54.169.136.76 - mailcious

ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

www.hahae.co.kr(211.233.50.229) - mailcious
211.233.50.229 - malware

http://www.excellentsunshop.com/cgc/?v2=SU0xek3BHwTUkYY7nlKXQ7zeI8h4mxTMtb12zbJJxjrhGHWatOaRJA5AnYPvMNX+zCUTF0rO&oX=TxohN6vpNVWDF

www.excellentsunshop.com(161.117.47.123)
161.117.47.123

http://paratuseventos.cl/doc/nov16/index.php - rule_id: 152

paratuseventos.cl(162.214.123.251) - mailcious
162.214.123.251
20.43.94.199

http://paratuseventos.cl/doc/nov16/index.php

www.hahae.co.kr(211.233.50.229) - mailcious
211.233.50.229 - malware

http://mute-saga-0240.lovesick.jp/WAH.exe

mute-saga-0240.lovesick.jp(163.44.185.199) - malware
163.44.185.199 - malware

ET POLICY PE EXE or DLL Windows file download HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex

54.169.136.76 - mailcious

ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu(192.253.246.143) - mailcious
192.253.246.143

http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/

api.ipify.org(54.225.66.103)
crt.comodoca.com(91.199.212.52)
91.199.212.52
54.225.169.28

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://paste.ee/r/5DfGL
https://paste.ee/r/nCYHY

paste.ee(172.67.219.133) - mailcious
172.67.219.133 - mailcious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)