https://srtk.hometax.go.kr/download/jquery-1.11.1.min.js
https://srtk.hometax.go.kr/download/img/security_pop_bt_close.png
https://srtk.hometax.go.kr/download/cri.css?v=1
https://srtk.hometax.go.kr/download/components/enc-cp949-min.js
https://srtk.hometax.go.kr/download/cri_ems_nt.js?v=1
https://srtk.hometax.go.kr/download/rollups/seed.js
https://srtk.hometax.go.kr/download/rollups/md5.js
https://srtk.hometax.go.kr/download/rollups/aes.js
https://srtk.hometax.go.kr/download/img/security_pop_ic_lock.png

srtk.hometax.go.kr(116.67.103.155)
116.67.103.155

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

138.201.120.172 - mailcious

ET MALWARE Arechclient2 Backdoor CnC Init

api.ipify.org(104.237.62.212)
64.185.227.156

ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://apps.identrust.com/roots/dstrootcax3.p7c
https://paste.ee/d/Oe5nV
https://uploaddeimagens.com.br/images/004/666/683/original/js.jpg?1700183864
http://91.92.246.47/3fgwx.txt

paste.ee(104.21.84.67) - mailcious
uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.9
104.21.84.67 - malware
172.67.215.45 - malware

ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://paste.ee/d/ly4Cq

paste.ee(104.21.84.67) - mailcious
104.21.84.67 - malware

ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

api.ipify.org(64.185.227.156)
173.231.16.77

ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8.217.212.78

http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/667/608/original/hta.jpg?1700268840
http://91.92.248.130/toothpick.txt

uploaddeimagens.com.br(104.21.45.138) - malware
121.254.136.9
104.21.45.138 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

http://apps.identrust.com/roots/dstrootcax3.p7c
https://uploaddeimagens.com.br/images/004/667/608/original/hta.jpg?1700268840

uploaddeimagens.com.br(172.67.215.45) - malware
121.254.136.9
104.21.45.138 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)