https://ainvestinternational.com/wp/Sleflistuiq.zip

ainvestinternational.com(172.67.133.121) - mailcious
172.67.133.121

http://www.onlinesupportforroad.com/Employee.exe

www.onlinesupportforroad.com(193.31.116.186) - mailcious
193.31.116.186 - mailcious

ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

http://107.172.4.179/515/winiti.exe

107.172.4.179 - malware

ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

https://steamcommunity.com/profiles/76561199743486170 - rule_id: 41270
https://t.me/s41l0

t.me(149.154.167.99) - mailcious
steamcommunity.com(23.66.133.162) - mailcious
149.154.167.99 - mailcious
96.7.99.225
78.46.255.249 - mailcious

ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://steamcommunity.com/profiles/76561199743486170

http://79.137.192.15/n9djvSc3x/index.php

coe.com.vn(103.28.36.182) - malware
easy2buy.ae(185.199.220.53)
79.137.192.15 - malware
103.28.36.182 - malware
185.199.220.53

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO TLS Handshake Failure
ET DROP Spamhaus DROP Listed Traffic Inbound group 8
ET MALWARE Amadey Bot Activity (POST)

https://api.ipify.org/
http://107.172.4.179/516/winiti.exe

api.ipify.org(172.67.74.152)
104.26.13.205
107.172.4.179 - malware

ET INFO Executable Download from dotted-quad Host
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response