http://91.121.200.35:8080/K1uKQdxD7ph/qfR3TQwB8Gid/

179.15.102.2
91.121.200.35

http://jiehost.com/wp-admin/6ZFh6A/
http://107.170.146.252:8080/r4TdOePZcY2xOB/BX1Ae4O/gnQzBkBvpnx/ - mailcious

jiehost.com(202.95.11.52)
107.170.146.252 - suspicious
202.95.11.52
88.153.35.32
117.18.232.200 - suspicious

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP

http://www.josejuanarroyo.com/antithetical-bulblet/l/
http://78.206.229.130/jTt9/KZwZ0vlvI7dAu2QWz/qhtQlX8dMR6/

www.josejuanarroyo.com(65.254.227.224) - mailcious
78.206.229.130
65.254.227.224 - suspicious
117.18.232.200 - suspicious

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP

http://oreillyautolawsuit.com/f3.exe

oreillyautolawsuit.com(8.209.127.167)
8.209.127.167 - suspicious
117.18.232.200 - suspicious

ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP

http://www.tessuto.net/glt/?RP=RXCBf+kRwtR1pIzlq54zDDgrcqehmcxCBUaK6qj2AbfyZ/t9TvGN2V+NJcOiP+Lg/Slh4fLG&rVBt5x=S0D0XvJ
http://103.153.79.195/0pp.exe - malware

www.tessuto.net(3.128.208.230)
www.findoffline.com()
103.153.79.195 - suspicious
3.22.191.41
117.18.232.200 - suspicious

ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

http://107.170.146.252:8080/jz4gNpp6m5qRXw9NLU/FbrMZTF/DHip8bMTk8WVuy4Sna/ - mailcious
https://www.theginlibrary.de/wp-includes/ma/
https://toorak.ie/wp-includes/aT/
https://homewatchamelia.com/wp-admin/MQxjrRU/

www.theginlibrary.de(37.17.224.143)
toorak.ie(104.31.82.230)
pottershousedurban.co.za(102.130.121.16) - mailcious
homewatchamelia.com(172.67.148.194) - mailcious
67.163.161.107 - suspicious
104.31.82.230
102.130.121.16 - suspicious
37.17.224.143
104.28.23.149 - suspicious
107.170.146.252 - suspicious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://104.131.92.244:8080/RGc8Ihma897MD9Up/x4JW/F9mrfCWszepi3o/
http://kbppp.ilmci.com/wp-includes/z/
http://www.royalempresshair.com/wp-content/upgrade/Ete/

www.royalempresshair.com(45.79.219.198) - mailcious
kbppp.ilmci.com(103.241.24.165) - mailcious
45.79.219.198 - suspicious
103.241.24.165 - suspicious
45.16.226.117 - suspicious
104.131.92.244

ET CNC Feodo Tracker Reported CnC Server group 18
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://104.131.92.244:8080/UpnPUowtfqf8qspt1/Qqwr1NrLzr3LzL/

45.16.226.117 - suspicious
104.131.92.244

ET CNC Feodo Tracker Reported CnC Server group 18

http://magicview.ga/chang/gate.php - mailcious

magicview.ga(91.203.192.84) - mailcious
91.203.192.84 - suspicious

ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response

http://61.118.67.173/4Es8r3qc8nTFF/o8D8eq/

61.118.67.173

http://61.118.67.173/X00DApi56EqexN/IE9i13knJe/BHOOP9/

61.118.67.173

http://crt.comodoca.com/COMODORSAAddTrustCA.crt
https://api.ipify.org/

api.ipify.org(50.19.252.36)
crt.comodoca.com(91.199.212.52)
91.199.212.52
54.235.83.248

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f

api.ipify.org(184.73.247.141)
54.225.169.28

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)