http://185.172.128.90/cpa/ping.php?substr=one&s=two - rule_id: 38981

185.172.128.90 - mailcious

ET DROP Spamhaus DROP Listed Traffic Inbound group 32

http://185.172.128.90/cpa/ping.php

https://db-ip.com/demo/home.php?s=175.208.134.152

ipinfo.io(34.117.186.192)
db-ip.com(104.26.4.15)
147.45.47.126 - mailcious
104.26.4.15
34.117.186.192

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)

http://apps.identrust.com/roots/dstrootcax3.p7c
http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002
https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002
https://cdn-edge-node.com/online_security_mkl.exe
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002
https://d2csnxzxwctx26.cloudfront.net/load/load.php?c=1002

d22hce23hy1ej9.cloudfront.net(13.225.110.70)
cdn-edge-node.com(172.67.165.254)
240429000936002.mjt.kqri92.top(94.156.35.76)
d2csnxzxwctx26.cloudfront.net(18.64.13.65)
adblock2024.shop(172.67.176.247)
104.21.11.117
104.21.43.83
18.64.13.155
94.156.35.76 - malware
13.225.110.102
121.254.136.9

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile

http://107.172.34.27/panel/machines/api/endpoint.php

107.172.34.27

ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3

https://api.ipify.org/

api.ipify.org(172.67.74.152)
172.67.74.152

ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)