http://185.172.128.90/cpa/ping.php?substr=four&s=ab - rule_id: 38981
http://185.172.128.109/syncUpd.exe - rule_id: 39052

185.172.128.90 - mailcious
185.172.128.109 - malware
5.42.64.33 - mailcious

ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

http://185.172.128.90/cpa/ping.php
http://185.172.128.109/syncUpd.exe

141.95.211.148 - mailcious

ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Family Activity (Response)

loggz.giize.com(94.228.169.141)
94.228.169.141

ET INFO Observed DNS Query to Dynamic DNS Service (giize .com)
ET INFO DYNAMIC_DNS Query to a *.giize .com Domain

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

http://192.3.176.145/458/conhost.exe

192.3.176.145 - malware

ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

http://goodmarket.or.kr/admin/sms/3.html

http://91.92.248.152/z/ - rule_id: 39147
http://91.92.248.152/z - rule_id: 39146
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
http://91.92.248.152/z/a.png - rule_id: 39145

www.ssl.com(54.210.82.44)
91.92.248.152 - mailcious
184.72.241.63

http://91.92.248.152/z/
http://91.92.248.152/z
http://91.92.248.152/z/a.png