71.185.52.88 -

172.67.34.170 - mailcious

http://ip-api.com/csv/?fields=status,query
https://discord.com/api/webhooks/1056590206893051904/2ybdaA7zXHVKpVJNM5j-1a4lW_FhpBXMYcNGIJpTvJx-GQGX3887N8vX1I_ea-w62qoK

localbeheaders.mcgo.io(108.16.60.193)
discord.com(162.159.137.232) - mailcious
ip-api.com(208.95.112.1)
162.159.137.232 - mailcious
208.95.112.1
108.16.60.193

ET INFO Observed Discord Domain in DNS Lookup (discord .com)
ET INFO Observed Discord Domain (discord .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup ip-api.com

3.125.102.39

localbeheaders.mcgo.io(108.16.60.193)
108.16.60.193

http://ip-api.com/csv/?fields=status,query
https://pastebin.com/raw/fB4ZyQEn

0.tcp.eu.ngrok.io(3.125.102.39)
pastebin.com(104.20.67.143) - mailcious
ip-api.com(208.95.112.1)
208.95.112.1
3.125.102.39
172.67.34.170 - mailcious

ET INFO DNS Query to a *.ngrok domain (ngrok.io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup ip-api.com

95.217.188.21

http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
http://185.181.10.208/
http://185.181.10.208/26556a0c2e4bbf69b06c173ce1681609
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
http://185.181.10.208/8e0966e25decf295f67dfe9904e292d5
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
http://185.181.10.208/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll

185.181.10.208 - malware

ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible Generic Stealer Sending System Information

http://checkip.dyndns.org/

checkip.dyndns.org(193.122.6.168)
193.122.130.0

ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain
ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain

http://checkip.dyndns.org/
http://104.168.46.107/219/vbc.exe

checkip.dyndns.org(193.122.130.0)
1.12.242.71 - malware
158.101.44.242
104.168.46.107 - mailcious

ET INFO Executable Download from dotted-quad Host
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE 404/Snake/Matiex Keylogger Style External IP Check
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain