15.236.142.224

ET MALWARE AZORult Variant.4 Checkin M2
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE AZORult v3.2 Server Response M1

web24host.com(198.23.213.114)
198.23.213.114 - malware

ET POLICY Data POST to an image file (jpg)
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

http://52.58.209.130/index.php - rule_id: 136

52.58.209.130

ET MALWARE AZORult Variant.4 Checkin M2
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1

http://52.58.209.130/index.php

52.58.209.130

ET MALWARE AZORult Variant.4 Checkin M2
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE AZORult v3.2 Server Response M1

crt.comodoca.com(91.199.212.52)
dogechain.info(104.26.3.232)
api.ipify.org(23.21.42.25)
cnc.c25e6559668942.xyz(193.239.147.105) - malware
pool.hashvault.pro(131.153.76.130) - mailcious
www1.c25e6559668942.xyz(84.16.234.240)
172.67.71.222
104.28.5.151
193.239.147.105 - malware
184.73.247.141
91.199.212.52
131.153.76.130

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
ET INFO AutoIt User Agent Executable Request
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS IRC - NICK and Possible Windows XP/7
ET HUNTING SUSPICIOUS IRC - NICK and Win
ET CHAT IRC PONG response
ET CHAT IRC PING command
ET CHAT IRC USER command
ET CHAT IRC NICK command
ET CHAT IRC JOIN command

freegeoip.app(172.67.188.154)
checkip.dyndns.org(216.146.43.71)
162.88.193.70
104.28.5.151

ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)