108.170.20.75 - mailcious

http://ip-api.com/json/

objects.githubusercontent.com(185.199.108.133) - malware
repo1.maven.org(199.232.196.209)
github.com(20.200.245.247) - mailcious
ip-api.com(208.95.112.1)
151.101.196.209
185.199.109.133 - mailcious
208.95.112.1
108.170.20.75 - mailcious
20.200.245.247 - malware

ET POLICY External IP Lookup ip-api.com
ET MALWARE STRRAT CnC Checkin
SURICATA Applayer Protocol detection skipped

https://db-ip.com/demo/home.php?s=175.208.134.152

ipinfo.io(34.117.186.192)
db-ip.com(104.26.4.15)
104.26.5.15
91.208.127.168
34.117.186.192

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)

http://93.123.39.68:1334/
http://93.123.39.68/client.exe
https://api.ip.sb/geoip

api.ip.sb(104.26.12.31)
93.123.39.68
104.26.13.31

ET MALWARE RedLine Stealer - CheckConnect Response
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Redline Stealer Family Activity (Response)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA HTTP unable to match response to request

http://apps.identrust.com/roots/dstrootcax3.p7c

i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
121.254.136.27

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://apps.identrust.com/roots/dstrootcax3.p7c

i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
23.67.53.17

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)