http://160.20.147.241/12344.exe

160.20.147.241

ET INFO Executable Download from dotted-quad Host
ET MALWARE Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)
ET HUNTING Request for EXE via WinHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO WinHttpRequest Downloading EXE
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

http://18.157.168.193/index.php
https://www.bing.com/

www.google.com(216.58.197.132)
142.250.199.68
18.157.168.193

ET MALWARE AZORult Variant.4 Checkin M2
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE AZORult v3.2 Server Response M1

http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f

195.140.214.82 - mailcious

http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f

173.249.14.104 - mailcious

http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/

fort-communications.com(129.146.47.154) - malware
129.146.47.154 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

194.147.115.117 - mailcious

ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
ET INFO Executable Download from dotted-quad Host
ET INFO AutoIt User Agent Executable Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

123.200.26.246 - mailcious
122.2.28.70 - mailcious

SURICATA Applayer Mismatch protocol both directions
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)

217.8.117.207