193.233.132.51 - mailcious

transfer.sh(144.76.136.153) - malware
144.76.136.153 - mailcious

ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)

65.60.36.22 - mailcious

http://91.92.253.11/thursdayexploitxla.exe

91.92.253.11 - malware

ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

91.92.241.115

ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Family Activity (Response)

http://172.245.208.4/3456/wlanext.exe

www.synergyinnovationgroup.com(65.60.36.22) - mailcious
65.60.36.22 - mailcious
172.245.208.4 - mailcious

ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

193.233.132.51 - mailcious
107.172.31.178

http://geoplugin.net/json.gp

geoplugin.net(178.237.33.50)
remcosmonitor.duckdns.org(107.172.31.178)
178.237.33.50
107.172.31.178

ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET JA3 Hash - Remcos 3.x TLS Connection

mcwillis.duckdns.org(91.92.251.22)
91.92.251.22
131.153.76.130 - mailcious

ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

176.123.10.211 - mailcious
91.92.243.245

ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer Family Activity (Response)

http://94.156.71.160/carsalepanel/api/endpoint.php - rule_id: 38536

xmr.2miners.com(162.19.139.184) - mailcious
pool.hashvault.pro(125.253.92.50) - mailcious
pastebin.com(104.20.68.143) - mailcious
162.19.139.184 - mailcious
131.153.76.130 - mailcious
94.156.71.160 - mailcious
104.20.67.143 - mailcious

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)

http://94.156.71.160/carsalepanel/api/endpoint.php

akcay.duckdns.org(91.92.243.245)
91.92.243.245

ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin