http://185.246.220.85/fresh/five/fre.php - rule_id: 28273

185.246.220.85 - mailcious

ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2

http://185.246.220.85/fresh/five/fre.php

http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
http://45.144.28.189/302f831c3b8545fb0a5a60bd7a5eeedb
http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
http://45.144.28.189/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
http://45.144.28.189/
https://14mmf.za.com/analytics.php?pub=a03&guid=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&sign=178004f0465ebfb5

iplogger.com(148.251.234.93) - mailcious
14mmf.za.com(172.67.223.30)
148.251.234.93 - mailcious
172.67.223.30
45.144.28.189

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible Generic Stealer Sending System Information
ET HUNTING Possible Generic Stealer Sending a Screenshot

https://api.ipify.org/

api.ipify.org(104.237.62.211)
104.237.62.211

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://apps.identrust.com/roots/dstrootcax3.p7c

horriblysparkling.com(192.243.61.225)
173.233.139.164
121.254.136.27

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

https://api.ipify.org/

api.ipify.org(173.231.16.76)
smtp.yandex.com(77.88.21.158)
64.185.227.155
77.88.21.158

SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

december2n.duckdns.org(192.169.69.26)
december2nd.ddns.net(212.193.30.230)
192.169.69.26 - phishing
212.193.30.230 - mailcious

ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET POLICY DNS Query to DynDNS Domain *.ddns .net

192.3.216.137

mail.safinaco.com(112.213.89.32)
45.81.243.246 - mailcious
112.213.89.32 - mailcious

SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

http://geoplugin.net/json.gp

geoplugin.net(178.237.33.50)
45.81.243.246 - mailcious
178.237.33.50

ET JA3 Hash - Remcos 3.x TLS Connection