kCDsxsOcfhTlMjafabHRMsCYusl.kCDsxsOcfhTlMjafabHRMsCYusl()

icacxndo.ac.ug() - suspicious
icando.ug(194.5.98.107) - suspicious
194.5.98.107

http://185.215.113.81:28578/
https://api.ip.sb/geoip

api.ip.sb(104.26.13.31)
104.26.13.31
185.215.113.81

ET DROP Spamhaus DROP Listed Traffic Inbound group 26
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

ET DROP Spamhaus DROP Listed Traffic Inbound group 26

zedaumalev.xyz(77.246.145.4) - mailcious
77.246.145.4 - mailcious

http://backproxyzz.ug/1.exe

backproxyzz.ug(91.214.124.161)
185.215.113.32
91.214.124.161

ET DROP Spamhaus DROP Listed Traffic Inbound group 26
ET MALWARE Single char EXE direct download likely trojan (multiple families)

185.215.113.32 - mailcious

ET DROP Spamhaus DROP Listed Traffic Inbound group 26

http://droidsec.tk/gate.php?id=1&os=Windows%207&cookie=0&pswd=0&version=V&cc=0&autofill=0&hwid=017BD04FB3BF45B681679E8F41FF87BF
http://ip-api.com/line/?fields

droidsec.tk(156.38.171.144) - mailcious
ip-api.com(208.95.112.1)
156.38.171.144 - mailcious
208.95.112.1

ET DNS Query to a .tk domain - Likely Hostile
ET POLICY External IP Lookup ip-api.com
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE Trojan Generic - POST To gate.php with no accept headers
ET POLICY HTTP Request to a *.tk domain

http://mahetechasia.com/data/five/fre.php

mahetechasia.com(50.17.5.224) - mailcious
50.17.5.224

ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2