http://uamgayumeqmwemas.xyz:1775/avast_update - rule_id: 41478
http://uamgayumeqmwemas.xyz:1775/api/client_hello - rule_id: 41479

ugmkmoigiimgmaaw.xyz() - mailcious
iqowocguasswcmca.xyz() - mailcious
scqekwyoswaguuyo.xyz(188.40.187.174) - mailcious
skssoeqouussusyi.xyz(15.197.192.55) - mailcious
kmiigggyqiwkeeci.xyz() - mailcious
kgeyscaqeacwaccu.xyz() - mailcious
uamgayumeqmwemas.xyz(185.172.129.25) - mailcious
15.197.192.55 - mailcious
188.40.187.174 - mailcious
185.172.129.25 - mailcious

ET HUNTING EXE Base64 Encoded potential malware
ET SHELLCODE Common 0a0a0a0a Heap Spray String

http://uamgayumeqmwemas.xyz:1775/avast_update
http://uamgayumeqmwemas.xyz:1775/api/client_hello

http://geoplugin.net/json.gp

geoplugin.net(178.237.33.50)
infoprokaps.ddns.net(178.162.212.214)
178.162.212.214
178.237.33.50

ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET JA3 Hash - Remcos 3.x TLS Connection

http://geoplugin.net/json.gp

geoplugin.net(178.237.33.50) -
aryexpcrt.ddns.net(68.235.48.108) -
178.237.33.50 -
68.235.48.108 -

ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET JA3 Hash - Remcos 3.x TLS Connection

aryexpcrt.ddns.net(68.235.48.108) -
68.235.48.108 -
141.94.96.195 -

ET POLICY DNS Query to DynDNS Domain *.ddns .net

ftp.artemusa.cl(158.69.242.51) - mailcious
158.69.242.51 - mailcious
45.242.211.92

SURICATA Applayer Detect protocol only one direction
ET MALWARE AgentTesla Exfil via FTP

ftp.artemusa.cl(158.69.242.51)
158.69.242.51 - mailcious

SURICATA Applayer Detect protocol only one direction
ET MALWARE AgentTesla Exfil via FTP