt
        │   ├── adwind.txt
        │   ├── adylkuzz.txt
        │   ├── adzok.txt
        │   ├── aegis.txt
        │   ├── aeroblade.txt
        │   ├── afrodita.txt
        │   ├── agaadex.txt
        │   ├── againstthewest.txt
        │   ├── agartha.txt
        │   ├── agenttesla.txt
        │   ├── agniane.txt
        │   ├── aguijon.txt
        │   ├── ailock_ransomware.txt
        │   ├── ailurophile.txt
        │   ├── airbot.txt
        │   ├── akey.txt
        │   ├── akira.txt
        │   ├── album.txt
        │   ├── aldibot.txt
        │   ├── alina.txt
        │   ├── allakore.txt
        │   ├── almalocker.txt
        │   ├── almashreq.txt
        │   ├── alpha.txt
        │   ├── alphav.txt
        │   ├── amadey.txt
        │   ├── amatera.txt
        │   ├── amavaldo.txt
        │   ├── amend_miner.txt
        │   ├── ammyyrat.txt
        │   ├── amnesia.txt
        │   ├── amnesiarat.txt
        │   ├── anchor.txt
        │   ├── android_abstractemu.txt
        │   ├── android_acecard.txt
        │   ├── android_actionspy.txt
        │   ├── android_adrd.txt
        │   ├── android_ahmythrat.txt
        │   ├── android_airavat.txt
        │   ├── android_ajina.txt
        │   ├── android_albiriox.txt
        │   ├── android_alienspy.txt
        │   ├── android_andichap.txt
        │   ├── android_androrat.txt
        │   ├── android_antidot.txt
        │   ├── android_anubis.txt
        │   ├── android_arsinkrat.txt
        │   ├── android_arspam.txt
        │   ├── android_asacub.txt
        │   ├── android_autolycos.txt
        │   ├── android_awspy.txt
        │   ├── android_backflash.txt
        │   ├── android_badbox.txt
        │   ├── android_bankbot.txt
        │   ├── android_bankun.txt
        │   ├── android_basbanke.txt
        │   ├── android_basebridge.txt
        │   ├── android_besyria.txt
        │   ├── android_bigpanzi.txt
        │   ├── android_bingomod.txt
        │   ├── android_blackrock.txt
        │   ├── android_blankbot.txt
        │   ├── android_boomslang.txt
        │   ├── android_boxer.txt
        │   ├── android_brokewell.txt
        │   ├── android_buhsam.txt
        │   ├── android_busygasper.txt
        │   ├── android_calibar.txt
        │   ├── android_callerspy.txt
        │   ├── android_camscanner.txt
        │   ├── android_cerberus.txt
        │   ├── android_cherryblos.txt
        │   ├── android_chuli.txt
        │   ├── android_circle.txt
        │   ├── android_claco.txt
        │   ├── android_clayrat.txt
        │   ├── android_clickfraud.txt
        │   ├── android_cometbot.txt
        │   ├── android_cookiethief.txt
        │   ├── android_coolreaper.txt
        │   ├── android_copycat.txt
        │   ├── android_counterclank.txt
        │   ├── android_coyote.txt
        │   ├── android_craxrat.txt
        │   ├── android_crocodilus.txt
        │   ├── android_cyberwurx.txt
        │   ├── android_darkshades.txt
        │   ├── android_dendoroid.txt
        │   ├── android_dougalek.txt
        │   ├── android_droidbot.txt
        │   ├── android_droidjack.txt
        │   ├── android_droidkungfu.txt
        │   ├── android_droidlock.txt
        │   ├── android_eaglemsgspy.txt
        │   ├── android_eaglespy.txt
        │   ├── android_enesoluty.txt
        │   ├── android_ermac.txt
        │   ├── android_escobar.txt
        │   ├── android_eventbot.txt
        │   ├── android_ewalls.txt
        │   ├── android_ewind.txt
        │   ├── android_exobot.txt
        │   ├── android_exodus.txt
        │   ├── android_exprespam.txt
        │   ├── android_facestealer.txt
        │   ├── android_fakeapp.txt
        │   ├── android_fakebanco.txt
        │   ├── android_fakedown.txt
        │   ├── android_fakeinst.txt
        │   ├── android_fakelog.txt
        │   ├── android_fakemart.txt
        │   ├── android_fakemrat.txt
        │   ├── android_fakeneflic.txt
        │   ├── android_fakesecsuit.txt
        │   ├── android_fanta.txt
        │   ├── android_fantasyhub.txt
        │   ├── android_feabme.txt
        │   ├── android_fleckpe.txt
        │   ├── android_flexispy.txt
        │   ├── android_flubot.txt
        │   ├── android_fluhorse.txt
        │   ├── android_fobus.txt
        │   ├── android_fraudbot.txt
        │   ├── android_friend.txt
        │   ├── android_frogblight.txt
        │   ├── android_frogonal.txt
        │   ├── android_funkybot.txt
        │   ├── android_fvncbot.txt
        │   ├── android_gabas.txt
        │   ├── android_geinimi.txt
        │   ├── android_generic.txt
        │   ├── android_geost.txt
        │   ├── android_ghostbatrat.txt
        │   ├── android_ghostpush.txt
        │   ├── android_ghostspy.txt
        │   ├── android_gigabud.txt
        │   ├── android_ginmaster.txt
        │   ├── android_ginp.txt
        │   ├── android_gmaster.txt
        │   ├── android_gnews.txt
        │   ├── android_goatrat.txt
        │   ├── android_godwon.txt
        │   ├── android_golddigger.txt
        │   ├── android_golddream.txt
        │   ├── android_goldencup.txt
        │   ├── android_golfspy.txt
        │   ├── android_gonesixty.txt
        │   ├── android_goontact.txt
        │   ├── android_gplayed.txt
        │   ├── android_gustuff.txt
        │   ├── android_gymdrop.txt
        │   ├── android_gypte.txt
        │   ├── android_handda.txt
        │   ├── android_henbox.txt
        │   ├── android_hermit.txt
        │   ├── android_herodotus.txt
        │   ├── android_hornbill.txt
        │   ├── android_hydra.txt
        │   ├── android_ibanking.txt
        │   ├── android_iconosys.txt
        │   ├── android_joker.txt
        │   ├── android_jsmshider.txt
        │   ├── android_kbuster.txt
        │   ├── android_kemoge.txt
        │   ├── android_klopatra.txt
        │   ├── android_landfall.txt
        │   ├── android_lazarus.txt
        │   ├── android_ligarat.txt
        │   ├── android_lockdroid.txt
        │   ├── android_lotoor.txt
        │   ├── android_lovetrap.txt
        │   ├── android_lunabot.txt
        │   ├── android_malbus.txt
        │   ├── android_malibot.txt
        │   ├── android_mandrake.txt
        │   ├── android_masterfred.txt
        │   ├── android_maxit.txt
        │   ├── android_mazar.txt
        │   ├── android_megasrat.txt
        │   ├── android_mellat.txt
        │   ├── android_mmrat.txt
        │   ├── android_mobok.txt
        │   ├── android_mobstspy.txt
        │   ├── android_monokle.txt
        │   ├── android_nativeworm.txt
        │   ├── android_ngate.txt
        │   ├── android_notcompatible.txt
        │   ├── android_oblivionrat.txt
        │   ├── android_oneclickfraud.txt
        │   ├── android_opfake.txt
        │   ├── android_oscorp.txt
        │   ├── android_ozotshielder.txt
        │   ├── android_pakchat.txt
        │   ├── android_parcel.txt
        │   ├── android_pareto.txt
        │   ├── android_pekkarat.txt
        │   ├── android_perseus.txt
        │   ├── android_phantom.txt
        │   ├── android_phonespy.txt
        │   ├── android_pikspam.txt
        │   ├── android_pixpirate.txt
        │   ├── android_pjapps.txt
        │   ├── android_pjobrat.txt
        │   ├── android_playpraetor.txt
        │   ├── android_promptspy.txt
        │   ├── android_protospy.txt
        │   ├── android_qdplugin.txt
        │   ├── android_qwizzserial.txt
        │   ├── android_raddex.txt
        │   ├── android_rafelrat.txt
        │   ├── android_ransomware.txt
        │   ├── android_ratmilad.txt
        │   ├── android_ratseller.txt
        │   ├── android_redalert.txt
        │   ├── android_regon.txt
        │   ├── android_remotecode.txt
        │   ├── android_repane.txt
        │   ├── android_residentbat.txt
        │   ├── android_riltok.txt
        │   ├── android_roamingmantis.txt
        │   ├── android_rocinante.txt
        │   ├── android_roidsec.txt
        │   ├── android_rotexy.txt
        │   ├── android_salvador.txt
        │   ├── android_samsapo.txt
        │   ├── android_sandrorat.txt
        │   ├── android_selfmite.txt
        │   ├── android_shadowvoice.txt
        │   ├── android_shahilrat.txt
        │   ├── android_sharkbot.txt
        │   ├── android_shopper.txt
        │   ├── android_simbad.txt
        │   ├── android_simplocker.txt
        │   ├── android_skullkey.txt
        │   ├── android_smsfactory.txt
        │   ├── android_sndapps.txt
        │   ├── android_sparkkitty.txt
        │   ├── android_spinok.txt
        │   ├── android_spynote.txt
        │   ├── android_spysolrrat.txt
        │   ├── android_spytekcell.txt
        │   ├── android_stels.txt
        │   ├── android_surxrat.txt
        │   ├── android_svpeng.txt
        │   ├── android_swanalitics.txt
        │   ├── android_teabot.txt
        │   ├── android_teelog.txt
        │   ├── android_telerat.txt
        │   ├── android_tetus.txt
        │   ├── android_tgtoxic.txt
        │   ├── android_th33ht.txt
        │   ├── android_thamera.txt
        │   ├── android_thiefbot.txt
        │   ├── android_tonclank.txt
        │   ├── android_torec.txt
        │   ├── android_triada.txt
        │   ├── android_uracto.txt
        │   ├── android_usbcleaver.txt
        │   ├── android_vapor.txt
        │   ├── android_viceleaker.txt
        │   ├── android_vmvol.txt
        │   ├── android_vo1d.txt
        │   ├── android_vultur.txt
        │   ├── android_windseeker.txt
        │   ├── android_wirex.txt
        │   ├── android_wolfrat.txt
        │   ├── android_wpeeper.txt
        │   ├── android_xavirad.txt
        │   ├── android_xbot007.txt
        │   ├── android_xenomorph.txt
        │   ├── android_xerxes.txt
        │   ├── android_xhelper.txt
        │   ├── android_xploitspy.txt
        │   ├── android_ynrk.txt
        │   ├── android_z3core.txt
        │   ├── android_zertsecurity.txt
        │   ├── android_ztorg.txt
        │   ├── andromeda.txt
        │   ├── androxgh0st.txt
        │   ├── anel.txt
        │   ├── anivia.txt
        │   ├── anonrat.txt
        │   ├── anonvnc.txt
        │   ├── antarctica.txt
        │   ├── antefrigus.txt
        │   ├── antibot.txt
        │   ├── antigravityrat.txt
        │   ├── anubis.txt
        │   ├── anubis_ransomware.txt
        │   ├── anuna.txt
        │   ├── aotera.txt
        │   ├── apocalypse.txt
        │   ├── apossec.txt
        │   ├── apt_12.txt
        │   ├── apt_17.txt
        │   ├── apt_18.txt
        │   ├── apt_1877team.txt
        │   ├── apt_23.txt
        │   ├── apt_27.txt
        │   ├── apt_30.txt
        │   ├── apt_33.txt
        │   ├── apt_37.txt
        │   ├── apt_38.txt
        │   ├── apt_45.txt
        │   ├── apt_48.txt
        │   ├── apt_5.txt
        │   ├── apt_60.txt
        │   ├── apt_68.txt
        │   ├── apt_73.txt
        │   ├── apt_aoqindragon.txt
        │   ├── apt_appin.txt
        │   ├── apt_aridviper.txt
        │   ├── apt_atlascross.txt
        │   ├── apt_babar.txt
        │   ├── apt_babyshark.txt
        │   ├── apt_badmagic.txt
        │   ├── apt_bahamut.txt
        │   ├── apt_banishedkitten.txt
        │   ├── apt_barium.txt
        │   ├── apt_batshadow.txt
        │   ├── apt_bisonal.txt
        │   ├── apt_bitter.txt
        │   ├── apt_blackgear.txt
        │   ├── apt_blacktech.txt
        │   ├── apt_bladedfeline.txt
        │   ├── apt_blindeagle.txt
        │   ├── apt_bloodywolf.txt
        │   ├── apt_bluenoroff.txt
        │   ├── apt_blueprint.txt
        │   ├── apt_bookworm.txt
        │   ├── apt_boteam.txt
        │   ├── apt_buhtrap.txt
        │   ├── apt_cadetblizzard.txt
        │   ├── apt_calypso.txt
        │   ├── apt_camarodragon.txt
        │   ├── apt_caracalkitten.txt
        │   ├── apt_carbonspider.txt
        │   ├── apt_carderbee.txt
        │   ├── apt_careto.txt
        │   ├── apt_casper.txt
        │   ├── apt_cdt.txt
        │   ├── apt_chafer.txt
        │   ├── apt_chamelgang.txt
        │   ├── apt_charmingkitten.txt
        │   ├── apt_cleaver.txt
        │   ├── apt_cloudatlas.txt
        │   ├── apt_cloudwizard.txt
        │   ├── apt_cobaltdickens.txt
        │   ├── apt_codoso.txt
        │   ├── apt_coldriver.txt
        │   ├── apt_coldwastrel.txt
        │   ├── apt_commentcrew.txt
        │   ├── apt_copykittens.txt
        │   ├── apt_cosmicduke.txt
        │   ├── apt_crimsoncollective.txt
        │   ├── apt_cyberav3ngers.txt
        │   ├── apt_cyberbit.txt
        │   ├── apt_dalbit.txt
        │   ├── apt_darkcaracal.txt
        │   ├── apt_darkhotel.txt
        │   ├── apt_darkhydrus.txt
        │   ├── apt_darkpink.txt
        │   ├── apt_darkriver.txt
        │   ├── apt_deadlykiss.txt
        │   ├── apt_deathstalker.txt
        │   ├── apt_desertfalcon.txt
        │   ├── apt_dnspionage.txt
        │   ├── apt_docless.txt
        │   ├── apt_domestickitten.txt
        │   ├── apt_donot.txt
        │   ├── apt_downex.txt
        │   ├── apt_dragonok.txt
        │   ├── apt_driftingcloud.txt
        │   ├── apt_duke.txt
        │   ├── apt_dunequixote.txt
        │   ├── apt_dustspecter.txt
        │   ├── apt_dustsquad.txt
        │   ├── apt_earthberberoka.txt
        │   ├── apt_earthestries.txt
        │   ├── apt_earthhundun.txt
        │   ├── apt_earthkrahang.txt
        │   ├── apt_earthkurma.txt
        │   ├── apt_earthwendigo.txt
        │   ├── apt_egomaniac.txt
        │   ├── apt_energeticbear.txt
        │   ├── apt_equationgroup.txt
        │   ├── apt_evapiks.txt
        │   ├── apt_evasivepanda.txt
        │   ├── apt_ezq.txt
        │   ├── apt_familiarfeeling.txt
        │   ├── apt_ferociouskitten.txt
        │   ├── apt_finfisher.txt
        │   ├── apt_flame.txt
        │   ├── apt_flaxtyphoon.txt
        │   ├── apt_flightnight.txt
        │   ├── apt_flyingyeti.txt
        │   ├── apt_forumtroll.txt
        │   ├── apt_fruityarmor.txt
        │   ├── apt_gallmaker.txt
        │   ├── apt_gamaredon-1.txt
        │   ├── apt_gamaredon.txt
        │   ├── apt_gaza.txt
        │   ├── apt_ghostemperor.txt
        │   ├── apt_glasses.txt
        │   ├── apt_golddragon.txt
        │   ├── apt_goldenbird.txt
        │   ├── apt_goldenjackal.txt
        │   ├── apt_goldenrat.txt
        │   ├── apt_goldmelody.txt
        │   ├── apt_goldmouse.txt
        │   ├── apt_gorgon.txt
        │   ├── apt_gothicpanda.txt
        │   ├── apt_grayling.txt
        │   ├── apt_greenspot.txt
        │   ├── apt_gref.txt
        │   ├── apt_greyenergy.txt
        │   ├── apt_groundbait.txt
        │   ├── apt_group5.txt
        │   ├── apt_hackingteam.txt
        │   ├── apt_hafnium.txt
        │   ├── apt_hangover.txt
        │   ├── apt_hellhounds.txt
        │   ├── apt_hermit.txt
        │   ├── apt_hezirash.txt
        │   ├── apt_higaisa.txt
        │   ├── apt_hogfish.txt
        │   ├── apt_icefog.txt
        │   ├── apt_icepeony.txt
        │   ├── apt_imperialkitten.txt
        │   ├── apt_indigozebra.txt
        │   ├── apt_indra.txt
        │   ├── apt_inedibleochotense.txt
        │   ├── apt_infy.txt
        │   ├── apt_innaput.txt
        │   ├── apt_irn2.txt
        │   ├── apt_ironhusky.txt
        │   ├── apt_irontiger.txt
        │   ├── apt_isoon.txt
        │   ├── apt_judgmentpanda.txt
        │   ├── apt_kapeka.txt
        │   ├── apt_karakurt.txt
        │   ├── apt_kasablanka.txt
        │   ├── apt_ke3chang.txt
        │   ├── apt_keyboy.txt
        │   ├── apt_kimsuky.txt
        │   ├── apt_kun3.txt
        │   ├── apt_lazarus.txt
        │   ├── apt_lazyscripter.txt
        │   ├── apt_leafminer.txt
        │   ├── apt_librarianghouls.txt
        │   ├── apt_longhorn.txt
        │   ├── apt_longnosedgoblin.txt
        │   ├── apt_lotusblossom.txt
        │   ├── apt_luckycat.txt
        │   ├── apt_luminousmoth.txt
        │   ├── apt_lyceum.txt
        │   ├── apt_machete.txt
        │   ├── apt_malkamak.txt
        │   ├── apt_marbleddust.txt
        │   ├── apt_menupass.txt
        │   ├── apt_mercenaryamanda.txt
        │   ├── apt_middleeast.txt
        │   ├── apt_middlefloor.txt
        │   ├── apt_miniduke.txt
        │   ├── apt_mirrorface.txt
        │   ├── apt_modifiedelephant.txt
        │   ├── apt_motorbeacon.txt
        │   ├── apt_moustachedbouncer.txt
        │   ├── apt_mudcarp.txt
        │   ├── apt_muddywater.txt
        │   ├── apt_murenshark.txt
        │   ├── apt_mustangpanda.txt
        │   ├── apt_naikon.txt
        │   ├── apt_nettraveler.txt
        │   ├── apt_newsbeef.txt
        │   ├── apt_newspenguin.txt
        │   ├── apt_nighteagle.txt
        │   ├── apt_noisybear.txt
        │   ├── apt_noname05716.txt
        │   ├── apt_novispy.txt
        │   ├── apt_obsmogwai.txt
        │   ├── apt_oceanlotus.txt
        │   ├── apt_oilalpha.txt
        │   ├── apt_oilrig.txt
        │   ├── apt_onyxsleet.txt
        │   ├── apt_opera1er.txt
        │   ├── apt_packrat.txt
        │   ├── apt_paperwerewolf.txt
        │   ├── apt_paragon.txt
        │   ├── apt_patchwork.txt
        │   ├── apt_peepingtitle.txt
        │   ├── apt_pegasus.txt
        │   ├── apt_pittytiger.txt
        │   ├── apt_pkplug.txt
        │   ├── apt_platinum.txt
        │   ├── apt_poisonneedles.txt
        │   ├── apt_pokingthebear.txt
        │   ├── apt_polonium.txt
        │   ├── apt_potao.txt
        │   ├── apt_predator.txt
        │   ├── apt_punishingowl.txt
        │   ├── apt_purplehaze.txt
        │   ├── apt_putterpanda.txt
        │   ├── apt_q015.txt
        │   ├── apt_q12.txt
        │   ├── apt_q27.txt
        │   ├── apt_quarian.txt
        │   ├── apt_quasar.txt
        │   ├── apt_rainbowhyena.txt
        │   ├── apt_rampantkitten.txt
        │   ├── apt_rancor.txt
        │   ├── apt_reaper.txt
        │   ├── apt_redbaldknight.txt
        │   ├── apt_redfoxtrot.txt
        │   ├── apt_redjuliett.txt
        │   ├── apt_rednovember.txt
        │   ├── apt_redoctober.txt
        │   ├── apt_redwolf.txt
        │   ├── apt_rnexus.txt
        │   ├── apt_rocketman.txt
        │   ├── apt_rusticweb.txt
        │   ├── apt_saguaro.txt
        │   ├── apt_sandman.txt
        │   ├── apt_sandworm.txt
        │   ├── apt_sauron.txt
        │   ├── apt_scanbox.txt
        │   ├── apt_scarletmimic.txt
        │   ├── apt_scieron.txt
        │   ├── apt_seaflower.txt
        │   ├── apt_sectora05.txt
        │   ├── apt_shamoon.txt
        │   ├── apt_sharppanda.txt
        │   ├── apt_shiqiang.txt
        │   ├── apt_sidewinder.txt
        │   ├── apt_silence.txt
        │   ├── apt_silencerlion.txt
        │   ├── apt_silentlynx.txt
        │   ├── apt_simbaa.txt
        │   ├── apt_skycloak.txt
        │   ├── apt_snowman.txt
        │   ├── apt_sobaken.txt
        │   ├── apt_sofacy.txt
        │   ├── apt_spacepirates.txt
        │   ├── apt_stealthfalcon.txt
        │   ├── apt_stolenpencil.txt
        │   ├── apt_stonedrill.txt
        │   ├── apt_stonefly.txt
        │   ├── apt_strongpity.txt
        │   ├── apt_stuxnet.txt
        │   ├── apt_ta2101.txt
        │   ├── apt_ta240524.txt
        │   ├── apt_ta410.txt
        │   ├── apt_ta416.txt
        │   ├── apt_ta428.txt
        │   ├── apt_ta555.txt
        │   ├── apt_ta5918.txt
        │   ├── apt_tag22.txt
        │   ├── apt_tag28.txt
        │   ├── apt_tajmahal.txt
        │   ├── apt_tealkurma.txt
        │   ├── apt_telebots.txt
        │   ├── apt_tempperiscope.txt
        │   ├── apt_temptingcedar.txt
        │   ├── apt_tengyunsnake.txt
        │   ├── apt_thewizards.txt
        │   ├── apt_tibet.txt
        │   ├── apt_tick.txt
        │   ├── apt_tidrone.txt
        │   ├── apt_tinyscouts.txt
        │   ├── apt_toddycat.txt
        │   ├── apt_tortoiseshell.txt
        │   ├── apt_transparenttribe.txt
        │   ├── apt_triangulation.txt
        │   ├── apt_turla.txt
        │   ├── apt_tvrms.txt
        │   ├── apt_twistedpanda.txt
        │   ├── apt_unc1151.txt
        │   ├── apt_unc215.txt
        │   ├── apt_unc2190.txt
        │   ├── apt_unc2447.txt
        │   ├── apt_unc2452.txt
        │   ├── apt_unc2465.txt
        │   ├── apt_unc2529.txt
        │   ├── apt_unc2565.txt
        │   ├── apt_unc2596.txt
        │   ├── apt_unc2814.txt
        │   ├── apt_unc2970.txt
        │   ├── apt_unc3500.txt
        │   ├── apt_unc3535.txt
        │   ├── apt_unc3886.txt
        │   ├── apt_unc3890.txt
        │   ├── apt_unc3966.txt
        │   ├── apt_unc4108.txt
        │   ├── apt_unc4166.txt
        │   ├── apt_unc4191.txt
        │   ├── apt_unc4210.txt
        │   ├── apt_unc4221.txt
        │   ├── apt_unc4553.txt
        │   ├── apt_unc4841.txt
        │   ├── apt_unc4899.txt
        │   ├── apt_unc4990.txt
        │   ├── apt_unc5174.txt
        │   ├── apt_unc5221.txt
        │   ├── apt_unc5537.txt
        │   ├── apt_unc5792.txt
        │   ├── apt_unc5812.txt
        │   ├── apt_unc5952.txt
        │   ├── apt_unc6293.txt
        │   ├── apt_unc6353.txt
        │   ├── apt_unc6691.txt
        │   ├── apt_unc961.txt
        │   ├── apt_unclassified.txt
        │   ├── apt_ush.txt
        │   ├── apt_vajraeleph.txt
        │   ├── apt_venomspider.txt
        │   ├── apt_vicesociety.txt
        │   ├── apt_viciouspanda.txt
        │   ├── apt_voidarachne.txt
        │   ├── apt_voidblizzard.txt
        │   ├── apt_volatilecedar.txt
        │   ├── apt_weakestlink.txt
        │   ├── apt_webky.txt
        │   ├── apt_whitecompany.txt
        │   ├── apt_wickedpanda.txt
        │   ├── apt_windshift.txt
        │   ├── apt_wintervivern.txt
        │   ├── apt_wirte.txt
        │   ├── apt_wuqiongdong.txt
        │   ├── apt_xdspy.txt
        │   ├── apt_xpath.txt
        │   ├── aptlock_ransomware.txt
        │   ├── arachna_ransomware.txt
        │   ├── arackus.txt
        │   ├── arcane.txt
        │   ├── arcanedoor.txt
        │   ├── arcrypter.txt
        │   ├── arcusmedia.txt
        │   ├── arec.txt
        │   ├── areses.txt
        │   ├── argonauts.txt
        │   ├── arkana.txt
        │   ├── arkanix.txt
        │   ├── arkei.txt
        │   ├── arrowrat.txt
        │   ├── artemisrat.txt
        │   ├── artro.txt
        │   ├── arvin.txt
        │   ├── aspire.txt
        │   ├── asruex.txt
        │   ├── astarionrat.txt
        │   ├── astaroth.txt
        │   ├── astrobot.txt
        │   ├── astrolocker.txt
        │   ├── asyncrat.txt
        │   ├── athenagorat.txt
        │   ├── athenahttp.txt
        │   ├── atilla.txt
        │   ├── atlantida.txt
        │   ├── atm_dispcash.txt
        │   ├── atmos.txt
        │   ├── atomlogger.txt
        │   ├── atomsilo.txt
        │   ├── atroposia.txt
        │   ├── attor.txt
        │   ├── aurora.txt
        │   ├── aurotun.txt
        │   ├── autoit.txt
        │   ├── avaddon.txt
        │   ├── avalanche.txt
        │   ├── avast_ransomware.txt
        │   ├── avemaria.txt
        │   ├── avoslocker.txt
        │   ├── avrecon.txt
        │   ├── axespec.txt
        │   ├── axile.txt
        │   ├── axolotl.txt
        │   ├── axpergle.txt
        │   ├── aybo.txt
        │   ├── azorult.txt
        │   ├── aztro.txt
        │   ├── babadeda.txt
        │   ├── babmote.txt
        │   ├── babuk.txt
        │   ├── babybot.txt
        │   ├── babyduck.txt
        │   ├── babylonrat.txt
        │   ├── bachosens.txt
        │   ├── backnet.txt
        │   ├── backoff.txt
        │   ├── badblock.txt
        │   ├── badiis.txt
        │   ├── badrabbit.txt
        │   ├── balamid.txt
        │   ├── baldr.txt
        │   ├── balkanrat.txt
        │   ├── bamital.txt
        │   ├── bananasulfate.txt
        │   ├── bandit.txt
        │   ├── bandook.txt
        │   ├── bankapol.txt
        │   ├── bankerclip.txt
        │   ├── bankerflux.txt
        │   ├── bankiacry.txt
        │   ├── bankpatch.txt
        │   ├── banload.txt
        │   ├── banprox.txt
        │   ├── banwarum.txt
        │   ├── barkio.txt
        │   ├── barys.txt
        │   ├── batloader.txt
        │   ├── bayrob.txt
        │   ├── bazarloader.txt
        │   ├── bbtok.txt
        │   ├── bby.txt
        │   ├── bbz.txt
        │   ├── beamwinhttp.txt
        │   ├── beapy.txt
        │   ├── bear.txt
        │   ├── beast_ransomware.txt
        │   ├── bedep.txt
        │   ├── beebone.txt
        │   ├── belesn_ransomware.txt
        │   ├── belonard.txt
        │   ├── benzona.txt
        │   ├── bert.txt
        │   ├── bestafera.txt
        │   ├── betabot.txt
        │   ├── bezigaterat.txt
        │   ├── bianlian.txt
        │   ├── bifrost.txt
        │   ├── biskvit.txt
        │   ├── bitbyte.txt
        │   ├── bitpaymer.txt
        │   ├── bitrat.txt
        │   ├── bitshifter.txt
        │   ├── bitstealer.txt
        │   ├── blackbasta.txt
        │   ├── blackbyte.txt
        │   ├── blackdolphin.txt
        │   ├── blackfield.txt
        │   ├── blackhole.txt
        │   ├── blackhunt.txt
        │   ├── blackkingdom.txt
        │   ├── blacklotus.txt
        │   ├── blackmagic.txt
        │   ├── blackmatter.txt
        │   ├── blackmoon.txt
        │   ├── blacknet.txt
        │   ├── blacknevas.txt
        │   ├── blacknixrat.txt
        │   ├── blacknote.txt
        │   ├── blackrat.txt
        │   ├── blackreaperrat.txt
        │   ├── blackrota.txt
        │   ├── blackshades.txt
        │   ├── blackshadow.txt
        │   ├── blackshrantac.txt
        │   ├── blacksquid.txt
        │   ├── blackstrike.txt
        │   ├── blacksuit_ransomware.txt
        │   ├── blacktor.txt
        │   ├── blackwater.txt
        │   ├── blackworm.txt
        │   ├── blankgrabber.txt
        │   ├── blaze.txt
        │   ├── blister.txt
        │   ├── blitz.txt
        │   ├── blockbuster.txt
        │   ├── bloody.txt
        │   ├── bloored.txt
        │   ├── bluebananarat.txt
        │   ├── bluebot.txt
        │   ├── bluebox.txt
        │   ├── bluecrab.txt
        │   ├── bluefox.txt
        │   ├── bluesky.txt
        │   ├── blx.txt
        │   ├── bobax.txt
        │   ├── bofamet.txt
        │   ├── bolek.txt
        │   ├── bolik.txt
        │   ├── bomber.txt
        │   ├── bonaci.txt
        │   ├── bondat.txt
        │   ├── bondnet.txt
        │   ├── bonsoir.txt
        │   ├── boolka.txt
        │   ├── bootkitty.txt
        │   ├── borr.txt
        │   ├── boryptgrab.txt
        │   ├── bot_asus.txt
        │   ├── bot_mikrotik.txt
        │   ├── boteye.txt
        │   ├── boxclipper.txt
        │   ├── bozokrat.txt
        │   ├── bqtlock_ransomware.txt
        │   ├── braincipher.txt
        │   ├── braodo.txt
        │   ├── bravox_ransomware.txt
        │   ├── brbbot.txt
        │   ├── bredolab.txt
        │   ├── breut.txt
        │   ├── brontok.txt
        │   ├── bronzestarlight.txt
        │   ├── brookrat.txt
        │   ├── bropass.txt
        │   ├── brotherhood.txt
        │   ├── brushaloader.txt
        │   ├── bsloader.txt
        │   ├── bubnix.txt
        │   ├── bucriv.txt
        │   ├── buer.txt
        │   ├── bughatch.txt
        │   ├── bulehero.txt
        │   ├── bundlebot.txt
        │   ├── bunitu.txt
        │   ├── bunnyloader.txt
        │   ├── buran.txt
        │   ├── buterat.txt
        │   ├── butter.txt
        │   ├── byakugan.txt
        │   ├── cabinetrat.txt
        │   ├── cactus.txt
        │   ├── cactustorch.txt
        │   ├── caesar.txt
        │   ├── calfbot.txt
        │   ├── camerashy.txt
        │   ├── can.txt
        │   ├── cannibalrat.txt
        │   ├── capturatela.txt
        │   ├── carberp.txt
        │   ├── cardinalrat.txt
        │   ├── carnavalheist.txt
        │   ├── casbaneiro.txt
        │   ├── cashrat.txt
        │   ├── caspersec.txt
        │   ├── cassiopeia.txt
        │   ├── cattore.txt
        │   ├── ccleaner_backdoor.txt
        │   ├── ceidpagelock.txt
        │   ├── celestial.txt
        │   ├── centurion.txt
        │   ├── cephalus.txt
        │   ├── cerber.txt
        │   ├── cerbfyne.txt
        │   ├── cerbu.txt
        │   ├── cereals.txt
        │   ├── certishell.txt
        │   ├── cgnrat.txt
        │   ├── chainshot.txt
        │   ├── changeup.txt
        │   ├── chanitor.txt
        │   ├── chaos_ransomware.txt
        │   ├── chaosc2.txt
        │   ├── chaosrat.txt
        │   ├── chasebot.txt
        │   ├── cherryloader.txt
        │   ├── cheshire.txt
        │   ├── chewbacca.txt
        │   ├── chicxulub.txt
        │   ├── chimerabot.txt
        │   ├── chimneysweep.txt
        │   ├── chinachopper.txt
        │   ├── chinoxy.txt
        │   ├── chisbur.txt
        │   ├── chort.txt
        │   ├── chromelevator.txt
        │   ├── chromeloader.txt
        │   ├── chthonic.txt
        │   ├── ciadoor.txt
        │   ├── cicada3301.txt
        │   ├── cinasquel.txt
        │   ├── cinobi.txt
        │   ├── ciphbit.txt
        │   ├── cipherforce.txt
        │   ├── cirenegrat.txt
        │   ├── cleanup.txt
        │   ├── clearwater.txt
        │   ├── clientmeshrat.txt
        │   ├── clipsa.txt
        │   ├── cloak_ransomware.txt
        │   ├── clop.txt
        │   ├── cloudeye.txt
        │   ├── cloudstalker.txt
        │   ├── cmdstealer.txt
        │   ├── coalabot.txt
        │   ├── cobalt.txt
        │   ├── cobaltstrike-1.txt
        │   ├── cobaltstrike-2.txt
        │   ├── cobaltstrike.txt
        │   ├── cobianrat.txt
        │   ├── cobint.txt
        │   ├── coderware_ransomware.txt
        │   ├── coffeeloader.txt
        │   ├── coinbasecartel.txt
        │   ├── coinloader.txt
        │   ├── cold.txt
        │   ├── colibriloader.txt
        │   ├── collector.txt
        │   ├── cometer.txt
        │   ├── conficker.txt
        │   ├── conti.txt
        │   ├── contopee.txt
        │   ├── cookiest.txt
        │   ├── cooming.txt
        │   ├── corebot.txt
        │   ├── cosmicstrand.txt
        │   ├── cotxrat.txt
        │   ├── countloader.txt
        │   ├── couponarific.txt
        │   ├── cova.txt
        │   ├── crackonosh.txt
        │   ├── crapsomware.txt
        │   ├── cratedepression.txt
        │   ├── crazyhunter.txt
        │   ├── creal.txt
        │   ├── criakl.txt
        │   ├── cridex.txt
        │   ├── crilock.txt
        │   ├── cring.txt
        │   ├── cripto.txt
        │   ├── crmstealer.txt
        │   ├── crosslock.txt
        │   ├── cry0_ransomware.txt
        │   ├── cryakl.txt
        │   ├── crylocker.txt
        │   ├── cryp70n1c0d3.txt
        │   ├── cryptbb_ransomware.txt
        │   ├── cryptbot.txt
        │   ├── cryptfile2.txt
        │   ├── cryptinfinite.txt
        │   ├── cryptn8_ransomware.txt
        │   ├── cryptnet.txt
        │   ├── crypto24.txt
        │   ├── cryptoclippy.txt
        │   ├── cryptocroc.txt
        │   ├── cryptodefense.txt
        │   ├── cryptolocker.txt
        │   ├── cryptoshield.txt
        │   ├── cryptowall.txt
        │   ├── cryptxxx.txt
        │   ├── cryrig_miner.txt
        │   ├── crystealer.txt
        │   ├── csharpstreamerrat.txt
        │   ├── ctblocker.txt
        │   ├── cuba.txt
        │   ├── cube.txt
        │   ├── cutwail.txt
        │   ├── cybergaterat.txt
        │   ├── cyberstealer.txt
        │   ├── cylance.txt
        │   ├── cypress.txt
        │   ├── cythosia.txt
        │   ├── d0glun_ransomware.txt
        │   ├── d1onis.txt
        │   ├── d4rk4rmy.txt
        │   ├── dailyscriptlet.txt
        │   ├── daixin.txt
        │   ├── damoclis.txt
        │   ├── dan0n_ransomware.txt
        │   ├── danabot.txt
        │   ├── dangerous.txt
        │   ├── danji.txt
        │   ├── daolpu.txt
        │   ├── darkangels.txt
        │   ├── darkcloud.txt
        │   ├── darkddoser.txt
        │   ├── darkeye.txt
        │   ├── darkgate.txt
        │   ├── darkhole.txt
        │   ├── darkirc.txt
        │   ├── darkleak.txt
        │   ├── darkloader.txt
        │   ├── darkmoon.txt
        │   ├── darkpower.txt
        │   ├── darkrat.txt
        │   ├── darkshell.txt
        │   ├── darkshinigamis.txt
        │   ├── darkside.txt
        │   ├── darktortilla.txt
        │   ├── darkvault.txt
        │   ├── darkvision.txt
        │   ├── darkvnc.txt
        │   ├── darkware.txt
        │   ├── darkwatchman.txt
        │   ├── darkylock.txt
        │   ├── darth.txt
        │   ├── datacarry.txt
        │   ├── datakeeper.txt
        │   ├── dataleak_ransomware.txt
        │   ├── dcrat.txt
        │   ├── deadbolt.txt
        │   ├── deadglyph.txt
        │   ├── deadnetbot.txt
        │   ├── deathlocker.txt
        │   ├── deedrat.txt
        │   ├── defray.txt
        │   ├── defru.txt
        │   ├── deftloader.txt
        │   ├── delfloader.txt
        │   ├── delshad.txt
        │   ├── deltastealer.txt
        │   ├── denizkizi.txt
        │   ├── denonia.txt
        │   ├── deprimon.txt
        │   ├── derialock.txt
        │   ├── dero_miner.txt
        │   ├── desckvbrat.txt
        │   ├── desolator.txt
        │   ├── destiny.txt
        │   ├── destory.txt
        │   ├── destruktor.txt
        │   ├── detroie.txt
        │   ├── devilshadow.txt
        │   ├── devilstongue.txt
        │   ├── devman.txt
        │   ├── dexter.txt
        │   ├── dexwarerat.txt
        │   ├── dharma.txt
        │   ├── diablorat.txt
        │   ├── diamondfoxrat.txt
        │   ├── diavlo.txt
        │   ├── diavol.txt
        │   ├── diddy.txt
        │   ├── diez.txt
        │   ├── dimnie.txt
        │   ├── dior.txt
        │   ├── dircrypt.txt
        │   ├── dirtjump.txt
        │   ├── discordgrabber.txt
        │   ├── dmalocker.txt
        │   ├── dmsniff.txt
        │   ├── dmsspy.txt
        │   ├── dnsbirthday.txt
        │   ├── dnschanger.txt
        │   ├── dnstrojan.txt
        │   ├── dockerhub_malrepos.txt
        │   ├── doenerium.txt
        │   ├── dofoil.txt
        │   ├── doge.txt
        │   ├── dohdoor.txt
        │   ├── domen.txt
        │   ├── donex.txt
        │   ├── donut.txt
        │   ├── dopplepaymer.txt
        │   ├── doraemon.txt
        │   ├── dorifel.txt
        │   ├── dorkbot.txt
        │   ├── dorshel.txt
        │   ├── dorv.txt
        │   ├── dotrunpex.txt
        │   ├── doublefinger.txt
        │   ├── doubleguns.txt
        │   ├── doubleloader.txt
        │   ├── dracula.txt
        │   ├── dragonforce.txt
        │   ├── drahma.txt
        │   ├── drapion.txt
        │   ├── dread.txt
        │   ├── dreamc2.txt
        │   ├── dridex.txt
        │   ├── drill_ransomware.txt
        │   ├── drillapp.txt
        │   ├── drokbk.txt
        │   ├── dropnak.txt
        │   ├── droppitch.txt
        │   ├── dslog.txt
        │   ├── dtstealer.txt
        │   ├── dualtoy.txt
        │   ├── duckrat.txt
        │   ├── ducktail.txt
        │   ├── dupzom.txt
        │   ├── duri.txt
        │   ├── dursg.txt
        │   ├── dustrat.txt
        │   ├── duvet.txt
        │   ├── dynamicrat.txt
        │   ├── dyreza.txt
        │   ├── eaglerat.txt
        │   ├── easy.txt
        │   ├── easypeasy.txt
        │   ├── ebola.txt
        │   ├── echelon.txt
        │   ├── echida.txt
        │   ├── eddie.txt
        │   ├── edgeguard.txt
        │   ├── egregor.txt
        │   ├── ekiparat.txt
        │   ├── eldorado_ransomware.txt
        │   ├── electronbot.txt
        │   ├── electrorat.txt
        │   ├── elf_abcbot.txt
        │   ├── elf_aidra.txt
        │   ├── elf_amcsh.txt
        │   ├── elf_amnesiark.txt
        │   ├── elf_asnarok.txt
        │   ├── elf_autocolor.txt
        │   ├── elf_b1txor20.txt
        │   ├── elf_bigviktor.txt
        │   ├── elf_billgates.txt
        │   ├── elf_blueshell.txt
        │   ├── elf_boldmove.txt
        │   ├── elf_cdrthief.txt
        │   ├── elf_chalubo.txt
        │   ├── elf_chinaz.txt
        │   ├── elf_coinminer.txt
        │   ├── elf_cronrat.txt
        │   ├── elf_darkradiation.txt
        │   ├── elf_darlloz.txt
        │   ├── elf_ddosman.txt
        │   ├── elf_disgomoji.txt
        │   ├── elf_diskwiper.txt
        │   ├── elf_dofloo.txt
        │   ├── elf_doki.txt
        │   ├── elf_ekoms.txt
        │   ├── elf_emptiness.txt
        │   ├── elf_evilgnome.txt
        │   ├── elf_ewdoor.txt
        │   ├── elf_facefish.txt
        │   ├── elf_fodcha.txt
        │   ├── elf_fontonlake.txt
        │   ├── elf_freakout.txt
        │   ├── elf_fritzfrog.txt
        │   ├── elf_gafgyt.txt
        │   ├── elf_generic.txt
        │   ├── elf_gobrat.txt
        │   ├── elf_gotitan.txt
        │   ├── elf_groundhog.txt
        │   ├── elf_h2miner.txt
        │   ├── elf_hajime.txt
        │   ├── elf_heh.txt
        │   ├── elf_hellobot.txt
        │   ├── elf_hiatusrat.txt
        │   ├── elf_hiddenwasp.txt
        │   ├── elf_hideseek.txt
        │   ├── elf_hodin.txt
        │   ├── elf_httpsd.txt
        │   ├── elf_icnanker.txt
        │   ├── elf_insekt.txt
        │   ├── elf_iotreaper.txt
        │   ├── elf_ipstorm.txt
        │   ├── elf_kaiji.txt
        │   ├── elf_kaiten.txt
        │   ├── elf_kfos.txt
        │   ├── elf_kmsdbot.txt
        │   ├── elf_kobalos.txt
        │   ├── elf_krane.txt
        │   ├── elf_krasue.txt
        │   ├── elf_labrat.txt
        │   ├── elf_lady.txt
        │   ├── elf_manx.txt
        │   ├── elf_mayhem.txt
        │   ├── elf_melofee.txt
        │   ├── elf_mirai.txt
        │   ├── elf_mokes.txt
        │   ├── elf_moobot.txt
        │   ├── elf_mumblehard.txt
        │   ├── elf_ngioweb.txt
        │   ├── elf_nkabuse.txt
        │   ├── elf_nspps.txt
        │   ├── elf_openssh_backdoorkit.txt
        │   ├── elf_pacha.txt
        │   ├── elf_pasteminer.txt
        │   ├── elf_patpooty.txt
        │   ├── elf_perfctl.txt
        │   ├── elf_pgmem.txt
        │   ├── elf_pink.txt
        │   ├── elf_pinscan.txt
        │   ├── elf_platypus.txt
        │   ├── elf_plox.txt
        │   ├── elf_powerghost.txt
        │   ├── elf_prism.txt
        │   ├── elf_pumakit.txt
        │   ├── elf_qbot.txt
        │   ├── elf_ransomware.txt
        │   ├── elf_redxor.txt
        │   ├── elf_rekoobe.txt
        │   ├── elf_roboto.txt
        │   ├── elf_routex.txt
        │   ├── elf_rudedevil.txt
        │   ├── elf_shelldos.txt
        │   ├── elf_shikata.txt
        │   ├── elf_shikitega.txt
        │   ├── elf_sidewalk.txt
        │   ├── elf_skidmap.txt
        │   ├── elf_slexec.txt
        │   ├── elf_smargaft.txt
        │   ├── elf_speakup.txt
        │   ├── elf_specter.txt
        │   ├── elf_sshdoor.txt
        │   ├── elf_sshscan.txt
        │   ├── elf_symbiote.txt
        │   ├── elf_teamtnt.txt
        │   ├── elf_themoon.txt
        │   ├── elf_torii.txt
        │   ├── elf_tshgod.txt
        │   ├── elf_tunpot.txt
        │   ├── elf_voidlink.txt
        │   ├── elf_vpnfilter.txt
        │   ├── elf_vtflooder.txt
        │   ├── elf_xbash.txt
        │   ├── elf_xdr33.txt
        │   ├── elf_xnote.txt
        │   ├── elf_xorddos.txt
        │   ├── elpman.txt
        │   ├── elysium.txt
        │   ├── emansrepo.txt
        │   ├── embargo.txt
        │   ├── emdivi.txt
        │   ├── emmenhtal.txt
        │   ├── emogen.txt
        │   ├── emotet.txt
        │   ├── empirerat.txt
        │   ├── enc_ransomware.txt
        │   ├── engrwiz.txt
        │   ├── entropy.txt
        │   ├── ep918_ransomware.txt
        │   ├── epsilon.txt
        │   ├── epsteinrat.txt
        │   ├── erbium.txt
        │   ├── eredel.txt
        │   ├── escelar.txt
        │   ├── esfur.txt
        │   ├── especter.txt
        │   ├── esquele.txt
        │   ├── eternalblue.txt
        │   ├── eternalrocks.txt
        │   ├── eternity.txt
        │   ├── everest.txt
        │   ├── evilbunny.txt
        │   ├── evilextractor.txt
        │   ├── evilgrab.txt
        │   ├── evilnominatus.txt
        │   ├── evilnum.txt
        │   ├── evilproxy.txt
        │   ├── evilstealer.txt
        │   ├── evoltinpos.txt
        │   ├── evrial.txt
        │   ├── exa.txt
        │   ├── exela.txt
        │   ├── exitium.txt
        │   ├── exorcist.txt
        │   ├── exoticloader.txt
        │   ├── expiro.txt
        │   ├── extenbro.txt
        │   ├── eyespy.txt
        │   ├── fahis.txt
        │   ├── fakben.txt
        │   ├── fakeadobe.txt
        │   ├── fakeapp.txt
        │   ├── fakeav.txt
        │   ├── fakebat.txt
        │   ├── fakeran.txt
        │   ├── faketicketer.txt
        │   ├── fantazyaloader.txt
        │   ├── fantom.txt
        │   ├── fareit.txt
        │   ├── farfli.txt
        │   ├── faria.txt
        │   ├── farseer.txt
        │   ├── fastloader.txt
        │   ├── fatherrat.txt
        │   ├── fbi_ransomware.txt
        │   ├── fbstealer.txt
        │   ├── fbtime.txt
        │   ├── felixhttp.txt
        │   ├── fenix.txt
        │   ├── fenixrat.txt
        │   ├── ffdroider.txt
        │   ├── ficker.txt
        │   ├── fiexp.txt
        │   ├── fignotok.txt
        │   ├── filemess.txt
        │   ├── filespider.txt
        │   ├── filsh.txt
        │   ├── fin12.txt
        │   ├── fin4.txt
        │   ├── fin6.txt
        │   ├── fin7.txt
        │   ├── fin8.txt
        │   ├── fin9.txt
        │   ├── finderbot.txt
        │   ├── findpos.txt
        │   ├── firebird.txt
        │   ├── flesh.txt
        │   ├── fletchen.txt
        │   ├── fletchen_ransomware.txt
        │   ├── flocker.txt
        │   ├── floxif.txt
        │   ├── fnumbot.txt
        │   ├── fobber.txt
        │   ├── fog_ransomware.txt
        │   ├── formbook.txt
        │   ├── fourteenhi.txt
        │   ├── fox.txt
        │   ├── frag_ransomware.txt
        │   ├── frankenstein.txt
        │   ├── frat.txt
        │   ├── fraudload.txt
        │   ├── fredy.txt
        │   ├── fruitfly.txt
        │   ├── ftcode.txt
        │   ├── fudcrypt.txt
        │   ├── fujinama.txt
        │   ├── fukuworm.txt
        │   ├── funksec.txt
        │   ├── fusionloader.txt
        │   ├── fynloski.txt
        │   ├── fysna.txt
        │   ├── gamania.txt
        │   ├── gamapos.txt
        │   ├── gandcrab.txt
        │   ├── gaudox.txt
        │   ├── gauss.txt
        │   ├── gbot.txt
        │   ├── gdlockersec.txt
        │   ├── gehenna.txt
        │   ├── gelsemium.txt
        │   ├── generic.txt
        │   ├── generic_cwprce.txt
        │   ├── generic_follina.txt
        │   ├── generic_log4shell.txt
        │   ├── generic_miner.txt
        │   ├── generic_proxynotshell.txt
        │   ├── generic_ransomware.txt
        │   ├── generic_stealer.txt
        │   ├── genesis_ransomware.txt
        │   ├── gentlemen.txt
        │   ├── germanwiper.txt
        │   ├── gh0stbins.txt
        │   ├── gh0strat.txt
        │   ├── ghost_miner.txt
        │   ├── ghostbot.txt
        │   ├── ghostdns.txt
        │   ├── ghostengine.txt
        │   ├── ghostlocker.txt
        │   ├── ghostposter.txt
        │   ├── ghostredirector.txt
        │   ├── giftedcrook.txt
        │   ├── ginzo.txt
        │   ├── gippers.txt
        │   ├── glassworm.txt
        │   ├── glitchpos.txt
        │   ├── global_ransomware.txt
        │   ├── glock.txt
        │   ├── glorysprout.txt
        │   ├── glove.txt
        │   ├── glupteba.txt
        │   ├── goblinrat.txt
        │   ├── gobotkr.txt
        │   ├── gobrut.txt
        │   ├── godlua.txt
        │   ├── godrat.txt
        │   ├── godzilla.txt
        │   ├── gokeylogger.txt
        │   ├── goldbrute.txt
        │   ├── goldenspy.txt
        │   ├── golroted.txt
        │   ├── gomet.txt
        │   ├── good_ransomware.txt
        │   ├── goodwill_ransomware.txt
        │   ├── goomba.txt
        │   ├── gootkit.txt
        │   ├── gopix.txt
        │   ├── gorat.txt
        │   ├── gored.txt
        │   ├── gotham.txt
        │   ├── grager.txt
        │   ├── grand.txt
        │   ├── grandamisha.txt
        │   ├── grandmonty.txt
        │   ├── grandoreiro.txt
        │   ├── gravityrat.txt
        │   ├── greamerat.txt
        │   ├── greenblood.txt
        │   ├── greenstone.txt
        │   ├── gremlin.txt
        │   ├── grief.txt
        │   ├── grimagent.txt
        │   ├── grimbolt.txt
        │   ├── grmsk.txt
        │   ├── grobrat.txt
        │   ├── grokpy.txt
        │   ├── groooboor.txt
        │   ├── groove.txt
        │   ├── growtopia.txt
        │   ├── gruntstager.txt
        │   ├── gtbot.txt
        │   ├── guloader.txt
        │   ├── gunra.txt
        │   ├── gupti_miner.txt
        │   ├── gypsyteam.txt
        │   ├── h1n1.txt
        │   ├── habitsrat.txt
        │   ├── hacked_3cx.txt
        │   ├── hacked_apkpure.txt
        │   ├── hacked_chromecrxext.txt
        │   ├── hacked_ciscosslvpn.txt
        │   ├── hacked_cms8000.txt
        │   ├── hacked_codecov.txt
        │   ├── hacked_comm100.txt
        │   ├── hacked_dependabot.txt
        │   ├── hacked_dnspy.txt
        │   ├── hacked_f5.txt
        │   ├── hacked_fdm.txt
        │   ├── hacked_fortinac.txt
        │   ├── hacked_githubrepos.txt
        │   ├── hacked_globalprotect.txt
        │   ├── hacked_healthcheck.txt
        │   ├── hacked_keepass.txt
        │   ├── hacked_log4j.txt
        │   ├── hacked_mint.txt
        │   ├── hacked_monero.txt
        │   ├── hacked_moveit.txt
        │   ├── hacked_netweaversap.txt
        │   ├── hacked_nginx.txt
        │   ├── hacked_npmrepos.txt
        │   ├── hacked_openvsxext.txt
        │   ├── hacked_pygrata.txt
        │   ├── hacked_pypirepos.txt
        │   ├── hacked_pytorch.txt
        │   ├── hacked_saltstack.txt
        │   ├── hacked_solarwinds.txt
        │   ├── hacked_trivy.txt
        │   ├── hacked_trustwallet.txt
        │   ├── hacked_uaparserjs.txt
        │   ├── hacked_vsixext.txt
        │   ├── hacked_whlext.txt
        │   ├── hacking_team.txt
        │   ├── hadestealer.txt
        │   ├── haibonbay.txt
        │   ├── hamaetot.txt
        │   ├── handala.txt
        │   ├── hannibal.txt
        │   ├── harnig.txt
        │   ├── haron.txt
        │   ├── havanacrypt.txt
        │   ├── hawkball.txt
        │   ├── hawkeye.txt
        │   ├── hekworm.txt
        │   ├── hellcat.txt
        │   ├── helldown_ransomware.txt
        │   ├── hellokitty.txt
        │   ├── helloxd.txt
        │   ├── hellsdaysec.txt
        │   ├── helompy.txt
        │   ├── hennessy.txt
        │   ├── hermeticwiper.txt
        │   ├── hexon.txt
        │   ├── hiddenbee.txt
        │   ├── hiddenbeer.txt
        │   ├── hiddentear.txt
        │   ├── hiloti.txt
        │   ├── hinired.txt
        │   ├── hitler_ransomware.txt
        │   ├── hive_ransomware.txt
        │   ├── hiverat.txt
        │   ├── holdthismoney.txt
        │   ├── hollow_miner.txt
        │   ├── holygh0st.txt
        │   ├── holyghost.txt
        │   ├── honeybee.txt
        │   ├── hoplight.txt
        │   ├── hotarus.txt
        │   ├── houdini.txt
        │   ├── hunters_ransomware.txt
        │   ├── huntpos.txt
        │   ├── hvncrat.txt
        │   ├── hydracrypt.txt
        │   ├── hydseven.txt
        │   ├── hzrat.txt
        │   ├── i2prat.txt
        │   ├── icarus.txt
        │   ├── icebreaker.txt
        │   ├── icedid.txt
        │   ├── icefire.txt
        │   ├── icerat.txt
        │   ├── icexloader.txt
        │   ├── iconloader.txt
        │   ├── igb_ransomware.txt
        │   ├── imbetter.txt
        │   ├── imddos.txt
        │   ├── imminentrat.txt
        │   ├── immortal.txt
        │   ├── imncrew.txt
        │   ├── inari.txt
        │   ├── inc_ransomware.txt
        │   ├── indexsinas.txt
        │   ├── indone_miner.txt
        │   ├── infinilate.txt
        │   ├── infinityrat.txt
        │   ├── injecto.txt
        │   ├── innfirat.txt
        │   ├── insomnia.txt
        │   ├── interlock-1.txt
        │   ├── interlock.txt
        │   ├── interstellar.txt
        │   ├── investimer.txt
        │   ├── invisimole.txt
        │   ├── ios_glasscage.txt
        │   ├── ios_keyraider.txt
        │   ├── ios_muda.txt
        │   ├── ios_oneclickfraud.txt
        │   ├── ios_realtimespy.txt
        │   ├── ios_specter.txt
        │   ├── ios_xcodeghost.txt
        │   ├── ipikabot.txt
        │   ├── iris.txt
        │   ├── iron.txt
        │   ├── ismdoor.txt
        │   ├── isodisk.txt
        │   ├── ispy.txt
        │   ├── isr.txt
        │   ├── ixware.txt
        │   ├── j_ransomware.txt
        │   ├── jackpos.txt
        │   ├── jacksbot.txt
        │   ├── jaff.txt
        │   ├── janelarat.txt
        │   ├── janeleiro.txt
        │   ├── jaska.txt
        │   ├── jasmin.txt
        │   ├── jasperloader.txt
        │   ├── javali.txt
        │   ├── javaloader.txt
        │   ├── javarat.txt
        │   ├── jedobot.txt
        │   ├── jerryrat.txt
        │   ├── jester.txt
        │   ├── jigsaw.txt
        │   ├── jinxloader.txt
        │   ├── jrat.txt
        │   ├── jripbot.txt
        │   ├── jshellrat.txt
        │   ├── jsoutprox.txt
        │   ├── jspspy.txt
        │   ├── juice.txt
        │   ├── junos_jmagic.txt
        │   ├── jupyter.txt
        │   ├── justaskjacky.txt
        │   ├── k8steal.txt
        │   ├── kairos.txt
        │   ├── kamasers.txt
        │   ├── kapahyku.txt
        │   ├── karkoff.txt
        │   ├── karma.txt
        │   ├── karstorat.txt
        │   ├── kasidet.txt
        │   ├── katz.txt
        │   ├── kawalocker.txt
        │   ├── kazakrat.txt
        │   ├── kazu_ransomware.txt
        │   ├── kazy.txt
        │   ├── kbot.txt
        │   ├── kegotip.txt
        │   ├── kelihos.txt
        │   ├── kelvinsec.txt
        │   ├── kematian.txt
        │   ├── kentloader.txt
        │   ├── keres.txt
        │   ├── kernelbot.txt
        │   ├── keybase.txt
        │   ├── khonsari_ransomware.txt
        │   ├── khrat.txt
        │   ├── kidotai.txt
        │   ├── kief.txt
        │   ├── killrabbit.txt
        │   ├── killsec.txt
        │   ├── killua.txt
        │   ├── kingslayer.txt
        │   ├── kingsman.txt
        │   ├── kittykatkrew.txt
        │   ├── kjw0rm.txt
        │   ├── klingon.txt
        │   ├── knotweed.txt
        │   ├── koadic.txt
        │   ├── koi.txt
        │   ├── kolab.txt
        │   ├── konni.txt
        │   ├── koobface.txt
        │   ├── korplug.txt
        │   ├── kortex.txt
        │   ├── kovter.txt
        │   ├── kpot.txt
        │   ├── kradellsh.txt
        │   ├── kraken.txt
        │   ├── kraziomel.txt
        │   ├── kromagent.txt
        │   ├── kronos.txt
        │   ├── krown.txt
        │   ├── krugbot.txt
        │   ├── krypt_ransomware.txt
        │   ├── kryptocibule.txt
        │   ├── kryptos_ransomware.txt
        │   ├── kuago_miner.txt
        │   ├── kuiper_ransomware.txt
        │   ├── kulekmoko.txt
        │   ├── kupidon.txt
        │   ├── kutaki.txt
        │   ├── kwampirsrat.txt
        │   ├── kyber_ransomware.txt
        │   ├── l0rdix.txt
        │   ├── ladon.txt
        │   ├── lambda_ransomware.txt
        │   ├── lampion.txt
        │   ├── lanfiltrator.txt
        │   ├── lapdogs.txt
        │   ├── laplasclipper.txt
        │   ├── latentbot.txt
        │   ├── latot.txt
        │   ├── latrodectus.txt
        │   ├── laurent.txt
        │   ├── lazagne.txt
        │   ├── laziok.txt
        │   ├── lcy.txt
        │   ├── ldpinch.txt
        │   ├── leaknet_ransomware.txt
        │   ├── leaktheanalyst.txt
        │   ├── ledger_backdoor.txt
        │   ├── legion_loader.txt
        │   ├── lemonduck_miner.txt
        │   ├── leprechaun.txt
        │   ├── lethic.txt
        │   ├── lgoogloader.txt
        │   ├── lightning.txt
        │   ├── lilith.txt
        │   ├── limerat.txt
        │   ├── linkc_ransomware.txt
        │   ├── linkoptimizer.txt
        │   ├── litehttp.txt
        │   ├── liushen.txt
        │   ├── loadpcbanker.txt
        │   ├── lockbit.txt
        │   ├── lockdata.txt
        │   ├── locky.txt
        │   ├── lodarat.txt
        │   ├── lodeinfo.txt
        │   ├── logx.txt
        │   ├── lokibot.txt
        │   ├── lokidoor.txt
        │   ├── lokilock.txt
        │   ├── lokirat.txt
        │   ├── lokorrito.txt
        │   ├── lolkek_ransomware.txt
        │   ├── lollipop.txt
        │   ├── lolnek.txt
        │   ├── loocipher.txt
        │   ├── loopbackrat.txt
        │   ├── lorenz.txt
        │   ├── losabel.txt
        │   ├── lostdoorrat.txt
        │   ├── loud_miner.txt
        │   ├── ltx.txt
        │   ├── lu0bot.txt
        │   ├── luca.txt
        │   ├── lucidoor.txt
        │   ├── lucifer.txt
        │   ├── lucky.txt
        │   ├── luminositylinkrat.txt
        │   ├── lummac2.txt
        │   ├── lunalock.txt
        │   ├── lunar.txt
        │   ├── luoxk.txt
        │   ├── lust.txt
        │   ├── luxnetrat.txt
        │   ├── lv_ransomware.txt
        │   ├── m00nd3v.txt
        │   ├── m1nus273_ransomware.txt
        │   ├── m8220_miner.txt
        │   ├── madliberator.txt
        │   ├── madmxshell.txt
        │   ├── mado_miner.txt
        │   ├── maggie.txt
        │   ├── magicpos.txt
        │   ├── magniber.txt
        │   ├── majikpos.txt
        │   ├── mallox.txt
        │   ├── mambashim.txt
        │   ├── mamo.txt
        │   ├── mamona.txt
        │   ├── manabot.txt
        │   ├── mancsyn.txt
        │   ├── mandaph.txt
        │   ├── maplebot.txt
        │   ├── maranhao.txt
        │   ├── marap.txt
        │   ├── mardom.txt
        │   ├── marketo.txt
        │   ├── markopolo.txt
        │   ├── marmoolak.txt
        │   ├── marsjoke.txt
        │   ├── masad.txt
        │   ├── maskgram.txt
        │   ├── mass_miner.txt
        │   ├── masslogger.txt
        │   ├── mastermana.txt
        │   ├── matanbuchus.txt
        │   ├── matrix.txt
        │   ├── matrixmax.txt
        │   ├── matsnu.txt
        │   ├── mauri_ransomware.txt
        │   ├── mave.txt
        │   ├── maze.txt
        │   ├── mbc_ransomware.txt
        │   ├── mdrop.txt
        │   ├── meatball.txt
        │   ├── mebroot.txt
        │   ├── medbot.txt
        │   ├── medusa.txt
        │   ├── medusahttp.txt
        │   ├── medusalocker.txt
        │   ├── megacortex.txt
        │   ├── megalodonhttprat.txt
        │   ├── megaopac.txt
        │   ├── megumin.txt
        │   ├── mehcrypter.txt
        │   ├── mekotio.txt
        │   ├── mena_ransomware.txt
        │   ├── meow.txt
        │   ├── mercurybot.txt
        │   ├── meris.txt
        │   ├── merkspy.txt
        │   ├── mespinoza.txt
        │   ├── mestep.txt
        │   ├── meta.txt
        │   ├── metador.txt
        │   ├── metadrain.txt
        │   ├── metaencryptor.txt
        │   ├── metamorfo.txt
        │   ├── mewsei.txt
        │   ├── microstealer.txt
        │   ├── midas.txt
        │   ├── midie.txt
        │   ├── mielit.txt
        │   ├── miga_ransomware.txt
        │   ├── migo_miner.txt
        │   ├── milkman.txt
        │   ├── milkyboy.txt
        │   ├── millionware.txt
        │   ├── mimus.txt
        │   ├── minas_miner.txt
        │   ├── minedoor.txt
        │   ├── mingloa.txt
        │   ├── minotaur.txt
        │   ├── mint.txt
        │   ├── mintsloader.txt
        │   ├── miragefox.txt
        │   ├── mirai_stealer.txt
        │   ├── misogow.txt
        │   ├── mist.txt
        │   ├── mitglieder.txt
        │   ├── miuref.txt
        │   ├── mixshell.txt
        │   ├── mnubot.txt
        │   ├── mocker.txt
        │   ├── modelorat.txt
        │   ├── modirat.txt
        │   ├── modpipe.txt
        │   ├── modpos.txt
        │   ├── momo33333.txt
        │   ├── moneymessage.txt
        │   ├── monkey_ransomware.txt
        │   ├── monolith.txt
        │   ├── monsterinstall.txt
        │   ├── montysthree.txt
        │   ├── moonlight.txt
        │   ├── moonriserat.txt
        │   ├── moontag.txt
        │   ├── moorat.txt
        │   ├── morpheus.txt
        │   ├── morto.txt
        │   ├── morty.txt
        │   ├── mosaicregressor.txt
        │   ├── moserpass.txt
        │   ├── moses.txt
        │   ├── mosquito.txt
        │   ├── mostererat.txt
        │   ├── mosucker.txt
        │   ├── mountlocker.txt
        │   ├── mozart.txt
        │   ├── mranon.txt
        │   ├── mrb_miner.txt
        │   ├── mrstealer.txt
        │   ├── ms13089_ransomware.txt
        │   ├── mstealer.txt
        │   ├── msupedge.txt
        │   ├── mufila.txt
        │   ├── muggle.txt
        │   ├── mumbai.txt
        │   ├── muse_miner.txt
        │   ├── mydata_ransomware.txt
        │   ├── mydoom.txt
        │   ├── mykings_miner.txt
        │   ├── mylobot.txt
        │   ├── mysticalnet.txt
        │   ├── n13v_ransomware.txt
        │   ├── n2019cov.txt
        │   ├── n3tw0rm.txt
        │   ├── n3xtrat.txt
        │   ├── nampohyu.txt
        │   ├── nanocore.txt
        │   ├── napolar.txt
        │   ├── narniarat.txt
        │   ├── nasir.txt
        │   ├── nbot.txt
        │   ├── necrobot.txt
        │   ├── necurs.txt
        │   ├── neko.txt
        │   ├── nelsy.txt
        │   ├── nemeot.txt
        │   ├── nemesis.txt
        │   ├── nemezida_ransomware.txt
        │   ├── nemty.txt
        │   ├── nemucod.txt
        │   ├── neojit.txt
        │   ├── neonwallet.txt
        │   ├── neptune.txt
        │   ├── neptunerat.txt
        │   ├── nerbian.txt
        │   ├── neshuta.txt
        │   ├── nestrat.txt
        │   ├── netbounce.txt
        │   ├── netbus.txt
        │   ├── netdooka.txt
        │   ├── netloader.txt
        │   ├── netsupport.txt
        │   ├── netwalker.txt
        │   ├── netwire.txt
        │   ├── neuron.txt
        │   ├── neurorat.txt
        │   ├── neus.txt
        │   ├── neutrino.txt
        │   ├── nevada_ransomware.txt
        │   ├── newbot.txt
        │   ├── newddosbot.txt
        │   ├── newpos.txt
        │   ├── newsrat.txt
        │   ├── nex.txt
        │   ├── nexlogger.txt
        │   ├── nextmind.txt
        │   ├── nexus.txt
        │   ├── nhattuanblrat.txt
        │   ├── nicerat.txt
        │   ├── nigelthorn.txt
        │   ├── nightingale.txt
        │   ├── nightshadec2.txt
        │   ├── nightsky.txt
        │   ├── nightspire.txt
        │   ├── nikki.txt
        │   ├── nionspy.txt
        │   ├── nitol.txt
        │   ├── nitro.txt
        │   ├── nitrogen.txt
        │   ├── nivdort.txt
        │   ├── njrat-1.txt
        │   ├── njrat.txt
        │   ├── nocry.txt
        │   ├── nodersok.txt
        │   ├── nodestealer.txt
        │   ├── noescape.txt
        │   ├── nokoyawa.txt
        │   ├── nomercy.txt
        │   ├── nonbolqu.txt
        │   ├── noodlophile.txt
        │   ├── nopyfy.txt
        │   ├── norddragonscan.txt
        │   ├── normaldaki.txt
        │   ├── notrobin.txt
        │   ├── nova_ransomware.txt
        │   ├── novahttp.txt
        │   ├── novaloader.txt
        │   ├── novasentinel.txt
        │   ├── novel_miner.txt
        │   ├── novobot.txt
        │   ├── novter.txt
        │   ├── novu.txt
        │   ├── now.txt
        │   ├── nozelesn.txt
        │   ├── nsabuff_miner.txt
        │   ├── ntstealer.txt
        │   ├── nucleartor.txt
        │   ├── nuggetphantom.txt
        │   ├── nullbulge.txt
        │   ├── nullmixer.txt
        │   ├── numando.txt
        │   ├── nuqel.txt
        │   ├── nworm.txt
        │   ├── nwt.txt
        │   ├── nymaim.txt
        │   ├── nymeria.txt
        │   ├── oapt_ransomware.txt
        │   ├── obliquerat.txt
        │   ├── obscura.txt
        │   ├── obscurebat.txt
        │   ├── observer.txt
        │   ├── octalyn.txt
        │   ├── octopus.txt
        │   ├── octopuz.txt
        │   ├── octorat.txt
        │   ├── odcodc.txt
        │   ├── oddball.txt
        │   ├── odyssey.txt
        │   ├── offendium.txt
        │   ├── offloader.txt
        │   ├── oficla.txt
        │   ├── olymploader.txt
        │   ├── olympus.txt
        │   ├── omegaloader.txt
        │   ├── oneclik.txt
        │   ├── onepercent.txt
        │   ├── onionpoison.txt
        │   ├── onkods.txt
        │   ├── optima.txt
        │   ├── orca_rasnomware.txt
        │   ├── orchard.txt
        │   ├── orcusrat.txt
        │   ├── originbot.txt
        │   ├── orion_ransomware.txt
        │   ├── oriongrabber.txt
        │   ├── osiris_ransomware.txt
        │   ├── oski.txt
        │   ├── ospreypr.txt
        │   ├── ostap.txt
        │   ├── osx_atomic.txt
        │   ├── osx_banshee.txt
        │   ├── osx_bundlore.txt
        │   ├── osx_cheana.txt
        │   ├── osx_chillyhell.txt
        │   ├── osx_clipstealer.txt
        │   ├── osx_coinminer.txt
        │   ├── osx_coldroot.txt
        │   ├── osx_cthulhu.txt
        │   ├── osx_dazzlespy.txt
        │   ├── osx_fakeapp.txt
        │   ├── osx_flashback.txt
        │   ├── osx_generic.txt
        │   ├── osx_gmera.txt
        │   ├── osx_godoor.txt
        │   ├── osx_hashbreaker.txt
        │   ├── osx_imuler.txt
        │   ├── osx_jokerspy.txt
        │   ├── osx_jscorerunner.txt
        │   ├── osx_keranger.txt
        │   ├── osx_keydnap.txt
        │   ├── osx_keysteal.txt
        │   ├── osx_linker.txt
        │   ├── osx_lol.txt
        │   ├── osx_loselose.txt
        │   ├── osx_m1.txt
        │   ├── osx_macma.txt
        │   ├── osx_macmeow.txt
        │   ├── osx_macspy.txt
        │   ├── osx_mami.txt
        │   ├── osx_mokes.txt
        │   ├── osx_mughthesec.txt
        │   ├── osx_nova.txt
        │   ├── osx_osaminer.txt
        │   ├── osx_phexiabot.txt
        │   ├── osx_proton.txt
        │   ├── osx_proxy.txt
        │   ├── osx_pureland.txt
        │   ├── osx_readerupdate.txt
        │   ├── osx_realst.txt
        │   ├── osx_rustdoor.txt
        │   ├── osx_salgorea.txt
        │   ├── osx_shlayer.txt
        │   ├── osx_thiefquest.txt
        │   ├── osx_trikster.txt
        │   ├── osx_updateagent.txt
        │   ├── osx_wirelurker.txt
        │   ├── osx_xcodespy.txt
        │   ├── osx_xcsset.txt
        │   ├── osx_zuru.txt
        │   ├── ovidiy.txt
        │   ├── owowa.txt
        │   ├── oxtarat.txt
        │   ├── oyster.txt
        │   ├── p2pinfect.txt
        │   ├── padcrypt.txt
        │   ├── palevo.txt
        │   ├── palmerworm.txt
        │   ├── pandabanker.txt
        │   ├── pandora.txt
        │   ├── panteganarat.txt
        │   ├── panther.txt
        │   ├── paradoxrat.txt
        │   ├── parallax.txt
        │   ├── parasitesnatcher.txt
        │   ├── patchbrowse.txt
        │   ├── patriot.txt
        │   ├── pay2key.txt
        │   ├── paycrypt.txt
        │   ├── payload_ransomware.txt
        │   ├── payloadbin.txt
        │   ├── payoutsking.txt
        │   ├── paysafecard.txt
        │   ├── pcastle_miner.txt
        │   ├── pcshare.txt
        │   ├── pdfjsc.txt
        │   ├── peaklight.txt
        │   ├── pear_ransomware.txt
        │   ├── pearl.txt
        │   ├── pennywise.txt
        │   ├── pepperat.txt
        │   ├── peppyrat.txt
        │   ├── perl_shellbot.txt
        │   ├── perseusrat.txt
        │   ├── petya.txt
        │   ├── pghost.txt
        │   ├── phantom.txt
        │   ├── phantomrat.txt
        │   ├── phasebot.txt
        │   ├── phemedrone.txt
        │   ├── philadelphia.txt
        │   ├── phoenix.txt
        │   ├── phoenix_miner.txt
        │   ├── phorpiex.txt
        │   ├── photo_miner.txt
        │   ├── phpstudyghost.txt
        │   ├── phpw_ransomware.txt
        │   ├── phxi.txt
        │   ├── phytob.txt
        │   ├── picgoo.txt
        │   ├── pickai.txt
        │   ├── pift.txt
        │   ├── pinkslipbot.txt
        │   ├── pipka.txt
        │   ├── piratematryoshka.txt
        │   ├── piritebot.txt
        │   ├── pixpirate.txt
        │   ├── plague.txt
        │   ├── planet.txt
        │   ├── plasmarat.txt
        │   ├── playboy_ransomware.txt
        │   ├── plead.txt
        │   ├── pleasereadme_ransomware.txt
        │   ├── plugx.txt
        │   ├── plurox.txt
        │   ├── plutocrypt.txt
        │   ├── plutos.txt
        │   ├── pocorat.txt
        │   ├── poetrat.txt
        │   ├── poisonivy.txt
        │   ├── polaredge.txt
        │   ├── ponmocup.txt
        │   ├── poppingeagle.txt
        │   ├── portstarter.txt
        │   ├── poshcoder.txt
        │   ├── pots.txt
        │   ├── poullight.txt
        │   ├── poverty.txt
        │   ├── powelike.txt
        │   ├── powerpool.txt
        │   ├── powershell_injector.txt
        │   ├── powershell_ransomware.txt
        │   ├── powershell_smbghost.txt
        │   ├── powerworm.txt
        │   ├── powmet.txt
        │   ├── prash.txt
        │   ├── prat.txt
        │   ├── prctrlrat.txt
        │   ├── predatory.txt
        │   ├── pripyat_miner.txt
        │   ├── privatecrypt.txt
        │   ├── privateloader.txt
        │   ├── proced.txt
        │   ├── prolificpuma.txt
        │   ├── prometei.txt
        │   ├── propagate.txt
        │   ├── prorat.txt
        │   ├── proslikefan.txt
        │   ├── prostoclipper.txt
        │   ├── prostoloader.txt
        │   ├── protonbot.txt
        │   ├── prowli.txt
        │   ├── proxyback.txt
        │   ├── proxycb.txt
        │   ├── prysmax.txt
        │   ├── pryx_ransomware.txt
        │   ├── psixbot.txt
        │   ├── pswstealer.txt
        │   ├── pulsarrat.txt
        │   ├── punisher_ransomware.txt
        │   ├── punisherrat.txt
        │   ├── pupyrat.txt
        │   ├── purecrypter.txt
        │   ├── purelogs.txt
        │   ├── purplefox.txt
        │   ├── purpleurchin.txt
        │   ├── purplewave.txt
        │   ├── pushdo.txt
        │   ├── puzzlemaker.txt
        │   ├── pxabot.txt
        │   ├── pycstealer.txt
        │   ├── pykspa.txt
        │   ├── pyleet.txt
        │   ├── pylocky.txt
        │   ├── pypi_backdoor.txt
        │   ├── pyrogenic.txt
        │   ├── pysa_ransomware.txt
        │   ├── python_appxpy.txt
        │   ├── python_brost.txt
        │   ├── python_extrack.txt
        │   ├── python_injector.txt
        │   ├── python_killmbr.txt
        │   ├── python_memento.txt
        │   ├── python_w4sp.txt
        │   ├── python_xwo.txt
        │   ├── pyxierat.txt
        │   ├── qakbot.txt
        │   ├── qarallaxrat.txt
        │   ├── qdoor.txt
        │   ├── qeallerrat.txt
        │   ├── qilin.txt
        │   ├── qiulong.txt
        │   ├── qlocker.txt
        │   ├── qnodeservice.txt
        │   ├── qqcookie.txt
        │   ├── qrat.txt
        │   ├── quad7.txt
        │   ├── quadagent.txt
        │   ├── quadream.txt
        │   ├── quantloader.txt
        │   ├── quantum_ransomware.txt
        │   ├── quasarrat.txt
        │   ├── qudox.txt
        │   ├── quickbooks.txt
        │   ├── qukart.txt
        │   ├── qulab.txt
        │   ├── qwert_miner.txt
        │   ├── r2015.txt
        │   ├── raasberry.txt
        │   ├── raccoon.txt
        │   ├── radar_ransomware.txt
        │   ├── radx.txt
        │   ├── ragnar.txt
        │   ├── ragnarok.txt
        │   ├── rainstealer.txt
        │   ├── rajump.txt
        │   ├── rakhni.txt
        │   ├── rakhni_ransomware.txt
        │   ├── ralord.txt
        │   ├── ramdo.txt
        │   ├── ramnit.txt
        │   ├── ramp.txt
        │   ├── ranion.txt
        │   ├── ransirac.txt
        │   ├── ransomblog.txt
        │   ├── ransomcartel.txt
        │   ├── ransomcortex.txt
        │   ├── ransomed.txt
        │   ├── ransomexx.txt
        │   ├── ransomhouse.txt
        │   ├── ransomhub.txt
        │   ├── ranzy.txt
        │   ├── rapid.txt
        │   ├── raptrain.txt
        │   ├── rarog.txt
        │   ├── rasprobin.txt
        │   ├── rat369.txt
        │   ├── ratel.txt
        │   ├── raticate.txt
        │   ├── ratty.txt
        │   ├── raven.txt
        │   ├── rawld_ransomware.txt
        │   ├── razy.txt
        │   ├── rdpbrutebot.txt
        │   ├── reactorbot.txt
        │   ├── reaver.txt
        │   ├── red_ransomware.txt
        │   ├── redalpha.txt
        │   ├── reddot_ransomware.txt
        │   ├── reddriver.txt
        │   ├── rediswannamine.txt
        │   ├── redline.txt
        │   ├── redsip.txt
        │   ├── redtail_miner.txt
        │   ├── reductor.txt
        │   ├── ref3927.txt
        │   ├── ref7707.txt
        │   ├── remcos.txt
        │   ├── remexirat.txt
        │   ├── remotexrat.txt
        │   ├── renocide.txt
        │   ├── retroc2rat.txt
        │   ├── revcoderat.txt
        │   ├── revengerat.txt
        │   ├── reveton.txt
        │   ├── revetrat.txt
        │   ├── reynolds.txt
        │   ├── rhadamanthys.txt
        │   ├── rhysida.txt
        │   ├── rift.txt
        │   ├── rilide.txt
        │   ├── rincux.txt
        │   ├── riseloader.txt
        │   ├── risen_ransomware.txt
        │   ├── risepro.txt
        │   ├── rmsrat.txt
        │   ├── robinhood.txt
        │   ├── rocco.txt
        │   ├── rocketx.txt
        │   ├── rogue_ransomware.txt
        │   ├── rombertik.txt
        │   ├── rook_ransomware.txt
        │   ├── rootteam.txt
        │   ├── rovnix.txt
        │   ├── royal_ransomware.txt
        │   ├── rozena.txt
        │   ├── rransom.txt
        │   ├── rsockstun.txt
        │   ├── rtm.txt
        │   ├── rtm_ransomware.txt
        │   ├── rubella.txt
        │   ├── ruby_backdoor.txt
        │   ├── ruftar.txt
        │   ├── runforestrun.txt
        │   ├── runsomewares.txt
        │   ├── rust_injector.txt
        │   ├── rustock.txt
        │   ├── rusty.txt
        │   ├── rustylocker.txt
        │   ├── ryuk.txt
        │   ├── saefkorat.txt
        │   ├── safepay.txt
        │   ├── saferat.txt
        │   ├── sage.txt
        │   ├── saintbot.txt
        │   ├── sakabota.txt
        │   ├── sakari.txt
        │   ├── sakula.txt
        │   ├── sakurel.txt
        │   ├── salat.txt
        │   ├── sality.txt
        │   ├── samorat.txt
        │   ├── samsam.txt
        │   ├── sanny.txt
        │   ├── santa.txt
        │   ├── sapphire.txt
        │   ├── sarcoma.txt
        │   ├── satacom.txt
        │   ├── satana.txt
        │   ├── satancd.txt
        │   ├── sathurbot.txt
        │   ├── scanbox.txt
        │   ├── scarab.txt
        │   ├── schwarzesonne.txt
        │   ├── scranos.txt
        │   ├── scylla.txt
        │   ├── sdbot.txt
        │   ├── sdrop.txt
        │   ├── seaduke.txt
        │   ├── sealrat.txt
        │   ├── secpo.txt
        │   ├── sectoprat.txt
        │   ├── sefnit.txt
        │   ├── sekhmet.txt
        │   ├── selfdel.txt
        │   ├── sembmarine.txt
        │   ├── sendsafe.txt
        │   ├── sensayq.txt
        │   ├── seroxenrat.txt
        │   ├── serpent.txt
        │   ├── setcoderat.txt
        │   ├── seth_ransomware.txt
        │   ├── severe.txt
        │   ├── sfile_ransomware.txt
        │   ├── shadow_ransomware.txt
        │   ├── shadowbyte.txt
        │   ├── shadownet.txt
        │   ├── shadowrat.txt
        │   ├── shadowsyndicate.txt
        │   ├── shadowtechrat.txt
        │   ├── shadypanda.txt
        │   ├── shalom.txt
        │   ├── sharkstealer.txt
        │   ├── shelby.txt
        │   ├── shellresetrat.txt
        │   ├── shelma.txt
        │   ├── shifu.txt
        │   ├── shimrat.txt
        │   ├── shinysp1d3r.txt
        │   ├── shiotob.txt
        │   ├── shkolota.txt
        │   ├── shurl0ckr.txt
        │   ├── shylock.txt
        │   ├── sicari_ransomware.txt
        │   ├── siegedsec.txt
        │   ├── siesta.txt
        │   ├── silent.txt
        │   ├── silent_ransomware.txt
        │   ├── silentbrute.txt
        │   ├── silentcrypto_miner.txt
        │   ├── silentroute.txt
        │   ├── silentsyncrat.txt
        │   ├── silly.txt
        │   ├── silverfox.txt
        │   ├── silverterrier.txt
        │   ├── simayrat.txt
        │   ├── simda.txt
        │   ├── sinkhole_360netlab.txt
        │   ├── sinkhole_abuse.txt
        │   ├── sinkhole_arbor.txt
        │   ├── sinkhole_bitdefender.txt
        │   ├── sinkhole_bitsight.txt
        │   ├── sinkhole_blacklab.txt
        │   ├── sinkhole_bomccss.txt
        │   ├── sinkhole_botnethunter.txt
        │   ├── sinkhole_cabal.txt
        │   ├── sinkhole_certgovau.txt
        │   ├── sinkhole_certpl.txt
        │   ├── sinkhole_certtr.txt
        │   ├── sinkhole_certua.txt
        │   ├── sinkhole_changeip.txt
        │   ├── sinkhole_checkpoint.txt
        │   ├── sinkhole_cirtdk.txt
        │   ├── sinkhole_cncert.txt
        │   ├── sinkhole_collector.txt
        │   ├── sinkhole_conficker.txt
        │   ├── sinkhole_cryptolocker.txt
        │   ├── sinkhole_cydef.txt
        │   ├── sinkhole_devilish.txt
        │   ├── sinkhole_dnssinkhole.txt
        │   ├── sinkhole_doombringer.txt
        │   ├── sinkhole_drweb.txt
        │   ├── sinkhole_dynadot.txt
        │   ├── sinkhole_dyre.txt
        │   ├── sinkhole_farsight.txt
        │   ├── sinkhole_fbizeus.txt
        │   ├── sinkhole_fireeye.txt
        │   ├── sinkhole_fitsec.txt
        │   ├── sinkhole_fnord.txt
        │   ├── sinkhole_fraunhofer.txt
        │   ├── sinkhole_gamaredon.txt
        │   ├── sinkhole_gameoverzeus.txt
        │   ├── sinkhole_georgiatech.txt
        │   ├── sinkhole_gladtech.txt
        │   ├── sinkhole_hyas.txt
        │   ├── sinkhole_infosecjp.txt
        │   ├── sinkhole_kaspersky.txt
        │   ├── sinkhole_kryptoslogic.txt
        │   ├── sinkhole_menupass.txt
        │   ├── sinkhole_microsoft.txt
        │   ├── sinkhole_noip.txt
        │   ├── sinkhole_nowdns.txt
        │   ├── sinkhole_oceanlotus.txt
        │   ├── sinkhole_opendns.txt
        │   ├── sinkhole_paloalto.txt
        │   ├── sinkhole_rsa.txt
        │   ├── sinkhole_scarletshark.txt
        │   ├── sinkhole_secureworks.txt
        │   ├── sinkhole_securityscorecard.txt
        │   ├── sinkhole_sekoia.txt
        │   ├── sinkhole_shadowserver.txt
        │   ├── sinkhole_sidnlabs.txt
        │   ├── sinkhole_sinkdns.txt
        │   ├── sinkhole_sobaken.txt
        │   ├── sinkhole_sofacy.txt
        │   ├── sinkhole_spamandabuse.txt
        │   ├── sinkhole_sugarbucket.txt
        │   ├── sinkhole_sunburst.txt
        │   ├── sinkhole_supportintel.txt
        │   ├── sinkhole_switch.txt
        │   ├── sinkhole_tech.txt
        │   ├── sinkhole_tsway.txt
        │   ├── sinkhole_turla.txt
        │   ├── sinkhole_unknown.txt
        │   ├── sinkhole_vicheck.txt
        │   ├── sinkhole_virustracker.txt
        │   ├── sinkhole_vittalia.txt
        │   ├── sinkhole_wapacklabs.txt
        │   ├── sinkhole_xaayda.txt
        │   ├── sinkhole_xlab.txt
        │   ├── sinkhole_xyz.txt
        │   ├── sinkhole_yourtrap.txt
        │   ├── sinkhole_zinkhole.txt
        │   ├── sinobi.txt
        │   ├── sirkeira.txt
        │   ├── skeeyah.txt
        │   ├── skidrat.txt
        │   ├── skynet.txt
        │   ├── skyper.txt
        │   ├── sleepyduck.txt
        │   ├── slenfbot.txt
        │   ├── slnya_ransomware.txt
        │   ├── sload.txt
        │   ├── slopoly.txt
        │   ├── slothfulmedia.txt
        │   ├── slserver.txt
        │   ├── slub.txt
        │   ├── slug_ransomware.txt
        │   ├── smallnetrat.txt
        │   ├── smartloader.txt
        │   ├── smert_ransomware.txt
        │   ├── smokebot.txt
        │   ├── smokeloader.txt
        │   ├── smsfakesky.txt
        │   ├── snatch.txt
        │   ├── sneakystrike.txt
        │   ├── snifula.txt
        │   ├── snslocker.txt
        │   ├── sockrat.txt
        │   ├── socksbot.txt
        │   ├── sodapop.txt
        │   ├── sodinokibi.txt
        │   ├── sohanad.txt
        │   ├── solarsys.txt
        │   ├── sombrat.txt
        │   ├── somnirecords.txt
        │   ├── sonoko.txt
        │   ├── sonoyuncu.txt
        │   ├── sorano.txt
        │   ├── sorena.txt
        │   ├── sorrygomaster.txt
        │   ├── sorvepotel.txt
        │   ├── sosihvncrat.txt
        │   ├── soul.txt
        │   ├── soulsearcher.txt
        │   ├── spacebears.txt
        │   ├── sparkycarp.txt
        │   ├── sparta.txt
        │   ├── specter.txt
        │   ├── spectra.txt
        │   ├── spectre.txt
        │   ├── spicerat.txt
        │   ├── spideybot.txt
        │   ├── spock.txt
        │   ├── spook.txt
        │   ├── sporacrypt.txt
        │   ├── spybotpos.txt
        │   ├── spyeye.txt
        │   ├── spygaterat.txt
        │   ├── spypress.txt
        │   ├── squidloader.txt
        │   ├── squirrelwaffle.txt
        │   ├── sqzrframework480.txt
        │   ├── stabuniq.txt
        │   ├── stanley.txt
        │   ├── stantinko.txt
        │   ├── statc.txt
        │   ├── stealerium.txt
        │   ├── stealit.txt
        │   ├── stealzilla.txt
        │   ├── steamreplacer.txt
        │   ├── steamstealer.txt
        │   ├── steelfox.txt
        │   ├── stely.txt
        │   ├── stih.txt
        │   ├── stilachirat.txt
        │   ├── stinger.txt
        │   ├── stlfun.txt
        │   ├── stomida.txt
        │   ├── stop_ransomware.txt
        │   ├── storm2603.txt
        │   ├── stormkitty.txt
        │   ├── stormous_ransomware.txt
        │   ├── strela.txt
        │   ├── strictor.txt
        │   ├── stripedfly.txt
        │   ├── strrat.txt
        │   ├── sugar_ransomware.txt
        │   ├── sukalogger.txt
        │   ├── suncrypt.txt
        │   ├── superbearrat.txt
        │   ├── supremebot.txt
        │   ├── surfer.txt
        │   ├── surtr.txt
        │   ├── susafone.txt
        │   ├── susvsex.txt
        │   ├── svcreadyrat.txt
        │   ├── svcstealer.txt
        │   ├── svproxy.txt
        │   ├── swaetrat.txt
        │   ├── swamprat.txt
        │   ├── sykipot.txt
        │   ├── sylavriu.txt
        │   ├── symmi.txt
        │   ├── symmiware.txt
        │   ├── synack.txt
        │   ├── syndicasec.txt
        │   ├── synolocker.txt
        │   ├── sys01.txt
        │   ├── sysc32cmd.txt
        │   ├── syscon.txt
        │   ├── sysjoker.txt
        │   ├── sysrat.txt
        │   ├── sysrvhello_miner.txt
        │   ├── systembc.txt
        │   ├── systemd_miner.txt
        │   ├── sysworm.txt
        │   ├── t1087.txt
        │   ├── t34loader.txt
        │   ├── ta2541.txt
        │   ├── ta2552.txt
        │   ├── ta2726.txt
        │   ├── ta2727.txt
        │   ├── ta401.txt
        │   ├── ta4557.txt
        │   ├── ta505.txt
        │   ├── ta558.txt
        │   ├── ta569.txt
        │   ├── ta581.txt
        │   ├── ta829.txt
        │   ├── tables.txt
        │   ├── taidoor.txt
        │   ├── targetcompany.txt
        │   ├── taskmasters.txt
        │   ├── taurus.txt
        │   ├── tdss.txt
        │   ├── teambot.txt
        │   ├── teamspy.txt
        │   ├── teamxxx.txt
        │   ├── teerac.txt
        │   ├── telebot.txt
        │   ├── telegrab.txt
        │   ├── telemetr.txt
        │   ├── tellyouthepass.txt
        │   ├── tempheretic.txt
        │   ├── tengu_ransomware.txt
        │   ├── termite.txt
        │   ├── terracotta.txt
        │   ├── teslacrypt.txt
        │   ├── tetrade.txt
        │   ├── tevrinox.txt
        │   ├── tflower.txt
        │   ├── tgrcri0045.txt
        │   ├── thanos.txt
        │   ├── therat.txt
        │   ├── thirdeye.txt
        │   ├── thorc2.txt
        │   ├── threeam_ransomware.txt
        │   ├── thrower.txt
        │   ├── thunderfox.txt
        │   ├── tibs.txt
        │   ├── tikiloader.txt
        │   ├── tinba.txt
        │   ├── tinyloader.txt
        │   ├── tinynuke.txt
        │   ├── tinypos.txt
        │   ├── tipikit.txt
        │   ├── tispy.txt
        │   ├── titan.txt
        │   ├── tobor.txt
        │   ├── tofsee.txt
        │   ├── tokgrabber.txt
        │   ├── tookps.txt
        │   ├── toponev.txt
        │   ├── tor_backdoor.txt
        │   ├── torctrat.txt
        │   ├── torpig.txt
        │   ├── torrentlocker.txt
        │   ├── tovkater.txt
        │   ├── transferloader.txt
        │   ├── trat.txt
        │   ├── travle.txt
        │   ├── treasurehunter.txt
        │   ├── trickbot.txt
        │   ├── trinity.txt
        │   ├── triumphloader.txt
        │   ├── troldesh.txt
        │   ├── tron.txt
        │   ├── trox.txt
        │   ├── truebot.txt
        │   ├── tscookie.txt
        │   ├── tsundere.txt
        │   ├── tuhkit.txt
        │   ├── tupym.txt
        │   ├── turkojanrat.txt
        │   ├── tvrat.txt
        │   ├── tvspy.txt
        │   ├── typhon.txt
        │   ├── uat7290.txt
        │   ├── uboatrat.txt
        │   ├── ubomb.txt
        │   ├── udpos.txt
        │   ├── udprat.txt
        │   ├── ufr.txt
        │   ├── ultibot.txt
        │   ├── underground.txt
        │   ├── unicorn.txt
        │   ├── unidentrat.txt
        │   ├── unk_ransomware.txt
        │   ├── unruy.txt
        │   ├── up007.txt
        │   ├── upatre.txt
        │   ├── urausy.txt
        │   ├── ursaloader.txt
        │   ├── ursnif.txt
        │   ├── utopia.txt
        │   ├── vacban.txt
        │   ├── vadokrist.txt
        │   ├── vaggen.txt
        │   ├── vaimalandra.txt
        │   ├── valak.txt
        │   ├── valleyrat.txt
        │   ├── vanhelsing.txt
        │   ├── vanir.txt
        │   ├── varenyky.txt
        │   ├── vawtrak.txt
        │   ├── vbcheman.txt
        │   ├── vbrat.txt
        │   ├── vect_ransomware.txt
        │   ├── vector.txt
        │   ├── veety.txt
        │   ├── vektorx.txt
        │   ├── venom.txt
        │   ├── venus.txt
        │   ├── venusrat.txt
        │   ├── verblecon.txt
        │   ├── vespygrabber.txt
        │   ├── vespyrat.txt
        │   ├── vetra.txt
        │   ├── vexion.txt
        │   ├── vfokx.txt
        │   ├── vidar.txt
        │   ├── viknok.txt
        │   ├── vikro.txt
        │   ├── vilerat.txt
        │   ├── vinderuf.txt
        │   ├── violetrat.txt
        │   ├── vipersoftx.txt
        │   ├── virobot.txt
        │   ├── virtubot.txt
        │   ├── virtum.txt
        │   ├── virusrat.txt
        │   ├── virut.txt
        │   ├── vittalia.txt
        │   ├── vizom.txt
        │   ├── vjw0rm.txt
        │   ├── vncrat.txt
        │   ├── vobfus.txt
        │   ├── void.txt
        │   ├── volk.txt
        │   ├── vollgar.txt
        │   ├── voltaire.txt
        │   ├── vshell.txt
        │   ├── vssdestroy.txt
        │   ├── vulturi.txt
        │   ├── vundo.txt
        │   ├── vvs.txt
        │   ├── vxrat.txt
        │   ├── vystealer.txt
        │   ├── wacatac.txt
        │   ├── waledac.txt
        │   ├── wallyshack.txt
        │   ├── wanna_miner.txt
        │   ├── wannacry.txt
        │   ├── wannamine.txt
        │   ├── wapobi.txt
        │   ├── waprox.txt
        │   ├── warezov.txt
        │   ├── warlock.txt
        │   ├── warmcookie.txt
        │   ├── wasabiseed.txt
        │   ├── wastedlocker.txt
        │   ├── watchdog_miner.txt
        │   ├── wavebys.txt
        │   ├── weaxor_ransomware.txt
        │   ├── webcobra.txt
        │   ├── webffrat.txt
        │   ├── wecorl.txt
        │   ├── wecoym.txt
        │   ├── weecnaw.txt
        │   ├── westeal.txt
        │   ├── weyhro.txt
        │   ├── whipweave.txt
        │   ├── whispergate.txt
        │   ├── whitelock.txt
        │   ├── whiteshadow.txt
        │   ├── whitesnake.txt
        │   ├── wholocked_ransomware.txt
        │   ├── wickrme.txt
        │   ├── wifistealer.txt
        │   ├── wikiloader.txt
        │   ├── wildfire.txt
        │   ├── wildpressure.txt
        │   ├── wincirrat.txt
        │   ├── wingo.txt
        │   ├── winnti.txt
        │   ├── wip26.txt
        │   ├── wiseremote.txt
        │   ├── wndred.txt
        │   ├── wofeksad.txt
        │   ├── wograt.txt
        │   ├── wolfresearch.txt
        │   ├── wolphv.txt
        │   ├── woodyrat.txt
        │   ├── woozlist.txt
        │   ├── wpbrutebot.txt
        │   ├── wtracker.txt
        │   ├── wwolves.txt
        │   ├── xadupi.txt
        │   ├── xanthe_miner.txt
        │   ├── xaparo.txt
        │   ├── xavierera.txt
        │   ├── xaview.txt
        │   ├── xctdoor.txt
        │   ├── xehook.txt
        │   ├── xenorat.txt
        │   ├── xenos.txt
        │   ├── xenotix.txt
        │   ├── xfiles.txt
        │   ├── xhunt.txt
        │   ├── xillen.txt
        │   ├── xinglocker.txt
        │   ├── xinof.txt
        │   ├── xorium.txt
        │   ├── xp95.txt
        │   ├── xpay.txt
        │   ├── xploder.txt
        │   ├── xshark.txt
        │   ├── xtbl.txt
        │   ├── xtrat.txt
        │   ├── xworm.txt
        │   ├── yanisma.txt
        │   ├── yanluowang.txt
        │   ├── yenibot.txt
        │   ├── yibackdoor.txt
        │   ├── yimfoca.txt
        │   ├── yorotrooper.txt
        │   ├── yoursqldumps.txt
        │   ├── ytstealer.txt
        │   ├── yurei.txt
        │   ├── z0miner.txt
        │   ├── zaletelly.txt
        │   ├── zardoor.txt
        │   ├── zbbx.txt
        │   ├── zcrypt.txt
        │   ├── zegost.txt
        │   ├── zemot.txt
        │   ├── zenar_miner.txt
        │   ├── zenrat.txt
        │   ├── zephyrloader.txt
        │   ├── zeroaccess.txt
        │   ├── zerolockersec.txt
        │   ├── zeropadypt.txt
        │   ├── zerotolerance.txt
        │   ├── zetarink.txt
        │   ├── zeus.txt
        │   ├── zgrat.txt
        │   ├── zharkbot.txt
        │   ├── zherotee.txt
        │   ├── zhong.txt
        │   ├── zlader.txt
        │   ├── zloader.txt
        │   ├── zlob.txt
        │   ├── zlugin.txt
        │   ├── zombieboy.txt
        │   ├── zombrari.txt
        │   ├── zonidel.txt
        │   ├── zoomer.txt
        │   ├── zstealer.txt
        │   ├── zusy.txt
        │   ├── zxshell.txt
        │   ├── zyklon.txt
        │   └── zzsteal.txt
        ├── mass_scanner.txt
        ├── mass_scanner_cidr.txt
        └── suspicious/
            ├── android_pua.txt
            ├── anonymous_web_proxy.txt
            ├── bad_history.txt
            ├── bad_wpad.txt
            ├── blockchain_dns.txt
            ├── computrace.txt
            ├── connectwise.txt
            ├── crypto_mining.txt
            ├── dns_tunneling_service.txt
            ├── dnspod.txt
            ├── domain.txt
            ├── dprk_silivaccine.txt
            ├── dynamic_domain.txt
            ├── free_web_hosting.txt
            ├── i2p.txt
            ├── ipinfo.txt
            ├── meshagent.txt
            ├── nezha_rmmtool.txt
            ├── onion.txt
            ├── osx_pua.txt
            ├── parking_site.txt
            ├── port_proxy.txt
            ├── pua.txt
            ├── simplehelp.txt
            ├── superfish.txt
            ├── suspended_domain.txt
            ├── web_shells.txt
            └── xenarmor.txt

================================================
FILE CONTENTS
================================================

================================================
FILE: .gitattributes
================================================
*.py text eol=lf
*.txt text eol=lf
*.csv text eol=lf
*.js text eol=lf
*.ccs text eol=lf
*.css text eol=lf
*.html text eol=lf
*.conf text eol=lf
*.md text eol=lf
*.pem text eol=lf


================================================
FILE: .github/CODE_OF_CONDUCT.md
================================================
# Contributor Covenant Code of Conduct

## Our Pledge

We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, religion, or sexual identity
and orientation.

We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.

## Our Standards

Examples of behavior that contributes to a positive environment for our
community include:

* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
  and learning from the experience
* Focusing on what is best not just for us as individuals, but for the
  overall community

Examples of unacceptable behavior include:

* The use of sexualized language or imagery, and sexual attention or
  advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email
  address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
  professional setting

## Enforcement Responsibilities

Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.

Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.

## Scope

This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
maltrail.dev@gmail.com.
All complaints will be reviewed and investigated promptly and fairly.

All community leaders are obligated to respect the privacy and security of the
reporter of any incident.

## Enforcement Guidelines

Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:

### 1. Correction

**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.

**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.

### 2. Warning

**Community Impact**: A violation through a single incident or series
of actions.

**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or
permanent ban.

### 3. Temporary Ban

**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.

**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.

### 4. Permanent Ban

**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.

**Consequence**: A permanent ban from any sort of public interaction within
the community.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.0, available at
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.

Community Impact Guidelines were inspired by [Mozilla's code of conduct
enforcement ladder](https://github.com/mozilla/diversity).

[homepage]: https://www.contributor-covenant.org

For answers to common questions about this code of conduct, see the FAQ at
https://www.contributor-covenant.org/faq. Translations are available at
https://www.contributor-covenant.org/translations.


================================================
FILE: .github/CONTRIBUTING.md
================================================
# Contributing to Maltrail

## Reporting bugs

**Bug reports are welcome**!
Please report all bugs on the [issue tracker](https://github.com/stamparm/maltrail/issues).

If you have a security-related report, take the time to read the [Reporting Maltrail Security Vulnerability](https://github.com/stamparm/maltrail/blob/master/SECURITY.md) policy.

### Guidelines

* Before you submit a bug report, search both [open](https://github.com/stamparm/maltrail/issues?q=is%3Aopen+is%3Aissue) and [closed](https://github.com/stamparm/maltrail/issues?q=is%3Aissue+is%3Aclosed) issues to make sure the issue has not come up before.
* Make sure you can reproduce the bug with the latest release version of Maltrail.
* Your report should give detailed instructions on how to reproduce the problem. If Maltrail raises an unhandled exception, the entire traceback is needed. Details of the unexpected behaviour are welcome too. A small test case is ideal to have.
* If you are making an enhancement request (RFE, feature request), lay out the rationale for the feature you are requesting. Describe why the proposed feature would be useful.

## Submitting code changes

All code contributions are greatly appreciated. First off, clone the [Git repository](https://github.com/stamparm/maltrail), read the [User's manual](https://github.com/stamparm/maltrail/blob/master/README.md) and the [Wiki pages](https://github.com/stamparm/maltrail/wiki) carefully, go through the code yourself and [drop us an email](mailto:maltrail.dev@gmail.com) if you are having a hard time grasping its structure and meaning.

Our preferred method of patch submission is via a Git [pull request](https://help.github.com/articles/using-pull-requests).

Many [people](https://github.com/stamparm/maltrail/graphs/contributors) have contributed in different ways to the Maltrail development. See also the Maltrail's ["Thank you" list](https://github.com/stamparm/maltrail#thank-you).

### Guidelines

In order to maintain consistency and readability throughout the code, we ask that you adhere to the following instructions:

* Each patch should make one logical change.
* Avoid tabbing, use four blank spaces instead.
* Before you put time into a non-trivial patch, it is worth discussing it privately by [email](mailto:maltrail.dev@gmail.com).
* Do not change style on numerous files in one single pull request; we can [discuss](mailto:maltrail.dev@gmail.com) those before doing any major restyling, but be aware that personal preferences without strong support in [PEP 8](http://www.python.org/dev/peps/pep-0008/) will likely be rejected.
* Change fewer than five files per pull request - there is rarely a good reason to have more than five files changed in one pull request, as this dramatically increases the review time required to land (commit) any of those pull requests.
* Style that is too different from the main branch will be *adapted* on the developers' side.
* Do not touch anything inside `thirdparty/` folder.

## Maltrail trails contribution

All contributions to static trails (adding new Maltrail detections, fixing false positives, updating whitelist, etc) are greatly appreciated. Before you submit a contribution to the Maltrail detection trails database, take the time to read the respective auxiliary articles in Maltrail's Wiki:

* [Trail classes](https://github.com/stamparm/maltrail/wiki/Trail-classes) - Information about different classes of trails.
* [Specific detections](https://github.com/stamparm/maltrail/wiki/Specific-detections) - Information about Maltrail specific detections.
* [Maltrail trails structure](https://github.com/stamparm/maltrail/wiki/Maltrail-trails-structure) - Information about Maltrail trails structure.
* [Maltrail trails base format](https://github.com/stamparm/maltrail/wiki/Maltrail-trails-base-format) - Information about Maltrail trails base format.
* [Maltrail detection nuances](https://github.com/stamparm/maltrail/wiki/Maltrail-detection-nuances) - Information about Maltrail detection nuances.
* [Maltrail trails contribution](https://github.com/stamparm/maltrail/wiki/Maltrail-trails-contribution) - Information about Maltrail trails contribution.

## Licensing

By submitting code contributions to the Maltrail developers or via Git pull request, checking them into the Maltrail source code repository, it is understood (unless you specify otherwise) that you are offering the Maltrail copyright holders the unlimited, non-exclusive right to reuse, modify, and relicense the code. This is important because the inability to relicense code has caused devastating problems for other software projects. If you wish to specify special license conditions of your contributions, just say so when you send them.


================================================
FILE: .github/ISSUE_TEMPLATE/bug_report.md
================================================
---
name: Bug report
about: Create a report to help us improve Maltrail
title: "[BUG]"
labels: ''
assignees: ''

---

**Describe the bug**
A clear and concise description of what the bug is.

**How To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

**Expected behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Environment:**
 - Device: [e.g. Linux-based device, OPNSense plugin]
 - OS: [Linux, *BSD]
 - Type of Maltrail installation: [e.g. ```git clone``` command]
 - Problematic Maltrail component: [e.g. server, sensor, web-interface]
 - Maltrail version: [e.g. 0.59]
 - ```python-pcapy-ng``` version: [e.g. 1.0.9]

**Additional context**
Add any other context about the problem here.


================================================
FILE: .github/ISSUE_TEMPLATE/feature_request.md
================================================
---
name: Feature request
about: Suggest an idea for Maltrail project
title: "[Feature Request]"
labels: ''
assignees: ''

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.


================================================
FILE: .github/ISSUE_TEMPLATE/questions-and-support.md
================================================
---
name: Questions and Support
about: General topics. Questions and Support.
title: "[Questions and Support]"
labels: ''
assignees: ''

---

**Question**
Put your question about Maltrail's functionality here.

**Support**
Describe the issue you have with setting up Maltrail.


================================================
FILE: .github/workflows/docker-release.yml
================================================
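# Builds the Docker image from docker/Dockerfile on every pushed tag and
# publishes it to GHCR under the repository owner's namespace, both as
# <owner>/maltrail:<tag> and as <owner>/maltrail:latest.
name: Build and Push Docker Image on Tag

on:
  push:
    tags:
      - '*'

# Least privilege for the job-scoped GITHUB_TOKEN: reading the checkout and
# writing packages is all that the login and push to ghcr.io need.
permissions:
  contents: read
  packages: write

jobs:
  build-and-push:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # The tag name is exported as an environment variable and the later
      # shell steps reference "$TAG" instead of expanding ${{ env.TAG }}:
      # an expression is substituted into the script text before the shell
      # runs, so a tag name containing shell metacharacters would be
      # interpreted as script rather than treated as data.
      - name: Extract tag name
        id: vars
        run: echo "TAG=${GITHUB_REF#refs/tags/}" >> "$GITHUB_ENV"

      - name: Build Docker image
        run: |
          docker build -f docker/Dockerfile -t "ghcr.io/${{ github.repository_owner }}/maltrail:${TAG}" .

      - name: Push Docker image
        run: |
          docker push "ghcr.io/${{ github.repository_owner }}/maltrail:${TAG}"

      # Note: every pushed tag, pre-release ones included, also becomes "latest".
      - name: Tag and push image as latest
        if: success()
        run: |
          docker tag "ghcr.io/${{ github.repository_owner }}/maltrail:${TAG}" "ghcr.io/${{ github.repository_owner }}/maltrail:latest"
          docker push "ghcr.io/${{ github.repository_owner }}/maltrail:latest"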



================================================
FILE: .gitignore
================================================
*.py[cod]
*~
Pipfile*
docker-compose.override.yml


================================================
FILE: CHANGELOG
================================================
# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

#################################################################
#                 Maltrail Changelog File                       #
#################################################################

[+] Added functionality
[-] Deleted functionality
[!] Bug fixing
[=] Minor update or changed functionality

#################################################################



- Version 1.2 -> 1.3 (Upcoming release)


- Version 1.1 -> 1.2 (01 Mar 2026)

[+] FAIL2BAN_ALLOWLIST is implemented (Issue #19386)
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 1.0 -> 1.1 (01 Feb 2026)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.88 -> 1.0 (01 Jan 2026)

[=] Multiple updates and optimizations for regular static trails and the whitelist
[=] Major version is updated
[=] Project historical data trimmed, ~ 420Mb freed


- Version 0.87 -> 0.88 (01 Dec 2025)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.86 -> 0.87 (01 Nov 2025)

[=] "potential sql injection" heur is improved (Issue #19356)
[=] Multiple updates and optimizations for regular static trails and the whitelist


- Version 0.85 -> 0.86 (01 Oct 2025)

[=] Multiple updates and optimizations for regular static trails and the whitelist

- Version 0.84 -> 0.85 (01 Sep 2025)

[=] Multiple updates and optimizations for regular static trails and the whitelist

- Version 0.83 -> 0.84 (01 Aug 2025)

[=] Multiple improvements for Maltrail in Docker (Issues #19323, #19325)
[=] Multiple updates and optimizations for regular static trails and the whitelist
[-] Removing defunct blacklist (Issue #19339)


- Version 0.82 -> 0.83 (01 Jul 2025)

[!] Fix the bug of self-stored XSS in aliases (Issue #19321)
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.81 -> 0.82 (01 Jun 2025)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.80 -> 0.81 (01 May 2025)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.79 -> 0.80 (01 Apr 2025)

[!] Fix the bug of using a custom path configuration file (Issue #19304)
[=] Multiple updates and optimizations for regular static trails and the whitelist
[-] Removing defunct blacklist (Issue #19305)


- Version 0.78 -> 0.79 (01 Mar 2025)

[=] Multiple updates and optimizations for regular static trails and the whitelist


- Version 0.77 -> 0.78 (01 Feb 2025)

[=] Multiple updates and optimizations for regular static trails and the whitelist


- Version 0.76 -> 0.77 (01 Jan 2025)

[=] Multiple updates and optimizations for regular static trails and the whitelist


- Version 0.75 -> 0.76 (01 Dec 2024)

[=] Multiple updates and optimizations for regular static trails and the whitelist


- Version 0.74 -> 0.75 (01 Nov 2024)

[=] Multiple updates and optimizations for regular static trails and the whitelist


- Version 0.73 -> 0.74 (01 Oct 2024)

[=] Multiple updates and optimizations for regular static trails and the whitelist


- Version 0.72 -> 0.73 (01 Sep 2024)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.71 -> 0.72 (01 Aug 2024)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.70 -> 0.71 (01 Jul 2024)

[=] Maltrail docker container run is improved (Issue #19260)
[=] php-inj detection is improved (Issue #19262)
[=] Python 3.12 compatibility is improved (Issue #19257)
[=] Multiple updates and optimizations for regular static trails and the whitelist


- Version 0.69 -> 0.70 (01 Jun 2024)

[=] cruzit feed URL changed (Issue #19253)
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.68 -> 0.69 (01 May 2024)

[+] Support of simpleton IPv6 bogon address handling was added
[=] Multiple updates and optimizations for regular static trails and the whitelist





- Version 0.68 -> 0.69 (01 May 2024)

[+] Support of simpleton IPv6 bogon address handling was added
[=] Multiple updates and optimizations for regular static trails and the whitelist


- Version 0.67 -> 0.68 (01 Apr 2024)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.66 -> 0.67 (01 Mar 2024)

[=] Handling usage of pcapy lib instead of pcapy-ng is improved (Issue #19242)
[=] Fixed /server.py and /sensor.py restart in docker container (Issue #19243)
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.65 -> 0.66 (01 Feb 2024)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.64 -> 0.65 (01 Jan 2024)

[+] Customisable blacklists via BLACKLIST option in /maltrail.conf file (Issue #19230)
[=] Multiple updates and optimizations for regular static trails and the whitelist




- Version 0.63 -> 0.64 (01 Dec 2023)

[=] Multiple updates and optimizations for regular static trails and the whitelist




- Version 0.62 -> 0.63 (01 Nov 2023)

[=] FAIL2BAN_REGEX and REMOTE_SEVERITY_REGEX options were updated to handle "potential iot-malware download" heur (Issue #19207)
[=] Abuseipdb feed was updated (Issue #19208)
[=] "potential remote code execution" heur for CVE-2016-0545 detection is updated (Issue #19210)
[=] "potential remote code execution" heur is updated for MacOS process list tracking in HTTP POST-req (Issue #19214)
[=] Multiple updates and optimizations for regular static trails and the whitelist




- Version 0.61 -> 0.62 (01 Oct 2023)

[=] Multiple updates and optimizations for regular static trails and the whitelist
[=] Updates for mass_scanner and worst_asns trails




- Version 0.60 -> 0.61 (01 Sep 2023)

[!] Workaround to have working searx server (Issue #19199)
[=] Multiple updates and optimizations for regular static trails and the whitelist


- Version 0.59 -> 0.60 (01 Aug 2023)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.58 -> 0.59 (01 Jul 2023)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.57 -> 0.58 (01 Jun 2023)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.56 -> 0.57 (01 May 2023)

[!] Fixed login page GUI issue for mobile devices (Issue #19153)
[!] Fixed incorrect parsing of ViriBack feed (Issue #19154)
[=] Added new descriptions in "Specific detections" Wiki chapter
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.55 -> 0.56 (01 Apr 2023)

[=] Minor update for /feeds/emergingthreatsdns.py (Issue #19147)
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.54 -> 0.55 (01 Mar 2023)

[!] Fixed unauthenticated OS command injection vulnerability in http.py (Issue #19146)
[=] Minor update for _process_packet func in sensor (Issue #19129)
[=] Multiple updates and optimizations for regular static trails and the whitelist




- Version 0.53 -> 0.54 (01 Feb 2023)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.52 -> 0.53 (01 Jan 2023)

[-] Defunct 360-netlab feeds were deleted (Issue #19138)
[=] "potential data leakage" heur is improved
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.51 -> 0.52 (01 Dec 2022)

[=] "potential iot-malware download" heur is improved
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.50 -> 0.51 (01 Nov 2022)

[+] New Wiki pages are added
[!] Fixed deadlock of Docker output to stdout (Issue #19121)
[!] Definition of network interfaces is improved (Issue #19123)
[!] Fixed regex for /360bigviktor.py feed (Issue #19124)
[!] Fixed syscalls handling (Issue #19125)
[=] "potential remote code execution" heuristic is improved
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.49 -> 0.50 (01 Oct 2022)

[=] "potential remote code execution" heur for CVE-2022-30190 detection is updated
[=] "Maltrail detection nuances" wiki-page is updated
[=] "Trail classes" wiki-page is updated
[=] Multiple updates and optimizations for regular static trails and the whitelist

- Version 0.48 -> 0.49 (01 Sep 2022)

[!] Fixed row rendering in UI (Issue #19109)
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.47 -> 0.48 (01 Aug 2022)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.46 -> 0.47 (01 Jul 2022)

[+] "potential ssti injection" heuristic is added (CVE-2022-26134)
[=] "potential data leak" heuristic is improved
[=] "Trail-classes" wiki page is updated
[=] /requirements.txt file is updated (pcapy-ng)
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.45 -> 0.46 (01 Jun 2022)

[+] New Wiki page is added
[=] "potential remote code execution" heuristic is improved (CVE-2022-1388)
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.44 -> 0.45 (01 May 2022)

[+] systemd-based realization for Maltrail sensor.py, server.py and ipset/iptables ban-list (dedicated repo) were added
[+] New Wiki pages are added
[=] "potential remote code execution" heuristic is improved (detection for Java-related RCE stuff)
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.43 -> 0.44 (01 Apr 2022)

[=] "potential remote code execution" heuristic is improved
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.42 -> 0.43 (01 Mar 2022)

[=] "potential remote code execution" heuristic is improved
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.41 -> 0.42 (01 Feb 2022)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.40 -> 0.41 (01 Jan 2022)

[+] "potential remote code execution" heuristic is extended for log4j/log4shell (CVE-2021-44228) vulnerability detection
[+] "generic_log4shell.txt" and "hacked_log4j.txt" trails were added for log4j/log4shell (CVE-2021-44228) vulnerability static detection
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.39 -> 0.40 (01 Dec 2021)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.38 -> 0.39 (01 Nov 2021)

[=] "potential directory traversal" heuristic is extended
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.37 -> 0.38 (03 Oct 2021)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.36 -> 0.37 (02 Sep 2021)


[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.35 -> 0.36 (02 Aug 2021)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.34 -> 0.35 (04 Jul 2021)

[+] Added the prototype of heur for potential web scanning attempts
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.33 -> 0.34 (10 Jun 2021)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.32 -> 0.33 (10 Jun 2021)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.31 -> 0.32 (10 May 2021)

[!] Fixed PR_END_OF_FILE_ERROR bug, when using HTTPS for Maltrail's server (Issue #16217)
[!] Fixed bug with TLSv1_2_METHOD (Issue #16250)
[+] Added displaying real IP behind Cloudflare's one (Issue #20)
[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.30 -> 0.31 (01 Apr 2021)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.29 -> 0.30 (01 Mar 2021)

[=] Multiple updates and optimizations for regular static trails and the whitelist



- Version 0.28 -> 0.29 (01 Feb 2021)

[+] Two new UI features (hide threat and report false positive options)
[+] Auto-refresh for Maltrail web-page (/?refresh=N, where N is in seconds. Issue #624)
[+] Maltrail demo pages are released: maltraildemo.github.io
[=] Multiple updates and optimizations for regular static trails and the whitelist
[=] Potential DNS changer heur is improved
[+] Implemented colorized console output
[=] Minor style revamp and improved look and feel on mobile phones
[-] Memory check is removed
[+] Added info for proper Maltrail citation (/CITATION.cff)
[=] Added starting and ending times to console output



- Version 0.27 -> 0.28 (01 Jan 2021)

[+] Implementing support for LOGSTASH_SERVER (Logs in JSON format)
[+] Implementing REMOTE_SEVERITY_REGEX (Issue #13251)
[=] Sensor is able to get started without server (Issue #6020)
[=] Multiple updates and optimizations for regular static trails and the whitelist


================================================
FILE: CITATION.cff
================================================
# YAML 1.2
---
cff-version: "1.1.0"
message: "If you use this software, please cite it using these metadata."
doi: 10.23721/100/1503924
title: "Maltrail - Malicious traffic detection system"
authors: 
  -
    family-names: Stampar
    given-names: Miroslav
    orcid: "https://orcid.org/0000-0002-2662-5469"
  -
    family-names: Kasimov
    given-names: Mikhail
abstract: "Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists"
date-released: 2014-12-04
repository-code: "https://github.com/stamparm/maltrail"
license: MIT
...


================================================
FILE: LICENSE
================================================
The MIT License (MIT)

Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


================================================
FILE: README.md
================================================
![Maltrail](https://i.imgur.com/3xjInOD.png)

[![Python 2.6|2.7|3.x](https://img.shields.io/badge/python-2.6|2.7|3.x-yellow.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-MIT-red.svg)](https://github.com/stamparm/maltrail#license) [![X](https://img.shields.io/badge/X-%40maltrail-black.svg)](https://x.com/maltrail)

## Content

- [Introduction](#introduction)
- [Architecture](#architecture)
- [Demo pages](#demo-pages)
- [Requirements](#requirements)
- [Quick start](#quick-start)
- [Administrator's guide](#administrators-guide)
 - [Sensor](#sensor)
 - [Server](#server)
- [User's guide](#users-guide)
 - [Reporting interface](#reporting-interface)
- [Real-life cases](#real-life-cases)
 - [Mass scans](#mass-scans)
 - [Anonymous attackers](#anonymous-attackers)
 - [Service attackers](#service-attackers)
 - [Malware](#malware)
 - [Suspicious domain lookups](#suspicious-domain-lookups)
 - [Suspicious ipinfo requests](#suspicious-ipinfo-requests)
 - [Suspicious direct file downloads](#suspicious-direct-file-downloads)
 - [Suspicious HTTP requests](#suspicious-http-requests)
 - [Port scanning](#port-scanning)
 - [DNS resource exhaustion](#dns-resource-exhaustion)
 - [Data leakage](#data-leakage)
 - [False positives](#false-positives)
- [Best practice(s)](#best-practices)
- [License](#license)
- [Sponsors](#sponsors)
- [Developers](#developers)
- [Presentations](#presentations)
- [Publications](#publications)
- [Blacklist](#blacklist)
- [Thank you](#thank-you)
- [Third-party integrations](#third-party-integrations)

## Introduction

**Maltrail** is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where a trail can be anything from a domain name (e.g. `zvpprsensinaix.com` for [Banjori](https://bin.re/blog/the-dga-of-banjori/) malware), URL (e.g. `hXXp://109.162.38.120/harsh02.exe` for known malicious [executable](https://www.virustotal.com/en/file/61f56f71b0b04b36d3ef0c14bbbc0df431290d93592d5dd6e3fffcc583ec1e12/analysis/)), IP address (e.g. `185.130.5.231` for known attacker) or HTTP User-Agent header value (e.g. `sqlmap` for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in the discovery of unknown threats (e.g. new malware).

![Reporting tool](https://i.imgur.com/Sd9eqoa.png)

The following (black)lists (i.e. feeds) are being utilized:

```
360bigviktor, 360chinad, 360conficker, 360cryptolocker, 360gameover, 
360locky, 360necurs, 360suppobox, 360tofsee, 360virut, abuseipdb, alienvault, 
atmos, badips, bitcoinnodes, blackbook, blocklist, botscout, 
bruteforceblocker, ciarmy, cobaltstrike, cruzit, cybercrimetracker, 
dataplane, dshieldip, emergingthreatsbot, emergingthreatscip, 
emergingthreatsdns, feodotrackerip, gpfcomics, greensnow, ipnoise,
kriskinteldns, kriskintelip, malc0de, malwaredomainlistdns, malwaredomains,
maxmind, minerchk, myip, openphish, palevotracker, policeman, pony,
proxylists, proxyrss, proxyspy, ransomwaretrackerdns, ransomwaretrackerip, 
ransomwaretrackerurl, riproxies, rutgers, sblam, socksproxy, sslbl, 
sslproxies, talosintelligence, torproject, trickbot, turris, urlhaus, 
viriback, vxvault, zeustrackermonitor, zeustrackerurl, etc.
```

As for static entries, the trails for the following malicious entities (e.g. malware C&Cs or sinkholes) have been manually included (from various AV reports and personal research):

```
1ms0rry, 404, 9002, aboc, absent, ab, acbackdoor, acridrain, activeagent, 
adrozek, advisorbot, adwind, adylkuzz, adzok, afrodita, agaadex, agenttesla, 
aldibot, alina, allakore, almalocker, almashreq, alpha, alureon, amadey, 
amavaldo, amend_miner, ammyyrat, android_acecard, android_actionspy, 
android_adrd, android_ahmythrat, android_alienspy, android_andichap, 
android_androrat, android_anubis, android_arspam, android_asacub, 
android_backflash, android_bankbot, android_bankun, android_basbanke, 
android_basebridge, android_besyria, android_blackrock, android_boxer, 
android_buhsam, android_busygasper, android_calibar, android_callerspy, 
android_camscanner, android_cerberus, android_chuli, android_circle, 
android_claco, android_clickfraud, android_cometbot, android_cookiethief, 
android_coolreaper, android_copycat, android_counterclank, android_cyberwurx, 
android_darkshades, android_dendoroid, android_dougalek, android_droidjack, 
android_droidkungfu, android_enesoluty, android_eventbot, android_ewalls, 
android_ewind, android_exodus, android_exprespam, android_fakeapp, 
android_fakebanco, android_fakedown, android_fakeinst, android_fakelog, 
android_fakemart, android_fakemrat, android_fakeneflic, android_fakesecsuit, 
android_fanta, android_feabme, android_flexispy, android_fobus, 
android_fraudbot, android_friend, android_frogonal, android_funkybot, 
android_gabas, android_geinimi, android_generic, android_geost, 
android_ghostpush, android_ginmaster, android_ginp, android_gmaster, 
android_gnews, android_godwon, android_golddream, android_goldencup, 
android_golfspy, android_gonesixty, android_goontact, android_gplayed, 
android_gustuff, android_gypte, android_henbox, android_hiddad, 
android_hydra, android_ibanking, android_joker, android_jsmshider, 
android_kbuster, android_kemoge, android_ligarat, android_lockdroid, 
android_lotoor, android_lovetrap, android_malbus, android_mandrake, 
android_maxit, android_mobok, android_mobstspy, android_monokle, 
android_notcompatible, android_oneclickfraud, android_opfake, 
android_ozotshielder, android_parcel, android_phonespy, android_pikspam, 
android_pjapps, android_qdplugin, android_raddex, android_ransomware, 
android_redalert, android_regon, android_remotecode, android_repane, 
android_riltok, android_roamingmantis, android_roidsec, android_rotexy, 
android_samsapo, android_sandrorat, android_selfmite, android_shadowvoice, 
android_shopper, android_simbad, android_simplocker, android_skullkey, 
android_sndapps, android_spynote, android_spytekcell, android_stels, 
android_svpeng, android_swanalitics, android_teelog, android_telerat, 
android_tetus, android_thiefbot, android_tonclank, android_torec, 
android_triada, android_uracto, android_usbcleaver, android_viceleaker, 
android_vmvol, android_walkinwat, android_windseeker, android_wirex, 
android_wolfrat, android_xavirad, android_xbot007, android_xerxes, 
android_xhelper, android_xploitspy, android_z3core, android_zertsecurity, 
android_ztorg, andromeda, antefrigus, antibot, anubis, anuna, apocalypse, 
apt_12, apt_17, apt_18, apt_23, apt_27, apt_30, apt_33, apt_37, apt_38, 
apt_aridviper, apt_babar, apt_bahamut, etc.
```

## Architecture

Maltrail is based on the **Traffic** -> **Sensor** <-> **Server** <-> **Client** architecture. **Sensor**(s) is a standalone component running on the monitoring node (e.g. Linux platform connected passively to the SPAN/mirroring port or transparently inline on a Linux bridge) or at the standalone machine (e.g. Honeypot) where it "monitors" the passing **Traffic** for blacklisted items/trails (i.e. domain names, URLs and/or IPs). In case of a positive match, it sends the event details to the (central) **Server** where they are being stored inside the appropriate logging directory (i.e. `LOG_DIR` described in the *Configuration* section). If **Sensor** is being run on the same machine as **Server** (default configuration), logs are stored directly into the local logging directory. Otherwise, they are being sent via UDP messages to the remote server (i.e. `LOG_SERVER` described in the *Configuration* section).

![Architecture diagram](https://i.imgur.com/2IP9Mh2.png)

**Server**'s primary role is to store the event details and provide back-end support for the reporting web application. In the default configuration, server and sensor run on the same machine. So, to prevent potential disruptions in sensor activities, the front-end reporting part is based on the ["Fat client"](https://en.wikipedia.org/wiki/Fat_client) architecture (i.e. all data post-processing is done inside the client's web browser instance). Events (i.e. log entries) for the chosen (24h) period are transferred to the **Client**, where the reporting web application is solely responsible for the presentation part. Data is sent toward the client in compressed chunks, which are processed sequentially. The final report is created in a highly condensed form, practically allowing presentation of a virtually unlimited number of events.

Note: the **Server** component can be skipped altogether and the standalone **Sensor** used on its own. In that case, all events are stored in the local logging directory, where the log entries can be examined either manually or with a CSV reading application.

## Demo pages

Fully functional demo pages with collected real-life threats can be found [here](https://maltraildemo.github.io/).

## Requirements

To run Maltrail properly, [Python](https://www.python.org/download/) **2.6**, **2.7** or **3.x** is required on \*nix/BSD system, together with installed [pcapy-ng](https://pypi.org/project/pcapy-ng/) package.

**NOTE:** Please use ```pcapy-ng```. The older ```pcapy``` library is deprecated and causes issues in Python 3 environments. [Examples](https://github.com/stamparm/maltrail/issues?q=label%3Apcapy-ng-related+is%3Aclosed).

- **Sensor** component requires at least 1GB of RAM to run in single-process mode or more if run in multiprocessing mode, depending on the value used for option `CAPTURE_BUFFER`. Additionally, **Sensor** component (in the general case) requires administrative/root privileges.

- **Server** component does not have any special requirements.

## Quick start

The following set of commands should get your Maltrail **Sensor** up and running (out of the box with default settings and monitoring interface "any"):

- For **Ubuntu/Debian**

```sh
# libpcap headers and a build toolchain (presumably needed because pcapy-ng is compiled on install), plus procps/schedtool
sudo apt-get install git python3 python3-dev python3-pip python-is-python3 libpcap-dev build-essential procps schedtool
# Use pcapy-ng, not the deprecated pcapy (see the NOTE under Requirements); this installs it system-wide as root
sudo pip3 install pcapy-ng
git clone --depth 1 https://github.com/stamparm/maltrail.git
cd maltrail
# Packet capture needs root privileges (see Requirements); runs in the foreground with the repository's default maltrail.conf
sudo python3 sensor.py
```

- For **SUSE/openSUSE**

```sh
# libpcap headers and a build toolchain (presumably needed because pcapy-ng is compiled on install), plus procps/schedtool
sudo zypper install gcc gcc-c++ git libpcap-devel python3-devel python3-pip procps schedtool
# Use pcapy-ng, not the deprecated pcapy (see the NOTE under Requirements); this installs it system-wide as root
sudo pip3 install pcapy-ng
git clone --depth 1 https://github.com/stamparm/maltrail.git
cd maltrail
# Packet capture needs root privileges (see Requirements); runs in the foreground with the repository's default maltrail.conf
sudo python3 sensor.py
```

Don't forget to put interfaces in promiscuous mode as needed: 

```sh
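# Enable promiscuous mode on every interface using iproute2. `ifconfig` belongs to net-tools, which neither
# package list above installs and which is absent on many current distributions, so the original loop can
# fail with "command not found". Needs root (hence sudo, as in the quick-start commands above).
# ${dev%%@*} strips the "@peer" suffix that `ip` prints for veth-style interfaces.
for dev in $(ip -o link show | awk -F': ' '{print $2}'); do sudo ip link set "${dev%%@*}" promisc on; done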
```

![Sensor](https://i.imgur.com/E9tt2ek.png)

To start the (optional) **Server** on same machine, open a new terminal and execute the following:

```sh
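# Clone only if the sensor step above has not already done so
[[ -d maltrail ]] || git clone --depth 1 https://github.com/stamparm/maltrail.git
cd maltrail
# python3 explicitly, matching the sensor commands above: the SUSE package list does not provide a `python`
# alias (no python-is-python3). The server needs no special privileges (see Requirements).
python3 server.py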
```

![Server](https://i.imgur.com/loGW6GA.png)

- For **Docker**

Currently only the server is available as a container image.

Start the container with `docker run`: 

```sh
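# No local build is needed: the prebuilt image is pulled from ghcr.io on first run.
# 8338/tcp is the web interface (HTTP_PORT default); 8337/udp is presumably the UDP log collector (UDP_PORT) for remote sensors.
# -p without a host address publishes on all interfaces; use e.g. -p 127.0.0.1:8338:8338/tcp to keep the web UI local.
docker run -d --name maltrail --restart=unless-stopped -p 8338:8338/tcp -p 8337:8337/udp -v /etc/maltrail.conf:/opt/maltrail/maltrail.conf:ro ghcr.io/stamparm/maltrail:latest
# Update the image regularly. A stopped container keeps the image it was created from, so `docker start`
# after `docker pull` would still run the old version: remove the container and re-create it from the new tag.
docker stop maltrail
docker rm maltrail
docker pull ghcr.io/stamparm/maltrail:latest
docker run -d --name maltrail --restart=unless-stopped -p 8338:8338/tcp -p 8337:8337/udp -v /etc/maltrail.conf:/opt/maltrail/maltrail.conf:ro ghcr.io/stamparm/maltrail:latest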
```

If you need a fixed version, change the `docker run` command to start, for example, `ghcr.io/stamparm/maltrail:0.84` instead of `ghcr.io/stamparm/maltrail:latest`.

... or with `docker compose`:

```sh
# Start the services defined in docker-compose.yml (or your docker-compose.override.yml, see below)
docker compose up -d
# Update regularly: tear down, rebuild the image(s) from the current checkout, start again
docker compose down --remove-orphans
docker compose build
docker compose up -d
```

Don't edit the `docker-compose.yml` file directly, as this will be overwritten by `git pull`.  Instead, copy it to `docker-compose.override.yml` and edit that file; it is included in this repo's `.gitignore`.  

To test that everything is up and running execute the following:

```sh
# Generate one event (an address expected to be on a blacklist), then show today's log from the default log directory
ping -c 1 136.161.101.53
today="$(date +%F)"
cat "/var/log/maltrail/${today}.log"
```

![Test](https://i.imgur.com/NYJg6Kl.png)

Also, to test the capturing of DNS traffic you can try the following:

```sh
# DNS lookup of a blacklisted domain (listed under the andromeda trail in the syslog example above), then today's log
nslookup morphed.ru
today="$(date +%F)"
cat "/var/log/maltrail/${today}.log"
```

![Test2](https://i.imgur.com/62oafEe.png)

To stop **Sensor** and **Server** instances (if running in background) execute the following:

```sh
# -f matches against the full command line, so every process whose command line contains "sensor.py" /
# "server.py" is signalled. The sensor runs as root (hence sudo), the server as the user that started it.
sudo pkill -f sensor.py
pkill -f server.py
```

Access the reporting interface (i.e. **Client**) by visiting http://127.0.0.1:8338 (default credentials: `admin:changeme!`; change them in `maltrail.conf` before exposing the interface beyond localhost) from your web browser:

![Reporting interface](https://i.imgur.com/VAsq8cs.png)

## Administrator's guide

### Sensor

Sensor's configuration can be found inside the `maltrail.conf` file's section `[Sensor]`:

![Sensor's configuration](https://i.imgur.com/8yZKH14.png)

If option `USE_MULTIPROCESSING` is set to `true`, then all CPU cores will be used. One core will be used only for packet capture (with appropriate affinity, IO priority and nice level settings), while the other cores will be used for packet processing. Otherwise, everything will run on a single core. Option `USE_FEED_UPDATES` can be used to turn off the trail updates from feeds altogether (and just use the provided static ones). Option `UPDATE_PERIOD` contains the number of seconds between each automatic trails update (Note: the default value is `86400`, i.e. one day) using the definitions inside the `trails` directory (Note: both **Sensor** and **Server** take care of the trails update). Option `CUSTOM_TRAILS_DIR` can be used by the user to provide the location of a directory containing custom trails (`*.txt`) files.

Option `USE_HEURISTICS` turns on heuristic mechanisms (e.g. `long domain name (suspicious)`, `excessive no such domain name (suspicious)`, `direct .exe download (suspicious)`, etc.), potentially introducing false positives. Option `CAPTURE_BUFFER` presents a total memory (in bytes or percentage of total physical memory) to be used in case of multiprocessing mode for storing packet capture in a ring buffer for further processing by non-capturing processes. Option `MONITOR_INTERFACE` should contain the name of the capturing interface. Use value `any` to capture from all interfaces (if OS supports this). Option `CAPTURE_FILTER` should contain the network capture (`tcpdump`) filter to skip the uninteresting packets and ease the capturing process. Option `SENSOR_NAME` contains the name that should be appearing inside the events `sensor_name` value, so the event from one sensor could be distinguished from the other. If option `LOG_SERVER` is set, then all events are being sent remotely to the **Server**, otherwise they are stored directly into the logging directory set with option `LOG_DIR`, which can be found inside the `maltrail.conf` file's section `[All]`. In case that the option `UPDATE_SERVER` is set, then all the trails are being pulled from the given location, otherwise they are being updated from trails definitions located inside the installation itself.

Options `SYSLOG_SERVER` and/or `LOGSTASH_SERVER` can be used to send sensor events (i.e. log data) to non-Maltrail servers. In case of `SYSLOG_SERVER`, event data will be sent in CEF (*Common Event Format*) format to UDP (e.g. Syslog) service listening at the given address (e.g. `192.168.2.107:514`), while in case of `LOGSTASH_SERVER` event data will be sent in JSON format to UDP (e.g. Logstash) service listening at the given address (e.g. `192.168.2.107:5000`).

Example of event data being sent over UDP is as follows:

- For option `SYSLOG_SERVER` (Note: `LogSeverity` values are 0 (for low), 1 (for medium) and 2 (for high)):

```Dec 24 15:05:55 beast CEF:0|Maltrail|sensor|0.27.68|2020-12-24|andromeda (malware)|2|src=192.168.5.137 spt=60453 dst=8.8.8.8 dpt=53 trail=morphed.ru ref=(static)```

- For option `LOGSTASH_SERVER`:

```{"timestamp": 1608818692, "sensor": "beast", "severity": "high", "src_ip": "192.168.5.137", "src_port": 48949, "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "UDP", "type": "DNS", "trail": "morphed.ru", "info": "andromeda (malware)", "reference": "(static)"}```

When running the sensor (e.g. `sudo python sensor.py`) for the first time and/or after a longer period of non-running, it will automatically update the trails from trail definitions (Note: stored inside the `trails` directory). After the initialization, it will start monitoring the configured interface (option `MONITOR_INTERFACE` inside the `maltrail.conf`) and write the events to either the configured log directory (option `LOG_DIR` inside the `maltrail.conf` file's section `[All]`) or send them remotely to the logging/reporting **Server** (option `LOG_SERVER`).

![Sensor run](https://i.imgur.com/A0qROp8.png)

Detected events are stored inside the **Server**'s logging directory (i.e. option `LOG_DIR` inside the `maltrail.conf` file's section `[All]`) in easy-to-read CSV format (Note: whitespace ' ' is used as a delimiter) as single line entries consisting of: `time` `sensor` `src_ip` `src_port` `dst_ip` `dst_port` `proto` `trail_type` `trail` `trail_info` `reference` (e.g. `"2015-10-19 15:48:41.152513" beast 192.168.5.33 32985 8.8.8.8 53 UDP DNS 0000mps.webpreview.dsl.net malicious siteinspector.comodo.com`):

![Sample log](https://i.imgur.com/RycgVru.png)

### Server

Server's configuration can be found inside the `maltrail.conf` section `[Server]`:

![Server's configuration](https://i.imgur.com/TiUpLX8.png)

Option `HTTP_ADDRESS` contains the web server's listening address (Note: use `0.0.0.0` to listen on all interfaces). Option `HTTP_PORT` contains the web server's listening port. The default listening port is `8338`. If option `USE_SSL` is set to `true`, then `SSL/TLS` will be used for accessing the web server (e.g. `https://192.168.6.10:8338/`). In that case, option `SSL_PEM` should point to the server's PEM file containing the private key and certificate.

Subsection `USERS` contains the users' configuration settings. Each user entry consists of `username:sha256(password):UID:filter_netmask(s)`. Value `UID` represents the unique user identifier; it is recommended to use values lower than 1000 for administrative accounts and higher values for non-administrative accounts. The part `filter_netmask(s)` represents the comma-delimited hard filter(s) that can be used to restrict the shown events depending on the user account. The default entry is as follows:

![Configuration users](https://i.imgur.com/PYwsZkn.png)

Option `UDP_ADDRESS` contains the server's log collecting listening address (Note: use `0.0.0.0` to listen on all interfaces), while option `UDP_PORT` contains the listening port value. When turned on and used in combination with the sensor's option `LOG_SERVER`, this enables a distributed (multiple) **Sensor** <-> **Server** architecture.

Option `FAIL2BAN_REGEX` contains the regular expression (e.g. `attacker|reputation|potential[^"]*(web scan|directory traversal|injection|remote code|iot-malware download|spammer|mass scanner`) to be used in `/fail2ban` web calls for extraction of today's attacker source IPs. This allows the use of IP blocking mechanisms (e.g. `fail2ban`, `iptables` or `ipset`) by periodically pulling the blacklisted IP addresses from a remote location. Example usage would be the following script (e.g. run as a `root` cronjob once per minute):

```sh
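#!/bin/bash
# Refresh the "maltrail" ipset from the attacker source IPs the server publishes at /fail2ban (selected by
# FAIL2BAN_REGEX) and make sure a single INPUT rule drops traffic from that set. Meant to run as root from
# cron once per minute. Compared to a plain flush-and-refill:
#   - a failed fetch keeps the current set instead of emptying it (flushing on a transient error unblocks everything),
#   - the new list is built in a scratch set and swapped in atomically (no interval during which nothing is blocked),
#   - the iptables rule is inserted only when it is not already present (otherwise every cron run prepends a duplicate).
# Adjust the URL if HTTP_ADDRESS/HTTP_PORT differ or USE_SSL is enabled.
list="$(curl -sf http://127.0.0.1:8338/fail2ban 2>/dev/null)" || { echo "maltrail: fetching /fail2ban failed, keeping current set" >&2; exit 1; }
ipset -q create maltrail hash:net
ipset -q create maltrail-new hash:net
ipset -q flush maltrail-new
# Accept only plain dotted-quad IPv4 entries from the response; anything else is ignored
for ip in $(printf '%s\n' "$list" | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'); do
    ipset -q add maltrail-new "$ip"
done
# swap exchanges the contents of the two sets in one step; the old list ends up in maltrail-new and is discarded
ipset swap maltrail-new maltrail
ipset -q destroy maltrail-new
iptables -C INPUT -m set --match-set maltrail src -j DROP 2>/dev/null \
    || iptables -I INPUT -m set --match-set maltrail src -j DROP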
```

Option `BLACKLIST` allows building rules from regular expressions applied to a single field. Each rule has the syntax `<field> <control> <regexp>`, where:
* `field` indicates the field to compare, it can be: `src_ip`,`src_port`,`dst_ip`,`dst_port`,`protocol`,`type`,`trail` or `filter`.
* `control` can be either `~` for *matches* or `!~` for *doesn't match*
* `regexp` is the regular expression to apply to the field.
Chain another rule with the `and` keyword (the `or` keyword is not supported; add a separate line instead).

You can use the keyword `BLACKLIST` alone or add a name: `BLACKLIST_NAME`. In the latter case, the URL will be `/blacklist/name`.

For example, the following will build an `out` blacklist for all traffic from any source other than `192.168.0.0/16` to the `SSH` destination port or matching the filters `scan` or `known attacker`:
```
BLACKLIST_OUT
    src_ip !~ ^192.168. and dst_port ~ ^22$
    src_ip !~ ^192.168. and filter ~ scan
    src_ip !~ ^192.168. and filter ~ known attacker

BLACKLIST_IN
    src_ip ~ ^192.168. and filter ~ malware
```
Building an ipset blacklist works the same way (see above), except that the URLs will be `/blacklist/in` and `/blacklist/out` in our example.

Same as for **Sensor**, when running the **Server** (e.g. `python server.py`) for the first time and/or after a longer period of non-running, if option `USE_SERVER_UPDATE_TRAILS` is set to `true`, it will automatically update the trails from trail definitions (Note: stored inside the `trails` directory). Its basic function is to store the log entries inside the logging directory (i.e. option `LOG_DIR` inside the `maltrail.conf` file's section `[All]`) and provide the web reporting interface for presenting those same entries to the end-user (Note: there is no need to install the 3rd party web server packages like Apache):

![Server run](https://i.imgur.com/GHdGPw7.png)

## User's guide

### Reporting interface

When entering the **Server**'s reporting interface (i.e. via the address defined by options `HTTP_ADDRESS` and `HTTP_PORT`), user will be presented with the following authentication dialog. User has to enter the proper credentials that have been set by the server's administrator inside the configuration file `maltrail.conf` (Note: default credentials are `admin:changeme!`):

![User login](https://i.imgur.com/WVpASAI.png)

Once inside, user will be presented with the following reporting interface:

![Reporting interface](https://i.imgur.com/PZY8JEC.png)

The top part holds a sliding timeline (Note: activated after clicking the current date label and/or the calendar icon ![Calendar icon](https://i.imgur.com/NfNore9.png)) where the user can select logs for past events (Note: mouse over an event will trigger display of a tooltip with the approximate number of events for that date). Dates are grouped by months, where a 4-month period of data is displayed inside the widget itself. However, by using the provided slider (i.e. ![Timeline slider](https://i.imgur.com/SNGVSaP.png)) the user can easily access events from previous months.

![Timeline](https://i.imgur.com/RnIROcn.png)

Once the date is clicked, all events for that particular date are loaded and rendered by the client's web browser. Depending on the number of events and the network connection speed, loading and display of logged events can take from a couple of seconds up to several minutes (e.g. 100,000 events take around 5 seconds in total). For the whole processing time, an animated loader is displayed across the disabled user interface:

![Loader](https://i.imgur.com/oX7Rtjo.png)

Middle part holds a summary of displayed events. `Events` box represents the total number of events in the selected 24-hour period, where the red line represents IP-based events, the blue line DNS-based events and the yellow line URL-based events. `Sources` box represents the number of events per top sources in form of a stacked column chart, with the total number of sources on top. `Threats` box represents the percentage of top threats in form of a pie chart (Note: the gray area holds all threats having each &lt;1% of total events), with the total number of threats on top. `Trails` box represents the percentage of top trails in form of a pie chart (Note: the gray area holds all trails having each &lt;1% of total events), with the total number of trails on top. Each of these boxes is active, hence clicking on one of them will show a more detailed graph.

![Summary](https://i.imgur.com/5NFbqCb.png)

Bottom part holds a condensed representation of logged events in form of a paginated table. Each entry holds details for a single threat (Note: uniquely identified by a pair `(src_ip, trail)` or `(dst_ip, trail)` if the `src_ip` is the same as the `trail` as in case of attacks coming from the outside):

![Single threat](https://i.imgur.com/IxPwKKZ.png)

Column `threat` holds threat's unique ID (e.g. `85fdb08d`) and color (Note: extruded from the threat's ID), `sensor` holds sensor name(s) where the event has been triggered (e.g. `blitvenica`), `events` holds total number of events for a current threat, `severity` holds evaluated severity of threat (Note: calculated based on values in `info` and `reference` columns, prioritizing malware generated traffic), `first_seen` holds time of first event in a selected (24h) period (e.g. `06th 08:21:54`), `last_seen` holds time of last event in a selected (24h) period (e.g. `06th 15:21:23`), `sparkline` holds a small sparkline graph representing threat's activity in selected period, `src_ip` holds source IP(s) of a threat (e.g. `99.102.41.102`), `src_port` holds source port(s) (e.g. `44556, 44589, 44601`), `dst_ip` holds destination IP(s) (e.g. `213.202.100.28`), `dst_port` holds destination port(s) (e.g. `80 (HTTP)`), `proto` holds protocol(s), (e.g. `TCP`), `trail` holds a blacklisted (or heuristic) entry that triggered the event(s), `info` holds more information about the threat/trail (e.g. `known attacker` for known attacker's IP addresses or `ipinfo` for known IP information service commonly used by malware during a startup), `reference` holds a source of the blacklisted entry (e.g. `(static)` for static trails or `myip.ms` for a dynamic feed retrieved from that same source) and `tags` holds user defined tags for a given trail (e.g. `APT28`).

When moving mouse over `src_ip` and `dst_ip` table entries, information tooltip is being displayed with detailed reverse DNS and WHOIS information (Note: [RIPE](http://www.ripe.net/) is the information provider):

![On mouse over IP](https://i.imgur.com/BgKchAX.png)

Event details (e.g. `src_port`, `dst_port`, `proto`, etc.) that differ inside same threat entry are condensed in form of a bubble icon (i.e. ![Ellipsis](https://raw.githubusercontent.com/stamparm/maltrail/master/html/images/ellipsis.png)). This is performed to maintain a usable reporting interface with as few rows as possible. Moving mouse over such icon will result in a display of an information tooltip with all items held (e.g. all port numbers being scanned by `attacker`):

![On mouse over bubble](https://i.imgur.com/BfYT2u7.png)

Clicking on one such icon will open a new dialog containing all stored items (Note: in their uncondensed form) ready to be Copy-Paste(d) for further analysis:

![Ctrl-C dialog](https://i.imgur.com/9pgMpiR.png)

When hovering mouse pointer over the threat's trail for couple of seconds it will result in a frame consisted of results using the trail as a search term performed against [searX](https://searx.nixnet.services/) search engine. In lots of cases, this provides basic information about the threat itself, eliminating the need for user to do the manual search for it. In upper right corner of the opened frame window there are two extra buttons. By clicking the first one (i.e. ![New tab icon](https://raw.githubusercontent.com/stamparm/maltrail/master/html/images/newtab.png)), the resulting frame will be opened inside the new browser's tab (or window), while by clicking the second one (i.e. ![Close icon](https://raw.githubusercontent.com/stamparm/maltrail/master/html/images/close.png)) will immediately close the frame (Note: the same action is achieved by moving the mouse pointer outside the frame borders):

![On mouse over trail](https://i.imgur.com/ZxnHn1N.png)

For each threat there is a column `tag` that can be filled with arbitrary "tags" to closely describe all threats sharing the same trail. Also, it is a great way to describe threats individually, so all threats sharing the same tag (e.g. `yahoo`) could be grouped out later:

![Tags](https://i.imgur.com/u5Z4752.png)

### Real-life cases

In the following section some of the "usual suspects" scenarios will be described through the real-life cases.

#### Mass scans

Mass scans are a fairly common phenomenon where individuals and/or organizations give themselves a right to scan the whole 0.0.0.0/0 IP range (i.e. whole Internet) on a daily basis, with disclaimer where they say that if you don't like it then you should contact them privately to be skipped from future scans. 

![Shodan FileZilla results](https://i.imgur.com/nwOwLP9.png)

To make things worse, organizations such as [Shodan](https://www.shodan.io/) and [ZoomEye](http://www.zoomeye.org) make all results freely available (to other potential attackers) through their search engines. In the following screenshots you'll see details of Shodan scans in one single day.

Here is a reverse DNS and WHOIS lookup of the "attacker"'s address:

![Shodan 1](https://i.imgur.com/LQ6Vu00.png)

When hovering mouse pointer over the `trail` column's content (IP address), you'll be presented with the search results from [searX](https://searx.nixnet.services/) where you'll be able to find more information about the "attacker":

![Shodan 2](https://i.imgur.com/vIzB8bA.png)

In the `dst_ip` column, if you have a large organization, you'll be presented with large list of scanned IP addresses:
![Shodan 3](https://i.imgur.com/EhAtXs7.png)

In the `dst_port` column you'll be able to see all ports that have been scanned by such mass scans:

![Shodan 4](https://i.imgur.com/Wk8Xjhq.png)

In other similar situations you'll see the same behaviour, coming from blacklisted individual attacker(s) (in this case by [cinsscore.com](http://cinsscore.com/)):

![Known attacker](https://i.imgur.com/wSOOnQM.png)

One more common behaviour is scanning of the whole 0.0.0.0/0 IP range (i.e. Internet) in search for one particular port (e.g. TCP port 443 when [Heartbleed](http://heartbleed.com/) has been found). In the following screenshot you'll find one such case for previously blacklisted attacker(s) (in this case by [alienvault.com](http://alienvault.com) and two other blacklists) targeting the UDP port 5060 (i.e. SIP) in search for [misconfigured VoIP devices](https://isc.sans.edu/diary/Targeting+VoIP%3A+Increase+in+SIP+Connections+on+UDP+port+5060/9193):

![SIP scan](https://i.imgur.com/dkJfU86.png)

#### Anonymous attackers

To spot the potential attackers hidden behind the [Tor](https://www.torproject.org/) anonymity network, Maltrail utilizes publicly available lists of Tor exit nodes. In the following screenshot you'll see a case where potential attacker has been utilizing the Tor network to access the web target (over HTTP) in our organization's range in suspicious way (total 171 connection requests in 10 minutes):

![Tor attacker](https://i.imgur.com/dXF8r2K.png)

#### Service attackers

Fairly similar case to the previous one is when previously blacklisted attacker tries to access particular (e.g. non-HTTP(s)) service in our organization's range in rather suspicious way (i.e. total 1513 connection attempts in less than 15 minutes):

![RDP brute force](https://i.imgur.com/Oo2adCf.png)

If we enter the `ssh attacker` to the `Filter` field, we'll be able to see all similar occurrences for that day, but in this case for port 22 (i.e. SSH):

![SSH attackers filter](https://i.imgur.com/oCv42jd.png)

#### Malware

In case of connection attempts coming from infected computers inside our organization toward already known C&C servers, you'll be able to find threats similar to the following (in this case [Beebone](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Beebone)):

![beebone malware](https://i.imgur.com/GBLWISo.png)

In case of DNS requests containing known [DGA](https://en.wikipedia.org/wiki/Domain_generation_algorithm) domain names, threat will be shown like (in this case [Necurs](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Necurs)):

![necurs malware](https://i.imgur.com/8tWj2pm.png)

In the following case file downloads from blacklisted (in this case by [malwarepatrol.net](https://malwarepatrol.net/)) URL(s) have occurred:

![malware download](https://i.imgur.com/g2NH7sT.png)

If we enter the particular malware name (in this case [Ramnit](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fRamnit)) into the `Filter` field, only threats that are known to be linked to this malware will be filtered in (showing you all affected internal computers):

![ramnit malware](https://i.imgur.com/zcoPnZk.png)

More generally, if we enter the `malware` into the `Filter` field, all threats that have been found by malware(-related) trails (e.g. `IP` addresses) will be filtered in:

![malware filter](https://i.imgur.com/gVYAfSU.png)

#### Suspicious domain lookups

Maltrail uses the static list of TLD [domains](https://github.com/stamparm/maltrail/blob/master/trails/static/suspicious/domain.txt) that are known to be commonly involved in suspicious activities. Most such [TLD](https://en.wikipedia.org/wiki/Top-level_domain) domains are coming from free domain registrars (e.g. [Freenom](http://www.freenom.com)), hence they should be under greater scrutiny. In the following screenshot we can find a case where one such TLD domain `.cm` has been used by unknown malware using the [DGA](https://en.wikipedia.org/wiki/Domain_generation_algorithm) algorithm to contact its [C&C](https://www.trendmicro.com/vinfo/us/security/definition/command-and-control-%28c-c%29-server) server(s):

![cm DGA](https://i.imgur.com/JTGdtJ0.png)

There are also cases when perfectly valid TLD domains (e.g. `.ru`) are used for suspicious activities, as in this case (e.g. `long domain name (suspicious)`) where the domains are obviously DGA-generated by unknown malware:

![Suspicious long domains](https://i.imgur.com/EJOS5Qb.png)

Maltrail uses static [list](https://github.com/stamparm/maltrail/blob/master/trails/static/suspicious/dynamic_domain.txt) of so-called "dynamic domains" that are often used in suspicious activities (e.g. for malware C&C servers that often change the destination's IP addresses):

![Suspicious dynamic domains](https://i.imgur.com/1WVLMf9.png)

Also, Maltrail uses static [list](https://github.com/stamparm/maltrail/blob/master/trails/static/suspicious/onion.txt) of "onion"-related domains that are also often used in suspicious activities (e.g. malware contacting C&amp;C servers by using Tor2Web service(s)):

![Suspicious onion](https://i.imgur.com/QdoAY0w.png)

In case of old and/or obsolete malware that sits undetected on an organization's infected internal computers, there is often a "phenomenon" where the malware continuously tries to contact the long dead C&amp;C server's domain without any DNS resolution. Hence, such (potential) threats will be marked as `excessive no such domain (suspicious)`:

![Excessive no such domain name](https://i.imgur.com/KPwNOM8.png)

In case that one trail is responsible for too many threats (e.g. in case of fake source IPs like in DNS amplification attacks), all similar threats will be grouped under a single `flood` threat (Note: threat's ID will be marked with suffix `F0`), like in the following example:

![Flood](https://i.imgur.com/ZtpMR3d.png)

#### Suspicious ipinfo requests

Lots of malware uses some kind of `ipinfo` service (e.g. [ipinfo.io](http://ipinfo.io)) to find out the victim's Internet IP address. Regular requests of this kind, especially during out-of-office hours, should be closely monitored, like in the following example:

![suspicious ipinfo](https://i.imgur.com/3THOoWW.png)

By using filter `ipinfo` all potentially infected computers in our organization's range can be listed that share this kind of suspicious behaviour:

![ipinfo filter](https://i.imgur.com/6SMN0at.png)

#### Suspicious direct file downloads

Maltrail tracks all suspicious direct file download attempts (e.g. `.apk`, `.bin`, `.class`, `.chm`, `.dll`, `.egg`, `.exe`, `.hta`, `.hwp`, `.lnk`, `.ps1`, `.scr`, `.sct`, `.wbk` and `.xpi` file extensions). This can trigger lots of false positives, but eventually could help in reconstruction of the chain of infection (Note: legitimate service providers, like Google, usually use encrypted HTTPS to perform this kind of downloads):

![Direct .exe download](https://i.imgur.com/jr5BS1h.png)

#### Suspicious HTTP requests

In case of suspicious requests coming from outer web application security scanners (e.g. searching for SQLi, XSS, LFI, etc. vulnerabilities) and/or the internal user malicious attempts toward unknown web sites, threats like the following could be found (real case of attackers trying to exploit Joomla! CMS CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 [vulnerabilities](https://blog.sucuri.net/2015/10/joomla-3-4-5-released-fixing-a-serious-sql-injection-vulnerability.html)):

![SQLi com_contenthistory](https://i.imgur.com/pZuGXpr.png)

In following example, web application vulnerability scan has been marked as "suspicious":

![Vulnerability scan](https://i.imgur.com/QzcaEsG.png)

If we click on the bubble icon (i.e. ![Ellipsis](https://raw.githubusercontent.com/stamparm/maltrail/master/html/images/ellipsis.png)) for details and copy paste the whole content to a textual file, we'll be able to see all suspicious HTTP requests:

![Vulnerability scan requests](https://i.imgur.com/XY9K01o.png)

In the following screenshot, a run of popular SQLi vulnerability tool [sqlmap](https://github.com/sqlmapproject/sqlmap/) can be found inside our logs:

![sqlmap scan requests](https://i.imgur.com/mHZmM7t.png)

#### Port scanning

In case of too many connection attempts toward a considerable number of different TCP ports, Maltrail will warn about potential port scanning, as a result of its heuristic detection mechanism. In the following screenshot such warning(s) can be found for a run of the popular port scanning tool [nmap](https://nmap.org/):

![nmap scan](https://i.imgur.com/VS7L2A3.png)

#### DNS resource exhaustion

One popular DDoS attack against the web server(s) infrastructure is the resource exhaustion of its (main) DNS server by making valid DNS recursion queries for (pseudo)random subdomain names (e.g. `abpdrsguvjkyz.www.dedeni.com`):

![DNS resource exhaustion](https://i.imgur.com/RujhnKW.png)

#### Data leakage

Miscellaneous programs (especially mobile-based) present malware(-like) behaviour where they send potentially sensitive data to the remote beacon posts. Maltrail will try to capture such behaviour like in the following example:

![Data leakage](https://i.imgur.com/6zt2gXg.png)

#### False positives

Like all other security solutions, Maltrail is prone to "[false positives](https://en.wikipedia.org/wiki/False_positives_and_false_negatives)". In such cases, Maltrail will (especially in the case of `suspicious` threats) record a regular user's behaviour and mark it as malicious and/or suspicious. In the following example it can be seen that the blacklist feed provider `blocklist.de` marked a regular Google server as `attacker`(s), resulting in the following threat:

![Google false positive 1](https://i.imgur.com/HFvCNNK.png)

By hovering the mouse over the trail, the frame with results from [searX](https://searx.nixnet.services/) search shows that this is (most probably) a regular Google server:

![Google false positive 2](https://i.imgur.com/i3oydv6.png)

As another example, access to regular `.work` domains (a popular TLD for malicious purposes) resulted in the following threat:

![Suspicious domain false positive](https://i.imgur.com/Msq8HgH.png)

Nevertheless, administrator(s) should invest some extra time and check (by other means) whether "suspicious" actually means malicious, as in the following example:

![Suspicious .ws](https://i.imgur.com/bOLmXUE.png)

## Best practice(s)

1. Install Maltrail:

- On **Ubuntu/Debian**

    ```sh
    sudo apt-get install git python3 python3-dev python3-pip python-is-python3 libpcap-dev build-essential procps schedtool
    sudo pip3 install pcapy-ng
    cd /tmp
    git clone --depth 1 https://github.com/stamparm/maltrail.git
    sudo mv /tmp/maltrail /opt
    sudo chown -R $USER:$USER /opt/maltrail
    ```
    
- On **SUSE/openSUSE**

   ```sh
   sudo zypper install gcc gcc-c++ git libpcap-devel python3-devel python3-pip procps schedtool
   sudo pip3 install pcapy-ng
   cd /tmp
   git clone --depth 1 https://github.com/stamparm/maltrail.git
   sudo mv /tmp/maltrail /opt
   sudo chown -R $USER:$USER /opt/maltrail
   ```

2. Set working environment:

    ```sh
    sudo mkdir -p /var/log/maltrail
    sudo mkdir -p /etc/maltrail
    sudo cp /opt/maltrail/maltrail.conf /etc/maltrail
    sudo nano /etc/maltrail/maltrail.conf
    ```

3. Set running environment:

    * `crontab -e  # autostart server & periodic update`

    ```
    */5 * * * * if [ -n "$(ps -ef | grep -v grep | grep 'server.py')" ]; then : ; else python3 /opt/maltrail/server.py -c /etc/maltrail/maltrail.conf; fi
    0 1 * * * cd /opt/maltrail && git pull
    ```

    * `sudo crontab -e  # autostart sensor & periodic restart`

    ```
    */1 * * * * if [ -n "$(ps -ef | grep -v grep | grep 'sensor.py')" ]; then : ; else python3 /opt/maltrail/sensor.py -c /etc/maltrail/maltrail.conf; fi
    2 1 * * * /usr/bin/pkill -f maltrail
    ```

4. Enable as systemd services (Linux only):

    ```sh
    sudo cp /opt/maltrail/maltrail-sensor.service /etc/systemd/system/maltrail-sensor.service
    sudo cp /opt/maltrail/maltrail-server.service /etc/systemd/system/maltrail-server.service
    sudo systemctl daemon-reload
    sudo systemctl start maltrail-server.service
    sudo systemctl start maltrail-sensor.service
    sudo systemctl enable maltrail-server.service
    sudo systemctl enable maltrail-sensor.service
    systemctl status maltrail-server.service && systemctl status maltrail-sensor.service
    
    ```
    
  **Note**: `maltrail-sensor.service` can be started as a dedicated service without a pre-started `maltrail-server.service`. This is useful in the case when `maltrail-server.service` is installed and running on another machine in your network environment.


## License

This software is provided under a MIT License. See the accompanying [LICENSE](https://github.com/stamparm/maltrail/blob/master/LICENSE) file for more information.

## Sponsors

* [Sansec](https://sansec.io/) (2024-2025)
* [Sansec](https://sansec.io/) (2020-2021)

## Developers

* Miroslav Stampar ([@stamparm](https://github.com/stamparm))
* Mikhail Kasimov ([@MikhailKasimov](https://github.com/MikhailKasimov))

## Presentations

* 47th TF-CSIRT Meeting, Prague (Czech Republic), 2016 ([slides](https://www.terena.org/activities/tf-csirt/meeting47/M.Stampar-Maltrail.pdf))

## Publications

* Detect attacks on your network with Maltrail, Linux Magazine, 2022 ([Annotation](https://www.linux-magazine.com/Issues/2022/258/Maltrail))
* Best Cyber Threat Intelligence Feeds ([SilentPush Review, 2022](https://www.silentpush.com/blog/best-cyber-threat-intelligence-feeds))
* Research on Network Malicious Traffic Detection System Based on Maltrail ([Nanotechnology Perceptions, ISSN 1660-6795, 2024](https://nano-ntp.com/index.php/nano/article/view/1915/1497))

## Blacklist

* Maltrail's daily updated blacklist of malware-related domains can be found [here](https://raw.githubusercontent.com/stamparm/aux/master/maltrail-malware-domains.txt). It is based on trails found at [trails/static/malware](trails/static/malware) and can be safely used for DNS traffic blocking purposes.

## Thank you

* Thomas Kristner
* Eduardo Arcusa Les
* James Lay
* Ladislav Baco (@laciKE)
* John Kristoff (@jtkdpu)
* Michael M&uuml;nz (@mimugmail)
* David Brush
* @Godwottery
* Chris Wild (@briskets)
* Keith Irwin (@ki9us)
* Simon Szustkowski (@simonszu)

## Third-party integrations

* [FreeBSD Port](https://www.freshports.org/security/maltrail)
* [OPNSense Gateway Plugin](https://github.com/opnsense/plugins/pull/1257)
* [D4 Project](https://www.d4-project.org/2019/09/25/maltrail-integration.html)
* [BlackArch Linux](https://github.com/BlackArch/blackarch/blob/master/packages/maltrail/PKGBUILD)
* [Validin LLC](https://x.com/ValidinLLC/status/1719666086390517762)
* [Maltrail Add-on for Splunk](https://splunkbase.splunk.com/app/7211)
* [Maltrail decoder and rules for Wazuh](https://github.com/MikhailKasimov/maltrail-wazuh-decoder-and-rules)
* [GScan](https://github.com/grayddq/GScan) <sup>1</sup>
* [MalwareWorld](https://www.malwareworld.com/) <sup>1</sup>
* [oisd | domain blocklist](https://oisd.nl/?p=inc) <sup>1</sup>
* [NextDNS](https://github.com/nextdns/metadata/blob/e0c9c7e908f5d10823b517ad230df214a7251b13/security/threat-intelligence-feeds.json) <sup>1</sup>
* [NoTracking](https://github.com/notracking/hosts-blocklists/blob/master/SOURCES.md) <sup>1</sup>
* [OWASP Mobile Audit](https://github.com/mpast/mobileAudit#environment-variables) <sup>1</sup>
* [Mobile-Security-Framework-MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/12b07370674238fa4281fc7989b34decc2e08876) <sup>1</sup>
* [pfBlockerNG-devel](https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/www/pfblockerng/pfblockerng_feeds.json) <sup>1</sup>
* [Sansec eComscan](https://sansec.io/kb/about-ecomscan/ecomscan-license)<sup>1</sup>
* [Palo Alto Networks Cortex XSOAR](https://xsoar.pan.dev/docs/reference/integrations/github-maltrail-feed)<sup>2</sup>
 
<sup>1</sup> Using (only) trails

<sup>2</sup> Connector to trails (only)


================================================
FILE: SECURITY.md
================================================
---
title: Maltrail Security Vulnerability Reports
category: contributing
layout: default
SPDX-License-Identifier: MIT
---

## Reporting Maltrail Security Vulnerability

The Maltrail team appreciates your efforts in discovering security vulnerabilities in [Maltrail](https://github.com/stamparm/maltrail): Malicious traffic detection system.

If you discover a Maltrail security vulnerability, we'd appreciate non-public disclosure. Maltrail team developers can be contacted privately at the **maltrail.vulns[@]gmail.com** email address.

The disclosure of a discovered security vulnerability will be coordinated with the Maltrail team.

Maltrail's [issues tracker](https://github.com/stamparm/maltrail/issues) and [pull requests tracker](https://github.com/stamparm/maltrail/pulls) are fully public.

## Supported Versions


| Version | Supported          |
| ------- | ------------------ |
| All versions  | :white_check_mark: |


================================================
FILE: core/__init__.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""

pass


================================================
FILE: core/addr.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""

import re

from core.compat import xrange

def addr_to_int(value):
    """
    Converts a dotted-quad IPv4 string into its 32-bit integer form.

    :param value: address such as "192.168.1.1"
    :return: integer (3232235777 for the example above)
    :raises IndexError: when fewer than four dot-separated parts are present
    :raises ValueError: when a part is not an integer
    """

    parts = value.split('.')
    # Parts are converted in order, so a non-numeric early part raises
    # ValueError before a missing later part raises IndexError
    a, b, c, d = (int(parts[i]) for i in (0, 1, 2, 3))
    return (a << 24) + (b << 16) + (c << 8) + d

def int_to_addr(value):
    """
    Converts a 32-bit integer into dotted-quad IPv4 notation (inverse of addr_to_int).

    :param value: integer address
    :return: string such as "192.168.1.1"
    """

    octets = [(value >> shift) & 0xff for shift in (24, 16, 8, 0)]
    return '.'.join(map(str, octets))

def make_mask(bits):
    """
    Builds the 32-bit network mask for a CIDR prefix length.

    :param bits: prefix length, 0..32
    :return: integer mask (e.g. 0xffffff00 for 24)
    """

    host_bits = 32 - bits
    host_part = (1 << host_bits) - 1
    return 0xffffffff ^ host_part

def compress_ipv6(address):
    """
    Shortens a fully expanded IPv6 string: the longest run of "0000:" groups is
    collapsed into "::" and leading zeros are stripped from the other groups.

    Addresses without any "0000:" group are returned untouched (their leading
    zeros are not stripped either).

    :param address: expanded address, e.g. "2001:0db8:0000:0000:0000:0000:0000:0001"
    :return: compressed form, e.g. "2001:db8::1"
    """

    zero_runs = re.findall("(?:0000:)+", address)
    if not zero_runs:
        return address

    # Equal-length runs are identical strings, so picking any longest one and
    # replacing its first occurrence gives the same result as the sort-based form
    longest = max(zero_runs, key=len)
    address = address.replace(longest, ":", 1)
    address = re.sub(r"(\A|:)0+(\w)", r"\g<1>\g<2>", address)

    # Loopback ends up as ":1" after the collapse; restore the leading "::"
    return "::1" if address == ":1" else address

# Note: socket.inet_ntop not available everywhere (Reference: https://docs.python.org/2/library/socket.html#socket.inet_ntop)
def inet_ntoa6(packed_ip):
    """
    Converts a 16-byte packed IPv6 address into compressed textual form.

    :param packed_ip: bytes (Python 3) or str (Python 2) of the packed address
    :return: compressed string, e.g. "::1" for 15 zero bytes followed by 0x01
    """

    if hasattr(packed_ip, "hex"):
        digits = packed_ip.hex()
    else:
        digits = packed_ip.encode("hex")

    # Four hex digits per group, eight groups for a full address
    groups = [digits[offset:offset + 4] for offset in xrange(0, len(digits), 4)]
    return compress_ipv6(':'.join(groups))

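def expand_range(value):
    """
    Expands an IPv4 range specification into the list of addresses it covers.

    :param value: "a.b.c.d/bits" (CIDR), "a.b.c.d-e.f.g.h" (inclusive span) or
                  any other token, which is returned as-is in a one-element list
    :return: list of dotted-quad strings; CIDR blocks wider than /16 yield []
    :raises AssertionError: when the CIDR prefix length exceeds 32 (raised
                            explicitly so the check survives ``python -O``)
    """

    retval = []
    value = value.strip()

    match = re.match(r"(\d+\.\d+\.\d+\.\d+)/(\d+)", value)
    if match:
        prefix, mask = match.groups()
        mask = int(mask)
        # An ``assert`` statement is stripped under optimizations, which would
        # let an oversized mask reach make_mask() and fail with a negative
        # shift count; the explicit raise keeps the original exception type
        if mask > 32:
            raise AssertionError("invalid prefix length '/%d' in '%s'" % (mask, value))

        start_int = addr_to_int(prefix) & make_mask(mask)
        end_int = start_int | ((1 << 32 - mask) - 1)
        # Blocks wider than /16 are deliberately not expanded (size guard)
        if 0 <= end_int - start_int <= 65536:
            retval.extend(int_to_addr(_) for _ in xrange(start_int, end_int + 1))

    elif '-' in value:
        start, end = value.split('-')
        start_int, end_int = addr_to_int(start), addr_to_int(end)
        # Empty when start > end; no size guard on this form
        retval.extend(int_to_addr(_) for _ in xrange(start_int, end_int + 1))

    else:
        retval.append(value)

    return retval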

def addr_port(addr, port):
    """
    Joins an address and a port into "host:port" form.

    Bare IPv6 literals (contain ':' and no '.') are wrapped in brackets; any
    brackets already present are stripped first. Addresses containing a '.'
    (IPv4, hostnames, IPv4-mapped IPv6) are joined verbatim.

    :param addr: host string
    :param port: port number or string
    :return: formatted "host:port" string
    """

    bare_ipv6 = ':' in addr and '.' not in addr
    if bare_ipv6:
        return "[%s]:%s" % (addr.strip("[]"), port)

    return "%s:%s" % (addr, port)


================================================
FILE: core/attribdict.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""

class AttribDict(dict):
    """
    dict whose keys are also reachable as attributes.

    Reading an attribute that is neither a real attribute nor a key yields
    None (``dict.get`` semantics) instead of raising AttributeError, so a
    mistyped attribute name fails silently. Setting any attribute stores a key.
    """

    def __getattr__(self, name):
        # Only invoked after normal attribute lookup has failed
        return self.get(name, None)

    def __setattr__(self, name, value):
        self.__setitem__(name, value)


================================================
FILE: core/colorized.py
================================================
#!/usr/bin/env python

import os
import re
import sys

from core.enums import BACKGROUND
from core.enums import COLOR
from core.enums import SEVERITY

# True only when stdout is backed by a real terminal; init_output() installs the
# colourising wrappers only in that case, so piped output stays free of escapes
IS_TTY = bool(hasattr(sys.stdout, "fileno") and os.isatty(sys.stdout.fileno()))

class ColorizedStream:
    """
    Wraps a text stream (stdout/stderr) and injects ANSI colour escapes into
    the text written to it, keyed on Maltrail's log-line conventions.

    Only the formatting is altered: every write() still lands on the wrapped
    stream, and flush() is forwarded unchanged.
    """

    def __init__(self, original):
        # Underlying stream that receives the colourised text
        self._original = original
        # Colour per "[x]" log-prefix marker at the start of a line
        self._log_colors = {'i': COLOR.LIGHT_BLUE, '!': COLOR.LIGHT_YELLOW, '*': COLOR.LIGHT_CYAN, 'x': COLOR.BOLD_LIGHT_RED, '?': COLOR.LIGHT_YELLOW, 'o': COLOR.BOLD_WHITE, '+': COLOR.BOLD_LIGHT_GREEN, '^': COLOR.BOLD_LIGHT_GREEN}
        # Colour per severity level (not referenced by write() below)
        self._severity_colors = {SEVERITY.LOW: COLOR.BOLD_LIGHT_CYAN, SEVERITY.MEDIUM: COLOR.BOLD_LIGHT_YELLOW, SEVERITY.HIGH: COLOR.BOLD_LIGHT_RED}
        # Background colour per trail-type token following "TCP"/"UDP"/"ICMP"
        self._type_colors = {"DNS": BACKGROUND.BLUE, "UA": BACKGROUND.MAGENTA, "IP": BACKGROUND.RED, "URL": BACKGROUND.YELLOW, "HTTP": BACKGROUND.GREEN, "IPORT": BACKGROUND.RED}
        # Foreground colour per parenthesised info keyword
        self._info_colors = {"malware": COLOR.LIGHT_RED, "suspicious": COLOR.LIGHT_YELLOW, "malicious": COLOR.YELLOW}

    def write(self, text):
        """
        Colourises one chunk of text and writes it to the wrapped stream.

        The substitutions below are order-dependent: later regexes operate on
        text that already contains escape sequences inserted by earlier ones.
        """

        # 1. "[x]" marker at the start of the line
        match = re.search(r"\A(\s*)\[(.)\]", text)
        if match and match.group(2) in self._log_colors:
            text = text.replace(match.group(0), "%s[%s%s%s]" % (match.group(1), self._log_colors[match.group(2)], match.group(2), COLOR.RESET), 1)

        # 2. Banner line: highlight the "(sensor)"/"(server)" role and any URL
        if "Maltrail (" in text:
            text = re.sub(r"\((sensor|server)\)", lambda match: "(%s%s%s)" % ({"sensor": COLOR.BOLD_LIGHT_GREEN, "server": COLOR.BOLD_LIGHT_MAGENTA}[match.group(1)], match.group(1), COLOR.RESET), text)
            text = re.sub(r"https?://[\w.:/?=]+", lambda match: "%s%s%s%s" % (COLOR.BLUE, COLOR.UNDERLINE, match.group(0), COLOR.RESET), text)

        # 3. Usage line: bold everything after "Usage: "
        if "Usage: " in text:
            text = re.sub(r"(.*Usage: )(.+)", r"\g<1>%s\g<2>%s" % (COLOR.BOLD_WHITE, COLOR.RESET), text)

        # 4. Event lines (start with a quoted field beginning with '2', presumably
        #    a timestamp): protocol/type pair, first quoted field, known info
        #    keywords, then every other parenthesised span in light gray
        if text.startswith('"2'):
            text = re.sub(r"(TCP|UDP|ICMP) ([A-Z]+)", lambda match: "%s %s%s%s" % (match.group(1), self._type_colors.get(match.group(2), COLOR.WHITE), match.group(2), COLOR.RESET), text)
            text = re.sub(r'"([^"]+)"', r'"%s\g<1>%s"' % (COLOR.LIGHT_GRAY, COLOR.RESET), text, count=1)
            text = re.sub(r"\((malware|suspicious|malicious)\)", lambda match: "(%s%s%s)" % (self._info_colors.get(match.group(1), COLOR.WHITE), match.group(1), COLOR.RESET), text)
            text = re.sub(r"\(([^)]+)\)", lambda match: "(%s%s%s)" % (COLOR.LIGHT_GRAY, match.group(1), COLOR.RESET) if match.group(1) not in self._info_colors else match.group(0), text)

        # 5. Single-quoted tokens not preceded by a word character; replace()
        #    rewrites every occurrence of the same quoted string at once
        for match in re.finditer(r"[^\w]'([^']+)'", text):  # single-quoted
            text = text.replace("'%s'" % match.group(1), r"'%s%s%s'" % (COLOR.LIGHT_GRAY, match.group(1), COLOR.RESET))

        self._original.write("%s" % text)

    def flush(self):
        # Pass-through so callers can flush the wrapper like the real stream
        self._original.flush()

def init_output():
    """
    Replaces sys.stderr and sys.stdout with ColorizedStream wrappers when
    stdout is a TTY; does nothing otherwise, so redirected output stays plain.
    """

    if not IS_TTY:
        return

    # stderr first, then stdout, as in the original ordering
    for name in ("stderr", "stdout"):
        setattr(sys, name, ColorizedStream(getattr(sys, name)))


================================================
FILE: core/common.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""

from __future__ import print_function

import csv
import gzip
import io
import os
import re
import sqlite3
import sys
import zipfile
import zlib

from core.addr import addr_to_int
from core.addr import int_to_addr
from core.compat import xrange
from core.settings import config
from core.settings import BOGON_IPS
from core.settings import BOGON_RANGES
from core.settings import CHECK_CONNECTION_URL
from core.settings import CDN_RANGES
from core.settings import IPCAT_SQLITE_FILE
from core.settings import IS_WIN
from core.settings import MAX_HELP_OPTION_LENGTH
from core.settings import STATIC_IPCAT_LOOKUPS
from core.settings import TIMEOUT
from core.settings import UNICODE_ENCODING
from core.settings import USER_AGENT
from core.settings import WHITELIST
from core.settings import WHITELIST_RANGES
from core.settings import WORST_ASNS
from core.trailsdict import TrailsDict
from thirdparty import six
from thirdparty.six.moves import urllib as _urllib

# Lookup cache for ipcat_lookup(): address -> category name ("" when unknown).
# Filled lazily from STATIC_IPCAT_LOOKUPS on first use and grown on every
# uncached lookup; entries are never evicted, so it grows with the number of
# distinct addresses queried during the process lifetime
_ipcat_cache = {}

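def retrieve_content(url, data=None, headers=None):
    """
    Retrieves page content from given URL

    :param url: URL to fetch; spaces after the first '?' are sent as "%20"
    :param data: optional request body (makes the request a POST)
    :param headers: optional header dict; when omitted a default User-agent and
                    "gzip, deflate" Accept-encoding are sent
    :return: decoded text (Python 3) or raw body; on failure the error response
             body or the exception message, never None
    """

    try:
        # Only the query part is space-encoded; the path is sent verbatim
        query_start = url.find('?')
        safe_url = "".join(url[i].replace(' ', "%20") if i > query_start else url[i] for i in xrange(len(url)))
        req = _urllib.request.Request(safe_url, data, headers or {"User-agent": USER_AGENT, "Accept-encoding": "gzip, deflate"})
        resp = _urllib.request.urlopen(req, timeout=TIMEOUT)
        try:
            retval = resp.read()
            encoding = (resp.headers.get("Content-Encoding") or "").lower()
        finally:
            # Release the socket as soon as the body is in memory
            resp.close()

        # Decompress only the encodings we advertised; any other value leaves
        # the body as received. The original reused the ``data`` argument as the
        # stream variable, so an unknown encoding (or a failed decompress) fell
        # into the exception path and could hand a stream object to the retry
        if encoding == "deflate":
            retval = zlib.decompress(retval, -15)
        elif encoding == "gzip":
            retval = gzip.GzipFile("", "rb", 9, io.BytesIO(retval)).read()
    except Exception as ex:
        retval = ex.read() if hasattr(ex, "read") else (get_ex_message(ex) or "")

        # Deliberate plaintext fallback for feed hosts with broken TLS stacks.
        # The retried fetch has no transport integrity, so content obtained
        # this way should not be treated as more trustworthy than any other
        # unauthenticated download
        if url.startswith("https://") and isinstance(retval, str) and "handshake failure" in retval:
            return retrieve_content(url.replace("https://", "http://"), data, headers)

    retval = retval or b""

    if six.PY3 and isinstance(retval, bytes):
        retval = retval.decode(UNICODE_ENCODING, errors="replace")

    return retval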

def fetch_headers(url, timeout=10):
    """
    Issues a HEAD request and returns the response headers as a plain dict.

    Redirects are not followed: for 301/302/303/307/308 the headers of the
    redirect response itself (including Location) are returned. Any other
    HTTPError, and every non-HTTP error, propagates to the caller.

    :param url: URL to probe
    :param timeout: socket timeout in seconds
    :return: dict of header name -> value
    """

    REDIRECT_CODES = (301, 302, 303, 307, 308)

    class _NoRedirect(_urllib.request.HTTPRedirectHandler):
        # Returning None makes urllib raise HTTPError for 3xx instead of following
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = _urllib.request.build_opener(_NoRedirect())
    request = _urllib.request.Request(url, headers={"User-Agent": USER_AGENT}, method="HEAD")

    try:
        with opener.open(request, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except _urllib.error.HTTPError as err:
        if err.code not in REDIRECT_CODES:
            raise
        return dict(err.headers.items())

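def _populate_static_ipcat_cache():
    """Expands STATIC_IPCAT_LOOKUPS (single IPs or "start-end" spans) into _ipcat_cache."""

    for name in STATIC_IPCAT_LOOKUPS:
        for value in STATIC_IPCAT_LOOKUPS[name]:
            if "-" in value:
                start, end = value.split('-')
                start_int, end_int = addr_to_int(start), addr_to_int(end)
                current = start_int
                while start_int <= current <= end_int:
                    _ipcat_cache[int_to_addr(current)] = name
                    current += 1
            else:
                _ipcat_cache[value] = name

def ipcat_lookup(address):
    """
    Looks up the "ipcat" category name of an IPv4 address.

    Static entries are expanded into _ipcat_cache on first use; cache misses
    are resolved against the ``ranges`` table of IPCAT_SQLITE_FILE (when the
    file exists) and memoised in the same cache.

    :param address: dotted-quad IPv4 string
    :return: category name, "" when unknown, None for an empty address
    :raises ValueError: when the address cannot be parsed (the same message is
                        used when the database query itself fails)
    """

    if not address:
        return None

    if not _ipcat_cache:
        _populate_static_ipcat_cache()

    if address in _ipcat_cache:
        return _ipcat_cache[address]

    retval = ""

    if os.path.isfile(IPCAT_SQLITE_FILE):
        # ``with sqlite3.connect(...)`` only manages the transaction, not the
        # connection, so the original leaked one open connection per uncached
        # lookup; close it explicitly
        conn = sqlite3.connect(IPCAT_SQLITE_FILE, isolation_level=None)
        try:
            cursor = conn.cursor()
            try:
                _ = addr_to_int(address)
                cursor.execute("SELECT name FROM ranges WHERE start_int <= ? AND end_int >= ?", (_, _))
                row = cursor.fetchone()
                retval = str(row[0]) if row else retval
            except:
                # Both an unparsable address and a DB error land here
                raise ValueError("[x] invalid IP address '%s'" % address)
        finally:
            conn.close()

        # Only memoised when the database was consulted (as before)
        _ipcat_cache[address] = retval

    return retval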

def worst_asns(address):
    """
    Returns the name of the "worst ASN" entry whose prefix covers the address.

    WORST_ASNS is bucketed by first octet; each bucket holds (prefix, mask, name)
    triples and the first matching one wins.

    :param address: dotted-quad IPv4 string
    :return: ASN name, or None when the address is empty, unparsable or unlisted
    """

    if not address:
        return None

    try:
        packed = addr_to_int(address)
        bucket = WORST_ASNS.get(address.split('.')[0], {})
        hits = (name for prefix, mask, name in bucket if packed & mask == prefix)
        return next(hits, None)
    except (IndexError, ValueError):
        return None

def cdn_ip(address):
    """
    Tells whether the address falls into a known CDN range.

    CDN_RANGES is bucketed by first octet; each bucket holds (prefix, mask) pairs.

    :param address: dotted-quad IPv4 string
    :return: True on a match; False when empty, unparsable or not in any range
    """

    if not address:
        return False

    try:
        packed = addr_to_int(address)
        bucket = CDN_RANGES.get(address.split('.')[0], {})
        return any(packed & mask == prefix for prefix, mask in bucket)
    except (IndexError, ValueError):
        return False

def bogon_ip(address):
    """
    Tells whether the address is a bogon (unallocated/reserved space).

    Checked first against the first-octet-bucketed (prefix, mask) pairs in
    BOGON_RANGES, then against the explicit BOGON_IPS list.

    :param address: dotted-quad IPv4 string
    :return: True on a match, False otherwise (including empty input)
    """

    if not address:
        return False

    try:
        packed = addr_to_int(address)
        bucket = BOGON_RANGES.get(address.split('.')[0], {})
        if any(packed & mask == prefix for prefix, mask in bucket):
            return True
    except (IndexError, ValueError):
        # Unparsable addresses may still be listed verbatim below
        pass

    return address in BOGON_IPS

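def check_sudo():
    """
    Checks for root privileges

    :return: True/False when it can be determined; None when the platform
             offers no way to tell (no os.geteuid, or the Windows API call fails)
    """

    check = None

    if not IS_WIN:
        # Default argument added: the two-argument getattr() raised
        # AttributeError on platforms without geteuid instead of yielding None
        geteuid = getattr(os, "geteuid", None)
        if geteuid is not None:
            check = geteuid() == 0
    else:
        import ctypes
        try:
            # Non-zero when the process token is elevated; returned as-is
            check = ctypes.windll.shell32.IsUserAnAdmin()
        except Exception:
            # Missing shell32 or a ctypes failure means "unknown", not a crash
            check = None

    return check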

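def extract_zip(filename, path=None):
    """
    Extracts all members of a ZIP archive.

    :param filename: path to the archive
    :param path: destination directory (current working directory when None)
    :raises zipfile.BadZipfile: when the file is not a valid archive
    """

    # The context manager closes the archive handle; the original left it open
    with zipfile.ZipFile(filename, 'r') as archive:
        # CPython's extractall() drops absolute paths and ".." components from
        # member names, but otherwise writes members as named, so archives
        # should come from a trusted source and go into a dedicated directory
        archive.extractall(path)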

def get_regex(items):
    r"""
    Builds a compact regular expression matching exactly the given strings.

    The items are loaded into a character trie and the trie is rendered back
    as nested alternations; sibling leaf characters are collapsed into
    character classes (a full 0-9 run becomes ``\d``).

    :param items: iterable of strings (sorted internally)
    :return: pattern string suitable for re.compile()
    """

    # Trie of nested dicts keyed by character; the "" key marks the end of an item
    head = {}

    for item in sorted(items):
        current = head
        for char in item:
            if char not in current:
                current[char] = {}
            current = current[char]
        current[""] = {}

    def process(current):
        # Renders one trie node (and, recursively, its subtree) into a pattern
        if not current:
            return ""

        if not any(current[_] for _ in current):
            # Every child is a leaf: emit a single character or a character class
            if len(current) > 1:
                items = []  # shadows the outer parameter; holds class members
                previous = None
                start = None
                # The sentinel forces the final run to be flushed
                for _ in sorted(current) + [six.unichr(65535)]:
                    if previous is not None:
                        if ord(_) == ord(previous) + 1:
                            pass  # consecutive code point: extend the current run
                        else:
                            if start != previous:
                                if start == '0' and previous == '9':
                                    items.append(r"\d")
                                else:
                                    items.append("%s-%s" % (re.escape(start), re.escape(previous)))
                            else:
                                items.append(re.escape(previous))
                            start = _
                    if start is None:
                        start = _
                    previous = _

                # Brackets only when there is more than one member or a range
                return ("[%s]" % "".join(items)) if len(items) > 1 or '-' in items[0] else "".join(items)
            else:
                return re.escape(list(current.keys())[0])
        else:
            # Mixed node: alternation of "<char><subtree>" (the "" end marker sorts
            # first and yields an empty alternative); a literal "0|1|...|9"
            # alternation is folded into \d
            return ("(?:%s)" if len(current) > 1 else "%s") % ('|'.join("%s%s" % (re.escape(_), process(current[_])) for _ in sorted(current))).replace('|'.join(str(_) for _ in xrange(10)), r"\d")

    # "(?:|\d)" is an optional digit; write it as "\d?"
    regex = process(head).replace(r"(?:|\d)", r"\d?")

    return regex

def check_connection():
    """
    Returns True when CHECK_CONNECTION_URL yields a non-empty body.
    """

    content = retrieve_content(CHECK_CONNECTION_URL) or ""
    return bool(content)

def check_whitelisted(trail):
    """
    Tells whether a trail is whitelisted, either verbatim (WHITELIST) or, for
    trails starting with a digit, by falling into one of the (prefix, mask)
    pairs of WHITELIST_RANGES.

    :param trail: domain, IP or other trail string
    :return: True when whitelisted, False otherwise
    """

    if trail in WHITELIST:
        return True

    # Only numeric-looking trails are tested against the address ranges
    if not (trail and trail[0].isdigit()):
        return False

    try:
        packed = addr_to_int(trail)
        return any(packed & mask == prefix for prefix, mask in WHITELIST_RANGES)
    except (IndexError, ValueError):
        return False

def load_trails(quiet=False):
    """
    Loads config.TRAILS_FILE (CSV: trail, info, reference) into a TrailsDict,
    skipping rows that do not have exactly three fields and whitelisted trails.

    :param quiet: suppress progress output when True
    :return: TrailsDict of trail -> (info, reference); empty when the file is missing
    """

    if not quiet:
        print("[i] loading trails...")

    retval = TrailsDict()

    if os.path.isfile(config.TRAILS_FILE):
        try:
            with open(config.TRAILS_FILE, "r") as f:
                for row in csv.reader(f, delimiter=',', quotechar='\"'):
                    if len(row) != 3:
                        continue
                    trail, info, reference = row
                    if check_whitelisted(trail):
                        continue
                    retval[trail] = (info, reference)

        except Exception as ex:
            # Unreadable/corrupt trails file is fatal
            sys.exit("[!] something went wrong during trails file read '%s' ('%s')" % (config.TRAILS_FILE, ex))

    if not quiet:
        count = len(retval)
        try:
            count = '{0:,}'.format(count)  # thousands separators where supported
        except:
            pass
        print("[i] %s trails loaded" % count)

    return retval

def get_text(value):
    """
    Normalises a value to text: bytes are decoded (with replacement) on
    Python 3, str() is attempted on Python 2; anything else is returned as-is.

    :param value: bytes, str or arbitrary object
    :return: text when conversion is possible, otherwise the input unchanged
    """

    if six.PY2:
        try:
            return str(value)
        except:
            return value

    if isinstance(value, six.binary_type):
        return value.decode(UNICODE_ENCODING, errors="replace")

    return value

def get_ex_message(ex):
    """
    Extracts a human-readable message from an exception, trying ``message``,
    then ``msg``, then the last string among ``args``, then str(ex).

    :param ex: exception instance
    :return: message string
    """

    for attr in ("message", "msg"):
        candidate = getattr(ex, attr, None)
        if candidate:
            return candidate

    # Last string-typed argument wins
    for candidate in reversed(getattr(ex, "args", None) or ()):
        if isinstance(candidate, six.string_types):
            return candidate

    return str(ex)

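def is_local(address):
    """
    Tells whether an IPv4 address lies in a private (RFC 1918) or loopback range.

    Covers 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. The
    previous pattern for the 172 block ("172.[13][0-9]") matched 172.10-172.19
    and 172.30-172.39, i.e. it missed 172.20-172.29 and wrongly accepted
    172.10-172.15 and 172.32-172.39.

    :param address: dotted-quad string (None is treated as not local)
    :return: True when the address starts with one of the private prefixes
    """

    return re.search(r"\A(127|10|172\.(1[6-9]|2[0-9]|3[01])|192\.168)\.", address or "") is not None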

def patch_parser(parser):
    """
    Monkey-patches an option parser so that long option strings in the help
    output are truncated with ".." to MAX_HELP_OPTION_LENGTH and capitalised,
    instead of being wrapped onto two lines.

    Handles optparse-style parsers (``parser.formatter`` present) by patching
    the formatter instance, and argparse-style ones by patching
    ``parser.formatter_class`` — the latter affects every parser that uses
    that formatter class.

    :param parser: optparse.OptionParser or argparse.ArgumentParser instance
    """

    # Dirty hack to display longer options without breaking into two lines
    if hasattr(parser, "formatter"):
        def _(self, *args):
            # Original implementation is kept under the underscored name
            retval = parser.formatter._format_option_strings(*args)
            if len(retval) > MAX_HELP_OPTION_LENGTH:
                # Truncate leaving room for the indent and the ".." suffix
                retval = ("%%.%ds.." % (MAX_HELP_OPTION_LENGTH - parser.formatter.indent_increment)) % retval
            return retval.capitalize()

        parser.formatter._format_option_strings = parser.formatter.format_option_strings
        # Rebinds _ as a bound method (self becomes ``parser``, which _ ignores
        # in favour of the closed-over parser.formatter)
        parser.formatter.format_option_strings = type(parser.formatter.format_option_strings)(_, parser)
    else:
        def _format_action_invocation(self, action):
            # Neither name is mangled (no enclosing class body), so this matches
            # the attribute stored on the formatter class below
            retval = self.__format_action_invocation(action)
            if len(retval) > MAX_HELP_OPTION_LENGTH:
                retval = ("%%.%ds.." % (MAX_HELP_OPTION_LENGTH - self._indent_increment)) % retval
            return retval.capitalize()

        parser.formatter_class.__format_action_invocation = parser.formatter_class._format_action_invocation
        parser.formatter_class._format_action_invocation = _format_action_invocation


================================================
FILE: core/compat.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""

import sys

# Python 3 dropped xrange; expose a single name that maps to the lazy range
# type on both major versions (on Python 2 the right-hand xrange is the builtin)
xrange = range if sys.version_info >= (3, 0) else xrange


================================================
FILE: core/datatype.py
================================================
#!/usr/bin/env python

from thirdparty.odict import OrderedDict

# Reference: https://www.kunxi.org/2014/05/lru-cache-in-python
class LRUDict(object):
    """
    Least-recently-used dictionary with a fixed capacity.

    Reading a key marks it as most recently used; inserting beyond ``capacity``
    evicts the least recently used entry. Missing keys read as None rather
    than raising.

    >>> foo = LRUDict(capacity=2)
    >>> foo["first"] = 1
    >>> foo["second"] = 2
    >>> foo["third"] = 3
    >>> "first" in foo
    False
    >>> "third" in foo
    True
    """

    def __init__(self, capacity):
        # Maximum number of entries kept before eviction kicks in
        self.capacity = capacity
        # Insertion-ordered backing store; the front is the LRU end
        self.cache = OrderedDict()

    def __len__(self):
        return len(self.cache)

    def __contains__(self, key):
        # Membership tests do not refresh recency
        return key in self.cache

    def __getitem__(self, key):
        # Pop-and-reinsert moves the key to the MRU end; any failure (missing
        # or unhashable key) reads as None
        try:
            value = self.cache.pop(key)
        except:
            return None
        self.cache[key] = value
        return value

    def get(self, key):
        return self[key]

    def __setitem__(self, key, value):
        if key in self.cache:
            # Re-inserting an existing key refreshes its position
            del self.cache[key]
        elif len(self.cache) >= self.capacity:
            # Evict the oldest entry
            self.cache.popitem(last=False)
        self.cache[key] = value

    def set(self, key, value):
        self[key] = value

    def keys(self):
        return self.cache.keys()


================================================
FILE: core/enums.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""

import sys

from thirdparty import six

class _(type):
    """
    Metaclass whose attribute lookup returns the attribute's own name, so
    ``Cls.FOO`` on a class using it evaluates to the string "FOO".
    """

    def __getattr__(self, attr):
        # Only reached for names not actually defined on the class
        return attr

@six.add_metaclass(_)
class TRAIL(object):
    # Enum-like holder: TRAIL.<anything> yields "<anything>" via the metaclass,
    # so trail types need no explicit declaration (and a mistyped name is not caught)
    pass

if sys.version_info >= (3, 0):
    # Markers as ints — presumably because indexing a bytes object yields ints
    # on Python 3; confirm against the reader/writer that compares them
    class BLOCK_MARKER:
        NOP = 0x00
        READ = 0x01
        WRITE = 0x02
        END = 0xff
else:
    # Markers as one-byte strings, matching Python 2 str indexing
    class BLOCK_MARKER:
        NOP = b'\x00'
        READ = b'\x01'
        WRITE = b'\x02'
        END = b'\xff'

class PROTO:
    """
    Transport protocol labels as they appear in event records.
    """

    TCP = "TCP"
    UDP = "UDP"
    ICMP = "ICMP"

class HTTP_HEADER:
    """
    Canonical HTTP header names used when building and inspecting requests
    and responses.
    """

    ACCEPT = "Accept"
    ACCEPT_CHARSET = "Accept-Charset"
    ACCEPT_ENCODING = "Accept-Encoding"
    ACCEPT_LANGUAGE = "Accept-Language"
    AUTHORIZATION = "Authorization"
    CACHE_CONTROL = "Cache-Control"
    CONNECTION = "Connection"
    CONTENT_ENCODING = "Content-Encoding"
    CONTENT_LENGTH = "Content-Length"
    CONTENT_RANGE = "Content-Range"
    CONTENT_TYPE = "Content-Type"
    CONTENT_SECURITY_POLICY = "Content-Security-Policy"
    COOKIE = "Cookie"
    EXPIRES = "Expires"
    HOST = "Host"
    IF_MODIFIED_SINCE = "If-Modified-Since"
    LAST_MODIFIED = "Last-Modified"
    LOCATION = "Location"
    PRAGMA = "Pragma"
    PROXY_AUTHORIZATION = "Proxy-Authorization"
    PROXY_CONNECTION = "Proxy-Connection"
    RANGE = "Range"
    REFERER = "Referer"
    SERVER = "Server"
    SET_COOKIE = "Set-Cookie"
    TRANSFER_ENCODING = "Transfer-Encoding"
    URI = "URI"
    USER_AGENT = "User-Agent"
    VIA = "Via"
    X_POWERED_BY = "X-Powered-By"

class CACHE_TYPE:
    """
    Integer identifiers for the per-kind lookup caches used elsewhere.
    """

    DOMAIN = 0
    USER_AGENT = 1
    PATH = 2
    POST_DATA = 3
    DOMAIN_WHITELISTED = 4
    # NOTE(review): shares the value 4 with DOMAIN_WHITELISTED; if these select
    # distinct caches the two kinds collide — confirm against their users
    LOCAL_PREFIX = 4

class COLOR:
    """
    ANSI SGR escape sequences for foreground colours and text attributes;
    RESET clears all attributes.
    """

    BLUE = "\033[34m"
    BOLD_MAGENTA = "\033[35;1m"
    BOLD_GREEN = "\033[32;1m"
    BOLD_LIGHT_MAGENTA = "\033[95;1m"
    LIGHT_GRAY = "\033[37m"
    BOLD_RED = "\033[31;1m"
    BOLD_LIGHT_GRAY = "\033[37;1m"
    YELLOW = "\033[33m"
    DARK_GRAY = "\033[90m"
    BOLD_CYAN = "\033[36;1m"
    LIGHT_RED = "\033[91m"
    CYAN = "\033[36m"
    MAGENTA = "\033[35m"
    LIGHT_MAGENTA = "\033[95m"
    LIGHT_GREEN = "\033[92m"
    RESET = "\033[0m"
    BOLD_DARK_GRAY = "\033[90;1m"
    BOLD_LIGHT_YELLOW = "\033[93;1m"
    BOLD_LIGHT_RED = "\033[91;1m"
    BOLD_LIGHT_GREEN = "\033[92;1m"
    LIGHT_YELLOW = "\033[93m"
    BOLD_LIGHT_BLUE = "\033[94;1m"
    BOLD_LIGHT_CYAN = "\033[96;1m"
    LIGHT_BLUE = "\033[94m"
    BOLD_WHITE = "\033[97;1m"
    LIGHT_CYAN = "\033[96m"
    BLACK = "\033[30m"
    BOLD_YELLOW = "\033[33;1m"
    BOLD_BLUE = "\033[34;1m"
    GREEN = "\033[32m"
    WHITE = "\033[97m"
    BOLD_BLACK = "\033[30;1m"
    RED = "\033[31m"
    UNDERLINE = "\033[4m"

class BACKGROUND:
    """
    ANSI SGR escape sequences for background colours; RESET is the same
    all-attributes reset as COLOR.RESET.
    """

    BLUE = "\033[44m"
    LIGHT_GRAY = "\033[47m"
    YELLOW = "\033[43m"
    DARK_GRAY = "\033[100m"
    LIGHT_RED = "\033[101m"
    CYAN = "\033[46m"
    MAGENTA = "\033[45m"
    LIGHT_MAGENTA = "\033[105m"
    LIGHT_GREEN = "\033[102m"
    RESET = "\033[0m"
    LIGHT_YELLOW = "\033[103m"
    LIGHT_BLUE = "\033[104m"
    LIGHT_CYAN = "\033[106m"
    BLACK = "\033[40m"
    GREEN = "\033[42m"
    WHITE = "\033[107m"
    RED = "\033[41m"

class SEVERITY:
    """
    Severity labels, stored as lowercase strings.
    """

    NONE = "none"
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"
    CRITICAL = "critical"


================================================
FILE: core/httpd.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""
from __future__ import print_function

import datetime
import glob
import gzip
import hashlib
import io
import json
import mimetypes
import os
import re
import socket
import subprocess
import sys
import threading
import time
import traceback

from core.addr import addr_to_int
from core.addr import int_to_addr
from core.addr import make_mask
from core.attribdict import AttribDict
from core.common import get_regex
from core.common import ipcat_lookup
from core.common import worst_asns
from core.compat import xrange
from core.enums import HTTP_HEADER
from core.settings import config
from core.settings import CONTENT_EXTENSIONS_EXCLUSIONS
from core.settings import DATE_FORMAT
from core.settings import DISABLED_CONTENT_EXTENSIONS
from core.settings import DISPOSED_NONCES
from core.settings import HTML_DIR
from core.settings import HTTP_TIME_FORMAT
from core.settings import IS_WIN
from core.settings import MAX_NOFILE
from core.settings import NAME
from core.settings import PING_RESPONSE
from core.settings import SESSION_COOKIE_NAME
from core.settings import SESSION_COOKIE_FLAG_SAMESITE
from core.settings import SESSION_EXPIRATION_HOURS
from core.settings import SESSION_ID_LENGTH
from core.settings import SESSIONS
from core.settings import UNAUTHORIZED_SLEEP_TIME
from core.settings import UNICODE_ENCODING
from core.settings import VERSION
from thirdparty import six
from thirdparty.six.moves import BaseHTTPServer as _BaseHTTPServer
from thirdparty.six.moves import http_client as _http_client
from thirdparty.six.moves import socketserver as _socketserver
from thirdparty.six.moves import urllib as _urllib

try:
    # Reference: https://bugs.python.org/issue7980
    # Reference: http://code-trick.com/python-bug-attribute-error-_strptime/
    # Imported eagerly so the lazy import inside time.strptime() is already
    # done before the threaded request handlers call it concurrently
    import _strptime
except ImportError:
    pass

try:
    # Raise the open-file limit for the threaded server. The bare except keeps
    # startup working where ``resource`` is unavailable or the limit cannot be
    # raised (hard limit below MAX_NOFILE, insufficient privileges)
    import resource
    resource.setrlimit(resource.RLIMIT_NOFILE, (MAX_NOFILE, MAX_NOFILE))
except:
    pass

# Per-process caches for the fail2ban and blacklist outputs, filled lazily
# elsewhere in this module; the *_key values presumably identify the input the
# cached value was built from — confirm against their use in the handler
_fail2ban_cache = None
_fail2ban_key = None
_blacklist_cache = None
_blacklist_key = None


def start_httpd(address=None, port=None, join=False, pem=None):
    """
    Starts HTTP server
    """

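    class ThreadingServer(_socketserver.ThreadingMixIn, _BaseHTTPServer.HTTPServer):
        """
        HTTPServer handling every request on its own thread.
        """

        def server_bind(self):
            # SO_REUSEADDR so that the port can be rebound right after a restart
            self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            _BaseHTTPServer.HTTPServer.server_bind(self)

        def finish_request(self, *args, **kwargs):
            # A failing request handler must not take the server down; the error
            # is only shown when SHOW_DEBUG is on. Exception (rather than a bare
            # except) leaves SystemExit/KeyboardInterrupt alone.
            try:
                _BaseHTTPServer.HTTPServer.finish_request(self, *args, **kwargs)
            except Exception:
                if config.SHOW_DEBUG:
                    traceback.print_exc()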

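    class SSLThreadingServer(ThreadingServer):
        """
        ThreadingServer whose listening socket speaks TLS, using the certificate
        and private key both read from the PEM file `pem`.

        Python 2 uses pyOpenSSL, Python 3 the standard ssl module. In both cases
        the plain socket created by the base constructor is wrapped before it is
        bound (bind_and_activate=False), so only the TLS socket ever binds.
        """

        def __init__(self, server_address, pem, HandlerClass):
            # HandlerClass is honoured on both branches (the Python 3 branch used to
            # hard-wire the closure's ReqHandler)
            ThreadingServer.__init__(self, server_address, HandlerClass, bind_and_activate=False)

            if six.PY2:
                import OpenSSL  # pyopenssl

                ctx = None
                # Newest protocol method first; the legacy entries at the end are
                # only reached on OpenSSL builds lacking the newer ones
                for method in ("TLSv1_2_METHOD", "TLSv1_1_METHOD", "TLSv1_METHOD", "TLS_METHOD", "SSLv23_METHOD", "SSLv2_METHOD"):
                    if hasattr(OpenSSL.SSL, method):
                        ctx = OpenSSL.SSL.Context(getattr(OpenSSL.SSL, method))
                        break
                if ctx is None:
                    raise RuntimeError("no usable TLS method found in OpenSSL.SSL")
                ctx.use_privatekey_file(pem)
                ctx.use_certificate_file(pem)
                self.socket = OpenSSL.SSL.Connection(ctx, self.socket)
            else:
                import ssl

                # PROTOCOL_TLS_SERVER: the negotiable protocol versions and ciphers
                # are the running interpreter's ssl defaults
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
                ctx.load_cert_chain(pem, pem)
                self.socket = ctx.wrap_socket(self.socket, server_side=True)

            self.server_bind()
            self.server_activate()

        def shutdown_request(self, request):
            # Clean TLS close; a peer that is already gone is ignored
            try:
                request.shutdown()
            except Exception:
                pass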

    class ReqHandler(_BaseHTTPServer.BaseHTTPRequestHandler):
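        def do_GET(self):
            """
            Serves a GET request (do_POST() also ends up here, with the body in self.data).

            If the first path component names a ``_<component>`` method of this
            handler, that method is called with the merged body/query parameters
            (plus ``subpath`` for the rest of the path) and its return value is the
            response body. Otherwise the path is resolved inside HTML_DIR and served
            as a static file: If-Modified-Since is honoured for non-HTML files, and
            DISABLED_CONTENT_EXTENSIONS are refused unless the file name is in
            CONTENT_EXTENSIONS_EXCLUSIONS. ``<!NAME!>`` markers in the body are
            expanded through ``self._name()``; the body is gzipped when the client
            accepts it.
            """
            path, query = self.path.split('?', 1) if '?' in self.path else (self.path, "")
            params = {}
            content = None
            skip = False

            # Query string values take precedence over POST body values
            if hasattr(self, "data"):
                params.update(_urllib.parse.parse_qs(self.data))

            if query:
                params.update(_urllib.parse.parse_qs(query))

            # parse_qs() yields lists; keep the last value of each key
            for key in params:
                if params[key]:
                    params[key] = params[key][-1]

            if path == '/':
                path = "index.html"

            path = path.strip('/')
            extension = os.path.splitext(path)[-1].lower()

            splitpath = path.split('/', 1)
            if hasattr(self, "_%s" % splitpath[0]):
                # NOTE(review): this reaches any underscore-prefixed attribute of the
                # handler, not only the endpoint methods; a non-callable or
                # wrong-arity target raises and the request is then dropped by
                # ThreadingServer.finish_request()
                if len(splitpath) > 1:
                    params["subpath"] = splitpath[1]
                content = getattr(self, "_%s" % splitpath[0])(params)

            else:
                path = path.replace('/', os.path.sep)
                path = os.path.abspath(os.path.join(HTML_DIR, path)).strip()

                if not os.path.isfile(path) and os.path.isfile("%s.html" % path):
                    path = "%s.html" % path

                # Inject the configured IP aliases into the served main.js
                if config.IP_ALIASES and self.path.split('?')[0] == "/js/main.js":
                    with open(path, 'r') as f:
                        content = f.read()
                    content = re.sub(r"\bvar IP_ALIASES =.+", "var IP_ALIASES = {%s};" % ", ".join('"%s": "%s"' % (_.split(':', 1)[0].strip(), _.split(':', 1)[-1].strip()) for _ in config.IP_ALIASES), content)

                # Directory traversal guard: after abspath(), a path that escaped
                # HTML_DIR has a relpath starting with ".."
                if ".." not in os.path.relpath(path, HTML_DIR) and os.path.isfile(path) and (extension not in DISABLED_CONTENT_EXTENSIONS or os.path.split(path)[-1] in CONTENT_EXTENSIONS_EXCLUSIONS):
                    mtime = time.gmtime(os.path.getmtime(path))
                    if_modified_since = self.headers.get(HTTP_HEADER.IF_MODIFIED_SINCE)

                    if if_modified_since and extension not in (".htm", ".html"):
                        # Client-supplied header: a malformed value is ignored (the file
                        # is served) instead of aborting the request
                        try:
                            if_modified_since = [_ for _ in if_modified_since.split(';') if _.upper().endswith("GMT")][0]
                            if time.mktime(mtime) <= time.mktime(time.strptime(if_modified_since, HTTP_TIME_FORMAT)):
                                self.send_response(_http_client.NOT_MODIFIED)
                                self.send_header(HTTP_HEADER.CONNECTION, "close")
                                skip = True
                        except (IndexError, ValueError, OverflowError):
                            pass

                    if not skip:
                        if not content:
                            with open(path, "rb") as f:
                                content = f.read()
                        last_modified = time.strftime(HTTP_TIME_FORMAT, mtime)
                        self.send_response(_http_client.OK)
                        self.send_header(HTTP_HEADER.CONNECTION, "close")
                        self.send_header(HTTP_HEADER.CONTENT_TYPE, mimetypes.guess_type(path)[0] or "application/octet-stream")
                        self.send_header(HTTP_HEADER.LAST_MODIFIED, last_modified)

                        # For CSP policy directives see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/
                        self.send_header(HTTP_HEADER.CONTENT_SECURITY_POLICY, "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src * blob:; script-src 'self' 'unsafe-eval' https://stat.ripe.net; frame-src *; object-src 'none'; block-all-mixed-content;")

                        if os.path.basename(path) == "index.html":
                            content = re.sub(b'\\s*<script[^>]+src="js/demo\\.js"></script>', b'', content)

                        if extension not in (".htm", ".html"):
                            self.send_header(HTTP_HEADER.EXPIRES, "Sun, 17-Jan-2038 19:14:07 GMT")        # Reference: http://blog.httpwatch.com/2007/12/10/two-simple-rules-for-http-caching/
                            self.send_header(HTTP_HEADER.CACHE_CONTROL, "max-age=3600, must-revalidate")  # Reference: http://stackoverflow.com/a/5084555
                        else:
                            self.send_header(HTTP_HEADER.CACHE_CONTROL, "no-cache")

                else:
                    self.send_response(_http_client.NOT_FOUND)
                    self.send_header(HTTP_HEADER.CONNECTION, "close")
                    self.send_header(HTTP_HEADER.CONTENT_TYPE, "text/html")
                    # The requested path is client-controlled and reflected into HTML:
                    # escape it so it cannot inject markup into the 404 page
                    requested = self.path.split('?')[0]
                    for char, entity in (('&', "&amp;"), ('<', "&lt;"), ('>', "&gt;"), ('"', "&quot;")):
                        requested = requested.replace(char, entity)
                    content = '<!DOCTYPE html><html lang="en"><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL %s was not found on this server.</p></body></html>' % requested

            if content is not None:
                if isinstance(content, six.text_type):
                    content = content.encode(UNICODE_ENCODING)

                # Template expansion: <!NAME!> -> self._name()
                for match in re.finditer(b"<\\!(\\w+)\\!>", content):
                    name = match.group(1).decode(UNICODE_ENCODING)
                    _ = getattr(self, "_%s" % name.lower(), None)
                    if _:
                        content = self._format(content, **{name: _()})

                if "gzip" in self.headers.get(HTTP_HEADER.ACCEPT_ENCODING, ""):
                    self.send_header(HTTP_HEADER.CONTENT_ENCODING, "gzip")
                    buffer = six.BytesIO()
                    compress = gzip.GzipFile("", "w+b", 9, buffer)
                    compress.write(content)
                    compress.close()  # flushes the trailer into buffer
                    content = buffer.getvalue()

                self.send_header(HTTP_HEADER.CONTENT_LENGTH, str(len(content)))

            self.end_headers()

            # The client may have gone away by now; write errors are not reported
            try:
                if content:
                    self.wfile.write(content)

                self.wfile.flush()
            except Exception:
                pass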

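        def do_POST(self):
            """
            Reads the request body (URL-decoded) into self.data and serves the
            request through do_GET(), which parses it as form parameters.

            A missing or invalid Content-Length is treated as an empty body instead
            of raising; a negative value is clamped to 0 so that rfile.read() never
            blocks waiting for EOF.
            """
            try:
                length = int(self.headers.get(HTTP_HEADER.CONTENT_LENGTH) or 0)
            except (TypeError, ValueError):
                length = 0

            # NOTE(review): the length is client-supplied and not capped here, although
            # do_GET() only ever consumes the body as form parameters
            data = self.rfile.read(max(length, 0)).decode(UNICODE_ENCODING)
            data = _urllib.parse.unquote_plus(data)
            self.data = data
            self.do_GET()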

        def get_session(self):
            """
            Returns the session (AttribDict) referenced by the request's session
            cookie, or None.

            A stored session is only honoured when the request comes from the
            client IP it was created for and it has not expired; expired entries
            are removed from SESSIONS. When no users are configured (config.USERS
            empty) an anonymous session with username "?" is returned instead of
            None.
            """
            cookie = self.headers.get(HTTP_HEADER.COOKIE)
            session = None

            match = re.search(r"%s\s*=\s*([^;]+)" % SESSION_COOKIE_NAME, cookie) if cookie else None
            if match and match.group(1) in SESSIONS:
                session_id = match.group(1)
                candidate = SESSIONS[session_id]
                if candidate.client_ip == self.client_address[0]:
                    if candidate.expiration > time.time():
                        session = candidate
                    else:
                        del SESSIONS[session_id]

            if session is None and not config.USERS:
                session = AttribDict({"username": "?"})

            return session

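        def delete_session(self):
            """
            Removes the server-side session named by the request's session cookie,
            if there is one.
            """
            cookie = self.headers.get(HTTP_HEADER.COOKIE)

            if cookie:
                # Same pattern as get_session(): stop at ';' so that any cookies
                # following the session cookie are not swallowed into the id (with
                # a greedy ".+" the lookup below failed and the session survived logout)
                match = re.search(r"%s\s*=\s*([^;]+)" % SESSION_COOKIE_NAME, cookie)
                if match:
                    session = match.group(1)
                    if session in SESSIONS:
                        del SESSIONS[session]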
        def version_string(self):
            """Overrides BaseHTTPRequestHandler.version_string(): "<NAME>/<version>"."""
            return "{}/{}".format(NAME, self._version())

        def end_headers(self):
            """
            Terminates the header block exactly once; later calls are no-ops
            (endpoints such as _events() may call it before do_GET() does).
            """
            if hasattr(self, "_headers_ended"):
                return

            _BaseHTTPServer.BaseHTTPRequestHandler.end_headers(self)
            self._headers_ended = True

        def log_message(self, format, *args):
            """Silences the BaseHTTPRequestHandler default per-request stderr logging."""
            pass

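        def finish(self):
            """
            Flushes/closes the request streams; errors (e.g. a client that hung up)
            are only reported when SHOW_DEBUG is on.
            """
            try:
                _BaseHTTPServer.BaseHTTPRequestHandler.finish(self)
            except Exception:  # not a bare except: keep SystemExit/KeyboardInterrupt
                if config.SHOW_DEBUG:
                    traceback.print_exc()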

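        def _version(self):
            """
            Returns the program version.

            Prefers the VERSION literal parsed from settings.py next to this module
            (presumably so that an updated settings.py is reflected without a
            restart); falls back to the imported VERSION constant when the file
            cannot be read or holds no such line.
            """
            version = VERSION

            try:
                with open(os.path.join(os.path.dirname(__file__), "settings.py"), 'r') as f:
                    for line in f:
                        match = re.search(r'VERSION = "([^"]*)', line)
                        if match:
                            version = match.group(1)
                            break
            except Exception:
                if config.SHOW_DEBUG:
                    traceback.print_exc()

            return version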

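        def _statics(self):
            """
            Template value for <!STATICS!>: "/<date>" (DATE_FORMAT) of the most
            recently modified trails/static/malware/*.txt file, or "" when there is
            none (max() on an empty glob would raise ValueError and abort the page).
            """
            candidates = glob.glob(os.path.join(os.path.dirname(__file__), "..", "trails", "static", "malware", "*.txt"))
            if not candidates:
                return ""

            latest = max(candidates, key=os.path.getmtime)
            return "/%s" % datetime.datetime.fromtimestamp(os.path.getmtime(latest)).strftime(DATE_FORMAT)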

        def _logo(self):
            """Template value for <!LOGO!>: config.HEADER_LOGO if set, else the built-in logo markup."""
            default_logo = '<img src="images/mlogo.png" style="width: 25px">altrail'
            return config.HEADER_LOGO or default_logo

        def _format(self, content, **params):
            """
            Replaces every ``<!KEY!>`` marker in the bytes `content` with the
            (str) value given for KEY; empty content is returned untouched.
            """
            if not content:
                return content

            for key, value in params.items():
                marker = b"<!%s!>" % key.encode(UNICODE_ENCODING)
                content = content.replace(marker, value.encode(UNICODE_ENCODING))

            return content

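        def _login(self, params):
            """
            Handles /login.

            Expects parameters ``username``, ``nonce`` and ``hash``, where hash is
            hex(sha256(<stored hash> + nonce)) and <stored hash> comes from the
            matching config.USERS entry ("username:hash:uid:netfilter", whitespace
            ignored; malformed entries are skipped). Each nonce is accepted once
            only (DISPOSED_NONCES). On success a session bound to the client IP and
            expiring after SESSION_EXPIRATION_HOURS is stored in SESSIONS and its id
            is set as the session cookie (HttpOnly, plus Secure under USE_SSL and
            SameSite=strict under SESSION_COOKIE_FLAG_SAMESITE); otherwise the
            reply is delayed by UNAUTHORIZED_SLEEP_TIME and is a 401. On non-Windows
            hosts every attempt is also reported through logger(1) to auth.info
            (presumably for fail2ban-style consumers).

            The netfilter field ("", "*", "::" or "0.0.0.0/0" mean unrestricted)
            becomes the session's netfilters: CIDRs with prefix length >= 16 and
            "a-b" ranges are expanded into individual addresses and folded into one
            regex via get_regex(); wider CIDRs are kept as CIDR strings.
            """
            valid = False
            username, uid, netfilter = None, None, ""

            if params.get("username") and params.get("hash") and params.get("nonce"):
                if params.get("nonce") not in DISPOSED_NONCES:
                    # NOTE(review): disposed nonces are retained for the process lifetime
                    DISPOSED_NONCES.add(params.get("nonce"))
                    for entry in (config.USERS or []):
                        entry = re.sub(r"\s", "", entry)
                        fields = entry.split(':')
                        if len(fields) != 4:
                            continue  # malformed entry: skip it rather than raise ValueError
                        username, stored_hash, uid, netfilter = fields

                        try:
                            uid = int(uid)
                        except ValueError:
                            uid = None

                        if username == params.get("username"):
                            try:
                                expected = hashlib.sha256((stored_hash.strip() + params.get("nonce")).encode(UNICODE_ENCODING)).hexdigest()
                                # Constant-time comparison of the client-supplied digest
                                if hmac.compare_digest(expected.encode(UNICODE_ENCODING), params.get("hash").encode(UNICODE_ENCODING)):
                                    valid = True
                                    break
                            except Exception:
                                if config.SHOW_DEBUG:
                                    traceback.print_exc()

            if valid:
                raw_id = os.urandom(SESSION_ID_LENGTH)
                session_id = raw_id.hex() if hasattr(raw_id, "hex") else raw_id.encode("hex")  # bytes.hex() is Python 3 only
                expiration = time.time() + 3600 * SESSION_EXPIRATION_HOURS

                self.send_response(_http_client.OK)
                self.send_header(HTTP_HEADER.CONNECTION, "close")

                cookie = "%s=%s; expires=%s; path=/; HttpOnly" % (SESSION_COOKIE_NAME, session_id, time.strftime(HTTP_TIME_FORMAT, time.gmtime(expiration)))
                if config.USE_SSL:
                    cookie += "; Secure"
                if SESSION_COOKIE_FLAG_SAMESITE:
                    cookie += "; SameSite=strict"
                self.send_header(HTTP_HEADER.SET_COOKIE, cookie)

                if netfilter in ("", '*', "::", "0.0.0.0/0"):
                    netfilters = None
                else:
                    addresses = set()
                    netmasks = set()

                    for item in set(re.split(r"[;,]", netfilter)):
                        item = item.strip()
                        if '/' in item:
                            bits = item.split('/')[-1]
                            if bits.isdigit() and int(bits) >= 16:
                                # prefix length >= 16: enumerate (at most 65536 addresses)
                                lower = addr_to_int(item.split('/')[0])
                                mask = make_mask(int(bits))
                                upper = lower | (0xffffffff ^ mask)
                                while lower <= upper:
                                    addresses.add(int_to_addr(lower))
                                    lower += 1
                            else:
                                netmasks.add(item)
                        elif '-' in item:
                            # operator-configured range; its size is not bounded here
                            bounds = item.split('-')
                            lower, upper = addr_to_int(bounds[0]), addr_to_int(bounds[1])
                            while lower <= upper:
                                addresses.add(int_to_addr(lower))
                                lower += 1
                        elif re.search(r"\d+\.\d+\.\d+\.\d+", item):
                            addresses.add(item)

                    netfilters = netmasks
                    if addresses:
                        netfilters.add(get_regex(addresses))

                # uid may be None for a non-numeric uid field; guard the comparison
                SESSIONS[session_id] = AttribDict({"username": username, "uid": uid, "netfilters": netfilters, "mask_custom": config.ENABLE_MASK_CUSTOM and uid is not None and uid >= 1000, "expiration": expiration, "client_ip": self.client_address[0]})
            else:
                time.sleep(UNAUTHORIZED_SLEEP_TIME)
                self.send_response(_http_client.UNAUTHORIZED)
                self.send_header(HTTP_HEADER.CONNECTION, "close")

            self.send_header(HTTP_HEADER.CONTENT_TYPE, "text/plain")
            content = "Login %s" % ("success" if valid else "failed")

            if not IS_WIN:
                try:
                    # argv list with shell=False: the client-supplied username is a single
                    # argument, not shell-interpreted
                    subprocess.check_output(["logger", "-p", "auth.info", "-t", "%s[%d]" % (NAME.lower(), os.getpid()), "%s password for %s from %s port %s" % ("Accepted" if valid else "Failed", params.get("username"), self.client_address[0], self.client_address[1])], stderr=subprocess.STDOUT, shell=False)
                except Exception:
                    if config.SHOW_DEBUG:
                        traceback.print_exc()

            return content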

        def _logout(self, params):
            """
            Handles /logout: drops the server-side session and redirects (302) to "/".
            The cookie itself is not cleared on the client; its id simply no longer
            exists in SESSIONS.
            """
            self.delete_session()

            self.send_response(_http_client.FOUND)
            for name, value in ((HTTP_HEADER.CONNECTION, "close"), (HTTP_HEADER.LOCATION, "/")):
                self.send_header(name, value)

        def _whoami(self, params):
            """Handles /whoami: returns the session's username, or "" without a session."""
            session = self.get_session()

            self.send_response(_http_client.OK)
            for name, value in ((HTTP_HEADER.CONNECTION, "close"), (HTTP_HEADER.CONTENT_TYPE, "text/plain")):
                self.send_header(name, value)

            return "" if not session else session.username

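        def _check_ip(self, params):
            """
            Handles /check_ip?address=<ip>[&callback=<name>] (session required).

            Returns JSON {"ipcat": <category>, "worst_asns": "true"|"false"} from
            worst_asns() and, failing that, ipcat_lookup(). With a callback
            parameter the JSON is wrapped JSONP-style; since the callback name is
            client-supplied and reflected verbatim into the response, it is only
            honoured when it looks like a plain (dotted) JavaScript identifier.
            On an internal error nothing is returned (empty body).
            """
            session = self.get_session()

            if session is None:
                self.send_response(_http_client.UNAUTHORIZED)
                self.send_header(HTTP_HEADER.CONNECTION, "close")
                return None

            self.send_response(_http_client.OK)
            self.send_header(HTTP_HEADER.CONNECTION, "close")
            self.send_header(HTTP_HEADER.CONTENT_TYPE, "text/plain")

            try:
                address = params.get("address")
                result_worst = worst_asns(address)
                if result_worst:
                    result_ipcat = result_worst
                else:
                    # apparently a leading "the" in the ipcat text is dropped
                    words = (ipcat_lookup(address) or "").lower().split(' ')
                    result_ipcat = words[1] if words[0] == 'the' and len(words) > 1 else words[0]

                payload = json.dumps({"ipcat": result_ipcat, "worst_asns": str(result_worst is not None).lower()})

                callback = params.get("callback")
                if callback and re.match(r"\A[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\Z", callback):
                    return "%s(%s)" % (callback, payload)

                return payload
            except Exception:
                if config.SHOW_DEBUG:
                    traceback.print_exc()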

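        def _trails(self, params):
            """
            Handles /trails: returns the raw contents of config.TRAILS_FILE.
            No session check is performed, so anyone who can reach the server can
            download the file.
            """
            self.send_response(_http_client.OK)
            self.send_header(HTTP_HEADER.CONNECTION, "close")
            self.send_header(HTTP_HEADER.CONTENT_TYPE, "text/plain")

            with open(config.TRAILS_FILE, "rb") as f:
                return f.read()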

        def _ping(self, params):
            """Handles /ping: liveness probe answering PING_RESPONSE (no session check)."""
            self.send_response(_http_client.OK)
            for name, value in ((HTTP_HEADER.CONNECTION, "close"), (HTTP_HEADER.CONTENT_TYPE, "text/plain")):
                self.send_header(name, value)

            return PING_RESPONSE

        def __is_fail2ban_allowed(self):
            """
            Tells whether the requesting client (IPv4 only) is covered by
            config.FAIL2BAN_ALLOWLIST.

            The allowlist may be a list/tuple/set or a single string; items are
            separated by commas, semicolons or whitespace and are either exact
            IPv4 addresses or IPv4 CIDR ranges (anything else is ignored). An
            unset or empty allowlist, an IPv6 client or an unparsable client
            address all deny.
            """
            allowlist = getattr(config, "FAIL2BAN_ALLOWLIST", None)
            if not allowlist:
                return False  # secure by default

            def tokenize(value):
                return [token.strip() for token in re.split(r"[,\s;]+", str(value)) if token.strip()]

            if isinstance(allowlist, (list, tuple, set)):
                items = []
                for entry in allowlist:
                    items.extend(tokenize(entry))
            else:
                items = tokenize(allowlist)

            if not items:
                return False

            client_ip = self.client_address[0]

            # IPv6 client: deny rather than risk a false match against IPv4 items
            if ':' in client_ip and '.' not in client_ip:
                return False

            try:
                client_int = addr_to_int(client_ip)
            except:
                return False

            for item in items:
                if not item:
                    continue

                # exact IPv4 address
                if re.search(r"\A\d+\.\d+\.\d+\.\d+\Z", item):
                    if client_ip == item:
                        return True
                    continue

                # IPv4 CIDR
                cidr = re.match(r"\A(\d+\.\d+\.\d+\.\d+)/(\d+)\Z", item)
                if cidr is None:
                    continue

                prefix, bits = cidr.group(1), int(cidr.group(2))
                if not 0 <= bits <= 32:
                    continue

                try:
                    mask = make_mask(bits)
                    if client_int & mask == addr_to_int(prefix) & mask:
                        return True
                except:
                    pass

            return False

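        def _fail2ban(self, params):
            """
            Handles /fail2ban: returns, one per line, the 4th whitespace-separated
            column (apparently the source address) of today's log lines matching
            config.FAIL2BAN_REGEX (case-insensitive), for a fail2ban-style consumer.

            Only clients passing __is_fail2ban_allowed() are served; all others get
            a 404. The result is cached per 8-second window (int(time.time()) >> 3)
            in the module globals _fail2ban_cache/_fail2ban_key.
            """
            global _fail2ban_cache
            global _fail2ban_key

            if not self.__is_fail2ban_allowed():
                self.send_response(_http_client.NOT_FOUND)
                self.send_header(HTTP_HEADER.CONNECTION, "close")
                return None

            self.send_response(_http_client.OK)
            self.send_header(HTTP_HEADER.CONNECTION, "close")
            self.send_header(HTTP_HEADER.CONTENT_TYPE, "text/plain")

            key = int(time.time()) >> 3

            if not config.FAIL2BAN_REGEX:
                return "configuration option FAIL2BAN_REGEX not set"

            try:
                regex = re.compile(config.FAIL2BAN_REGEX, re.I)
            except re.error:
                return "invalid regular expression used in option FAIL2BAN_REGEX"

            if key == _fail2ban_key:
                return _fail2ban_cache

            result = set()
            log_path = os.path.join(config.LOG_DIR, "%s.log" % datetime.datetime.now().strftime("%Y-%m-%d"))
            if os.path.isfile(log_path):
                with open(log_path, "r") as log_file:
                    for line in log_file:
                        fields = line.split()
                        # a line too short to hold the column is skipped instead of
                        # aborting the whole request with IndexError
                        if len(fields) > 3 and regex.search(line):
                            result.add(fields[3])

            content = "\n".join(result)

            _fail2ban_cache = content
            _fail2ban_key = key

            return content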

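        def _blacklist(self, params):
            """
            Handles /blacklist[/<NAME>]: returns, one per line, the 4th column of
            today's log lines matching any rule set in config.BLACKLIST (or
            config.BLACKLIST_<NAME>, NAME upper-cased).

            A rule set is a string of conditions joined by " and ", each of the
            form "<field> <op> <regex>", where <field> is one of src_ip, src_port,
            dst_ip, dst_port, protocol, type, trail, filter (log columns 3..10 when
            a line is split on ' ' into at most 11 parts) and an <op> starting with
            '!' negates the case-insensitive regex match. A line is reported when
            every condition of some rule set holds; a column missing from a short
            line counts as "no match". Results are cached per 8-second window in
            the module globals _blacklist_cache/_blacklist_key.

            Note: unlike /fail2ban this endpoint applies neither the allowlist nor
            a session check.
            """
            global _blacklist_cache
            global _blacklist_key

            self.send_response(_http_client.OK)
            self.send_header(HTTP_HEADER.CONNECTION, "close")
            self.send_header(HTTP_HEADER.CONTENT_TYPE, "text/plain")

            bl_name = ""
            if 'subpath' in params:
                bl_name = "_%s" % params['subpath'].split('/')[0].upper()

            option = "BLACKLIST%s" % bl_name
            key = int(time.time()) >> 3

            if option not in config:
                return "configuration option %s not set" % option

            # index of each rule field in a log line split on ' ' (max 11 parts)
            fields = ['', '', '', 'src_ip', 'src_port', 'dst_ip', 'dst_port', 'protocol', 'type', 'trail', 'filter']

            try:
                blacklist = []
                for bl in config[option]:
                    rules = []
                    for e in bl.split(' and '):
                        f, n, p = e.strip().split(' ', 2)
                        rules.append([fields.index(f), (n[0] == '!'), re.compile(p, re.I)])
                    blacklist.append(rules)
            except Exception:
                return "invalid rule in option %s" % option

            if key == _blacklist_key:
                return _blacklist_cache

            result = set()
            log_path = os.path.join(config.LOG_DIR, "%s.log" % datetime.datetime.now().strftime("%Y-%m-%d"))
            if os.path.isfile(log_path):
                with open(log_path, "r") as log_file:
                    for line in log_file:
                        columns = line.split(' ', 10)
                        if len(columns) < 4:
                            continue  # nothing to report for this line
                        for rules in blacklist:
                            failed = False
                            for f, n, r in rules:
                                matched = f < len(columns) and r.search(columns[f]) is not None
                                if not (matched ^ n):
                                    failed = True
                                    break
                            if not failed:
                                result.add(columns[3])
                                break

            content = "\n".join(result)

            _blacklist_cache = content
            _blacklist_key = key

            return content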

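        def _events(self, params):
            """
            Handles /events?date=<YYYY-MM-DD>[_<YYYY-MM-DD>] (session required).

            Serves the event log(s) of the given date or date interval from
            config.LOG_DIR. With a Range header ("bytes=<start>-<end>") a partial
            response is produced: a session without network filters and without
            custom-trail masking gets the raw byte range (206); any other session
            gets only the lines visible to it, i.e. those matching its netfilters
            (addresses, CIDRs or a regex of addresses), with "(custom)" trails
            masked when session.mask_custom is set, and a Content-Range that keeps
            the client paging as long as the buffer fills up. The open log handle
            is kept in session.range_handle between ranged requests. Without a
            Range header the whole log is streamed. A missing or malformed date
            yields an empty 200 response.

            NOTE(review): the anonymous session created by get_session() only has
            "username"; reading netfilters/mask_custom/range_handle on it relies
            on AttribDict returning a falsy value for missing keys — confirm.
            """
            session = self.get_session()

            if session is None:
                self.send_response(_http_client.UNAUTHORIZED)
                self.send_header(HTTP_HEADER.CONNECTION, "close")
                return None

            start, end, size, total = None, None, -1, None
            content = None
            log_exists = False
            dates = params.get("date", "")

            if ".." in dates:
                pass
            elif '_' not in dates:
                try:
                    # strptime() validates and normalizes the client-supplied date
                    # before it becomes part of a file name
                    date = datetime.datetime.strptime(dates, "%Y-%m-%d").strftime("%Y-%m-%d")
                    event_log_path = os.path.join(config.LOG_DIR, "%s.log" % date)
                    if os.path.exists(event_log_path):
                        range_handle = open(event_log_path, "rb")
                        log_exists = True
                except ValueError:
                    print("[!] invalid date format in request")
                    log_exists = False
            else:
                # The files are read in binary mode, so the accumulator must be bytes
                # (a str accumulator raises TypeError on Python 3)
                logs_data = b""
                date_interval = dates.split("_", 1)
                try:
                    start_date = datetime.datetime.strptime(date_interval[0], "%Y-%m-%d").date()
                    end_date = datetime.datetime.strptime(date_interval[1], "%Y-%m-%d").date()
                    for i in xrange(int((end_date - start_date).days) + 1):
                        date = start_date + datetime.timedelta(i)
                        event_log_path = os.path.join(config.LOG_DIR, "%s.log" % date.strftime("%Y-%m-%d"))
                        if os.path.exists(event_log_path):
                            with open(event_log_path, "rb") as log_handle:
                                logs_data += log_handle.read()

                    range_handle = io.BytesIO(logs_data)
                    log_exists = True
                except ValueError:
                    print("[!] invalid date format in request")
                    log_exists = False

            if log_exists:
                range_handle.seek(0, 2)
                total = range_handle.tell()
                range_handle.seek(0)

                if self.headers.get(HTTP_HEADER.RANGE):
                    match = re.search(r"bytes=(\d+)-(\d+)", self.headers[HTTP_HEADER.RANGE])
                    if match:
                        start, end = int(match.group(1)), int(match.group(2))
                        max_size = end - start + 1
                        end = min(total - 1, end)
                        size = end - start + 1

                        # A new page sequence (start == 0) replaces the handle kept
                        # from the previous ranged request
                        if start == 0 or not session.range_handle:
                            session.range_handle = range_handle

                        if session.netfilters is None and not session.mask_custom:
                            session.range_handle.seek(start)
                            self.send_response(_http_client.PARTIAL_CONTENT)
                            self.send_header(HTTP_HEADER.CONNECTION, "close")
                            self.send_header(HTTP_HEADER.CONTENT_TYPE, "text/plain")
                            self.send_header(HTTP_HEADER.CONTENT_RANGE, "bytes %d-%d/%d" % (start, end, total))
                            content = session.range_handle.read(size)
                        else:
                            self.send_response(_http_client.OK)
                            self.send_header(HTTP_HEADER.CONNECTION, "close")
                            self.send_header(HTTP_HEADER.CONTENT_TYPE, "text/plain")

                            buffer, addresses, netmasks, regex = io.StringIO(), set(), [], ""
                            for netfilter in session.netfilters or []:
                                if not netfilter:
                                    continue
                                if '/' in netfilter:
                                    netmasks.append(netfilter)
                                elif re.search(r"\A[\d.]+\Z", netfilter):
                                    addresses.add(netfilter)
                                elif "\\." in netfilter:
                                    regex = r"\b(%s)\b" % netfilter
                                else:
                                    print("[!] invalid network filter '%s'" % netfilter)
                                    return

                            for line in session.range_handle:
                                display = session.netfilters is None
                                ip = None
                                line = line.decode(UNICODE_ENCODING, "ignore")

                                if regex:
                                    match = re.search(regex, line)
                                    if match:
                                        ip = match.group(1)
                                        display = True

                                if not display and (addresses or netmasks):
                                    for match in re.finditer(r"\b(\d+\.\d+\.\d+\.\d+)\b", line):
                                        if not display:
                                            ip = match.group(1)
                                        else:
                                            break

                                        if ip in addresses:
                                            display = True
                                            break
                                        elif netmasks:
                                            for _ in netmasks:
                                                prefix, mask = _.split('/')
                                                if addr_to_int(ip) & make_mask(int(mask)) == addr_to_int(prefix):
                                                    addresses.add(ip)  # memoize for later lines
                                                    display = True
                                                    break

                                if session.mask_custom and "(custom)" in line:
                                    line = re.sub(r'("[^"]+"|[^ ]+) \(custom\)', "- (custom)", line)

                                if display:
                                    # keep only the matching address out of a comma-separated list
                                    if ",%s" % ip in line or "%s," % ip in line:
                                        line = re.sub(r" ([\d.,]+,)?%s(,[\d.,]+)? " % re.escape(ip), " %s " % ip, line)
                                    buffer.write(line)
                                    if buffer.tell() >= max_size:
                                        break

                            content = buffer.getvalue()
                            end = start + len(content) - 1
                            # a full buffer advertises one more page so the client keeps reading
                            self.send_header(HTTP_HEADER.CONTENT_RANGE, "bytes %d-%d/%d" % (start, end, end + 1 + max_size * (len(content) >= max_size)))

                        if len(content) < max_size:
                            session.range_handle.close()
                            session.range_handle = None

                if size == -1:
                    self.send_response(_http_client.OK)
                    self.send_header(HTTP_HEADER.CONNECTION, "close")
                    self.send_header(HTTP_HEADER.CONTENT_TYPE, "text/plain")
                    self.end_headers()

                    with range_handle as f:
                        while True:
                            data = f.read(io.DEFAULT_BUFFER_SIZE)
                            if not data:
                                break
                            else:
                                self.wfile.write(data)

            else:
                self.send_response(_http_client.OK)  # instead of _http_client.NO_CONTENT (compatibility reasons)
                self.send_header(HTTP_HEADER.CONNECTION, "close")
                if self.headers.get(HTTP_HEADER.RANGE):
                    self.send_header(HTTP_HEADER.CONTENT_RANGE, "bytes 0-0/0")

            return content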

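        def _counts(self, params):
            """Serve the per-day event totals (JSON) behind the web UI's calendar.

            A valid session is required; without one a 401 is sent and None is
            returned. ``params["from"]``/``params["to"]`` may carry a YYYY-MM-DD
            date (only the first date-looking token is used); a missing or
            unparsable value falls back to the epoch and to "now" respectively.

            The result maps the local-midnight epoch timestamp of every
            "YYYY-MM-DD.log" in config.LOG_DIR inside the range to its line
            count: exact for files smaller than io.DEFAULT_BUFFER_SIZE, otherwise
            an extrapolation from the first buffer rounded to hundreds.

            Sends the status line and headers but does not call end_headers();
            returns the JSON text.
            """
            counts = {}

            session = self.get_session()

            if session is None:
                self.send_response(_http_client.UNAUTHORIZED)
                self.send_header(HTTP_HEADER.CONNECTION, "close")
                return None

            self.send_response(_http_client.OK)
            self.send_header(HTTP_HEADER.CONNECTION, "close")
            self.send_header(HTTP_HEADER.CONTENT_TYPE, "application/json")

            def _date_bound(value, default):
                # client-controlled input: a token that looks like a date but is
                # not one (e.g. "2024-13-45") used to make strptime() raise out of
                # the handler after the status line was already sent
                match = re.search(r"\d+\-\d+\-\d+", value)
                if match:
                    try:
                        return datetime.datetime.strptime(match.group(0), DATE_FORMAT)
                    except ValueError:
                        pass
                return default

            min_ = _date_bound(params.get("from", ""), datetime.datetime.fromtimestamp(0))
            max_ = _date_bound(params.get("to", ""), datetime.datetime.now())

            min_ = min_.replace(hour=0, minute=0, second=0, microsecond=0)
            max_ = max_.replace(hour=23, minute=59, second=59, microsecond=999999)

            for filepath in sorted(glob.glob(os.path.join(config.LOG_DIR, "*.log"))):
                filename = os.path.basename(filepath)
                if not re.search(r"\A\d{4}-\d{2}-\d{2}\.log\Z", filename):
                    continue

                try:
                    current = datetime.datetime.strptime(os.path.splitext(filename)[0], DATE_FORMAT)
                except ValueError:
                    # matches the name pattern but is not a real date (e.g. 2024-02-30.log)
                    if config.SHOW_DEBUG:
                        traceback.print_exc()
                    continue

                if not (min_ <= current <= max_):
                    continue

                timestamp = int(time.mktime(current.timetuple()))

                try:
                    size = os.path.getsize(filepath)
                    with open(filepath, "rb") as f:
                        content = f.read(io.DEFAULT_BUFFER_SIZE)
                except (OSError, IOError):
                    # removed/rotated between glob() and open(): skip rather than fail the request
                    if config.SHOW_DEBUG:
                        traceback.print_exc()
                    continue

                if size >= io.DEFAULT_BUFFER_SIZE:
                    # extrapolate the line density of the first buffer over the whole file
                    total = 1.0 * (1 + content.count(b'\n')) * size / io.DEFAULT_BUFFER_SIZE
                    counts[timestamp] = int(round(total / 100.0) * 100)
                else:
                    counts[timestamp] = content.count(b'\n')

            return json.dumps(counts)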

    class SSLReqHandler(ReqHandler):
        """ReqHandler variant used for the TLS listener.

        Overrides setup() so that the buffered rfile/wfile streams are built
        with socket._fileobject around the raw connection object instead of
        the base class's default (presumably makefile()-based) construction.
        NOTE(review): socket._fileobject is a private Python 2 helper that does
        not exist in Python 3; verify on which interpreters the
        SSLThreadingServer path (not in view here) actually reaches this.
        """
        def setup(self):
            sock = self.request
            self.connection = sock
            self.rfile = socket._fileobject(sock, "rb", self.rbufsize)
            self.wfile = socket._fileobject(sock, "wb", self.wbufsize)

    # IPv6 support
    if ':' in (address or ""):
        address = address.strip("[]")

        _BaseHTTPServer.HTTPServer.address_family = socket.AF_INET6

        # Reference: https://github.com/squeaky-pl/zenchmarks/blob/master/vendor/twisted/internet/tcp.py
        _AI_NUMERICSERV = getattr(socket, "AI_NUMERICSERV", 0)
        _NUMERIC_ONLY = socket.AI_NUMERICHOST | _AI_NUMERICSERV

        _address = socket.getaddrinfo(address, int(port) if str(port or "").isdigit() else 0, 0, 0, 0, _NUMERIC_ONLY)[0][4]
    else:
        _address = (address or '', int(port) if str(port or "").isdigit() else 0)

    try:
        if pem:
            server = SSLThreadingServer(_address, pem, SSLReqHandler)
        else:
            server = ThreadingServer(_address, ReqHandler)
    except Exception as ex:
        if "Address already in use" in str(ex):
            sys.exit("[!] another instance already running")
        elif "Name or service not known" in str(ex):
            sys.exit("[!] invalid configuration value for 'HTTP_ADDRESS' ('%s')" % config.HTTP_ADDRESS)
        elif "Cannot assign requested address" in str(ex):
            sys.exit("[!] can't use configuration value for 'HTTP_ADDRESS' ('%s')" % config.HTTP_ADDRESS)
        else:
            raise

    print("[i] starting HTTP%s server at http%s://%s:%d/" % ('S' if pem else "", 's' if pem else "", server.server_address[0], server.server_address[1]))

    print("[^] running...")

    if join:
        server.serve_forever()
    else:
        thread = threading.Thread(target=server.serve_forever)
        thread.daemon = True
        thread.start()


================================================
FILE: core/ignore.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""
from __future__ import print_function

# simple ignore rule mechanism configured by file 'misc/ignore_events.txt' and/or user defined `USER_IGNORELIST`

import re

from core.settings import config
from core.settings import IGNORE_EVENTS

def ignore_event(event_tuple):
    """Decide whether an event should be dropped before it is logged.

    Two rule sources are consulted: config.IGNORE_EVENTS_REGEX, searched
    case-insensitively in repr() of the whole tuple, and the
    (src_ip, src_port, dst_ip, dst_port) rules in IGNORE_EVENTS, where '*'
    is a wildcard, IPs are compared as given and ports as strings.
    Returns True when any rule matches (printed with SHOW_DEBUG).
    """
    _, _, src_ip, src_port, dst_ip, dst_port, _, _, _, _, _ = event_tuple

    ignored = bool(config.IGNORE_EVENTS_REGEX) and re.search(config.IGNORE_EVENTS_REGEX, repr(event_tuple), re.I) is not None

    if not ignored:
        actual = (src_ip, str(src_port), dst_ip, str(dst_port))
        for rule in IGNORE_EVENTS:
            if all(expected == '*' or expected == value for expected, value in zip(rule, actual)):
                ignored = True
                break

    if ignored and config.SHOW_DEBUG:
        print("[i] ignore_event src_ip=%s, src_port=%s, dst_ip=%s, dst_port=%s" % (src_ip, src_port, dst_ip, dst_port))

    return ignored


================================================
FILE: core/log.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""
from __future__ import print_function

import datetime
import json
import os
import re
import signal
import socket
import sys
import threading
import time
import traceback

from core.common import check_whitelisted
from core.common import check_sudo
from core.compat import xrange
from core.enums import TRAIL
from core.settings import CEF_FORMAT
from core.settings import config
from core.settings import CONDENSE_ON_INFO_KEYWORDS
from core.settings import CONDENSED_EVENTS_FLUSH_PERIOD
from core.settings import DEFAULT_ERROR_LOG_PERMISSIONS
from core.settings import DEFAULT_EVENT_LOG_PERMISSIONS
from core.settings import HOSTNAME
from core.settings import NAME
from core.settings import TIME_FORMAT
from core.settings import UNICODE_ENCODING
from core.settings import VERSION
from core.ignore import ignore_event
from thirdparty.odict import OrderedDict
from thirdparty.six.moves import socketserver as _socketserver

_condensed_events = {}  # (src_ip, trail) -> [event_tuple, ...] awaiting flush_condensed_events(); guarded by _condensing_lock
_condensing_thread = None  # daemon thread running flush_condensed_events(); started lazily by log_event(), never restarted
_condensing_lock = threading.Lock()
_single_messages = set()  # messages already written via log_error(single=True); grows for the life of the process
_thread_data = threading.local()  # per-thread cached log descriptors and log-throttling state

def create_log_directory():
    """Ensure config.LOG_DIR exists (created with mode 0o755) and report it.

    Creating a missing directory is refused — the process exits — when not
    running with sudo/Administrator rights, unless DISABLE_CHECK_SUDO is set.
    """
    log_dir = config.LOG_DIR

    if not os.path.isdir(log_dir):
        if not config.DISABLE_CHECK_SUDO and check_sudo() is False:
            sys.exit("[!] please rerun with sudo/Administrator privileges")
        os.makedirs(log_dir, 0o755)

    print("[i] using '%s' for log storage" % log_dir)

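def get_event_log_handle(sec, flags=os.O_APPEND | os.O_CREAT | os.O_WRONLY, reuse=True):
    """Return an os-level descriptor for the daily event log ("YYYY-MM-DD.log" in config.LOG_DIR).

    sec: epoch seconds of the event; selects the day file (local time).
    flags: os.open() flags for the descriptor.
    reuse: True (default) — one descriptor is cached per thread in _thread_data
        and transparently reopened when the day changes; callers must not close
        it. False — a fresh descriptor is returned and the caller owns it.

    A missing file is created first and chmod'ed to DEFAULT_EVENT_LOG_PERMISSIONS
    so the effective mode does not depend on the process umask.
    """
    localtime = time.localtime(sec)
    path = os.path.join(config.LOG_DIR, "%d-%02d-%02d.log" % (localtime.tm_year, localtime.tm_mon, localtime.tm_mday))

    if not reuse:
        if not os.path.exists(path):
            # append mode creates the file but never truncates it: another
            # thread/process that created it in the meantime does not lose what
            # it already wrote (the former "w+" truncated in that race)
            open(path, "a").close()
            os.chmod(path, DEFAULT_EVENT_LOG_PERMISSIONS)

        return os.open(path, flags)

    if path != getattr(_thread_data, "event_log_path", None):
        # day rolled over (or first use in this thread): drop the old descriptor
        if getattr(_thread_data, "event_log_handle", None):
            try:
                os.close(_thread_data.event_log_handle)
            except OSError:
                pass

        if not os.path.exists(path):
            open(path, "a").close()  # see above: create without truncating
            os.chmod(path, DEFAULT_EVENT_LOG_PERMISSIONS)

        _thread_data.event_log_path = path
        _thread_data.event_log_handle = os.open(_thread_data.event_log_path, flags)

    return _thread_data.event_log_handle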

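def get_error_log_handle(flags=os.O_APPEND | os.O_CREAT | os.O_WRONLY):
    """Return this thread's cached os-level descriptor for error.log (callers never close it).

    The file lives in config.LOG_DIR (the current directory when LOG_DIR is
    unset) and is created on first use with DEFAULT_ERROR_LOG_PERMISSIONS.
    NOTE(review): that constant is 0o666 in core/settings.py — world-writable,
    so any local user can append to or tamper with error.log; presumably chosen
    so sensor and server running as different users can share the file —
    confirm, and tighten it where both run as the same user.
    """
    if not hasattr(_thread_data, "error_log_handle"):
        path = os.path.join(config.get("LOG_DIR") or os.curdir, "error.log")
        if not os.path.exists(path):
            # append mode creates the file but never truncates it, so lines a
            # concurrent creator already wrote are kept (the former "w+" lost them)
            open(path, "a").close()
            os.chmod(path, DEFAULT_ERROR_LOG_PERMISSIONS)
        _thread_data.error_log_path = path
        _thread_data.error_log_handle = os.open(path, flags)
    return _thread_data.error_log_handle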

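def safe_value(value):
    """Render one field of the space-separated event log line.

    Falsy values (None, '', 0) become the '-' placeholder (presumably an
    intentional "not applicable" marker — verify callers never log port 0).
    CR/LF are replaced by spaces first; a field that then contains a space or a
    double quote is wrapped in double quotes with inner quotes doubled, so the
    line keeps one record with a fixed number of columns.

    Previously the quoting decision was made before the CR/LF replacement, so
    a value like "a\\nb" came out as the unquoted two-column "a b".
    """
    text = re.sub(r"[\x0a\x0d]", " ", str(value or '-'))
    if ' ' in text or '"' in text:
        text = "\"%s\"" % text.replace('"', '""')
    return text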

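def _merge_condensed_group(events):
    """Collapse a group of events sharing (src_ip, trail) into one event list.

    Fields 3-6 (src_port, dst_ip, dst_port, proto) that differ across the
    group become a comma-separated string of the sorted distinct values; every
    other field is taken from the first event. A group of one comes back as a
    plain list of its fields.
    NOTE(review): sorted() over mixed types (e.g. int ports next to a '-'
    placeholder) raises TypeError on Python 3; whether one group can ever mix
    them is not visible here.
    """
    merged = list(events[0])

    for current in events[1:]:
        for j in xrange(3, 7):  # src_port, dst_ip, dst_port, proto
            if current[j] != merged[j]:
                if not isinstance(merged[j], set):
                    merged[j] = set((merged[j],))
                merged[j].add(current[j])

    return [','.join(str(_) for _ in sorted(field)) if isinstance(field, set) else field for field in merged]

def flush_condensed_events(single=False):
    """Write out everything log_event() has buffered for condensing.

    single=False (the daemon thread log_event() starts): loop forever,
    flushing every CONDENSED_EVENTS_FLUSH_PERIOD seconds. single=True: flush
    once and return.

    The buffer is swapped out under _condensing_lock and processed outside it,
    so the file/UDP I/O performed by log_event() no longer stalls the capture
    threads that are buffering new events. Each group is logged on its own: an
    exception in one (printed with SHOW_DEBUG) is contained instead of killing
    this thread, which is never restarted because log_event() only starts it
    while _condensing_thread is None.
    """
    while True:
        if not single:
            time.sleep(CONDENSED_EVENTS_FLUSH_PERIOD)

        with _condensing_lock:
            pending = list(_condensed_events.values())
            _condensed_events.clear()

        for events in pending:
            try:
                log_event(_merge_condensed_group(events), skip_condensing=True)
            except Exception:
                if config.SHOW_DEBUG:
                    traceback.print_exc()

        if single:
            break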
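def _udp_target(spec):
    """Parse a "host:port" log target into (address_family, sockaddr).

    A spec with more than one colon ("[v6-literal]:port" or "v6-literal:port")
    is resolved numerically with getaddrinfo() — no DNS lookup — and the
    4-tuple it returns selects AF_INET6; anything else becomes a plain
    (host, port) tuple for AF_INET, which sendto() resolves if host is a name.
    Raises ValueError for a malformed spec and socket.gaierror for an IPv6
    literal that does not parse.
    """
    if spec.count(':') > 1:
        remote_host, remote_port = spec.replace('[', '').replace(']', '').rsplit(':', 1)

        # Reference: https://github.com/squeaky-pl/zenchmarks/blob/master/vendor/twisted/internet/tcp.py
        _AI_NUMERICSERV = getattr(socket, "AI_NUMERICSERV", 0)
        _NUMERIC_ONLY = socket.AI_NUMERICHOST | _AI_NUMERICSERV

        sockaddr = socket.getaddrinfo(remote_host, int(remote_port) if str(remote_port or "").isdigit() else 0, 0, 0, 0, _NUMERIC_ONLY)[0][4]
    else:
        remote_host, remote_port = spec.split(':')
        sockaddr = (remote_host, int(remote_port))

    family = socket.AF_INET if len(sockaddr) == 2 else socket.AF_INET6
    return family, sockaddr

def _send_udp(spec, payload):
    """Send one UDP datagram `payload` (bytes) to the "host:port" target `spec`.

    The socket is closed afterwards; previously one socket per event was
    dropped without close() and left to the garbage collector. IPv6 targets
    are accepted for every destination, not just LOG_SERVER.
    """
    family, sockaddr = _udp_target(spec)
    s = socket.socket(family, socket.SOCK_DGRAM)
    try:
        s.sendto(payload, sockaddr)
    finally:
        s.close()

def log_event(event_tuple, packet=None, skip_write=False, skip_condensing=False):
    """Record one detection event on every configured output.

    event_tuple: (sec, usec, src_ip, src_port, dst_ip, dst_port, proto,
        trail_type, trail, info, reference)
    packet: raw packet, passed through to plugin functions only.
    skip_write: only run the ignore/whitelist checks and the plugins.
    skip_condensing: bypass the condensing buffer (used when flushing it).

    Order of operations: drop if ignore_event() matches; drop if src or dst is
    whitelisted (never for DNS events); buffer instead of writing when `info`
    contains one of CONDENSE_ON_INFO_KEYWORDS; drop repeats of the same
    (ip, trail) within a bucket of PROCESS_COUNT seconds (tracked per thread);
    then append to the daily log, forward over UDP to LOG_SERVER,
    SYSLOG_SERVER (CEF) and/or LOGSTASH_SERVER (JSON), echo to stderr in
    console mode, and finally hand the event to the plugins.
    OSError/IOError anywhere in this is swallowed (printed with SHOW_DEBUG);
    any other exception propagates to the caller.
    """
    global _condensing_thread

    # the flusher for condensed events is started lazily, on the first event
    if _condensing_thread is None:
        _condensing_thread = threading.Thread(target=flush_condensed_events)
        _condensing_thread.daemon = True
        _condensing_thread.start()

    try:
        sec, usec, src_ip, src_port, dst_ip, dst_port, proto, trail_type, trail, info, reference = event_tuple
        if ignore_event(event_tuple):
            return

        # DNS requests/responses can't be whitelisted based on src_ip/dst_ip
        whitelisted = any(check_whitelisted(_) for _ in (src_ip, dst_ip)) and trail_type != TRAIL.DNS
        if whitelisted:
            return

        if not skip_write:
            localtime = "%s.%06d" % (time.strftime(TIME_FORMAT, time.localtime(int(sec))), usec)

            if not skip_condensing and any(_ in info for _ in CONDENSE_ON_INFO_KEYWORDS):
                with _condensing_lock:
                    _condensed_events.setdefault((src_ip, trail), []).append(event_tuple)
                return

            # log throttling: one line per (ip, trail) per bucket, state kept per thread
            current_bucket = sec // config.PROCESS_COUNT
            if getattr(_thread_data, "log_bucket", None) != current_bucket:
                _thread_data.log_bucket = current_bucket
                _thread_data.log_trails = set()
            elif (src_ip, trail) in _thread_data.log_trails or (dst_ip, trail) in _thread_data.log_trails:
                return
            else:
                _thread_data.log_trails.add((src_ip, trail))
                _thread_data.log_trails.add((dst_ip, trail))

            event = "%s %s %s\n" % (safe_value(localtime), safe_value(config.SENSOR_NAME), " ".join(safe_value(_) for _ in event_tuple[2:]))

            if not config.DISABLE_LOCAL_LOG_STORAGE:
                os.write(get_event_log_handle(sec), event.encode(UNICODE_ENCODING))

            if config.LOG_SERVER:
                # epoch seconds are prefixed so the collector (start_logd) can pick the day file
                _send_udp(config.LOG_SERVER, ("%s %s" % (sec, event)).encode(UNICODE_ENCODING))

            if config.SYSLOG_SERVER or config.LOGSTASH_SERVER:
                severity = "medium"

                if config.REMOTE_SEVERITY_REGEX:
                    # the configured regex is expected to define named groups low/medium/high
                    match = re.search(config.REMOTE_SEVERITY_REGEX, info)
                    if match:
                        for _ in ("low", "medium", "high"):
                            if match.group(_):
                                severity = _
                                break

                if config.SYSLOG_SERVER:
                    # NOTE(review): neither the CEF header field `name` (info) nor the
                    # extension values are CEF-escaped ('|', '=', '\'); traffic-derived
                    # text containing them can shift fields on the receiving SIEM
                    extension = "src=%s spt=%s dst=%s dpt=%s trail=%s ref=%s" % (src_ip, src_port, dst_ip, dst_port, trail, reference)
                    cef = CEF_FORMAT.format(syslog_time=time.strftime("%b %d %H:%M:%S", time.localtime(int(sec))), host=HOSTNAME, device_vendor=NAME, device_product="sensor", device_version=VERSION, signature_id=time.strftime("%Y-%m-%d", time.localtime(os.path.getctime(config.TRAILS_FILE))), name=info, severity={"low": 0, "medium": 1, "high": 2}.get(severity), extension=extension)
                    _send_udp(config.SYSLOG_SERVER, cef.encode(UNICODE_ENCODING))

                if config.LOGSTASH_SERVER:
                    record = OrderedDict((("timestamp", sec), ("sensor", HOSTNAME), ("severity", severity), ("src_ip", src_ip), ("src_port", src_port), ("dst_ip", dst_ip), ("dst_port", dst_port), ("proto", proto), ("type", trail_type), ("trail", trail), ("info", info), ("reference", reference)))
                    _send_udp(config.LOGSTASH_SERVER, json.dumps(record).encode(UNICODE_ENCODING))

            if (config.DISABLE_LOCAL_LOG_STORAGE and not any((config.LOG_SERVER, config.SYSLOG_SERVER))) or config.console:
                sys.stderr.write(event)
                sys.stderr.flush()

        if config.plugin_functions:
            for _ in config.plugin_functions:
                _(event_tuple, packet)
    except (OSError, IOError):
        if config.SHOW_DEBUG:
            traceback.print_exc()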

def log_error(msg, single=False):
    """Append a timestamped line "<local time> <msg>" to error.log.

    single=True writes a given message text at most once per process (tracked
    in the module-level _single_messages set, which is never pruned). Write
    failures are ignored, printed with SHOW_DEBUG.
    NOTE(review): msg is written as-is; a message containing a newline spans
    several log lines.
    """
    if single:
        if msg in _single_messages:
            return
        _single_messages.add(msg)

    try:
        line = "%s %s\n" % (time.strftime(TIME_FORMAT, time.localtime()), msg)
        os.write(get_error_log_handle(), line.encode(UNICODE_ENCODING))
    except (OSError, IOError):
        if config.SHOW_DEBUG:
            traceback.print_exc()

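def start_logd(address=None, port=None, join=False):
    """Run the UDP collector that sensors forward events to (their LOG_SERVER setting).

    Each datagram is one event line, either "<sec> <event line>" (what
    log_event() sends) or a bare event line whose first field is the quoted
    local timestamp; it is appended to the daily log selected by that time.
    address may be an IPv6 literal (optionally in brackets); an empty address
    binds all interfaces. join=True blocks in serve_forever(), otherwise the
    server runs in a daemon thread and this returns.

    NOTE(review): the listener is unauthenticated — anything that can reach the
    port can inject events, and via the leading timestamp choose (or create)
    the day file they land in. Keep it on a trusted network or firewall it to
    the sensors' addresses.
    """
    class ThreadingUDPServer(_socketserver.ThreadingMixIn, _socketserver.UDPServer):
        pass

    class UDPHandler(_socketserver.BaseRequestHandler):
        def handle(self):
            try:
                data, _ = self.request

                if data[0:1].isdigit():     # Note: regular format with timestamp in front
                    sec, event = data.split(b' ', 1)
                else:                       # Note: naive format without timestamp in front
                    event_date = datetime.datetime.strptime(data[1:data.find(b'.')].decode(UNICODE_ENCODING), TIME_FORMAT)
                    sec = int(time.mktime(event_date.timetuple()))
                    event = data

                # one datagram must become exactly one log line: embedded CR/LF
                # (never produced by log_event(), whose fields pass through
                # safe_value()) would otherwise let a sender forge extra records
                event = re.sub(b"[\r\n]+", b" ", event.rstrip(b"\r\n")) + b"\n"

                handle = get_event_log_handle(int(sec), reuse=False)
                try:
                    os.write(handle, event)
                finally:
                    os.close(handle)
            except Exception:
                # malformed datagrams (bad timestamp, undecodable bytes, ...) are dropped
                if config.SHOW_DEBUG:
                    traceback.print_exc()

    # IPv6 support
    if ':' in (address or ""):
        address = address.strip("[]")

        # note: mutates the stdlib class for the whole process
        _socketserver.UDPServer.address_family = socket.AF_INET6

        # Reference: https://github.com/squeaky-pl/zenchmarks/blob/master/vendor/twisted/internet/tcp.py
        _AI_NUMERICSERV = getattr(socket, "AI_NUMERICSERV", 0)
        _NUMERIC_ONLY = socket.AI_NUMERICHOST | _AI_NUMERICSERV

        _address = socket.getaddrinfo(address, int(port) if str(port or "").isdigit() else 0, 0, 0, 0, _NUMERIC_ONLY)[0][4]
    else:
        _address = (address or '', int(port) if str(port or "").isdigit() else 0)

    server = ThreadingUDPServer(_address, UDPHandler)

    print("[i] running UDP server at '%s:%d'" % (server.server_address[0], server.server_address[1]))

    if join:
        server.serve_forever()
    else:
        thread = threading.Thread(target=server.serve_forever)
        thread.daemon = True
        thread.start()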

def set_sigterm_handler():
    """Install a SIGTERM handler that writes "SIGTERM" to error.log and raises SystemExit.

    Does nothing on platforms whose signal module has no SIGTERM.
    """
    if not hasattr(signal, "SIGTERM"):
        return

    def on_sigterm(signum, frame):
        log_error("SIGTERM")
        raise SystemExit

    signal.signal(signal.SIGTERM, on_sigterm)

# Installed at import time, i.e. in every process that imports core.log.
if not __name__ == "__main__":
    set_sigterm_handler()


================================================
FILE: core/parallel.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""

import os
import struct
import threading
import time

from core.common import load_trails
from core.enums import BLOCK_MARKER
from core.settings import BLOCK_LENGTH
from core.settings import config
from core.settings import LOAD_TRAILS_RETRY_SLEEP_TIME
from core.settings import REGULAR_SENSOR_SLEEP_TIME
from core.settings import SHORT_SENSOR_SLEEP_TIME
from core.settings import trails

_timer = None  # threading.Timer that periodically reloads trails inside worker(); cancelled when the worker exits

def read_block(buffer, i):
    """Read the i-th packet block from the shared capture ring `buffer`.

    Blocks are BLOCK_LENGTH bytes apart and wrap at config.CAPTURE_BUFFER.
    Layout (see write_block): one marker byte, an unsigned short length
    ("=H": native byte order, 2 bytes), then `length` bytes of payload.
    Returns the payload bytes, or None when the slot carries BLOCK_MARKER.END.

    NOTE(review): the marker byte is a plain flag in shared memory, not a real
    lock; the protocol relies on write_block() spinning while a slot is READ.
    """
    offset = i * BLOCK_LENGTH % config.CAPTURE_BUFFER

    while True:
        marker = buffer[offset]
        if marker == BLOCK_MARKER.END:
            return None

        # wait for an in-progress write of this slot to finish
        while marker == BLOCK_MARKER.WRITE:
            time.sleep(SHORT_SENSOR_SLEEP_TIME)
            marker = buffer[offset]

        if marker == BLOCK_MARKER.END:
            return None

        # claim the slot, then copy length + payload out of it
        buffer[offset] = BLOCK_MARKER.READ
        buffer.seek(offset + 1)

        length = struct.unpack("=H", buffer.read(2))[0]
        retval = buffer.read(length)

        # write_block() only checks for READ before switching the marker to
        # WRITE, so a writer racing with the claim above can still overwrite the
        # slot; the marker is then no longer READ and the copy is retried
        if buffer[offset] == BLOCK_MARKER.READ:
            break

    buffer[offset] = BLOCK_MARKER.NOP
    return retval

def write_block(buffer, i, block, marker=None):
    """Store `block` (bytes) as the i-th slot of the shared capture ring `buffer`.

    The slot starts at (i * BLOCK_LENGTH) % config.CAPTURE_BUFFER and holds a
    marker byte, the payload length as "=H" and the payload. While a reader has
    the slot claimed (marker READ) this waits; the marker is WRITE during the
    copy and afterwards `marker` (e.g. BLOCK_MARKER.END) or BLOCK_MARKER.NOP.
    """
    slot = (i * BLOCK_LENGTH) % config.CAPTURE_BUFFER

    while buffer[slot] == BLOCK_MARKER.READ:
        time.sleep(SHORT_SENSOR_SLEEP_TIME)

    buffer[slot] = BLOCK_MARKER.WRITE
    buffer.seek(slot + 1)
    header = struct.pack("=H", len(block))
    buffer.write(header + block)
    buffer[slot] = marker or BLOCK_MARKER.NOP

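def worker(buffer, n, offset, mod, process_packet):
    """
    Worker process used in multiprocessing mode

    Consumes every block whose index satisfies index % mod == offset from the
    shared capture ring `buffer` (n.value — presumably a multiprocessing.Value
    — is the number of blocks written so far) and calls
    process_packet(packet, sec, usec, ip_offset) for each. Returns when
    read_block() reports the END marker or on KeyboardInterrupt. Trails are
    reloaded every config.UPDATE_PERIOD seconds by a self-rescheduling
    threading.Timer that is cancelled on exit.
    """

    def update_timer():
        # reload trails when TRAILS_FILE is older than UPDATE_PERIOD, retrying
        # until load_trails() returns something; always reschedule itself
        global _timer
        try:
            if (time.time() - os.stat(config.TRAILS_FILE).st_mtime) >= config.UPDATE_PERIOD:
                while True:
                    _ = load_trails(True)
                    if _:
                        trails.clear()
                        trails.update(_)
                        break
                    time.sleep(LOAD_TRAILS_RETRY_SLEEP_TIME)
        finally:
            _timer = threading.Timer(config.UPDATE_PERIOD, update_timer)
            _timer.start()

    update_timer()

    count = 0
    while True:
        try:
            if (count % mod) == offset:
                if count >= n.value:
                    # nothing new yet: poll without advancing
                    time.sleep(REGULAR_SENSOR_SLEEP_TIME)
                    continue

                content = read_block(buffer, count)

                if content is None:
                    break

                if len(content) >= 12:
                    sec, usec, ip_offset = struct.unpack("=III", content[:12])
                    process_packet(content[12:], sec, usec, ip_offset)
                # else: malformed (too short) block — skipped, but we still fall
                # through so `count` advances; a `continue` here (as before) kept
                # re-reading the same slot forever, since read_block() leaves it readable

            count += 1

        except KeyboardInterrupt:
            break

    if _timer:
        _timer.cancel()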


================================================
FILE: core/settings.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""
from __future__ import print_function

import os
import re
import socket
import stat
import struct
import subprocess
import sys

from core.addr import addr_to_int
from core.addr import expand_range
from core.addr import make_mask
from core.attribdict import AttribDict
from core.colorized import init_output
from core.trailsdict import TrailsDict
from thirdparty.six.moves import urllib as _urllib

NAME = "Maltrail"
VERSION = "1.2"
HOMEPAGE = "https://maltrail.github.io"
PLATFORM = os.name
IS_WIN = PLATFORM == "nt"
IS_LINUX = "linux" in PLATFORM
IS_SENSOR = "sensor" in sys.argv[0]
USER_AGENT = "%s/%s (%s/py%s/x%d)" % (NAME, VERSION, re.sub(r"\d$", "", sys.platform), sys.version.split(' ')[0], struct.calcsize('P') * 8)
DATE_FORMAT = "%Y-%m-%d"
ROTATING_CHARS = ('\\', '|', '|', '/', '-')
TIMEOUT = 30
UNICODE_ENCODING = "utf8"
FRESH_IPCAT_DELTA_DAYS = 10
USERS_DIR = os.path.join(os.path.expanduser("~"), ".%s" % NAME.lower())
DEFAULT_TRAILS_FILE = os.path.join(USERS_DIR, "trails.csv")
IPCAT_CSV_FILE = os.path.join(USERS_DIR, "ipcat.csv")
IPCAT_SQLITE_FILE = os.path.join(USERS_DIR, "ipcat.sqlite")
IPCAT_URL = "https://raw.githubusercontent.com/growlfm/ipcat/master/datacenters.csv"
CHECK_CONNECTION_URL = "https://www.github.com"
CHECK_CONNECTION_MAX_RETRIES = 3
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
HTTP_DEFAULT_PORT = 8338
HTTP_TIME_FORMAT = "%a, %d %b %Y %H:%M:%S GMT"  # Reference: http://stackoverflow.com/a/225106
CEF_FORMAT = "{syslog_time} {host} CEF:0|{device_vendor}|{device_product}|{device_version}|{signature_id}|{name}|{severity}|{extension}"
SESSION_COOKIE_NAME = "%s_sessid" % NAME.lower()
SESSION_COOKIE_FLAG_SAMESITE = True
SNAP_LEN = 2000
BLOCK_LENGTH = 1 + 2 + 4 + 4 + 4 + SNAP_LEN  # primitive mutex + short for packet size + int for sec + int for usec + int for IP offset + max packet size
SHORT_SENSOR_SLEEP_TIME = 0.00001
REGULAR_SENSOR_SLEEP_TIME = 0.001
LOAD_TRAILS_RETRY_SLEEP_TIME = 60
UNAUTHORIZED_SLEEP_TIME = 5
NO_SUCH_NAME_PER_HOUR_THRESHOLD = 20
NO_BLOCK = -1
END_BLOCK = -2
ROOT_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
HTML_DIR = os.path.join(ROOT_DIR, "html")
DISPOSED_NONCES = set()
PING_RESPONSE = "pong"
MAX_NOFILE = 65000
CAPTURE_TIMEOUT = 100  # ms
MAX_HELP_OPTION_LENGTH = 18
CONFIG_FILE = os.path.join(ROOT_DIR, "maltrail.conf")
SYSTEM_LOG_DIR = "/var/log" if not IS_WIN else "C:\\Windows\\Logs"
DEFAULT_EVENT_LOG_PERMISSIONS = stat.S_IREAD | stat.S_IWRITE | stat.S_IRGRP | stat.S_IROTH
DEFAULT_ERROR_LOG_PERMISSIONS = stat.S_IREAD | stat.S_IWRITE | stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH
HOSTNAME = socket.gethostname()
PROXIES = {}
DISABLED_CONTENT_EXTENSIONS = (".py", ".pyc", ".md", ".txt", ".bak", ".conf", ".zip", "~")
CONTENT_EXTENSIONS_EXCLUSIONS = ("robots.txt",)
CONDENSE_ON_INFO_KEYWORDS = ("attacker", "reputation", "scanner", "user agent", "tor exit", "port scanning", "potential infection")
CONDENSED_EVENTS_FLUSH_PERIOD = 10
LOW_PRIORITY_INFO_KEYWORDS = ("reputation", "attacker", "spammer", "abuser", "malicious", "dnspod", "nicru", "crawler", "compromised", "bad history")
HIGH_PRIORITY_INFO_KEYWORDS = ("mass scanner", "ipinfo")
HIGH_PRIORITY_REFERENCES = ("(static)", "(custom)")
CONSONANTS = "bcdfghjklmnpqrstvwxyz"
BAD_TRAIL_PREFIXES = ("127.", "192.168.", "localhost")
LOCALHOST_IP = {4: "127.0.0.1", 6: "::1"}
POTENTIAL_INFECTION_PORTS = (135, 139, 445, 1433, 3389, 6379, 6892, 6893, 6901)
IGNORE_DNS_QUERY_SUFFIXES = set(("arpa", "local", "guest", "intranet", "int", "corp", "home", "lan", "intra", "intran", "workgroup", "localdomain", "url", "alienvault", "dev", "example", "internal", "localnet", "test"))
VALID_DNS_NAME_REGEX = r"\A[a-zA-Z0-9.-]*\.[a-zA-Z0-9-]+\Z"  # Reference: http://stackoverflow.com/a/3523068
SUSPICIOUS_CONTENT_TYPES = ("application/vnd.ms-htmlhelp", "application/x-bsh", "application/x-chm", "application/x-ms-shortcut", "application/x-sh", "application/x-shellscript", "application/hta", "text/x-scriptlet", "text/x-sh", "text/x-shellscript", "application/x-ms-vsto")
SUSPICIOUS_DIRECT_DOWNLOAD_EXTENSIONS = set((".apk", ".bin", ".class", ".chm", ".dll", ".egg", ".exe", ".hta", ".hwp", ".lnk", ".msi", ".pif", ".ps1", ".scr", ".sct", ".vsto", ".wbk", ".xpi"))
WHITELIST_DIRECT_DOWNLOAD_KEYWORDS = ("cgi", "/scripts/", "/_vti_bin/", "/bin/", "/pub/softpaq/", "/bios/", "/pc-axis/")
# Request-content heuristics: (info label, regex) pairs. NOTE(review): as written most of
# these patterns are case-sensitive (only OBSOLETE_UA_REGEX and GENERIC_SINKHOLE_REGEX carry
# an inline (?i)); whether the caller normalises case before matching is not visible here.
SUSPICIOUS_HTTP_REQUEST_REGEXES = (
    ("potential sql injection", r"information_schema|sysdatabases|sysusers|floor\(rand\(|ORDER BY \d+|\bUNION\s+(ALL\s+)?SELECT\b|\b(UPDATEXML|EXTRACTVALUE)\(|\bCASE[^\w]+WHEN.*THEN\b|\bWAITFOR[^\w]+DELAY\b|\bCONVERT\(|VARCHAR\(|\bCOUNT\(\*\)|\b(pg_)?sleep\(|\bSELECT\b.*\bFROM\b.*\b(WHERE|GROUP|ORDER)\b|\bSELECT \w+ FROM \w+|\b(AND|OR|SELECT)\b.*/\*.*\*/|/\*.*\*/.*\b(AND|OR|SELECT)\b|\b(AND|OR)[^\w]+\d+['\") ]?[=><]['\"( ]?\d+|ODBC;DRIVER|\bINTO\s+(OUT|DUMP)FILE|\bDROP[^\w]+(TABLE|DATABASE)\b"),
    ("potential xml injection", r"/text\(\)='"),
    ("potential php injection", r"<\?php|php://input"),
    ("potential ldap injection", r"\(\|\(\w+=\*"),
    ("potential xss injection", r"<script.*?>|\balert\(|(alert|confirm|prompt)\((\d+|document\.|response\.write\(|[^\w]*XSS)|on(mouseover|error|focus|transitionend)=[^&;\n]+\("),
    ("potential xxe injection", r"\[<!ENTITY"),
    ("potential ssti injection", r"\${[^&]+\}|\$\{\{[^&]+\}\}"),
    ("potential data leakage", r"im[es]i=\d{15}|iccid=[a-zA-Z0-9]{18,22}|(mac([aA]ddress)?|sid)=([0-9a-f]{2}:){5}[0-9a-f]{2}|sim=\d{20}|([a-z0-9_.+-]+@[a-z0-9-.]+\.[a-z]+\b.{0,100}){4}|(telnum|telcompany)=[a-zA-Z0-9-]+"),
    ("config file access", r"\.ht(access|passwd)|\bwp-config\.php"),
    ("potential remote code execution", r"\$_(REQUEST|GET|POST)\[|xp_cmdshell|shell_exec|exec_code|shell:::\{|oscmd\(|\bping(\.exe)? -[nc] \d+|timeout(\.exe)? /T|tftp -|wget http|curl -O|sh /tmp/|touch /tmp/|cmd\.exe|/bin/(ba)?sh\b|/sbin/launchd\b|2>&1|\b(cat|ls) /|chmod [0-7]{3,4}\b|chmod +x\b|base64 -d|nc -l -p \d+|>\s*/dev/null|-d (allow_url_include|safe_mode|auto_prepend_file)|ms-msdt:|mhtml:ftp:|jndi:(corba|dns|http|iiop|n(d|i)s|ldap[s]?|rmi):?|base64:JHtqbmRp|ipconfig|net (config|view)|nltest|netsh (firewall|wlan)|\$\{IFS\}|getRuntime\(\)\.exec\(|\.execSync\("),
    ("potential directory traversal", r"(\.{2,}[/\\]+){3,}|/etc/(group|passwd|shadow|issue|hostname|hosts|sudoers)|[/\\](boot|system|win)\.ini|[/\\]system32\b|%SYSTEMROOT%"),
    ("potential web scan", r"(acunetix|injected_by)_wvs_|SomeCustomInjectedHeader|some_inexistent_file_with_long_name|testasp\.vulnweb\.com/t/fit\.txt|www\.acunetix\.tst|\.bxss\.me|thishouldnotexistandhopefullyitwillnot|OWASP%\d+ZAP|chr\(122\)\.chr\(97\)\.chr\(112\)|Vega-Inject|VEGA123|vega\.invalid|PUT-putfile|w00tw00t|muieblackcat"),
    ("potential dns changer", r"\b(dhcpPriDns|dhcpSecDns|staticPriDns|staticSecDns|staticThiDns|PriDnsv6|SecDnsv6|ThiDnsv6|staticPriDnsv6|staticSecDnsv6|staticThiDnsv6|dnsipv4|dns2ipv4|dnsipv6|dns2ipv6|pppoePriDns|pppoeSecDns|wan_dns1|wan_dns2|dnsPrimary|dnsSecondary|dnsDynamic|dnsRefresh|DNS_FST|DNS_SND|dhcpPriDns|dhcpSecDns|dnsserver|dnsserver1|dnsserver2|dns_server_ip_1|dns_server_ip_2|dns_server_ip_3|dns_server_ip_4|dns1|dns2|dns3|dns4|dns1_1|dns1_2|dns1_3|dns1_4|dns2_1|dns2_2|dns2_3|dns2_4|wan_dns_x|wan_dns1_x|wan_dns2_x|wan_dns3_x|wan_dns4_x|wan_dnsenable_x|dns_status|p_DNS|a_DNS|uiViewDns1Mark|uiViewDns2Mark|uiViewDNSRelay|is_router_as_dns|Enable_DNSFollowing|domainserverip|DSEN|DNSEN|dnsmode|dns%5Bserver1%5D|dns%5Bserver2%5D)=")
)
# Same shape as above, applied to the request path
SUSPICIOUS_HTTP_PATH_REGEXES = (
    ("non-existent page", r"defaultwebpage\.cgi"),
    ("potential web scan", r"inexistent_file_name\.inexistent|test-for-some-inexistent-file|long_inexistent_path|some-inexistent-website\.acu")
)
SUSPICIOUS_HTTP_REQUEST_PRE_CONDITION = ("?", "..", ".ht", "=", " ", "'")  # cheap substring gate, presumably checked before the regexes above
SUSPICIOUS_DIRECT_IP_URL_REGEX = r"\A[\w./-]*/[\w.]*\b(aarch|amd64\b|arm(\b|v?\d)|arcle-(750d|hs38)|exploit|m68k?\b|m[i1]ps\w{0,4}\b|mpsl\w?\b|pcc|powerp{1,2}c|pp-?c|riscv\w{0,3}\b|root|s390\w?\b|x86|x32|x64|i\d{1,2}\b|i386|i486|i586|i686|sparc|sh\b|wtf|yarn|zte)\Z"
SUSPICIOUS_PROXY_PROBE_PRE_CONDITION = ("probe", "proxy", "echo", "check")
SUSPICIOUS_HTTP_REQUEST_FORCE_ENCODE_CHARS = dict((_, _urllib.parse.quote(_)) for _ in "( )\r\n")  # char -> percent-encoded form
SUSPICIOUS_UA_REGEX = ""  # empty: no built-in User-Agent pattern
OBSOLETE_UA_REGEX = r"(?i)windows NT [3-5]\.\d+|windows (3\.\d+|95|98|xp)|MSIE [1-6]\.\d+|Navigator/|Safari/[1-4]|Opera/[1-3]|Firefox/1?[0-9]\.|Android [1-3]\.\d+|iPhone OS [1-4]_\d+|Mac OS X 10\.[0-4]\.|Chrome/[1-2]?\d\.|BlackBerry ?[0-7]"
GENERIC_SINKHOLE_REGEX = r"(?im)^(X-Sinkhole|Server): (malware-?)?sinkhole|\bSinkholed? by |^(X-Sinkholed?(-Domain)?|X-Zinkhole|X-Sinkhole):| a malware sinkhole|\bSinkhole( Project)?</title>|This is a sinkhole|bots party hard|computers connecting to this sinkhole| Sinkhole by |^Set-Cookie: snkz=|^Server: Apache [0-9.]+/SinkSoft|^Location:[^\n]+\.sinkdns\.org:80"
# Mutable lookup tables, filled at runtime (presumably from the files under misc/) — empty here
WORST_ASNS = {}
BOGON_IPS = {"::1"}
BOGON_RANGES = {}
CDN_RANGES = {}
WHITELIST_HTTP_REQUEST_PATHS = ("fql", "yql", "ads", "../images/", "../themes/", "../design/", "../scripts/", "../assets/", "../core/", "../js/", "/gwx/")
WHITELIST_UA_REGEX = r"AntiVir\-NGUpd|TMSPS|AVGSETUP|SDDS|Sophos|Symantec|internal dummy connection|Microsoft\-CryptoAPI"
WHITELIST_LONG_DOMAIN_NAME_KEYWORDS = ("blogspot",)
LOCAL_SUBDOMAIN_LOOKUPS = ("wpad", "autodiscover", "_ldap._tcp")
SESSIONS = {}  # in-memory session store of the HTTP server: per process, lost on restart
NO_SUCH_NAME_COUNTERS = {}  # this won't be (expensive) shared in multiprocessing run (hence, the threshold will effectively be n-times higher)
SESSION_ID_LENGTH = 16  # unit (bytes vs. characters) depends on the generator in core/httpd.py — not visible here
SESSION_EXPIRATION_HOURS = 24
IPPROTO_LUT = dict(((getattr(socket, _), _.replace("IPPROTO_", "")) for _ in dir(socket) if _.startswith("IPPROTO_")))  # protocol number -> name
DEFLATE_COMPRESS_LEVEL = 9
PORT_SCANNING_THRESHOLD = 10
WEB_SCANNING_THRESHOLD = 10
INFECTION_SCANNING_THRESHOLD = 32
MAX_CACHE_ENTRIES = 1000
MMAP_ZFILL_CHUNK_LENGTH = 1024 * 1024
HOURLY_SECS = 1 * 60 * 60
DAILY_SECS = 24 * 60 * 60
DNS_EXHAUSTION_THRESHOLD = 1000
SUSPICIOUS_DOMAIN_LENGTH_THRESHOLD = 24
SUSPICIOUS_DOMAIN_CONSONANT_THRESHOLD = 9
SUSPICIOUS_DOMAIN_ENTROPY_THRESHOLD = 3.5
WHITELIST = set()
WHITELIST_RANGES = set()
IGNORE_EVENTS = set()  # (src_ip, src_port, dst_ip, dst_port) rules consumed by core/ignore.py ('*' = wildcard)
# Known scanner / research-project source ranges ("a-b" ranges or single IPs) keyed by the owning domain
STATIC_IPCAT_LOOKUPS = {"shadowserver.org": ("184.105.139.66-184.105.139.126", "184.105.247.194-184.105.247.254", "74.82.47.1-74.82.47.63", "216.218.206.66-216.218.206.126"), "labs.rapid7.com": ("71.6.216.32-71.6.216.63",), "shodan.io": ("66.240.192.138", "66.240.236.119", "71.6.135.131", "71.6.165.200", "71.6.167.142", "82.221.105.6", "82.221.105.7", "85.25.43.94", "85.25.103.50", "93.120.27.62", "104.131.0.69", "104.236.198.48", "162.159.244.38", "188.138.9.50", "198.20.69.74", "198.20.69.98", "198.20.70.114", "198.20.87.98", "198.20.99.130", "208.180.20.97", "209.126.110.38"), "eecs.umich.edu": ("141.212.121.0-141.212.121.255", "141.212.122.0-141.212.122.255"), "netsec.colostate.edu": ("129.82.138.12", "129.82.138.31", "129.82.138.32", "129.82.138.33", "129.82.138.34", "129.82.138.44"), "ant.isi.edu": ("128.9.168.98", "203.178.148.18", "203.178.148.19"), "eecs.berkeley.edu": ("169.229.3.89", "169.229.3.90", "169.229.3.91", "169.229.3.92", "169.229.3.93", "169.229.3.94"), "openresolverproject.org": ("204.42.253.2", "204.42.254.5"), "opensnmpproject.org": ("204.42.253.130",), "openntpproject.org": ("204.42.253.131",), "openssdpproject.org": ("204.42.253.132",), "projectblindferret.com": ("107.150.52.82-107.150.52.86",), "kudelskisecurity.com": ("185.35.62.0-185.35.62.255",), "riskiq.com": ("64.125.239.0-64.125.239.255",), "comsys.rwth-aachen.de": ("137.226.113.0-137.226.113.63",), "sba-research.org": ("98.189.26.18",)}

# Reference: https://gist.github.com/ryanwitt/588678
# link-layer header type (pcap DLT_* number) -> byte offset of the IP header; the 12/14 vs. 108/12 keys differ on OpenBSD
DLT_OFFSETS = {0: 4, 1: 14, 6: 22, 7: 6, 8: 16, 9: 4, 10: 21, 117: 48, 18: 4, 12 if sys.platform.find('openbsd') != -1 else 108: 4, 14 if sys.platform.find('openbsd') != -1 else 12: 0, 113: 16}

try:
    import multiprocessing
    CPU_CORES = multiprocessing.cpu_count()
except ImportError:
    CPU_CORES = 1

config = AttribDict({"TRAILS_FILE": DEFAULT_TRAILS_FILE})  # runtime configuration; only the trails path is preset here
trails = TrailsDict()  # loaded trails (shared, refreshed in place by core/parallel.py workers)

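def _get_total_physmem():
    """
    Returns the total physical memory of the host in bytes, or None when no
    probe succeeds (used to resolve percentage values of 'CAPTURE_BUFFER').

    Probes are tried in order and the first one yielding a non-zero value
    wins: wmic (Windows) / /proc/meminfo (Linux), psutil (optional third-party
    module), /var/run/dmesg.boot (BSD), ``sysctl -n hw.memsize`` (macOS),
    ``sysctl hw`` (other BSDs), ``vmstat -s``, ``free -b`` and finally
    ``top -n 1`` (Linux only). A failing probe (missing tool or file,
    unexpected output, failed import) simply falls through to the next one.
    """

    def _run(args):
        # Text-mode output so that the str regexes below match on Python 3
        # as well (bytes output would raise TypeError and the probe would be
        # silently skipped); argument lists avoid spawning a shell.
        return subprocess.check_output(args, stderr=subprocess.STDOUT, universal_newlines=True)

    def _native():
        if IS_WIN:
            output = subprocess.check_output(['wmic', 'computersystem', 'get', 'TotalPhysicalMemory'], universal_newlines=True)
            return int(output.strip().splitlines()[-1].strip())
        with open("/proc/meminfo") as f:
            return 1024 * int(re.search(r"(?i)MemTotal:\s+(\d+)\skB", f.read()).group(1))

    def _psutil():
        import psutil
        return psutil.virtual_memory().total

    def _dmesg_boot():
        with open("/var/run/dmesg.boot") as f:
            return int(re.search(r"real mem(ory)?\s*=\s*(\d+) ", f.read()).group(2))

    def _sysctl_memsize():
        output = subprocess.check_output(['sysctl', '-n', 'hw.memsize'], universal_newlines=True, stderr=subprocess.PIPE)
        return int(output.strip())

    def _sysctl_hw():
        # Fallback to the sysctl regex method for other BSD systems
        return int(re.search(r"hw\.(physmem|memsize):\s*(\d+)", _run(['sysctl', 'hw'])).group(2))

    def _vmstat():
        return 1024 * int(re.search(r"\s+(\d+) K total memory", _run(['vmstat', '-s'])).group(1))

    def _free():
        return int(re.search(r"Mem:\s+(\d+)", _run(['free', '-b'])).group(1))

    def _top():
        if not IS_LINUX:
            return None
        return 1024 * int(re.search(r"KiB Mem:\s*\x1b[^\s]+\s*(\d+)", _run(['top', '-n', '1'])).group(1))

    for probe in (_native, _psutil, _dmesg_boot, _sysctl_memsize, _sysctl_hw, _vmstat, _free, _top):
        try:
            retval = probe()
        except Exception:
            # best-effort: any failure means "try the next probe"
            continue

        if retval:
            return retval

    return None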

def read_config(config_file):
    """
    Loads the configuration file into the global ``config`` AttribDict,
    validates mandatory/derived options and applies their side effects
    (whitelist and ignorelist loading, process-wide proxy installation).

    File format as parsed below: ``#`` comments are stripped; a line holding
    a single bare word opens a list section (e.g. USERS, IP_ALIASES) whose
    following indented lines are appended to it; any other line is
    ``NAME value``. Every scalar option can be overridden by an environment
    variable named ``<NAME>_<OPTION>`` (NAME is a module-level global).

    Exits the process via sys.exit on a missing file, malformed lines or
    invalid option values. An unreadable file is silently treated as empty
    and then trips the mandatory-option check.
    """
    global config

    if not os.path.isfile(config_file):
        sys.exit("[!] missing configuration file '%s'" % config_file)
    else:
        print("[i] using configuration file '%s'" % config_file)

    config.clear()

    try:
        array = None  # name of the list section currently being filled, if any
        content = open(config_file, "r").read()  # NOTE(review): handle is not closed explicitly (relies on refcount GC)

        for line in content.split("\n"):
            line = line.strip('\r')
            line = re.sub(r"\s*#.*", "", line)  # drop trailing comments
            if not line.strip():
                continue

            # a single token without any space opens a new list section
            if line.count(' ') == 0:
                if re.search(r"[^\w]", line):
                    if array == "USERS":
                        sys.exit("[!] invalid USERS entry '%s'\n[?] (hint: add whitespace at start of line)" % line)
                    else:
                        sys.exit("[!] invalid configuration (line: '%s')" % line)
                array = line.upper()
                config[array] = []
                continue

            # indented line inside a list section: one entry per line
            if array and line.startswith(' '):
                line = line.strip()
                # IP_ALIASES entries may use a CIDR or a dash range before the ':';
                # they are expanded to one "<address>:<alias>" entry per address
                if array == "IP_ALIASES" and any(_ in line.split(':')[0] for _ in ('/', '-')):
                    for addr in expand_range(line.split(':')[0]):
                        config[array].append("%s:%s" % (addr, line.split(':', 1)[-1]))
                else:
                    config[array].append(line)

                continue
            else:
                # plain "NAME value" option; a name alone yields an empty value
                array = None
                try:
                    name, value = line.strip().split(' ', 1)
                except ValueError:
                    name = line
                    value = ""
                finally:
                    # runs on both paths: normalise the name and strip quotes around the value
                    name = name.strip().upper()
                    value = value.strip("'\"").strip()

            # environment override (e.g. MALTRAIL_LOG_DIR) takes precedence over the file
            _ = os.environ.get("%s_%s" % (NAME.upper(), name))
            if _:
                value = _

            # typing: switch-like names become booleans, digit strings become ints,
            # everything else is a string with "$VAR" interpolation
            if any(name.startswith(_) for _ in ("USE_", "SET_", "CHECK_", "ENABLE_", "SHOW_", "DISABLE_")):
                value = value.lower() in ("1", "true")
            elif value.isdigit():
                value = int(value)
            else:
                # "$VAR" resolves first to a module-level global of this file (any of
                # them can be referenced), then to an environment variable; an unknown
                # reference is left as the literal "$VAR" text
                for match in re.finditer(r"\$([A-Z0-9_]+)", value):
                    if match.group(1) in globals():
                        value = value.replace(match.group(0), str(globals()[match.group(1)]))
                    else:
                        value = value.replace(match.group(0), os.environ.get(match.group(1), match.group(0)))
                # *_DIR options are made absolute, relative to ROOT_DIR (with ~ expansion)
                if name.endswith("_DIR"):
                    value = os.path.realpath(os.path.join(ROOT_DIR, os.path.expanduser(value)))

            config[name] = value

    except (IOError, OSError):
        pass

    for option in ("MONITOR_INTERFACE", "CAPTURE_BUFFER", "LOG_DIR"):
        if option not in config:
            sys.exit("[!] missing mandatory option '%s' in configuration file '%s'" % (option, config_file))

    # USERS entries must have exactly four ':'-separated fields; legacy
    # "$<n>$" PBKDF2 hashes are rejected with a migration hint
    for entry in (config.USERS or []):
        if len(entry.split(':')) != 4:
            sys.exit("[!] invalid USERS entry '%s'" % entry)
        if re.search(r"\$\d+\$", entry):
            sys.exit("[!] invalid USERS entry '%s'\n[?] (hint: please update PBKDF2 hashes to SHA256 in your configuration file)" % entry)

    if config.SSL_PEM:
        config.SSL_PEM = config.SSL_PEM.replace('/', os.sep)

    # USER_WHITELIST used to be an inline comma-separated list; it is now a file path
    if config.USER_WHITELIST:
        if ',' in config.USER_WHITELIST:
            print("[x] configuration value 'USER_WHITELIST' has been changed. Please use it to set location of whitelist file")
        elif not os.path.isfile(config.USER_WHITELIST):
            sys.exit("[!] missing 'USER_WHITELIST' file '%s'" % config.USER_WHITELIST)
        else:
            read_whitelist()

    if config.USER_IGNORELIST:
        if not os.path.isfile(config.USER_IGNORELIST):
            sys.exit("[!] missing 'USER_IGNORELIST' file '%s'" % config.USER_IGNORELIST)
        else:
            read_ignorelist()

    # unset or zero PROCESS_COUNT defaults to the number of CPU cores
    config.PROCESS_COUNT = int(config.PROCESS_COUNT or CPU_CORES)

    if config.USE_MULTIPROCESSING:
        print("[x] configuration switch 'USE_MULTIPROCESSING' is deprecated. Please use 'PROCESS_COUNT' instead")

    if config.DISABLE_LOCAL_LOG_STORAGE and not any((config.LOG_SERVER, config.SYSLOG_SERVER)):
        print("[x] configuration switch 'DISABLE_LOCAL_LOG_STORAGE' turned on and neither option 'LOG_SERVER' nor 'SYSLOG_SERVER' are set. Falling back to console output of event data")

    # UDP_ADDRESS and UDP_PORT must be set together
    if config.UDP_ADDRESS is not None and config.UDP_PORT is None:
        sys.exit("[!] usage of configuration value 'UDP_ADDRESS' requires also usage of 'UDP_PORT'")

    if config.UDP_ADDRESS is None and config.UDP_PORT is not None:
        sys.exit("[!] usage of configuration value 'UDP_PORT' requires also usage of 'UDP_ADDRESS'")

    # HTTP_PORT is only mandatory for the server (IS_SENSOR is a module-level global)
    if not str(config.HTTP_PORT or "").isdigit() and not IS_SENSOR:
        sys.exit("[!] invalid configuration value for 'HTTP_PORT' ('%s')" % ("" if config.HTTP_PORT is None else config.HTTP_PORT))

    if not str(config.UPDATE_PERIOD or "").isdigit():
        sys.exit("[!] invalid configuration value for 'UPDATE_PERIOD' ('%s')" % ("" if config.UPDATE_PERIOD is None else config.UPDATE_PERIOD))

    if config.PROCESS_COUNT and IS_WIN:
        print("[x] multiprocessing is currently not supported on Windows OS")
        config.PROCESS_COUNT = 1

    # CAPTURE_BUFFER accepts a plain byte count, "<n>KB|MB|GB" or "<n>%" of physical
    # memory; the result is rounded down to a multiple of BLOCK_LENGTH
    if config.CAPTURE_BUFFER:
        if str(config.CAPTURE_BUFFER or "").isdigit():
            config.CAPTURE_BUFFER = int(config.CAPTURE_BUFFER)
        elif re.search(r"\d+\s*[kKmMgG]B", config.CAPTURE_BUFFER):
            match = re.search(r"(\d+)\s*([kKmMgG])B", config.CAPTURE_BUFFER)
            config.CAPTURE_BUFFER = int(match.group(1)) * {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}[match.group(2).upper()]
        elif re.search(r"\d+%", config.CAPTURE_BUFFER):
            physmem = _get_total_physmem()

            if physmem:
                config.CAPTURE_BUFFER = physmem * int(re.search(r"(\d+)%", config.CAPTURE_BUFFER).group(1)) // 100
            else:
                sys.exit("[!] unable to determine total physical memory. Please use absolute value for 'CAPTURE_BUFFER'")
        else:
            sys.exit("[!] invalid configuration value for 'CAPTURE_BUFFER' ('%s')" % config.CAPTURE_BUFFER)

        config.CAPTURE_BUFFER = config.CAPTURE_BUFFER // BLOCK_LENGTH * BLOCK_LENGTH

    # installs a process-wide urllib opener, so PROXY_ADDRESS affects every
    # later urllib request made by this process (http and https alike)
    if config.PROXY_ADDRESS:
        PROXIES.update({"http": config.PROXY_ADDRESS, "https": config.PROXY_ADDRESS})
        opener = _urllib.request.build_opener(_urllib.request.ProxyHandler(PROXIES))
        _urllib.request.install_opener(opener)

    if not config.TRAILS_FILE:
        config.TRAILS_FILE = DEFAULT_TRAILS_FILE
    else:
        config.TRAILS_FILE = os.path.abspath(os.path.expanduser(config.TRAILS_FILE))

    # developer/debug hook: a positive MALTRAIL_DREI environment value forces debug output
    if int(os.environ.get("MALTRAIL_DREI", 0)) > 0:
        config.SHOW_DEBUG = True

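def read_whitelist():
    """
    (Re)loads the whitelist from the bundled 'misc/whitelist.txt' and, when
    configured, from the user supplied 'USER_WHITELIST' file.

    CIDR lines ("a.b.c.d/n") go to WHITELIST_RANGES as (network int, mask int)
    tuples; every other non-comment line is stored verbatim in WHITELIST.
    Both sets are cleared first, so the result reflects exactly these files.
    """

    WHITELIST.clear()
    WHITELIST_RANGES.clear()

    _load_whitelist_file(os.path.abspath(os.path.join(ROOT_DIR, "misc", "whitelist.txt")))

    if config.USER_WHITELIST:
        _load_whitelist_file(config.USER_WHITELIST)

def _load_whitelist_file(filepath):
    """
    Parses one whitelist file into WHITELIST / WHITELIST_RANGES.

    A missing file is silently skipped. Blank lines and '#' comments are
    ignored; lines shaped like "a.b.c.d/n" are stored as a range, anything
    else (including a CIDR that fails to convert) as a plain string entry.
    """

    if not os.path.isfile(filepath):
        return

    with open(filepath, "r") as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith('#'):
                continue
            elif re.search(r"\A\d+\.\d+\.\d+\.\d+/\d+\Z", line):
                try:
                    prefix, mask = line.split('/')
                    WHITELIST_RANGES.add((addr_to_int(prefix), make_mask(int(mask))))
                except (IndexError, ValueError):
                    # unconvertible CIDR (e.g. out-of-range octet/mask): keep it
                    # as a literal entry rather than dropping it
                    WHITELIST.add(line)
            else:
                WHITELIST.add(line)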

# add rules to ignore event list from passed file
def add_ignorelist(filepath):
    """
    Appends ignore rules from the given file to IGNORE_EVENTS.

    Every non-comment line has all whitespace removed and, when it consists
    of exactly four ';'-separated fields, is stored as the tuple
    (src_ip, src_port, dst_ip, dst_port). An empty/None path, a missing
    file and lines with any other field count are ignored.
    """

    if not (filepath and os.path.isfile(filepath)):
        return

    with open(filepath, "r") as f:
        for raw in f:
            rule = re.sub(r"\s+", "", raw)

            if not rule or rule.startswith('#'):
                continue

            fields = rule.split(';')
            if len(fields) == 4:
                IGNORE_EVENTS.add(tuple(fields))

def read_ignorelist():
    """
    Rebuilds IGNORE_EVENTS from the bundled 'misc/ignore_events.txt' and,
    when set and present, from the user supplied 'USER_IGNORELIST' file.
    """

    IGNORE_EVENTS.clear()

    sources = [os.path.abspath(os.path.join(ROOT_DIR, "misc", "ignore_events.txt"))]

    if config.USER_IGNORELIST and os.path.isfile(config.USER_IGNORELIST):
        sources.append(config.USER_IGNORELIST)

    for source in sources:
        add_ignorelist(source)

def read_ua():
    """
    Builds the global SUSPICIOUS_UA_REGEX from 'misc/ua.txt'.

    Each non-comment line becomes one alternative of a single case-insensitive
    regex. Lines containing " (compatible" and lines that do not compile as a
    regex are escaped and matched literally; all other lines are used as raw
    patterns. The global is reset to "" first and stays "" when the file is
    missing or holds no entries.
    """

    global SUSPICIOUS_UA_REGEX

    SUSPICIOUS_UA_REGEX = ""
    patterns = []

    ua_file = os.path.abspath(os.path.join(ROOT_DIR, "misc", "ua.txt"))
    if not os.path.isfile(ua_file):
        return

    with open(ua_file, "r") as f:
        for raw in f:
            entry = raw.strip()
            if not entry or entry.startswith('#'):
                continue

            literal = " (compatible" in entry
            if not literal:
                try:
                    re.compile(entry)
                except:
                    literal = True

            patterns.append(re.escape(entry) if literal else entry)

    if patterns:
        SUSPICIOUS_UA_REGEX = "(?i)%s" % '|'.join(patterns)

def read_worst_asn():
    """
    Loads 'misc/worst_asns.txt' into WORST_ASNS.

    Non-comment lines are expected as "<prefix>/<mask>,<name>"; lines not
    matching that shape are skipped. Entries are bucketed under the text
    preceding the first '.' of the line and stored as
    (network int, mask int, name) tuples. Existing buckets are appended to,
    never reset.
    """

    asn_file = os.path.abspath(os.path.join(ROOT_DIR, "misc", "worst_asns.txt"))
    if not os.path.isfile(asn_file):
        return

    with open(asn_file, "r") as f:
        for raw in f:
            entry = raw.strip()
            if not entry or entry.startswith('#'):
                continue

            match = re.search(r"([\d.]+)/(\d+),(.+)", entry)
            if match is None:
                continue

            bucket = WORST_ASNS.setdefault(entry.split('.')[0], [])
            prefix, mask, name = match.groups()
            bucket.append((addr_to_int(prefix), make_mask(int(mask)), name))

def read_cdn_ranges():
    """
    Loads 'misc/cdn_ranges.txt' into CDN_RANGES, bucketed under the text
    preceding the first '.' of each line, as (network int, mask int) tuples.

    Every non-comment line must be "<prefix>/<mask>": a line with any other
    number of '/' characters raises ValueError (the bundled file is trusted
    to be well-formed). Existing buckets are appended to, never reset.
    """

    ranges_file = os.path.abspath(os.path.join(ROOT_DIR, "misc", "cdn_ranges.txt"))
    if not os.path.isfile(ranges_file):
        return

    with open(ranges_file, "r") as f:
        for raw in f:
            entry = raw.strip()
            if not entry or entry.startswith('#'):
                continue

            bucket = CDN_RANGES.setdefault(entry.split('.')[0], [])
            prefix, mask = entry.split('/')
            bucket.append((addr_to_int(prefix), make_mask(int(mask))))

def read_bogon_ranges():
    """
    Loads 'misc/bogon_ranges.txt' into BOGON_RANGES, bucketed under the text
    preceding the first '.' of each line, as (network int, mask int) tuples.

    Every non-comment line must be "<prefix>/<mask>": a line with any other
    number of '/' characters raises ValueError (the bundled file is trusted
    to be well-formed). Existing buckets are appended to, never reset.
    """

    ranges_file = os.path.abspath(os.path.join(ROOT_DIR, "misc", "bogon_ranges.txt"))
    if not os.path.isfile(ranges_file):
        return

    with open(ranges_file, "r") as f:
        for raw in f:
            entry = raw.strip()
            if not entry or entry.startswith('#'):
                continue

            bucket = BOGON_RANGES.setdefault(entry.split('.')[0], [])
            prefix, mask = entry.split('/')
            bucket.append((addr_to_int(prefix), make_mask(int(mask))))

def check_deprecated():
    """
    Rewrites renamed command line switches in sys.argv to their current
    names, printing one notice per renamed switch found:
      '--no-updates' -> '--offline'
      '-i'           -> '-r'
    """

    renames = (
        ("--no-updates", "--offline", "[!] switch '--no-updates' was renamed to '--offline'"),
        ("-i", "-r", "[x] option '-i' was renamed to '-r'"),
    )

    for old, new, notice in renames:
        if old not in sys.argv:
            continue

        print(notice)
        sys.argv = [new if arg == old else arg for arg in sys.argv]

if __name__ != "__main__":
    # On import (sensor, server, updater): run the one-off initialisation
    # steps in this fixed order; each fills a module-level global, mostly
    # from files under misc/ (check_deprecated rewrites sys.argv instead)
    for _init_step in (init_output, read_whitelist, read_ignorelist, read_ua, read_worst_asn, read_cdn_ranges, read_bogon_ranges, check_deprecated):
        _init_step()

    del _init_step


================================================
FILE: core/trailsdict.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""

import re

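class TrailsDict(dict):
    """
    Memory-compact mapping of trail -> (info, reference).

    Each distinct info and reference string is interned once (``_infos`` /
    ``_references``); ``_trails`` maps a trail key to the string "i,r" holding
    the two indices. The ``dict`` base class is kept for isinstance()
    compatibility only: the inherited storage is never written, so base-class
    methods that are not overridden here (e.g. ``items()``, ``values()``)
    see an empty dict.

    Raises ``Exception`` for unsupported value types, ``KeyError`` for missing
    keys (``get()`` returns the default instead).
    """

    # Per-instance state containers, listed explicitly so that update() adopts
    # exactly these and nothing else (no reflection over dir(), which would
    # also pick up helper methods)
    _STATE_ATTRS = ("_trails", "_regex", "_infos", "_reverse_infos", "_references", "_reverse_references")

    def __init__(self):
        self._trails = {}
        self._regex = ""
        self._infos = []
        self._reverse_infos = {}
        self._references = []
        self._reverse_references = {}

    def _intern(self, info, reference):
        """Returns the "i,r" index string for (info, reference), interning new strings."""
        if info not in self._reverse_infos:
            self._reverse_infos[info] = len(self._infos)
            self._infos.append(info)
        if reference not in self._reverse_references:
            self._reverse_references[reference] = len(self._references)
            self._references.append(reference)
        return "%d,%d" % (self._reverse_infos[info], self._reverse_references[reference])

    def _resolve(self, key):
        """Returns the (info, reference) tuple for key, or None when absent or malformed."""
        if key in self._trails:
            indices = self._trails[key].split(',')
            if len(indices) == 2:
                return (self._infos[int(indices[0])], self._references[int(indices[1])])
        return None

    def __delitem__(self, key):
        del self._trails[key]

    def has_key(self, key):
        # Python 2 style spelling kept for existing callers
        return key in self._trails

    def __contains__(self, key):
        return key in self._trails

    def clear(self):
        # drops the interned strings too, not just the key map
        self.__init__()

    def keys(self):
        return self._trails.keys()

    def iterkeys(self):
        for key in self._trails.keys():
            yield key

    def __iter__(self):
        for key in self._trails.keys():
            yield key

    def get(self, key, default=None):
        value = self._resolve(key)
        return default if value is None else value

    def update(self, value):
        """
        Merges another TrailsDict, or a plain dict of key -> (info, reference).

        An empty TrailsDict adopts the other TrailsDict's containers directly
        (shared, not copied); a non-empty one inserts key by key.
        """
        if isinstance(value, TrailsDict):
            if not self._trails:
                for attr in self._STATE_ATTRS:
                    setattr(self, attr, getattr(value, attr))
            else:
                for key in value:
                    self[key] = value[key]
        elif isinstance(value, dict):
            for key in value:
                info, reference = value[key]
                self._trails[key] = self._intern(info, reference)
        else:
            raise Exception("unsupported type '%s'" % type(value))

    def __len__(self):
        return len(self._trails)

    def __getitem__(self, key):
        value = self._resolve(key)
        if value is None:
            raise KeyError(key)
        return value

    def __setitem__(self, key, value):
        if isinstance(value, (tuple, list)):
            info, reference = value
            self._trails[key] = self._intern(info, reference)
        else:
            raise Exception("unsupported type '%s'" % type(value))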


================================================
FILE: core/update.py
================================================
#!/usr/bin/env python

"""
Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
See the file 'LICENSE' for copying permission
"""
from __future__ import print_function

import codecs
import csv
import glob
import inspect
import os
import re
import sqlite3
import sys
import time

sys.dont_write_bytecode = True
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), "..")))  # to enable calling from current directory too

from core.addr import addr_to_int
from core.addr import int_to_addr
from core.addr import make_mask
from core.common import bogon_ip
from core.common import cdn_ip
from core.common import check_whitelisted
from core.common import load_trails
from core.common import retrieve_content
from core.compat import xrange
from core.settings import config
from core.settings import read_config
from core.settings import read_whitelist
from core.settings import BAD_TRAIL_PREFIXES
from core.settings import FRESH_IPCAT_DELTA_DAYS
from core.settings import LOW_PRIORITY_INFO_KEYWORDS
from core.settings import HIGH_PRIORITY_INFO_KEYWORDS
from core.settings import HIGH_PRIORITY_REFERENCES
from core.settings import IPCAT_CSV_FILE
from core.settings import IPCAT_SQLITE_FILE
from core.settings import IPCAT_URL
from core.settings import IS_WIN
from core.settings import ROOT_DIR
from core.settings import UNICODE_ENCODING
from core.settings import USERS_DIR
from core.trailsdict import TrailsDict
from thirdparty import six
from thirdparty.six.moves import urllib as _urllib

# patch for self-signed certificates (e.g. CUSTOM_TRAILS_URL)
# NOTE(review): this replaces the process-wide default HTTPS context with an
# unverified one, so certificate validation is disabled for every urllib
# HTTPS request made afterwards by this process (presumably including the
# retrieve_content() calls for feeds, UPDATE_SERVER and IPCAT_URL — confirm
# in core/common.py), not only for CUSTOM_TRAILS_URL. A narrower option is
# to pass an unverified context just to the custom-trails fetch.
try:
    import ssl
    ssl._create_default_https_context = ssl._create_unverified_context
except (ImportError, AttributeError):
    # builds without the ssl module, or too old to expose the private hook
    pass

def _chown(filepath):
    """
    Hands ownership of an existing path to the user that invoked sudo.

    Owner/group come from the SUDO_UID / SUDO_GID environment variables
    (-1 when unset, which leaves that id unchanged). No-op on Windows and
    for non-existent paths; failures (including non-numeric variables) are
    printed, not raised.
    """

    if IS_WIN or not os.path.exists(filepath):
        return

    try:
        owner = tuple(int(os.environ.get(name, -1)) for name in ("SUDO_UID", "SUDO_GID"))
        os.chown(filepath, *owner)
    except Exception as ex:
        print("[!] chown problem with '%s' ('%s')" % (filepath, ex))

def _fopen(filepath, mode="rb", opener=open):
    """
    Opens filepath with the given opener (builtin open by default) and, for
    "w+" modes, re-chowns the freshly created file to the sudo caller.

    Returns the open file object.
    """

    handle = opener(filepath, mode)
    creates_file = "w+" in mode

    if creates_file:
        _chown(filepath)

    return handle

def update_trails(force=False, offline=False):
    """
    Update trails from feeds

    Builds the trail set either from a remote 'UPDATE_SERVER' (its response
    is written to config.TRAILS_FILE as-is and reloaded) or, when the local
    trails file is missing/empty/stale, by importing every feed module under
    trails/feeds plus the trails/custom and trails/static packages and the
    optional 'CUSTOM_TRAILS_URL' lists, post-processing the merged result and
    writing it as CSV to config.TRAILS_FILE.

    Args:
        force: rebuild even when TRAILS_FILE is fresh; also enables feed
            fetching when 'USE_FEED_UPDATES' is off
        offline: skip the feed modules; only custom/static trails are used
            (note: 'CUSTOM_TRAILS_URL' is still fetched in this mode)

    Returns:
        the TrailsDict that was assembled (empty when nothing was rebuilt)
    """

    success = False
    trails = TrailsDict()
    duplicates = {}  # trail -> set of references that reported it (for the "(+...)" suffix and IP quorum)

    try:
        if not os.path.isdir(USERS_DIR):
            os.makedirs(USERS_DIR, 0o755)
    except Exception as ex:
        sys.exit("[!] something went wrong during creation of directory '%s' ('%s')" % (USERS_DIR, ex))

    _chown(USERS_DIR)

    if config.UPDATE_SERVER:
        print("[i] retrieving trails from provided 'UPDATE_SERVER' server...")
        content = retrieve_content(config.UPDATE_SERVER)
        # only sanity check on the remote payload: it must look like CSV (at least two commas)
        if not content or content.count(',') < 2:
            print("[x] unable to retrieve data from '%s'" % config.UPDATE_SERVER)
        else:
            # NOTE(review): the payload is written verbatim, without the
            # post-processing/whitelisting applied to locally built trails below
            with _fopen(config.TRAILS_FILE, "w+b" if six.PY2 else "w+", open if six.PY2 else codecs.open) as f:
                f.write(content)
            trails = load_trails()

    else:
        # every file under trails/ (and CUSTOM_TRAILS_DIR) counts as a trail source
        # for the staleness check below
        trail_files = set()
        for dirpath, dirnames, filenames in os.walk(os.path.abspath(os.path.join(ROOT_DIR, "trails"))):
            for filename in filenames:
                trail_files.add(os.path.abspath(os.path.join(dirpath, filename)))

        if config.CUSTOM_TRAILS_DIR:
            for dirpath, dirnames, filenames in os.walk(os.path.abspath(os.path.join(ROOT_DIR, os.path.expanduser(config.CUSTOM_TRAILS_DIR)))):
                for filename in filenames:
                    trail_files.add(os.path.abspath(os.path.join(dirpath, filename)))

        # rebuild when forced, or when TRAILS_FILE is missing, older than UPDATE_PERIOD,
        # empty, or older than any trail source file
        if not trails and (force or not os.path.isfile(config.TRAILS_FILE) or (time.time() - os.stat(config.TRAILS_FILE).st_mtime) >= config.UPDATE_PERIOD or os.stat(config.TRAILS_FILE).st_size == 0 or any(os.stat(_).st_mtime > os.stat(config.TRAILS_FILE).st_mtime for _ in trail_files)):
            # NOTE(review): the message keys off config.offline while the fetch
            # decision below uses the 'offline' parameter — confirm the two stay in sync
            if not config.offline:
                print("[i] updating trails (this might take a while)...")
            else:
                print("[i] checking trails...")

            if not offline and (force or config.USE_FEED_UPDATES):
                _ = os.path.abspath(os.path.join(ROOT_DIR, "trails", "feeds"))
                if _ not in sys.path:
                    sys.path.append(_)

                filenames = sorted(glob.glob(os.path.join(_, "*.py")))
            else:
                filenames = []

            _ = os.path.abspath(os.path.join(ROOT_DIR, "trails"))
            if _ not in sys.path:
                sys.path.append(_)

            # the custom/ and static/ packages are imported like feed modules
            filenames += [os.path.join(_, "custom")]
            filenames += [os.path.join(_, "static")]    # Note: higher priority than previous one because of dummy user trails (FE)

            filenames = [_ for _ in filenames if "__init__.py" not in _]

            # DISABLED_FEEDS lists feed module names (split on any non-word run)
            if config.DISABLED_FEEDS:
                filenames = [filename for filename in filenames if os.path.splitext(os.path.split(filename)[-1])[0] not in re.split(r"[^\w]+", config.DISABLED_FEEDS)]

            for i in xrange(len(filenames)):
                filename = filenames[i]

                # feed modules are executed as code on import (resolved via the
                # sys.path entries appended above), so trails/feeds is trusted code
                try:
                    module = __import__(os.path.basename(filename).split(".py")[0])
                except (ImportError, SyntaxError) as ex:
                    print("[x] something went wrong during import of feed file '%s' ('%s')" % (filename, ex))
                    continue

                for name, function in inspect.getmembers(module, inspect.isfunction):
                    if name == "fetch":
                        url = module.__url__  # Note: to prevent "SyntaxError: can not delete variable 'module' referenced in nested scope"

                        print(" [o] '%s'%s" % (url, " " * 20 if len(url) < 20 else ""))
                        sys.stdout.write("[?] progress: %d/%d (%d%%)\r" % (i, len(filenames), i * 100 // len(filenames)))
                        sys.stdout.flush()

                        # whole feed skipped when its __info__ matches the disabled-info regex
                        if config.DISABLED_TRAILS_INFO_REGEX and re.search(config.DISABLED_TRAILS_INFO_REGEX, getattr(module, "__info__", "")):
                            continue

                        try:
                            results = function()
                            for item in results.items():
                                # item: (trail, (info, reference)); bare "www." hostnames are normalised
                                if item[0].startswith("www.") and '/' not in item[0]:
                                    item = [item[0][len("www."):], item[1]]
                                # remember every reference that reported this trail
                                if item[0] in trails:
                                    if item[0] not in duplicates:
                                        duplicates[item[0]] = set((trails[item[0]][1],))
                                    duplicates[item[0]].add(item[1][1])
                                # conflict resolution: a new entry wins unless the existing one is
                                # low-priority-proof (existing info has no LOW_PRIORITY keyword and
                                # existing reference is not HIGH_PRIORITY); high-priority references
                                # (non-"history" info) and HIGH_PRIORITY info keywords always win
                                if not (item[0] in trails and (any(_ in item[1][0] for _ in LOW_PRIORITY_INFO_KEYWORDS) or trails[item[0]][1] in HIGH_PRIORITY_REFERENCES)) or (item[1][1] in HIGH_PRIORITY_REFERENCES and "history" not in item[1][0]) or any(_ in item[1][0] for _ in HIGH_PRIORITY_INFO_KEYWORDS):
                                    trails[item[0]] = item[1]
                            # empty results are expected from some sources, so no warning for those
                            if not results and not any(_ in url for _ in ("abuse.ch", "cobaltstrike")):
                                print("[x] something went wrong during remote data retrieval ('%s')" % url)
                        except Exception as ex:
                            print("[x] something went wrong during processing of feed file '%s' ('%s')" % (filename, ex))

                # unload the feed module so memory is not retained across feeds
                try:
                    sys.modules.pop(module.__name__)
                    del module
                except Exception:
                    pass

            # custom trails from remote location
            if config.CUSTOM_TRAILS_URL:
                print(" [o] '(remote custom)'%s" % (" " * 20))
                for url in re.split(r"[;,]", config.CUSTOM_TRAILS_URL):
                    url = url.strip()
                    if not url:
                        continue

                    # NOTE(review): an entry without a scheme is fetched over plain http,
                    # i.e. without transport integrity; an explicit https:// URL is preferable
                    url = ("http://%s" % url) if "//" not in url else url
                    content = retrieve_content(url)

                    if not content:
                        print("[x] unable to retrieve data (or empty response) from '%s'" % url)
                    else:
                        __info__ = "blacklisted"
                        __reference__ = "(remote custom)"  # urlparse.urlsplit(url).netloc
                        for line in content.split('\n'):
                            line = line.strip()
                            if not line or line.startswith('#'):
                                continue
                            line = re.sub(r"\s*#.*", "", line)
                            if '://' in line:
                                line = re.search(r"://(.*)", line).group(1)
                            line = line.rstrip('/')

                            # local custom/static trails keep precedence over remote ones
                            if line in trails and any(_ in trails[line][1] for _ in ("custom", "static")):
                                continue

                            # URL trails are stored as-is, plain IPs as-is, hostnames without surrounding dots
                            if '/' in line:
                                trails[line] = (__info__, __reference__)
                                line = line.split('/')[0]
                            elif re.search(r"\A\d+\.\d+\.\d+\.\d+\Z", line):
                                trails[line] = (__info__, __reference__)
                            else:
                                trails[line.strip('.')] = (__info__, __reference__)

                        # CIDR notations anywhere in the content are expanded host by host,
                        # but only for small ranges (end - start <= 1024)
                        for match in re.finditer(r"(\d+\.\d+\.\d+\.\d+)/(\d+)", content):
                            prefix, mask = match.groups()
                            mask = int(mask)
                            if mask > 32:
                                continue
                            start_int = addr_to_int(prefix) & make_mask(mask)
                            end_int = start_int | ((1 << 32 - mask) - 1)
                            if 0 <= end_int - start_int <= 1024:
                                address = start_int
                                while start_int <= address <= end_int:
                                    trails[int_to_addr(address)] = (__info__, __reference__)
                                    address += 1

            print("[i] post-processing trails (this might take a while)...")

            # basic cleanup
            for key in list(trails.keys()):
                # keys may have been removed/renamed by an earlier iteration
                if key not in trails:
                    continue

                if config.DISABLED_TRAILS_INFO_REGEX:
                    if re.search(config.DISABLED_TRAILS_INFO_REGEX, trails[key][0]):
                        del trails[key]
                        continue

                # store the IDNA (punycode) form of the key; failures keep the original key
                try:
                    _key = key.decode(UNICODE_ENCODING) if isinstance(key, bytes) else key
                    _key = _key.encode("idna")
                    if six.PY3:
                        _key = _key.decode(UNICODE_ENCODING)
                    if _key != key:  # for domains with non-ASCII letters (e.g. phishing)
                        trails[_key] = trails[key]
                        del trails[key]
                        key = _key
                except:
                    pass

                # drop empty keys and bare label-only entries (e.g. "com", ".exe") unless custom/static
                if not key or re.search(r"(?i)\A\.?[a-z]+\Z", key) and not any(_ in trails[key][1] for _ in ("custom", "static")):
                    del trails[key]
                    continue

                # IPv4 keys: sinkhole/parking wins over duplicates, "malware" is softened,
                # a minimum number of reporting feeds is required (IP_MINIMUM_FEEDS, default 3)
                # unless the trail is custom/static, and invalid octets are rejected
                if re.search(r"\A\d+\.\d+\.\d+\.\d+\Z", key):
                    if any(_ in trails[key][0] for _ in ("parking site", "sinkhole")) and key in duplicates:    # Note: delete (e.g.) junk custom trails if static trail is a sinkhole
                        del duplicates[key]

                    if trails[key][0] == "malware":
                        trails[key] = ("potential malware site", trails[key][1])

                    if config.get("IP_MINIMUM_FEEDS", 3) > 1:
                        if (key not in duplicates or len(duplicates[key]) < config.get("IP_MINIMUM_FEEDS", 3)) and re.search(r"\b(custom|static)\b", trails[key][1]) is None:
                            del trails[key]
                            continue

                    if any(int(_) > 255 for _ in key.split('.')):
                        del trails[key]
                        continue

                if trails[key][0] == "ransomware":
                    trails[key] = ("ransomware (malware)", trails[key][1])

                # key normalisation: strip "www." from hostnames, query strings from URLs,
                # collapse "//" and lowercase; each step re-keys the entry
                if key.startswith("www.") and '/' not in key:
                    _ = trails[key]
                    del trails[key]
                    key = key[len("www."):]
                    if key:
                        trails[key] = _

                if '?' in key and not key.startswith('/'):
                    _ = trails[key]
                    del trails[key]
                    key = key.split('?')[0]
                    if key:
                        trails[key] = _

                if '//' in key:
                    _ = trails[key]
                    del trails[key]
                    key = key.replace('//', '/')
                    trails[key] = _

                if key != key.lower():
                    _ = trails[key]
                    del trails[key]
                    key = key.lower()
                    trails[key] = _

                # append the other reporting references as "(+ref1,ref2)" once
                if key in duplicates:
                    _ = trails[key]
                    others = sorted(duplicates[key] - set((_[1],)))
                    if others and " (+" not in _[1]:
                        trails[key] = (_[0], "%s (+%s)" % (_[1], ','.join(others)))

            read_whitelist()

            # final filtering: whitelisted trails, BAD_TRAIL_PREFIXES, bogon/CDN addresses
            # (unless parking/sinkhole) and entries that are not valid UTF-8 are dropped
            for key in list(trails.keys()):
                match = re.search(r"\A(\d+\.\d+\.\d+\.\d+)\b", key)
                if check_whitelisted(key) or any(key.startswith(_) for _ in BAD_TRAIL_PREFIXES):
                    del trails[key]
                elif match and (bogon_ip(match.group(1)) or cdn_ip(match.group(1))) and not any(_ in trails[key][0] for _ in ("parking", "sinkhole")):
                    del trails[key]
                else:
                    try:
                        key.decode("utf8") if hasattr(key, "decode") else key.encode("utf8")
                        trails[key][0].decode("utf8") if hasattr(trails[key][0], "decode") else trails[key][0].encode("utf8")
                        trails[key][1].decode("utf8") if hasattr(trails[key][1], "decode") else trails[key][1].encode("utf8")
                    except UnicodeError:
                        del trails[key]

            # persist as CSV rows of (trail, info, reference)
            try:
                if trails:
                    with _fopen(config.TRAILS_FILE, "w+b" if six.PY2 else "w+", open if six.PY2 else codecs.open) as f:
                        writer = csv.writer(f, delimiter=',', quotechar='\"', quoting=csv.QUOTE_MINIMAL)
                        for trail in trails:
                            row = (trail, trails[trail][0], trails[trail][1])
                            writer.writerow(row)

                    success = True
            except Exception as ex:
                print("[x] something went wrong during trails file write '%s' ('%s')" % (config.TRAILS_FILE, ex))

            print("[i] update finished%s" % (40 * " "))

            if success:
                print("[i] trails stored to '%s'" % config.TRAILS_FILE)

    return trails

def update_ipcat(force=False):
    try:
        if not os.path.isdir(USERS_DIR):
            os.makedirs(USERS_DIR, 0o755)
    except Exception as ex:
        sys.exit("[!] something went wrong during creation of directory '%s' ('%s')" % (USERS_DIR, ex))

    _chown(USERS_DIR)

    if force or not os.path.isfile(IPCAT_CSV_FILE) or not os.path.isfile(IPCAT_SQLITE_F
gitextract_hq1cpac0/

├── .gitattributes
├── .github/
│   ├── CODE_OF_CONDUCT.md
│   ├── CONTRIBUTING.md
│   ├── ISSUE_TEMPLATE/
│   │   ├── bug_report.md
│   │   ├── feature_request.md
│   │   └── questions-and-support.md
│   └── workflows/
│       └── docker-release.yml
├── .gitignore
├── CHANGELOG
├── CITATION.cff
├── LICENSE
├── README.md
├── SECURITY.md
├── core/
│   ├── __init__.py
│   ├── addr.py
│   ├── attribdict.py
│   ├── colorized.py
│   ├── common.py
│   ├── compat.py
│   ├── datatype.py
│   ├── enums.py
│   ├── httpd.py
│   ├── ignore.py
│   ├── log.py
│   ├── parallel.py
│   ├── settings.py
│   ├── trailsdict.py
│   └── update.py
├── docker/
│   ├── Dockerfile
│   ├── README.md
│   ├── docker-compose.yml
│   └── start.sh
├── fail2ban/
│   └── maltrail.conf.example
├── html/
│   ├── README.txt
│   ├── css/
│   │   ├── main.css
│   │   └── media.css
│   ├── index.html
│   ├── js/
│   │   ├── demo.js
│   │   ├── errorhandler.js
│   │   ├── main.js
│   │   └── thirdparty.ccs
│   └── robots.txt
├── maltrail-sensor.service
├── maltrail-server.service
├── maltrail.conf
├── misc/
│   ├── bogon_ranges.txt
│   ├── cdn_ranges.txt
│   ├── ignore_events.txt
│   ├── logo.xcf
│   ├── precommit-hook
│   ├── server.pem
│   ├── ua.txt
│   ├── whitelist.txt
│   └── worst_asns.txt
├── plugins/
│   ├── __init__.py
│   ├── peek.py
│   └── strings.py
├── requirements.txt
├── sensor.py
├── server.py
├── thirdparty/
│   ├── __init__.py
│   ├── odict/
│   │   ├── __init__.py
│   │   └── ordereddict.py
│   └── six/
│       └── __init__.py
└── trails/
    ├── custom/
    │   ├── __init__.py
    │   └── dprk.txt
    ├── feeds/
    │   ├── __init__.py
    │   ├── abuseipdb.py
    │   ├── alienvault.py
    │   ├── atmos.py
    │   ├── badips.py
    │   ├── binarydefense.py
    │   ├── bitcoinnodes.py
    │   ├── blackbook.py
    │   ├── blackholemonster.py
    │   ├── blocklist.py
    │   ├── botscout.py
    │   ├── bruteforceblocker.py
    │   ├── ciarmy.py
    │   ├── cleantalk.py
    │   ├── cobaltstrike.py
    │   ├── cybercrimetracker.py
    │   ├── dataplane.py
    │   ├── dshieldip.py
    │   ├── emergingthreatsbot.py
    │   ├── emergingthreatscip.py
    │   ├── emergingthreatsdns.py
    │   ├── fareit.py
    │   ├── feodotrackerip.py
    │   ├── gpfcomics.py
    │   ├── greensnow.py
    │   ├── ipnoise.py
    │   ├── maxmind.py
    │   ├── minerchk.py
    │   ├── myip.py
    │   ├── openphish.py
    │   ├── palevotracker.py
    │   ├── policeman.py
    │   ├── ransomwaretrackerdns.py
    │   ├── ransomwaretrackerip.py
    │   ├── ransomwaretrackerurl.py
    │   ├── rutgers.py
    │   ├── sblam.py
    │   ├── scriptzteam.py
    │   ├── socksproxy.py
    │   ├── sslproxies.py
    │   ├── statics.py
    │   ├── torproject.py
    │   ├── trickbot.py
    │   ├── turris.py
    │   ├── urlhaus.py
    │   ├── viriback.py
    │   ├── zeustrackermonitor.py
    │   └── zeustrackerurl.py
    └── static/
        ├── __init__.py
        ├── malicious/
        │   ├── 365stealer_phishtool.txt
        │   ├── 404_tds.txt
        │   ├── abcsoup.txt
        │   ├── adaptix_c2.txt
        │   ├── alchimist_c2.txt
        │   ├── alexus_spamtool.txt
        │   ├── anarchy_c2.txt
        │   ├── android_goldoson.txt
        │   ├── android_hiddad.txt
        │   ├── araneida.txt
        │   ├── arl.txt
        │   ├── bad_proxy.txt
        │   ├── bad_script.txt
        │   ├── bad_service.txt
        │   ├── bitrixcore.txt
        │   ├── black_tds.txt
        │   ├── brc4.txt
        │   ├── brchecker.txt
        │   ├── browser_locker.txt
        │   ├── c2_panel.txt
        │   ├── caldera_c2.txt
        │   ├── chromekatz.txt
        │   ├── cloakndagger_c2.txt
        │   ├── contador_spamtool.txt
        │   ├── coreimpact.txt
        │   ├── covenant.txt
        │   ├── cyberstrikeai.txt
        │   ├── deimos_c2.txt
        │   ├── domain_shadowing.txt
        │   ├── ek_angler.txt
        │   ├── ek_bottle.txt
        │   ├── ek_capesand.txt
        │   ├── ek_clearfake.txt
        │   ├── ek_fallout.txt
        │   ├── ek_generic.txt
        │   ├── ek_grandsoft.txt
        │   ├── ek_greenflash.txt
        │   ├── ek_kaixin.txt
        │   ├── ek_landupdate808.txt
        │   ├── ek_magnitude.txt
        │   ├── ek_neutrino.txt
        │   ├── ek_nuclear.txt
        │   ├── ek_purplefox.txt
        │   ├── ek_radio.txt
        │   ├── ek_rig.txt
        │   ├── ek_rogueraticate.txt
        │   ├── ek_router.txt
        │   ├── ek_scamclub.txt
        │   ├── ek_shade.txt
        │   ├── ek_spelevo.txt
        │   ├── ek_trillium.txt
        │   ├── ek_underminer.txt
        │   ├── ek_vextrio.txt
        │   ├── ek_zphp.txt
        │   ├── elf_reversessh.txt
        │   ├── errtraffic_tds.txt
        │   ├── evilginx.txt
        │   ├── filebroser.txt
        │   ├── generic_tds.txt
        │   ├── ghostshell_c2.txt
        │   ├── gophish.txt
        │   ├── hak5cloud_c2.txt
        │   ├── havoc.txt
        │   ├── help_tds.txt
        │   ├── install_capital.txt
        │   ├── install_cube.txt
        │   ├── interactsh.txt
        │   ├── katyabot.txt
        │   ├── keitaro_tds.txt
        │   ├── khepri_c2.txt
        │   ├── ligolo_tunnel.txt
        │   ├── magentocore.txt
        │   ├── merlin_c2.txt
        │   ├── metasploit.txt
        │   ├── mini_c2.txt
        │   ├── modxcore.txt
        │   ├── moneybadgers_tds.txt
        │   ├── msau_autouploader.txt
        │   ├── mythic.txt
        │   ├── nameless_c2.txt
        │   ├── nighthawk.txt
        │   ├── nimplant.txt
        │   ├── openxcore.txt
        │   ├── parrot_tds.txt
        │   ├── perfaudcore.txt
        │   ├── perswaysion.txt
        │   ├── phonyc2.txt
        │   ├── pinnaclecore.txt
        │   ├── prestacore.txt
        │   ├── prometheus_tds.txt
        │   ├── proxychanger.txt
        │   ├── psransom_c2.txt
        │   ├── pushbug.txt
        │   ├── pyramid_c2.txt
        │   ├── python_byob.txt
        │   ├── redguard.txt
        │   ├── redwarden.txt
        │   ├── robloxcore.txt
        │   ├── rogue_dns.txt
        │   ├── savvyseahorse_tds.txt
        │   ├── scareware.txt
        │   ├── shellcodec2.txt
        │   ├── sliver.txt
        │   ├── sms_flooder.txt
        │   ├── socgholish.txt
        │   ├── spiderlabs_responder.txt
        │   ├── supershell_c2.txt
        │   ├── supremebot.txt
        │   ├── sutra_tds.txt
        │   ├── swat_c2.txt
        │   ├── telekopye_scamtool.txt
        │   ├── upx_tds.txt
        │   ├── villian_c2.txt
        │   ├── viper.txt
        │   ├── woof.txt
        │   ├── wp_inject.txt
        │   ├── wraithnet.txt
        │   ├── xiebroc2.txt
        │   ├── xsender_spamtool.txt
        │   ├── xtramailer_spamtool.txt
        │   └── zoro_c2.txt
        ├── malware/
        │   ├── 0bj3ctivity.txt
        │   ├── 0debug.txt
        │   ├── 0ktapus.txt
        │   ├── 0mega.txt
        │   ├── 0xthief.txt
        │   ├── 123.txt
        │   ├── 1312.txt
        │   ├── 1336.txt
        │   ├── 1ms0rry.txt
        │   ├── 404.txt
        │   ├── 411.txt
        │   ├── 44caliber.txt
        │   ├── 4l4md4r_ransomware.txt
        │   ├── 8base.txt
        │   ├── 9002.txt
        │   ├── a310.txt
        │   ├── aabquerys.txt
        │   ├── ab.txt
        │   ├── aboc.txt
        │   ├── absent.txt
        │   ├── acbackdoor.txt
        │   ├── acridrain.txt
        │   ├── activeagent.txt
        │   ├── adrozek.txt
        │   ├── advisorbot.txt
        │   ├── adwind.txt
        │   ├── adylkuzz.txt
        │   ├── adzok.txt
        │   ├── aegis.txt
        │   ├── aeroblade.txt
        │   ├── afrodita.txt
        │   ├── agaadex.txt
        │   ├── againstthewest.txt
        │   ├── agartha.txt
        │   ├── agenttesla.txt
        │   ├── agniane.txt
        │   ├── aguijon.txt
        │   ├── ailock_ransomware.txt
        │   ├── ailurophile.txt
        │   ├── airbot.txt
        │   ├── akey.txt
        │   ├── akira.txt
        │   ├── album.txt
        │   ├── aldibot.txt
        │   ├── alina.txt
        │   ├── allakore.txt
        │   ├── almalocker.txt
        │   ├── almashreq.txt
        │   ├── alpha.txt
        │   ├── alphav.txt
        │   ├── amadey.txt
        │   ├── amatera.txt
        │   ├── amavaldo.txt
        │   ├── amend_miner.txt
        │   ├── ammyyrat.txt
        │   ├── amnesia.txt
        │   ├── amnesiarat.txt
        │   ├── anchor.txt
        │   ├── android_abstractemu.txt
        │   ├── android_acecard.txt
        │   ├── android_actionspy.txt
        │   ├── android_adrd.txt
        │   ├── android_ahmythrat.txt
        │   ├── android_airavat.txt
        │   ├── android_ajina.txt
        │   ├── android_albiriox.txt
        │   ├── android_alienspy.txt
        │   ├── android_andichap.txt
        │   ├── android_androrat.txt
        │   ├── android_antidot.txt
        │   ├── android_anubis.txt
        │   ├── android_arsinkrat.txt
        │   ├── android_arspam.txt
        │   ├── android_asacub.txt
        │   ├── android_autolycos.txt
        │   ├── android_awspy.txt
        │   ├── android_backflash.txt
        │   ├── android_badbox.txt
        │   ├── android_bankbot.txt
        │   ├── android_bankun.txt
        │   ├── android_basbanke.txt
        │   ├── android_basebridge.txt
        │   ├── android_besyria.txt
        │   ├── android_bigpanzi.txt
        │   ├── android_bingomod.txt
        │   ├── android_blackrock.txt
        │   ├── android_blankbot.txt
        │   ├── android_boomslang.txt
        │   ├── android_boxer.txt
        │   ├── android_brokewell.txt
        │   ├── android_buhsam.txt
        │   ├── android_busygasper.txt
        │   ├── android_calibar.txt
        │   ├── android_callerspy.txt
        │   ├── android_camscanner.txt
        │   ├── android_cerberus.txt
        │   ├── android_cherryblos.txt
        │   ├── android_chuli.txt
        │   ├── android_circle.txt
        │   ├── android_claco.txt
        │   ├── android_clayrat.txt
        │   ├── android_clickfraud.txt
        │   ├── android_cometbot.txt
        │   ├── android_cookiethief.txt
        │   ├── android_coolreaper.txt
        │   ├── android_copycat.txt
        │   ├── android_counterclank.txt
        │   ├── android_coyote.txt
        │   ├── android_craxrat.txt
        │   ├── android_crocodilus.txt
        │   ├── android_cyberwurx.txt
        │   ├── android_darkshades.txt
        │   ├── android_dendoroid.txt
        │   ├── android_dougalek.txt
        │   ├── android_droidbot.txt
        │   ├── android_droidjack.txt
        │   ├── android_droidkungfu.txt
        │   ├── android_droidlock.txt
        │   ├── android_eaglemsgspy.txt
        │   ├── android_eaglespy.txt
        │   ├── android_enesoluty.txt
        │   ├── android_ermac.txt
        │   ├── android_escobar.txt
        │   ├── android_eventbot.txt
        │   ├── android_ewalls.txt
        │   ├── android_ewind.txt
        │   ├── android_exobot.txt
        │   ├── android_exodus.txt
        │   ├── android_exprespam.txt
        │   ├── android_facestealer.txt
        │   ├── android_fakeapp.txt
        │   ├── android_fakebanco.txt
        │   ├── android_fakedown.txt
        │   ├── android_fakeinst.txt
        │   ├── android_fakelog.txt
        │   ├── android_fakemart.txt
        │   ├── android_fakemrat.txt
        │   ├── android_fakeneflic.txt
        │   ├── android_fakesecsuit.txt
        │   ├── android_fanta.txt
        │   ├── android_fantasyhub.txt
        │   ├── android_feabme.txt
        │   ├── android_fleckpe.txt
        │   ├── android_flexispy.txt
        │   ├── android_flubot.txt
        │   ├── android_fluhorse.txt
        │   ├── android_fobus.txt
        │   ├── android_fraudbot.txt
        │   ├── android_friend.txt
        │   ├── android_frogblight.txt
        │   ├── android_frogonal.txt
        │   ├── android_funkybot.txt
        │   ├── android_fvncbot.txt
        │   ├── android_gabas.txt
        │   ├── android_geinimi.txt
        │   ├── android_generic.txt
        │   ├── android_geost.txt
        │   ├── android_ghostbatrat.txt
        │   ├── android_ghostpush.txt
        │   ├── android_ghostspy.txt
        │   ├── android_gigabud.txt
        │   ├── android_ginmaster.txt
        │   ├── android_ginp.txt
        │   ├── android_gmaster.txt
        │   ├── android_gnews.txt
        │   ├── android_goatrat.txt
        │   ├── android_godwon.txt
        │   ├── android_golddigger.txt
        │   ├── android_golddream.txt
        │   ├── android_goldencup.txt
        │   ├── android_golfspy.txt
        │   ├── android_gonesixty.txt
        │   ├── android_goontact.txt
        │   ├── android_gplayed.txt
        │   ├── android_gustuff.txt
        │   ├── android_gymdrop.txt
        │   ├── android_gypte.txt
        │   ├── android_handda.txt
        │   ├── android_henbox.txt
        │   ├── android_hermit.txt
        │   ├── android_herodotus.txt
        │   ├── android_hornbill.txt
        │   ├── android_hydra.txt
        │   ├── android_ibanking.txt
        │   ├── android_iconosys.txt
        │   ├── android_joker.txt
        │   ├── android_jsmshider.txt
        │   ├── android_kbuster.txt
        │   ├── android_kemoge.txt
        │   ├── android_klopatra.txt
        │   ├── android_landfall.txt
        │   ├── android_lazarus.txt
        │   ├── android_ligarat.txt
        │   ├── android_lockdroid.txt
        │   ├── android_lotoor.txt
        │   ├── android_lovetrap.txt
        │   ├── android_lunabot.txt
        │   ├── android_malbus.txt
        │   ├── android_malibot.txt
        │   ├── android_mandrake.txt
        │   ├── android_masterfred.txt
        │   ├── android_maxit.txt
        │   ├── android_mazar.txt
        │   ├── android_megasrat.txt
        │   ├── android_mellat.txt
        │   ├── android_mmrat.txt
        │   ├── android_mobok.txt
        │   ├── android_mobstspy.txt
        │   ├── android_monokle.txt
        │   ├── android_nativeworm.txt
        │   ├── android_ngate.txt
        │   ├── android_notcompatible.txt
        │   ├── android_oblivionrat.txt
        │   ├── android_oneclickfraud.txt
        │   ├── android_opfake.txt
        │   ├── android_oscorp.txt
        │   ├── android_ozotshielder.txt
        │   ├── android_pakchat.txt
        │   ├── android_parcel.txt
        │   ├── android_pareto.txt
        │   ├── android_pekkarat.txt
        │   ├── android_perseus.txt
        │   ├── android_phantom.txt
        │   ├── android_phonespy.txt
        │   ├── android_pikspam.txt
        │   ├── android_pixpirate.txt
        │   ├── android_pjapps.txt
        │   ├── android_pjobrat.txt
        │   ├── android_playpraetor.txt
        │   ├── android_promptspy.txt
        │   ├── android_protospy.txt
        │   ├── android_qdplugin.txt
        │   ├── android_qwizzserial.txt
        │   ├── android_raddex.txt
        │   ├── android_rafelrat.txt
        │   ├── android_ransomware.txt
        │   ├── android_ratmilad.txt
        │   ├── android_ratseller.txt
        │   ├── android_redalert.txt
        │   ├── android_regon.txt
        │   ├── android_remotecode.txt
        │   ├── android_repane.txt
        │   ├── android_residentbat.txt
        │   ├── android_riltok.txt
        │   ├── android_roamingmantis.txt
        │   ├── android_rocinante.txt
        │   ├── android_roidsec.txt
        │   ├── android_rotexy.txt
        │   ├── android_salvador.txt
        │   ├── android_samsapo.txt
        │   ├── android_sandrorat.txt
        │   ├── android_selfmite.txt
        │   ├── android_shadowvoice.txt
        │   ├── android_shahilrat.txt
        │   ├── android_sharkbot.txt
        │   ├── android_shopper.txt
        │   ├── android_simbad.txt
        │   ├── android_simplocker.txt
        │   ├── android_skullkey.txt
        │   ├── android_smsfactory.txt
        │   ├── android_sndapps.txt
        │   ├── android_sparkkitty.txt
        │   ├── android_spinok.txt
        │   ├── android_spynote.txt
        │   ├── android_spysolrrat.txt
        │   ├── android_spytekcell.txt
        │   ├── android_stels.txt
        │   ├── android_surxrat.txt
        │   ├── android_svpeng.txt
        │   ├── android_swanalitics.txt
        │   ├── android_teabot.txt
        │   ├── android_teelog.txt
        │   ├── android_telerat.txt
        │   ├── android_tetus.txt
        │   ├── android_tgtoxic.txt
        │   ├── android_th33ht.txt
        │   ├── android_thamera.txt
        │   ├── android_thiefbot.txt
        │   ├── android_tonclank.txt
        │   ├── android_torec.txt
        │   ├── android_triada.txt
        │   ├── android_uracto.txt
        │   ├── android_usbcleaver.txt
        │   ├── android_vapor.txt
        │   ├── android_viceleaker.txt
        │   ├── android_vmvol.txt
        │   ├── android_vo1d.txt
        │   ├── android_vultur.txt
        │   ├── android_windseeker.txt
        │   ├── android_wirex.txt
        │   ├── android_wolfrat.txt
        │   ├── android_wpeeper.txt
        │   ├── android_xavirad.txt
        │   ├── android_xbot007.txt
        │   ├── android_xenomorph.txt
        │   ├── android_xerxes.txt
        │   ├── android_xhelper.txt
        │   ├── android_xploitspy.txt
        │   ├── android_ynrk.txt
        │   ├── android_z3core.txt
        │   ├── android_zertsecurity.txt
        │   ├── android_ztorg.txt
        │   ├── andromeda.txt
        │   ├── androxgh0st.txt
        │   ├── anel.txt
        │   ├── anivia.txt
        │   ├── anonrat.txt
        │   ├── anonvnc.txt
        │   ├── antarctica.txt
        │   ├── antefrigus.txt
        │   ├── antibot.txt
        │   ├── antigravityrat.txt
        │   ├── anubis.txt
        │   ├── anubis_ransomware.txt
        │   ├── anuna.txt
        │   ├── aotera.txt
        │   ├── apocalypse.txt
        │   ├── apossec.txt
        │   ├── apt_12.txt
        │   ├── apt_17.txt
        │   ├── apt_18.txt
        │   ├── apt_1877team.txt
        │   ├── apt_23.txt
        │   ├── apt_27.txt
        │   ├── apt_30.txt
        │   ├── apt_33.txt
        │   ├── apt_37.txt
        │   ├── apt_38.txt
        │   ├── apt_45.txt
        │   ├── apt_48.txt
        │   ├── apt_5.txt
        │   ├── apt_60.txt
        │   ├── apt_68.txt
        │   ├── apt_73.txt
        │   ├── apt_aoqindragon.txt
        │   ├── apt_appin.txt
        │   ├── apt_aridviper.txt
        │   ├── apt_atlascross.txt
        │   ├── apt_babar.txt
        │   ├── apt_babyshark.txt
        │   ├── apt_badmagic.txt
        │   ├── apt_bahamut.txt
        │   ├── apt_banishedkitten.txt
        │   ├── apt_barium.txt
        │   ├── apt_batshadow.txt
        │   ├── apt_bisonal.txt
        │   ├── apt_bitter.txt
        │   ├── apt_blackgear.txt
        │   ├── apt_blacktech.txt
        │   ├── apt_bladedfeline.txt
        │   ├── apt_blindeagle.txt
        │   ├── apt_bloodywolf.txt
        │   ├── apt_bluenoroff.txt
        │   ├── apt_blueprint.txt
        │   ├── apt_bookworm.txt
        │   ├── apt_boteam.txt
        │   ├── apt_buhtrap.txt
        │   ├── apt_cadetblizzard.txt
        │   ├── apt_calypso.txt
        │   ├── apt_camarodragon.txt
        │   ├── apt_caracalkitten.txt
        │   ├── apt_carbonspider.txt
        │   ├── apt_carderbee.txt
        │   ├── apt_careto.txt
        │   ├── apt_casper.txt
        │   ├── apt_cdt.txt
        │   ├── apt_chafer.txt
        │   ├── apt_chamelgang.txt
        │   ├── apt_charmingkitten.txt
        │   ├── apt_cleaver.txt
        │   ├── apt_cloudatlas.txt
        │   ├── apt_cloudwizard.txt
        │   ├── apt_cobaltdickens.txt
        │   ├── apt_codoso.txt
        │   ├── apt_coldriver.txt
        │   ├── apt_coldwastrel.txt
        │   ├── apt_commentcrew.txt
        │   ├── apt_copykittens.txt
        │   ├── apt_cosmicduke.txt
        │   ├── apt_crimsoncollective.txt
        │   ├── apt_cyberav3ngers.txt
        │   ├── apt_cyberbit.txt
        │   ├── apt_dalbit.txt
        │   ├── apt_darkcaracal.txt
        │   ├── apt_darkhotel.txt
        │   ├── apt_darkhydrus.txt
        │   ├── apt_darkpink.txt
        │   ├── apt_darkriver.txt
        │   ├── apt_deadlykiss.txt
        │   ├── apt_deathstalker.txt
        │   ├── apt_desertfalcon.txt
        │   ├── apt_dnspionage.txt
        │   ├── apt_docless.txt
        │   ├── apt_domestickitten.txt
        │   ├── apt_donot.txt
        │   ├── apt_downex.txt
        │   ├── apt_dragonok.txt
        │   ├── apt_driftingcloud.txt
        │   ├── apt_duke.txt
        │   ├── apt_dunequixote.txt
        │   ├── apt_dustspecter.txt
        │   ├── apt_dustsquad.txt
        │   ├── apt_earthberberoka.txt
        │   ├── apt_earthestries.txt
        │   ├── apt_earthhundun.txt
        │   ├── apt_earthkrahang.txt
        │   ├── apt_earthkurma.txt
        │   ├── apt_earthwendigo.txt
        │   ├── apt_egomaniac.txt
        │   ├── apt_energeticbear.txt
        │   ├── apt_equationgroup.txt
        │   ├── apt_evapiks.txt
        │   ├── apt_evasivepanda.txt
        │   ├── apt_ezq.txt
        │   ├── apt_familiarfeeling.txt
        │   ├── apt_ferociouskitten.txt
        │   ├── apt_finfisher.txt
        │   ├── apt_flame.txt
        │   ├── apt_flaxtyphoon.txt
        │   ├── apt_flightnight.txt
        │   ├── apt_flyingyeti.txt
        │   ├── apt_forumtroll.txt
        │   ├── apt_fruityarmor.txt
        │   ├── apt_gallmaker.txt
        │   ├── apt_gamaredon-1.txt
        │   ├── apt_gamaredon.txt
        │   ├── apt_gaza.txt
        │   ├── apt_ghostemperor.txt
        │   ├── apt_glasses.txt
        │   ├── apt_golddragon.txt
        │   ├── apt_goldenbird.txt
        │   ├── apt_goldenjackal.txt
        │   ├── apt_goldenrat.txt
        │   ├── apt_goldmelody.txt
        │   ├── apt_goldmouse.txt
        │   ├── apt_gorgon.txt
        │   ├── apt_gothicpanda.txt
        │   ├── apt_grayling.txt
        │   ├── apt_greenspot.txt
        │   ├── apt_gref.txt
        │   ├── apt_greyenergy.txt
        │   ├── apt_groundbait.txt
        │   ├── apt_group5.txt
        │   ├── apt_hackingteam.txt
        │   ├── apt_hafnium.txt
        │   ├── apt_hangover.txt
        │   ├── apt_hellhounds.txt
        │   ├── apt_hermit.txt
        │   ├── apt_hezirash.txt
        │   ├── apt_higaisa.txt
        │   ├── apt_hogfish.txt
        │   ├── apt_icefog.txt
        │   ├── apt_icepeony.txt
        │   ├── apt_imperialkitten.txt
        │   ├── apt_indigozebra.txt
        │   ├── apt_indra.txt
        │   ├── apt_inedibleochotense.txt
        │   ├── apt_infy.txt
        │   ├── apt_innaput.txt
        │   ├── apt_irn2.txt
        │   ├── apt_ironhusky.txt
        │   ├── apt_irontiger.txt
        │   ├── apt_isoon.txt
        │   ├── apt_judgmentpanda.txt
        │   ├── apt_kapeka.txt
        │   ├── apt_karakurt.txt
        │   ├── apt_kasablanka.txt
        │   ├── apt_ke3chang.txt
        │   ├── apt_keyboy.txt
        │   ├── apt_kimsuky.txt
        │   ├── apt_kun3.txt
        │   ├── apt_lazarus.txt
        │   ├── apt_lazyscripter.txt
        │   ├── apt_leafminer.txt
        │   ├── apt_librarianghouls.txt
        │   ├── apt_longhorn.txt
        │   ├── apt_longnosedgoblin.txt
        │   ├── apt_lotusblossom.txt
        │   ├── apt_luckycat.txt
        │   ├── apt_luminousmoth.txt
        │   ├── apt_lyceum.txt
        │   ├── apt_machete.txt
        │   ├── apt_malkamak.txt
        │   ├── apt_marbleddust.txt
        │   ├── apt_menupass.txt
        │   ├── apt_mercenaryamanda.txt
        │   ├── apt_middleeast.txt
        │   ├── apt_middlefloor.txt
        │   ├── apt_miniduke.txt
        │   ├── apt_mirrorface.txt
        │   ├── apt_modifiedelephant.txt
        │   ├── apt_motorbeacon.txt
        │   ├── apt_moustachedbouncer.txt
        │   ├── apt_mudcarp.txt
        │   ├── apt_muddywater.txt
        │   ├── apt_murenshark.txt
        │   ├── apt_mustangpanda.txt
        │   ├── apt_naikon.txt
        │   ├── apt_nettraveler.txt
        │   ├── apt_newsbeef.txt
        │   ├── apt_newspenguin.txt
        │   ├── apt_nighteagle.txt
        │   ├── apt_noisybear.txt
        │   ├── apt_noname05716.txt
        │   ├── apt_novispy.txt
        │   ├── apt_obsmogwai.txt
        │   ├── apt_oceanlotus.txt
        │   ├── apt_oilalpha.txt
        │   ├── apt_oilrig.txt
        │   ├── apt_onyxsleet.txt
        │   ├── apt_opera1er.txt
        │   ├── apt_packrat.txt
        │   ├── apt_paperwerewolf.txt
        │   ├── apt_paragon.txt
        │   ├── apt_patchwork.txt
        │   ├── apt_peepingtitle.txt
        │   ├── apt_pegasus.txt
        │   ├── apt_pittytiger.txt
        │   ├── apt_pkplug.txt
        │   ├── apt_platinum.txt
        │   ├── apt_poisonneedles.txt
        │   ├── apt_pokingthebear.txt
        │   ├── apt_polonium.txt
        │   ├── apt_potao.txt
        │   ├── apt_predator.txt
        │   ├── apt_punishingowl.txt
        │   ├── apt_purplehaze.txt
        │   ├── apt_putterpanda.txt
        │   ├── apt_q015.txt
        │   ├── apt_q12.txt
        │   ├── apt_q27.txt
        │   ├── apt_quarian.txt
        │   ├── apt_quasar.txt
        │   ├── apt_rainbowhyena.txt
        │   ├── apt_rampantkitten.txt
        │   ├── apt_rancor.txt
        │   ├── apt_reaper.txt
        │   ├── apt_redbaldknight.txt
        │   ├── apt_redfoxtrot.txt
        │   ├── apt_redjuliett.txt
        │   ├── apt_rednovember.txt
        │   ├── apt_redoctober.txt
        │   ├── apt_redwolf.txt
        │   ├── apt_rnexus.txt
        │   ├── apt_rocketman.txt
        │   ├── apt_rusticweb.txt
        │   ├── apt_saguaro.txt
        │   ├── apt_sandman.txt
        │   ├── apt_sandworm.txt
        │   ├── apt_sauron.txt
        │   ├── apt_scanbox.txt
        │   ├── apt_scarletmimic.txt
        │   ├── apt_scieron.txt
        │   ├── apt_seaflower.txt
        │   ├── apt_sectora05.txt
        │   ├── apt_shamoon.txt
        │   ├── apt_sharppanda.txt
        │   ├── apt_shiqiang.txt
        │   ├── apt_sidewinder.txt
        │   ├── apt_silence.txt
        │   ├── apt_silencerlion.txt
        │   ├── apt_silentlynx.txt
        │   ├── apt_simbaa.txt
        │   ├── apt_skycloak.txt
        │   ├── apt_snowman.txt
        │   ├── apt_sobaken.txt
        │   ├── apt_sofacy.txt
        │   ├── apt_spacepirates.txt
        │   ├── apt_stealthfalcon.txt
        │   ├── apt_stolenpencil.txt
        │   ├── apt_stonedrill.txt
        │   ├── apt_stonefly.txt
        │   ├── apt_strongpity.txt
        │   ├── apt_stuxnet.txt
        │   ├── apt_ta2101.txt
        │   ├── apt_ta240524.txt
        │   ├── apt_ta410.txt
        │   ├── apt_ta416.txt
        │   ├── apt_ta428.txt
        │   ├── apt_ta555.txt
        │   ├── apt_ta5918.txt
        │   ├── apt_tag22.txt
        │   ├── apt_tag28.txt
        │   ├── apt_tajmahal.txt
        │   ├── apt_tealkurma.txt
        │   ├── apt_telebots.txt
        │   ├── apt_tempperiscope.txt
        │   ├── apt_temptingcedar.txt
        │   ├── apt_tengyunsnake.txt
        │   ├── apt_thewizards.txt
        │   ├── apt_tibet.txt
        │   ├── apt_tick.txt
        │   ├── apt_tidrone.txt
        │   ├── apt_tinyscouts.txt
        │   ├── apt_toddycat.txt
        │   ├── apt_tortoiseshell.txt
        │   ├── apt_transparenttribe.txt
        │   ├── apt_triangulation.txt
        │   ├── apt_turla.txt
        │   ├── apt_tvrms.txt
        │   ├── apt_twistedpanda.txt
        │   ├── apt_unc1151.txt
        │   ├── apt_unc215.txt
        │   ├── apt_unc2190.txt
        │   ├── apt_unc2447.txt
        │   ├── apt_unc2452.txt
        │   ├── apt_unc2465.txt
        │   ├── apt_unc2529.txt
        │   ├── apt_unc2565.txt
        │   ├── apt_unc2596.txt
        │   ├── apt_unc2814.txt
        │   ├── apt_unc2970.txt
        │   ├── apt_unc3500.txt
        │   ├── apt_unc3535.txt
        │   ├── apt_unc3886.txt
        │   ├── apt_unc3890.txt
        │   ├── apt_unc3966.txt
        │   ├── apt_unc4108.txt
        │   ├── apt_unc4166.txt
        │   ├── apt_unc4191.txt
        │   ├── apt_unc4210.txt
        │   ├── apt_unc4221.txt
        │   ├── apt_unc4553.txt
        │   ├── apt_unc4841.txt
        │   ├── apt_unc4899.txt
        │   ├── apt_unc4990.txt
        │   ├── apt_unc5174.txt
        │   ├── apt_unc5221.txt
        │   ├── apt_unc5537.txt
        │   ├── apt_unc5792.txt
        │   ├── apt_unc5812.txt
        │   ├── apt_unc5952.txt
        │   ├── apt_unc6293.txt
        │   ├── apt_unc6353.txt
        │   ├── apt_unc6691.txt
        │   ├── apt_unc961.txt
        │   ├── apt_unclassified.txt
        │   ├── apt_ush.txt
        │   ├── apt_vajraeleph.txt
        │   ├── apt_venomspider.txt
        │   ├── apt_vicesociety.txt
        │   ├── apt_viciouspanda.txt
        │   ├── apt_voidarachne.txt
        │   ├── apt_voidblizzard.txt
        │   ├── apt_volatilecedar.txt
        │   ├── apt_weakestlink.txt
        │   ├── apt_webky.txt
        │   ├── apt_whitecompany.txt
        │   ├── apt_wickedpanda.txt
        │   ├── apt_windshift.txt
        │   ├── apt_wintervivern.txt
        │   ├── apt_wirte.txt
        │   ├── apt_wuqiongdong.txt
        │   ├── apt_xdspy.txt
        │   ├── apt_xpath.txt
        │   ├── aptlock_ransomware.txt
        │   ├── arachna_ransomware.txt
        │   ├── arackus.txt
        │   ├── arcane.txt
        │   ├── arcanedoor.txt
        │   ├── arcrypter.txt
        │   ├── arcusmedia.txt
        │   ├── arec.txt
        │   ├── areses.txt
        │   ├── argonauts.txt
        │   ├── arkana.txt
        │   ├── arkanix.txt
        │   ├── arkei.txt
        │   ├── arrowrat.txt
        │   ├── artemisrat.txt
        │   ├── artro.txt
        │   ├── arvin.txt
        │   ├── aspire.txt
        │   ├── asruex.txt
        │   ├── astarionrat.txt
        │   ├── astaroth.txt
        │   ├── astrobot.txt
        │   ├── astrolocker.txt
        │   ├── asyncrat.txt
        │   ├── athenagorat.txt
        │   ├── athenahttp.txt
        │   ├── atilla.txt
        │   ├── atlantida.txt
        │   ├── atm_dispcash.txt
        │   ├── atmos.txt
        │   ├── atomlogger.txt
        │   ├── atomsilo.txt
        │   ├── atroposia.txt
        │   ├── attor.txt
        │   ├── aurora.txt
        │   ├── aurotun.txt
        │   ├── autoit.txt
        │   ├── avaddon.txt
        │   ├── avalanche.txt
        │   ├── avast_ransomware.txt
        │   ├── avemaria.txt
        │   ├── avoslocker.txt
        │   ├── avrecon.txt
        │   ├── axespec.txt
        │   ├── axile.txt
        │   ├── axolotl.txt
        │   ├── axpergle.txt
        │   ├── aybo.txt
        │   ├── azorult.txt
        │   ├── aztro.txt
        │   ├── babadeda.txt
        │   ├── babmote.txt
        │   ├── babuk.txt
        │   ├── babybot.txt
        │   ├── babyduck.txt
        │   ├── babylonrat.txt
        │   ├── bachosens.txt
        │   ├── backnet.txt
        │   ├── backoff.txt
        │   ├── badblock.txt
        │   ├── badiis.txt
        │   ├── badrabbit.txt
        │   ├── balamid.txt
        │   ├── baldr.txt
        │   ├── balkanrat.txt
        │   ├── bamital.txt
        │   ├── bananasulfate.txt
        │   ├── bandit.txt
        │   ├── bandook.txt
        │   ├── bankapol.txt
        │   ├── bankerclip.txt
        │   ├── bankerflux.txt
        │   ├── bankiacry.txt
        │   ├── bankpatch.txt
        │   ├── banload.txt
        │   ├── banprox.txt
        │   ├── banwarum.txt
        │   ├── barkio.txt
        │   ├── barys.txt
        │   ├── batloader.txt
        │   ├── bayrob.txt
        │   ├── bazarloader.txt
        │   ├── bbtok.txt
        │   ├── bby.txt
        │   ├── bbz.txt
        │   ├── beamwinhttp.txt
        │   ├── beapy.txt
        │   ├── bear.txt
        │   ├── beast_ransomware.txt
        │   ├── bedep.txt
        │   ├── beebone.txt
        │   ├── belesn_ransomware.txt
        │   ├── belonard.txt
        │   ├── benzona.txt
        │   ├── bert.txt
        │   ├── bestafera.txt
        │   ├── betabot.txt
        │   ├── bezigaterat.txt
        │   ├── bianlian.txt
        │   ├── bifrost.txt
        │   ├── biskvit.txt
        │   ├── bitbyte.txt
        │   ├── bitpaymer.txt
        │   ├── bitrat.txt
        │   ├── bitshifter.txt
        │   ├── bitstealer.txt
        │   ├── blackbasta.txt
        │   ├── blackbyte.txt
        │   ├── blackdolphin.txt
        │   ├── blackfield.txt
        │   ├── blackhole.txt
        │   ├── blackhunt.txt
        │   ├── blackkingdom.txt
        │   ├── blacklotus.txt
        │   ├── blackmagic.txt
        │   ├── blackmatter.txt
        │   ├── blackmoon.txt
        │   ├── blacknet.txt
        │   ├── blacknevas.txt
        │   ├── blacknixrat.txt
        │   ├── blacknote.txt
        │   ├── blackrat.txt
        │   ├── blackreaperrat.txt
        │   ├── blackrota.txt
        │   ├── blackshades.txt
        │   ├── blackshadow.txt
        │   ├── blackshrantac.txt
        │   ├── blacksquid.txt
        │   ├── blackstrike.txt
        │   ├── blacksuit_ransomware.txt
        │   ├── blacktor.txt
        │   ├── blackwater.txt
        │   ├── blackworm.txt
        │   ├── blankgrabber.txt
        │   ├── blaze.txt
        │   ├── blister.txt
        │   ├── blitz.txt
        │   ├── blockbuster.txt
        │   ├── bloody.txt
        │   ├── bloored.txt
        │   ├── bluebananarat.txt
        │   ├── bluebot.txt
        │   ├── bluebox.txt
        │   ├── bluecrab.txt
        │   ├── bluefox.txt
        │   ├── bluesky.txt
        │   ├── blx.txt
        │   ├── bobax.txt
        │   ├── bofamet.txt
        │   ├── bolek.txt
        │   ├── bolik.txt
        │   ├── bomber.txt
        │   ├── bonaci.txt
        │   ├── bondat.txt
        │   ├── bondnet.txt
        │   ├── bonsoir.txt
        │   ├── boolka.txt
        │   ├── bootkitty.txt
        │   ├── borr.txt
        │   ├── boryptgrab.txt
        │   ├── bot_asus.txt
        │   ├── bot_mikrotik.txt
        │   ├── boteye.txt
        │   ├── boxclipper.txt
        │   ├── bozokrat.txt
        │   ├── bqtlock_ransomware.txt
        │   ├── braincipher.txt
        │   ├── braodo.txt
        │   ├── bravox_ransomware.txt
        │   ├── brbbot.txt
        │   ├── bredolab.txt
        │   ├── breut.txt
        │   ├── brontok.txt
        │   ├── bronzestarlight.txt
        │   ├── brookrat.txt
        │   ├── bropass.txt
        │   ├── brotherhood.txt
        │   ├── brushaloader.txt
        │   ├── bsloader.txt
        │   ├── bubnix.txt
        │   ├── bucriv.txt
        │   ├── buer.txt
        │   ├── bughatch.txt
        │   ├── bulehero.txt
        │   ├── bundlebot.txt
        │   ├── bunitu.txt
        │   ├── bunnyloader.txt
        │   ├── buran.txt
        │   ├── buterat.txt
        │   ├── butter.txt
        │   ├── byakugan.txt
        │   ├── cabinetrat.txt
        │   ├── cactus.txt
        │   ├── cactustorch.txt
        │   ├── caesar.txt
        │   ├── calfbot.txt
        │   ├── camerashy.txt
        │   ├── can.txt
        │   ├── cannibalrat.txt
        │   ├── capturatela.txt
        │   ├── carberp.txt
        │   ├── cardinalrat.txt
        │   ├── carnavalheist.txt
        │   ├── casbaneiro.txt
        │   ├── cashrat.txt
        │   ├── caspersec.txt
        │   ├── cassiopeia.txt
        │   ├── cattore.txt
        │   ├── ccleaner_backdoor.txt
        │   ├── ceidpagelock.txt
        │   ├── celestial.txt
        │   ├── centurion.txt
        │   ├── cephalus.txt
        │   ├── cerber.txt
        │   ├── cerbfyne.txt
        │   ├── cerbu.txt
        │   ├── cereals.txt
        │   ├── certishell.txt
        │   ├── cgnrat.txt
        │   ├── chainshot.txt
        │   ├── changeup.txt
        │   ├── chanitor.txt
        │   ├── chaos_ransomware.txt
        │   ├── chaosc2.txt
        │   ├── chaosrat.txt
        │   ├── chasebot.txt
        │   ├── cherryloader.txt
        │   ├── cheshire.txt
        │   ├── chewbacca.txt
        │   ├── chicxulub.txt
        │   ├── chimerabot.txt
        │   ├── chimneysweep.txt
        │   ├── chinachopper.txt
        │   ├── chinoxy.txt
        │   ├── chisbur.txt
        │   ├── chort.txt
        │   ├── chromelevator.txt
        │   ├── chromeloader.txt
        │   ├── chthonic.txt
        │   ├── ciadoor.txt
        │   ├── cicada3301.txt
        │   ├── cinasquel.txt
        │   ├── cinobi.txt
        │   ├── ciphbit.txt
        │   ├── cipherforce.txt
        │   ├── cirenegrat.txt
        │   ├── cleanup.txt
        │   ├── clearwater.txt
        │   ├── clientmeshrat.txt
        │   ├── clipsa.txt
        │   ├── cloak_ransomware.txt
        │   ├── clop.txt
        │   ├── cloudeye.txt
        │   ├── cloudstalker.txt
        │   ├── cmdstealer.txt
        │   ├── coalabot.txt
        │   ├── cobalt.txt
        │   ├── cobaltstrike-1.txt
        │   ├── cobaltstrike-2.txt
        │   ├── cobaltstrike.txt
        │   ├── cobianrat.txt
        │   ├── cobint.txt
        │   ├── coderware_ransomware.txt
        │   ├── coffeeloader.txt
        │   ├── coinbasecartel.txt
        │   ├── coinloader.txt
        │   ├── cold.txt
        │   ├── colibriloader.txt
        │   ├── collector.txt
        │   ├── cometer.txt
        │   ├── conficker.txt
        │   ├── conti.txt
        │   ├── contopee.txt
        │   ├── cookiest.txt
        │   ├── cooming.txt
        │   ├── corebot.txt
        │   ├── cosmicstrand.txt
        │   ├── cotxrat.txt
        │   ├── countloader.txt
        │   ├── couponarific.txt
        │   ├── cova.txt
        │   ├── crackonosh.txt
        │   ├── crapsomware.txt
        │   ├── cratedepression.txt
        │   ├── crazyhunter.txt
        │   ├── creal.txt
        │   ├── criakl.txt
        │   ├── cridex.txt
        │   ├── crilock.txt
        │   ├── cring.txt
        │   ├── cripto.txt
        │   ├── crmstealer.txt
        │   ├── crosslock.txt
        │   ├── cry0_ransomware.txt
        │   ├── cryakl.txt
        │   ├── crylocker.txt
        │   ├── cryp70n1c0d3.txt
        │   ├── cryptbb_ransomware.txt
        │   ├── cryptbot.txt
        │   ├── cryptfile2.txt
        │   ├── cryptinfinite.txt
        │   ├── cryptn8_ransomware.txt
        │   ├── cryptnet.txt
        │   ├── crypto24.txt
        │   ├── cryptoclippy.txt
        │   ├── cryptocroc.txt
        │   ├── cryptodefense.txt
        │   ├── cryptolocker.txt
        │   ├── cryptoshield.txt
        │   ├── cryptowall.txt
        │   ├── cryptxxx.txt
        │   ├── cryrig_miner.txt
        │   ├── crystealer.txt
        │   ├── csharpstreamerrat.txt
        │   ├── ctblocker.txt
        │   ├── cuba.txt
        │   ├── cube.txt
        │   ├── cutwail.txt
        │   ├── cybergaterat.txt
        │   ├── cyberstealer.txt
        │   ├── cylance.txt
        │   ├── cypress.txt
        │   ├── cythosia.txt
        │   ├── d0glun_ransomware.txt
        │   ├── d1onis.txt
        │   ├── d4rk4rmy.txt
        │   ├── dailyscriptlet.txt
        │   ├── daixin.txt
        │   ├── damoclis.txt
        │   ├── dan0n_ransomware.txt
        │   ├── danabot.txt
        │   ├── dangerous.txt
        │   ├── danji.txt
        │   ├── daolpu.txt
        │   ├── darkangels.txt
        │   ├── darkcloud.txt
        │   ├── darkddoser.txt
        │   ├── darkeye.txt
        │   ├── darkgate.txt
        │   ├── darkhole.txt
        │   ├── darkirc.txt
        │   ├── darkleak.txt
        │   ├── darkloader.txt
        │   ├── darkmoon.txt
        │   ├── darkpower.txt
        │   ├── darkrat.txt
        │   ├── darkshell.txt
        │   ├── darkshinigamis.txt
        │   ├── darkside.txt
        │   ├── darktortilla.txt
        │   ├── darkvault.txt
        │   ├── darkvision.txt
        │   ├── darkvnc.txt
        │   ├── darkware.txt
        │   ├── darkwatchman.txt
        │   ├── darkylock.txt
        │   ├── darth.txt
        │   ├── datacarry.txt
        │   ├── datakeeper.txt
        │   ├── dataleak_ransomware.txt
        │   ├── dcrat.txt
        │   ├── deadbolt.txt
        │   ├── deadglyph.txt
        │   ├── deadnetbot.txt
        │   ├── deathlocker.txt
        │   ├── deedrat.txt
        │   ├── defray.txt
        │   ├── defru.txt
        │   ├── deftloader.txt
        │   ├── delfloader.txt
        │   ├── delshad.txt
        │   ├── deltastealer.txt
        │   ├── denizkizi.txt
        │   ├── denonia.txt
        │   ├── deprimon.txt
        │   ├── derialock.txt
        │   ├── dero_miner.txt
        │   ├── desckvbrat.txt
        │   ├── desolator.txt
        │   ├── destiny.txt
        │   ├── destory.txt
        │   ├── destruktor.txt
        │   ├── detroie.txt
        │   ├── devilshadow.txt
        │   ├── devilstongue.txt
        │   ├── devman.txt
        │   ├── dexter.txt
        │   ├── dexwarerat.txt
        │   ├── dharma.txt
        │   ├── diablorat.txt
        │   ├── diamondfoxrat.txt
        │   ├── diavlo.txt
        │   ├── diavol.txt
        │   ├── diddy.txt
        │   ├── diez.txt
        │   ├── dimnie.txt
        │   ├── dior.txt
        │   ├── dircrypt.txt
        │   ├── dirtjump.txt
        │   ├── discordgrabber.txt
        │   ├── dmalocker.txt
        │   ├── dmsniff.txt
        │   ├── dmsspy.txt
        │   ├── dnsbirthday.txt
        │   ├── dnschanger.txt
        │   ├── dnstrojan.txt
        │   ├── dockerhub_malrepos.txt
        │   ├── doenerium.txt
        │   ├── dofoil.txt
        │   ├── doge.txt
        │   ├── dohdoor.txt
        │   ├── domen.txt
        │   ├── donex.txt
        │   ├── donut.txt
        │   ├── dopplepaymer.txt
        │   ├── doraemon.txt
        │   ├── dorifel.txt
        │   ├── dorkbot.txt
        │   ├── dorshel.txt
        │   ├── dorv.txt
        │   ├── dotrunpex.txt
        │   ├── doublefinger.txt
        │   ├── doubleguns.txt
        │   ├── doubleloader.txt
        │   ├── dracula.txt
        │   ├── dragonforce.txt
        │   ├── drahma.txt
        │   ├── drapion.txt
        │   ├── dread.txt
        │   ├── dreamc2.txt
        │   ├── dridex.txt
        │   ├── drill_ransomware.txt
        │   ├── drillapp.txt
        │   ├── drokbk.txt
        │   ├── dropnak.txt
        │   ├── droppitch.txt
        │   ├── dslog.txt
        │   ├── dtstealer.txt
        │   ├── dualtoy.txt
        │   ├── duckrat.txt
        │   ├── ducktail.txt
        │   ├── dupzom.txt
        │   ├── duri.txt
        │   ├── dursg.txt
        │   ├── dustrat.txt
        │   ├── duvet.txt
        │   ├── dynamicrat.txt
        │   ├── dyreza.txt
        │   ├── eaglerat.txt
        │   ├── easy.txt
        │   ├── easypeasy.txt
        │   ├── ebola.txt
        │   ├── echelon.txt
        │   ├── echida.txt
        │   ├── eddie.txt
        │   ├── edgeguard.txt
        │   ├── egregor.txt
        │   ├── ekiparat.txt
        │   ├── eldorado_ransomware.txt
        │   ├── electronbot.txt
        │   ├── electrorat.txt
        │   ├── elf_abcbot.txt
        │   ├── elf_aidra.txt
        │   ├── elf_amcsh.txt
        │   ├── elf_amnesiark.txt
        │   ├── elf_asnarok.txt
        │   ├── elf_autocolor.txt
        │   ├── elf_b1txor20.txt
        │   ├── elf_bigviktor.txt
        │   ├── elf_billgates.txt
        │   ├── elf_blueshell.txt
        │   ├── elf_boldmove.txt
        │   ├── elf_cdrthief.txt
        │   ├── elf_chalubo.txt
        │   ├── elf_chinaz.txt
        │   ├── elf_coinminer.txt
        │   ├── elf_cronrat.txt
        │   ├── elf_darkradiation.txt
        │   ├── elf_darlloz.txt
        │   ├── elf_ddosman.txt
        │   ├── elf_disgomoji.txt
        │   ├── elf_diskwiper.txt
        │   ├── elf_dofloo.txt
        │   ├── elf_doki.txt
        │   ├── elf_ekoms.txt
        │   ├── elf_emptiness.txt
        │   ├── elf_evilgnome.txt
        │   ├── elf_ewdoor.txt
        │   ├── elf_facefish.txt
        │   ├── elf_fodcha.txt
        │   ├── elf_fontonlake.txt
        │   ├── elf_freakout.txt
        │   ├── elf_fritzfrog.txt
        │   ├── elf_gafgyt.txt
        │   ├── elf_generic.txt
        │   ├── elf_gobrat.txt
        │   ├── elf_gotitan.txt
        │   ├── elf_groundhog.txt
        │   ├── elf_h2miner.txt
        │   ├── elf_hajime.txt
        │   ├── elf_heh.txt
        │   ├── elf_hellobot.txt
        │   ├── elf_hiatusrat.txt
        │   ├── elf_hiddenwasp.txt
        │   ├── elf_hideseek.txt
        │   ├── elf_hodin.txt
        │   ├── elf_httpsd.txt
        │   ├── elf_icnanker.txt
        │   ├── elf_insekt.txt
        │   ├── elf_iotreaper.txt
        │   ├── elf_ipstorm.txt
        │   ├── elf_kaiji.txt
        │   ├── elf_kaiten.txt
        │   ├── elf_kfos.txt
        │   ├── elf_kmsdbot.txt
        │   ├── elf_kobalos.txt
        │   ├── elf_krane.txt
        │   ├── elf_krasue.txt
        │   ├── elf_labrat.txt
        │   ├── elf_lady.txt
        │   ├── elf_manx.txt
        │   ├── elf_mayhem.txt
        │   ├── elf_melofee.txt
        │   ├── elf_mirai.txt
        │   ├── elf_mokes.txt
        │   ├── elf_moobot.txt
        │   ├── elf_mumblehard.txt
        │   ├── elf_ngioweb.txt
        │   ├── elf_nkabuse.txt
        │   ├── elf_nspps.txt
        │   ├── elf_openssh_backdoorkit.txt
        │   ├── elf_pacha.txt
        │   ├── elf_pasteminer.txt
        │   ├── elf_patpooty.txt
        │   ├── elf_perfctl.txt
        │   ├── elf_pgmem.txt
        │   ├── elf_pink.txt
        │   ├── elf_pinscan.txt
        │   ├── elf_platypus.txt
        │   ├── elf_plox.txt
        │   ├── elf_powerghost.txt
        │   ├── elf_prism.txt
        │   ├── elf_pumakit.txt
        │   ├── elf_qbot.txt
        │   ├── elf_ransomware.txt
        │   ├── elf_redxor.txt
        │   ├── elf_rekoobe.txt
        │   ├── elf_roboto.txt
        │   ├── elf_routex.txt
        │   ├── elf_rudedevil.txt
        │   ├── elf_shelldos.txt
        │   ├── elf_shikata.txt
        │   ├── elf_shikitega.txt
        │   ├── elf_sidewalk.txt
        │   ├── elf_skidmap.txt
        │   ├── elf_slexec.txt
        │   ├── elf_smargaft.txt
        │   ├── elf_speakup.txt
        │   ├── elf_specter.txt
        │   ├── elf_sshdoor.txt
        │   ├── elf_sshscan.txt
        │   ├── elf_symbiote.txt
        │   ├── elf_teamtnt.txt
        │   ├── elf_themoon.txt
        │   ├── elf_torii.txt
        │   ├── elf_tshgod.txt
        │   ├── elf_tunpot.txt
        │   ├── elf_voidlink.txt
        │   ├── elf_vpnfilter.txt
        │   ├── elf_vtflooder.txt
        │   ├── elf_xbash.txt
        │   ├── elf_xdr33.txt
        │   ├── elf_xnote.txt
        │   ├── elf_xorddos.txt
        │   ├── elpman.txt
        │   ├── elysium.txt
        │   ├── emansrepo.txt
        │   ├── embargo.txt
        │   ├── emdivi.txt
        │   ├── emmenhtal.txt
        │   ├── emogen.txt
        │   ├── emotet.txt
        │   ├── empirerat.txt
        │   ├── enc_ransomware.txt
        │   ├── engrwiz.txt
        │   ├── entropy.txt
        │   ├── ep918_ransomware.txt
        │   ├── epsilon.txt
        │   ├── epsteinrat.txt
        │   ├── erbium.txt
        │   ├── eredel.txt
        │   ├── escelar.txt
        │   ├── esfur.txt
        │   ├── especter.txt
        │   ├── esquele.txt
        │   ├── eternalblue.txt
        │   ├── eternalrocks.txt
        │   ├── eternity.txt
        │   ├── everest.txt
        │   ├── evilbunny.txt
        │   ├── evilextractor.txt
        │   ├── evilgrab.txt
        │   ├── evilnominatus.txt
        │   ├── evilnum.txt
        │   ├── evilproxy.txt
        │   ├── evilstealer.txt
        │   ├── evoltinpos.txt
        │   ├── evrial.txt
        │   ├── exa.txt
        │   ├── exela.txt
        │   ├── exitium.txt
        │   ├── exorcist.txt
        │   ├── exoticloader.txt
        │   ├── expiro.txt
        │   ├── extenbro.txt
        │   ├── eyespy.txt
        │   ├── fahis.txt
        │   ├── fakben.txt
        │   ├── fakeadobe.txt
        │   ├── fakeapp.txt
        │   ├── fakeav.txt
        │   ├── fakebat.txt
        │   ├── fakeran.txt
        │   ├── faketicketer.txt
        │   ├── fantazyaloader.txt
        │   ├── fantom.txt
        │   ├── fareit.txt
        │   ├── farfli.txt
        │   ├── faria.txt
        │   ├── farseer.txt
        │   ├── fastloader.txt
        │   ├── fatherrat.txt
        │   ├── fbi_ransomware.txt
        │   ├── fbstealer.txt
        │   ├── fbtime.txt
        │   ├── felixhttp.txt
        │   ├── fenix.txt
        │   ├── fenixrat.txt
        │   ├── ffdroider.txt
        │   ├── ficker.txt
        │   ├── fiexp.txt
        │   ├── fignotok.txt
        │   ├── filemess.txt
        │   ├── filespider.txt
        │   ├── filsh.txt
        │   ├── fin12.txt
        │   ├── fin4.txt
        │   ├── fin6.txt
        │   ├── fin7.txt
        │   ├── fin8.txt
        │   ├── fin9.txt
        │   ├── finderbot.txt
        │   ├── findpos.txt
        │   ├── firebird.txt
        │   ├── flesh.txt
        │   ├── fletchen.txt
        │   ├── fletchen_ransomware.txt
        │   ├── flocker.txt
        │   ├── floxif.txt
        │   ├── fnumbot.txt
        │   ├── fobber.txt
        │   ├── fog_ransomware.txt
        │   ├── formbook.txt
        │   ├── fourteenhi.txt
        │   ├── fox.txt
        │   ├── frag_ransomware.txt
        │   ├── frankenstein.txt
        │   ├── frat.txt
        │   ├── fraudload.txt
        │   ├── fredy.txt
        │   ├── fruitfly.txt
        │   ├── ftcode.txt
        │   ├── fudcrypt.txt
        │   ├── fujinama.txt
        │   ├── fukuworm.txt
        │   ├── funksec.txt
        │   ├── fusionloader.txt
        │   ├── fynloski.txt
        │   ├── fysna.txt
        │   ├── gamania.txt
        │   ├── gamapos.txt
        │   ├── gandcrab.txt
        │   ├── gaudox.txt
        │   ├── gauss.txt
        │   ├── gbot.txt
        │   ├── gdlockersec.txt
        │   ├── gehenna.txt
        │   ├── gelsemium.txt
        │   ├── generic.txt
        │   ├── generic_cwprce.txt
        │   ├── generic_follina.txt
        │   ├── generic_log4shell.txt
        │   ├── generic_miner.txt
        │   ├── generic_proxynotshell.txt
        │   ├── generic_ransomware.txt
        │   ├── generic_stealer.txt
        │   ├── genesis_ransomware.txt
        │   ├── gentlemen.txt
        │   ├── germanwiper.txt
        │   ├── gh0stbins.txt
        │   ├── gh0strat.txt
        │   ├── ghost_miner.txt
        │   ├── ghostbot.txt
        │   ├── ghostdns.txt
        │   ├── ghostengine.txt
        │   ├── ghostlocker.txt
        │   ├── ghostposter.txt
        │   ├── ghostredirector.txt
        │   ├── giftedcrook.txt
        │   ├── ginzo.txt
        │   ├── gippers.txt
        │   ├── glassworm.txt
        │   ├── glitchpos.txt
        │   ├── global_ransomware.txt
        │   ├── glock.txt
        │   ├── glorysprout.txt
        │   ├── glove.txt
        │   ├── glupteba.txt
        │   ├── goblinrat.txt
        │   ├── gobotkr.txt
        │   ├── gobrut.txt
        │   ├── godlua.txt
        │   ├── godrat.txt
        │   ├── godzilla.txt
        │   ├── gokeylogger.txt
        │   ├── goldbrute.txt
        │   ├── goldenspy.txt
        │   ├── golroted.txt
        │   ├── gomet.txt
        │   ├── good_ransomware.txt
        │   ├── goodwill_ransomware.txt
        │   ├── goomba.txt
        │   ├── gootkit.txt
        │   ├── gopix.txt
        │   ├── gorat.txt
        │   ├── gored.txt
        │   ├── gotham.txt
        │   ├── grager.txt
        │   ├── grand.txt
        │   ├── grandamisha.txt
        │   ├── grandmonty.txt
        │   ├── grandoreiro.txt
        │   ├── gravityrat.txt
        │   ├── greamerat.txt
        │   ├── greenblood.txt
        │   ├── greenstone.txt
        │   ├── gremlin.txt
        │   ├── grief.txt
        │   ├── grimagent.txt
        │   ├── grimbolt.txt
        │   ├── grmsk.txt
        │   ├── grobrat.txt
        │   ├── grokpy.txt
        │   ├── groooboor.txt
        │   ├── groove.txt
        │   ├── growtopia.txt
        │   ├── gruntstager.txt
        │   ├── gtbot.txt
        │   ├── guloader.txt
        │   ├── gunra.txt
        │   ├── gupti_miner.txt
        │   ├── gypsyteam.txt
        │   ├── h1n1.txt
        │   ├── habitsrat.txt
        │   ├── hacked_3cx.txt
        │   ├── hacked_apkpure.txt
        │   ├── hacked_chromecrxext.txt
        │   ├── hacked_ciscosslvpn.txt
        │   ├── hacked_cms8000.txt
        │   ├── hacked_codecov.txt
        │   ├── hacked_comm100.txt
        │   ├── hacked_dependabot.txt
        │   ├── hacked_dnspy.txt
        │   ├── hacked_f5.txt
        │   ├── hacked_fdm.txt
        │   ├── hacked_fortinac.txt
        │   ├── hacked_githubrepos.txt
        │   ├── hacked_globalprotect.txt
        │   ├── hacked_healthcheck.txt
        │   ├── hacked_keepass.txt
        │   ├── hacked_log4j.txt
        │   ├── hacked_mint.txt
        │   ├── hacked_monero.txt
        │   ├── hacked_moveit.txt
        │   ├── hacked_netweaversap.txt
        │   ├── hacked_nginx.txt
        │   ├── hacked_npmrepos.txt
        │   ├── hacked_openvsxext.txt
        │   ├── hacked_pygrata.txt
        │   ├── hacked_pypirepos.txt
        │   ├── hacked_pytorch.txt
        │   ├── hacked_saltstack.txt
        │   ├── hacked_solarwinds.txt
        │   ├── hacked_trivy.txt
        │   ├── hacked_trustwallet.txt
        │   ├── hacked_uaparserjs.txt
        │   ├── hacked_vsixext.txt
        │   ├── hacked_whlext.txt
        │   ├── hacking_team.txt
        │   ├── hadestealer.txt
        │   ├── haibonbay.txt
        │   ├── hamaetot.txt
        │   ├── handala.txt
        │   ├── hannibal.txt
        │   ├── harnig.txt
        │   ├── haron.txt
        │   ├── havanacrypt.txt
        │   ├── hawkball.txt
        │   ├── hawkeye.txt
        │   ├── hekworm.txt
        │   ├── hellcat.txt
        │   ├── helldown_ransomware.txt
        │   ├── hellokitty.txt
        │   ├── helloxd.txt
        │   ├── hellsdaysec.txt
        │   ├── helompy.txt
        │   ├── hennessy.txt
        │   ├── hermeticwiper.txt
        │   ├── hexon.txt
        │   ├── hiddenbee.txt
        │   ├── hiddenbeer.txt
        │   ├── hiddentear.txt
        │   ├── hiloti.txt
        │   ├── hinired.txt
        │   ├── hitler_ransomware.txt
        │   ├── hive_ransomware.txt
        │   ├── hiverat.txt
        │   ├── holdthismoney.txt
        │   ├── hollow_miner.txt
        │   ├── holygh0st.txt
        │   ├── holyghost.txt
        │   ├── honeybee.txt
        │   ├── hoplight.txt
        │   ├── hotarus.txt
        │   ├── houdini.txt
        │   ├── hunters_ransomware.txt
        │   ├── huntpos.txt
        │   ├── hvncrat.txt
        │   ├── hydracrypt.txt
        │   ├── hydseven.txt
        │   ├── hzrat.txt
        │   ├── i2prat.txt
        │   ├── icarus.txt
        │   ├── icebreaker.txt
        │   ├── icedid.txt
        │   ├── icefire.txt
        │   ├── icerat.txt
        │   ├── icexloader.txt
        │   ├── iconloader.txt
        │   ├── igb_ransomware.txt
        │   ├── imbetter.txt
        │   ├── imddos.txt
        │   ├── imminentrat.txt
        │   ├── immortal.txt
        │   ├── imncrew.txt
        │   ├── inari.txt
        │   ├── inc_ransomware.txt
        │   ├── indexsinas.txt
        │   ├── indone_miner.txt
        │   ├── infinilate.txt
        │   ├── infinityrat.txt
        │   ├── injecto.txt
        │   ├── innfirat.txt
        │   ├── insomnia.txt
        │   ├── interlock-1.txt
        │   ├── interlock.txt
        │   ├── interstellar.txt
        │   ├── investimer.txt
        │   ├── invisimole.txt
        │   ├── ios_glasscage.txt
        │   ├── ios_keyraider.txt
        │   ├── ios_muda.txt
        │   ├── ios_oneclickfraud.txt
        │   ├── ios_realtimespy.txt
        │   ├── ios_specter.txt
        │   ├── ios_xcodeghost.txt
        │   ├── ipikabot.txt
        │   ├── iris.txt
        │   ├── iron.txt
        │   ├── ismdoor.txt
        │   ├── isodisk.txt
        │   ├── ispy.txt
        │   ├── isr.txt
        │   ├── ixware.txt
        │   ├── j_ransomware.txt
        │   ├── jackpos.txt
        │   ├── jacksbot.txt
        │   ├── jaff.txt
        │   ├── janelarat.txt
        │   ├── janeleiro.txt
        │   ├── jaska.txt
        │   ├── jasmin.txt
        │   ├── jasperloader.txt
        │   ├── javali.txt
        │   ├── javaloader.txt
        │   ├── javarat.txt
        │   ├── jedobot.txt
        │   ├── jerryrat.txt
        │   ├── jester.txt
        │   ├── jigsaw.txt
        │   ├── jinxloader.txt
        │   ├── jrat.txt
        │   ├── jripbot.txt
        │   ├── jshellrat.txt
        │   ├── jsoutprox.txt
        │   ├── jspspy.txt
        │   ├── juice.txt
        │   ├── junos_jmagic.txt
        │   ├── jupyter.txt
        │   ├── justaskjacky.txt
        │   ├── k8steal.txt
        │   ├── kairos.txt
        │   ├── kamasers.txt
        │   ├── kapahyku.txt
        │   ├── karkoff.txt
        │   ├── karma.txt
        │   ├── karstorat.txt
        │   ├── kasidet.txt
        │   ├── katz.txt
        │   ├── kawalocker.txt
        │   ├── kazakrat.txt
        │   ├── kazu_ransomware.txt
        │   ├── kazy.txt
        │   ├── kbot.txt
        │   ├── kegotip.txt
        │   ├── kelihos.txt
        │   ├── kelvinsec.txt
        │   ├── kematian.txt
        │   ├── kentloader.txt
        │   ├── keres.txt
        │   ├── kernelbot.txt
        │   ├── keybase.txt
        │   ├── khonsari_ransomware.txt
        │   ├── khrat.txt
        │   ├── kidotai.txt
        │   ├── kief.txt
        │   ├── killrabbit.txt
        │   ├── killsec.txt
        │   ├── killua.txt
        │   ├── kingslayer.txt
        │   ├── kingsman.txt
        │   ├── kittykatkrew.txt
        │   ├── kjw0rm.txt
        │   ├── klingon.txt
        │   ├── knotweed.txt
        │   ├── koadic.txt
        │   ├── koi.txt
        │   ├── kolab.txt
        │   ├── konni.txt
        │   ├── koobface.txt
        │   ├── korplug.txt
        │   ├── kortex.txt
        │   ├── kovter.txt
        │   ├── kpot.txt
        │   ├── kradellsh.txt
        │   ├── kraken.txt
        │   ├── kraziomel.txt
        │   ├── kromagent.txt
        │   ├── kronos.txt
        │   ├── krown.txt
        │   ├── krugbot.txt
        │   ├── krypt_ransomware.txt
        │   ├── kryptocibule.txt
        │   ├── kryptos_ransomware.txt
        │   ├── kuago_miner.txt
        │   ├── kuiper_ransomware.txt
        │   ├── kulekmoko.txt
        │   ├── kupidon.txt
        │   ├── kutaki.txt
        │   ├── kwampirsrat.txt
        │   ├── kyber_ransomware.txt
        │   ├── l0rdix.txt
        │   ├── ladon.txt
        │   ├── lambda_ransomware.txt
        │   ├── lampion.txt
        │   ├── lanfiltrator.txt
        │   ├── lapdogs.txt
        │   ├── laplasclipper.txt
        │   ├── latentbot.txt
        │   ├── latot.txt
        │   ├── latrodectus.txt
        │   ├── laurent.txt
        │   ├── lazagne.txt
        │   ├── laziok.txt
        │   ├── lcy.txt
        │   ├── ldpinch.txt
        │   ├── leaknet_ransomware.txt
        │   ├── leaktheanalyst.txt
        │   ├── ledger_backdoor.txt
        │   ├── legion_loader.txt
        │   ├── lemonduck_miner.txt
        │   ├── leprechaun.txt
        │   ├── lethic.txt
        │   ├── lgoogloader.txt
        │   ├── lightning.txt
        │   ├── lilith.txt
        │   ├── limerat.txt
        │   ├── linkc_ransomware.txt
        │   ├── linkoptimizer.txt
        │   ├── litehttp.txt
        │   ├── liushen.txt
        │   ├── loadpcbanker.txt
        │   ├── lockbit.txt
        │   ├── lockdata.txt
        │   ├── locky.txt
        │   ├── lodarat.txt
        │   ├── lodeinfo.txt
        │   ├── logx.txt
        │   ├── lokibot.txt
        │   ├── lokidoor.txt
        │   ├── lokilock.txt
        │   ├── lokirat.txt
        │   ├── lokorrito.txt
        │   ├── lolkek_ransomware.txt
        │   ├── lollipop.txt
        │   ├── lolnek.txt
        │   ├── loocipher.txt
        │   ├── loopbackrat.txt
        │   ├── lorenz.txt
        │   ├── losabel.txt
        │   ├── lostdoorrat.txt
        │   ├── loud_miner.txt
        │   ├── ltx.txt
        │   ├── lu0bot.txt
        │   ├── luca.txt
        │   ├── lucidoor.txt
        │   ├── lucifer.txt
        │   ├── lucky.txt
        │   ├── luminositylinkrat.txt
        │   ├── lummac2.txt
        │   ├── lunalock.txt
        │   ├── lunar.txt
        │   ├── luoxk.txt
        │   ├── lust.txt
        │   ├── luxnetrat.txt
        │   ├── lv_ransomware.txt
        │   ├── m00nd3v.txt
        │   ├── m1nus273_ransomware.txt
        │   ├── m8220_miner.txt
        │   ├── madliberator.txt
        │   ├── madmxshell.txt
        │   ├── mado_miner.txt
        │   ├── maggie.txt
        │   ├── magicpos.txt
        │   ├── magniber.txt
        │   ├── majikpos.txt
        │   ├── mallox.txt
        │   ├── mambashim.txt
        │   ├── mamo.txt
        │   ├── mamona.txt
        │   ├── manabot.txt
        │   ├── mancsyn.txt
        │   ├── mandaph.txt
        │   ├── maplebot.txt
        │   ├── maranhao.txt
        │   ├── marap.txt
        │   ├── mardom.txt
        │   ├── marketo.txt
        │   ├── markopolo.txt
        │   ├── marmoolak.txt
        │   ├── marsjoke.txt
        │   ├── masad.txt
        │   ├── maskgram.txt
        │   ├── mass_miner.txt
        │   ├── masslogger.txt
        │   ├── mastermana.txt
        │   ├── matanbuchus.txt
        │   ├── matrix.txt
        │   ├── matrixmax.txt
        │   ├── matsnu.txt
        │   ├── mauri_ransomware.txt
        │   ├── mave.txt
        │   ├── maze.txt
        │   ├── mbc_ransomware.txt
        │   ├── mdrop.txt
        │   ├── meatball.txt
        │   ├── mebroot.txt
        │   ├── medbot.txt
        │   ├── medusa.txt
        │   ├── medusahttp.txt
        │   ├── medusalocker.txt
        │   ├── megacortex.txt
        │   ├── megalodonhttprat.txt
        │   ├── megaopac.txt
        │   ├── megumin.txt
        │   ├── mehcrypter.txt
        │   ├── mekotio.txt
        │   ├── mena_ransomware.txt
        │   ├── meow.txt
        │   ├── mercurybot.txt
        │   ├── meris.txt
        │   ├── merkspy.txt
        │   ├── mespinoza.txt
        │   ├── mestep.txt
        │   ├── meta.txt
        │   ├── metador.txt
        │   ├── metadrain.txt
        │   ├── metaencryptor.txt
        │   ├── metamorfo.txt
        │   ├── mewsei.txt
        │   ├── microstealer.txt
        │   ├── midas.txt
        │   ├── midie.txt
        │   ├── mielit.txt
        │   ├── miga_ransomware.txt
        │   ├── migo_miner.txt
        │   ├── milkman.txt
        │   ├── milkyboy.txt
        │   ├── millionware.txt
        │   ├── mimus.txt
        │   ├── minas_miner.txt
        │   ├── minedoor.txt
        │   ├── mingloa.txt
        │   ├── minotaur.txt
        │   ├── mint.txt
        │   ├── mintsloader.txt
        │   ├── miragefox.txt
        │   ├── mirai_stealer.txt
        │   ├── misogow.txt
        │   ├── mist.txt
        │   ├── mitglieder.txt
        │   ├── miuref.txt
        │   ├── mixshell.txt
        │   ├── mnubot.txt
        │   ├── mocker.txt
        │   ├── modelorat.txt
        │   ├── modirat.txt
        │   ├── modpipe.txt
        │   ├── modpos.txt
        │   ├── momo33333.txt
        │   ├── moneymessage.txt
        │   ├── monkey_ransomware.txt
        │   ├── monolith.txt
        │   ├── monsterinstall.txt
        │   ├── montysthree.txt
        │   ├── moonlight.txt
        │   ├── moonriserat.txt
        │   ├── moontag.txt
        │   ├── moorat.txt
        │   ├── morpheus.txt
        │   ├── morto.txt
        │   ├── morty.txt
        │   ├── mosaicregressor.txt
        │   ├── moserpass.txt
        │   ├── moses.txt
        │   ├── mosquito.txt
        │   ├── mostererat.txt
        │   ├── mosucker.txt
        │   ├── mountlocker.txt
        │   ├── mozart.txt
        │   ├── mranon.txt
        │   ├── mrb_miner.txt
        │   ├── mrstealer.txt
        │   ├── ms13089_ransomware.txt
        │   ├── mstealer.txt
        │   ├── msupedge.txt
        │   ├── mufila.txt
        │   ├── muggle.txt
        │   ├── mumbai.txt
        │   ├── muse_miner.txt
        │   ├── mydata_ransomware.txt
        │   ├── mydoom.txt
        │   ├── mykings_miner.txt
        │   ├── mylobot.txt
        │   ├── mysticalnet.txt
        │   ├── n13v_ransomware.txt
        │   ├── n2019cov.txt
        │   ├── n3tw0rm.txt
        │   ├── n3xtrat.txt
        │   ├── nampohyu.txt
        │   ├── nanocore.txt
        │   ├── napolar.txt
        │   ├── narniarat.txt
        │   ├── nasir.txt
        │   ├── nbot.txt
        │   ├── necrobot.txt
        │   ├── necurs.txt
        │   ├── neko.txt
        │   ├── nelsy.txt
        │   ├── nemeot.txt
        │   ├── nemesis.txt
        │   ├── nemezida_ransomware.txt
        │   ├── nemty.txt
        │   ├── nemucod.txt
        │   ├── neojit.txt
        │   ├── neonwallet.txt
        │   ├── neptune.txt
        │   ├── neptunerat.txt
        │   ├── nerbian.txt
        │   ├── neshuta.txt
        │   ├── nestrat.txt
        │   ├── netbounce.txt
        │   ├── netbus.txt
        │   ├── netdooka.txt
        │   ├── netloader.txt
        │   ├── netsupport.txt
        │   ├── netwalker.txt
        │   ├── netwire.txt
        │   ├── neuron.txt
        │   ├── neurorat.txt
        │   ├── neus.txt
        │   ├── neutrino.txt
        │   ├── nevada_ransomware.txt
        │   ├── newbot.txt
        │   ├── newddosbot.txt
        │   ├── newpos.txt
        │   ├── newsrat.txt
        │   ├── nex.txt
        │   ├── nexlogger.txt
        │   ├── nextmind.txt
        │   ├── nexus.txt
        │   ├── nhattuanblrat.txt
        │   ├── nicerat.txt
        │   ├── nigelthorn.txt
        │   ├── nightingale.txt
        │   ├── nightshadec2.txt
        │   ├── nightsky.txt
        │   ├── nightspire.txt
        │   ├── nikki.txt
        │   ├── nionspy.txt
        │   ├── nitol.txt
        │   ├── nitro.txt
        │   ├── nitrogen.txt
        │   ├── nivdort.txt
        │   ├── njrat-1.txt
        │   ├── njrat.txt
        │   ├── nocry.txt
        │   ├── nodersok.txt
        │   ├── nodestealer.txt
        │   ├── noescape.txt
        │   ├── nokoyawa.txt
        │   ├── nomercy.txt
        │   ├── nonbolqu.txt
        │   ├── noodlophile.txt
        │   ├── nopyfy.txt
        │   ├── norddragonscan.txt
        │   ├── normaldaki.txt
        │   ├── notrobin.txt
        │   ├── nova_ransomware.txt
        │   ├── novahttp.txt
        │   ├── novaloader.txt
        │   ├── novasentinel.txt
        │   ├── novel_miner.txt
        │   ├── novobot.txt
        │   ├── novter.txt
        │   ├── novu.txt
        │   ├── now.txt
        │   ├── nozelesn.txt
        │   ├── nsabuff_miner.txt
        │   ├── ntstealer.txt
        │   ├── nucleartor.txt
        │   ├── nuggetphantom.txt
        │   ├── nullbulge.txt
        │   ├── nullmixer.txt
        │   ├── numando.txt
        │   ├── nuqel.txt
        │   ├── nworm.txt
        │   ├── nwt.txt
        │   ├── nymaim.txt
        │   ├── nymeria.txt
        │   ├── oapt_ransomware.txt
        │   ├── obliquerat.txt
        │   ├── obscura.txt
        │   ├── obscurebat.txt
        │   ├── observer.txt
        │   ├── octalyn.txt
        │   ├── octopus.txt
        │   ├── octopuz.txt
        │   ├── octorat.txt
        │   ├── odcodc.txt
        │   ├── oddball.txt
        │   ├── odyssey.txt
        │   ├── offendium.txt
        │   ├── offloader.txt
        │   ├── oficla.txt
        │   ├── olymploader.txt
        │   ├── olympus.txt
        │   ├── omegaloader.txt
        │   ├── oneclik.txt
        │   ├── onepercent.txt
        │   ├── onionpoison.txt
        │   ├── onkods.txt
        │   ├── optima.txt
        │   ├── orca_rasnomware.txt
        │   ├── orchard.txt
        │   ├── orcusrat.txt
        │   ├── originbot.txt
        │   ├── orion_ransomware.txt
        │   ├── oriongrabber.txt
        │   ├── osiris_ransomware.txt
        │   ├── oski.txt
        │   ├── ospreypr.txt
        │   ├── ostap.txt
        │   ├── osx_atomic.txt
        │   ├── osx_banshee.txt
        │   ├── osx_bundlore.txt
        │   ├── osx_cheana.txt
        │   ├── osx_chillyhell.txt
        │   ├── osx_clipstealer.txt
        │   ├── osx_coinminer.txt
        │   ├── osx_coldroot.txt
        │   ├── osx_cthulhu.txt
        │   ├── osx_dazzlespy.txt
        │   ├── osx_fakeapp.txt
        │   ├── osx_flashback.txt
        │   ├── osx_generic.txt
        │   ├── osx_gmera.txt
        │   ├── osx_godoor.txt
        │   ├── osx_hashbreaker.txt
        │   ├── osx_imuler.txt
        │   ├── osx_jokerspy.txt
        │   ├── osx_jscorerunner.txt
        │   ├── osx_keranger.txt
        │   ├── osx_keydnap.txt
        │   ├── osx_keysteal.txt
        │   ├── osx_linker.txt
        │   ├── osx_lol.txt
        │   ├── osx_loselose.txt
        │   ├── osx_m1.txt
        │   ├── osx_macma.txt
        │   ├── osx_macmeow.txt
        │   ├── osx_macspy.txt
        │   ├── osx_mami.txt
        │   ├── osx_mokes.txt
        │   ├── osx_mughthesec.txt
        │   ├── osx_nova.txt
        │   ├── osx_osaminer.txt
        │   ├── osx_phexiabot.txt
        │   ├── osx_proton.txt
        │   ├── osx_proxy.txt
        │   ├── osx_pureland.txt
        │   ├── osx_readerupdate.txt
        │   ├── osx_realst.txt
        │   ├── osx_rustdoor.txt
        │   ├── osx_salgorea.txt
        │   ├── osx_shlayer.txt
        │   ├── osx_thiefquest.txt
        │   ├── osx_trikster.txt
        │   ├── osx_updateagent.txt
        │   ├── osx_wirelurker.txt
        │   ├── osx_xcodespy.txt
        │   ├── osx_xcsset.txt
        │   ├── osx_zuru.txt
        │   ├── ovidiy.txt
        │   ├── owowa.txt
        │   ├── oxtarat.txt
        │   ├── oyster.txt
        │   ├── p2pinfect.txt
        │   ├── padcrypt.txt
        │   ├── palevo.txt
        │   ├── palmerworm.txt
        │   ├── pandabanker.txt
        │   ├── pandora.txt
        │   ├── panteganarat.txt
        │   ├── panther.txt
        │   ├── paradoxrat.txt
        │   ├── parallax.txt
        │   ├── parasitesnatcher.txt
        │   ├── patchbrowse.txt
        │   ├── patriot.txt
        │   ├── pay2key.txt
        │   ├── paycrypt.txt
        │   ├── payload_ransomware.txt
        │   ├── payloadbin.txt
        │   ├── payoutsking.txt
        │   ├── paysafecard.txt
        │   ├── pcastle_miner.txt
        │   ├── pcshare.txt
        │   ├── pdfjsc.txt
        │   ├── peaklight.txt
        │   ├── pear_ransomware.txt
        │   ├── pearl.txt
        │   ├── pennywise.txt
        │   ├── pepperat.txt
        │   ├── peppyrat.txt
        │   ├── perl_shellbot.txt
        │   ├── perseusrat.txt
        │   ├── petya.txt
        │   ├── pghost.txt
        │   ├── phantom.txt
        │   ├── phantomrat.txt
        │   ├── phasebot.txt
        │   ├── phemedrone.txt
        │   ├── philadelphia.txt
        │   ├── phoenix.txt
        │   ├── phoenix_miner.txt
        │   ├── phorpiex.txt
        │   ├── photo_miner.txt
        │   ├── phpstudyghost.txt
        │   ├── phpw_ransomware.txt
        │   ├── phxi.txt
        │   ├── phytob.txt
        │   ├── picgoo.txt
        │   ├── pickai.txt
        │   ├── pift.txt
        │   ├── pinkslipbot.txt
        │   ├── pipka.txt
        │   ├── piratematryoshka.txt
        │   ├── piritebot.txt
        │   ├── pixpirate.txt
        │   ├── plague.txt
        │   ├── planet.txt
        │   ├── plasmarat.txt
        │   ├── playboy_ransomware.txt
        │   ├── plead.txt
        │   ├── pleasereadme_ransomware.txt
        │   ├── plugx.txt
        │   ├── plurox.txt
        │   ├── plutocrypt.txt
        │   ├── plutos.txt
        │   ├── pocorat.txt
        │   ├── poetrat.txt
        │   ├── poisonivy.txt
        │   ├── polaredge.txt
        │   ├── ponmocup.txt
        │   ├── poppingeagle.txt
        │   ├── portstarter.txt
        │   ├── poshcoder.txt
        │   ├── pots.txt
        │   ├── poullight.txt
        │   ├── poverty.txt
        │   ├── powelike.txt
        │   ├── powerpool.txt
        │   ├── powershell_injector.txt
        │   ├── powershell_ransomware.txt
        │   ├── powershell_smbghost.txt
        │   ├── powerworm.txt
        │   ├── powmet.txt
        │   ├── prash.txt
        │   ├── prat.txt
        │   ├── prctrlrat.txt
        │   ├── predatory.txt
        │   ├── pripyat_miner.txt
        │   ├── privatecrypt.txt
        │   ├── privateloader.txt
        │   ├── proced.txt
        │   ├── prolificpuma.txt
        │   ├── prometei.txt
        │   ├── propagate.txt
        │   ├── prorat.txt
        │   ├── proslikefan.txt
        │   ├── prostoclipper.txt
        │   ├── prostoloader.txt
        │   ├── protonbot.txt
        │   ├── prowli.txt
        │   ├── proxyback.txt
        │   ├── proxycb.txt
        │   ├── prysmax.txt
        │   ├── pryx_ransomware.txt
        │   ├── psixbot.txt
        │   ├── pswstealer.txt
        │   ├── pulsarrat.txt
        │   ├── punisher_ransomware.txt
        │   ├── punisherrat.txt
        │   ├── pupyrat.txt
        │   ├── purecrypter.txt
        │   ├── purelogs.txt
        │   ├── purplefox.txt
        │   ├── purpleurchin.txt
        │   ├── purplewave.txt
        │   ├── pushdo.txt
        │   ├── puzzlemaker.txt
        │   ├── pxabot.txt
        │   ├── pycstealer.txt
        │   ├── pykspa.txt
        │   ├── pyleet.txt
        │   ├── pylocky.txt
        │   ├── pypi_backdoor.txt
        │   ├── pyrogenic.txt
        │   ├── pysa_ransomware.txt
        │   ├── python_appxpy.txt
        │   ├── python_brost.txt
        │   ├── python_extrack.txt
        │   ├── python_injector.txt
        │   ├── python_killmbr.txt
        │   ├── python_memento.txt
        │   ├── python_w4sp.txt
        │   ├── python_xwo.txt
        │   ├── pyxierat.txt
        │   ├── qakbot.txt
        │   ├── qarallaxrat.txt
        │   ├── qdoor.txt
        │   ├── qeallerrat.txt
        │   ├── qilin.txt
        │   ├── qiulong.txt
        │   ├── qlocker.txt
        │   ├── qnodeservice.txt
        │   ├── qqcookie.txt
        │   ├── qrat.txt
        │   ├── quad7.txt
        │   ├── quadagent.txt
        │   ├── quadream.txt
        │   ├── quantloader.txt
        │   ├── quantum_ransomware.txt
        │   ├── quasarrat.txt
        │   ├── qudox.txt
        │   ├── quickbooks.txt
        │   ├── qukart.txt
        │   ├── qulab.txt
        │   ├── qwert_miner.txt
        │   ├── r2015.txt
        │   ├── raasberry.txt
        │   ├── raccoon.txt
        │   ├── radar_ransomware.txt
        │   ├── radx.txt
        │   ├── ragnar.txt
        │   ├── ragnarok.txt
        │   ├── rainstealer.txt
        │   ├── rajump.txt
        │   ├── rakhni.txt
        │   ├── rakhni_ransomware.txt
        │   ├── ralord.txt
        │   ├── ramdo.txt
        │   ├── ramnit.txt
        │   ├── ramp.txt
        │   ├── ranion.txt
        │   ├── ransirac.txt
        │   ├── ransomblog.txt
        │   ├── ransomcartel.txt
        │   ├── ransomcortex.txt
        │   ├── ransomed.txt
        │   ├── ransomexx.txt
        │   ├── ransomhouse.txt
        │   ├── ransomhub.txt
        │   ├── ranzy.txt
        │   ├── rapid.txt
        │   ├── raptrain.txt
        │   ├── rarog.txt
        │   ├── rasprobin.txt
        │   ├── rat369.txt
        │   ├── ratel.txt
        │   ├── raticate.txt
        │   ├── ratty.txt
        │   ├── raven.txt
        │   ├── rawld_ransomware.txt
        │   ├── razy.txt
        │   ├── rdpbrutebot.txt
        │   ├── reactorbot.txt
        │   ├── reaver.txt
        │   ├── red_ransomware.txt
        │   ├── redalpha.txt
        │   ├── reddot_ransomware.txt
        │   ├── reddriver.txt
        │   ├── rediswannamine.txt
        │   ├── redline.txt
        │   ├── redsip.txt
        │   ├── redtail_miner.txt
        │   ├── reductor.txt
        │   ├── ref3927.txt
        │   ├── ref7707.txt
        │   ├── remcos.txt
        │   ├── remexirat.txt
        │   ├── remotexrat.txt
        │   ├── renocide.txt
        │   ├── retroc2rat.txt
        │   ├── revcoderat.txt
        │   ├── revengerat.txt
        │   ├── reveton.txt
        │   ├── revetrat.txt
        │   ├── reynolds.txt
        │   ├── rhadamanthys.txt
        │   ├── rhysida.txt
        │   ├── rift.txt
        │   ├── rilide.txt
        │   ├── rincux.txt
        │   ├── riseloader.txt
        │   ├── risen_ransomware.txt
        │   ├── risepro.txt
        │   ├── rmsrat.txt
        │   ├── robinhood.txt
        │   ├── rocco.txt
        │   ├── rocketx.txt
        │   ├── rogue_ransomware.txt
        │   ├── rombertik.txt
        │   ├── rook_ransomware.txt
        │   ├── rootteam.txt
        │   ├── rovnix.txt
        │   ├── royal_ransomware.txt
        │   ├── rozena.txt
        │   ├── rransom.txt
        │   ├── rsockstun.txt
        │   ├── rtm.txt
        │   ├── rtm_ransomware.txt
        │   ├── rubella.txt
        │   ├── ruby_backdoor.txt
        │   ├── ruftar.txt
        │   ├── runforestrun.txt
        │   ├── runsomewares.txt
        │   ├── rust_injector.txt
        │   ├── rustock.txt
        │   ├── rusty.txt
        │   ├── rustylocker.txt
        │   ├── ryuk.txt
        │   ├── saefkorat.txt
        │   ├── safepay.txt
        │   ├── saferat.txt
        │   ├── sage.txt
        │   ├── saintbot.txt
        │   ├── sakabota.txt
        │   ├── sakari.txt
        │   ├── sakula.txt
        │   ├── sakurel.txt
        │   ├── salat.txt
        │   ├── sality.txt
        │   ├── samorat.txt
        │   ├── samsam.txt
        │   ├── sanny.txt
        │   ├── santa.txt
        │   ├── sapphire.txt
        │   ├── sarcoma.txt
        │   ├── satacom.txt
        │   ├── satana.txt
        │   ├── satancd.txt
        │   ├── sathurbot.txt
        │   ├── scanbox.txt
        │   ├── scarab.txt
        │   ├── schwarzesonne.txt
        │   ├── scranos.txt
        │   ├── scylla.txt
        │   ├── sdbot.txt
        │   ├── sdrop.txt
        │   ├── seaduke.txt
        │   ├── sealrat.txt
        │   ├── secpo.txt
        │   ├── sectoprat.txt
        │   ├── sefnit.txt
        │   ├── sekhmet.txt
        │   ├── selfdel.txt
        │   ├── sembmarine.txt
        │   ├── sendsafe.txt
        │   ├── sensayq.txt
        │   ├── seroxenrat.txt
        │   ├── serpent.txt
        │   ├── setcoderat.txt
        │   ├── seth_ransomware.txt
        │   ├── severe.txt
        │   ├── sfile_ransomware.txt
        │   ├── shadow_ransomware.txt
        │   ├── shadowbyte.txt
        │   ├── shadownet.txt
        │   ├── shadowrat.txt
        │   ├── shadowsyndicate.txt
        │   ├── shadowtechrat.txt
        │   ├── shadypanda.txt
        │   ├── shalom.txt
        │   ├── sharkstealer.txt
        │   ├── shelby.txt
        │   ├── shellresetrat.txt
        │   ├── shelma.txt
        │   ├── shifu.txt
        │   ├── shimrat.txt
        │   ├── shinysp1d3r.txt
        │   ├── shiotob.txt
        │   ├── shkolota.txt
        │   ├── shurl0ckr.txt
        │   ├── shylock.txt
        │   ├── sicari_ransomware.txt
        │   ├── siegedsec.txt
        │   ├── siesta.txt
        │   ├── silent.txt
        │   ├── silent_ransomware.txt
        │   ├── silentbrute.txt
        │   ├── silentcrypto_miner.txt
        │   ├── silentroute.txt
        │   ├── silentsyncrat.txt
        │   ├── silly.txt
        │   ├── silverfox.txt
        │   ├── silverterrier.txt
        │   ├── simayrat.txt
        │   ├── simda.txt
        │   ├── sinkhole_360netlab.txt
        │   ├── sinkhole_abuse.txt
        │   ├── sinkhole_arbor.txt
        │   ├── sinkhole_bitdefender.txt
        │   ├── sinkhole_bitsight.txt
        │   ├── sinkhole_blacklab.txt
        │   ├── sinkhole_bomccss.txt
        │   ├── sinkhole_botnethunter.txt
        │   ├── sinkhole_cabal.txt
        │   ├── sinkhole_certgovau.txt
        │   ├── sinkhole_certpl.txt
        │   ├── sinkhole_certtr.txt
        │   ├── sinkhole_certua.txt
        │   ├── sinkhole_changeip.txt
        │   ├── sinkhole_checkpoint.txt
        │   ├── sinkhole_cirtdk.txt
        │   ├── sinkhole_cncert.txt
        │   ├── sinkhole_collector.txt
        │   ├── sinkhole_conficker.txt
        │   ├── sinkhole_cryptolocker.txt
        │   ├── sinkhole_cydef.txt
        │   ├── sinkhole_devilish.txt
        │   ├── sinkhole_dnssinkhole.txt
        │   ├── sinkhole_doombringer.txt
        │   ├── sinkhole_drweb.txt
        │   ├── sinkhole_dynadot.txt
        │   ├── sinkhole_dyre.txt
        │   ├── sinkhole_farsight.txt
        │   ├── sinkhole_fbizeus.txt
        │   ├── sinkhole_fireeye.txt
        │   ├── sinkhole_fitsec.txt
        │   ├── sinkhole_fnord.txt
        │   ├── sinkhole_fraunhofer.txt
        │   ├── sinkhole_gamaredon.txt
        │   ├── sinkhole_gameoverzeus.txt
        │   ├── sinkhole_georgiatech.txt
        │   ├── sinkhole_gladtech.txt
        │   ├── sinkhole_hyas.txt
        │   ├── sinkhole_infosecjp.txt
        │   ├── sinkhole_kaspersky.txt
        │   ├── sinkhole_kryptoslogic.txt
        │   ├── sinkhole_menupass.txt
        │   ├── sinkhole_microsoft.txt
        │   ├── sinkhole_noip.txt
        │   ├── sinkhole_nowdns.txt
        │   ├── sinkhole_oceanlotus.txt
        │   ├── sinkhole_opendns.txt
        │   ├── sinkhole_paloalto.txt
        │   ├── sinkhole_rsa.txt
        │   ├── sinkhole_scarletshark.txt
        │   ├── sinkhole_secureworks.txt
        │   ├── sinkhole_securityscorecard.txt
        │   ├── sinkhole_sekoia.txt
        │   ├── sinkhole_shadowserver.txt
        │   ├── sinkhole_sidnlabs.txt
        │   ├── sinkhole_sinkdns.txt
        │   ├── sinkhole_sobaken.txt
        │   ├── sinkhole_sofacy.txt
        │   ├── sinkhole_spamandabuse.txt
        │   ├── sinkhole_sugarbucket.txt
        │   ├── sinkhole_sunburst.txt
        │   ├── sinkhole_supportintel.txt
        │   ├── sinkhole_switch.txt
        │   ├── sinkhole_tech.txt
        │   ├── sinkhole_tsway.txt
        │   ├── sinkhole_turla.txt
        │   ├── sinkhole_unknown.txt
        │   ├── sinkhole_vicheck.txt
        │   ├── sinkhole_virustracker.txt
        │   ├── sinkhole_vittalia.txt
        │   ├── sinkhole_wapacklabs.txt
        │   ├── sinkhole_xaayda.txt
        │   ├── sinkhole_xlab.txt
        │   ├── sinkhole_xyz.txt
        │   ├── sinkhole_yourtrap.txt
        │   ├── sinkhole_zinkhole.txt
        │   ├── sinobi.txt
        │   ├── sirkeira.txt
        │   ├── skeeyah.txt
        │   ├── skidrat.txt
        │   ├── skynet.txt
        │   ├── skyper.txt
        │   ├── sleepyduck.txt
        │   ├── slenfbot.txt
        │   ├── slnya_ransomware.txt
        │   ├── sload.txt
        │   ├── slopoly.txt
        │   ├── slothfulmedia.txt
        │   ├── slserver.txt
        │   ├── slub.txt
        │   ├── slug_ransomware.txt
        │   ├── smallnetrat.txt
        │   ├── smartloader.txt
        │   ├── smert_ransomware.txt
        │   ├── smokebot.txt
        │   ├── smokeloader.txt
        │   ├── smsfakesky.txt
        │   ├── snatch.txt
        │   ├── sneakystrike.txt
        │   ├── snifula.txt
        │   ├── snslocker.txt
        │   ├── sockrat.txt
        │   ├── socksbot.txt
        │   ├── sodapop.txt
        │   ├── sodinokibi.txt
        │   ├── sohanad.txt
        │   ├── solarsys.txt
        │   ├── sombrat.txt
        │   ├── somnirecords.txt
        │   ├── sonoko.txt
        │   ├── sonoyuncu.txt
        │   ├── sorano.txt
        │   ├── sorena.txt
        │   ├── sorrygomaster.txt
        │   ├── sorvepotel.txt
        │   ├── sosihvncrat.txt
        │   ├── soul.txt
        │   ├── soulsearcher.txt
        │   ├── spacebears.txt
        │   ├── sparkycarp.txt
        │   ├── sparta.txt
        │   ├── specter.txt
        │   ├── spectra.txt
        │   ├── spectre.txt
        │   ├── spicerat.txt
        │   ├── spideybot.txt
        │   ├── spock.txt
        │   ├── spook.txt
        │   ├── sporacrypt.txt
        │   ├── spybotpos.txt
        │   ├── spyeye.txt
        │   ├── spygaterat.txt
        │   ├── spypress.txt
        │   ├── squidloader.txt
        │   ├── squirrelwaffle.txt
        │   ├── sqzrframework480.txt
        │   ├── stabuniq.txt
        │   ├── stanley.txt
        │   ├── stantinko.txt
        │   ├── statc.txt
        │   ├── stealerium.txt
        │   ├── stealit.txt
        │   ├── stealzilla.txt
        │   ├── steamreplacer.txt
        │   ├── steamstealer.txt
        │   ├── steelfox.txt
        │   ├── stely.txt
        │   ├── stih.txt
        │   ├── stilachirat.txt
        │   ├── stinger.txt
        │   ├── stlfun.txt
        │   ├── stomida.txt
        │   ├── stop_ransomware.txt
        │   ├── storm2603.txt
        │   ├── stormkitty.txt
        │   ├── stormous_ransomware.txt
        │   ├── strela.txt
        │   ├── strictor.txt
        │   ├── stripedfly.txt
        │   ├── strrat.txt
        │   ├── sugar_ransomware.txt
        │   ├── sukalogger.txt
        │   ├── suncrypt.txt
        │   ├── superbearrat.txt
        │   ├── supremebot.txt
        │   ├── surfer.txt
        │   ├── surtr.txt
        │   ├── susafone.txt
        │   ├── susvsex.txt
        │   ├── svcreadyrat.txt
        │   ├── svcstealer.txt
        │   ├── svproxy.txt
        │   ├── swaetrat.txt
        │   ├── swamprat.txt
        │   ├── sykipot.txt
        │   ├── sylavriu.txt
        │   ├── symmi.txt
        │   ├── symmiware.txt
        │   ├── synack.txt
        │   ├── syndicasec.txt
        │   ├── synolocker.txt
        │   ├── sys01.txt
        │   ├── sysc32cmd.txt
        │   ├── syscon.txt
        │   ├── sysjoker.txt
        │   ├── sysrat.txt
        │   ├── sysrvhello_miner.txt
        │   ├── systembc.txt
        │   ├── systemd_miner.txt
        │   ├── sysworm.txt
        │   ├── t1087.txt
        │   ├── t34loader.txt
        │   ├── ta2541.txt
        │   ├── ta2552.txt
        │   ├── ta2726.txt
        │   ├── ta2727.txt
        │   ├── ta401.txt
        │   ├── ta4557.txt
        │   ├── ta505.txt
        │   ├── ta558.txt
        │   ├── ta569.txt
        │   ├── ta581.txt
        │   ├── ta829.txt
        │   ├── tables.txt
        │   ├── taidoor.txt
        │   ├── targetcompany.txt
        │   ├── taskmasters.txt
        │   ├── taurus.txt
        │   ├── tdss.txt
        │   ├── teambot.txt
        │   ├── teamspy.txt
        │   ├── teamxxx.txt
        │   ├── teerac.txt
        │   ├── telebot.txt
        │   ├── telegrab.txt
        │   ├── telemetr.txt
        │   ├── tellyouthepass.txt
        │   ├── tempheretic.txt
        │   ├── tengu_ransomware.txt
        │   ├── termite.txt
        │   ├── terracotta.txt
        │   ├── teslacrypt.txt
        │   ├── tetrade.txt
        │   ├── tevrinox.txt
        │   ├── tflower.txt
        │   ├── tgrcri0045.txt
        │   ├── thanos.txt
        │   ├── therat.txt
        │   ├── thirdeye.txt
        │   ├── thorc2.txt
        │   ├── threeam_ransomware.txt
        │   ├── thrower.txt
        │   ├── thunderfox.txt
        │   ├── tibs.txt
        │   ├── tikiloader.txt
        │   ├── tinba.txt
        │   ├── tinyloader.txt
        │   ├── tinynuke.txt
        │   ├── tinypos.txt
        │   ├── tipikit.txt
        │   ├── tispy.txt
        │   ├── titan.txt
        │   ├── tobor.txt
        │   ├── tofsee.txt
        │   ├── tokgrabber.txt
        │   ├── tookps.txt
        │   ├── toponev.txt
        │   ├── tor_backdoor.txt
        │   ├── torctrat.txt
        │   ├── torpig.txt
        │   ├── torrentlocker.txt
        │   ├── tovkater.txt
        │   ├── transferloader.txt
        │   ├── trat.txt
        │   ├── travle.txt
        │   ├── treasurehunter.txt
        │   ├── trickbot.txt
        │   ├── trinity.txt
        │   ├── triumphloader.txt
        │   ├── troldesh.txt
        │   ├── tron.txt
        │   ├── trox.txt
        │   ├── truebot.txt
        │   ├── tscookie.txt
        │   ├── tsundere.txt
        │   ├── tuhkit.txt
        │   ├── tupym.txt
        │   ├── turkojanrat.txt
        │   ├── tvrat.txt
        │   ├── tvspy.txt
        │   ├── typhon.txt
        │   ├── uat7290.txt
        │   ├── uboatrat.txt
        │   ├── ubomb.txt
        │   ├── udpos.txt
        │   ├── udprat.txt
        │   ├── ufr.txt
        │   ├── ultibot.txt
        │   ├── underground.txt
        │   ├── unicorn.txt
        │   ├── unidentrat.txt
        │   ├── unk_ransomware.txt
        │   ├── unruy.txt
        │   ├── up007.txt
        │   ├── upatre.txt
        │   ├── urausy.txt
        │   ├── ursaloader.txt
        │   ├── ursnif.txt
        │   ├── utopia.txt
        │   ├── vacban.txt
        │   ├── vadokrist.txt
        │   ├── vaggen.txt
        │   ├── vaimalandra.txt
        │   ├── valak.txt
        │   ├── valleyrat.txt
        │   ├── vanhelsing.txt
        │   ├── vanir.txt
        │   ├── varenyky.txt
        │   ├── vawtrak.txt
        │   ├── vbcheman.txt
        │   ├── vbrat.txt
        │   ├── vect_ransomware.txt
        │   ├── vector.txt
        │   ├── veety.txt
        │   ├── vektorx.txt
        │   ├── venom.txt
        │   ├── venus.txt
        │   ├── venusrat.txt
        │   ├── verblecon.txt
        │   ├── vespygrabber.txt
        │   ├── vespyrat.txt
        │   ├── vetra.txt
        │   ├── vexion.txt
        │   ├── vfokx.txt
        │   ├── vidar.txt
        │   ├── viknok.txt
        │   ├── vikro.txt
        │   ├── vilerat.txt
        │   ├── vinderuf.txt
        │   ├── violetrat.txt
        │   ├── vipersoftx.txt
        │   ├── virobot.txt
        │   ├── virtubot.txt
        │   ├── virtum.txt
        │   ├── virusrat.txt
        │   ├── virut.txt
        │   ├── vittalia.txt
        │   ├── vizom.txt
        │   ├── vjw0rm.txt
        │   ├── vncrat.txt
        │   ├── vobfus.txt
        │   ├── void.txt
        │   ├── volk.txt
        │   ├── vollgar.txt
        │   ├── voltaire.txt
        │   ├── vshell.txt
        │   ├── vssdestroy.txt
        │   ├── vulturi.txt
        │   ├── vundo.txt
        │   ├── vvs.txt
        │   ├── vxrat.txt
        │   ├── vystealer.txt
        │   ├── wacatac.txt
        │   ├── waledac.txt
        │   ├── wallyshack.txt
        │   ├── wanna_miner.txt
        │   ├── wannacry.txt
        │   ├── wannamine.txt
        │   ├── wapobi.txt
        │   ├── waprox.txt
        │   ├── warezov.txt
        │   ├── warlock.txt
        │   ├── warmcookie.txt
        │   ├── wasabiseed.txt
        │   ├── wastedlocker.txt
        │   ├── watchdog_miner.txt
        │   ├── wavebys.txt
        │   ├── weaxor_ransomware.txt
        │   ├── webcobra.txt
        │   ├── webffrat.txt
        │   ├── wecorl.txt
        │   ├── wecoym.txt
        │   ├── weecnaw.txt
        │   ├── westeal.txt
        │   ├── weyhro.txt
        │   ├── whipweave.txt
        │   ├── whispergate.txt
        │   ├── whitelock.txt
        │   ├── whiteshadow.txt
        │   ├── whitesnake.txt
        │   ├── wholocked_ransomware.txt
        │   ├── wickrme.txt
        │   ├── wifistealer.txt
        │   ├── wikiloader.txt
        │   ├── wildfire.txt
        │   ├── wildpressure.txt
        │   ├── wincirrat.txt
        │   ├── wingo.txt
        │   ├── winnti.txt
        │   ├── wip26.txt
        │   ├── wiseremote.txt
        │   ├── wndred.txt
        │   ├── wofeksad.txt
        │   ├── wograt.txt
        │   ├── wolfresearch.txt
        │   ├── wolphv.txt
        │   ├── woodyrat.txt
        │   ├── woozlist.txt
        │   ├── wpbrutebot.txt
        │   ├── wtracker.txt
        │   ├── wwolves.txt
        │   ├── xadupi.txt
        │   ├── xanthe_miner.txt
        │   ├── xaparo.txt
        │   ├── xavierera.txt
        │   ├── xaview.txt
        │   ├── xctdoor.txt
        │   ├── xehook.txt
        │   ├── xenorat.txt
        │   ├── xenos.txt
        │   ├── xenotix.txt
        │   ├── xfiles.txt
        │   ├── xhunt.txt
        │   ├── xillen.txt
        │   ├── xinglocker.txt
        │   ├── xinof.txt
        │   ├── xorium.txt
        │   ├── xp95.txt
        │   ├── xpay.txt
        │   ├── xploder.txt
        │   ├── xshark.txt
        │   ├── xtbl.txt
        │   ├── xtrat.txt
        │   ├── xworm.txt
        │   ├── yanisma.txt
        │   ├── yanluowang.txt
        │   ├── yenibot.txt
        │   ├── yibackdoor.txt
        │   ├── yimfoca.txt
        │   ├── yorotrooper.txt
        │   ├── yoursqldumps.txt
        │   ├── ytstealer.txt
        │   ├── yurei.txt
        │   ├── z0miner.txt
        │   ├── zaletelly.txt
        │   ├── zardoor.txt
        │   ├── zbbx.txt
        │   ├── zcrypt.txt
        │   ├── zegost.txt
        │   ├── zemot.txt
        │   ├── zenar_miner.txt
        │   ├── zenrat.txt
        │   ├── zephyrloader.txt
        │   ├── zeroaccess.txt
        │   ├── zerolockersec.txt
        │   ├── zeropadypt.txt
        │   ├── zerotolerance.txt
        │   ├── zetarink.txt
        │   ├── zeus.txt
        │   ├── zgrat.txt
        │   ├── zharkbot.txt
        │   ├── zherotee.txt
        │   ├── zhong.txt
        │   ├── zlader.txt
        │   ├── zloader.txt
        │   ├── zlob.txt
        │   ├── zlugin.txt
        │   ├── zombieboy.txt
        │   ├── zombrari.txt
        │   ├── zonidel.txt
        │   ├── zoomer.txt
        │   ├── zstealer.txt
        │   ├── zusy.txt
        │   ├── zxshell.txt
        │   ├── zyklon.txt
        │   └── zzsteal.txt
        ├── mass_scanner.txt
        ├── mass_scanner_cidr.txt
        └── suspicious/
            ├── android_pua.txt
            ├── anonymous_web_proxy.txt
            ├── bad_history.txt
            ├── bad_wpad.txt
            ├── blockchain_dns.txt
            ├── computrace.txt
            ├── connectwise.txt
            ├── crypto_mining.txt
            ├── dns_tunneling_service.txt
            ├── dnspod.txt
            ├── domain.txt
            ├── dprk_silivaccine.txt
            ├── dynamic_domain.txt
            ├── free_web_hosting.txt
            ├── i2p.txt
            ├── ipinfo.txt
            ├── meshagent.txt
            ├── nezha_rmmtool.txt
            ├── onion.txt
            ├── osx_pua.txt
            ├── parking_site.txt
            ├── port_proxy.txt
            ├── pua.txt
            ├── simplehelp.txt
            ├── superfish.txt
            ├── suspended_domain.txt
            ├── web_shells.txt
            └── xenarmor.txt
SYMBOL INDEX (297 symbols across 70 files)

FILE: core/addr.py
  function addr_to_int (line 12) | def addr_to_int(value):
  function int_to_addr (line 16) | def int_to_addr(value):
  function make_mask (line 19) | def make_mask(bits):
  function compress_ipv6 (line 22) | def compress_ipv6(address):
  function inet_ntoa6 (line 32) | def inet_ntoa6(packed_ip):
  function expand_range (line 36) | def expand_range(value):
  function addr_port (line 67) | def addr_port(addr, port):

FILE: core/attribdict.py
  class AttribDict (line 8) | class AttribDict(dict):
    method __getattr__ (line 9) | def __getattr__(self, name):
    method __setattr__ (line 12) | def __setattr__(self, name, value):

FILE: core/colorized.py
  class ColorizedStream (line 13) | class ColorizedStream:
    method __init__ (line 14) | def __init__(self, original):
    method write (line 21) | def write(self, text):
    method flush (line 44) | def flush(self):
  function init_output (line 47) | def init_output():

FILE: core/common.py
  function retrieve_content (line 44) | def retrieve_content(url, data=None, headers=None):
  function fetch_headers (line 74) | def fetch_headers(url, timeout=10):
  function ipcat_lookup (line 91) | def ipcat_lookup(address):
  function worst_asns (line 128) | def worst_asns(address):
  function cdn_ip (line 142) | def cdn_ip(address):
  function bogon_ip (line 156) | def bogon_ip(address):
  function check_sudo (line 173) | def check_sudo():
  function extract_zip (line 189) | def extract_zip(filename, path=None):
  function get_regex (line 193) | def get_regex(items):
  function check_connection (line 240) | def check_connection():
  function check_whitelisted (line 243) | def check_whitelisted(trail):
  function load_trails (line 258) | def load_trails(quiet=False):
  function get_text (line 287) | def get_text(value):
  function get_ex_message (line 301) | def get_ex_message(ex):
  function is_local (line 319) | def is_local(address):
  function patch_parser (line 322) | def patch_parser(parser):

FILE: core/datatype.py
  class LRUDict (line 6) | class LRUDict(object):
    method __init__ (line 20) | def __init__(self, capacity):
    method __len__ (line 24) | def __len__(self):
    method __contains__ (line 27) | def __contains__(self, key):
    method __getitem__ (line 30) | def __getitem__(self, key):
    method get (line 39) | def get(self, key):
    method __setitem__ (line 42) | def __setitem__(self, key, value):
    method set (line 50) | def set(self, key, value):
    method keys (line 53) | def keys(self):

FILE: core/enums.py
  class _ (line 12) | class _(type):
    method __getattr__ (line 13) | def __getattr__(self, attr):
  class TRAIL (line 17) | class TRAIL(object):
  class BLOCK_MARKER (line 21) | class BLOCK_MARKER:
  class BLOCK_MARKER (line 27) | class BLOCK_MARKER:
  class PROTO (line 33) | class PROTO:
  class HTTP_HEADER (line 38) | class HTTP_HEADER:
  class CACHE_TYPE (line 70) | class CACHE_TYPE:
  class COLOR (line 78) | class COLOR:
  class BACKGROUND (line 114) | class BACKGROUND:
  class SEVERITY (line 133) | class SEVERITY:

FILE: core/httpd.py
  function start_httpd (line 78) | def start_httpd(address=None, port=None, join=False, pem=None):

FILE: core/ignore.py
  function ignore_event (line 16) | def ignore_event(event_tuple):

FILE: core/log.py
  function create_log_directory (line 45) | def create_log_directory():
  function get_event_log_handle (line 52) | def get_event_log_handle(sec, flags=os.O_APPEND | os.O_CREAT | os.O_WRON...
  function get_error_log_handle (line 83) | def get_error_log_handle(flags=os.O_APPEND | os.O_CREAT | os.O_WRONLY):
  function safe_value (line 93) | def safe_value(value):
  function flush_condensed_events (line 100) | def flush_condensed_events(single=False):
  function log_event (line 134) | def log_event(event_tuple, packet=None, skip_write=False, skip_condensin...
  function log_error (line 228) | def log_error(msg, single=False):
  function start_logd (line 242) | def start_logd(address=None, port=None, join=False):
  function set_sigterm_handler (line 293) | def set_sigterm_handler():

FILE: core/parallel.py
  function read_block (line 24) | def read_block(buffer, i):
  function write_block (line 51) | def write_block(buffer, i, block, marker=None):
  function worker (line 62) | def worker(buffer, n, offset, mod, process_packet):

FILE: core/settings.py
  function _get_total_physmem (line 157) | def _get_total_physmem():
  function read_config (line 218) | def read_config(config_file):
  function read_whitelist (line 372) | def read_whitelist():
  function add_ignorelist (line 408) | def add_ignorelist(filepath):
  function read_ignorelist (line 420) | def read_ignorelist():
  function read_ua (line 429) | def read_ua():
  function read_worst_asn (line 455) | def read_worst_asn():
  function read_cdn_ranges (line 473) | def read_cdn_ranges():
  function read_bogon_ranges (line 488) | def read_bogon_ranges():
  function check_deprecated (line 503) | def check_deprecated():

FILE: core/trailsdict.py
  class TrailsDict (line 10) | class TrailsDict(dict):
    method __init__ (line 11) | def __init__(self):
    method __delitem__ (line 19) | def __delitem__(self, key):
    method has_key (line 22) | def has_key(self, key):
    method __contains__ (line 25) | def __contains__(self, key):
    method clear (line 28) | def clear(self):
    method keys (line 31) | def keys(self):
    method iterkeys (line 34) | def iterkeys(self):
    method __iter__ (line 38) | def __iter__(self):
    method get (line 42) | def get(self, key, default=None):
    method update (line 50) | def update(self, value):
    method __len__ (line 72) | def __len__(self):
    method __getitem__ (line 75) | def __getitem__(self, key):
    method __setitem__ (line 83) | def __setitem__(self, key, value):

FILE: core/update.py
  function _chown (line 57) | def _chown(filepath):
  function _fopen (line 64) | def _fopen(filepath, mode="rb", opener=open):
  function update_trails (line 70) | def update_trails(force=False, offline=False):
  function update_ipcat (line 340) | def update_ipcat(force=False):
  function main (line 383) | def main():

FILE: html/js/demo.js
  function getDemoCSV (line 6) | function getDemoCSV() {

FILE: html/js/main.js
  function initDialogs (line 194) | function initDialogs() {
  function checkAuthentication (line 266) | function checkAuthentication() {
  function toggleHeatmap (line 311) | function toggleHeatmap() {
  function graphClose (line 321) | function graphClose() {
  function initCalHeatmap (line 326) | function initCalHeatmap() {
  function charTrim (line 386) | function charTrim(str, chr) {
  function numberWithCommas (line 395) | function numberWithCommas(x) {
  function isLocalAddress (line 400) | function isLocalAddress(ip) {
  function escapeHtml (line 434) | function escapeHtml(string) {
  function getContrast50 (line 441) | function getContrast50(hexcolor) {
  function getPercentageColor (line 446) | function getPercentageColor(percentage) {
  function getContrastYIQ (line 463) | function getContrastYIQ(hexcolor){
  function getTagHtml (line 475) | function getTagHtml(tag) {
  function getHashColor (line 486) | function getHashColor(value) {
  function escapeRegExp (line 491) | function escapeRegExp(str) {
  function getThreatUID (line 495) | function getThreatUID(threat) {  // e.g. 192.168.0.1~>shv4.no-ip.biz
  function resetView (line 506) | function resetView() {
  function init (line 521) | function init(url, from, to) {
  function resetStatusButtons (line 979) | function resetStatusButtons() {
  function scrollTo (line 988) | function scrollTo(id) {
  function addrToInt (line 995) | function addrToInt(value) {
  function makeMask (line 1000) | function makeMask(bits) {
  function netmaskValidate (line 1004) | function netmaskValidate(netmask) {
  function searchTipToTab (line 1012) | function searchTipToTab(query) {
  function tagInputKeyUp (line 1025) | function tagInputKeyUp(event, forcedelete) {
  function stopPropagation (line 1098) | function stopPropagation(event) {
  function _sort (line 1106) | function _sort(obj) {
  function _ipSortingValue (line 1123) | function _ipSortingValue(a) {
  function _ipCompareValues (line 1145) | function _ipCompareValues(a, b) {
  function copyEllipsisToClipboard (line 1150) | function copyEllipsisToClipboard(event) {
  function copyEventsToClipboard (line 1181) | function copyEventsToClipboard(event) {
  function appendFilter (line 1187) | function appendFilter(filter, event, istag) {
  function initDetails (line 1227) | function initDetails() {
  function generateNonce (line 1969) | function generateNonce() {
  function setChartScale (line 2181) | function setChartScale(options, maxValue) {
  function drawInfo (line 2197) | function drawInfo(type) {
  function initVisual (line 2689) | function initVisual() {
  function timestamp (line 2958) | function timestamp(str){
  function pad (line 2962) | function pad(n, width, z) {
  function formatDate (line 2969) | function formatDate(value) {
  function parseDate (line 2973) | function parseDate(value) {
  function getParameterByName (line 2983) | function getParameterByName(name) {
  function dayStart (line 2992) | function dayStart(tick_seconds) {
  function dayEnd (line 3003) | function dayEnd(tick_seconds) {
  function query (line 3035) | function query(date1, date2) {

FILE: plugins/peek.py
  function plugin (line 14) | def plugin(event_tuple, packet=None):

FILE: plugins/strings.py
  function plugin (line 14) | def plugin(event_tuple, packet=None):

FILE: sensor.py
  class _set (line 131) | class _set(set):
  function print (line 141) | def print(*args, **kwargs):
  function _check_domain_member (line 157) | def _check_domain_member(query, domains):
  function _check_domain_whitelisted (line 167) | def _check_domain_whitelisted(query):
  function _check_domain (line 176) | def _check_domain(query, sec, usec, src_ip, src_port, dst_ip, dst_port, ...
  function _get_local_prefix (line 260) | def _get_local_prefix():
  function _process_packet (line 273) | def _process_packet(packet, sec, usec, ip_offset):
  function init (line 886) | def init():
  function _init_multiprocessing (line 1086) | def _init_multiprocessing():
  function monitor (line 1122) | def monitor():
  function main (line 1266) | def main():

FILE: server.py
  function main (line 41) | def main():

FILE: thirdparty/odict/ordereddict.py
  class OrderedDict (line 31) | class OrderedDict(dict, DictMixin):
    method __init__ (line 33) | def __init__(self, *args, **kwds):
    method clear (line 42) | def clear(self):
    method __setitem__ (line 48) | def __setitem__(self, key, value):
    method __delitem__ (line 55) | def __delitem__(self, key):
    method __iter__ (line 61) | def __iter__(self):
    method __reversed__ (line 68) | def __reversed__(self):
    method popitem (line 75) | def popitem(self, last=True):
    method __reduce__ (line 85) | def __reduce__(self):
    method keys (line 95) | def keys(self):
    method __repr__ (line 107) | def __repr__(self):
    method copy (line 112) | def copy(self):
    method fromkeys (line 116) | def fromkeys(cls, iterable, value=None):
    method __eq__ (line 122) | def __eq__(self, other):
    method __ne__ (line 132) | def __ne__(self, other):

FILE: thirdparty/six/__init__.py
  class X (line 60) | class X(object):
    method __len__ (line 62) | def __len__(self):
  function _add_doc (line 80) | def _add_doc(func, doc):
  function _import_module (line 85) | def _import_module(name):
  class _LazyDescr (line 91) | class _LazyDescr(object):
    method __init__ (line 93) | def __init__(self, name):
    method __get__ (line 96) | def __get__(self, obj, tp):
  class MovedModule (line 108) | class MovedModule(_LazyDescr):
    method __init__ (line 110) | def __init__(self, name, old, new=None):
    method _resolve (line 119) | def _resolve(self):
    method __getattr__ (line 122) | def __getattr__(self, attr):
  class _LazyModule (line 129) | class _LazyModule(types.ModuleType):
    method __init__ (line 131) | def __init__(self, name):
    method __dir__ (line 135) | def __dir__(self):
  class MovedAttribute (line 144) | class MovedAttribute(_LazyDescr):
    method __init__ (line 146) | def __init__(self, name, old_mod, new_mod, old_attr=None, new_attr=None):
    method _resolve (line 164) | def _resolve(self):
  class _SixMetaPathImporter (line 169) | class _SixMetaPathImporter(object):
    method __init__ (line 178) | def __init__(self, six_module_name):
    method _add_module (line 182) | def _add_module(self, mod, *fullnames):
    method _get_module (line 186) | def _get_module(self, fullname):
    method find_module (line 189) | def find_module(self, fullname, path=None):
    method find_spec (line 194) | def find_spec(self, fullname, path, target=None):
    method __get_module (line 199) | def __get_module(self, fullname):
    method load_module (line 205) | def load_module(self, fullname):
    method is_package (line 219) | def is_package(self, fullname):
    method get_code (line 228) | def get_code(self, fullname):
    method create_module (line 236) | def create_module(self, spec):
    method exec_module (line 239) | def exec_module(self, module):
  class _MovedItems (line 245) | class _MovedItems(_LazyModule):
  class Module_six_moves_urllib_parse (line 340) | class Module_six_moves_urllib_parse(_LazyModule):
  class Module_six_moves_urllib_error (line 382) | class Module_six_moves_urllib_error(_LazyModule):
  class Module_six_moves_urllib_request (line 402) | class Module_six_moves_urllib_request(_LazyModule):
  class Module_six_moves_urllib_response (line 459) | class Module_six_moves_urllib_response(_LazyModule):
  class Module_six_moves_urllib_robotparser (line 480) | class Module_six_moves_urllib_robotparser(_LazyModule):
  class Module_six_moves_urllib (line 498) | class Module_six_moves_urllib(types.ModuleType):
    method __dir__ (line 508) | def __dir__(self):
  function add_move (line 515) | def add_move(move):
  function remove_move (line 520) | def remove_move(name):
  function advance_iterator (line 552) | def advance_iterator(it):
  function callable (line 560) | def callable(obj):
  function get_unbound_function (line 565) | def get_unbound_function(unbound):
  function create_unbound_method (line 570) | def create_unbound_method(func, cls):
  function get_unbound_function (line 575) | def get_unbound_function(unbound):
  function create_bound_method (line 578) | def create_bound_method(func, obj):
  function create_unbound_method (line 581) | def create_unbound_method(func, cls):
  class Iterator (line 584) | class Iterator(object):
    method next (line 586) | def next(self):
  function iterkeys (line 603) | def iterkeys(d, **kw):
  function itervalues (line 606) | def itervalues(d, **kw):
  function iteritems (line 609) | def iteritems(d, **kw):
  function iterlists (line 612) | def iterlists(d, **kw):
  function iterkeys (line 621) | def iterkeys(d, **kw):
  function itervalues (line 624) | def itervalues(d, **kw):
  function iteritems (line 627) | def iteritems(d, **kw):
  function iterlists (line 630) | def iterlists(d, **kw):
  function b (line 648) | def b(s):
  function u (line 651) | def u(s):
  function b (line 674) | def b(s):
  function u (line 678) | def u(s):
  function byte2int (line 683) | def byte2int(bs):
  function indexbytes (line 686) | def indexbytes(buf, i):
  function assertCountEqual (line 699) | def assertCountEqual(self, *args, **kwargs):
  function assertRaisesRegex (line 703) | def assertRaisesRegex(self, *args, **kwargs):
  function assertRegex (line 707) | def assertRegex(self, *args, **kwargs):
  function assertNotRegex (line 711) | def assertNotRegex(self, *args, **kwargs):
  function reraise (line 718) | def reraise(tp, value, tb=None):
  function exec_ (line 730) | def exec_(_code_, _globs_=None, _locs_=None):
  function raise_from (line 758) | def raise_from(value, from_value):
  function print_ (line 764) | def print_(*args, **kwargs):
  function print_ (line 820) | def print_(*args, **kwargs):
  function _update_wrapper (line 835) | def _update_wrapper(wrapper, wrapped,
  function wraps (line 851) | def wraps(wrapped, assigned=functools.WRAPPER_ASSIGNMENTS,
  function with_metaclass (line 861) | def with_metaclass(meta, *bases):
  function add_metaclass (line 885) | def add_metaclass(metaclass):
  function ensure_binary (line 903) | def ensure_binary(s, encoding='utf-8', errors='strict'):
  function ensure_str (line 921) | def ensure_str(s, encoding='utf-8', errors='strict'):
  function ensure_text (line 944) | def ensure_text(s, encoding='utf-8', errors='strict'):
  function python_2_unicode_compatible (line 963) | def python_2_unicode_compatible(klass):

FILE: trails/custom/__init__.py
  function fetch (line 20) | def fetch():

FILE: trails/feeds/abuseipdb.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/alienvault.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/atmos.py
  function fetch (line 18) | def fetch():

FILE: trails/feeds/badips.py
  function fetch (line 16) | def fetch():

FILE: trails/feeds/binarydefense.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/bitcoinnodes.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/blackbook.py
  function fetch (line 14) | def fetch():

FILE: trails/feeds/blackholemonster.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/blocklist.py
  function fetch (line 14) | def fetch():

FILE: trails/feeds/botscout.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/bruteforceblocker.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/ciarmy.py
  function fetch (line 14) | def fetch():

FILE: trails/feeds/cleantalk.py
  function fetch (line 17) | def fetch():

FILE: trails/feeds/cobaltstrike.py
  function fetch (line 17) | def fetch():

FILE: trails/feeds/cybercrimetracker.py
  function fetch (line 18) | def fetch():

FILE: trails/feeds/dataplane.py
  function fetch (line 14) | def fetch():

FILE: trails/feeds/dshieldip.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/emergingthreatsbot.py
  function fetch (line 17) | def fetch():

FILE: trails/feeds/emergingthreatscip.py
  function fetch (line 14) | def fetch():

FILE: trails/feeds/emergingthreatsdns.py
  function fetch (line 18) | def fetch():

FILE: trails/feeds/fareit.py
  function fetch (line 18) | def fetch():

FILE: trails/feeds/feodotrackerip.py
  function fetch (line 16) | def fetch():

FILE: trails/feeds/gpfcomics.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/greensnow.py
  function fetch (line 16) | def fetch():

FILE: trails/feeds/ipnoise.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/maxmind.py
  function fetch (line 17) | def fetch():

FILE: trails/feeds/minerchk.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/myip.py
  function fetch (line 17) | def fetch():

FILE: trails/feeds/openphish.py
  function fetch (line 17) | def fetch():

FILE: trails/feeds/palevotracker.py
  function fetch (line 17) | def fetch():

FILE: trails/feeds/policeman.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/ransomwaretrackerdns.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/ransomwaretrackerip.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/ransomwaretrackerurl.py
  function fetch (line 17) | def fetch():

FILE: trails/feeds/rutgers.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/sblam.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/scriptzteam.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/socksproxy.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/sslproxies.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/statics.py
  function fetch (line 13) | def fetch():

FILE: trails/feeds/torproject.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/trickbot.py
  function fetch (line 17) | def fetch():

FILE: trails/feeds/turris.py
  function fetch (line 15) | def fetch():

FILE: trails/feeds/urlhaus.py
  function fetch (line 17) | def fetch():

FILE: trails/feeds/viriback.py
  function fetch (line 17) | def fetch():

FILE: trails/feeds/zeustrackermonitor.py
  function fetch (line 16) | def fetch():

FILE: trails/feeds/zeustrackerurl.py
  function fetch (line 15) | def fetch():

FILE: trails/static/__init__.py
  function fetch (line 17) | def fetch():
[
  {
    "path": ".gitattributes",
    "chars": 179,
    "preview": "*.py text eol=lf\n*.txt text eol=lf\n*.csv text eol=lf\n*.js text eol=lf\n*.ccs text eol=lf\n*.css text eol=lf\n*.html text eo"
  },
  {
    "path": ".github/CODE_OF_CONDUCT.md",
    "chars": 5224,
    "preview": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nWe as members, contributors, and leaders pledge to make participa"
  },
  {
    "path": ".github/CONTRIBUTING.md",
    "chars": 4743,
    "preview": "# Contributing to Maltrail\n\n## Reporting bugs\n\n**Bug reports are welcome**!\nPlease report all bugs on the [issue tracker"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/bug_report.md",
    "chars": 863,
    "preview": "---\nname: Bug report\nabout: Create a report to help us improve Maltrail\ntitle: \"[BUG]\"\nlabels: ''\nassignees: ''\n\n---\n\n**"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/feature_request.md",
    "chars": 616,
    "preview": "---\nname: Feature request\nabout: Suggest an idea for Maltrail project\ntitle: \"[Feature Request]\"\nlabels: ''\nassignees: '"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/questions-and-support.md",
    "chars": 278,
    "preview": "---\nname: Questions and Support\nabout: General topics. Questions and Support.\ntitle: \"[Questions and Support]\"\nlabels: '"
  },
  {
    "path": ".github/workflows/docker-release.yml",
    "chars": 1142,
    "preview": "name: Build and Push Docker Image on Tag\n\non:\n  push:\n    tags:\n      - '*'\n\njobs:\n  build-and-push:\n    runs-on: ubuntu"
  },
  {
    "path": ".gitignore",
    "chars": 50,
    "preview": "*.py[cod]\n*~\nPipfile*\ndocker-compose.override.yml\n"
  },
  {
    "path": "CHANGELOG",
    "chars": 13229,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "CITATION.cff",
    "chars": 711,
    "preview": "# YAML 1.2\n---\ncff-version: \"1.1.0\"\nmessage: \"If you use this software, please cite it using these metadata.\"\ndoi: 10.23"
  },
  {
    "path": "LICENSE",
    "chars": 1131,
    "preview": "The MIT License (MIT)\n\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n\nPermission i"
  },
  {
    "path": "README.md",
    "chars": 45859,
    "preview": "![Maltrail](https://i.imgur.com/3xjInOD.png)\n\n[![Python 2.6|2.7|3.x](https://img.shields.io/badge/python-2.6|2.7|3.x-yel"
  },
  {
    "path": "SECURITY.md",
    "chars": 923,
    "preview": "---\ntitle: Maltrail Security Vulnerability Reports\ncategory: contributing\nlayout: default\nSPDX-License-Identifier: MIT\n-"
  },
  {
    "path": "core/__init__.py",
    "chars": 167,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "core/addr.py",
    "chars": 2200,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "core/attribdict.py",
    "chars": 317,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "core/colorized.py",
    "chars": 2913,
    "preview": "#!/usr/bin/env python\n\nimport os\nimport re\nimport sys\n\nfrom core.enums import BACKGROUND\nfrom core.enums import COLOR\nfr"
  },
  {
    "path": "core/common.py",
    "chars": 10779,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "core/compat.py",
    "chars": 250,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "core/datatype.py",
    "chars": 1218,
    "preview": "#!/usr/bin/env python\n\nfrom thirdparty.odict import OrderedDict\n\n# Reference: https://www.kunxi.org/2014/05/lru-cache-in"
  },
  {
    "path": "core/enums.py",
    "chars": 3334,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "core/httpd.py",
    "chars": 38210,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "core/ignore.py",
    "chars": 1300,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "core/log.py",
    "chars": 12821,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "core/parallel.py",
    "chars": 2974,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "core/settings.py",
    "chars": 26377,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "core/trailsdict.py",
    "chars": 3082,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "core/update.py",
    "chars": 19292,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "docker/Dockerfile",
    "chars": 1269,
    "preview": "FROM python:3\n\n# Workdir and metadata\nWORKDIR /opt/maltrail\n\n# Environment variables\nENV PYTHONUNBUFFERED=1 \\\n    PYTHON"
  },
  {
    "path": "docker/README.md",
    "chars": 256,
    "preview": "# Docker\n\nTo build this image, please change your build context to the maltrail repo root. If you are in this very direc"
  },
  {
    "path": "docker/docker-compose.yml",
    "chars": 685,
    "preview": "services:\n\n  # sensor:\n  #   container_name: maltrail-sensor\n  #   build: .\n  #   command: sensor.py\n  #   restart: unle"
  },
  {
    "path": "docker/start.sh",
    "chars": 140,
    "preview": "#!/bin/sh\nset -e\n\n# Start cron in background\nservice cron start\n\n# Starte maltrail-Server im Vordergrund\nexec python /op"
  },
  {
    "path": "fail2ban/maltrail.conf.example",
    "chars": 967,
    "preview": "[Definition]\nfailregex = ^.*?\\s+<HOST>\\s+\\d+\\s+\\d+\\.\\d+\\.\\d+\\.\\d+\\s+\\d+\\s+\\w+\\s+\\w+\\s+\\d+\\.\\d+\\.\\d+\\.\\d+\\s+\"known attack"
  },
  {
    "path": "html/README.txt",
    "chars": 146,
    "preview": "Note: This directory should not be copied to the stand-alone web server installation (e.g. Apache) as it is being served"
  },
  {
    "path": "html/css/main.css",
    "chars": 18077,
    "preview": "body {\n    font: 13px Verdana, Geneva, sans-serif;\n    background-color: #f8f9fa;\n}\ntable {\n    font: 13px Verdana, Gene"
  },
  {
    "path": "html/css/media.css",
    "chars": 819,
    "preview": "@media screen and (max-width: 680px) {\n    #status_container, #documentation_link, #collaboration_link, #issues_link, .l"
  },
  {
    "path": "html/index.html",
    "chars": 7138,
    "preview": "<!DOCTYPE html>\n<html lang=\"en\">\n    <head>\n        <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n        <meta "
  },
  {
    "path": "html/js/demo.js",
    "chars": 451486,
    "preview": "/*\n* Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n* See the file 'LICENSE' for co"
  },
  {
    "path": "html/js/errorhandler.js",
    "chars": 549,
    "preview": "window.onerror = function(errorMsg, url, lineNumber) {\n    if (typeof errorMsg !== \"string\") {\n        if (errorMsg.hasO"
  },
  {
    "path": "html/js/main.js",
    "chars": 119819,
    "preview": "/*\n* Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n* See the file 'LICENSE' for co"
  },
  {
    "path": "html/js/thirdparty.ccs",
    "chars": 1890,
    "preview": "// ==ClosureCompiler==\n// @compilation_level WHITESPACE_ONLY\n// @output_file_name thirdparty.min.js\n// @language ECMASCR"
  },
  {
    "path": "html/robots.txt",
    "chars": 26,
    "preview": "User-agent: *\nDisallow: /\n"
  },
  {
    "path": "maltrail-sensor.service",
    "chars": 437,
    "preview": "[Unit]\nDescription=Maltrail. Sensor of malicious traffic detection system\nDocumentation=https://github.com/stamparm/malt"
  },
  {
    "path": "maltrail-server.service",
    "chars": 430,
    "preview": "[Unit]\r\nDescription=Maltrail. Server of malicious traffic detection system\r\nDocumentation=https://github.com/stamparm/ma"
  },
  {
    "path": "maltrail.conf",
    "chars": 6151,
    "preview": "# [Server]\n\n# Listen address of (reporting) HTTP server\nHTTP_ADDRESS 0.0.0.0\n#HTTP_ADDRESS ::\n#HTTP_ADDRESS fe80::12c3:7"
  },
  {
    "path": "misc/bogon_ranges.txt",
    "chars": 453,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "misc/cdn_ranges.txt",
    "chars": 12271,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "misc/ignore_events.txt",
    "chars": 189,
    "preview": "# Syntax:\n#\n# src_ip;src_port;dst_ip;dst_port\n#\n# (Note: '*' means any)\n#\n# Ignore all events from source ip 192.168.0.3"
  },
  {
    "path": "misc/precommit-hook",
    "chars": 1942,
    "preview": "#!/bin/bash\n\n# Reference: http://jeffreysambells.com/2010/10/22/a-git-pre-commit-hook-to-update-androidmanifest-xml-vers"
  },
  {
    "path": "misc/server.pem",
    "chars": 2859,
    "preview": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDzrkUgkrui5slp\ntfakZZD1gwlejslaoyeYzs++h+K"
  },
  {
    "path": "misc/ua.txt",
    "chars": 63718,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "misc/whitelist.txt",
    "chars": 70649,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "misc/worst_asns.txt",
    "chars": 165251,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "plugins/__init__.py",
    "chars": 167,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "plugins/peek.py",
    "chars": 714,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "plugins/strings.py",
    "chars": 694,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "requirements.txt",
    "chars": 9,
    "preview": "pcapy-ng\n"
  },
  {
    "path": "sensor.py",
    "chars": 65913,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "server.py",
    "chars": 5101,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "thirdparty/__init__.py",
    "chars": 0,
    "preview": ""
  },
  {
    "path": "thirdparty/odict/__init__.py",
    "chars": 156,
    "preview": "#!/usr/bin/env python\n\nimport sys\n\nif sys.version_info[:2] >= (2, 7):\n    from collections import OrderedDict\nelse:\n    "
  },
  {
    "path": "thirdparty/odict/ordereddict.py",
    "chars": 4283,
    "preview": "# Copyright (c) 2009 Raymond Hettinger\n#\n# Permission is hereby granted, free of charge, to any person\n# obtaining a cop"
  },
  {
    "path": "thirdparty/six/__init__.py",
    "chars": 34703,
    "preview": "# Copyright (c) 2010-2024 Benjamin Peterson\n#\n# Permission is hereby granted, free of charge, to any person obtaining a "
  },
  {
    "path": "trails/custom/__init__.py",
    "chars": 1596,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/custom/dprk.txt",
    "chars": 149,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/feeds/__init__.py",
    "chars": 167,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/abuseipdb.py",
    "chars": 736,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/alienvault.py",
    "chars": 908,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/atmos.py",
    "chars": 954,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/badips.py",
    "chars": 821,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/binarydefense.py",
    "chars": 684,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/bitcoinnodes.py",
    "chars": 747,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/blackbook.py",
    "chars": 755,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/blackholemonster.py",
    "chars": 680,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/blocklist.py",
    "chars": 605,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/botscout.py",
    "chars": 716,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/bruteforceblocker.py",
    "chars": 712,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/ciarmy.py",
    "chars": 606,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/cleantalk.py",
    "chars": 648,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/cobaltstrike.py",
    "chars": 967,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/cybercrimetracker.py",
    "chars": 1518,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/dataplane.py",
    "chars": 1098,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nSee the file 'LICENSE' for copying permission\n\"\"\"\n\nfrom core.common import retrieve_content\n\n"
  },
  {
    "path": "trails/feeds/dshieldip.py",
    "chars": 697,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/emergingthreatsbot.py",
    "chars": 640,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/emergingthreatscip.py",
    "chars": 655,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/emergingthreatsdns.py",
    "chars": 963,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/fareit.py",
    "chars": 1031,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/feodotrackerip.py",
    "chars": 777,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/gpfcomics.py",
    "chars": 638,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/greensnow.py",
    "chars": 822,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/ipnoise.py",
    "chars": 672,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/maxmind.py",
    "chars": 675,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/minerchk.py",
    "chars": 720,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/myip.py",
    "chars": 629,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/openphish.py",
    "chars": 779,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/palevotracker.py",
    "chars": 835,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/policeman.py",
    "chars": 788,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/ransomwaretrackerdns.py",
    "chars": 678,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/ransomwaretrackerip.py",
    "chars": 677,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/ransomwaretrackerurl.py",
    "chars": 815,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/rutgers.py",
    "chars": 674,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/sblam.py",
    "chars": 687,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/scriptzteam.py",
    "chars": 718,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/socksproxy.py",
    "chars": 736,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/sslproxies.py",
    "chars": 733,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/statics.py",
    "chars": 727,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/torproject.py",
    "chars": 717,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/trickbot.py",
    "chars": 929,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/turris.py",
    "chars": 715,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/urlhaus.py",
    "chars": 779,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/viriback.py",
    "chars": 1122,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/zeustrackermonitor.py",
    "chars": 647,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/feeds/zeustrackerurl.py",
    "chars": 673,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/static/__init__.py",
    "chars": 3417,
    "preview": "#!/usr/bin/env python\n\n\"\"\"\nCopyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\nSee the f"
  },
  {
    "path": "trails/static/malicious/365stealer_phishtool.txt",
    "chars": 646,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/404_tds.txt",
    "chars": 945,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/abcsoup.txt",
    "chars": 1094,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/adaptix_c2.txt",
    "chars": 18809,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/alchimist_c2.txt",
    "chars": 655,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/alexus_spamtool.txt",
    "chars": 455,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/anarchy_c2.txt",
    "chars": 229,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/android_goldoson.txt",
    "chars": 1347,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/android_hiddad.txt",
    "chars": 80591,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/araneida.txt",
    "chars": 2366,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/arl.txt",
    "chars": 24538,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/bad_proxy.txt",
    "chars": 1609,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/bad_script.txt",
    "chars": 245846,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/bad_service.txt",
    "chars": 99074,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/bitrixcore.txt",
    "chars": 480,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/black_tds.txt",
    "chars": 21197,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/brc4.txt",
    "chars": 31116,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/brchecker.txt",
    "chars": 301,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/browser_locker.txt",
    "chars": 280930,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/c2_panel.txt",
    "chars": 29876,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/caldera_c2.txt",
    "chars": 5296,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/chromekatz.txt",
    "chars": 544,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/cloakndagger_c2.txt",
    "chars": 222,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/contador_spamtool.txt",
    "chars": 710,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/coreimpact.txt",
    "chars": 302,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/covenant.txt",
    "chars": 24080,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/cyberstrikeai.txt",
    "chars": 2852,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/deimos_c2.txt",
    "chars": 63737,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/domain_shadowing.txt",
    "chars": 583,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_angler.txt",
    "chars": 2850,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_bottle.txt",
    "chars": 1244,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_capesand.txt",
    "chars": 314,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_clearfake.txt",
    "chars": 1084473,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_fallout.txt",
    "chars": 6855,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_generic.txt",
    "chars": 3619,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_grandsoft.txt",
    "chars": 1612,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_greenflash.txt",
    "chars": 386,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_kaixin.txt",
    "chars": 589,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_landupdate808.txt",
    "chars": 21336,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_magnitude.txt",
    "chars": 99180,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_neutrino.txt",
    "chars": 525,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_nuclear.txt",
    "chars": 370,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_purplefox.txt",
    "chars": 3666,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_radio.txt",
    "chars": 395,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_rig.txt",
    "chars": 12455,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_rogueraticate.txt",
    "chars": 1182,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_router.txt",
    "chars": 1909,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_scamclub.txt",
    "chars": 386,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_shade.txt",
    "chars": 1262,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_spelevo.txt",
    "chars": 34524,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_trillium.txt",
    "chars": 377,
    "preview": "  \n# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for co"
  },
  {
    "path": "trails/static/malicious/ek_underminer.txt",
    "chars": 2039,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_vextrio.txt",
    "chars": 35311,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ek_zphp.txt",
    "chars": 49615,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/elf_reversessh.txt",
    "chars": 28895,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/errtraffic_tds.txt",
    "chars": 910,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/evilginx.txt",
    "chars": 18831,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/filebroser.txt",
    "chars": 518,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/generic_tds.txt",
    "chars": 1016,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ghostshell_c2.txt",
    "chars": 282,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/gophish.txt",
    "chars": 141056,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/hak5cloud_c2.txt",
    "chars": 51489,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/havoc.txt",
    "chars": 126449,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/help_tds.txt",
    "chars": 1607,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/install_capital.txt",
    "chars": 763,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/install_cube.txt",
    "chars": 334,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/interactsh.txt",
    "chars": 141380,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/katyabot.txt",
    "chars": 317,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/keitaro_tds.txt",
    "chars": 172269,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/khepri_c2.txt",
    "chars": 1616,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/ligolo_tunnel.txt",
    "chars": 18555,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/magentocore.txt",
    "chars": 359542,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/merlin_c2.txt",
    "chars": 406,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/metasploit.txt",
    "chars": 147945,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/mini_c2.txt",
    "chars": 401,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/modxcore.txt",
    "chars": 323,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/moneybadgers_tds.txt",
    "chars": 381,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/msau_autouploader.txt",
    "chars": 1320,
    "preview": "# Reference: https://twitter.com/500mk500/status/1586505814839558145\n# Reference: https://twitter.com/neonprimetime/stat"
  },
  {
    "path": "trails/static/malicious/mythic.txt",
    "chars": 120117,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/nameless_c2.txt",
    "chars": 403,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/nighthawk.txt",
    "chars": 1951,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/nimplant.txt",
    "chars": 7743,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/openxcore.txt",
    "chars": 674,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/parrot_tds.txt",
    "chars": 2826,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/perfaudcore.txt",
    "chars": 608,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  },
  {
    "path": "trails/static/malicious/perswaysion.txt",
    "chars": 1204,
    "preview": "# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)\n# See the file 'LICENSE' for copyi"
  }
]

// ... and 2847 more files (download for full content)

About this extraction

This page contains the source code of the stamparm/maltrail GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The full extraction includes 3047 files (41.2 MB), approximately 11.0M tokens, and a symbol index with 297 extracted functions, classes, methods, constants, and types; the listing shown on this page is a truncated preview (2847 of the files are omitted here and are only available in the download). Note that the files under trails/static/malicious/ are named after malware families, C2 frameworks and exploit kits — treat their contents as threat-intelligence indicator data to be parsed, not as links to open. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.

Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.
