http://212.113.119.255/joomla/index.php
http://179.43.155.247/cc.exe - rule_id: 27942
http://212.113.119.255/joomla/Plugins/cred64.dll
https://transfer.sh/get/Ot2CIs/sec2.exe
https://bitbucket.org/coldminusthousand/needheater/downloads/build123456789.exe

bitbucket.org(104.192.141.1) - malware
transfer.sh(144.76.136.153) - malware
176.113.115.145 - mailcious
104.192.141.1 - mailcious
179.43.155.247 - malware
144.76.136.153 - mailcious
212.113.119.255 - malware

ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Amadey CnC Check-In
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
ET INFO Packed Executable Download
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO Dotted Quad Host DLL Request

http://179.43.155.247/cc.exe

http://ipinfo.io/country
http://62.204.41.69/AVA/gate.php
http://ipinfo.io/ip

ipinfo.io(34.117.59.81)
62.204.41.69 - malware
34.117.59.81

ET DROP Dshield Block Listed Source group 1
ET POLICY External IP Lookup ipinfo.io
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE Trojan Generic - POST To gate.php with no accept headers
ET MALWARE Generic Request to gate.php Dotted-Quad
ET MALWARE Win32/ModernLoader Activity (POST)

135.181.173.163 - mailcious

http://ultimatescamrecovery.com/r/tz.jpg

ultimatescamrecovery.com(104.219.248.27)
google.com(142.250.76.142)
104.219.248.27
142.250.204.142

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

77.91.124.207 - malware
176.113.115.145 - mailcious

http://77.91.124.207/plays/chapter/Plugins/cred64.dll
http://77.91.124.207/plays/chapter/index.php

77.91.124.207 - malware
176.113.115.145 - mailcious

ET MALWARE Amadey CnC Check-In
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host DLL Request

176.113.115.145 - mailcious