raw.githubusercontent.com(185.199.108.133) - malware
185.199.109.133 - mailcious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://pastebin.com/raw/g96Z0CYj

5.tcp.eu.ngrok.io(3.67.112.102)
pastebin.com(172.67.34.170) - mailcious
3.67.62.142
3.127.181.115
104.20.67.143 - mailcious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DNS Query to a *.ngrok domain (ngrok.io)

193.233.132.67 - mailcious

https://db-ip.com/demo/home.php?s=175.208.134.152

ipinfo.io(34.117.186.192)
db-ip.com(104.26.4.15)
172.67.75.166
193.233.132.67 - mailcious
34.117.186.192

ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)

http://193.233.132.197/lumma27.exe
http://5.42.66.22/crypted_de7109ba.exe
https://db-ip.com/demo/home.php?s=175.208.134.152

ipinfo.io(34.117.186.192)
db-ip.com(172.67.75.166)
34.117.186.192
5.42.66.22 - malware
193.233.132.197 - mailcious
104.26.5.15
5.42.65.117

ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

www.catherby.cloud(198.54.115.220)
xmr.2miners.com(162.19.139.184) - mailcious
162.19.139.184 - mailcious
198.54.115.220 - phishing

ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)