194.5.98.250 - mailcious

worrynot.duckdns.org(85.208.139.45)
85.208.139.45 - mailcious

ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

http://185.254.37.234/61c7c6a1a965cae9/mozglue.dll
http://185.254.37.234/61c7c6a1a965cae9/freebl3.dll
http://185.254.37.234/61c7c6a1a965cae9/sqlite3.dll
http://185.254.37.234/61c7c6a1a965cae9/vcruntime140.dll
http://185.254.37.234/61c7c6a1a965cae9/softokn3.dll
http://185.254.37.234/a68326a8bd26a679.php
http://185.254.37.234/61c7c6a1a965cae9/msvcp140.dll
http://185.254.37.234/61c7c6a1a965cae9/nss3.dll

185.254.37.234 - mailcious

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting Screenshot to C2

randomxmonero.auto.nicehash.com(34.149.22.228)
34.149.22.228
104.248.239.160

34.149.22.228

randomxmonero.auto.nicehash.com(34.149.22.228)
34.149.22.228
104.248.239.160

http://www.36-m.beauty/btrd/?blm=fsO7LJV8pcnx+es9Gts03N8ftxquB7IY0G5hW1obA2KYArJ49pBsmzxrJSVXrlPCdrhTiUFd&uVg8A=M6Al
http://www.casa-hilo.com/btrd/?blm=BMYEhhN4qKhLneP2t4DYpBocsvBE62SOJU9NCOd5/PIUgS/yqfI03blVivjJ3b1IQdFTnqft&uVg8A=M6Al

www.casa-hilo.com(23.227.38.74)
www.36-m.beauty(156.230.205.39)
156.230.205.39
23.227.38.74 - mailcious

ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Observed Query to .beauty TLD

162.55.60.2

http://showip.net/

us2.smtp.mailhostbox.com(208.91.199.223)
showip.net(162.55.60.2)
162.55.60.2
208.91.199.224 - mailcious

ET POLICY IP Check Domain (showip in HTTP Host)
SURICATA Applayer Detect protocol only one direction

94.142.138.212 - mailcious

ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)