http://download.logins.online/file/LinK13112020.txt

download.logins.online(104.24.100.5) - mailcious
104.24.100.5

http://198.23.212.152/mom.exe

198.23.212.152 - suspicious

ET INFO Executable Download from dotted-quad Host
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile

http://stoplyingme.com/pdf/nass.exe

stoplyingme.com(37.72.175.148)
172.217.25.14 - suspicious
37.72.175.148

ET POLICY PE EXE or DLL Windows file download HTTP

http://download.logins.online/exe/LinK13112020.msi

download.logins.online(172.67.136.62)
172.67.136.62
117.18.232.200 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex

http://45.134.21.8:61/SDuQ
http://45.134.21.8:61/fwlink

45.134.21.8
172.217.25.14 - suspicious

http://45.63.58.134/WGTcpDEjfJlnd9IASbPhArlczzzhLNQC
http://45.63.58.134/g.pixel

45.63.58.134 - suspicious

aarque.co(45.155.36.57) - mailcious
pastebin.com(104.23.98.190) - mailcious
45.155.36.57 - suspicious
104.23.99.190 - suspicious
172.217.25.14 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://api.ipify.org/

api.ipify.org(50.19.252.36)
54.235.83.248

ET POLICY External IP Lookup api.ipify.org

http://magicview.ga/akin/gate.php - rule_id: 96

magicview.ga(8.208.99.216) - mailcious
8.208.99.216

ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET INFO DNS Query for Suspicious .ga Domain

http://magicview.ga/akin/gate.php