http://208.67.104.60/api/firegate.php - rule_id: 34253
http://208.67.104.60/api/tracemap.php - rule_id: 28876
http://193.233.254.61/loghub/master - rule_id: 35736
http://reinroot.top/f059ec3d7eb90876/softokn3.dll
http://reinroot.top/f059ec3d7eb90876/sqlite3.dll
http://reinroot.top/f059ec3d7eb90876/vcruntime140.dll
http://reinroot.top/f059ec3d7eb90876/msvcp140.dll
http://apps.identrust.com/roots/dstrootcax3.p7c
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://reinroot.top/f059ec3d7eb90876/mozglue.dll
http://reinroot.top/f059ec3d7eb90876/freebl3.dll
http://www.maxmind.com/geoip/v2.1/city/me
http://87.121.221.58/g.exe - rule_id: 35764
http://reinroot.top/f059ec3d7eb90876/nss3.dll
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://reinroot.top/3886d2276f6914c4.php
https://db-ip.com/demo/home.php?s=175.208.134.152
https://vk.com/doc647736509_665946936?hash=Fw8vXcrjS5Y82bLQZhz32GCk6IzsT6dnzFC0fLxgLtw&dl=YdGZzLuwnaHUwjzmbi8OVpbEtxsL4XE8QVyvW0tyB7z&api=1&no_preview=1#ampul
https://sun6-22.userapi.com/c909628/u647736509/docs/d9/d05371c5ad1b/crypted.bmp?extra=_BSw5BxWGH5kQbw3SOZWiZmxneG1Mm7KsLdT8BR9aygsrxw3tGDzxJ7zahx7VVTUjJFO6WEids3x3ydWzjErsNVr_sglsVXU19p-gTF0BkqUFhJk6Dwy0IGXzdey84pdzfJaU0KQ-EXh84vs4g
https://busell.store/setup294.exe - rule_id: 35772
https://db-ip.com/
https://vk.com/doc647736509_665952794?hash=beIXGypj5pVP0OkMsBnpWjHmPdo1Dvd0ZLVa9zqpxNT&dl=gw9epkyrndw2PGDAQG3LR6ojcOshuBjYRZzs1CrYVbw&api=1&no_preview=1#nudik
https://sun6-23.userapi.com/c909628/u647736509/docs/d6/bffd6b9ab110/RisePro.bmp?extra=jX_cm3sy4CknoQfM7-JMWS4wYRkXkleQqeOPhUa0tcdjKyTHBvsnjrCXjFFZqrDtB6UL7hLyHU_Wo1bXM-pjy3vsLBMutPb9uIlqhW6cxt_Eb89cF8G9u8-5J9GaM_1jnexuqzcPqWUZJg_cSg
https://sun6-22.userapi.com/c909618/u647736509/docs/d6/49341793a9d8/OfficeTlsN.bmp?extra=8gEtDs_1QebRuVjs7yy3207O3Hn6bCGEr5wFC9607nRvd_8t5t2sB-Ps-ApEVaZty8lKaZ7Oxy126dTQDgvWpI7bRQAS0oztn42AxB-ir1QJ-rZq8mWDmQcg7NioqcbH1ASenGQb15vBsIVo2w
https://sun6-21.userapi.com/c909628/u647736509/docs/d12/c33b467a8d1d/PMmp.bmp?extra=EMd7mEWvFCEyKakzsVUMs8a_hW7nen1rxXQOcH8l0dktthsDXofuo_pUCyQCh5p1kWZjb2ZrjUg9S6ygNDxvMnyb4is4G3RZ7GoFzrK2A9XR_xJRGPuSyEop-UQnQs4LHxz6v_01rFNENj5UKg
https://sun6-22.userapi.com/c909228/u647736509/docs/d52/fbdf66113369/nudik.bmp?extra=IBxLJjQkBRFD0a5qyjwrm-nMLwFIxDFxBKKVlM0bfjPUbQuWvEP0zJqYdaV-LS-jCeSuSm_uddwjcZlp01E7eXv2_FgfgBWyvdSsiR0aQIWqYYW1yg0tNhRC6CoWdvT4u9mYUi_6UdsgrrT2xg
https://vk.com/doc647736509_665952884?hash=ouqF7K5kIj5i1vbx3UIlf5iAbqbiAUCRXIUOYrMg3xL&dl=7655dMZoGamYocJn7PzpOvUI8TGxiVDzfg20PeJrtlz&api=1&no_preview=1#office
https://sun6-22.userapi.com/c237231/u647736509/docs/d56/8153c0d6ad19/WWW1.bmp?extra=5fYdSdSSZoymAUCSE3cIydPBy5p8q8gxm_LzgKcDYywjcv-MNLMbSeCs4FmIZ0_6HF_kn5xggisfPt-rTt5BqT8b4GHFFFwECg59El_Ocl1L9fWjP36mvG6iqaJeijCeXE2J7tSiVzx8iZ7WIQ
https://transfer.sh/get/v1v0vsd6BF/d38afgh.exe
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://sun6-21.userapi.com/c909618/u647736509/docs/d36/ae9a2d0b4afe/AmpulesUnweened.bmp?extra=rFOfD69Ynm6Q6ocKi7J-93DMK3OKh29QrNV-VGwsF1sMAqLR3s_Hk3J-EoKz4cLNQPuf_-zGtPdRZ3a_CGTWXJGSC11JkCjRWI5bgAu6_O-f8aYwX-48CL60scV5tmngHFPV3-qfg46aIydhtg
https://vk.com/doc647736509_665954868?hash=2Ur4wxKVMUCXZVZ12NZLQLSvSpf4bpmZ3Ss59vXSvs4&dl=mx1kX4WsmG2cW1Op1kgtsxXsfQL3ZeRLkEs3HHXv6pX&api=1&no_preview=1#1

db-ip.com(104.26.5.15)
sun6-21.userapi.com(95.142.206.1) - mailcious
api.db-ip.com(104.26.5.15)
andrewjohnson.top(195.58.51.86) - malware
sun6-22.userapi.com(95.142.206.2)
vk.com(87.240.132.67) - mailcious
busell.store(104.21.9.89) - malware
iplogger.org(148.251.234.83) - mailcious
sun6-23.userapi.com(95.142.206.3)
z.nnnaajjjgc.com(156.236.72.121) - malware
ipinfo.io(34.117.59.81)
api.myip.com(104.26.9.59)
bitbucket.org(104.192.141.1) - malware
www.maxmind.com(104.17.241.37)
zzz.alie3ksgdd.com(172.67.143.192) - malware
www.logpasta.com(188.166.57.133)
reinroot.top(195.58.51.86) - malware
iplis.ru(148.251.234.93) - mailcious
transfer.sh(144.76.136.153) - malware
148.251.234.93 - mailcious
194.169.175.128 - mailcious
144.76.136.153 - mailcious
104.16.104.68
104.26.5.15
208.67.104.60 - mailcious
87.121.221.58 - malware
61.111.58.34 - malware
172.67.75.166
104.21.54.252 - malware
194.26.135.162 - mailcious
87.240.132.78 - mailcious
195.58.51.86 - malware
34.117.59.81
148.251.234.83
77.91.124.73 - mailcious
104.21.9.89 - malware
15.235.130.167
94.142.138.131 - mailcious
104.192.141.1 - mailcious
77.91.124.231 - malware
149.202.0.242 - mailcious
156.236.72.121 - mailcious
45.15.156.229 - mailcious
104.26.9.59
104.26.4.15
95.142.206.3
163.123.143.4 - mailcious
95.142.206.1 - mailcious
193.233.254.61 - mailcious
85.208.136.10 - mailcious
95.142.206.2
188.166.57.133
185.244.181.112 - mailcious

ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SURICATA Applayer Mismatch protocol both directions
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
ET DROP Spamhaus DROP Listed Traffic Inbound group 39
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET INFO Packed Executable Download
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET DROP Dshield Block Listed Source group 1
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting System Information to C2

http://208.67.104.60/api/firegate.php
http://208.67.104.60/api/tracemap.php
http://193.233.254.61/loghub/master
http://94.142.138.131/api/tracemap.php
http://87.121.221.58/g.exe
http://45.15.156.229/api/tracemap.php
https://busell.store/setup294.exe

https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys - rule_id: 34841
https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys
https://pastebin.com/raw/PTNbBX9V - rule_id: 34840
https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe - rule_id: 21519
https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe - rule_id: 21520

github.com(20.200.245.247) - mailcious
pastebin.com(104.20.67.143) - mailcious
104.20.68.143 - mailcious
20.200.245.247 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys
https://pastebin.com/raw/PTNbBX9V
https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe
https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe

https://bloom-artists.com/wp-includes/class-wp-image-editors.php?filename=winx32apideftype.exe - rule_id: 35978

bloom-artists.com(85.187.128.34) - malware
46.149.77.25 - mailcious
85.187.128.34 - mailcious

ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

https://bloom-artists.com/wp-includes/class-wp-image-editors.php