http://198.46.178.145/38/vbc.exe

193.122.130.0
198.46.178.145 - mailcious

ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

http://checkip.dyndns.org/
https://newk1.shop/UUisfkPI/vice.exe

newk1.shop(172.67.132.107) - malware
api.telegram.org(149.154.167.220)
checkip.dyndns.org(158.101.44.242)
104.21.4.202 - malware
193.122.130.0
149.154.167.220

ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET HUNTING Telegram API Domain in DNS Lookup

http://checkip.dyndns.org/

checkip.dyndns.org(158.101.44.242)
api.telegram.org(149.154.167.220)
132.226.247.73
149.154.167.220

ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET INFO TLS Handshake Failure
ET HUNTING Telegram API Domain in DNS Lookup
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain

rentry.co(198.251.88.130) - malware
198.251.88.130

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://www.hatchandneststudio.com/ne28/?SR=INLkPwLdPEp0e7O+uk+XnPUPakKg/Q0E+8q2ORGJ7qDmdgM/ag03xqRekH731yYf/dhFFaa9&2d=9rjtkxr
http://www.brandpage.site/ne28/?SR=3ddPpw5qcAXzWYVMnui2+nOF7ExAiiZ39Pc1Ms0KRYuPug1U7PTOXmiuVPVz54bF6xy8HMPX&2d=9rjtkxr

www.brandpage.site(194.58.112.174)
www.hatchandneststudio.com(13.248.243.5)
13.248.243.5 - phishing
194.58.112.174 - mailcious

ET MALWARE FormBook CnC Checkin (GET)

http://192.3.179.147/94/vbc.exe
http://www.jdmgarage.shop/ne28/?2dc0O=4ylpq+cNkf9DAynrQJUi5yfCTtyjP79XIONaHlLz2tG3aZqG+v1Tyctnw0X8szX4qhMZUR9O&uZxT=XPgTRh4P

www.jdmgarage.shop(84.32.84.32)
www.theredorchard.co.uk()
84.32.84.32 - mailcious
192.3.179.147 - mailcious

ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE FormBook CnC Checkin (GET)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

http://eset.com/wLIdPRS656?q=2

www.eset.com(23.67.53.139)
eset.com(91.228.166.47)
rentry.co(198.251.88.130) - malware
152.199.39.108 - mailcious
91.228.166.47
198.251.88.130

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://46.175.149.13/Oilio.bat

46.175.149.13 - mailcious