http://www.zg9tywlubmftzw5ldzmzmzk.com/ju29/?BZR8DR=eJVNysqPhL/uaCM5mmKlDkK99NL0wUK/QD98X4Xi+tSElCareFrH+cf4EbqdkZtA1uTt8AGh&VRKt=vBZhWH98eHJDbf
http://www.klxcv.xyz/ju29/?BZR8DR=4JvfAS1R38BLVmeFk9DSiCnJ91CcqWw5bF+8iYbx752X4gk0kHBYwToCGZXoT3c/qcFpSYl1&VRKt=vBZhWH98eHJDbf
http://www.xpermate.com/ju29/?BZR8DR=YSdUgFSDvDomRrfxRTc82IB8KvEz5Cudp7FBenL6bBiUULPv2hucH8VGw3UW6gX6WzIP7l0c&VRKt=vBZhWH98eHJDbf - rule_id: 37946

www.zg9tywlubmftzw5ldzmzmzk.com(103.224.212.216)
www.klxcv.xyz(198.177.124.40)
www.xpermate.com(77.245.157.73) - mailcious
www.jokergiftcard.buzz()
www.merchascarpamici.com()
198.177.124.40 - mailcious
103.224.212.216 - mailcious
77.245.157.73 - mailcious

ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers

http://www.xpermate.com/ju29/

194.49.94.80
91.235.128.141

ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)

cp5ua.hyperhost.ua(91.235.128.141)
91.235.128.141

SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://91.92.243.151/api/tracemap.php - rule_id: 37889
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://apps.identrust.com/roots/dstrootcax3.p7c
http://www.maxmind.com/geoip/v2.1/city/me
http://94.142.138.131/api/firecom.php - rule_id: 36179
https://sso.passport.yandex.ru/push?uuid=17ee63be-a01d-4351-b836-3f7809d3449d&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
https://dzen.ru/?yredirect=true
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/

db-ip.com(172.67.75.166)
www.maxmind.com(104.18.146.235)
ipinfo.io(34.117.59.81)
twitter.com(104.244.42.1)
telegram.org(149.154.167.99)
yandex.ru(5.255.255.70)
api.db-ip.com(104.26.4.15)
dzen.ru(62.217.160.2)
ironhost.io(104.21.57.237)
sso.passport.yandex.ru(213.180.204.24)
149.154.167.99 - mailcious
213.180.204.24
172.67.75.166
172.67.193.129
104.18.146.235
94.142.138.131 - mailcious
121.254.136.18
62.217.160.2
91.92.243.151 - mailcious
34.117.59.81
104.244.42.1 - suspicious
104.26.5.15
5.255.255.70
125.253.92.50

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO TLS Handshake Failure

http://91.92.243.151/api/tracemap.php
http://94.142.138.131/api/tracemap.php
http://94.142.138.131/api/firecom.php

194.169.175.235 - mailcious

ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)

pool.hashvault.pro(131.153.76.130) - mailcious
125.253.92.50

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

136.243.151.123 - mailcious

cp5ua.hyperhost.ua(91.235.128.141)
162.159.134.233 - malware
91.235.128.141

SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://discordapp.com/api/webhooks/1164197415147020358/r6DHDEdEVlubS99_mqTR2EYAvLqIPvG1AA9kVN_oApRfIgXgxydFAbvOjcrA0W4bxbuR - rule_id: 37996
https://discordapp.com/api/webhooks/1164197415147020358/r6DHDEdEVlubS99_mqTR2EYAvLqIPvG1AA9kVN_oApRfIgXgxydFAbvOjcrA0W4bxbuR

discordapp.com(162.159.135.233) - mailcious
185.174.174.220 - phishing
162.159.134.233 - malware

ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://discordapp.com/api/webhooks/1164197415147020358/r6DHDEdEVlubS99_mqTR2EYAvLqIPvG1AA9kVN_oApRfIgXgxydFAbvOjcrA0W4bxbuR

mail.bretoffice.com(185.174.174.220) - mailcious
185.174.174.220 - phishing

SURICATA Applayer Detect protocol only one direction
ET MALWARE AgentTesla Exfil Via SMTP