http://104.194.128.170/svp/Ykwrxaauw.dat - rule_id: 37401

iplogger.com(148.251.234.93) - mailcious
148.251.234.93 - mailcious
104.194.128.170 - mailcious

ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

http://104.194.128.170/svp/Ykwrxaauw.dat

https://wallpapercave.com/uwp/uwp4072801.png
http://185.254.37.80/seventhhhhhhhh.txt

wallpapercave.com(104.22.52.71) - malware
172.67.29.26 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://wallpapercave.com/uwp/uwp4082989.png
http://94.156.253.236/newbeginining.txt

wallpapercave.com(172.67.29.26) - malware
172.67.29.26 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://wallpapercave.com/uwp/uwp4072801.png
http://185.254.37.80/apamaaktivosbase6444.txt

wallpapercave.com(104.22.52.71) - malware
104.22.53.71

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://185.254.37.80/sevenththththththth.vbs

wallpapercave.com(104.22.52.71) - malware
185.254.37.80 - mailcious
104.22.53.71

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request

http://79.137.192.18/latestX.exe - rule_id: 37269
http://galandskiyher5.com/downloads/toolspub2.exe - rule_id: 37268
http://193.42.33.7/mbSDvj3/index.php
https://foxandcatbet.org/e0cbefcb1af40c7d4aff4aca26621a98.exe - rule_id: 37364

rangeroverfan.org(172.67.165.223) - malware
galandskiyher5.com(194.169.175.127) - malware
foxandcatbet.org(104.21.71.26) - malware
pastebin.com(104.20.67.143) - mailcious
xmr-eu1.nanopool.org(51.15.193.130) - mailcious
51.255.34.118
193.42.33.7 - mailcious
194.169.175.127 - malware
79.137.192.18 - malware
104.21.66.240
104.21.71.26 - malware
51.15.65.182 - mailcious
172.67.34.170 - mailcious

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)

http://79.137.192.18/latestX.exe
http://galandskiyher5.com/downloads/toolspub2.exe
https://foxandcatbet.org/e0cbefcb1af40c7d4aff4aca26621a98.exe

https://i.imgur.com/pRZqSZX.png

i.imgur.com(146.75.92.193) - mailcious
ctrip.com(114.80.56.121)
i.ibb.co(172.96.160.210) - mailcious
104.194.8.143 - mailcious
146.75.92.193 - mailcious
51.15.65.182 - mailcious
114.80.56.121

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

http://94.156.253.236/lllllillilililiil.vbs

wallpapercave.com(104.22.53.71) - malware
172.67.29.26 - malware
94.156.253.236 - mailcious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request

rxrr.duckdns.org(185.81.157.213) - mailcious
185.81.157.213 - mailcious

ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Generic AsyncRAT Style SSL Cert

https://wallpapercave.com/uwp/uwp4082989.png
http://94.156.253.236/yeyeyeyyeeyyeyeye.txt

wallpapercave.com(104.22.52.71) - malware
104.22.53.71

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
http://kevinrobinson.top/e9c345fc99a4e67e.php - rule_id: 37432
http://172.86.97.117/himeffectivelyproress.exe - rule_id: 37400
http://85.217.144.143/files/Amadey.exe - rule_id: 37253
http://5.75.212.77/13088c19c5a97b42d0d1d9573cc9f1b8
http://5.75.212.77/upgrade.zip - rule_id: 37406
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://galandskiyher5.com/downloads/toolspub1.exe - rule_id: 37396
http://colisumy.com/dl/build2.exe - rule_id: 31026
http://gobo02fc.top/build.exe - rule_id: 37395
http://85.217.144.143/files/My2.exe - rule_id: 34643
http://apps.identrust.com/roots/dstrootcax3.p7c
http://5.75.212.77/55d1d90f582be35927dbf245a6a59f6e - rule_id: 37430
http://104.194.128.170/svp/Hfxbflp.mp3
http://jackantonio.top/timeSync.exe - rule_id: 37357
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://94.142.138.113/api/tracemap.php - rule_id: 28877
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://5.42.92.88/loghub/master - rule_id: 37264
http://193.42.33.7/mbSDvj3/index.php - rule_id: 37449
http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://5.75.212.77/ - rule_id: 37407
http://45.129.14.83/fra.exe
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://171.22.28.213/3.exe - rule_id: 37068
http://94.142.138.113/api/firegate.php - rule_id: 36152
http://171.22.28.221/files/Random.exe - rule_id: 37434
http://193.42.32.118/api/firecom.php - rule_id: 36700
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
http://www.maxmind.com/geoip/v2.1/city/me
http://gons01b.top/build.exe - rule_id: 37402
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
https://sun6-23.userapi.com/c909228/u52355237/docs/d38/847843b59260/d3h782af.bmp?extra=47rdXWAczPPHoELmIB5F-wINKuHjiWx6MelbVcVKX-XzpjSlHCjtPC1dX3n_SIjy-E4a7Hg3ljMBe_q87PD5QlZ2pVx4ON5lHKAy5mRVFJ1gUNHTUI93vvVaO6EwzCqnfk4tvVE6n497Lvvo
https://db-ip.com/demo/home.php?s=175.208.134.152
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=a00cd6w1eEWAICwyKE1cTFHt5KkPpREimUXb%2F8yxloI%3D&spr=https&se=2023-10-21T09%3A35%3A45Z&rscl=x-e2eid-895be34d-23854a20-9d9bd2e0-37a2ea5b-session-e9f4363b-00ed493a-bb4152d6-64db1898
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=i2VslFCszJFPcsoKvioFglCJvuT3uSV4ZcbuBEr9zkw%3D&spr=https&se=2023-10-21T09%3A12%3A02Z&rscl=x-e2eid-ea5bfd11-052b4cba-8003f3a4-4c7e5a46-session-8e6b7233-d98a40c2-b0fb76d7-2383fe95
https://sun6-20.userapi.com/c909618/u52355237/docs/d11/f10de79a60ff/zxc.bmp?extra=2IWemhXJCtxsmHnrEM-ehLyp7-WvTFYNf8GWUSetJ8-guOw5s09JP69BhcVtGTfTBNve75XWmGAhxDunL7CtJMC1rNTCZuAvsRuanIuDufmraKQuKFdW0Cm_40H7Ham6r6z6YAx4u-VxVNfo
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe - rule_id: 37397
https://vk.com/doc52355237_667162081?hash=4BgzraSUlIskCw5J6xGm3ViPzq8b7svHxEssqfvoCPH&dl=LANzNVd3qg51q6TImeUt70feNJmp9qZlTmWM3bxixcD&api=1&no_preview=1#test22
https://potatogoose.com/011c9f113ddd731c796c737fa640ca01/baf14778c246e15550645e30ba78ce1c.exe
https://experiment.pw/setup294.exe - rule_id: 37436
https://pastebin.com/raw/HPj0MzD6 - rule_id: 37403
https://sun6-23.userapi.com/c909518/u52355237/docs/d49/2461e2bfbe4c/PL_Client.bmp?extra=rsx6YdeS1TMyj8hstvsuJl4qhUAw0Cl_BDL9zlBtIcqYM_c5iOMTGcoEDS3olEnkyxRuhLKtQgZ_Zj9A57UjQvMe0WnaTE5UkrhQZfK52loM8JRRAIGs9XcvugIqJJ1mp3W0eylyXuWPRmvv
https://api.myip.com/
https://steamcommunity.com/profiles/76561199563297648 - rule_id: 37362
https://sun6-23.userapi.com/c235131/u52355237/docs/d29/c2ec420964d3/2.bmp?extra=smxM9cx8UEWCOi7dAazlPSUrryzvsUncAMkw9IxCyGfvRsBfqF9Kcg1S-tNZodsGOZ48oxP5EllG8Xt2Ml5MTfQOxvIXD5_Fz8dySEBwkZD0lSlzpLf7fEFS2icznum8dAEPSqE3f4Oo6JPe
https://msdl.microsoft.com/download/symbols/index2.txt
https://sso.passport.yandex.ru/push?uuid=f7ac55a0-6e6f-4cd3-8e26-a48c8345246e&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://sun6-23.userapi.com/c909518/u52355237/docs/d48/367eee565503/WWW11_32.bmp?extra=lT8dVRtZIQ6vp6oOAx94JFf1Pro4u-Ic3tMl1CwZ8XPaX73x5ZrR1KeXmhnzlfj7eyhv7kwN3ufSPWi09MsfgYLRAda7vmz9jpdhAXH9UFKpzlAsiGhAQn-f4zeU-Bw9pQ0y1tekcHh7kG0I
https://sun6-20.userapi.com/c909518/u52355237/docs/d7/12f243df05d7/test2222.bmp?extra=5bKT7bWgmxjzByTTdgZLdjnXojvB8-hfjOtwHYX6E6fgUFd2WSjbF6OE-4IlOSj2ex_qerAma71rtt-akOzRHhnyyLh_hGKtJNRiHlwRwkCy1H5_zDaf6KrOyd06nRcyKhI_1KX0VQOBkLZW
https://dzen.ru/?yredirect=true
https://pastebin.com/raw/xYhKBupz - rule_id: 36780
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
https://api.2ip.ua/geo.json
https://sun6-22.userapi.com/c909228/u52355237/docs/d34/5396c88b015b/RisePro_0_9.bmp?extra=yXqSXHL5f2CYAzONeUP1CPICSmUZrVngDGEO05ensD48azqcKnZhT4LnpLZSM8Awzy3VfNBN9qtudAdBqvG2Bz9DjytesrB8-F7i4ClmlyfNYz5P0OZKhaPjYFvjyA3yFHnDZDJPNuyzY6lZ
https://vk.com/doc52355237_667141516?hash=HsWBQHEyToldG20L9sZwIGv5gYpaCVz2I4NaffNltj4&dl=bzijOkGFnqMWzUUPzsZAF8ZEAo0nny8RcsO8lHuWRKD&api=1&no_preview=1#rise
https://diplodoka.net/011c9f113ddd731c796c737fa640ca01/7a54bdb20779c4359694feaa1398dd25.exe
https://vk.com/doc52355237_667169888?hash=0FXstFY9YauEmcBFs6Ju2Y5tz7xvBx6HWmEsxICLiEk&dl=ZYeU9AHGQRsNeFvrDCqd9qZaUAOggliBMioUMK71cy8&api=1&no_preview=1#t1
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://neuralshit.net/011c9f113ddd731c796c737fa640ca01/7725eaa6592c80f8124e769b4e8a07f7.exe
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
https://sun6-20.userapi.com/c235131/u52355237/docs/d47/44a24ce675a2/crypted.bmp?extra=zC6h-JiJEnlq0D7d34kRb8Vbq1AnLg6Vg_zNG5ePklvOfDwaCO35VzPPNI5eK99N1s35KXwS1iDpWGb2FFRintE43fmGTCnpX9oWSgb42LHByV-2U5b5oyRP2ZmgndiJVmc8OeFX9UV2rI2A

neuralshit.net(172.67.134.35) - malware
www.maxmind.com(104.18.146.235)
db-ip.com(172.67.75.166)
jackantonio.top(45.132.1.20) - malware
dzen.ru(62.217.160.2)
t.me(149.154.167.99) - mailcious
lrefjviufewmcd.org(91.215.85.209) - malware
ipinfo.io(34.117.59.81)
sun6-23.userapi.com(95.142.206.3) - mailcious
galandskiyher5.com(194.169.175.127) - malware
iplogger.org(148.251.234.83) - mailcious
potatogoose.com(104.21.35.235) - malware
darianentertainment.com(65.109.26.240)
lakuiksong.known.co.ke(146.59.70.14) - malware
api.2ip.ua(172.67.139.220)
steamcommunity.com(104.76.78.101) - mailcious
martvl.com(69.48.143.183) - malware
api.db-ip.com(172.67.75.166)
laubenstein.space(45.130.41.101) - mailcious
twitter.com(104.244.42.129)
telegram.org(149.154.167.99)
yip.su(148.251.234.93) - mailcious
cdn.discordapp.com(162.159.135.233) - malware
sun6-20.userapi.com(95.142.206.0) - mailcious
kevinrobinson.top(45.132.1.20) - mailcious
octocrabs.com(104.21.21.189) - mailcious
ab07dfb1-b583-46f4-8c3d-99c8152cf07f.uuid.filesdumpplace.org(185.82.216.96)
sun6-21.userapi.com(95.142.206.1) - mailcious
msdl.microsoft.com(204.79.197.219)
diplodoka.net(104.21.78.56) - malware
experiment.pw(104.21.34.37) - malware
yandex.ru(77.88.55.60)
grabyourpizza.com(172.67.197.174) - malware
iplogger.com(148.251.234.93) - mailcious
gons01b.top(85.143.220.63) - malware
zexeq.com(211.119.84.112) - malware
stun4.l.google.com(172.253.127.127)
vsblobprodscussu5shard10.blob.core.windows.net(20.150.70.36)
colisumy.com(201.124.243.137) - malware
net.geo.opera.com(107.167.110.211)
api.myip.com(172.67.75.163)
gobo02fc.top(85.143.220.63) - malware
sun6-22.userapi.com(95.142.206.2) - mailcious
pastebin.com(104.20.67.143) - mailcious
flyawayaero.net(104.21.93.225) - malware
vsblobprodscussu5shard58.blob.core.windows.net(20.150.38.228)
vk.com(87.240.132.67) - mailcious
sso.passport.yandex.ru(213.180.204.24)
server11.filesdumpplace.org(185.82.216.96)
iplis.ru(148.251.234.93) - mailcious
lycheepanel.info(104.21.32.208) - malware
148.251.234.93 - mailcious
194.169.175.128 - mailcious
85.217.144.143 - malware
104.18.146.235
193.42.33.7 - mailcious
93.186.225.194 - mailcious
171.22.28.213 - malware
69.48.143.183 - malware
172.67.167.220 - malware
194.169.175.127 - malware
185.225.75.171 - mailcious
77.91.124.55 - mailcious
104.20.68.143 - mailcious
162.159.135.233 - malware
62.217.160.2
104.244.42.1 - suspicious
104.26.5.15
5.255.255.70
172.86.97.117 - malware
104.20.67.143 - mailcious
149.154.167.99 - mailcious
104.21.65.24
104.21.34.37 - phishing
45.129.14.83 - malware
20.150.38.228
104.21.90.82 - malware
95.142.206.1 - mailcious
91.215.85.209 - mailcious
204.79.197.219
172.67.187.122 - malware
190.187.52.42
171.22.28.224
171.22.28.226 - malware
171.22.28.221 - malware
20.150.79.68
34.117.59.81
77.91.68.249 - malware
85.143.220.63 - malware
104.21.21.189
104.21.35.235
185.82.216.96
148.251.234.83
104.26.8.59
104.21.6.10 - malware
190.219.136.87
193.42.32.118 - mailcious
5.75.212.77 - mailcious
45.132.1.20 - mailcious
104.21.32.208 - malware
172.67.75.166
172.67.216.81 - malware
94.142.138.113 - mailcious
172.67.197.174
121.254.136.9
65.109.26.240 - mailcious
45.130.41.101 - mailcious
104.21.78.56 - malware
107.167.110.211
45.15.156.229 - mailcious
104.194.128.170 - mailcious
193.42.32.29 - malware
95.142.206.3 - mailcious
95.142.206.2 - mailcious
172.67.139.220
185.216.70.238 - mailcious
172.67.217.52 - malware
95.142.206.0 - mailcious
146.59.70.14 - malware
171.22.28.239
213.180.204.24
172.67.180.173 - malware
87.240.132.72 - mailcious
142.251.2.127
171.22.28.236
104.76.78.101 - mailcious
5.42.92.88 - mailcious

ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET INFO Executable Download from dotted-quad Host
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.pw domain - Likely Hostile
ET HUNTING Suspicious services.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Possible EXE Download From Suspicious TLD
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO TLS Handshake Failure
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Redline Stealer Activity (Response)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET HUNTING Request to .TOP Domain with Minimal Headers
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO Dotted Quad Host ZIP Request
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)

http://171.22.28.226/download/WWW14_64.exe
http://kevinrobinson.top/e9c345fc99a4e67e.php
http://172.86.97.117/himeffectivelyproress.exe
http://85.217.144.143/files/Amadey.exe
http://5.75.212.77/upgrade.zip
http://zexeq.com/test2/get.php
http://45.15.156.229/api/firegate.php
http://galandskiyher5.com/downloads/toolspub1.exe
http://colisumy.com/dl/build2.exe
http://gobo02fc.top/build.exe
http://85.217.144.143/files/My2.exe
http://5.75.212.77/55d1d90f582be35927dbf245a6a59f6e
http://jackantonio.top/timeSync.exe
http://zexeq.com/files/1/build3.exe
http://94.142.138.113/api/tracemap.php
http://193.42.32.118/api/firegate.php
http://171.22.28.226/download/Services.exe
http://5.42.92.88/loghub/master
http://193.42.33.7/mbSDvj3/index.php
http://lakuiksong.known.co.ke/netTimer.exe
http://193.42.32.118/api/tracemap.php
http://5.75.212.77/
http://45.15.156.229/api/tracemap.php
http://171.22.28.213/3.exe
http://94.142.138.113/api/firegate.php
http://171.22.28.221/files/Random.exe
http://193.42.32.118/api/firecom.php
http://gons01b.top/build.exe
http://77.91.68.249/navi/kur90.exe
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe
https://experiment.pw/setup294.exe
https://pastebin.com/raw/HPj0MzD6
https://steamcommunity.com/profiles/76561199563297648
https://pastebin.com/raw/xYhKBupz
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe

http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907
http://kevinrobinson.top/e9c345fc99a4e67e.php - rule_id: 37432
http://172.86.97.117/himeffectivelyproress.exe - rule_id: 37400
http://85.217.144.143/files/Amadey.exe - rule_id: 37253
http://5.75.212.77/13088c19c5a97b42d0d1d9573cc9f1b8 - rule_id: 37466
http://gons01b.top/build.exe - rule_id: 37402
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911
http://5.75.212.77/ - rule_id: 37407
http://colisumy.com/dl/build2.exe - rule_id: 31026
http://gobo02fc.top/build.exe - rule_id: 37395
http://85.217.144.143/files/My2.exe - rule_id: 34643
http://apps.identrust.com/roots/dstrootcax3.p7c
http://5.75.212.77/55d1d90f582be35927dbf245a6a59f6e - rule_id: 37430
http://104.194.128.170/svp/Hfxbflp.mp3 - rule_id: 37467
http://45.15.156.229/api/firegate.php - rule_id: 36052
http://zexeq.com/files/1/build3.exe - rule_id: 27913
http://171.22.28.221/files/Ads.exe - rule_id: 37468
http://193.42.32.118/api/firegate.php - rule_id: 36458
http://171.22.28.226/download/Services.exe - rule_id: 37064
http://5.42.92.88/loghub/master - rule_id: 37264
http://193.42.33.7/mbSDvj3/index.php - rule_id: 37449
http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358
http://193.42.32.118/api/tracemap.php - rule_id: 36180
http://galandskiyher5.com/downloads/toolspub1.exe - rule_id: 37396
http://45.129.14.83/fra.exe - rule_id: 37469
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://171.22.28.213/3.exe - rule_id: 37068
http://171.22.28.221/files/Random.exe - rule_id: 37434
http://193.42.32.118/api/firecom.php - rule_id: 36700
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
http://www.maxmind.com/geoip/v2.1/city/me
http://5.75.212.77/upgrade.zip - rule_id: 37406
http://77.91.68.249/navi/kur90.exe - rule_id: 37069
http://193.42.33.7/newumma.exe - rule_id: 37470
http://jackantonio.top/timeSync.exe - rule_id: 37357
https://sun6-23.userapi.com/c909228/u52355237/docs/d38/847843b59260/d3h782af.bmp?extra=47rdXWAczPPHoELmIB5F-wINKuHjiWx6MelbVcVKX-XzpjSlHCjtPC1dX3n_SIjy-E4a7Hg3ljMBe_q87PD5QlZ2pVx4ON5lHKAy5mRVFJ1gUNHTUI93vvVaO6EwzCqnfk4tvVE6n497Lvvo
https://db-ip.com/demo/home.php?s=175.208.134.152
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe - rule_id: 36783
https://sun6-20.userapi.com/c909618/u52355237/docs/d11/f10de79a60ff/zxc.bmp?extra=2IWemhXJCtxsmHnrEM-ehLyp7-WvTFYNf8GWUSetJ8-guOw5s09JP69BhcVtGTfTBNve75XWmGAhxDunL7CtJMC1rNTCZuAvsRuanIuDufmraKQuKFdW0Cm_40H7Ham6r6z6YAx4u-VxVNfo
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe - rule_id: 37397
https://experiment.pw/setup294.exe - rule_id: 37436
https://pastebin.com/raw/HPj0MzD6 - rule_id: 37403
https://sso.passport.yandex.ru/push?uuid=0c22eec9-dd9e-4ca3-bb99-195d019d5eff&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://sun6-23.userapi.com/c909518/u52355237/docs/d49/2461e2bfbe4c/PL_Client.bmp?extra=rsx6YdeS1TMyj8hstvsuJl4qhUAw0Cl_BDL9zlBtIcqYM_c5iOMTGcoEDS3olEnkyxRuhLKtQgZ_Zj9A57UjQvMe0WnaTE5UkrhQZfK52loM8JRRAIGs9XcvugIqJJ1mp3W0eylyXuWPRmvv
https://api.myip.com/
https://steamcommunity.com/profiles/76561199563297648 - rule_id: 37362
https://sun6-23.userapi.com/c235131/u52355237/docs/d29/c2ec420964d3/2.bmp?extra=smxM9cx8UEWCOi7dAazlPSUrryzvsUncAMkw9IxCyGfvRsBfqF9Kcg1S-tNZodsGOZ48oxP5EllG8Xt2Ml5MTfQOxvIXD5_Fz8dySEBwkZD0lSlzpLf7fEFS2icznum8dAEPSqE3f4Oo6JPe
https://potatogoose.com/49a60f5db34b71a108084872f1d8829a/baf14778c246e15550645e30ba78ce1c.exe
https://diplodoka.net/49a60f5db34b71a108084872f1d8829a/7a54bdb20779c4359694feaa1398dd25.exe
https://sun6-23.userapi.com/c909518/u52355237/docs/d48/367eee565503/WWW11_32.bmp?extra=lT8dVRtZIQ6vp6oOAx94JFf1Pro4u-Ic3tMl1CwZ8XPaX73x5ZrR1KeXmhnzlfj7eyhv7kwN3ufSPWi09MsfgYLRAda7vmz9jpdhAXH9UFKpzlAsiGhAQn-f4zeU-Bw9pQ0y1tekcHh7kG0I
https://sun6-20.userapi.com/c909518/u52355237/docs/d7/12f243df05d7/test2222.bmp?extra=5bKT7bWgmxjzByTTdgZLdjnXojvB8-hfjOtwHYX6E6fgUFd2WSjbF6OE-4IlOSj2ex_qerAma71rtt-akOzRHhnyyLh_hGKtJNRiHlwRwkCy1H5_zDaf6KrOyd06nRcyKhI_1KX0VQOBkLZW
https://dzen.ru/?yredirect=true
https://neuralshit.net/49a60f5db34b71a108084872f1d8829a/7725eaa6592c80f8124e769b4e8a07f7.exe
https://pastebin.com/raw/xYhKBupz - rule_id: 36780
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
https://api.2ip.ua/geo.json
https://sun6-22.userapi.com/c909228/u52355237/docs/d34/5396c88b015b/RisePro_0_9.bmp?extra=yXqSXHL5f2CYAzONeUP1CPICSmUZrVngDGEO05ensD48azqcKnZhT4LnpLZSM8Awzy3VfNBN9qtudAdBqvG2Bz9DjytesrB8-F7i4ClmlyfNYz5P0OZKhaPjYFvjyA3yFHnDZDJPNuyzY6lZ
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716
https://sun6-20.userapi.com/c235131/u52355237/docs/d47/44a24ce675a2/crypted.bmp?extra=zC6h-JiJEnlq0D7d34kRb8Vbq1AnLg6Vg_zNG5ePklvOfDwaCO35VzPPNI5eK99N1s35KXwS1iDpWGb2FFRintE43fmGTCnpX9oWSgb42LHByV-2U5b5oyRP2ZmgndiJVmc8OeFX9UV2rI2A

neuralshit.net(104.21.6.10) - malware
db-ip.com(104.26.4.15)
lakuiksong.known.co.ke(146.59.70.14) - malware
jackantonio.top(45.132.1.20) - malware
t.me(149.154.167.99) - mailcious
lrefjviufewmcd.org(91.215.85.209) - malware
ipinfo.io(34.117.59.81)
sun6-23.userapi.com(95.142.206.3) - mailcious
yandex.ru(5.255.255.77)
galandskiyher5.com(194.169.175.127) - malware
iplogger.org(148.251.234.83) - mailcious
potatogoose.com(104.21.35.235) - malware
darianentertainment.com(65.109.26.240)
dzen.ru(62.217.160.2)
api.2ip.ua(104.21.65.24)
steamcommunity.com(104.76.78.101) - mailcious
martvl.com(69.48.143.183) - malware
grabyourpizza.com(104.21.90.82) - malware
laubenstein.space(45.130.41.101) - mailcious
twitter.com(104.244.42.65)
telegram.org(149.154.167.99)
yip.su(148.251.234.93) - mailcious
sun6-20.userapi.com(95.142.206.0) - mailcious
kevinrobinson.top(45.132.1.20) - mailcious
api.db-ip.com(104.26.4.15)
sun6-21.userapi.com(95.142.206.1) - mailcious
sso.passport.yandex.ru(213.180.204.24)
diplodoka.net(172.67.217.52) - malware
experiment.pw(104.21.34.37) - malware
www.maxmind.com(104.18.145.235)
iplogger.com(148.251.234.93) - mailcious
gons01b.top(85.143.220.63) - malware
zexeq.com(2.180.10.7) - malware
octocrabs.com(104.21.21.189) - mailcious
colisumy.com(123.140.161.243) - malware
412f46bf-dd0d-47dc-a208-5c99cf96abe8.uuid.alldatadump.org(185.82.216.108)
iplis.ru(148.251.234.93) - mailcious
gobo02fc.top(85.143.220.63) - malware
sun6-22.userapi.com(95.142.206.2) - mailcious
pastebin.com(104.20.67.143) - mailcious
flyawayaero.net(172.67.216.81) - malware
net.geo.opera.com(107.167.110.216)
vk.com(87.240.132.67) - mailcious
api.myip.com(172.67.75.163)
lycheepanel.info(104.21.32.208) - malware
148.251.234.93 - mailcious
194.169.175.128 - mailcious
85.217.144.143 - malware
104.18.146.235
104.18.145.235
123.140.161.243 - mailcious
93.186.225.194 - mailcious
69.48.143.183 - malware
172.67.167.220 - malware
194.169.175.127 - malware
185.225.75.171 - mailcious
77.91.124.55 - mailcious
104.20.68.143 - mailcious
62.217.160.2
104.26.5.15
208.67.104.60 - mailcious
104.244.42.129 - suspicious
172.86.97.117 - malware
104.20.67.143 - mailcious
149.154.167.99 - mailcious
104.21.65.24
172.67.75.166
45.129.14.83 - malware
104.21.90.82 - malware
95.142.206.1 - mailcious
91.215.85.209 - mailcious
193.42.33.7 - mailcious
172.67.187.122 - malware
23.77.13.112
171.22.28.224 - mailcious
171.22.28.226 - malware
171.22.28.221 - malware
34.117.59.81
77.91.68.249 - malware
85.143.220.63 - malware
104.21.21.189
172.67.180.173 - malware
87.240.137.164 - mailcious
148.251.234.83
104.26.8.59
45.130.41.101 - mailcious
172.67.134.35 - malware
193.42.32.118 - mailcious
5.75.212.77 - mailcious
45.132.1.20 - mailcious
104.21.32.208 - malware
77.88.55.88
172.67.216.81 - malware
121.254.136.9
65.109.26.240 - mailcious
23.67.53.27
104.26.9.59
104.21.78.56 - malware
107.167.110.211
45.15.156.229 - mailcious
104.194.128.170 - mailcious
107.167.110.216
193.42.32.29 - malware
95.142.206.3 - mailcious
95.142.206.2 - mailcious
5.42.92.88 - mailcious
95.142.206.0 - mailcious
172.67.217.52 - malware
104.21.93.225 - phishing
146.59.70.14 - malware
171.22.28.239 - mailcious
213.180.204.24
171.22.28.213 - malware
87.240.129.133 - mailcious
171.22.28.236 - mailcious
104.76.78.101 - mailcious

ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DNS Query to a *.top domain - Likely Hostile
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET HUNTING Possible EXE Download From Suspicious TLD
ET HUNTING Suspicious services.exe in URI
ET INFO TLS Handshake Failure
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Packed Executable Download
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET HUNTING Request to .TOP Domain with Minimal Headers
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Dotted Quad Host ZIP Request
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)

http://171.22.28.226/download/WWW14_64.exe
http://kevinrobinson.top/e9c345fc99a4e67e.php
http://172.86.97.117/himeffectivelyproress.exe
http://85.217.144.143/files/Amadey.exe
http://5.75.212.77/13088c19c5a97b42d0d1d9573cc9f1b8
http://gons01b.top/build.exe
http://zexeq.com/test2/get.php
http://5.75.212.77/
http://colisumy.com/dl/build2.exe
http://gobo02fc.top/build.exe
http://85.217.144.143/files/My2.exe
http://5.75.212.77/55d1d90f582be35927dbf245a6a59f6e
http://104.194.128.170/svp/Hfxbflp.mp3
http://45.15.156.229/api/firegate.php
http://zexeq.com/files/1/build3.exe
http://171.22.28.221/files/Ads.exe
http://193.42.32.118/api/firegate.php
http://171.22.28.226/download/Services.exe
http://5.42.92.88/loghub/master
http://193.42.33.7/mbSDvj3/index.php
http://lakuiksong.known.co.ke/netTimer.exe
http://193.42.32.118/api/tracemap.php
http://galandskiyher5.com/downloads/toolspub1.exe
http://45.129.14.83/fra.exe
http://45.15.156.229/api/tracemap.php
http://171.22.28.213/3.exe
http://171.22.28.221/files/Random.exe
http://193.42.32.118/api/firecom.php
http://5.75.212.77/upgrade.zip
http://77.91.68.249/navi/kur90.exe
http://193.42.33.7/newumma.exe
http://jackantonio.top/timeSync.exe
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe
https://experiment.pw/setup294.exe
https://pastebin.com/raw/HPj0MzD6
https://steamcommunity.com/profiles/76561199563297648
https://pastebin.com/raw/xYhKBupz
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe

http://185.254.37.174/droidwednesdayyyFile.vbs

wallpapercave.com(104.22.52.71) - malware
185.254.37.174 - mailcious
104.22.52.71

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request

https://wallpapercave.com/uwp/uwp4082989.png
http://193.42.33.51/aby.txt

wallpapercave.com(172.67.29.26) - malware
172.67.29.26 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://wallpapercave.com/uwp/uwp4082989.png
http://185.254.37.174/apamaaktivozdroidbase644.txt

wallpapercave.com(104.22.53.71) - malware
104.22.53.71

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)