192.3.101.172

http://geoplugin.net/json.gp

geoplugin.net(178.237.33.50)
178.237.33.50
192.3.101.172

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

http://geoplugin.net/json.gp

geoplugin.net(178.237.33.50)
178.237.33.50
23.227.193.34 - mailcious

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293

t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
149.154.167.99 - mailcious
23.51.142.168
116.203.10.69 - mailcious

ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

https://steamcommunity.com/profiles/76561199761128941

147.45.47.36 - malware

ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293

t.me(149.154.167.99) - mailcious
steamcommunity.com(184.85.112.102) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
116.203.10.69 - mailcious

ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://steamcommunity.com/profiles/76561199761128941

http://45.90.89.50/250/butterfoodgoodforhealthbetterfood.tIF

ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
45.90.89.50 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://tvexc20pt.top/v1/upload.php

tvexc20pt.top(80.249.145.88)
80.249.145.88

ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain

http://46.8.231.109/1309cdeb8f4c8736/nss3.dll
http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
http://46.8.231.109/c4754d4f680ead72.php - rule_id: 42211
http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll
http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
http://46.8.231.109/ - rule_id: 42142
http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll

46.8.231.109 - mailcious

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Submitting System Information to C2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity

http://46.8.231.109/c4754d4f680ead72.php
http://46.8.231.109/

https://steamcommunity.com/profiles/76561199761128941 - rule_id: 42293

t.me(149.154.167.99) - mailcious
steamcommunity.com(23.59.200.146) - mailcious
149.154.167.99 - mailcious
23.51.142.168
116.203.10.69 - mailcious

ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

https://steamcommunity.com/profiles/76561199761128941

http://client-updates.lumu.io/service/update2?cup2key=1:aiyktIlMWjC_YDIJkn6k3-6XqffwkP2DaBfamURTQIA&cup2hreq=a4125a8074c9af063159ba78027272f9671c42488dea9878a9c5f20b4b7c8dc7
http://x1.i.lencr.org/
http://client-updates.lumu.io/service/update2
https://lumu-updates.s3.amazonaws.com/build/Agent/win/2203318943744/desktop_single_agent-d47545d41d.exe

client-updates.lumu.io(3.229.137.113)
x1.i.lencr.org(23.207.177.83)
lumu-updates.s3.amazonaws.com(54.231.203.249)
3.229.137.113
23.52.33.11
23.41.113.9
54.231.194.33

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://198.46.174.158/xampp/dums/veryniceprocessforbutterchocomilk.tIF

ia803104.us.archive.org(207.241.232.154) - malware
207.241.232.154 - malware
198.46.174.158 - mailcious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

125.253.92.50 - mailcious