http://41.216.188.190/api/wp-admin.php
http://41.216.188.190/api/wp-ping.php
http://147.45.44.104/revada/66efcc2ab2731_setup3.exe#lyla
https://steamcommunity.com/profiles/76561199780418869
https://db-ip.com/demo/home.php?s=
https://api.myip.com/

db-ip.com(172.67.75.166)
api64.ipify.org(104.237.62.213)
api.myip.com(104.26.8.59)
steamcommunity.com(104.76.74.15) - mailcious
t.me(149.154.167.99) - mailcious
ipinfo.io(34.117.59.81)
bitbucket.org(104.192.140.25) - malware
149.154.167.99 - mailcious
176.111.174.109 - malware
104.26.8.59
104.76.74.15
176.113.115.33 - malware
104.26.4.15
41.216.188.190
104.192.140.24 - malware
116.203.165.127
147.45.44.104 - malware
173.231.16.77
34.117.59.81
103.130.147.211 - malware

ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO Observed Telegram Domain (t .me in TLS SNI)