ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://192.3.108.47/demo/1/HTML.hta
https://redr.me/llj4ev
https://redr.me/

redr.me(104.21.30.250) - mailcious
172.67.174.59
192.3.108.47 - mailcious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible HTA Application Download
ET INFO Dotted Quad Host HTA Request
ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
ET WEB_CLIENT Office Requesting .HTA File Likely CVE-2017-0199 Request
ET USER_AGENTS Microsoft Office Existence Discovery User-Agent
ET WEB_CLIENT Office Discovery HTA file Likely CVE-2017-0199 Request M2

urlsh.us(107.189.8.23)
107.189.8.23

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://cacerts.digicert.com/DigiCertGlobalRootG2.crt

cacerts.digicert.com(152.195.38.76)
onedrive.live.com(13.107.42.13) - mailcious
13.107.42.13 - mailcious
152.195.38.76

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

91.215.85.20

ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)

http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937
http://79.110.48.52/ngohms.txt

uploaddeimagens.com.br(172.67.215.45) - malware
182.162.106.32
104.21.45.138 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://5.42.92.211/loghub/master - rule_id: 36282
https://fbcdn.net/security/hsts-pixel.gif?c=2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/ogW1H5O-17r.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yB/r/Y0L6f5sxdIV.png
https://www.facebook.com/favicon.ico
https://connect.facebook.net/security/hsts-pixel.gif
https://www.facebook.com/login
https://static.xx.fbcdn.net/rsrc.php/v3/y3/l/0,cross/ikFECARVllV.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yH/r/SccipWfTlTT.js?_nc_x=Ij3Wp8lg5Kz
https://facebook.com/security/hsts-pixel.gif?c=3.2.5
https://static.xx.fbcdn.net/rsrc.php/v3/yT/r/Ovcfo1SlXij.js?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/yI/r/4aAhOWlwaXf.svg
https://static.xx.fbcdn.net/rsrc.php/v3/yP/l/0,cross/OioQXAqgNbJ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yH/l/0,cross/zDdQsF0sOjp.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/ya/l/0,cross/QeMN1LLnAEZ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yD/l/0,cross/dEOkGH79P3Y.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yd/l/0,cross/kwzs_5FMU9g.css?_nc_x=Ij3Wp8lg5Kz
https://fbsbx.com/security/hsts-pixel.gif?c=5
https://static.xx.fbcdn.net/rsrc.php/v3/yc/l/0,cross/1FPNULrhhBJ.css?_nc_x=Ij3Wp8lg5Kz
https://static.xx.fbcdn.net/rsrc.php/v3/yU/r/O7nelmd9XSI.png
https://static.xx.fbcdn.net/rsrc.php/v3/yg/r/tzWkwLNK4bI.js?_nc_x=Ij3Wp8lg5Kz

www.facebook.com(157.240.215.35)
fbsbx.com(157.240.215.35)
static.xx.fbcdn.net(157.240.215.14)
fbcdn.net(157.240.215.35)
accounts.google.com(172.217.25.173)
connect.facebook.net(157.240.215.14)
facebook.com(157.240.215.35)
157.240.215.14
77.91.124.55
157.240.215.35
172.217.25.13
5.42.92.211 - mailcious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer Activity (Response)

http://5.42.92.211/loghub/master

121.254.136.18