161.97.160.16

176.113.115.145 - mailcious

176.113.115.145 - mailcious

http://chongmei33.publicvm.com:7045/is-ready

chongmei33.publicvm.com(103.47.144.42) - mailcious
103.47.144.42

ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
ET MALWARE WSHRAT CnC Checkin
ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain

api.missedglobalparcel.com(144.126.228.108)
144.126.228.108 - mailcious

192.253.237.20

http://193.233.20.29/DSC01491/foto0189.exe
http://193.233.20.29/DSC01491/fotocr12.exe
http://193.233.20.29/games/category/Plugins/cred64.dll
http://193.233.20.29/games/category/Plugins/clip64.dll
http://193.233.20.29/games/category/index.php

176.113.115.145 - mailcious
193.233.20.29 - malware

ET MALWARE Amadey CnC Check-In
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host DLL Request

192.253.237.20

cp5ua.hyperhost.ua(91.235.128.141) - mailcious
91.235.128.141 - mailcious

SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)