108.181.20.35 - mailcious

api.ipify.org(104.237.62.211)
173.231.16.76

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

stratum-eu.rplant.xyz(141.94.192.217)
141.94.192.217

162.55.60.2 -

http://107.175.202.150/110/ChromeSetup.exe
http://showip.net/

showip.net(162.55.60.2) -
162.55.60.2 -
107.175.202.150 -

ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY IP Check Domain (showip in HTTP Host)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

http://104.208.85.234:26509/IE9CompatViewList.xml
http://104.208.85.234:26509/3voE

104.208.85.234 -

ET MALWARE Cobalt Strike Beacon Observed
ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1

http://geoplugin.net/json.gp
http://31.42.186.198/4/panel/panel/uploads/Ncyfnyvi.mp3

geoplugin.net(178.237.33.50) -
verem.remcacount.co(185.195.237.203) -
31.42.186.198 -
178.237.33.50 -
185.195.237.203 -

ET JA3 Hash - Remcos 3.x TLS Connection

api.ipify.org(173.231.16.76) -
162.55.60.2 -
64.185.227.156 -

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://showip.net/

showip.net(162.55.60.2) -
162.55.60.2 -
185.195.237.203 -

ET POLICY IP Check Domain (showip in HTTP Host)

103.57.228.101 -

SURICATA Applayer Protocol detection skipped
SURICATA Applayer Detect protocol only one direction