http://skilldrivinget.com/ojman/PL341/index.php - mailcious

skilldrivinget.com(81.19.215.2) - mailcious
81.19.215.2 - suspicious
104.75.32.111

ET MALWARE AZORult v3.3 Server Response M1

http://70.39.251.94:8080/EBVQYhBbK8U/ys83dclAmS5XK/ - mailcious

118.69.11.81 - suspicious
70.39.251.94 - suspicious
190.202.229.74 - suspicious

fullelectronica.com.ar(209.133.222.158) - malware
209.133.222.158 - suspicious
172.217.25.3
172.217.24.74
211.46.92.199
211.46.93.10
117.18.232.200 - suspicious

ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://da-industrial.com/js/9IdLP/ - malware
http://173.173.254.105/6gutBCvN9/Il0Z/ - mailcious
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/

da-industrial.com(181.88.192.21) - malware
181.88.192.21 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

http://70.39.251.94:8080/C7UranzjC/Z0owDwHf/Ok6tMt3BbF5FUkZ78c6/HJyqzWox9oFTgUn0qn/fJfs3I1N3i8nVyrDgA/MJyxAQrjLIbvjQt5/ - mailcious

118.69.11.81 - suspicious
70.39.251.94 - suspicious
190.202.229.74 - suspicious

http://annabphotography.co.uk/wp-includes/WdHO/ - malware
http://173.173.254.105/5qGiDTQbt2M3E/pmKaKqFNIpPJ2slYB/sik1lN7jWaLd/CJA4Obiy3/ - mailcious

pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

http://annabphotography.co.uk/wp-includes/WdHO/ - malware
http://173.173.254.105/hcVx/OgLyOkmDwCTmM/p2pkqLA15Sm/MDkzk/EN8kGI/ - mailcious

pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

http://magicview.ga/rojas/gate.php

magicview.ga(91.203.193.242) - mailcious
91.203.193.242

ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response

bitbucket.org(104.192.141.1) - malware
18.205.93.2 - suspicious
117.18.232.200 - suspicious

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex

http://70.39.251.94:8080/upYJrV/ - mailcious

118.69.11.81 - suspicious
70.39.251.94 - suspicious
190.202.229.74 - suspicious

http://annabphotography.co.uk/wp-includes/WdHO/ - malware
http://173.173.254.105/r0Om/KGFKgY7MZosFT/3slxGj56vbMpFwujRh/gkj9Bgn0R27BQVoW/GJLHbjjXki/ - mailcious

pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP

http://70.39.251.94:8080/rTd1BLeci/ION6jVntQcFEnskr/nVplv25C/H9DfHq1WUDUpB/ - mailcious

118.69.11.81 - suspicious
70.39.251.94 - suspicious
190.202.229.74 - suspicious

http://ciuj.ir/donpy/index.php

ciuj.ir(104.237.252.41)
104.237.252.41

ET MALWARE AZORult v3.3 Server Response M3