http://checkip.amazonaws.com/
http://94.177.123.237:35200/IRemotePanel
https://1ls32sh.worwokr.ru/RdeSWHLHdlCi
https://api.ip.sb/geoip

WHOIS.APNIC.NET(172.104.77.201)
checkip.amazonaws.com(34.193.115.2)
whois.iana.org(192.0.32.59)
1ls32sh.worwokr.ru(81.177.165.230)
api.ip.sb(172.67.75.172)
34.192.7.28
172.104.77.201
192.0.32.59
104.26.13.31
94.177.123.237
81.177.165.230 - mailcious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request

benweve.com(95.213.224.87) - mailcious
193.106.175.43

ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response

http://paratuseventos.cl/doc/nov16/index.php

paratuseventos.cl(190.107.176.64) - mailcious
190.107.176.64 - mailcious

ET MALWARE AZORult v3.3 Server Response M3

http://benweve.com/clock/five/fre.php - rule_id: 153

benweve.com(193.106.175.43) - mailcious
193.106.175.43

ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response

http://benweve.com/clock/five/fre.php

http://setup.roblox.com/version

setup.roblox.com(52.216.12.62)
52.216.142.22

198.12.125.13 - mailcious

ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

kingshakes.linkpc.net(79.134.225.52) - mailcious
79.134.225.52 - mailcious

https://hastebin.com/raw/ozakocuver
https://hastebin.com/raw/afukimumiw
https://hastebin.com/raw/qirinoloqe
https://hastebin.com/raw/xohesulowe
https://hastebin.com/raw/locupetepa
https://hastebin.com/raw/iwukefezul
https://hastebin.com/raw/mirihuqaju
https://hastebin.com/raw/waciluzaqa

vremenew.ddns.net(79.134.225.12)
hastebin.com(104.24.126.89) - mailcious
172.67.143.180 - mailcious
79.134.225.12

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY DNS Query to DynDNS Domain *.ddns .net

darkangel.ac.ug(217.8.117.77)
217.8.117.77 - malware