123.175.114.112 - malware

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

139.196.224.137 - malware

blitzz.com.ar(69.46.4.57) - mailcious
69.46.4.57 - mailcious

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

http://192.210.175.102/test/putty.exe

192.210.175.102

ET INFO Executable Download from dotted-quad Host
ET HUNTING Possibly Suspicious Request for Putty.exe from Non-Standard Download Location
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

85.31.54.183 - mailcious

https://api.ipify.org/
http://194.180.48.59/damianozx.exe

api.ipify.org(64.185.227.155)
194.180.48.59 - malware
64.185.227.155

ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

https://api.ipify.org/
http://194.180.48.59/pmexzx.exe

api.ipify.org(173.231.16.76)
194.180.48.59 - malware
142.250.66.99
77.91.124.20 - malware
104.237.62.211

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

http://77.91.124.20/store/games/Plugins/cred64.dll - rule_id: 31849
http://77.91.124.20/store/games/index.php - rule_id: 32547
http://77.91.124.20/store/games/Plugins/clip64.dll - rule_id: 32546
http://77.91.124.20/DSC01491/fotocr05.exe
http://77.91.124.20/DSC01491/foto495.exe

77.91.124.251
77.91.124.20 - malware
83.97.73.127

ET MALWARE Amadey CnC Check-In
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host DLL Request
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

http://77.91.124.20/store/games/Plugins/cred64.dll
http://77.91.124.20/store/games/index.php
http://77.91.124.20/store/games/Plugins/clip64.dll

185.161.248.37 - malware