198.46.174.165 - malware

ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

83.149.81.235 - mailcious

139.196.224.137 - malware

http://a.dowgmua.com/gamexyz/2701/random.exe - rule_id: 26100
http://77.73.134.27/8bmdh3Slb2/index.php - rule_id: 26125
http://jjx.eiwaggff.com/files/pe/pb1111.exe - rule_id: 26217
http://77.73.134.27/8bmdh3Slb2/Plugins/cred64.dll - rule_id: 26126
http://77.73.134.27/8bmdh3Slb2/index.php?scr=1 - rule_id: 26125
http://77.73.134.27/8bmdh3Slb2/Plugins/clip64.dll - rule_id: 26128
http://www.teeoffinscotland.com/handdiy_1.exe - rule_id: 26218
http://www.teeoffinscotland.com/handdiy1/handdiy_1.exe - rule_id: 26219
https://xv.yxzgamen.com/logo.png - rule_id: 26104
https://xv.yxzgamen.com/logo.png
https://b.dowgmub.com/gamexyz/2701/7a783382ab7fd5c1305599e648e4838f.exe
https://xv.yxzgamen.com/2701.html - rule_id: 26088
https://www.icodeps.com/ - rule_id: 14280

a.dowgmua.com(104.21.57.8) - malware
xv.yxzgamen.com(172.67.141.51) - mailcious
www.icodeps.com(149.28.253.196) - mailcious
b.dowgmub.com(104.21.70.228) - malware
iplogger.org(148.251.234.83) - mailcious
www.teeoffinscotland.com(104.21.11.161) - malware
jjx.eiwaggff.com(104.21.48.89) - malware
148.251.234.83
77.73.134.27 - malware
104.21.27.36 - mailcious
172.67.183.10 - malware
149.28.253.196 - mailcious
104.21.57.8 - malware
172.67.140.42 - mailcious
172.67.141.51 - mailcious
104.21.11.161 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Amadey CnC Check-In
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host DLL Request

http://a.dowgmua.com/gamexyz/2701/random.exe
http://77.73.134.27/8bmdh3Slb2/index.php
http://jjx.eiwaggff.com/files/pe/pb1111.exe
http://77.73.134.27/8bmdh3Slb2/Plugins/cred64.dll
http://77.73.134.27/8bmdh3Slb2/index.php
http://77.73.134.27/8bmdh3Slb2/Plugins/clip64.dll
http://www.teeoffinscotland.com/handdiy_1.exe
http://www.teeoffinscotland.com/handdiy1/handdiy_1.exe
https://xv.yxzgamen.com/logo.png
https://xv.yxzgamen.com/2701.html
https://www.icodeps.com/

https://api.ip.sb/ip

librchichelpai.shop(45.129.97.243) - mailcious
api.ip.sb(104.26.12.31)
45.129.97.243
104.26.13.31

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

82.115.223.9 - mailcious

104.21.57.8 - malware
104.21.11.161 - malware
172.67.140.42 - mailcious

62.204.41.159 - mailcious
77.73.134.27 - malware

ET DROP Dshield Block Listed Source group 1

https://api.ip.sb/ip

librchichelpai.shop(45.129.97.243) - mailcious
api.ip.sb(104.26.13.31)
104.26.12.31
45.129.97.243

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)