http://104.168.28.10/001.exe

91.240.118.49 - malware
104.168.28.10 - malware

ET DROP Spamhaus DROP Listed Traffic Inbound group 12
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET INFO Executable Download from dotted-quad Host
ET INFO TLS Handshake Failure
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

http://dugong.ydns.eu//kj2h34kj23h4/msvcp140.dll
http://dugong.ydns.eu//kj2h34kj23h4/vcruntime140.dll
http://dugong.ydns.eu//kj2h34kj23h4/nss3.dll
http://dugong.ydns.eu//kj2h34kj23h4/sqlite3.dll
http://dugong.ydns.eu//kj2h34kj23h4/softokn3.dll
http://dugong.ydns.eu//gtthfbsb2h.php
http://dugong.ydns.eu/
http://dugong.ydns.eu//kj2h34kj23h4/freebl3.dll
http://dugong.ydns.eu//kj2h34kj23h4/mozglue.dll

dugong.ydns.eu(38.180.229.217)
38.180.229.217

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity

195.3.223.35

195.3.223.35
51.89.23.91