From 8ec2a3a98d19ca25a3ab3b906b23d10577c06889 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 29 Dec 2017 20:01:55 +0100
Subject: [PATCH] add: automated-malware-analysis known domain list
Fix #45
---
 README.md | 1 +
 lists/automated-malware-analysis/list.json | 25 ++++++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 lists/automated-malware-analysis/list.json
diff --git a/README.md b/README.md
index 152c96b..4a25dec 100755
--- a/README.md
+++ b/README.md
@@ -10,6 +10,7 @@ are available in one of the list. The list can be globally enabled or disabled i
 # lists
 - [lists/alexa](lists/alexa) - Top 1000 websites from Alexa
+- [lists/automated-malware-analysis](lists/automated-malware-analysis) - known domains used by automated malware analysis services
 - [lists/eicar.com](lists/eicar.com) - hashes for EICAR test virus
 - [lists/empty-hashes](lists/empty-hashes) - hash values of empty files
 - [lists/google](lists/google) - known domains and hostnames from Google
diff --git a/lists/automated-malware-analysis/list.json b/lists/automated-malware-analysis/list.json
new file mode 100644
index 0000000..9c0f7a4
--- /dev/null
+++ b/lists/automated-malware-analysis/list.json
@@ -0,0 +1,25 @@
+{
+ "name": "List of known domains used by automated malware analysis services",
+ "version": 1,
+ "description": "Domains used by automated malware analysis services",
+ "type": "substring",
+ "matching_attributes": [
+ "domain",
+ "hostname",
+ "domain|ip",
+ "url"
+ ],
+ "list": [
+ "virustotal.com",
+ "malwr.com",
+ "hybrid-analysis.com",
+ "emergingthreats.net",
+ "joesandbox.com",
+ "anlyz.io",
+ "detux.org",
+ "akana.mobiseclab.org",
+ "sandbox.pikker.ee",
+ "www.threatexpert.com",
+ "www.vicheck.ca"
+ ]
+}
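Review bot: In `lists/automated-malware-analysis/list.json`, `"type": "substring"` together with the `domain`, `hostname`, `domain|ip` and `url` matching attributes means any value that merely contains one of these strings counts as a hit, so an unrelated host such as `virustotal.com.example.net` (constructed example) or a URL that only carries `malwr.com` in its path or query would be labelled as a known analysis-service domain. If consumers use warninglist hits to filter or de-prioritise indicators, that lets a look-alike value inherit the label and drop out of detection exports. Consider a host-anchored type such as `"type": "hostname"` (to be confirmed against the consuming MISP version) so only the listed domain and its subdomains match, and keep `url` only if the matcher anchors on the host part. The last two entries, `www.threatexpert.com` and `www.vicheck.ca`, carry a `www.` prefix while the others are bare domains, so values without the prefix would not match; listing the bare domains would make the list consistent.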