http://5.39.217.221/win/vbc.exe

5.39.217.221 - malware

ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

http://185.239.242.107/base/21D64E34E143EBC79AFD599A19616687.html - rule_id: 263
http://185.239.242.107/base/1C06388B82C5C429CCE7D57B562320BB.html - rule_id: 263

185.239.242.107 - mailcious

http://185.239.242.107/base/
http://185.239.242.107/base/

http://www.neftyfuentes.com/tboh/?9r70bd-P=KmKol9fk3gupyhahIpU4zRKwVGGzj5hrIedhtJJasqLS74N3ksEYJSQpA+XubBC1E0ukxJ8N&EhLpvJ=jdFp72Lpc

www.neftyfuentes.com(74.115.32.75)
74.115.32.75

ET MALWARE FormBook CnC Checkin (GET)

http://185.239.242.107/base/9D65C94CBB7F4C410BDB1AE7D3AEF278.html - rule_id: 263

185.239.242.107 - mailcious

http://185.239.242.107/base/

freesoftdownloads.publicvm.com(200.83.136.8)
200.83.136.8 - mailcious

ET MALWARE Bladabindi/njRAT CnC Command (ll)

http://icanhazip.com/
https://onedrive.live.com/download?cid=89C2283E219D084B&resid=89C2283E219D084B%21715&authkey=AL6CsXGxuywK1bs
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0a:00:27:00:00:00
https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1613709267&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D89C2283E219D084B%26resid%3D89C2283E219D084B%2521715%26authkey%3DAL6CsXGxuywK1bs&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1613709268&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D89C2283E219D084B%26resid%3D89C2283E219D084B%2521715%26authkey%3DAL6CsXGxuywK1bs&lc=1033&id=250206&cbcxt=sky&cbcxt=sky

icanhazip.com(147.75.47.199)
login.live.com(40.126.38.20)
onedrive.live.com(13.107.42.13) - mailcious
api.mylnikov.org(104.21.57.49)
136.144.56.255
20.190.165.20
13.107.42.13 - mailcious
104.21.57.49
147.75.47.199

ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://icanhazip.com/
https://onedrive.live.com/download?cid=89C2283E219D084B&resid=89C2283E219D084B%21715&authkey=AL6CsXGxuywK1bs
https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1613709576&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D89C2283E219D084B%26resid%3D89C2283E219D084B%2521715%26authkey%3DAL6CsXGxuywK1bs&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0a:00:27:00:00:00

icanhazip.com(147.75.47.199)
login.live.com(40.126.38.18)
onedrive.live.com(13.107.42.13) - mailcious
api.mylnikov.org(172.67.141.244)
136.144.56.255
172.67.141.244
40.126.37.0
13.107.42.13 - mailcious
147.75.47.199

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)

http://www.achakhao.com/cbd/?jfIXkD=ZQBHVU5zkOOy64LYcNCqcwrZ7LRUSeLlsseUdX8oVjbQb0lqolQbFhGBFYOfCvIEws5Vm+Qy&UVI=D8ODAr
http://www.drolmaorganic.com/cbd/?jfIXkD=st6CpzySBKLcHrpdDE5YQ9RZ/tuSkdX3kZTy0Mzk1xNTbpdBHCKL6SusdvP5/shfRqNUEBZk&UVI=D8ODAr

www.drolmaorganic.com(186.64.116.165)
www.achakhao.com(23.111.175.173)
www.stairliftzainfos.com()
23.111.175.173
186.64.116.165 - mailcious

ET MALWARE FormBook CnC Checkin (GET)

http://192.236.147.189/custom/alien/html/base/9F8716930AC8F62FA2C2E3D5E7AAEF09.html

192.236.147.189 - malware

http://185.215.113.17//jG3cs2rP/index.php?scr=up - rule_id: 275

185.215.113.17 - malware

http://185.215.113.17/

https://www.google.com/

www.google.com(172.217.175.36)
216.58.200.68

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)