http://45.15.156.229/api/firegate.php - rule_id: 36052
http://45.15.156.229/api/tracemap.php - rule_id: 33783
https://vk.com/doc278414724_666990616?hash=4CotYHxpQIpd56XcQZdpXEA3nXJg8jBmLdZCLDYGTM4&dl=5wzQdfHJAm42JxdCzDIp2OLxzWhsnZyAL9RzHoNviH8&api=1&no_preview=1
https://sun6-23.userapi.com/c909618/u278414724/docs/d42/29be4c51d720/tmvwr.bmp?extra=lo1JLlDudToLN88wnSMMBgylnX1wZTo7dOyVInza09welEABQpw4eL107Ew0zGWbBHSZBcWjr8Ul2BHoKLnfShpyWd-XGHjt6BGnQMXMMB9fPp0nlsR-7ZS6NAy1Lkfclpxxg_FCr-j3uBfJEA
https://api.myip.com/

vk.com(87.240.132.78) - mailcious
ipinfo.io(34.117.59.81)
api.myip.com(172.67.75.163)
sun6-23.userapi.com(95.142.206.3) - mailcious
45.15.156.229 - mailcious
104.26.9.59
95.142.206.3 - mailcious
185.172.128.69 - malware
87.240.129.133 - mailcious
34.117.59.81

SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Executable Download from dotted-quad Host
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

http://45.15.156.229/api/firegate.php
http://45.15.156.229/api/tracemap.php

http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
http://23.254.227.214/api/tracemap.php - rule_id: 26616
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/

apps.identrust.com(23.43.165.105)
api.db-ip.com(104.26.5.15)
db-ip.com(104.26.5.15)
ipinfo.io(34.117.59.81)
www.maxmind.com(104.17.214.67)
172.217.175.68
23.254.227.214 - mailcious
172.67.75.166
121.254.136.27
34.117.59.81
104.17.214.67

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)

http://23.254.227.214/api/tracemap.php

http://metazone1.com/api/tracemap.php
http://metazone1.com/api/firegate.php
http://107.182.129.251/download/it_tab.png
http://107.182.129.251/download/it_tab.jpeg
https://ipinfo.io/widget
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1

vk.com(87.240.132.67)
iplis.ru(148.251.234.93) - mailcious
ipinfo.io(34.117.59.81)
metazone1.com(31.31.196.244)
iplogger.org(148.251.234.83) - mailcious
45.10.52.33 - mailcious
148.251.234.83
148.251.234.93 - mailcious
163.123.143.4 - mailcious
87.240.129.133
34.117.59.81
107.182.129.251 - malware
31.31.196.244 - mailcious

SURICATA Applayer Mismatch protocol both directions
ET INFO Observed URL Shortening Service Domain (vk .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
ET INFO Executable Download from dotted-quad Host
ET DROP Spamhaus DROP Listed Traffic Inbound group 9
ET INFO URL Shortening Service Domain in DNS Lookup (vk .com)
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY IP Check Domain (iplogger .org in TLS SNI)