94.131.119.184

124.221.70.199 - malware

http://91.92.251.170:1334/
https://api.ip.sb/geoip

api.ip.sb(172.67.75.172)
91.92.251.170
104.26.13.31

ET MALWARE RedLine Stealer - CheckConnect Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
SURICATA HTTP unable to match response to request

http://147.45.45.69/sdsdhggf.exe
http://176.111.174.109/kurwa - rule_id: 42733
http://45.91.200.135/api/wp-admin.php - rule_id: 42765
http://147.45.45.69/vdcsb.exe
http://240922164748184.tyr.zont16.com/f/fikbam0922184.exe
http://147.45.44.104/lopsa/66ea645129e6a_jacobs.exe - rule_id: 42729
http://45.91.200.135/api/wp-ping.php - rule_id: 42766
http://176.113.115.33/thebig/noode.exe - rule_id: 42735
http://147.45.45.69/vdcsnjdh15.exe
https://db-ip.com/demo/home.php?s=
https://api.myip.com/

db-ip.com(104.26.5.15)
api64.ipify.org(104.237.62.213)
api.myip.com(104.26.9.59)
240922164748184.tyr.zont16.com(179.43.188.227)
ipinfo.io(34.117.59.81)
bitbucket.org(104.192.140.25) - malware
176.111.174.109 - malware
185.215.113.37 - mailcious
147.45.44.104 - malware
104.26.9.59
104.26.4.15
80.66.75.114 - malware
176.113.115.33 - malware
104.192.140.26 - mailcious
104.237.62.213
194.116.215.195 - malware
108.61.198.52
45.91.200.135 - mailcious
34.117.59.81
147.45.45.69 - malware

ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
ET INFO Executable Download from dotted-quad Host
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DROP Spamhaus DROP Listed Traffic Inbound group 32
SURICATA Applayer Mismatch protocol both directions
ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET DROP Spamhaus DROP Listed Traffic Inbound group 8

http://176.111.174.109/kurwa
http://45.91.200.135/api/wp-admin.php
http://147.45.44.104/lopsa/66ea645129e6a_jacobs.exe
http://45.91.200.135/api/wp-ping.php
http://176.113.115.33/thebig/noode.exe