45.138.16.150 - mailcious

d1x3x.linkpc.net(45.138.16.150) - mailcious
45.138.16.150 - mailcious

ET INFO Observed DNS Query to DynDNS Domain (linkpc .net)
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Generic AsyncRAT Style SSL Cert

http://156.96.156.177:222/x.txt
http://156.96.156.177:222/pp.html

156.96.156.177

ET DROP Spamhaus DROP Listed Traffic Inbound group 13
ET INFO PowerShell NoProfile Command Received In Powershell Stagers
ET INFO PowerShell NonInteractive Command Common In Powershell Stagers

http://cacerts.digicert.com/DigiCertGlobalRootG2.crt

aka.ms(23.200.101.166)
api.joinmassive.com(18.64.8.115)
cacerts.digicert.com(172.64.149.82)
104.18.38.174
104.78.89.51
18.64.8.36

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Detect protocol only one direction

https://fastdl.raftmodding.com/data/launcher.php?branch=public

fastdl.raftmodding.com(172.67.142.102)
104.21.63.16

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://210.34.80.129/wbwj/fjafusoft/mobel_zffz/zypgmb_zffz.txt
http://210.34.80.129/wbwj/fjafusoft/mobel_zffz/Setup_Mobel.txt
http://210.34.80.129/wbwj/fjafusoft/setup_zffz.txt

210.34.80.129 - malware

ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile

http://146.70.147.12/jettyhead.exe

146.70.147.12

ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response