poopy.aarkhipov.ru(92.63.193.141)
92.63.193.141

malaygxproj.com()

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

http://185.172.128.69/advdlc.php
http://185.172.128.90/cpa/ping.php?substr=one&s=two - rule_id: 38981

185.172.128.69 - malware
185.172.128.90 - mailcious

ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP

http://185.172.128.90/cpa/ping.php

lubriaceites.com(212.1.210.79)
api.telegram.org(149.154.167.220)
212.1.210.79
149.154.167.220

ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)

http://185.172.128.69/advdlc.php
http://185.172.128.90/cpa/ping.php?substr=one&s=two - rule_id: 38981

185.172.128.69 - malware
185.172.128.90 - mailcious

http://185.172.128.90/cpa/ping.php

https://db-ip.com/demo/home.php?s=175.208.134.152

ipinfo.io(34.117.186.192)
db-ip.com(104.26.4.15)
147.45.47.126 - mailcious
104.26.4.15
194.54.164.123 - malware
34.117.186.192
45.130.41.108 - malware
94.232.45.38 - malware
51.15.65.182 - mailcious

ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE RisePro CnC Activity (Inbound)

https://db-ip.com/demo/home.php?s=175.208.134.152

ipinfo.io(34.117.186.192)
db-ip.com(172.67.75.166)
147.45.47.126 - mailcious
104.26.4.15
18.64.13.203
34.117.186.192

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)